Hardening your Rocky Linux Server

Photo by Alexander Schimmeck / Unsplash

I made a mistake with my new server that I built in Vultr (sign up here for $100 free credit: https://www.vultr.com/?ref=8916306)! I left things unsecured after I set it up and after logging in less than 16 hours after building the server. I found that there was 2233 failed logins to my server as the “root” user.

I did some investigation and found no signs of a breach! I was lucky this time but I need to make sure this doesn’t happen again. Time to secure my server. I’m going to start off by creating a new user with a strong password, which I will use instead of continuing to use the root login and I’m then going to prevent the root account from logging on to the server via SSH. You can follow along with the commands below:

adduser nathangemmill

passwd nathangemmill

usermod -aG wheel nathangemmill

nano /etc/ssh/sshd_config

Edit the following line within the config file to match below:

PermitRootLogin no

Restart your ssh service to apply this change. Make sure you test this before logging off your current session by trying to ssh from a new window.

sudo systemctl restart sshd

Awesome! We’ve locked down our accounts which is a good first step but there is more that we need to do. I will now move onto enabling automatic updates for the server to prevent any vulnerabilities from being exploited.

sudo dnf install dnf-automatic

sudo nano /etc/dnf/automatic.conf

Update the following line of the configuration to yes so that it will automatically install the new updates which become available.

upgrade_type = security

apply_updates = yes

The last thing I’m going to do is add an easier firewall to manage all my inbound traffic. I find it much easier to use in comparison to the stock firewalld option installed on Rocky Linux. If you’re already familiar with firewalld however, just double check your configuration to make sure you’re happy with it and you can skip this step. Unfortunately, ufw isn’t available in the rocky Linux repository and you will first need to enable the epel repository in order to download & install ufw. You can install the epel (Extra Packages for Enterprise Linux) repository with the following command:

sudo dnf install epel-release

Now we can install ufw into our server with a single command.

sudo dnf install ufw

Before we enable the firewall, check what is currently running on your server.

sudo ss –tupln

If there is anything that you need to allow, make sure you create your firewall rules now before starting the ufw service. Here are my commands I chose to run which allow all outgoing traffic, blocks all incoming traffic, allows me to SSH into my server & finally,  allows my dogecoin full node to accept incoming connections.

sudo ufw default allow outgoing

sudo ufw default deny incoming

sudo ufw allow ssh

sudo ufw allow 22556/tcp

The last command we need to finish off the firewall install is going to start your firewall & enable it at system boot.

sudo ufw enable

You can check your firewall status or rules at any time by running ufw status

That’s the basic steps I’m going to recommend. There is definitely more that can be done, including securing your login with trusted keys, implementing MFA with 3rd party tools such as DUO or changing the SSH port for the server. I may update this article later with those steps too.

Nathan Gemmill

Nathan Gemmill