Update Your System–Frequently
Add a Limited User Account
Harden SSH Access
```
ssh-keygen -b 4096
ssh-copy-id example_user@203.0.113.10
```
Edit `/etc/ssh/sshd_config` and make the following changes:
- Disallow root logins over SSH.

  ```
  # Authentication:
  ...
  PermitRootLogin no
  ```

- Disable SSH password authentication.

  ```
  # Change to no to disable tunnelled clear text passwords
  PasswordAuthentication no
  ```

- Listen on only one internet protocol.

  ```
  # AddressFamily inet to listen only on IPv4.
  # AddressFamily inet6 to listen only on IPv6.
  AddressFamily inet
  ```

- Restart the SSH service to load the new configuration.

  ```
  sudo systemctl restart sshd
  ```
- Use Fail2Ban for SSH login protection (see the Fail2Ban tutorial).
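The `sshd_config` edits above are easy to get subtly wrong: sshd keeps the first value it reads for a keyword and ignores later duplicates, and every directive below a `Match` line is conditional, so a `PermitRootLogin no` appended at the bottom of the file may never take effect. The POSIX shell script below is an added example, not part of this guide; it reports the effective value of the three directives in a config file and is run here against a constructed sample. It assumes the `Keyword value` form and does not follow `Include` lines; `sudo sshd -T` prints the daemon's real effective configuration.

```shell
# Added example (not from the guide): audit an sshd_config for the three
# directives this section sets. sshd uses the FIRST value it reads for a
# keyword and ignores later duplicates, and everything below a "Match" line
# is conditional, so a hardening line appended at the bottom may be inert.
# Assumes the "Keyword value" form and does not follow Include lines.

# effective_value FILE KEYWORD -> value sshd would use, or nothing if unset
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match"      { exit }            # conditional block: stop
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# check_directive FILE KEYWORD EXPECTED -> prints a verdict, returns 0 if compliant
check_directive() {
    value=$(effective_value "$1" "$2")
    if [ "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" = "$3" ]; then
        echo "OK   $2 $value"
        return 0
    fi
    echo "FAIL $2 ${value:-<unset, sshd default applies>} (expected $3)"
    return 1
}

# audit_sshd_config FILE -> exit status is the number of failed checks (0-3)
audit_sshd_config() {
    failed=0
    check_directive "$1" PermitRootLogin        no   || failed=$((failed + 1))
    check_directive "$1" PasswordAuthentication no   || failed=$((failed + 1))
    check_directive "$1" AddressFamily          inet || failed=$((failed + 1))
    return "$failed"
}

# Constructed sample: the admin added hardening lines but left an earlier
# "PermitRootLogin yes" in place, so root login over SSH stays enabled.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# Authentication:
PermitRootLogin yes
   PasswordAuthentication no
AddressFamily inet
Match User deploy
    PermitRootLogin no
EOF

audit_sshd_config "$SAMPLE_CONFIG" || echo "$? directive(s) need attention"
```

On a real host run `audit_sshd_config /etc/ssh/sshd_config` after the edits, then confirm with `sudo sshd -T`, which resolves `Include` files as well.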
Remove Unused Network-Facing Services
Most Linux distributions install with running network services which listen for incoming connections from the internet, the loopback interface, or a combination of both. Network-facing services which are not needed should be removed from the system to reduce the attack surface of both running processes and installed packages.
Determine Running Services
```
sudo ss -atpu
```
Determine Which Services to Remove
A basic TCP and UDP nmap scan of your Linode without a firewall enabled would show SSH and possibly other services listening for incoming connections. By configuring a firewall you can filter those ports to your requirements. Ideally, the unused services should be disabled.
You will likely be administering your server primarily through an SSH connection, so that service needs to stay. As mentioned above, RSA keys and Fail2Ban can help protect SSH. System services like chronyd, systemd-resolved, and dnsmasq are usually listening on localhost and only occasionally contacting the outside world. Services like this are part of your operating system and will cause problems if removed and not properly substituted.
However, some services are unnecessary and should be removed unless you have a specific need for them. Examples include Exim, Apache, and RPC.
Uninstall the Listening Services
Configure a Firewall
Using a firewall to block unwanted inbound traffic to your Linode provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else. See our documentation on some of the most common firewall applications:
- Iptables is the controller for netfilter, the Linux kernel’s packet filtering framework. Iptables is included in most Linux distributions by default.
- FirewallD is the iptables controller available for the CentOS / Fedora family of distributions.
- UFW provides an iptables frontend for Debian and Ubuntu.