TranslateProject/sources/tech/20161130 Locking Down Your Linux Server.md
2016-12-03 16:07:17 +08:00


Locking Down Your Linux Server

By: Steven J. Vaughan-Nichols

No matter which Linux you run, you need to protect it with an iptables-based firewall.

Yes! You've just set up your first Linux server and you're ready to rock and roll! Right? Uh, no.

By default, your Linux box is not secure against attackers. Oh sure, it's more secure than Windows XP, but that's not saying much.

To really nail down your Linux system you need to follow the instructions in Linode's Securing your Server guide.

To summarize, you must first turn off the services you don't need. Of course, to do that, you need to know what network services you're running in the first place.

You can find out what those are with the shell command:

netstat -tulpn

Netstat will tell you what services you're running and what ports they're using. If you don't need a particular service or port, you should turn it off. For example, unless you're running a website, you don't need to be running the Apache or Nginx web servers or have the 80 or 8080 ports open.

In short, when in doubt, turn it off or close it down.
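To make that audit repeatable, here is an added example (not code from the article) that parses `netstat -tulpn` output, ignores sockets bound only to loopback, and reports every network-reachable listener that is not on an allowlist you supply. The sample netstat output is constructed for illustration, and the "tcp/22 udp/123" allowlist is an assumption standing in for whatever you actually intend to expose.

```sh
#!/bin/sh
# Added example (not from the article): parse `netstat -tulpn` output and flag
# listening sockets that are reachable from the network but not on an allowlist.
# The sample output below is constructed for illustration, not captured from a real host.
# (Systems without net-tools have `ss -tulpn`, whose layout differs; this parser targets netstat.)

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      501/rpcbind
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      902/master
tcp6       0      0 :::80                   :::*                    LISTEN      1203/nginx: master
udp        0      0 0.0.0.0:123             0.0.0.0:*                           640/ntpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           501/rpcbind'

# list_listeners [NETSTAT_OUTPUT]
# Prints one line per listening socket: "<proto> <port> <bind-address> <program>".
# With no argument it runs netstat itself (run as root, or program names show as "-").
list_listeners() {
    if [ $# -gt 0 ]; then printf '%s\n' "$1"; else netstat -tulpn 2>/dev/null; fi |
    awk 'NR > 2 && NF >= 4 {
        n = split($4, a, ":"); port = a[n]                    # last colon-separated field is the port
        bind = substr($4, 1, length($4) - length(port) - 1)   # everything before it is the bind address
        prog = "-"
        if (match($0, /[0-9]+\/.*$/)) {                       # "PID/program", possibly with spaces
            prog = substr($0, RSTART); sub(/^[0-9]+\//, "", prog)
        }
        printf "%s %s %s %s\n", $1, port, bind, prog
    }'
}

# unexpected_listeners "ALLOWLIST" [NETSTAT_OUTPUT]
# ALLOWLIST is a space-separated list of proto/port pairs you intend to expose,
# e.g. "tcp/22 udp/123". Loopback-only sockets are ignored. Prints each listener that
# is network-reachable and not on the list; returns 1 if any were found, else 0.
unexpected_listeners() {
    allow="$1"; shift
    list_listeners "$@" | awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 == "127.0.0.1" || $3 == "::1" { next }          # loopback only: not exposed
        { p = $1; sub(/6$/, "", p); key = p "/" $2 }       # tcp6 -> tcp, udp6 -> udp
        !(key in ok) { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Run against the constructed sample with SSH and NTP as the only intended services:
# rpcbind (tcp/111, udp/111) and nginx (tcp6/80) are reported; postfix on 127.0.0.1:25 is not.
unexpected_listeners "tcp/22 udp/123" "$SAMPLE_NETSTAT" ||
    echo "review the listeners above: stop the service or close the port" >&2
```

Drop the second argument to audit the live host; the exit status makes the function usable from a cron job or a configuration-management check that should fail when something new starts listening.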

On a plain vanilla Linux server, with nothing extra, you'll see SSH, RPC, and NTPdate up and running with open ports. Do not add such old and insecure shell programs as telnet, or the hackers will rise up and slap your server right out of your control. Yeah, maybe you loved telnet back on your SunOS box in the '80s, but that was then and this is now.

As for SSH, be sure to lock it down with RSA keys and Fail2Ban. Unless you need RPC (and if you need it, you'll know), go ahead and uninstall it.

So much for closing your doors; let's talk about using iptables to lock them from intruders.

When you start your Linux server it has no rules. Nada. That means all traffic is allowed. This is NOT GOOD. So, you need to set up your firewall … as soon as possible!

Iptables is a shell utility that sets network rule policies for netfilter, Linux's default firewall, using a set of rules to allow or block traffic. When someone tries to connect with your system (and someone will, every day, without fail), iptables tries to match the request against its rules list. If it can't find a match, it falls back to whatever the default action is.

That action should be to “Drop” the connection, which will block those outsiders wanting in. But it won't let them know what happened to their attempts to knock on your server's network door. (You could also “Reject” the connection, but that lets them know you have a Linux firewall up and running. These days, the less information a stranger has about my system, the better. At least, that's my philosophy.)
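What a default-DROP policy looks like in practice, as an added example that is not from the article: a minimal ruleset in iptables-restore format with INPUT and FORWARD set to DROP, loopback and already-established traffic accepted, SSH as the single open door, and a rate-limited LOG rule ahead of the policy so you can see the knocks without answering them. The REJECT alternative the author mentions is shown as a commented-out last rule. Port 22 and the rules file path are assumptions, and the check_ruleset guard refuses to apply a ruleset that would lock you out of SSH.

```sh
#!/bin/sh
# Added example (not from the article): build a minimal default-DROP iptables ruleset
# in iptables-restore format, sanity-check it, and only then apply it. The SSH port
# and the file path are assumptions you should adjust.
SSH_PORT="${SSH_PORT:-22}"
RULES_FILE="${RULES_FILE:-/tmp/iptables.rules}"

# Print the ruleset. INPUT and FORWARD default to DROP (silently discard, as the
# article recommends); OUTPUT stays ACCEPT so the server itself can still reach out.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the server started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The one door left open: SSH
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# Log what falls through (rate-limited so the log cannot be flooded); the DROP policy then applies
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
# To answer with an error instead of silence, add this as the last rule (the article prefers DROP):
# -A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Refuse a ruleset (read from stdin) that leaves the default policy open,
# has no ACCEPT rule for the SSH port, or is not terminated by COMMIT.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' ||
        { echo "check: INPUT policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | grep -Eq "^-A INPUT .*--dport $SSH_PORT .*-j ACCEPT" ||
        { echo "check: no ACCEPT rule for SSH port $SSH_PORT; applying this would lock you out" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q '^COMMIT$' ||
        { echo "check: missing COMMIT" >&2; return 1; }
}

# Write the file, check it, then load the whole ruleset atomically (needs root).
apply_ruleset() {
    gen_ruleset > "$RULES_FILE"
    check_ruleset < "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}

# Pass --apply to load the rules; by default the script only checks and prints them.
case "${1:-}" in
    --apply) apply_ruleset ;;
    *) gen_ruleset | check_ruleset && gen_ruleset ;;
esac
```

Because iptables-restore replaces the table in one step, there is no window where the old and new rules are half-applied. The loaded rules do not survive a reboot on their own; on the Debian family the iptables-persistent package saves and restores them, and other distributions have their own mechanism.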

Now, you could set up your firewall with just iptables. I've done it. But then, I used to ride a bike to work six miles away, uphill both directions. These days, I drive.

That means I use FirewallD for the Fedora distributions and UFW (Uncomplicated Firewall) for the Debian family. These are easy-to-use shell front-ends to iptables. For the finer details on how to use either, see these Linode guides: FirewallD and UFW.

Both come with default rule sets that, in essence, put up “No Trespassing” signs around your server. Use them.

But don't get too excited about shutting down all your connections. For example:

sudo ufw default deny incoming

may look like a good idea. After all, it blocks everything!

Well, yes. Yes, it does. That means it also blocks ssh. And that means you can no longer get to your shiny new server. Whoops!
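The way out of that trap is ordering: allow SSH first, then tighten the defaults, then enable. The following is an added example, not the article's own commands, of a small bring-up script that keeps its UFW commands as a plan and refuses to run any plan in which the SSH port is not allowed before a "default deny incoming" or "enable" line. Port 22 is an assumption, and the script runs in dry-run mode (printing what it would do) unless DRY_RUN=0.

```sh
#!/bin/sh
# Added example (not from the article): bring up UFW in an order that cannot lock you
# out of SSH. The script refuses to run a plan in which the SSH port is not allowed
# before "default deny incoming" or "enable". Dry-run mode unless DRY_RUN=0.
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-1}"

# Safe ordering: open SSH first (and rate-limit it), then tighten defaults, then enable.
SAFE_PLAN="ufw allow $SSH_PORT/tcp
ufw limit $SSH_PORT/tcp
ufw default deny incoming
ufw default allow outgoing
ufw --force enable"

# The pitfall from the article: deny everything with no SSH rule in sight.
UNSAFE_PLAN="ufw default deny incoming
ufw --force enable"

# plan_is_safe PLAN -> 0 if an allow/limit rule for SSH (by port, by the "ssh"
# service name, or by the OpenSSH app profile) precedes every deny/enable line.
plan_is_safe() {
    printf '%s\n' "$1" | awk -v port="$SSH_PORT" '
        $0 ~ ("^ufw (allow|limit) (OpenSSH|ssh|" port "(/tcp)?)$") { ssh_ok = 1 }
        /^ufw default deny incoming$/ || /^ufw( --force)? enable$/ { if (!ssh_ok) { bad = 1; exit } }
        END { exit bad ? 1 : 0 }'
}

# run_plan PLAN -> run each line with sudo, or just print it in dry-run mode.
run_plan() {
    plan_is_safe "$1" ||
        { echo "refusing: SSH port $SSH_PORT is not allowed before deny/enable; you would lock yourself out" >&2; return 1; }
    printf '%s\n' "$1" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "would run: sudo $cmd"; else sudo $cmd; fi
    done
}

run_plan "$UNSAFE_PLAN" || echo "(unsafe plan rejected, as intended)" >&2
run_plan "$SAFE_PLAN"
```

`ufw limit` rate-limits new connections to the port, which covers the brute-force case the author hands to Fail2Ban above; keep both if you like, they do not conflict. If you change the SSH port in sshd_config, set SSH_PORT to match before running the plan, or the guard will correctly refuse it.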

Still, if you're going to err, err on the side of blocking more connections. You see, the hackers really are out to get you.

Or, to be more exact, it's not you or your servers personally. Sure, you're not the National Security Agency (NSA), which gets, no kidding, 300 million hacking attempts per day. But a hacking script doesn't care. It just screens the internet looking for a server with a known hole. My own quiet little servers get hundreds of attacks on a slow day.

So, what are you waiting for? Go, lock down your network services. Install FirewallD or UFW and secure your servers. You'll be glad you did.


Please feel free to share below any comments or insights about your experience locking down a Linux server with an IPtables-based firewall. And if this blog was useful, consider sharing it through social media.


via: https://medium.com/linode-cube/locking-down-your-linux-server-24d8516ae374#.qy8qq4bx2

Author: Steven J. Vaughan-Nichols Translator: (translator ID) Proofreader: (proofreader ID)

This article was translated by LCTT and is proudly presented by Linux中国.