Locking Down Your Linux Server

By: Steven J. Vaughan-Nichols

No matter what your Linux, you need to protect it with an iptables-based firewall.

Yes! You’ve just set up your first Linux server and you’re ready to rock and roll! Right? Uh, no.

By default, your Linux box is not secure against attackers. Oh sure, it’s more secure than Windows XP, but that’s not saying much.

To really nail down your Linux system you need to follow the instructions in Linode’s Securing your Server guide.

To summarize, you must — first — turn off the services you don’t need. Of course to do that, you need to know what network services you’re running in the first place.

You can find out what those are with the shell command:

netstat -tulpn

Netstat will tell you what services you’re running and what ports they’re using. If you don’t need a particular service or port, you should turn it off. For example, unless you’re running a website, you don’t need to be running the Apache or Nginx web servers or have the 80 or 8080 ports open.

In short, when in doubt, turn it off or close it down.

On a plain vanilla Linux server, with nothing extra, you’ll see SSH, RPC, and NTPdate up and running with open ports. Do not add such old and insecure shell programs as telnet or the hackers will rise up and slap your server right out of your control. Yeah, maybe you loved telnet back on your SunOS box in the 80s, but that was then and this is now.

As for SSH, be sure to lock it down with RSA keys and Fail2Ban. Unless you need RPC — and if you need it, you’ll know — go ahead and uninstall it.

So much for closing your doors; let’s talk about using iptables to lock them from intruders.

When you start your Linux server it has no — nada — rules. That means all traffic is allowed. This is NOT GOOD. So, you need to setup your firewall … as soon as possible!

Iptables is a shell utility that sets network rule policies for netfilter, Linux’s default firewall, using a set of rules to allow or block traffic. When someone tries to connect with your system — and someone will every day, without fail — iptables looks to match the request with its rules list. If it can’t find a match, it will resort to whatever the default action is.

That action should be to “Drop” the connection, which will block those outsiders wanting in. But it won’t let them know what happened to their attempts to knock on your server’s network door. (You could also “Reject” the connection, but that let’s them know you have a Linux firewall up and running. These days, the less information a stranger has about my system, the better. At least, that’s my philosophy.)

Now, you could set up your firewall with just iptables. I’ve done it. But then, I used to ride a bike to work six miles away, uphill both directions. These days, I drive.

That means I use FirewallD for the Fedora distributions and UFW [Uncomplicated Firewall] for the Debian family. These are easy-to-use, shell front-ends to iptables. For the finer details on how use either, see these Linode guides: FirewallD and UFW.

Both come with default rule sets that, in essence, put up “No Trespassing” signs around your server. Use them.

But don’t get too excited about shutting down all your connections. For example:

sudo ufw default deny incoming

may look like a good idea. After all, it blocks everything!

Well, yes. Yes, it does. That means it also blocks ssh. And that means you can no longer get to your shiny new server. Whoops!

Still, if you’re going to err, err on the side of blocking more connections. You see — the hackers really are out to get you.

Or, to be more exact, it’s not you or your servers personally. Sure, you’re not the National Security Agency (NSA), which gets — no kidding — 300-million hacking attempts per day. But a hacking script doesn’t care. It just screens the internet looking for a server with a known hole. My own quiet little servers get hundreds of attacks — on a slow day.

So, what are you waiting for? Go, lock down your network services. Install FirewallD or UFW and secure your servers. You’ll be glad you did.