23 Linux Server Security Tips and Best Practices
A checklist for SysAdmins to live by
This article includes a collection of commands and best practices that you can use to improve the security of your Linux servers (RHEL/CentOS). If you have more suggestions, please mention them in the comments. Enjoy the read!
1. Remove insecure tools (FTP, telnet, rlogin, rsh, etc.) and use only secure alternatives (SCP, SSH, sftp, rsync, etc.)
When choosing data communication tools, use only secure, encrypted ones and remove the rest from the server.
$ yum erase xinetd ypserv tftp-server telnet-server rsh-server
2. Enable firewall/Iptables
Iptables allows you to configure the IP packet filter rules of the Linux kernel firewall. To get the maximum advantage, you may need some advanced knowledge on setting up these rules. The following are a few examples that you can try.
$ service iptables start
# Drop new TCP connections that do not start with a SYN packet
$ iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop XMAS packets (all TCP flags set)
$ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop null packets (no TCP flags set)
$ iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop incoming packet fragments
$ iptables -A INPUT -f -j DROP
3. Disable unwanted services and daemons
Most of the time you will not need services such as AutoFS, NFS, FTP, HTTP, NIS, telnetd or sendmail; remove or disable them.
$ chkconfig --list | grep '3:on'
$ service serviceName stop
$ chkconfig serviceName off
$ yum remove packageName
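To make this a repeatable check rather than a one-off look at `chkconfig --list | grep '3:on'`, here is an added example (not from the article) that audits `chkconfig --list` output against an allow-list of services the host is expected to run; the allow-list, the sample output and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the article: compare the services enabled at
# runlevel 3 with an allow-list and report anything that should not be there.
# Assumed input is what `chkconfig --list` prints on RHEL/CentOS 6, i.e.
# "sshd  0:off 1:off 2:on 3:on 4:on 5:on 6:off" lines for SysV services,
# followed by "xinetd based services:" with indented "telnet: on" lines.

# Services this host is expected to run (constructed allow-list; adjust per role).
ALLOWED_SERVICES="sshd crond rsyslog iptables"

# Constructed sample of `chkconfig --list` output for the self-test below.
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        chargen-dgram:  off
        telnet:         on'

# enabled_at_runlevel3 <chkconfig_output>
# Prints one name per line for every SysV service that is 3:on and every
# xinetd-managed service that is on.
enabled_at_runlevel3() {
    printf '%s\n' "$1" | awk '
        /(^|[ \t])3:on([ \t]|$)/ { print $1; next }
        /^[ \t]+[^ \t:]+:[ \t]+on[ \t]*$/ { sub(/:$/, "", $1); print $1 }'
}

# unexpected_services <chkconfig_output>
# Prints the enabled services that are missing from ALLOWED_SERVICES.
unexpected_services() {
    enabled_at_runlevel3 "$1" | while read -r svc; do
        case " $ALLOWED_SERVICES " in
            *" $svc "*) ;;              # expected on this host
            *) printf '%s\n' "$svc" ;;  # candidate for "chkconfig $svc off"
        esac
    done
}

# audit_services <chkconfig_output>
# Returns 0 when only allow-listed services are enabled, 1 otherwise.
audit_services() {
    extra=$(unexpected_services "$1")
    [ -z "$extra" ] && return 0
    printf 'Enabled services not in the allow-list:\n%s\n' "$extra" >&2
    return 1
}
```

On a live host run `audit_services "$(chkconfig --list)"`; a non-zero exit lists the services to stop and turn off with the commands above.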
4. Audit installed packages and remove unwanted ones regularly
Fewer installed packages means a smaller attack surface, and therefore fewer potential threats at the end of the day. Keep only the packages you need and clean up the rest.
$ yum list installed
$ yum…