TranslateProject/sources/tech/20161130 Locking Down Your Linux Server.md

99 lines
6.5 KiB
Markdown
Raw Normal View History

wcnnbdk1 translating
2016-12-03 16:07:17 +08:00
Locking Down Your Linux Server
============================================================
> By: Steven J. Vaughan-Nichols
![](https://cdn-images-1.medium.com/max/800/1*DeQtDiP3I2sn0Ba7hO53DA.png)
### No matter what your Linux, you need to protect it with an iptables-based firewall.
Yes! Youve just set up your first Linux server and youre ready to rock and roll! Right? Uh, no.
By default, your Linux box is not secure against attackers. Oh sure, its more secure than Windows XP, but thats not saying much.
To really nail down your Linux system you need to follow the instructions in [Linode][1]s [Securing your Server][2] guide.
To summarize, you mustfirstturn off the services you dont need. Of course to do that, you need to know what network services youre running in the first place.
You can find out what those are with the shell command:
_netstat -tulpn_
[_Netstat_][3] will tell you what services youre running and what ports theyre using. If you dont need a particular service or port, you should turn it off. For example, unless youre running a website, you dont need to be running the [Apache][4] or [Nginx][5] web servers or have the 80 or 8080 ports open.
In short, when in doubt, turn it off or close it down.
On a plain vanilla Linux server, with nothing extra, youll see [SSH][6], [RPC][7], and [NTPdate][8] up and running with open ports. Do not add such old and insecure shell programs as [telnet][9] or the hackers will rise up and slap your server right out of your control. Yeah, maybe you loved telnet back on your SunOS box in the 80s, but that was then and this is now.
As for SSH, be sure to lock it down with [RSA keys][10] and [Fail2Ban][11]. Unless you need RPCand if you need it, youll knowgo ahead and uninstall it.
So much for closing your doors; lets talk about using iptables to lock them from intruders.
When you start your Linux server it has nonadarules. That means all traffic is allowed. This is NOT GOOD. So, you need to setup your firewall … as soon as possible!
Iptables is a shell utility that sets network rule policies for [netfilter][12], Linuxs default firewall, using a set of rules to allow or block traffic. When someone tries to connect with your systemand someone will every day, without failiptables looks to match the request with its rules list. If it cant find a match, it will resort to whatever the default action is.
That action should be to “Drop” the connection, which will block those outsiders wanting in. But it wont let them know what happened to their attempts to knock on your servers network door. (You could also “Reject” the connection, but that lets them know you have a Linux firewall up and running. These days, the less information a stranger has about my system, the better. At least, thats my philosophy.)
Now, you could set up your firewall with _just_ iptables. Ive done it. But then, I used to ride a bike to work six miles away, uphill both directions. These days, I drive.
That means I use [FirewallD][13] for the Fedora distributions and [UFW][14][Uncomplicated Firewall] for the Debian family. These are easy-to-use, shell front-ends to iptables. For the finer details on how use either, see these Linode guides: [FirewallD][15] and [UFW][16].
Both come with default rule sets that, in essence, put up “No Trespassing” signs around your server. Use them.
But dont get too excited about shutting down all your connections. For example:
_sudo ufw default deny incoming_
may look like a good idea. After all, it blocks everything!
Well, yes. Yes, it does. That means it also blocks ssh. And _that_ means you can no longer get to your shiny new server. Whoops!
Still, if youre going to err, err on the side of blocking more connections. You seethe hackers really are out to get you.
Or, to be more exact, its not you or your servers personally. Sure, youre not the [National Security Agency (NSA), which getsno kidding300-million hacking attempts per day][17]. But a hacking script doesnt care. It just screens the internet looking for a server with a known hole. My own quiet little servers get hundreds of attackson a slow day.
So, what are you waiting for? Go, lock down your network services. Install FirewallD or UFW and secure your servers. Youll be glad you did.
* * *
_Please feel free to share below any comments or insights about your experience locking down a Linux server with an IPtables-based firewall. And if this blog was useful, consider sharing it through social media._
--------------------------------------------------------------------------------
via: https://medium.com/linode-cube/locking-down-your-linux-server-24d8516ae374#.qy8qq4bx2
作者:[Steven J. Vaughan-Nichols][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
2016-12-08 15:23:10 +08:00
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出
2016-12-03 16:07:17 +08:00
[a]:https://medium.com/linode-cube/locking-down-your-linux-server-24d8516ae374#.qy8qq4bx2
[1]:https://www.linode.com/
[2]:https://www.linode.com/docs/security/securing-your-server
[3]:http://www.faqs.org/docs/linux_network/x-087-2-iface.netstat.html
[4]:https://httpd.apache.org/
[5]:https://www.nginx.com/
[6]:https://www.linode.com/docs/tools-reference/ssh/
[7]:http://www.linux.org/threads/tcp-ip-service-remote-procedure-call-rpc.4913/
[8]:https://help.ubuntu.com/lts/serverguide/NTP.html
[9]:http://www.telnet.org/htm/faq.htm
[10]:https://www.linode.com/docs/security/securing-your-server/#create-an-authentication-key-pair
[11]:https://www.linode.com/docs/security/securing-your-server/#use-fail2ban-for-ssh-login-protection
[12]:https://www.netfilter.org/
[13]:http://www.firewalld.org/
[14]:https://help.ubuntu.com/community/UFW
[15]:https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos
[16]:https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw
[17]:http://thehackernews.com/2016/02/nsa-utah-data-center.html
[18]:http://www.zdnet.com/meet-the-team/us/steven-j-vaughan-nichols/
[19]:http://www.pcmag.com/author-bio/steven-j.-vaughan-nichols
[20]:http://www.infoworld.com/author/Steven-J.-Vaughan_Nichols/
[21]:http://www.computerworld.com/author/Steven-J.-Vaughan_Nichols/
[22]:http://www.linuxtoday.com/author/Steven+J.+Vaughan-Nichols/
[23]:http://www.eweek.com/cp/bio/Steven-J.-Vaughan-Nichols/