35. Disable unused services

You can disable unused services using the service command or the systemctl command:

    $ sudo systemctl stop service
    $ sudo systemctl disable service

For example, if you are not going to use the Nginx service for some time, disable it:

    $ sudo systemctl stop nginx
    $ sudo systemctl disable nginx

36. Use fail2ban/denyhost as IDS (Install an Intrusion Detection System)

Fail2ban or denyhost scans the log files for too many failed login attempts and blocks the IP address that is showing malicious signs. See how to install and use denyhost for Linux. One can install fail2ban easily:

    $ sudo apt-get install fail2ban

OR

    $ sudo yum install fail2ban

Edit the config file as per your needs:

    $ sudo vi /etc/fail2ban/jail.conf

Restart the service:

    $ sudo systemctl restart fail2ban.service

See also:
- Debian / Ubuntu Linux Install Advanced Intrusion Detection Environment (AIDE) Software
- psad: Linux Detect And Block Port Scan Attacks In Real Time

37. Secure Apache/PHP/Nginx server

Edit the httpd.conf file and add the following:

    ServerTokens Prod
    ServerSignature Off
    TraceEnable Off
    Options all -Indexes
    Header always unset X-Powered-By

To restart the httpd/apache2 server on Linux, run:

    $ sudo systemctl restart apache2.service

OR

    $ sudo systemctl restart httpd.service

You must install and enable mod_security on RHEL/CentOS server. It is recommended that you edit php.ini and secure it too.

See also:
- Top 25 Nginx Web Server Best Security Practices
- How to analyze Nginx configuration files for security misconfiguration on Linux or Unix

38. Protecting Files, Directories and Email

Linux offers excellent protections against unauthorized data access. File permissions and MAC prevent unauthorized users from accessing data. However, permissions set by Linux are irrelevant if an attacker has physical access to a computer and can simply move the computer’s hard drive to another system to copy and analyze the sensitive data. You can easily protect files and partitions under Linux using the following tools:

- To encrypt and decrypt files with a password, use the gpg command.
- Linux or UNIX password protect files with openssl and other tools.
- Full disk encryption is a must for securing data, and is supported by most Linux distributions. See how to encrypt a hard disk using LUKS on Linux. Make sure swap is also encrypted. Require a password to edit the bootloader.
- Make sure root mail is forwarded to an account you check.
- Howto: Disk and partition encryption in Linux for mobile devices.
- Linux Securing Dovecot IMAPS / POP3S Server with SSL Configuration.
- Linux Postfix SMTP (Mail Server) SSL Certificate Installations and Configuration.
- Courier IMAP SSL Server Certificate Installation and Configuration.
- Configure Sendmail SSL encryption for sending and receiving email.

39. Backups

It cannot be stressed enough how important it is to make a backup of your Linux system. A proper offsite backup allows you to recover from a cracked server, i.e. an intrusion. The traditional UNIX backup programs dump and restore are also recommended. You must set up encrypted backups to external storage such as a NAS server or FreeNAS server, or use a cloud computing service such as AWS:

- Debian / Ubuntu Linux Install and Configure Remote Filesystem Snapshot with rsnapshot Incremental Backup Utility
- How To Set Red hat / CentOS Linux Remote Backup / Snapshot Server
- How To Back Up a Web Server
- How To Use rsync Command To Backup Directory Under Linux
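
For tip 37, one way to confirm the five directives are actually active in a config file, ignoring commented-out lines and weak values (an added example, not part of the original article). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an Apache config file
# for the five hardening directives listed in tip 37.

# Prints one "MISSING: ..." line per absent directive and returns the number
# of missing directives (0 means all five are present).
check_apache_hardening() {
    conf=$1
    missing=0
    # Each table row is: label|extended regex. Matching is case-insensitive
    # because Apache directive names are; commented-out lines are dropped first.
    while IFS='|' read -r label pattern; do
        if ! grep -Ev '^[[:space:]]*#' "$conf" |
             grep -Eiq "^[[:space:]]*${pattern}[[:space:]]*\$"; then
            echo "MISSING: $label"
            missing=$((missing + 1))
        fi
    done <<'EOF'
ServerTokens Prod|ServerTokens[[:space:]]+Prod
ServerSignature Off|ServerSignature[[:space:]]+Off
TraceEnable Off|TraceEnable[[:space:]]+Off
Options -Indexes|Options[[:space:]]+(.*[[:space:]])?-Indexes([[:space:]].*)?
Header always unset X-Powered-By|Header[[:space:]]+always[[:space:]]+unset[[:space:]]+X-Powered-By
EOF
    return "$missing"
}

# Constructed sample config: two directives set correctly, one commented out,
# one set to a weak value, one absent.
write_sample_conf() {
    cat > "$1" <<'EOF'
  servertokens Prod
# ServerSignature Off
TraceEnable On
Options all -Indexes
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_apache_hardening "$sample" || echo "directives missing: $?"
rm -f "$sample"
```

Point the function at the real file (for example the httpd.conf edited in tip 37) after each change; a non-zero return means at least one directive is commented out, absent, or set to a different value.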