Securing a Linux server starts with hardening the system, and to do this it is important to define a list of security controls. A security controls list (or security checklist) is used to confirm that the required controls have actually been implemented, rather than relying on memory or on the defaults of the installer.
The checklists below are grouped by the phase they apply to: installation, boot and storage, network services, and monitoring.
The first checklist covers installation and the base system:
- Installation media (CD-ROM/DVD/ISO image) should be verified against the checksum published by the distribution before use; the checksum itself must come from a trusted source (for example the distribution's signed SHA256SUMS file), otherwise an attacker who can replace the image can replace the checksum too.
- A minimal base installation should be performed when creating the server.
- It is good practice to create separate filesystems for /home and /tmp, so that user data and world-writable temporary space cannot fill the root filesystem and can be mounted with restrictive options (for example nosuid, nodev and noexec on /tmp).
- Install only the software the server actually needs; every extra package is additional attack surface and one more thing to patch.
- Always keep the Linux kernel and the installed software up to date with security patches.
The second checklist covers disk encryption and the boot process:
- Encrypt partitions using disk encryption such as LUKS (set up with cryptsetup), so that data on a stolen or discarded disk cannot be read.
- Limit access to the BIOS/UEFI setup by configuring a firmware password.
- Limit bootable devices: allow only the system disk to boot, so that someone with physical access cannot boot from USB or optical media and bypass the operating system's controls.
- Set a boot loader (GRUB) password so that entering single-user mode or editing boot entries requires authentication.
The third checklist covers network services:
- Determine which services are running by checking the open (listening) network ports, for example with ss -tulnp.
- Use a firewall such as iptables/nftables with a default-deny input policy, allowing only the services that need to be reachable.
- Encrypt all data transmitted over the network (SSH, TLS).
- Avoid clear-text services such as FTP, Telnet, and rlogin/rsh; use SFTP/SCP and SSH instead.
- Any unneeded services should be disabled (for example with systemctl disable --now <unit>).
- A centralized authentication service (for example LDAP or Kerberos) should be used so that accounts are managed in one place.
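The network checklist above amounts to two steps: find out what is listening, then allow only that. The following is an added example (not code from the original page) that parses `ss -tulnH` output into proto/port pairs and emits a default-deny nftables ruleset. The `ss` lines are constructed sample data; the table and chain names (`inet filter`, `banned`) and the ports are assumptions for the demo.

```shell
# Added example: list listening services and generate a default-deny
# nftables ruleset. SAMPLE_SS is constructed output in the format of
# `ss -tulnH` (no header); on a real host pipe the live command instead.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*'

# listening_ports: reads ss -tulnH lines on stdin and prints unique
# proto/port pairs (column 5 is the local address:port; the port is the
# text after the last colon, which also handles [::]:22).
listening_ports() {
    awk '{ n = split($5, a, ":"); print $1 "/" a[n] }' | sort -u
}

# nft_ruleset SSH_PORT [TCP_PORT...]
# Prints an nftables script: drop everything inbound by default, keep
# established flows, loopback and ICMP, rate-limit new SSH connections,
# open the listed TCP ports, and drop anything in the "banned" set
# (populated later by a brute-force detector, assumed name).
nft_ruleset() {
    ssh_port=$1
    shift
    cat <<EOF
flush ruleset
table inet filter {
    set banned {
        type ipv4_addr
        flags timeout
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ip saddr @banned drop
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport $ssh_port ct state new limit rate 10/minute accept
$(for p in "$@"; do printf '        tcp dport %s accept\n' "$p"; done)
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}
```

Typical use as root: `ss -tulnH | listening_ports` to review what is exposed, decide which ports must stay reachable, then `nft_ruleset 22 80 > /etc/nftables.conf && nft -f /etc/nftables.conf`. Anything still listening that is not in the ruleset (udp/123 and udp/323 in the sample) should either be disabled or deliberately added.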
The fourth checklist covers integrity monitoring, logging, and detection:
- File integrity tools such as AIDE, Samhain, and AFICK should be installed and configured to monitor important system files and binaries, with the baseline database stored where an attacker on the host cannot update it.
- Use a malware scanner such as ClamAV to detect malicious scripts and files.
- Configure system logging (rsyslog or journald forwarding) to a remote log host, so that logs survive a compromise of the machine and are available for detection, forensics, and archiving.
- Deter brute-force attacks on authentication with tools such as fail2ban or sshguard, which temporarily block source addresses after repeated failed attempts.
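The last two items (remote logs, brute-force deterrence) are what make a log useful for detection. The following is an added example, not code from the original page, showing the core of what fail2ban-style tools do: count failed SSH logins per source address in auth.log lines and emit block commands for sources over a threshold. The log lines are constructed samples using the standard OpenSSH message format; the addresses are documentation ranges, and the nftables set `inet filter banned` is an assumed name.

```shell
# Added example: brute-force detection over constructed auth.log lines.
# On a real host: failed_by_ip < /var/log/auth.log, or
#                 journalctl -u ssh --no-pager | brute_force_sources 10
SAMPLE_AUTH_LOG='Mar  3 10:12:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:12:03 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Mar  3 10:12:05 web1 sshd[2235]: Failed password for root from 203.0.113.5 port 51141 ssh2
Mar  3 10:12:07 web1 sshd[2237]: Failed password for root from 203.0.113.5 port 51150 ssh2
Mar  3 10:12:09 web1 sshd[2239]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar  3 10:12:11 web1 sshd[2240]: Accepted publickey for alice from 198.51.100.7 port 40013 ssh2'

# failed_by_ip: reads syslog-format sshd lines on stdin, prints
# "<count> <ip>" per source address, highest count first. Only
# "Failed password" lines count; successful logins are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { c[$(i + 1)]++; break }
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# brute_force_sources [THRESHOLD]
# Prints the addresses with at least THRESHOLD failures (default 5).
brute_force_sources() {
    threshold=${1:-5}
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# ban_commands [THRESHOLD]
# Emits the nft commands that would add each offender to the "banned" set
# for an hour. Printing rather than executing keeps the detection logic
# testable without root; pipe into sh as root to apply.
ban_commands() {
    brute_force_sources "$1" | while read -r ip; do
        printf 'nft add element inet filter banned { %s timeout 1h }\n' "$ip"
    done
}
```

With a threshold of 3, the sample flags 203.0.113.5 (four failures) and leaves 198.51.100.7 alone (one failure followed by a successful key login). A real deployment should use the timestamps to count failures per time window, exempt trusted management addresses, and prefer a remote copy of the log as input so that an intruder who edits the local file cannot hide from the detector.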