Home  >  Article  >  Operation and Maintenance  >  Linux server security hardening: configure and optimize your system

Linux server security hardening: configure and optimize your system

WBOY
WBOYOriginal
2023-09-08 15:19:411323browse

Linux server security hardening: configure and optimize your system

Linux server security hardening: Configure and optimize your system

Introduction:
Protect your Linux server in today's environment of increasing information security threats Protection from malicious attacks and unauthorized access becomes critical. To harden your system security, you need to take a series of security measures to protect your server and the sensitive data stored on it. This article will cover some key configuration and optimization steps to improve the security of your Linux server.

1. Update and manage software packages
Installing the latest software packages and updates is crucial to maintaining the security of your system. You can use a package manager such as apt, yum or dnf to update your system and packages. Here is a sample command line for updating packages on Debian/Ubuntu and CentOS systems:

Debian/Ubuntu:

sudo apt update
sudo apt upgrade

CentOS:

sudo yum update

Additionally, you All software you install should be regularly reviewed and upgraded to plug possible vulnerabilities.

2. Configuring the firewall
Configuring the firewall is one of the first tasks to protect the Linux server. You can use iptables (IPv4) or nftables (IPv6) to configure firewall rules. Here is an example of configuring a firewall using iptables:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -j DROP

The above example allows connections via SSH, allowing established connections and associated packets to pass through, and remaining packets will be denied.

3. Disable unnecessary services
Disabling unnecessary services can reduce the attackable surface area. You can view the list of running services and disable the ones you don't need. For example, if your server is not required to run a web server, you can disable services such as Apache or Nginx.

View running services (Ubuntu/Debian):

sudo service --status-all

Disable unnecessary services:

sudo service <service-name> stop
sudo systemctl disable <service-name>

4. Disable unsafe protocols and encryption algorithms
Disabling insecure protocols and encryption algorithms prevents malicious attackers from exploiting weaknesses to gain entry into your system. You can disable insecure protocols and encryption algorithms by editing the OpenSSH server configuration file. Locate and edit the /etc/ssh/sshd_config file and comment out or change the following lines to more secure options:

# Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

Commenting out or changing these lines will use a more secure encryption algorithm and Message authentication code.

5. Configure secure remote access
Remote access is an essential part of server management, but it can also easily become a way for attackers to invade. To protect your server from remote attacks, you can configure the following:

  • Use SSH key to log in instead of password
  • Disable root login
  • Configure disallowed login Users with empty passwords
  • Use anti-brute-force cracking tools, such as Fail2ban

6. Back up important data regularly
No matter how many security measures you take, you cannot guarantee complete protection against attack. Therefore, it is very important to back up important data regularly. You can use various backup tools such as rsync, tar or Duplicity to back up your data regularly.

# 创建数据备份
sudo tar -cvzf backup.tar.gz /path/to/important/data

# 还原备份数据
sudo tar -xvzf backup.tar.gz -C /path/to/restore/data

7. Encrypt sensitive data
For sensitive data stored in the server, you can use encryption to further protect it. For example, you can use GPG or openssl to encrypt files or directories.

Use GPG to encrypt files:

gpg --cipher-algo AES256 -c filename

Use openssl to encrypt files:

openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc

Conclusion:
By properly configuring and optimizing your Linux server, you can improve the performance of your system Security and reliability. This article covers some important security hardening steps, such as updating and managing software packages, configuring firewalls, disabling unnecessary services, disabling insecure protocols and encryption algorithms, configuring secure remote access, regularly backing up important data, and encrypting sensitive data. . By following these best practices, you can protect your server from a variety of security threats.

The above is the detailed content of Linux server security hardening: configure and optimize your system. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn