Overall Best Security Practices for Linux
There are numerous steps to take that increase the overall security of a Linux system. Some of the steps should be implemented as a matter of fact, others may engage discussion within an organization. However, this is a discussion that needs to happen soon rather than later - it MUST be a priority. Cybersecurity is increasing in importance with the growing number of tools and technology at the hands of those attempting to infiltrate systems, steal data, and hold systems for ransom.
Following are some best practices:
- Strong passwords - Good options to consider would be: a minimum length of at least 10 characters, require the use of special characters or upper and lowercase letters. The same password should never be used for multiple users or software systems. Configure password expiration dates.
- Generate an SSH Key Pair - While strong passwords can make a difference, even stronger methods of logging into private servers are available. Secure shell (SSH) key pairs, in particular, are worth implementing because these systems are far more difficult to hack through brute force. This may not be popular among the general users, but it is a much more secure option
- Update software at regular intervals - Linux server security includes implementing regular software patches to address potential vulnerabilities. This could be enhanced by enabling automatic updates.
- Avoid installing unnecessary software. There is so much awesome software in the Linux realm, but does it need to be installed?
- Disable booting from external devices to reduce the potential for physical attacks, which can be just as damaging as hacking.
- Close any TCP/IP ports that aren't being used. Open ports may reveal network architecture information while extending attack opportunities.
- Create frequent system backups and test them for reliability.
- root login is disabled on most distributions - DO NOT enable root logins.
- Make sure no non-root accounts have UID set to 0.
- Lock user accounts after login failures.
- Prevent all users from using or reusing same old passwords.
- Avoid using ftp, telnet, and rlogin/rsh services - use secure versions of these utilities.
- Encrypt transmitted data whenever possible with passwords or using keys/certificates.
- Generate SSL/TLS certificates for free using tools like OpenSSL, or purchase them from public certificate authorities.
- Several steps to prevent unwanted console access:
- Set a BIOS password. Even if the system is rebooted the attacker cannot simply login at boot time.
- Set GRUB boot loader password. That way the attacker has one more hurdle to get past.
- Enable authentication for Single-User Mode.
- Disable interactive Hotkey startup at boot.
- Setup time-out for login shells
- Setup screen locking
- Disable Ctrl+Alt+Delete
- Verify no accounts have empty passwords