AlmaLinux: Simple Steps for a Secure Server

Introduction

Ensuring the security of your AlmaLinux server is paramount in safeguarding against potential threats. This guide covers essential security measures to fortify your AlmaLinux server and protect it from vulnerabilities.


1. Configure Firewall Rules

A properly configured firewall is the first line of defense against unauthorized access. AlmaLinux comes with firewalld, a dynamic firewall manager. Let's set it up.

Installing Firewalld

sudo dnf install firewalld

Checking Firewalld Status

sudo systemctl status firewalld

By default, Firewalld is inactive. Let's enable and start it:

sudo systemctl enable --now firewalld

Opening Essential Ports

sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload


2. Secure SSH Access

Securing SSH access is critical as it's a common target for attackers. Enhance security by modifying default settings and using key-based authentication.

Modify SSH Configuration

sudo nano /etc/ssh/sshd_config

Adjust settings like:

  • Change the default SSH port.
  • Disable root login.
  • Allow only specific users.

After modifying, restart the SSH service

sudo systemctl restart sshd

Set Up Key-Based Authentication

Generate SSH key pairs on your local machine:

ssh-keygen -t rsa 

Copy the public key to your AlmaLinux server:

ssh-copy-id user@your_server_ip

Disable password authentication in SSH configuration:

PasswordAuthentication no


3. Regular Software Updates

Keeping your software up-to-date is crucial in addressing potential vulnerabilities. AlmaLinux uses the DNF package manager.

Update System Packages

sudo dnf update


4. Implement SELinux

SELinux (Security-Enhanced Linux) adds an extra layer of security by enforcing mandatory access controls. It's enabled by default on AlmaLinux.

Check SELinux Status

sestatus

Ensure it's set to enforcing. If not, modify /etc/selinux/config and reboot.


5. Install and Configure Fail2Ban

Fail2Ban protects against brute-force attacks by monitoring system logs and banning suspicious IP addresses.

Install Fail2Ban

sudo dnf install fail2ban

Configure Fail2Ban

Edit the configuration file:

sudo nano /etc/fail2ban/jail.conf

Adjust settings as needed and start the service:

sudo systemctl enable --now fail2ban


6. Enable Automatic Updates

Automating system updates ensures that security patches are promptly applied.

Install DNF Automatic

sudo dnf install dnf-automatic

Configure automatic updates:

sudo nano /etc/dnf/automatic.conf

Set apply_updates = yes and enable the service:

sudo systemctl enable --now dnf-automatic.timer


7. Monitor System Logs

Regularly monitoring system logs helps identify potential security issues.

View System Logs

journalctl

Useful flags:

  • -u for filtering by unit (service).
  • -p for filtering by priority (severity).


Conclusion

By following these essential security measures, you've significantly enhanced the security posture of your AlmaLinux server. Regularly audit and update your security practices to stay ahead of potential threats.

If you encounter any issues or have feedback, feel free to leave a comment below. Stay secure!