Securing your Linux server

Accounts with UID 0 have the highest privileges on the system. In most cases it should be the root account. The command below lists all accounts with UID 0.

sudo awk -F: '($3=="0"){print}' /etc/passwd

Accounts that don’t have a password have basically zero security. The next command prints all accounts that have no password.

sudo cat /etc/shadow | awk -F: '($2==""){print $1}'

Besides forbidding root login over SSH, you can also block the account completely on your server. You can block the root account with this command:

sudo passwd -l root

If you want to allow the account again (though I don’t know why you would), you can do it with this command:

sudo passwd root

Configure the password complexity requirements in /etc/security/pwquality.conf. I recommend setting a minimum password length of 16 characters.

sudo vi /etc/security/pwquality.conf
minlen = 16

You don’t need to run an FTP server alongside your web server if you aren’t using FTP. The same applies to other protocols that open backdoors into your system. Assuming you don’t use these services, use this command to remove unnecessary packages that can help hackers get into your server easily.

sudo apt-get purge --auto-remove telnetd ftp vsftpd samba nfs-kernel-server nfs-common

My next tip is to disable IPv6 on the entire server (assuming you don’t use it). With IPv6 disabled, your server should have a smaller attack surface.

sudo vi /etc/sysctl.conf
# disable ipv6 on the system

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
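
The checks on this page can be collected into one read-only audit script. The following is an added example, not part of the original post; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of the settings covered on this page.
# Every function takes the file to inspect as its argument.

# Accounts other than root that have UID 0 (field 3 of passwd).
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"; }

# Accounts whose password field (field 2 of shadow) is empty.
empty_pw() { awk -F: '$2 == "" {print $1}' "$1"; }

# Prints "locked" when root's password field starts with "!" (what
# passwd -l prepends) or "*", "unlocked" otherwise, "missing" if absent.
root_state() {
    awk -F: '$1 == "root" {s = ($2 ~ /^[!*]/) ? "locked" : "unlocked"}
             END {print (s == "" ? "missing" : s)}' "$1"
}

# Last uncommented minlen value in pwquality.conf, or 0 when unset.
minlen() {
    awk -F= '/^[[:space:]]*minlen[[:space:]]*=/ {v = $2} END {print v + 0}' "$1"
}

# The page's three disable_ipv6 keys that are not set to 1 in sysctl.conf.
ipv6_missing() {
    for k in all default lo; do
        key="net.ipv6.conf.$k.disable_ipv6"
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" \
            || echo "$key"
    done
}

# Constructed sample files, so the example runs without root.
d=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'toor:x:0:0::/root:/bin/sh' \
    'www-data:x:33:33::/var/www:/usr/sbin/nologin' > "$d/passwd"
printf '%s\n' 'root:!$6$salt$hash:19000:0:99999:7:::' 'toor::19000:0:99999:7:::' \
    'www-data:*:19000:0:99999:7:::' > "$d/shadow"
printf '%s\n' '# minlen = 8' 'minlen = 16' > "$d/pwquality.conf"
printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 1' \
    'net.ipv6.conf.default.disable_ipv6 = 0' > "$d/sysctl.conf"

echo "extra UID 0: $(extra_uid0 "$d/passwd")"
echo "empty password: $(empty_pw "$d/shadow")"
echo "root: $(root_state "$d/shadow")"
echo "minlen: $(minlen "$d/pwquality.conf")"
echo "ipv6 keys not set to 1: $(ipv6_missing "$d/sysctl.conf" | tr '\n' ' ')"
```

To audit a real server, pass /etc/passwd, /etc/shadow, /etc/security/pwquality.conf and /etc/sysctl.conf to the functions instead of the sample files; reading /etc/shadow needs root.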

With all that done, you should (hopefully) have a secure Linux server.
