Securing your server with iptables
Securing your server with iptables
In the Getting Started guide, you learned how to deploy a Linux distribution, boot your Linode and perform some basic administrative tasks. Now it’s time to harden your Linode to protect it from unauthorized access.
Update Your System–Frequently
Keeping your software up to date is the single biggest security precaution you can take for any operating system–be it desktop, mobile or server. Software updates frequently contain patches ranging from critical vulnerabilities to minor bug fixes, and many software vulnerabilities are actually patched by the time they become public.
Automatic Security Updates
There are opposing arguments for and against automatic updates on servers. Nonetheless, CentOS, Debian, Fedora and Ubuntu can be automatically updated to various extents. Fedora’s Wiki has a good breakdown of the pros and cons, but if you limit updates to those for security issues, the risk of using automatic updates will be minimal.
The practicality of automatic updates must be something which you judge for yourself because it comes down to what you do with your Linode. Bear in mind that automatic updates apply only to packages sourced from repositories, not self-compiled applications. You may find it worthwhile to have a test environment which replicates your production server. Updates can be applied there and reviewed for issues before being applied to the live environment.
- CentOS uses yum-cron for automatic updates.
- Debian and Ubuntu use unattended upgrades.
- Fedora uses dnf-automatic.
Add a Limited User Account
Up to this point, you have accessing your Linode as the root
user. The concern here is that root
has unlimited privileges and can execute any command–even one that could accidentally break your server. For this reason and others, we recommend creating a limited user account and using that at all times. Administrative tasks will be done using sudo
to temporarily elevate your limited user’s privileges so you can administer your server without logging in as root.
To add a new user, log in to your Linode via SSH.
CentOS / Fedora
- Create the user, replacing
example_user
with your desired username, and assign a password:useradd example_user && passwd example_user
- Add the user to the
wheel
group for sudo privileges:usermod -aG wheel example_user
Debian / Ubuntu
- Create the user, replacing
example_user
with your desired username. You’ll then be asked to assign the user a password.adduser example_user
- Add the user to the sudo group so you’ll have administrative privileges:
adduser example_user sudo
With your new user assigned, disconnect from your Linode as root
:
exit
Log back in to your Linode as your new user. Replace example_user
with your username, and the example IP address with your Linode’s IP address:
ssh example_user@203.0.113.0
Now you can administer your Linode from your new user account instead of root
. Superuser commands can now be prefaced with sudo
; for example, sudo iptables -L
. Nearly all superuser commands can be executed with sudo
, and those commands will be logged to /var/log/auth.log
.