
How to Build Secure Linux Server? [Part 2]

Essential Steps to Build a Secure Linux Server


After covering the foundational steps in Part 1, it’s time to take your Linux server's security to the next level. Even with basic protections in place, determined attackers often exploit overlooked areas and subtle vulnerabilities. This section focuses on advanced measures, diving deeper into best practices like network hardening, file integrity monitoring, and proactive intrusion detection. Each step is tailored to enhance your server's defenses while ensuring minimal impact on performance. Let’s build a fortress around your Linux server and stay ahead of emerging threats!

26. Set Up DNS Security Extensions (DNSSEC)

Why?

DNSSEC protects your DNS records from tampering by adding verification, preventing attackers from redirecting traffic to malicious sites.

How to Do It

With BIND: Enable DNSSEC validation in the options block of named.conf (named.conf.options on Debian/Ubuntu):

options {
    dnssec-validation auto;   # validate answers against the built-in root trust anchor
};

The dnssec-enable directive that older guides pair with this line is obsolete since BIND 9.16 and rejected by later releases, so leave it out. Note that validation protects the lookups your resolver makes; to protect your own zone's records you also have to sign the zone (BIND's dnssec-policy statement) and publish the DS record at your registrar. Run named-checkconf after editing and confirm with dig +dnssec that answers carry the ad flag.

On Cloud Providers: Many DNS providers (like AWS Route 53) offer DNSSEC as an option in their configuration settings.


27. Use a Host-Based Intrusion Detection System (HIDS)

Why?

A HIDS monitors your server for suspicious activity, alerting you to potential intrusions in real time.

How to Do It

Install a HIDS like OSSEC. The ossec-hids package is not in the stock Debian/Ubuntu archives, so add the OSSEC project's apt repository (or build from the source tarball) before running:

sudo apt install ossec-hids

Configure alert thresholds and actions in /var/ossec/etc/ossec.conf to receive notifications for any detected malicious activity, and generate a test event (a deliberately failed login, for example) to confirm that alerts actually arrive.

28. Regularly Rotate Encryption Keys and Credentials

Why?

Regularly rotating keys, passwords, and certificates reduces the likelihood of old, compromised credentials remaining in use.

How to Do It

  1. Use a Credential Management System to handle key rotation, like AWS KMS for AWS resources.

  2. Rotate SSH keys, API keys, and passwords on a regular basis by generating new ones and removing old ones.

29. Apply Principle of Least Privilege (PoLP)

Why?

The Principle of Least Privilege ensures users and processes only have the permissions they absolutely need, reducing the potential impact of compromised accounts.

How to Do It

  1. Assign specific commands to each user in /etc/sudoers (edit it with visudo, which syntax-checks the file before saving) rather than granting full sudo access.

  2. For database users, grant access only to the specific tables or operations needed.

  3. Example for MySQL:

GRANT SELECT, INSERT ON database.* TO 'user'@'host';

30. Monitor for Configuration Drift

Why?

Configuration drift, where server configurations deviate from the original secure state, can introduce vulnerabilities over time. Automated configuration checks can keep you aware of unauthorized changes.

How to Do It

  1. Use a configuration management tool like Ansible, Chef, or Puppet to define and enforce a secure baseline configuration.

  2. Regularly audit configurations with tools like Lynis or custom scripts.
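A minimal version of such a custom check, added here as an example (not a Kloudnative script and not output from Ansible or Lynis): it records a SHA-256 hash of every file under a configuration directory as a baseline, then reports files that were modified, removed or added since. It assumes sha256sum (or shasum) and standard POSIX tools are present; the directory names in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: baseline/drift check for a
# configuration directory. Assumes sha256sum or shasum is installed.
# Paths containing spaces are not supported (kept simple for readability).

# Pick a SHA-256 tool that exists on both GNU and BSD userlands.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# take_baseline DIR BASELINE
# Write "hash  path" for every regular file under DIR, in a stable order,
# so two runs over identical content give byte-identical baselines.
take_baseline() {
    tool=$(sha256_tool)
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        $tool "$f"
    done > "$2"
}

# check_drift DIR BASELINE
# Print MODIFIED / REMOVED / ADDED followed by the path for each change.
# Returns 0 when nothing drifted and 1 otherwise, so a cron job can turn
# a non-zero exit into an alert.
check_drift() {
    current=$(mktemp)
    take_baseline "$1" "$current"
    status=0
    # Walk the baseline: missing now -> REMOVED, hash differs -> MODIFIED.
    while read -r hash path; do
        now=$(awk -v p="$path" '$2 == p { print $1 }' "$current")
        if [ -z "$now" ]; then
            echo "REMOVED $path"; status=1
        elif [ "$now" != "$hash" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$2"
    # Walk the current state: anything absent from the baseline -> ADDED.
    while read -r hash path; do
        if ! awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$2"; then
            echo "ADDED $path"; status=1
        fi
    done < "$current"
    rm -f "$current"
    return "$status"
}
```

Typical use (assumed paths): take_baseline /etc/ssh /var/lib/drift/ssh.baseline right after hardening, then run check_drift /etc/ssh /var/lib/drift/ssh.baseline from cron and alert on a non-zero exit. Store the baseline somewhere the monitored host cannot rewrite (a read-only mount or the remote log host), otherwise an attacker who changes a file can simply re-baseline it.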

31. Set Up a Web Application Firewall (WAF)

Why?

A Web Application Firewall (WAF) protects against common web-based attacks, such as SQL injection, cross-site scripting (XSS), and request forgery. This is essential if your Linux server hosts web applications.

How to Do It

Use a WAF like ModSecurity to protect web applications:

sudo apt install libapache2-mod-security2  # For Apache
sudo apt install modsecurity-crs           # Install Core Rule Set (CRS) rules

Enable ModSecurity in /etc/modsecurity/modsecurity.conf (on Debian/Ubuntu, copy the shipped modsecurity.conf-recommended to that name first). The shipped default is SecRuleEngine DetectionOnly, which logs rule matches without blocking; switch to blocking mode only after reviewing the audit log for false positives on your application:

SecRuleEngine On

Regularly update your WAF rules to cover the latest threats.

32. Implement Application Sandboxing

Why?

Application sandboxing isolates applications from each other, minimizing the risk that a vulnerability in one application affects the entire server.

How to Do It

  1. Use Firejail or AppArmor for application sandboxing:

sudo apt install firejail

To sandbox a program, use Firejail:

firejail program_name

Configure profiles for each application to restrict access to files and directories it doesn't need. Firejail ships default profiles in /etc/firejail/; copy the one you want to tighten into ~/.config/firejail/ and edit that copy so package upgrades don't overwrite your changes.

33. Configure Two-Factor Authentication (2FA) for SSH with Duo

Why?

Adding two-factor authentication (2FA) provides a second layer of security, making it much harder for unauthorized users to access the server.

How to Do It

Install Duo Security's PAM module for 2FA:

sudo apt install libpam-duo

  1. Configure /etc/duo/pam_duo.conf to set up the Duo parameters (integration key, secret key and API host from your Duo admin panel).

  2. Update /etc/pam.d/sshd to enable Duo:

auth required pam_duo.so

PAM is only consulted for SSH logins if sshd_config has UsePAM yes and KbdInteractiveAuthentication yes (ChallengeResponseAuthentication on older OpenSSH releases).

Test logging in with SSH from a second terminal while keeping your existing session open, so a misconfiguration cannot lock you out of the server.

34. Conduct Regular Vulnerability Scans

Why?

Vulnerability scans help you identify and address security issues in the server and software before attackers can exploit them.

How to Do It

Use OpenVAS or Nessus to conduct scans:

  • For OpenVAS:

sudo apt install openvas

On recent Ubuntu and Kali releases the metapackage is named gvm (the Greenbone Vulnerability Management suite that OpenVAS is now part of), so try that name if openvas is not found.

  • Follow the setup instructions (the vulnerability feed must be downloaded before the first scan), then run scans against your own hosts.

Schedule scans weekly or monthly and address any vulnerabilities found.

35. Implement Data Loss Prevention (DLP) Measures

Why?

Data Loss Prevention (DLP) protects sensitive information from unauthorized access and prevents accidental or intentional leaks.

How to Do It

  1. Use file integrity monitoring tools like AIDE to track changes to sensitive data.

  2. Encrypt all sensitive data using GPG or OpenSSL.

  3. Set permissions on sensitive files and ensure they are not accessible by non-authorized users.

36. Use Immutable Backups and Snapshots

Why?

Immutable backups prevent modification or deletion, ensuring that you have a reliable recovery point if data is compromised.

How to Do It

  1. Use cloud backup solutions with immutable backup options (e.g., AWS Backup).

  2. Set up regular snapshots of data and server configurations on cloud platforms like AWS or using rsync for local snapshots.

37. Configure Advanced Auditing with Auditbeat and Filebeat

Why?

Auditbeat and Filebeat (Elastic’s Beats suite) provide advanced logging and auditing features, allowing for in-depth monitoring of file integrity, login attempts, and more.

How to Do It

Install Filebeat and Auditbeat. Both come from Elastic's apt repository rather than the Debian/Ubuntu archives, so add that repository (or download the .deb packages from elastic.co) first, then:

sudo apt install filebeat auditbeat

Configure /etc/auditbeat/auditbeat.yml to monitor critical files (the file_integrity module) and to capture logins and privilege changes (the auditd module), and log all activities.

Integrate with an ELK stack (Elasticsearch, Logstash, Kibana) for real-time alerts and monitoring.

38. Set Up Remote Logging

Why?

Remote logging ensures you have a copy of logs even if your server is compromised, allowing you to analyze incidents without relying on potentially tampered local logs.

How to Do It

Configure rsyslog to forward logs to a remote server:

sudo nano /etc/rsyslog.conf

Add:

*.* @remote_log_server:514

A single @ forwards over UDP, which is unacknowledged and easy to lose or spoof; the @@remote_log_server:514 form uses TCP instead. For logs that must stand up as evidence, go one step further and enable TLS on the forwarding action (rsyslog's gtls stream driver) so the copy cannot be read or altered in transit, and restrict the remote server to accepting connections from your own hosts.

Restart rsyslog:

sudo systemctl restart rsyslog
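As an added example (not part of the original post), a small shell linter for those forwarding rules: it reports every rule that forwards over plain UDP (single @) and can rewrite such rules as TCP actions with a disk-assisted queue, so events are retried rather than silently dropped while the collector is unreachable. The hostname logs.example.internal in the usage and the queue file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Lints classic rsyslog
# forwarding rules: "*.* @host:514" sends over UDP (lossy, unencrypted),
# "*.* @@host:514" over TCP. Enabling TLS (omfwd StreamDriver settings or
# RELP) is the target state but is out of scope for this check.

# check_rsyslog_forwarding FILE
# Prints "UDP <rule>" or "TCP <rule>" per forwarding rule and returns 1
# if any plain-UDP rule is present, 0 otherwise.
check_rsyslog_forwarding() {
    weak=0
    while read -r sel action _rest; do
        case "$sel" in ''|'#'*) continue ;; esac      # blank lines and comments
        case "$action" in
            @@*) echo "TCP $sel $action" ;;
            @*)  echo "UDP $sel $action"; weak=1 ;;
        esac
    done < "$1"
    return "$weak"
}

# fix_rsyslog_forwarding IN OUT
# Copies IN to OUT, rewriting each plain-UDP rule as a RainerScript omfwd
# action over TCP with an on-disk queue that survives a restart.
fix_rsyslog_forwarding() {
    while IFS= read -r line; do
        flat=$(printf '%s' "$line" | tr '\t' ' ')
        case "$flat" in
            '#'*|*' @@'*) echo "$line" ;;              # comment or already TCP
            *' @'*)
                sel=${flat%% *}
                target=${flat#* @}
                target=${target%% *}                  # drop any trailing text
                host=${target%%:*}
                port=${target#*:}
                if [ "$port" = "$target" ]; then
                    port=514                          # no port given: rsyslog default
                fi
                printf '%s action(type="omfwd" target="%s" port="%s" protocol="tcp" queue.type="LinkedList" queue.filename="fwd_%s" queue.saveOnShutdown="on" action.resumeRetryCount="-1")\n' \
                    "$sel" "$host" "$port" "$host"
                ;;
            *) echo "$line" ;;
        esac
    done < "$1" > "$2"
}
```

Run check_rsyslog_forwarding /etc/rsyslog.conf as a post-deploy check, and if it flags rules, review the output of fix_rsyslog_forwarding /etc/rsyslog.conf /tmp/rsyslog.conf.new before putting it in place and restarting rsyslog. The queue file name includes the target host so that two forwarding actions never share a queue, which rsyslog requires.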

39. Perform Regular Penetration Testing

Why?

Penetration testing simulates attacks on your server to uncover weaknesses, providing insights into areas that need reinforcement.

How to Do It

Use tools like Metasploit, Nmap, or Nikto to perform tests.

sudo apt install nmap nikto

Work with a qualified penetration tester for in-depth assessments.

Act on findings to mitigate vulnerabilities.

40. Implement Access Control Lists (ACLs) for Fine-Grained Permissions

Why?

ACLs provide more flexibility than traditional permissions, allowing you to specify access control at a more granular level for different users and groups.

How to Do It

  1. ACL support is enabled by default on ext4 and XFS; what is usually missing is the acl package, which provides the setfacl and getfacl tools.

  2. Use setfacl to define permissions on files:

sudo setfacl -m u:username:rwx /path/to/file

Use getfacl to review ACLs:

getfacl /path/to/file

41. Use Bastion Hosts for Secure Server Access

Why?

A bastion host is a secure server used to access other servers, adding a layer of control and logging for access to sensitive servers.

How to Do It

  1. Set up a separate bastion server with strict security controls and access monitoring.

  2. Require all SSH traffic to production servers to go through the bastion host.

  3. Configure MFA and detailed logging on the bastion for secure access tracking.

42. Harden Database Access

Why?

Databases often store sensitive information and are common attack targets. Securing database access reduces the risk of data breaches.

How to Do It

  1. Restrict database access to specific IPs using configuration settings in MySQL, PostgreSQL, or other databases.

  2. Use encryption for data at rest and in transit.

  3. Regularly update database passwords and apply the least privilege principle to user roles.

43. Regularly Review Logs and Analyze Suspicious Activities

Why?

Regular log reviews help detect suspicious activities early, giving you the chance to respond to security incidents proactively.

How to Do It

  1. Set up tools like Splunk or Graylog for log analysis and visualization.

  2. Create automated alerts for specific events, such as repeated failed login attempts or unusual file access patterns.

  3. Review critical logs regularly (auth.log, syslog, and application-specific logs).
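One such automated alert, written out as an added example (not a Kloudnative script and not Splunk or Graylog configuration): it counts OpenSSH "Failed password" events per source address in auth.log-style lines and reports sources over a threshold, and separately lists the usernames tried against non-existent accounts. The log lines in sample_auth_log are constructed for the demo (TEST-NET addresses), and the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: flag source addresses with
# repeated SSH password failures in auth.log-style lines. The lines in
# sample_auth_log are constructed for the demo, not real captures.

# sample_auth_log: constructed OpenSSH lines in the /var/log/auth.log layout.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:01:12 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 4422 ssh2
Mar  3 10:01:15 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 4422 ssh2
Mar  3 10:01:18 web1 sshd[2213]: Invalid user admin from 203.0.113.7 port 4431
Mar  3 10:01:18 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 4431 ssh2
Mar  3 10:01:20 web1 sshd[2215]: Accepted publickey for deploy from 198.51.100.10 port 50112 ssh2
Mar  3 10:01:22 web1 sshd[2217]: Invalid user test from 203.0.113.7 port 4440
Mar  3 10:01:22 web1 sshd[2217]: Failed password for invalid user test from 203.0.113.7 port 4440 ssh2
Mar  3 10:01:30 web1 sshd[2219]: Failed password for deploy from 198.51.100.10 port 50120 ssh2
Mar  3 10:01:33 web1 sshd[2220]: Invalid user admin from 203.0.113.7 port 4445
Mar  3 10:01:33 web1 sshd[2220]: Failed password for invalid user admin from 203.0.113.7 port 4445 ssh2
Mar  3 10:01:35 web1 sshd[2221]: Invalid user oracle from 203.0.113.7 port 4450
Mar  3 10:01:35 web1 sshd[2221]: Failed password for invalid user oracle from 203.0.113.7 port 4450 ssh2
EOF
}

# failed_login_sources LOGFILE [THRESHOLD]
# Prints "COUNT IP" for each source with at least THRESHOLD (default 5)
# "Failed password" events, busiest first. Only "Failed password" lines are
# counted: the "Invalid user" line sshd logs just before some of them would
# otherwise double-count a single attempt.
failed_login_sources() {
    awk -v t="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip }
    ' "$1" | sort -rn
}

# targeted_usernames LOGFILE
# Prints "COUNT USER" for names tried against accounts that do not exist
# (the "Invalid user" lines): useful for spotting which service accounts
# attackers assume are present.
targeted_usernames() {
    awk '
        /sshd\[[0-9]+\]: Invalid user / {
            for (i = 1; i <= NF; i++)
                if ($i == "user") { users[$(i + 1)]++; break }
        }
        END { for (u in users) printf "%d %s\n", users[u], u }
    ' "$1" | sort -rn
}
```

Run failed_login_sources /var/log/auth.log 5 from cron (or feed it the output of journalctl -u ssh on journald-only systems) and page on any output; the same per-source count is what fail2ban automates with its sshd jail.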

44. Encrypt Disk Partitions

Why?

Encrypting disk partitions protects data in case of hardware theft or unauthorized physical access.

How to Do It

Use LUKS (Linux Unified Key Setup) to encrypt partitions. luksFormat destroys everything on the device, so run it only on an empty partition (or after a verified backup) and double-check the device name first:

sudo cryptsetup luksFormat /dev/sdx

Create a passphrase and follow the prompts to complete encryption.

Open the encrypted partition with cryptsetup (luksOpen is the older spelling of cryptsetup open --type luks). This exposes the decrypted block device at /dev/mapper/encrypted_partition, which you then format and mount like any other partition:

sudo cryptsetup luksOpen /dev/sdx encrypted_partition

45. Implement Zero-Trust Architecture Principles

Why?

Zero-trust principles mandate strict verification for every request, reducing the risk of insider threats and unauthorized access.

How to Do It

  1. Set up multi-factor authentication and apply least privilege principles across all services.

  2. Configure role-based access control (RBAC) on all applications.

  3. Use a policy engine (such as Open Policy Agent) to define fine-grained access policies for each service.

46. Apply a Honeypot System for Detection

Why?

Honeypots detect and track attackers by luring them to a vulnerable “fake” system, allowing you to study attack patterns without risking production systems.

How to Do It

Use tools like Cowrie or Dionaea to set up a honeypot. Cowrie is not packaged for Debian/Ubuntu: it is installed from its GitHub repository into a Python virtual environment under a dedicated unprivileged user, following the project's installation guide.

  1. Configure the honeypot on a separate network or subnet to capture attack data.

  2. Monitor honeypot activity to gain insights into attack methods.

47. Implement Server Hardening with CIS Benchmarks

Why?

The Center for Internet Security (CIS) provides industry-standard benchmarks to harden server configurations, ensuring compliance with best practices.

How to Do It

  1. Download the appropriate CIS benchmark for your server’s OS.

  2. Use tools like CIS-CAT or Lynis to automate benchmarking and scan for non-compliant settings.

sudo apt install lynis
sudo lynis audit system

Address non-compliance issues by following CIS recommendations.

48. Use Just-In-Time (JIT) Access Controls

Why?

Just-In-Time (JIT) access reduces risk by granting temporary access to users or applications only when needed, and only for a limited duration.

How to Do It

  1. Use tools like AWS Identity and Access Management (IAM) to enforce JIT policies.

  2. Configure automated workflows to allow temporary SSH keys to be issued and automatically revoked after the access window closes.

  3. Track JIT access requests and review them periodically for anomalies.

49. Implement Endpoint Detection and Response (EDR) Tools

Why?

Endpoint Detection and Response (EDR) tools provide advanced threat detection by monitoring server behavior, logging unusual activities, and providing incident response capabilities.

How to Do It

  1. Use EDR solutions like CrowdStrike Falcon or OSSEC.

  2. Configure EDR policies to detect specific threat behaviors and isolate infected endpoints if necessary.

  3. Regularly review and update EDR policies based on observed activity and emerging threats.

50. Use Hardware Security Modules (HSMs) for Key Management

Why?

Hardware Security Modules (HSMs) are tamper-resistant devices that securely manage encryption keys, adding an extra layer of physical security for sensitive cryptographic operations.

How to Do It

  1. Deploy an HSM for applications that handle sensitive data (e.g., financial transactions).

  2. Configure applications to use the HSM for cryptographic operations, such as TLS key storage and encryption.

  3. Regularly rotate and audit keys stored in the HSM to maintain security.

51. Apply Immutable Infrastructure Principles

Why?

Immutable infrastructure ensures that any changes or updates are made by replacing the entire system with a fresh version. This prevents configuration drift and limits the risk of unnoticed changes.

How to Do It

  1. Use Docker containers or HashiCorp Packer for creating immutable images.

  2. For critical updates, deploy new instances rather than updating the existing ones.

  3. Automate deployments with infrastructure-as-code tools like Terraform to ensure consistency.

52. Conduct Regular Compliance Audits

Why?

Compliance audits help verify that your server adheres to industry regulations (e.g., GDPR, HIPAA), which may require encryption, logging, or specific access controls.

How to Do It

  1. Use tools like Auditd or OpenSCAP to automate compliance checks.

  2. Set up regular auditing to review changes, permission violations, and access logs.

  3. Address any compliance issues promptly and document changes for audit records.

53. Create a Disaster Recovery Plan (DRP)

Why?

A Disaster Recovery Plan (DRP) enables quick recovery and continuity of services in case of data loss, security incidents, or hardware failure.

How to Do It

  1. Identify critical data, applications, and infrastructure needed for recovery.

  2. Set up automated backups to an offsite location, preferably encrypted.

  3. Regularly test the DRP by simulating disasters and ensuring all recovery steps are effective.

54. Harden the Kernel with Grsecurity

Why?

Grsecurity is a set of kernel patches that provide enhanced security features, including exploit mitigation and access control, hardening the kernel against many classes of attacks.

How to Do It

  1. Download the Grsecurity patches and apply them to the Linux kernel source.

  2. Recompile and install the patched kernel on your server.

  3. Configure Grsecurity settings to enforce strict access controls and mitigate memory-based exploits.

Note: Grsecurity is available for commercial use and may require a subscription for access.

55. Enable Memory Protection with ExecShield

Why?

ExecShield protects against buffer overflow and memory corruption attacks by marking memory segments as non-executable.

How to Do It

On older Red Hat based systems (RHEL/CentOS 6 and earlier), enable ExecShield by adding the following to /etc/sysctl.conf:

kernel.exec-shield=1

Current kernels no longer have this sysctl (sysctl reports an unknown key) because they enforce non-executable memory through the CPU's NX bit automatically, so the line is only relevant on those legacy systems.

Enable other related settings like Address Space Layout Randomization (ASLR) to make exploitation harder:

kernel.randomize_va_space=2

This is already the default on modern kernels; confirm it with sysctl kernel.randomize_va_space and apply changes to /etc/sysctl.conf with sudo sysctl -p.

56. Set Up Security Information and Event Management (SIEM)

Why?

A SIEM system aggregates and analyzes log data from across your infrastructure, providing centralized insight into security incidents and supporting compliance.

How to Do It

  1. Use tools like Splunk, AlienVault, or ELK Stack for SIEM.

  2. Configure the SIEM system to collect logs from servers, applications, and network devices.

  3. Set up alerting rules for high-severity incidents and review logs regularly to detect unusual patterns.

57. Restrict Access with Role-Based Access Control (RBAC) for Applications

Why?

RBAC enforces least privilege by assigning access based on job roles, minimizing the permissions each user or process has to only what’s necessary.

How to Do It

  1. Define roles and associated permissions within applications (e.g., using IAM for AWS resources).

  2. Review role assignments regularly to ensure users and services have appropriate permissions.

  3. Document role definitions and permissions for auditing.

58. Create a Data Retention Policy

Why?

Data retention policies define how long data is stored, helping to reduce storage costs and minimizing the risk of data leaks by removing unnecessary data.

How to Do It

  1. Set up automated data deletion schedules using cron jobs or cloud lifecycle policies.

  2. Define retention periods based on regulatory requirements and business needs.

  3. Ensure sensitive data is securely deleted to prevent recovery.
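A retention sweep in that style, added here as an example (not a Kloudnative script): it lists files under a directory older than a retention window, supports a dry run for review, and deletes expired files with shred where available. The directory and the 90-day window in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: retention sweep for a directory
# of exported reports. DIR and the retention window are assumptions.
# Secure deletion uses shred(1) where available; on journaling, copy-on-write
# or SSD-backed storage overwriting in place gives no guarantee, which is
# why retention should be paired with full-disk encryption.

# expired_files DIR DAYS
# Lists regular files under DIR not modified for more than DAYS days.
expired_files() {
    find "$1" -type f -mtime +"$2"
}

# purge_expired DIR DAYS [--dry-run]
# Deletes (or, with --dry-run, only lists) every expired file and prints
# one "deleted <path>" / "would delete <path>" line per file.
purge_expired() {
    mode="${3:-}"
    expired_files "$1" "$2" | while IFS= read -r f; do
        if [ "$mode" = "--dry-run" ]; then
            echo "would delete $f"
        else
            if command -v shred >/dev/null 2>&1; then
                shred -u -- "$f"      # overwrite the blocks, then unlink
            else
                rm -f -- "$f"
            fi
            echo "deleted $f"
        fi
    done
}
```

Review purge_expired /srv/exports 90 --dry-run once by hand, then schedule the real run from cron (for example daily at 03:00: 0 3 * * * /usr/local/sbin/purge_expired.sh /srv/exports 90) and keep its output in the system log so deletions are auditable.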

59. Set Up Honeytokens to Detect Unauthorized Access

Why?

Honeytokens are decoy data entries designed to detect unauthorized access or unusual activity. They act like digital “tripwires” and help identify insider threats or data breaches.

How to Do It

  1. Insert a fake record in your database that would only be accessed by unauthorized users.

  2. Set up monitoring to alert you when the honeytoken is accessed or modified.

  3. Investigate any alert to determine if unauthorized access has occurred.
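The monitoring step, as an added example (not part of the original post): a shell function that watches a MySQL general query log for any statement mentioning the honeytoken value and attributes the hit to the connecting account, using the Connect entry logged earlier on the same connection id. The decoy e-mail address, host names and log lines in sample_general_log are constructed; the line layout follows MySQL's general_log file format (timestamp, connection id, command, argument).

```shell
#!/bin/sh
# Added example, not from the original post: alert on honeytoken access in a
# MySQL general query log and name the account behind it. All values below
# are constructed for the demo.

# sample_general_log: constructed lines in MySQL general_log file layout.
# Real logs separate the columns with tabs; awk splits on any whitespace.
sample_general_log() {
    cat <<'EOF'
2024-03-03T10:02:01.000100Z    12 Connect   app@10.0.0.5 on shop using TCP/IP
2024-03-03T10:02:02.000200Z    13 Connect   backup@10.0.0.9 on shop using TCP/IP
2024-03-03T10:02:05.000300Z    12 Query     SELECT id, email FROM customers WHERE id = 1041
2024-03-03T10:02:09.000400Z    13 Query     SELECT * FROM customers WHERE email = 'ct-canary-8f3a@example.com'
2024-03-03T10:02:11.000500Z    13 Query     SELECT COUNT(*) FROM customers
2024-03-03T10:02:15.000600Z    12 Quit
EOF
}

# honeytoken_hits LOGFILE TOKEN
# Prints "ALERT conn=<id> user=<account> query=<statement>" for each Query
# entry whose text contains TOKEN, resolving the account from the Connect
# entry for that connection id. Returns 1 if there was any hit, else 0.
honeytoken_hits() {
    awk -v tok="$2" '
        $3 == "Connect" { who[$2] = $4 }          # remember who owns this connection
        $3 == "Query" && index($0, tok) > 0 {
            q = ""
            for (i = 4; i <= NF; i++) q = q (i > 4 ? " " : "") $i
            printf "ALERT conn=%s user=%s query=%s\n", $2, (($2 in who) ? who[$2] : "unknown"), q
            hits++
        }
        END { exit (hits ? 1 : 0) }
    ' "$1"
}
```

Two caveats shape how you use this. The statement that planted the decoy row will match too, so insert it through a path that is not logged or add its connection to an allow-list. And a query that dumps the whole table without naming the token (like the COUNT above) leaves no trace of the decoy in the query log; catching that kind of access needs a row-level hook (a trigger on a dedicated decoy table, for example) rather than log matching alone.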

Conclusion

Securing a Linux server is a continuous process that demands diligence and vigilance. Implementing these steps goes a long way in protecting your server from the vast majority of attacks. Remember, layering security measures — like firewalls, encryption, access control, and regular audits — helps create a robust defense against emerging threats. By staying proactive and regularly reviewing your server’s security posture, you’ll help ensure that your Linux environment remains secure and resilient.

These steps will give you a strong foundation for Linux server security and can be adapted to evolving threats and specific environments.