ServerPronto Dedicated Servers

Basic Tips for Better Linux Security


October 28th, 2009

With more Linux options than any other dedicated host, ServerPronto receives lots of questions regarding best practices for Linux security. Below are 9 basic tips to help you keep your server a bit more secure than the standard install. These were written specifically for Red Hat, but the concepts are similar across most Linux platforms.

Change the port ssh listens on.
Edit the ssh configuration file.
nano /etc/ssh/sshd_config
Locate the line “Port 22”.
Comment out this line by adding a “#” before it. (Good practice when modifying any file)
Insert a new line below it “Port ####” (Replace #### with a number between 1024 and 65535).
Save the file with “ctrl+o” and exit the editor with “ctrl+x”.
#### is the port sshd will listen on after the next restart of sshd.

Restrict ssh access to accounts which are not root.
Edit the ssh configuration file.
nano /etc/ssh/sshd_config
Locate the line “PermitRootLogin yes”.
Comment out this line by adding a “#” before it. (Good practice when modifying any file)
Insert a new line below it “PermitRootLogin no”.
Save the file with “ctrl+o” and exit the editor with “ctrl+x”.

Create an alternate user account.
Use the adduser command to create a new user with ssh access.
“adduser -G wheel ?????” (Replace ????? with a username 5 or more characters long).
Set the password for the user.
“passwd ?????” follow prompts to set the password.

Open new ssh port in the firewall.
Edit the iptables configuration file.
nano /etc/sysconfig/iptables
Locate the line which contains “--dport 22”.
Comment out this line by adding a “#” before it. (Good practice when modifying any file)
Insert a new line below it exactly the same except replace “22” with the number you replaced #### with.
Save the file with “ctrl+o” and exit the editor with “ctrl+x”.

Make new user accounts easier to use.
Import a functional profile for all users with ssh access.
Create the file with “nano /etc/environment-common”.
Add the text “${EXPORT}PATH${EQ}/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:” to the new file (without the quotes).
Save the file with “ctrl+o” and exit the editor with “ctrl+x”.
Open the profile file with “nano /etc/profile”.
Add the line “EQ='=' EXPORT="export " . /etc/environment-common” (without the outer quotes) at the end of the file.
Save the file with “ctrl+o” and exit the editor with “ctrl+x”.

Test user account.
Using your ssh client open a new connection to the server on port 22.
Login with the user you created.
Check super user access by typing “su” and entering the root password for the server.
Type “exit” twice to log off from this test session.

Restart changed services.
“/etc/init.d/sshd restart”
“/etc/init.d/iptables restart”

Test new settings.
Using your ssh client open a new connection to the server on port ####.
Login with the user you created.
Check super user access by typing “su” and entering the root password for the server.
Switch to the original session logged on as root.
Type “exit” to log off from this session.

Optional sudo (Super user) settings.
Use “visudo” to remove the comment from the line “%wheel ALL=(ALL) NOPASSWD: ALL”
Type “:wq” to save and exit this program.
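The sshd_config and iptables edits from the steps above can also be applied by a small script, which makes it easy to do them on a copy of each file and inspect the result before anything under /etc changes. The script below is an added example, not ServerPronto's own code: the file paths, the chosen port number (2222) and the contents of the two sample files are assumptions, and the sample files are constructed to look like the Red Hat defaults. It keeps the post's practice of commenting out the old line and inserting the new one below it, and it also handles the case the steps do not mention, where the directive is only present commented out (the stock config ships “#Port 22”), by appending the new line instead.

```shell
#!/bin/sh
# Added example, not code from the post: applies the sshd_config and iptables
# edits from the steps above to the files given as arguments. Run it on copies.
# The port number and sample file contents below are constructed assumptions.

# Return 0 if $1 is an integer in the unprivileged range the post recommends.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# set_directive FILE KEYWORD VALUE
# Comments out every active "KEYWORD ..." line and writes "KEYWORD VALUE" below
# the first one. If no active line exists (e.g. only "#Port 22"), the new line
# is appended so the change still takes effect. The file is rewritten with cat
# rather than mv so its owner and permissions are preserved.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        $1 == key && $0 !~ /^[ \t]*#/ {
            print "#" $0
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_sshd_config FILE NEWPORT: the "change the port" and "no root login" steps.
harden_sshd_config() {
    valid_port "$2" || { echo "port must be between 1024 and 65535" >&2; return 1; }
    set_directive "$1" Port "$2" &&
    set_directive "$1" PermitRootLogin no
}

# open_firewall_port FILE OLDPORT NEWPORT: the iptables step. The rule that
# allows OLDPORT is commented out and an identical rule for NEWPORT is
# inserted below it; rules for other ports are left alone.
open_firewall_port() {
    file=$1; old=$2; new=$3
    valid_port "$new" || return 1
    tmp=$(mktemp) || return 1
    awk -v old="$old" -v new="$new" '
        $0 !~ /^[ \t]*#/ && $0 ~ ("--dport[ \t]+" old "([^0-9]|$)") {
            print "#" $0
            sub("--dport[ \t]+" old, "--dport " new)
            print
            next
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# has_active_line FILE REGEX: 0 if an uncommented line in FILE matches REGEX.
has_active_line() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq -e "$2"
}

# Constructed sample files standing in for /etc/ssh/sshd_config and
# /etc/sysconfig/iptables; the real files are never touched here.
WORK=$(mktemp -d)
cat > "$WORK/sshd_config" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
EOF
cat > "$WORK/iptables" <<'EOF'
*filter
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
COMMIT
EOF

NEW_PORT=2222   # assumed choice; anything valid_port accepts will do
harden_sshd_config "$WORK/sshd_config" "$NEW_PORT"
open_firewall_port "$WORK/iptables" 22 "$NEW_PORT"

echo "== $WORK/sshd_config =="; cat "$WORK/sshd_config"
echo "== $WORK/iptables =="; cat "$WORK/iptables"
```

Before the edited copy replaces the real file, `sshd -t -f /path/to/copy` checks that sshd still parses it, and the rest of the procedure above still applies: restart sshd and iptables, then test the new port from a second session while the original root session stays open.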

Other helpful tips.

  • Ensure all passwords meet strong password requirements (for example, check them with http://www.microsoft.com/protect/fraud/passwords/checker.aspx).
  • Never disable the software firewall.
  • Change user account passwords on receipt of server details.
  • Do not run a mail server daemon unless you intend to configure it for internal use.
  • Disable all daemons and software packages you do not intend to use.
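The last three tips (keep the firewall on, do not run a mail daemon you have not configured, disable unused daemons) come down to knowing what starts at boot. On Red Hat that is the table printed by `chkconfig --list`. The script below is an added example, not ServerPronto's code: it parses that table and reports every service enabled in runlevel 3 or 5 that is not on an expected list, and checks that iptables itself is still enabled. The table it reads is constructed sample output, and the expected list is an assumption to adjust per server; on a real machine pipe `chkconfig --list` into the functions instead.

```shell
#!/bin/sh
# Added example, not code from the post: reviews which SysV services start at
# boot by parsing chkconfig --list output. Sample output and the expected
# service list below are constructed assumptions.

EXPECTED_SERVICES="sshd iptables crond syslog network"

# boot_enabled_services < chkconfig_output
# Prints the name of every service that is "on" in runlevel 3 or 5.
# Fields: name 0:x 1:x 2:x 3:x 4:x 5:x 6:x; lines with fewer than 8 fields
# (the xinetd section, headers, blank lines) are skipped.
boot_enabled_services() {
    awk 'NF >= 8 && ($5 == "3:on" || $7 == "5:on") { print $1 }'
}

# unexpected_boot_services < chkconfig_output
# Same list minus anything in EXPECTED_SERVICES; these are the candidates
# for "chkconfig NAME off" and "service NAME stop".
unexpected_boot_services() {
    boot_enabled_services | awk -v expected="$EXPECTED_SERVICES" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) keep[e[i]] = 1 }
        !($1 in keep) { print }
    '
}

# firewall_enabled < chkconfig_output
# Returns 0 when iptables is set to start at boot ("never disable the firewall").
firewall_enabled() {
    boot_enabled_services | grep -qx iptables
}

# Constructed sample of `chkconfig --list` on a freshly installed server.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:  off
EOF

echo "Services enabled at boot that are not on the expected list:"
unexpected_boot_services < "$SAMPLE"
if firewall_enabled < "$SAMPLE"; then
    echo "iptables starts at boot: ok"
else
    echo "WARNING: iptables is not enabled at boot"
fi
```

On the sample data the report lists bluetooth, cups and sendmail; the last of these is exactly the unconfigured mail daemon the tip warns about.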


Entry Filed under: Dedicated Server Security

 

2 Comments

  • 1. Carlos Angulo  |  December 20th, 2009 at 5:44 am

    These tips are really helpful. Thanks a lot, guys, for posting them!

  • 2. Jose Hernandez D,  |  December 21st, 2009 at 12:13 pm

    Very useful tips. I have implemented all of them. I would also like to add that I have used port knocking in CentOS, and it is very effective as well as easy to configure.
