Question

The Linux servers will be composed of web servers, user servers, log servers and database servers (however, remember that no matter what type of server you are building, security still needs to be put in place). How will you solve it as a new hire, technically and securely?

Answer #1

Building Linux server (web servers, user servers, log servers, and database servers) security, technically and securely.
* The first step after creating or installing a server or its OS is setting up security on it to prevent hackers from obtaining unwanted access.
* Basically, this requires hardening the security of the Linux server.
* On the other hand, a Linux server is secure by default to a large extent, as it has a built-in security model in general. Also, Linux is designed and developed based on the least privileged access model.
* It requires minimal installation of packages for security purposes. It requires purging any unwanted packages.
* One could, in general, go for cloud, or specifically for a public cloud service such as Amazon Web Services (AWS), and create instances or Virtual Machines (VMs) so that all the management of the underlying infrastructure, hardware, software, power, cabling, manpower, etc., and administration of the servers or VMs are handled by the provider. They also provide security of the cloud, i.e., of the infrastructure; however, as an employee, a new hire has to implement security in the cloud for the resources, servers, and services he creates.
* One should turn on Security-Enhanced Linux (SELinux), which is an access control security mechanism provided in the Linux kernel.
* One should secure console access on the Linux server by disabling booting from external devices such as DVDs, CDs, and USB pen drives after BIOS setup.
* As an administrator or Linux engineer, one should restrict using old passwords.
* Finding out and checking for any listening or open ports to close or disable them. One could use the "netstat" command to view the open ports.
* One should always disable Root login.
* One can change the default SSH port on a Linux server, thus adding a layer of opacity to keep the server safe.
* One should disable Ctrl+Alt+Delete in inittab to prevent the server from rebooting.
* Implementing and using the password-less login feature to SSH into the server without any password, generating only the ssh-keys.
* One should install and run Fail2Ban for SSH login to dynamically alter the firewall rules banning addresses that unsuccessfully attempted to log in a certain number of times.
* One should disable IPv6 wherever it is required and appropriate or when not using it on Linux.
* Pick the right and more secure, or the most secure, Linux distribution.
* Set up 2FA/MFA (2 Factor Authentication or Multi-Factor Authentication) for SSH (Secure Shell).
* One should limit who, or which accounts, an administrator wants to be able to use sudo.
* Set up an NTP client for security, as the correctness of the system time contributes to the system's security.
* Secure /proc so that users can only see information about their own processes.
* Implement a password policy for the users, forcing their accounts to use secure passwords.
* One should set up automatic security updates and alerts.
* Set up an appropriate and secure firewall. Set up the firewall with UFW (Uncomplicated Firewall).
* Setting up iptables intrusion detection and prevention with PSAD to monitor all network activities to detect potential intrusion attempts.
* Setting up application intrusion detection and prevention with Fail2Ban tool installed.
* For auditing, set up file/folder integrity monitoring with AIDE (WIP).
* Setting up anti-virus scanning with ClamAV (WIP).
* Setting up rootkit detection with Rkhunter (WIP).
* Or setting up rootkit detection with chkrootkit (WIP).
* For monitoring and audit purposes, setting up logwatch, which is a system log analyzer and reporter.
* Using the ss tool to see ports (any unwanted ports) the Linux server is listening on.
* Installing and using the Lynis tool for Linux security auditing.
* Using encryption tools, features, options, and methods for data communication for Linux server and also for data at rest.
* Disabling, de-activating, or avoiding the usage of FTP, Telnet, and Rlogin or Rsh services on Linux, and instead using OpenSSH, SFTP, or FTPS, i.e., FTP over SSL, which adds SSL or TLS encryption to FTP.
* Minimizing the amount of software installed and used to minimize vulnerabilities in Linux.
* One should have only one network service per system, server, or VM Instance.
* Ensuring and keeping Linux server kernel and software always up to date.
* Using Linux security extensions wherever appropriate.
* Setting up password aging for Linux users for better security.
* Set up a locking policy to lock user accounts after a certain number of login failures.
* Ensuring and verifying no accounts have empty passwords or ensuring all the accounts have a respective password.
* Ensuring no Non-Root accounts have UID set to 0.
* Also, it requires disabling any and all unwanted Linux services.
* Turning off any and all unwanted services at boot time.
* Deleting the X Window System (X11) on the server as it is not required.
* One should configure the iptables and TCP Wrappers firewall on the Linux server.
* The Linux kernel configuration file, /etc/sysctl.conf in general, should be hardened.
* One should differentiate and separate disk partitions for Linux systems.
* Ensuring disk quotas are enabled for all users.
* Disabling any and all unwanted SUID and SGID binaries.
* Handling world-writable files on a Linux server by setting correct user and group permissions on them or removing them.
* Assigning no-owner files to an appropriate user and group or removing them.
* Using a centralized authentication service on the server.
* Using Kerberos to perform authentication as a trusted third-party authentication service using a cryptographic shared secret.
* Implementing appropriate logging and auditing.
* Securing OpenSSH server.
* Disabling USB, firewire, or Thunderbolt devices.
* Securing the Apache, PHP, or Nginx server by editing the httpd.conf configuration files accordingly.
* In general, protecting files, directories, and email against unauthorized data access using file permissions, encryption, password policies, protecting password files, etc.
* Ensure proper scheduled backups are set up and can later be restored effectively.
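
Three items on the checklist above (no non-root account with UID 0, no empty passwords, root login disabled in OpenSSH) can be verified directly from the files involved. The script below is an added example, not part of the original answer. The function names and the sample files are constructed for illustration, and the sshd_config reader handles only whitespace-separated `Keyword value` lines and does not follow `Include`.

```shell
#!/usr/bin/env bash
# Added example: verify three checklist items against passwd/shadow/sshd_config.
# Paths are parameters so the checks also run on copies or constructed samples.

# Accounts other than root with UID 0 (field 3 of passwd).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with an empty password field (field 2 of shadow).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Global value of an sshd_config keyword. sshd uses the first value it
# reads for a keyword, keywords are case-insensitive, and lines after a
# Match line are conditional, so reading stops there. Empty output means
# the keyword is not set globally and the built-in default applies.
sshd_setting() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Constructed sample files (not taken from a real host) for an offline run.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'svc:x:0:0::/home/svc:/bin/sh' > "$dir/passwd"
    printf '%s\n' 'root:$6$constructed$hash:19000:0:99999:7:::' \
        'alice::19000:0:99999:7:::' \
        'svc:!:19000:0:99999:7:::' > "$dir/shadow"
    printf '%s\n' '# PermitRootLogin yes' 'Port 22' \
        'permitrootlogin no' 'PermitRootLogin yes' \
        'Match User backup' '    PasswordAuthentication yes' > "$dir/sshd_config"
    echo "$dir"
}

s=$(make_sample)
echo "UID 0 besides root:  $(uid0_accounts "$s/passwd")"
echo "Empty passwords:     $(empty_password_accounts "$s/shadow")"
echo "PermitRootLogin:     $(sshd_setting "$s/sshd_config" PermitRootLogin)"
echo "PasswordAuth global: $(sshd_setting "$s/sshd_config" PasswordAuthentication)"
rm -rf "$s"
```

On a real host, pass `/etc/passwd`, `/etc/shadow` (readable only by root) and `/etc/ssh/sshd_config` to the same functions. `sshd -T` prints the effective configuration including defaults and remains the authoritative check for the SSH settings.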
