Server Hardening 101

W elcome to server hardening 101. Here, we are going to let you know the basic measures by which you can increase the security of your servers and block the basic attacks that are happening/might happen on your server.

Points which are covered in this guide.

Below are the basic points that are helpful in securing a server, I will explain each point in detail and also show how to configure a firewall,  add a non-root user, change default ports of standard services.

1. Keep the server up to date by upgrading it with regular security patches and updates from OS.
2. Create non-root user.
3. Add non-root user to sudoers list.
4. Disable root login over SSH.
5. Deny all the traffic to all the ports in UFW.
6. Change the default ports of SSH, MySQL.
7. Allow only the basic required and essentials ports in UFW.
8. Make your server listen only on one protocol either IPv4 or IPv6. Disable the other one.

Above listed measures in detail.

1. Keep the server up to date by upgrading it with regular security patches and updates from OS.
   • By updating the OS we will get the latest security patches which might and can be able to save us from zero-day attacks.
   • Another benefit of upgrading the system includes the update of extra third-party packages and overcoming their current vulnerabilities.
   • You can do the OS upgrade by executing the following commands, I’ll explain what each command does.

     • # update the apt package manager's list, and fetch if the new version of packages are available 
       $ sudo apt update
       
       # upgrade all the packages which are available in the added repositories.
       $ sudo apt upgrade
       
       

2. Create non-root user
   • Creating non-root user helps us to save from the attacks in which the attacker is using user as root to take access of our server.

     • # add user named "adminuser", replace it with your desired username
       $ adduser adminuser
       
       

3. Add non-root user to sudoers list.
   • Adding root user to sudoers list gives that user to run commands using elevated permissions. So, instead of using root to execute commands which needs elevated permissions, we will use the non-root user which resides in the sudoers list.

     • # add user named "adminuser" to sudoers list for admin rights
       $ usermod -aG sudo adminuser
       
       

4. Disable root login over SSH.
   • Disabling root login over SSH port will disallow root login directly to the server. But, If we want to use root then first we need to login using non-root user which is present in sudoers list and then we can execute commands as root by opening a root shell inside our current shell using this command:

     • # switch user as root in the current shell
       $ sudo su - root
       
       

5. Deny all the traffic to all the ports in UFW.
   • Denying all the traffic on all incoming ports lets you increase the security on all other open ports or other application ports which are present on your server. This can be done easily by executing the below command:

     • # block all the incoming connection to the server using UFW
       $ sudo ufw default deny incoming

   • The above command denies all the incoming connection to your server, given the UFW is enabled beforehand. If it isn’t you can enable it by below command.

     • # allow OpenSSH ports in UFW
       $ sudo ufw allow OpenSSH
       
       # enable UFW
       $ sudo ufw enable

   • NOTE: Enabling UFW will disconnect you from SSH and if it does that then you can’t again login to your server using SSH so before enabling UFW, make sure you have added the OpenSSH rule to your UFW config. Both the commands are as below in sequence.
     
     
6. Change the default ports of SSH, MySQL.
   • Changing the default ports to some uncommon ports makes us more secure from the bombardments coming from bots which attackers have implemented o attack on all the default ports of SSH and MySQL.
   • To change the default port of SSH we have to edit its config, the procedure is shown below.

     • # open sshd_config using nano
       $ sudo nano /etc/ssh/sshd_config
       

   • You’ll find a line:

     • # Port 22
       

   • This line is commented out using the hash sign before it, remove that hash sign and change the port number 22 to your desired port.
   • Similarly to change the port of MySQL we have to edit its config file, the procedure is as below.

     • # open MySQL config file using nano
       $ sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

   • Find the line which says.

     • port = 3306

   • Change the port number 3306 to your desired port. 
7. Allow only the basic required and essentials ports in UFW.
   • Allow only the required port in UFW such as HTTP, HTTPS, MySQL, SSH.
   • If the port is not of a standard service then you have to allow it manually by executing below command.

     • # allow your custom port in UFW
       $ sudo ufw allow <port_number>
       
       

8. Make your server listen only on one protocol either IPv4 or IPv6. Disable the other one.
   • SSH listens on both the protocol versions i.e. IPv4 and IPv6, and we only need one to connect to the server, so it is advisable to enable the only one which is in use.
   • Use the below options for IPv4 and IPv6 respectively.

     • AddressFamily inet
       AddressFamily inet6
       

   • To enable for IPv4 do the below command, similar goes for IPv6 too.

     • # append AddressFamily at the end of sshd_config and display it
       $ echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config

     • NOTE: This does not disable the protocol system-wide, this only disables it for SSH connection.

So, this is how we can secure a server by applying the basic steps, these are very robust methods which sets a base to further more increase the security.