A freshly provisioned dedicated server isn't a secure server. Default configurations are designed for broad compatibility, not for a minimal attack surface. Every open port that shouldn't be open, every default credential that wasn't changed, every world-readable file with sensitive content is an exposure waiting to be found. Server hardening is the process of reducing that attack…
Start with the Attack Surface Inventory
Before changing anything, know what's running:
# All listening ports
ss -tlnp
# Running services
systemctl list-units --type=service --state=running
# SUID/SGID files (privilege escalation candidates)
find / -perm /6000 -type f 2>/dev/null
# World-writable directories
find / -xdev -type d -perm -0002 2>/dev/null
Document what each open port and running service is for. If you can't immediately answer "why is this port open," that's the first thing to investigate.
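The "why is this port open" question can be asked automatically. The following script is an added example, not code from the original article: it compares the listeners reported by ss -tlnp against an assumed allowlist of documented ports and reports the rest, run here over a constructed ss sample.

```shell
#!/bin/sh
# Added example, not part of the original article: compare the listening
# TCP ports reported by `ss -tlnp` with a documented allowlist and report
# every listener that has no documented reason to exist.

# Assumed allowlist: ports that are documented for this host (space-separated).
ALLOWED_PORTS="22 80 443"

# Constructed sample of `ss -tlnp` output. On a live host replace it with:
#   ss -tlnp | unexpected_ports
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1203,fd=6))
LISTEN 0      511    [::]:443          [::]:*       users:(("nginx",pid=1203,fd=7))
LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*    users:(("mysqld",pid=1450,fd=21))
LISTEN 0      128    0.0.0.0:6379      0.0.0.0:*    users:(("redis-server",pid=1501,fd=6))'

# unexpected_ports: reads ss output on stdin and prints "port process scope"
# for each listener whose port is not in ALLOWED_PORTS. scope is "loopback"
# for 127.0.0.0/8 or ::1 binds (reachable only locally) and "exposed"
# otherwise, so the exposed ones can be triaged first. Listeners whose
# process is hidden (ss run without root) are reported with process "?".
unexpected_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)          # text after the last colon
        bind = $4; sub(/:[^:]*$/, "", bind)       # text before the last colon
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        scope = (bind ~ /^127\./ || bind == "[::1]") ? "loopback" : "exposed"
        if (!(port in ok)) printf "%s %s %s\n", port, proc, scope
    }'
}

# exposed_count: number of undocumented listeners reachable from the network.
exposed_count() {
    unexpected_ports | awk '$3 == "exposed"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SS" | unexpected_ports
```

Running this from cron and diffing against the previous run turns the one-time inventory into drift detection for the quarterly review.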
SSH Hardening
SSH is the primary administrative access vector on Linux servers, and the primary target for brute-force attacks. Hardening SSH closes off the most common attack path before any other configuration.
Edit /etc/ssh/sshd_config and enforce these settings:
# Disable password authentication entirely
PasswordAuthentication no
# Keyboard-interactive auth; on OpenSSH 8.7+ the keyword is KbdInteractiveAuthentication
ChallengeResponseAuthentication no
# Disable root login over SSH
PermitRootLogin no
# Use a non-standard port (reduces automated scan noise, not targeted attacks)
Port 2222
# Restrict SSH to specific users
AllowUsers deploy_user admin_user
# Reduce the authentication timeout window
LoginGraceTime 30
MaxAuthTries 3
# Disable legacy protocol features
# (Protocol is ignored by modern OpenSSH, which only speaks SSH-2)
Protocol 2
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
# Keep-alive settings to terminate idle sessions
ClientAliveInterval 300
ClientAliveCountMax 2
Key-based authentication is mandatory once password authentication is disabled. Generate keys on your local machine with ssh-keygen -t ed25519 and copy the public key to ~/.ssh/authorized_keys on the server before disabling passwords.
Apply the changes: systemctl restart sshd. Verify that you can still connect via key before closing your current session.
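A checker for the settings above, as an added example that is not part of the original article. It assumes the required values listed above and reads a constructed sshd_config; it exists because sshd's parsing rules (first occurrence of a keyword wins, and directives after a Match line are conditional) make a plain grep unreliable.

```shell
#!/bin/sh
# Added example, not part of the original article: check an sshd_config file
# against the hardened values above. Two sshd parsing rules defeat a naive grep:
# for a repeated keyword the FIRST occurrence wins, and directives after a
# "Match" line apply only to that match, so the scan stops there.

# Assumed required settings ("Keyword value"), taken from the list above.
REQUIRED="PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding no"

# Constructed sample with two common mistakes: a duplicate keyword whose weak
# value comes first, and a hardened value placed below a Match block.
SAMPLE_CONFIG='# sshd_config (constructed sample)
PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
maxauthtries 3
X11Forwarding no
Match User backup
    AllowTcpForwarding no'

# check_sshd_config: reads sshd_config on stdin; prints "OK keyword value" or
# "FAIL keyword got=<value|unset>" per required keyword (matched
# case-insensitively, as sshd does); returns 1 if anything fails.
check_sshd_config() {
    awk -v required="$REQUIRED" '
    BEGIN {
        n = split(required, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " "); k = tolower(f[1])
            order[i] = k; name[k] = f[1]; want[k] = f[2]
        }
    }
    /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
    tolower($1) == "match" { exit }           # conditional section: stop here
    { k = tolower($1); if ((k in want) && !(k in got)) got[k] = $2 }   # first wins
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            k = order[i]; v = (k in got) ? got[k] : "unset"
            if (v == want[k]) printf "OK %s %s\n", name[k], v
            else { printf "FAIL %s got=%s\n", name[k], v; rc = 1 }
        }
        exit rc
    }'
}
printf '%s\n' "$SAMPLE_CONFIG" | check_sshd_config || echo "sshd_config needs attention"
```

On a live host, sshd -t validates the file before a restart and sshd -T prints the effective configuration after duplicates and Match blocks are resolved; this parser is for reviewing copies of the file offline.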
NIST Special Publication 800-123 provides comprehensive guidance on SSH configuration in production environments, including key management practices.
Firewall Configuration with nftables
Modern Linux distributions use nftables as the preferred firewall framework. A minimal ruleset for a web server:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Accept established/related connections
        ct state established,related accept
        # Accept loopback
        iif lo accept
        # Accept ICMP (ping), rate limited
        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept
        # Needed for IPv6 to work at all if it stays enabled (neighbour discovery)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # SSH on the custom port
        tcp dport 2222 ct state new limit rate 10/minute accept
        # HTTP and HTTPS
        tcp dport { 80, 443 } accept
        # Log and drop everything else
        log prefix "Dropped: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
Save it to /etc/nftables.conf and enable it: systemctl enable --now nftables. nft -c -f /etc/nftables.conf checks the syntax without loading the rules. The default policy is drop on inbound, so only explicitly allowed traffic gets through.
For servers running cPanel/WHM, cPanel manages its own firewall rules. Use ConfigServer Security & Firewall (CSF), which integrates with WHM and provides a UI for rule management without overriding cPanel's required ports.
User Account Management
Every user account is a potential compromise vector. Pay attention to:
Disable unused system accounts: Check /etc/passwd for accounts with login shells that shouldn't have them. Set their shell to /sbin/nologin:
usermod -s /sbin/nologin unused_account
Remove unnecessary sudo privileges: Use visudo to review /etc/sudoers. Every line granting NOPASSWD sudo is a privilege escalation path if that account is compromised. Require a password for all sudo operations in production.
Use role-based user accounts: Application services should run as their own dedicated system user with minimal permissions. The web server shouldn't run as root. MySQL shouldn't run as root. Create application-specific users:
useradd -r -s /sbin/nologin -d /var/www/app appuser
chown -R appuser:appuser /var/www/app
Audit last logins regularly: lastlog | grep -v Never shows the accounts that have been used to log in. Accounts you didn't expect to see in that output warrant investigation.
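Two small audit helpers for the account checks above, as an added example that is not part of the original article. They read copies of /etc/passwd and /etc/sudoers on stdin; the nologin shell list and the sample files are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: two audit helpers for the
# account checks above, reading copies of /etc/passwd and /etc/sudoers on stdin
# so they also work on files pulled from a server or on the samples below.

# Assumed set of shells that cannot start an interactive session.
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# Constructed /etc/passwd excerpt: "backup" keeps a shell it should not have,
# and "legacy" has an empty shell field, which login treats as /bin/sh.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
appuser:x:998:998::/var/www/app:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
legacy:x:1002:1002::/home/legacy:
deploy_user:x:1001:1001::/home/deploy_user:/bin/bash'

# Constructed sudoers excerpt: a commented-out grant, a password-free grant
# and a Defaults line that disables prompting, which is NOPASSWD in disguise.
SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL:ALL) ALL
# deploy_user ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
ci_runner ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
Defaults:ci_runner !authenticate'

# interactive_accounts: print "user shell" for each passwd entry whose shell is
# not in NOLOGIN_SHELLS. Expected admins appear here too; the list is meant to
# be compared against who should be able to log in.
interactive_accounts() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
    BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) blocked[s[i]] = 1 }
    NF >= 7 { shell = ($7 == "") ? "/bin/sh" : $7; if (!(shell in blocked)) print $1, shell }'
}

# passwordless_sudo: print live (uncommented) sudoers lines that grant sudo
# without a password, via NOPASSWD or "!authenticate". Real sudoers usually
# pull in /etc/sudoers.d with @includedir, so run this over those files too.
passwordless_sudo() {
    awk '!/^[ \t]*#/ && (/NOPASSWD/ || /!authenticate/)'
}

printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
printf '%s\n' "$SAMPLE_SUDOERS" | passwordless_sudo
```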
Kernel Hardening via sysctl
Several kernel parameters reduce the attack surface for network-level exploits:
# /etc/sysctl.d/99-hardening.conf
# Disable IP source routing (used in some spoofing attacks)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable reverse path filtering (anti-spoofing)
net.ipv4.conf.all.rp_filter = 1
# Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Log martian packets (packets with impossible source addresses)
net.ipv4.conf.all.log_martians = 1
# Disable IPv6 if not in use
net.ipv6.conf.all.disable_ipv6 = 1
# Hide kernel pointers and restrict dmesg to root
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
Apply with sysctl -p /etc/sysctl.d/99-hardening.conf.
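Applying a file once does not guarantee the values stay in effect: a later file in /etc/sysctl.d, a reboot, or another tool can overwrite them. The following drift check is an added example, not code from the original article; it maps each key in the drop-in to its /proc/sys path and compares, run here against a constructed fake tree rather than a live kernel.

```shell
#!/bin/sh
# Added example, not part of the original article: confirm that every value in
# a sysctl drop-in is actually in effect. Only /proc/sys knows the live value,
# so the check reads it from there; it is run against a constructed fake tree
# here so that it works offline.

# check_sysctl CONF PROCSYS: for each "key = value" line in CONF, read
# PROCSYS/<key with dots turned into slashes> and print "OK key",
# "DRIFT key want=.. got=.." or "MISSING key" (no such key on this kernel,
# e.g. IPv6 compiled out). Returns 1 unless every line is OK. Keys that embed
# dots in an interface name (net.ipv4.conf.eth0.100.rp_filter) need a smarter
# mapping than this one.
check_sysctl() {
    conf=$1; procsys=$2; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        want=$(printf '%s' "$line" | sed 's/.*=[[:space:]]*//')
        path="$procsys/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key"; rc=1
        elif [ "$(cat "$path")" = "$want" ]; then
            echo "OK $key"
        else
            echo "DRIFT $key want=$want got=$(cat "$path")"; rc=1
        fi
    done < "$conf"
    return $rc
}

# build_sample_tree DIR: constructed fake /proc/sys and a small config with one
# drifted value (rp_filter) and one key that does not exist (IPv6).
build_sample_tree() {
    mkdir -p "$1/proc/net/ipv4/conf/all" "$1/proc/kernel"
    echo 0 > "$1/proc/net/ipv4/conf/all/accept_redirects"
    echo 0 > "$1/proc/net/ipv4/conf/all/rp_filter"
    echo 2 > "$1/proc/kernel/kptr_restrict"
    cat > "$1/hardening.conf" <<'EOF'
# constructed subset of 99-hardening.conf
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.disable_ipv6 = 1
kernel.kptr_restrict = 2
EOF
}

# Live use: check_sysctl /etc/sysctl.d/99-hardening.conf /proc/sys
demo=$(mktemp -d) && build_sample_tree "$demo"
check_sysctl "$demo/hardening.conf" "$demo/proc" || echo "sysctl drift detected"
rm -rf "$demo"
```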
File System Security
Set correct permissions on sensitive directories and files:
chmod 750 /root
chmod 644 /etc/passwd
chmod 640 /etc/shadow
chmod 600 /etc/ssh/sshd_config
Mount options that reduce privilege escalation risks:
Edit /etc/fstab to add noexec, nosuid, and nodev to partitions that shouldn't contain executable files:
/dev/sdb1 /var/tmp ext4 defaults,noexec,nosuid,nodev 0 2
Audit file integrity with AIDE: AIDE (Advanced Intrusion Detection Environment) builds a database of file checksums and can alert when files change unexpectedly. Initialize it with aide --init, move the newly written database into the path configured for checks, then run aide --check periodically or via cron. Unexpected changes to system binaries, libraries, or configuration files indicate a compromise.
Software and Package Management
Keep packages current: Unpatched vulnerabilities in the kernel, OpenSSL, glibc, and other system libraries are the most common path to server compromise after weak credentials.
# CentOS/AlmaLinux/Rocky Linux
dnf update --security -y
# Ubuntu/Debian (refresh the package index first, or upgrade has nothing new to apply)
apt-get update && apt-get upgrade -y
Automate security updates: dnf-automatic (RHEL family) or unattended-upgrades (Debian family) can be configured to apply security patches automatically while leaving major version upgrades for manual review.
Audit installed packages: Remove packages that were installed for testing and never removed. Every installed package is a potential vulnerability. rpm -qa (RHEL) or dpkg -l (Debian) lists everything installed.
Remove development tools from production servers: Compilers, debuggers, and package build tools don't belong on production servers. An attacker who gains limited access can use them to compile exploit code. Remove gcc, make, and similar tools if they're present.
Intrusion Detection and Log Monitoring
Fail2Ban monitors log files and blocks IPs that exhibit suspicious patterns: repeated failed SSH logins, Nginx 4xx error floods, and other abuse indicators. Fail2Ban is installable via the package manager on all major Linux distributions and works with any log file format.
Log centralization: Shipping logs to a remote syslog server means that even if the server is compromised and the local logs are wiped, you retain the audit trail. rsyslog supports remote logging natively. For teams already running an ELK stack (Elasticsearch, Logstash, Kibana) or a managed log aggregation service, configure the server's rsyslog.conf to forward to the central receiver.
Monarx malware detection: InMotion's Premier Care package includes Monarx, a file-scanning malware detection engine designed specifically for hosting environments. Monarx detects web shell uploads, malicious PHP injections, and cryptocurrency miners, the most common malware targeting Linux servers in hosting contexts. It runs at the kernel level without the performance impact of traditional antivirus solutions.
Scheduling Regular Audits
Hardening at provisioning time degrades over time if it isn't maintained. Set a quarterly review cycle covering:
- Review open ports against current application requirements
- Audit user accounts and SSH authorized_keys for all users
- Check the AIDE integrity database for unexpected file changes
- Review sudo grants and remove any that are no longer needed
- Apply any security patches that weren't applied automatically
- Review Fail2Ban and firewall logs for changes in attack patterns
The servers with the cleanest security records aren't the ones that were hardened once and forgotten. They're the ones where someone checks the work on a schedule.