Business Security

How to secure your Linux server

Avast Business Team, 5 April 2021

Learn how to secure your Linux server and protect data from hackers

Server security describes the software, tools, and processes used to protect a business’ server from unauthorized access and other cyberthreats. It is a key requirement for most system administrators and cybersecurity teams. 

Linux security is considered good, based on the operating system’s strong default permissions structure. However, you must still adopt best practices to keep your servers running safely and effectively.

Whether your Linux server is running Ubuntu, Debian, or some other distribution, follow these steps to strengthen your Linux server’s default configuration. 

1. Only install required packages

You should only install the packages that your business needs to run in order to protect the functionality of your server.

Linux server distributions come with a variety of common packages already installed, such as adduser and base-passwd. During installation, users can opt to install additional packages, including an Open SSH server, a DNS server, a LAMP stack, and a print server.

You can also add further packages through the default package management system. Packages can be drawn from official repositories or by adding PPAs (Personal Package Archives), repositories created by Linux users, to gain access to a wider selection of programs.

However, the more packages you install, particularly from third-party repositories, the more vulnerabilities you could be introducing into the system. Keep installed packages to a reasonable minimum and periodically eliminate what isn’t needed.

2. Disable the root login 

Linux distributions include a superuser called ‘root’ that contains elevated administrative permissions. Keeping root login enabled can present a security risk and diminish the safety of small business cloud resources hosted on the server, as hackers can exploit this credential to access the server. To strengthen your server security, you must disable this login.

The process of disabling the root account varies depending upon which distribution of Linux you are using – you must first create a new user account and assign elevated (sudo) permissions, so that you will still have a way of installing packages and performing other admin actions on the server. Alternatively, you can assign these permissions to an existing user in order to ensure a secure server login. 

3. Configure 2FA

Two-factor authentication (2FA) greatly improves the security of user access by requiring a password and second token before users can log on to the server. 

To set up 2FA on a Debian server and Debian-derived distributions, you should install the libpam-google-authenticator package. The package can display a QR code or produce a secret token that can be added to a software authentication device, such as Google Authenticator or Authy.

2FA can be used in conjunction with SSH (Secure Shell) to enforce the requirement for a second credential when logging into the server. SSH is a protocol that creates an encrypted, text-based connection to a remote server. Together, these make the server more resistant to brute force, unauthorized login attempts and can improve cloud safety for small businesses.

4. Enforce good password hygiene

Good password hygiene isn’t only relevant to users logging into their personal computers or SaaS applications. For servers, administrators also need to ensure that users are utilizing sufficiently rigorous passwords. This practice makes them much more resistant to attacks.  

Enforcing a minimum cryptographic strength

Passwords used by your staff should be above a certain cryptographic strength, for example, at least 12 characters, with a random mix of letters, numbers, and symbols. To enforce this across your business, consider implementing a password management tool that can validate the level of security of a password or generate one of sufficient complexity.

Enforcing regular password rotation

Make sure that your staff is regularly updating all their passwords for applications and logins, especially those with administrative server access. 

Most Linux distributions contain, by default, a utility for modifying password expiry and aging information. This program can force the user to reset their password at a regular interval. Chage is one such CLI (command-line interface). 

Administrators can force users to change their password after a certain number of days, for instance, by using the -W operator:

Change -W 10 daniel

Run from elevated permissions, this command will force the user ‘daniel’ to change their password after 10 days have passed. Forced password changes can also be enforced as bathes or upon login events. 

5. Server-side antivirus software

While Linux computers are considered relatively resistant to viruses, malware, and other forms of cyberattack, all Linux endpoints – including desktops – should run antivirus protection. Antivirus products will enhance the defensive capabilities of any server it runs. 

Next-gen Linux server antivirus from Avast Business supports both 32-bit and 64-bit hardware, and features on-demand scanning initiated over a CLI. 

6. Update regularly or automatically

You should not hold old, unpatched packages, as these introduce critical vulnerabilities to the system that could be exploited by cybercriminals. To avoid this problem, ensure that your server, or server pool, is updated regularly. 

Many Linux distributions, notably Ubuntu, are also updated in a rolling distribution cycle with both long-term (LTS) and short-term release versions. Your security teams should consider from the start whether they want to run bleeding edge or stable software on their machines, and configure the appropriate update policies. 

Additionally, many Linux distributions contain tools for applying automated updates. The unattended-upgrades package available for Debian, for instance, will poll for updates at a fixed interval and apply them automatically in the background.

7. Enable a firewall

Every Linux server should be running a firewall as an initial line of defense against unauthorized or malicious connection requests. UFW (uncomplicated firewall) is a common basic Linux firewall. You should inspect the firewall policy to ensure that it makes sense for your business’ operating environment. 

These days, Distributed Denial of Service (DDoS) attacks also present a threat for some operators. Internet-facing Linux servers can be placed behind a proxy service to inspect and scrub inbound traffic, providing DDoS protection. Additionally, there are open source scripts that can be installed directly onto the server. 

8. Backup your server

There are always things that can go wrong when it comes to computer systems, and packages can create dependency problems and other issues. It’s therefore vital that you retain the ability to rollback changes to your server. 

A robust backup approach should involve creating two copies, one offsite, for every primary protected device. Simpler system rollback tools are available for Linux servers that can help to automate this process and allow for speedier disaster recovery (DR). 

Keep security in mind 

Linux may be the best server for your small business or enterprise, as distributions generally have a decent security posture automatically configured. However, to significantly increase your defenses and minimize the chances that malicious users will gain access, you must harden your Linux server by applying the best practice tips. 

Using a server-side antivirus tool, such as Avast Business Linux Antivirus, should always be part of a multi-layered security policy. Explore our Linux antivirus solution today.