How to harden your Web Server in Linux?

by | Jun 5, 2024 | All, Linux, SysOps

Securing a web server is crucial to protect sensitive data, ensure privacy, and maintain the integrity of your applications and services. This guide will walk you through various steps and best practices to harden your Linux web server, making it more resilient against cyber threats.

 

1. Update and Patch Your System

Keeping your system up to date is the first line of defense.

  1. Regular Updates:
    • Use apt or yum to keep your system updated.



      sudo apt update && sudo apt upgrade

      sudo yum update

  2. Automate Updates:
    • Set up automatic updates to ensure timely patching.



      sudo apt install unattended-upgrades

      sudo dpkg-reconfigure --priority=low unattended-upgrades

2. User and Permission Management

Proper user management and permissions prevent unauthorized access.

  1. Limit Root Access:
    • Avoid using the root account directly. Use sudo for administrative tasks.

      sudo usermod -aG sudo yourusername

      Secure SSH Access:

    • Disable root login via SSH.

      sudo nano /etc/ssh/sshd_config

      # Set PermitRootLogin to no

      PermitRootLogin no

       

    • Use key-based authentication instead of passwords.

      ssh-keygen -t rsa -b 4096

      ssh-copy-id yourusername@yourserver

       

    • Change the default SSH port.

      # Edit /etc/ssh/sshd_config

      Port 2222

       

  3. Manage User Permissions:
    • Use chown and chmod to set proper file permissions.

      sudo chown -R www-data:www-data /var/www/html

      sudo chmod -R 755 /var/www/html

       

3. Firewall Configuration

A well-configured firewall controls access to your server. You can use either some firewall like ufw or rely on managing iptables “by hand”. Make sure you decide which method do you use and stick to it. Mixing both methods is not recommended. We recommend ufw as it is easier to manage. 

  1. Use ufw (Uncomplicated Firewall):
    • Allow necessary services and deny all others.

      sudo ufw default deny incoming

      sudo ufw default allow outgoing

      sudo ufw allow ssh

      sudo ufw allow http

      sudo ufw allow https

      sudo ufw enable

       

  2. Advanced Firewall (iptables):
    • Create custom rules for more granular control.

      sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

      sudo iptables -A INPUT -p tcp –dport 80 -j ACCEPT

      sudo iptables -A INPUT -p tcp –dport 443 -j ACCEPT

      sudo iptables -A INPUT -j DROP

       

4. Secure Network Services

Limiting and securing network services reduces the attack surface.

  1. Disable Unnecessary Services:
    • Identify and stop services that are not required.

      sudo systemctl list-unit-files --type=service

      sudo systemctl disable some-unneeded-service

      sudo systemctl stop some-unneeded-service

       

  2. Restrict Listening Ports:
    • Ensure services only listen on required interfaces.

      sudo netstat -tulnp

      sudo lsof -i -P -n | grep LISTEN

       

5. Web Server Configuration

Proper configuration of your web server is essential for security.

  1. Apache:
    • Disable directory listing.

      sudo nano /etc/apache2/apache2.conf

      # Add or modify:

      <Directory /var/www/>

      Options -Indexes

      </Directory>

       

    • Secure .htaccess files.

      <Files ~ "^\.ht">

      Order allow,deny

      Deny from all

      </Files>

       

    • Enable security modules.

      sudo a2enmod headers

      sudo a2enmod ssl

      sudo a2enmod rewrite

       

  2. Nginx:
    • Disable server tokens.

      sudo nano /etc/nginx/nginx.conf

      # Add or modify:

      server_tokens off;

       

    • Restrict access to sensitive files.

      location ~ /\.ht {

      deny all;

      }

       

    • Implement strong SSL/TLS settings.

      sudo nano /etc/nginx/conf.d/ssl.conf

      # Add or modify:

      ssl_protocols TLSv1.2 TLSv1.3;

      ssl_prefer_server_ciphers on;

      ssl_ciphers ‘HIGH:!aNULL:!MD5’;

       

6. Intrusion Detection and Prevention

Monitoring your system for unauthorized activities is crucial.

  1. Install and Configure Fail2Ban:
    • Protect your server from brute-force attacks.

      sudo apt install fail2ban

      sudo systemctl enable fail2ban

      sudo systemctl start fail2ban

      sudo nano /etc/fail2ban/jail.local

      # Add or modify:

      [sshd]

      enabled = true

      port = 2222

      filter = sshd

      logpath = /var/log/auth.log

      maxretry = 3

       

  2. Use AIDE (Advanced Intrusion Detection Environment):
    • Monitor file system changes.

      sudo apt install aide

      sudo aideinit

      sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

      sudo aide –check

       

7. Logging and Monitoring

Regularly review logs to detect and respond to suspicious activities.

  1. Centralize Logging:
    • Use tools like rsyslog or syslog-ng to centralize logs.

      sudo apt install rsyslog

      sudo systemctl enable rsyslog

      sudo systemctl start rsyslog

       

  2. Analyze Logs:
    • Use log analysis tools like Logwatch or ELK Stack.

      sudo apt install logwatch

      sudo logwatch –detail High –mailto your-email@example.com –service All –range today

       

8. Secure Your Applications

Ensure that the applications running on your server are secure.

  1. Regularly Update Applications:
    • Use package managers or other tools to keep applications updated.

      sudo apt update && sudo apt upgrade

       

  2. Configure Secure Application Settings:
    • Follow security best practices for each application (e.g., database, CMS).

9. Backup and Disaster Recovery

Prepare for the worst by having a solid backup and recovery plan.

  1. Automate Backups:
    • Use tools like rsnapshot or duplicity.

      sudo apt install rsnapshot

      sudo nano /etc/rsnapshot.conf

      sudo rsnapshot configtest

      sudo rsnapshot hourly

       

  2. Test Backups:
    • Regularly test your backups to ensure they can be restored.

10. Security Tools and Best Practices

Leverage security tools and follow best practices to enhance security.

  1. Use SELinux or AppArmor:
    • Implement mandatory access control.

      sudo apt install selinux-basics selinux-policy-default auditd

       

      sudo selinux-activate

      sudo apt install apparmor

      sudo systemctl enable apparmor

       

      sudo systemctl start apparmor

Conclusion

By following these comprehensive steps, you can significantly harden your Linux web server against various threats. Regular updates, proper user management, firewall configuration, secure web server settings, intrusion detection, logging, and backups are essential components of a robust security strategy. Stay vigilant and proactive to ensure your server remains secure.