What are best practices for securing my Linux server running on Lightsail?

Last updated: 2021-10-28

I'm a system administrator for Amazon Lightsail instances running Linux. What are some server security best practices I can use to help protect my data?

Resolution

The following are basic Linux server security best practices. While these are important considerations for Linux server security, keep in mind that this isn't a complete list. There are many complex settings that should be configured and addressed by your local system administrator team based on your specific requirements and use case.

  • Encrypt data communication to and from your Linux server.
    Use SCP, SSH, rsync, or SFTP for file transfers. Avoid using services such as FTP, Telnet, and so on, as these aren't secure. To maintain a secure (HTTPS) connection, install and configure an SSL certificate on your server.
  • Minimize software to minimize vulnerability in Linux and perform security audits on a regular basis.
    Don't install unnecessary software so that you avoid introducing vulnerabilities from software or packages. If possible, identify and remove all unwanted packages.
  • Keep the Linux kernel and software up to date.
    Applying security patches is an important part of maintaining your Linux server. Linux provides all of the necessary tools to keep your system updated. Linux also allows for easy upgrades between versions. Review and apply all security updates as soon as possible and make sure that you update to the latest available kernel. Use the respective package managers based on your Linux distributions, such as yum, apt-get, or dpkg to apply all security updates.
  • Use Linux security extensions.
    Linux comes with various security features that you can use to guard against misconfigured or compromised programs. If possible, use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for the Linux kernel.
  • Disable the root login.
    It's a best practice not to log in as a root user. You should use sudo to run root level commands when required. Sudo greatly enhances the security of the system without sharing the credentials with other users and administrators.
  • Find listening network ports using SS or netstat and close or restrict all other ports.
    It's important to pay attention to which ports are listening on the system's network interfaces. This can be done through ss or netstat. Any open ports might be evidence of an intrusion.
  • Configure both Lightsail firewall and OS-level firewalls on Linux servers for an additional level of security.
    Use Lightsail firewall to filter out traffic and allow only necessary traffic to your server. OS-level firewall is a user space application program that allows you to configure the firewalls provided by the Linux kernel. You can use iptables, ufw, firewalld, and so on, depending on your Linux distribution.
  • Use auditd for system accounting.
    Linux provides auditd for system auditing. Auditd writes audit records to the disk. It also monitors various system activites, such as system logins, authentications, account modifications, and SELinux denials. These records help administrators identify malicious activity or unauthorized access.
  • Install an intrusion detection system (IDS).
    Use fail2ban or denyhost as an IDS. Fail2ban and denyhost scan the log files for too many failed login attempts and block the IP address that's showing signs of malicious activity.
  • Create backups on a regular basis.
    For more information, see Snapshots in Amazon Lightsail.
  • Avoid providing read, write, and run Permissions (777) for files and directories to users, groups, and others.
    You can use chmod to restrict access to files and directories, such as the web-root directory, document-root, and so on. Edit the permissions to provide access to authorized users only.