Blocking access using a firewall*
One of the easiest server protection measures all users should take is to activate and configure a firewall. Firewalls act as a barrier between general network traffic and individual servers. They monitor incoming and outgoing traffic and decide whether or not to let certain information through.
This is done by inspecting the traffic with a set of rules set by the user. Typically, a server uses only a few specific network ports to run services. The other ports are not used, so they must be well protected by a firewall, which will deny access to all data arriving on these ports.
This allows you to discard all unknown data and even set conditions for the use of services in some cases. Sensible firewall rules provide a good basis for server protection.
UFW stands for "Uncomplicated Firewall". Its purpose is to reliably protect the server without using complex syntax and unnecessary add-ons.
Probably the most widely known Linux firewall is IPTables. IPTables is another component used to control the NetFilter firewall included in the Linux kernel. It has been around for a long time and has been repeatedly tested to ensure its reliability. To create IPv6 traffic restrictions there is a version of IPTables called ip6tables.
Secure remote connection to the system using SSH
To manage a server that you don't have local access to, you will need to use a remote connection. The standard and reasonably secure way to do this on a Linux system is to use the SSH protocol, which stands for "Secure Shell".
SSH allows for end-to-end encryption, sending unencrypted traffic over a secure connection, using X-forwarding (graphical user interface over a network connection), and much more. Basically, if there is no possibility to establish a local connection or use out-of-band management, SSH becomes the main way for an administrator to interact with the machine.
The protocol itself is very secure, since it has been extensively researched and code-checked; however, the choice of configurations can both enhance and significantly degrade the security of the service. Here are a few options for using the protocol.
Password vs SSH key logins
Logging in with a password is used most often, but it is less secure because it allows a potential attacker to brute-force passwords until the right combination is found. This type of attack is called "direct picking", and with the help of modern tools it can be easily automated.
The SSH key logon method involves creating a secure key pair for authentication. The public key is used to identify the user. It can be public because it is not used for anything other than identifying the user; you can only log in with its corresponding private key. The private key must be kept secret and is used to validate the corresponding public key.
In general, the public key can be placed on a server, allowing logins using the corresponding private key. Such keys are so complex that they cannot be picked up. Moreover, a long phrasal password can be additionally activated for these keys, which strengthens their protection.
Blocking malicious IP addresses with fail2ban
One action that will help ensure the overall security of SS configurations is to implement fail2ban. Fail2ban is a service that monitors login logs to determine if a remote system is a legitimate user, and then temporarily denies traffic from the corresponding IP address.
Implementing IDS for server intrusion detection
Developing a server intrusion detection strategy is one of the most important aspects of enhancing system security. Not only do you need to think about preventative measures, but you also need to test whether they work.
An intrusion detection system, also known as an IDS, records configuration and file information in a known good condition. It then compares the recorded data to detect changed files or configurations.
Tripwire is one of the best known IDSs.
Tripwire compiles a database of system files and protects its configuration and executable files with a set of keys. After setting the appropriate configurations and defining exceptions, Tripwire will report any changes made to the tracked files.
Aide is another variant of IDS. Similar to Tripwire, Aide works by creating a database and comparing the current state of the system with previously stored known good values. If discrepancies occur, the system can notify the administrator of the problem.
Psad works differently from the tools listed above. Instead of monitoring the system files, it monitors the firewall logs in an attempt to detect malicious activity.
Another IDS option is the Bro system. Bro is actually a network monitoring mechanism which can be used as a network IDS or for other purposes such as collecting general usage statistics, examining problems or pattern detection.
RKHunter works along the same principles as many IDSs for detecting rootkits and common malware, although it is not technically an intrusion detection system.