There has been lot said about hardening and security of Linux OS. I would like to highlight some points which are quite essential to secure your servers from attacks, hacks and hijacks.
- File-Directory Permissions :- Linux operating system is presented with file and directory permissions of 644 and 755(where r=4,w=2,x=1 and 1st user is owner,2nd is group ownership,3rd is for others who are not part of groups ). So never give 777 for a file or directory if you want user to get access try giving him a limited access rights of read.
- Passwords :- Passwords shouldn’t be predictable and kept strong with alpha numeric and special characters. Use chage command restricting users to change password after few months or days and faillog command to identify the failure logins and then locking the user.
- Disable root logins, enable sudo privileges for any user who has to use any root privileged services restart,shutdown etc.
- Have firewall(iptables,shorewall,tcp wrappers) etc enabled to prevent unauthorized packets and attacks like DOS,DDOS.Use IDS-IPS (Intrusion Detection-Prevention Systems) like OSSEC,Suricata etc for identifying & preventing attacks.
- Antivirus like ClamAV (Open Source) or Trend Micro,Commodo, Avast should be installed and configured well with regular updates.
- Kernel up-gradation & patching to prevent any loopholes or exploits in the kernel.
- Use portscanner like nmap,nessus for any unwanted ports opened and shut them off.
- Disable unwanted services if you are not using it.
- If you have an application server running on LAMP, jboss,tomcat enable application hardening like using of certificates (SSL), code & vulnerability scanning as per OWASP vulnerabilities as mentioned in my previous blog posts with tools like W3AF, OpenVAS,Acunetix etc.
- Ensure and use 3 tier architecture(Loadbalancer->Webserver->Application server-Database Server) with DMZ architecture so that your servers are not directly accessible and visible globally.
This are some pointers which I mentioned. Please feel free to comment or ask for any queries.