Linux Server Hardening Best Practices

Een onbeveiligde Linux server is binnen minuten kwetsbaar voor aanvallen. In deze gids behandelen we essentiële hardening technieken volgens CIS Benchmarks om uw infrastructuur te beschermen.

1. SSH Hardening

SSH is vaak de eerste aanvalsvector. Deze configuratie is essentieel:

Verplichte Configuratie

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers admin@10.0.0.0/8

SSH Keys

Gebruik altijd ED25519 of RSA 4096-bit keys:

# Genereer veilige SSH key
ssh-keygen -t ed25519 -C "admin@bedrijf.nl"

# Of RSA 4096
ssh-keygen -t rsa -b 4096 -C "admin@bedrijf.nl"

⚠️ Kritiek: Schakel password authentication altijd uit. 90% van brute-force aanvallen richt zich op SSH passwords.

2. Firewall Configuratie

UFW (Uncomplicated Firewall) voor Ubuntu/Debian systemen:

# Default policies
ufw default deny incoming
ufw default allow outgoing

# Allow SSH (change port if using non-standard)
ufw allow 22/tcp

# Allow HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp

# Rate limiting voor SSH
ufw limit 22/tcp

# Enable firewall
ufw enable

FirewallD voor CentOS/RHEL

# Check status
firewall-cmd --state

# Allow services
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https

# Reload
firewall-cmd --reload

3. Automatische Security Updates

Kritieke patches moeten automatisch worden geïnstalleerd:

Ubuntu/Debian

apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

CentOS/RHEL

yum install yum-cron
systemctl enable yum-cron
systemctl start yum-cron

4. Fail2Ban

Automatische IP blokkering na failed login attempts:

# Installatie
apt install fail2ban

# Configuratie
cat > /etc/fail2ban/jail.local <<EOF
[sshd]
enabled = true
port = 22
maxretry = 3
bantime = 3600
findtime = 600
EOF

systemctl enable fail2ban
systemctl start fail2ban

5. Kernel Hardening

Beveilig de kernel met sysctl parameters:

# /etc/sysctl.d/99-security.conf

# IP Spoofing bescherming
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Ignore source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Log Martians
net.ipv4.conf.all.log_martians = 1

# Ignore ICMP ping
net.ipv4.icmp_echo_ignore_all = 1

# Apply changes
sysctl -p /etc/sysctl.d/99-security.conf

6. Gebruikersbeheer

Sudo Configuratie

# Specifieke sudo rechten
visudo

# Voorbeeld: admin mag alles
admin ALL=(ALL) NOPASSWD:ALL

# Beter: specifieke commands
backup ALL=(ALL) NOPASSWD:/usr/bin/rsync

Password Policy

# /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

7. Auditing met Auditd

Monitor alle security-relevante events:

# Installatie
apt install auditd

# Monitor password file changes
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes

# Monitor sudo usage
auditctl -w /etc/sudoers -p wa -k sudoers_changes

# View logs
ausearch -k passwd_changes

8. File Permissions

# Kritieke files
chmod 644 /etc/passwd
chmod 640 /etc/shadow
chmod 600 /etc/ssh/sshd_config
chmod 700 /root

# Find world-writable files (potentiële risk)
find / -xdev -type f -perm -0002 -ls

9. SELinux / AppArmor

Mandatory Access Control voor extra beveiliging:

SELinux (RHEL/CentOS)

# Check status
sestatus

# Enable enforcing mode
setenforce 1

# Permanent
sed -i 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

AppArmor (Ubuntu/Debian)

# Status
aa-status

# Enable profile
aa-enforce /etc/apparmor.d/usr.sbin.apache2

10. Monitoring & Intrusion Detection

AIDE - File Integrity

# Installatie
apt install aide

# Initialize database
aideinit

# Check voor wijzigingen
aide --check

Rootkit Detection

# rkhunter
apt install rkhunter
rkhunter --update
rkhunter --check

# chkrootkit
apt install chkrootkit
chkrootkit

Checklist Samenvatting

✓ SSH hardening (key-only, no root)
✓ Firewall actief (UFW/FirewallD)
✓ Automatic security updates
✓ Fail2Ban configured
✓ Kernel hardening (sysctl)
✓ Strong password policy
✓ Auditing enabled (auditd)
✓ Correct file permissions
✓ SELinux/AppArmor enforcing
✓ Integrity monitoring (AIDE)
✓ Regular security scans

🛡️ 5iX Managed Security: Wij implementeren en monitoren deze configuraties voor al onze klanten. 24/7 security monitoring inclusief.