
Linux Server Security: Hardening and Best Practices

A complete guide to securing Linux servers against common threats, covering hardening, firewalls, intrusion detection, and monitoring.


Securing a Linux server is a critical step in protecting data and services from cyber attacks.

Security Checklist

Immediate Actions

  1. Update the system to the latest packages
  2. Remove default users that are not needed
  3. Set strong passwords for all accounts
  4. Disable direct root login
  5. Configure a firewall
  6. Install fail2ban for brute-force protection

User Management

Root Account Management

# Never log in as root for daily tasks
# Use sudo instead

# Check who has sudo access
getent group sudo     # Debian/Ubuntu
getent group wheel    # CentOS/RHEL

Create Users with Minimal Privileges

# Create a user
adduser username

# Add to the sudo group (Debian/Ubuntu)
usermod -aG sudo username

# Add to the wheel group (CentOS/RHEL)
usermod -aG wheel username

Password Policy

# Install the password quality checker
apt install libpam-pwquality    # Debian/Ubuntu
yum install libpwquality        # CentOS/RHEL

# Edit the password quality policy
nano /etc/security/pwquality.conf

# Minimum password length
minlen = 12

# Minimum number of character classes (lowercase, uppercase, digits, other) a password must contain
minclass = 3

# Enforce password expiration (maximum password age of 90 days)
chage -M 90 username

Disable User Login (optional)

# Lock the password (prefixes the hash with "!"); this alone does not reliably block SSH key login
usermod -L username

# Expire the account itself (blocks every login method, including SSH keys)
chage -E 0 username

# Change the shell to nologin
usermod -s /usr/sbin/nologin username
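
As an added example (not part of the original page), the audit below turns the checklist items above into something you can run: it reads passwd and shadow data and flags extra UID-0 accounts, accounts with an empty password field, and interactive accounts whose password never expires (i.e. chage -M was never applied). The passwd and shadow samples are constructed; the function name audit_accounts is mine.

```shell
#!/usr/bin/env bash
# Account audit over /etc/passwd and /etc/shadow contents (added example; samples are constructed).
# Findings: extra UID-0 accounts, empty password fields, interactive accounts with no password expiry.

# Constructed /etc/passwd sample: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:999:999::/var/lib/svc:/usr/sbin/nologin'

# Constructed /etc/shadow sample: name:hash:lastchg:min:max:warn:inact:expire:
SAMPLE_SHADOW='root:$6$salt$hash:19700:0:90:7:::
daemon:*:19700:0:99999:7:::
backdoor:$6$salt$hash:19700:0:99999:7:::
alice:$6$salt$hash:19700:0:90:7:::
bob::19700:0:99999:7:::
svc:!:19700:0:99999:7:::'

# audit_accounts <passwd text> <shadow text>
# Prints one "FINDING <type> <user>" line per problem; returns 0 when clean, 1 otherwise.
audit_accounts() {
  local passwd="$1" shadow="$2" out
  out=$(
    # 1. Any UID-0 account other than root is a second root login (classic persistence).
    printf '%s\n' "$passwd" | awk -F: '$3 == 0 && $1 != "root" { print "FINDING uid0", $1 }'
    # 2. An empty hash field means login with no password at all.
    printf '%s\n' "$shadow" | awk -F: '$2 == "" { print "FINDING empty-password", $1 }'
    # 3. Interactive shell + usable hash + max age unset or 99999: no expiry policy applied.
    printf '%s\n' "$shadow" | awk -F: -v pw="$passwd" '
      BEGIN {
        n = split(pw, lines, "\n")
        for (i = 1; i <= n; i++) {
          split(lines[i], f, ":")
          if (f[7] !~ /(nologin|false)$/) interactive[f[1]] = 1
        }
      }
      ($1 in interactive) && $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) {
        print "FINDING no-expiry", $1
      }'
  )
  if [ -z "$out" ]; then
    return 0
  fi
  printf '%s\n' "$out"
  return 1
}

# On a live host (root is needed to read shadow):
#   audit_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)"
```

The third check deliberately skips accounts whose hash starts with "!" or "*": those are locked or system accounts and cannot log in with a password, so an expiry policy is irrelevant for them.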

SSH Security

Edit SSH Configuration

nano /etc/ssh/sshd_config

Recommended Settings

# Disable root login
PermitRootLogin no

# Disable password authentication (use SSH keys instead)
PasswordAuthentication no
ChallengeResponseAuthentication no
# (OpenSSH 8.7 and later call this KbdInteractiveAuthentication; the old name is kept as an alias)

# Use key-based auth
PubkeyAuthentication yes

# Change the default port: security by obscurity, it only reduces scanner noise in the logs
Port 2222

# Limit authentication attempts per connection
MaxAuthTries 3

# Drop idle sessions (300 s x 2 missed keepalives = 10 minutes)
ClientAliveInterval 300
ClientAliveCountMax 2

# Allow only specific users
AllowUsers admin user1 user2

# Disable X11 forwarding
X11Forwarding no

# Disable agent forwarding
AllowAgentForwarding no

Setup SSH Key Authentication

# Generate a key pair on the client (ed25519 is the modern choice; rsa -b 4096 still works everywhere)
ssh-keygen -t rsa -b 4096 -C "user@server"

# Copy the public key to the server
ssh-copy-id -p 2222 user@server_ip

# Or manually; sshd ignores authorized_keys if ~/.ssh or the file is group- or world-writable
cat ~/.ssh/id_rsa.pub | ssh -p 2222 user@server_ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Restrict SSH Access

# Allow only specific source networks via TCP wrappers
# Edit /etc/hosts.allow
sshd: 192.168.1.0/24 : ALLOW

# Edit /etc/hosts.deny
sshd: ALL : DENY

# Caveat: current OpenSSH packages on Debian/Ubuntu and RHEL are built without libwrap, so
# hosts.allow/hosts.deny are silently ignored there. Restrict by source address in the
# firewall (below) or with a Match Address block in sshd_config instead.
# Or use fail2ban (more advanced, see below)
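
The following is an added example (not from the original page) that verifies what sshd actually runs with, rather than the file you edited: `sshd -T` prints the effective value of every keyword in lowercase, after includes and Match blocks are resolved. The sample output is constructed for a stock, unhardened install; the baseline rows and the function name check_sshd_config are mine. On OpenSSH 8.7 and later `sshd -T` reports kbdinteractiveauthentication, which is what the baseline checks (older releases print challengeresponseauthentication and will show that row as unset).

```shell
#!/usr/bin/env bash
# Compare the effective sshd configuration (output of `sshd -T`) with the hardening baseline.
# Added example; SAMPLE_SSHD_T is constructed output for an unhardened install.

SAMPLE_SSHD_T='port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
maxauthtries 6
clientaliveinterval 0
clientalivecountmax 3
x11forwarding yes
allowagentforwarding yes'

# Baseline rows: keyword, expected value, comparison (eq = exact, le = at most, ge = at least).
# Port is deliberately not checked: moving it is noise reduction, not a security control.
BASELINE='permitrootlogin no eq
passwordauthentication no eq
kbdinteractiveauthentication no eq
pubkeyauthentication yes eq
maxauthtries 3 le
clientaliveinterval 1 ge
clientalivecountmax 2 le
x11forwarding no eq
allowagentforwarding no eq'

# check_sshd_config < sshd-T-output
# Prints "FAIL <keyword> got=<value> want=<op> <value>" per deviation; exit 1 if any, else 0.
check_sshd_config() {
  awk -v baseline="$BASELINE" '
    BEGIN {
      n = split(baseline, rows, "\n")
      for (i = 1; i <= n; i++) { split(rows[i], f, " "); want[f[1]] = f[2]; op[f[1]] = f[3] }
    }
    { got[$1] = $2 }                       # sshd -T prints one "keyword value" pair per line
    END {
      rc = 0
      for (k in want) {
        v = (k in got) ? got[k] : "unset"  # unset: this sshd build does not know the keyword
        bad = 0
        if (op[k] == "eq")      bad = (v != want[k])
        else if (op[k] == "le") bad = (v == "unset" || v + 0 > want[k] + 0)
        else if (op[k] == "ge") bad = (v == "unset" || v + 0 < want[k] + 0)
        if (bad) { printf "FAIL %s got=%s want=%s %s\n", k, v, op[k], want[k]; rc = 1 }
      }
      exit rc
    }'
}

# Live use, as root:     sshd -T | check_sshd_config
# After editing sshd_config, validate before restarting and keep the current session open
# until a fresh login succeeds:   sshd -t && systemctl restart sshd
```

Running the check against `sshd -T` instead of grepping sshd_config also catches the common mistake of a later Include or Match block overriding the line you just added.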

Firewall Configuration

UFW (Ubuntu - recommended for beginners)

# Install UFW
apt install ufw

# Set default policies
ufw default deny incoming
ufw default allow outgoing

# Allow SSH on the custom port (do this BEFORE ufw enable, or you lock yourself out)
ufw allow 2222/tcp

# Allow HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp

# Enable UFW
ufw enable

# Check status
ufw status verbose

iptables (Advanced)

# List rules
iptables -L -n -v

# Flush all rules (run the whole sequence from a script or the console, not line by line over SSH)
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections (conntrack replaces the deprecated state match)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Default policies: set these LAST, after the allow rules, so your current SSH session survives
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Save rules (Debian/Ubuntu: install iptables-persistent; RHEL: iptables-services)
# Repeat the ruleset with ip6tables (rules.v6) unless IPv6 is disabled
iptables-save > /etc/iptables/rules.v4
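
Added example (not from the page): instead of issuing one `-A` at a time, generate the complete ruleset in iptables-save format and load it atomically with iptables-restore, with a timed rollback so a bad rule cannot lock you out over SSH. The generator also rate-limits new SSH connections per source address with the recent match. The function names build_ruleset and apply_with_rollback are mine; the match modules and options are standard iptables.

```shell
#!/usr/bin/env bash
# Build a full iptables ruleset (iptables-save format) and apply it atomically with a timed
# rollback. Added example; the function names are mine, the match modules are standard.

# build_ruleset <ssh_port> [tcp_port ...]  -> prints the ruleset to stdout
build_ruleset() {
  local ssh_port="$1" p
  shift
  printf '%s\n' \
    '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
    '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
  # SSH: a source that opens a 6th new connection within 60 s is dropped; otherwise accept
  printf '%s\n' \
    "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH" \
    "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP" \
    "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
  for p in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Log what the DROP policy is about to discard, rate-limited so a flood cannot fill syslog
  printf '%s\n' \
    '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "' \
    'COMMIT'
}

# apply_with_rollback <rules_file> [seconds]
# Loads the ruleset; unless you cancel the rollback within the window (because your session
# still works), the previous ruleset is restored automatically.
apply_with_rollback() {
  local rules="$1" window="${2:-60}" backup
  backup=$(mktemp /tmp/iptables-backup.XXXXXX)
  iptables-save > "$backup"
  if ! iptables-restore --test "$rules"; then
    echo "ruleset rejected by iptables-restore --test; nothing changed" >&2
    return 1
  fi
  iptables-restore "$rules"
  ( sleep "$window" && iptables-restore "$backup" && echo "rolled back to $backup" >&2 ) &
  echo "applied; open a NEW ssh session to confirm, then run: kill $!   (rollback in ${window}s otherwise)"
}

# Typical use as root:
#   build_ruleset 2222 80 443 > /etc/iptables/rules.v4
#   apply_with_rollback /etc/iptables/rules.v4 90
```

Because the whole table is replaced in one commit, there is never a moment where the DROP policy is active without the ESTABLISHED rule, which is the window that bites people applying rules interactively.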

Fail2Ban Configuration

Install Fail2Ban

# Debian/Ubuntu
apt install fail2ban

# CentOS/RHEL
yum install fail2ban

Basic Configuration

# Create jail.local with only your overrides; jail.conf is the packaged default and is
# replaced on upgrade, so do not edit it or copy it wholesale
nano /etc/fail2ban/jail.local
[DEFAULT]
# Ban for 1 hour
bantime = 3600

# Count failures within a 10-minute window
findtime = 600

# Ban after 3 failures
maxretry = 3

# Email notification (action_mwl = ban, then mail with whois data and the matching log lines)
destemail = [email protected]
sender = [email protected]
action = %(action_mwl)s

[sshd]
enabled = true
port = 2222
filter = sshd
# Debian/Ubuntu: /var/log/auth.log; CentOS/RHEL: /var/log/secure;
# on journald-only hosts drop logpath and set backend = systemd
logpath = /var/log/auth.log
maxretry = 3

Enable and Start

systemctl enable fail2ban
systemctl start fail2ban

# Check status
fail2ban-client status
fail2ban-client status sshd
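
Added example (not from the page, and not fail2ban's own code): the findtime/maxretry logic that fail2ban applies, written in awk over a handful of constructed sshd log lines so the sliding-window semantics are visible. Addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24), and the timestamps use the ISO format written by rsyslog's RSYSLOG_FileFormat template or `journalctl -o short-iso`; traditional "Mar  9 10:00:01" timestamps would need a different parser. The function name detect_bruteforce is mine.

```shell
#!/usr/bin/env bash
# Sliding-window brute-force detector: the findtime/maxretry logic fail2ban uses, run over
# constructed sshd log lines with ISO timestamps. Added example, not fail2ban's own code.

SAMPLE_AUTH_LOG='2024-03-09T10:00:01+00:00 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-03-09T10:00:07+00:00 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
2024-03-09T10:00:12+00:00 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
2024-03-09T10:01:30+00:00 web1 sshd[2120]: Failed password for alice from 198.51.100.7 port 40012 ssh2
2024-03-09T10:05:02+00:00 web1 sshd[2150]: Accepted publickey for alice from 198.51.100.7 port 40020 ssh2: ED25519 SHA256:constructed
2024-03-09T10:40:00+00:00 web1 sshd[2301]: Failed password for invalid user test from 198.51.100.7 port 40100 ssh2
2024-03-09T10:40:20+00:00 web1 sshd[2302]: Failed password for invalid user test from 198.51.100.7 port 40101 ssh2
2024-03-09T11:20:00+00:00 web1 sshd[2400]: Failed password for invalid user test from 198.51.100.7 port 40200 ssh2'

# detect_bruteforce <findtime_seconds> <maxretry> < logfile
# Prints "BAN <ip> at <timestamp> (<n> failures in <findtime>s)" the first time an address
# accumulates maxretry failures inside one findtime window (the point where fail2ban bans it).
detect_bruteforce() {
  awk -v findtime="$1" -v maxretry="$2" '
    # ISO timestamp -> seconds. Day-of-year is approximated as month*31+day: exact for
    # differences within one month, which is all a window of minutes needs.
    function to_sec(ts,    t) {
      split(ts, t, /[-T:+]/)
      return ((t[2] * 31 + t[3]) * 86400) + t[4] * 3600 + t[5] * 60 + t[6]
    }
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "" || ip in banned) next
      now = to_sec($1)
      n[ip]++
      hit[ip, n[ip]] = now
      if (!(ip in head)) head[ip] = 1
      # advance the window start past failures older than findtime
      while (head[ip] < n[ip] && hit[ip, head[ip]] < now - findtime) head[ip]++
      inwin = n[ip] - head[ip] + 1
      if (inwin >= maxretry) {
        printf "BAN %s at %s (%d failures in %ds)\n", ip, $1, inwin, findtime
        banned[ip] = 1
      }
    }'
}

# Live use:  detect_bruteforce 600 3 < /var/log/auth.log
#            journalctl -u ssh -o short-iso --no-pager | detect_bruteforce 600 3   (unit is sshd on RHEL)
```

With findtime 600 and maxretry 3 only 203.0.113.5 is banned: 198.51.100.7 also fails four times, but never three times inside any 10-minute window, which is exactly the kind of slow, spread-out guessing a short findtime misses and a longer one (or the recidive jail) catches.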

System Hardening

Disable Unused Services

# List all services
systemctl list-unit-files --type=service

# Disable services you do not need (e.g. a local mail server on a web host)
systemctl disable --now postfix

# Cleartext remote-access services (telnet, rsh) should be removed, not just stopped
systemctl disable --now telnet.socket    # RHEL socket unit; Debian's telnetd runs from inetd
apt purge telnetd                        # Debian/Ubuntu
yum remove telnet-server                 # CentOS/RHEL

Secure Shared Memory

# Ubuntu mounts shared memory at /run/shm; on Debian and RHEL use /dev/shm instead
echo "tmpfs /run/shm tmpfs defaults,noexec,nosuid,nodev 0 0" >> /etc/fstab
mount -o remount /run/shm

Disable IPv6 (only if it is genuinely unused; otherwise firewall IPv6 the same way as IPv4 instead of turning it off)

echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p

Kernel Parameters Hardening

nano /etc/sysctl.conf
# Disable IP forwarding (leave it enabled on routers, VPN gateways and Docker hosts)
net.ipv4.ip_forward = 0

# Reject source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable TCP SYN cookies (SYN-flood resistance)
net.ipv4.tcp_syncookies = 1

# Ignore ICMP redirects (prevents route manipulation from the local network)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log packets with impossible source addresses
net.ipv4.conf.all.log_martians = 1

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Apply changes
sysctl -p

File Permissions

Secure Critical Files

# Lock the bootloader configuration
chown root:root /boot/grub/grub.cfg
chmod 600 /boot/grub/grub.cfg

# /etc/shadow: keep the distro default (root:shadow 0640 on Debian/Ubuntu, where the setgid
# unix_chkpwd helper needs group access; root:root 0000 on RHEL). Only make sure "other" has nothing.
chmod o-rwx /etc/shadow

# Secure SSH config
chmod 600 /etc/ssh/sshd_config

# Secure crontab
chmod 600 /etc/crontab

Check for World-Writable Files

# Find world-writable files (-xdev skips /proc, /sys and network mounts)
find / -xdev -type f -perm -0002 2>/dev/null

# Find world-writable directories without the sticky bit (/tmp-style 1777 directories are fine)
find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
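
Added example (not from the page): the find commands above bundled into a repeatable audit that also lists setuid and setgid executables, the other permission class worth baselining, since a new SUID binary appearing after hardening is a strong compromise indicator. The demo tree is constructed in a temporary directory so the checks can be exercised without touching the host; the function names audit_perms and make_demo_tree and the baseline path in the comment are mine.

```shell
#!/usr/bin/env bash
# Permission audit on real filesystems only: world-writable files, world-writable directories
# that lack the sticky bit, and setuid/setgid executables. Added example; the demo tree is
# constructed in a temp directory.

# audit_perms <root>  -> sorted lines: WW-FILE, WW-DIR-NOSTICKY, SUID, SGID, each followed by a path
audit_perms() {
  local root="$1"
  {
    # -xdev stays on the filesystem holding <root>: skips /proc, /sys and network mounts
    find "$root" -xdev -type f -perm -0002 -exec printf 'WW-FILE %s\n' {} +
    # a world-writable directory is only acceptable with the sticky bit (like /tmp, mode 1777)
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -exec printf 'WW-DIR-NOSTICKY %s\n' {} +
    find "$root" -xdev -type f -perm -4000 -exec printf 'SUID %s\n' {} +
    find "$root" -xdev -type f -perm -2000 -exec printf 'SGID %s\n' {} +
  } 2>/dev/null | LC_ALL=C sort
}

# make_demo_tree -> prints the path of a constructed tree holding one example of each finding
make_demo_tree() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/tmpdir" "$d/dropbox" "$d/bin"
  : > "$d/tmpdir/note.txt"
  chmod 666 "$d/tmpdir/note.txt"   # world-writable file: finding
  chmod 1777 "$d/tmpdir"           # world-writable with sticky bit: acceptable, like /tmp
  chmod 777 "$d/dropbox"           # world-writable, no sticky bit: finding
  : > "$d/bin/helper"
  chmod 4755 "$d/bin/helper"       # setuid: finding (compare against a known baseline)
  : > "$d/bin/safe"
  chmod 755 "$d/bin/safe"          # ordinary executable: no finding
  printf '%s\n' "$d"
}

# Baseline workflow on a live host (as root; the path is an assumption):
#   audit_perms / > /var/lib/perm-audit/baseline.txt          # once, after hardening
#   audit_perms / | diff /var/lib/perm-audit/baseline.txt -   # later: new SUID binaries appear as added lines
```

Sorting with LC_ALL=C keeps the output byte-ordered regardless of locale, so the saved baseline diffs cleanly on any host.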

Application Security

Keep Software Updated

# Debian/Ubuntu
apt update
apt upgrade -y

# CentOS/RHEL
yum update -y

# Automatic security updates (Debian/Ubuntu)
apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Secure Web Server (Apache/Nginx)

Apache

# Hide version
nano /etc/apache2/conf-available/security.conf
ServerTokens Prod
ServerSignature Off

# Disable directory listing
<Directory /var/www/html>
    Options -Indexes
</Directory>

Nginx

# Hide version
nano /etc/nginx/nginx.conf
server_tokens off;

# Disable directory listing
autoindex off;

Monitoring and Logging

Audit System with auditd

# Install auditd
apt install auditd    # Debian/Ubuntu
yum install auditd    # CentOS

# Enable and start
systemctl enable auditd
systemctl start auditd

# Review recent events of any type (-m avc would narrow this to SELinux denials only)
ausearch -ts recent

Configure rsyslog

nano /etc/rsyslog.conf

# Send logs to a remote server (@ = UDP, @@ = TCP; use TCP, and TLS in production, so an
# attacker who gains root cannot simply erase the evidence)
*.* @@logserver.example.com:514

# Force a rotation now (normally runs from the daily cron job or systemd timer)
logrotate -f /etc/logrotate.conf

Install Monitoring Tools

# htop for resource monitoring
apt install htop

# iotop for I/O monitoring
apt install iotop

# nethogs for per-process network monitoring
apt install nethogs

# atop for advanced monitoring with history
apt install atop

Intrusion Detection

Install and Configure AIDE

# Install AIDE
apt install aide    # Debian/Ubuntu
yum install aide    # CentOS

# Initialize the database (Debian/Ubuntu also ships an aideinit wrapper that does this)
aide --init

# Activate the new database
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Check integrity
aide --check

# After every legitimate change (package upgrades, config edits) rebuild the baseline, or the
# reports fill with expected noise; keep a copy of aide.db off the host so an intruder cannot alter it
aide --update

# Schedule a daily check
crontab -e
0 5 * * * /usr/bin/aide --check

Rootkit Detection (rkhunter)

# Install rkhunter
apt install rkhunter    # Debian/Ubuntu
yum install rkhunter    # CentOS

# Update database
rkhunter --update

# Record current file properties as the baseline (rerun after legitimate package updates)
rkhunter --propupd

# Run scan
rkhunter --check

Backup and Recovery

Automated Backup Script

nano /usr/local/bin/backup.sh
#!/bin/bash
BACKUP_DIR="/backup"
DATE=$(date +%Y%m%d_%H%M%S)
RETENTION_DAYS=7

# Backups contain /etc/shadow, private keys and database dumps: keep the directory root-only
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"

# Backup critical directories
tar -czf "$BACKUP_DIR/system_$DATE.tar.gz" \
    /etc \
    /home \
    /var/www \
    /root \
    /usr/local/bin

# Backup databases (MySQL/MariaDB); put credentials in /root/.my.cnf (mode 600), never on the command line
mysqldump --all-databases --single-transaction > "$BACKUP_DIR/mysql_$DATE.sql"

# Delete backups older than the retention period (match the file family, not today's timestamp,
# otherwise nothing is ever pruned)
find "$BACKUP_DIR" -name "system_*.tar.gz" -mtime +"$RETENTION_DAYS" -delete
find "$BACKUP_DIR" -name "mysql_*.sql" -mtime +"$RETENTION_DAYS" -delete

echo "Backup completed: $DATE"

# Make the script executable by root only (it runs with root privileges)
chmod 700 /usr/local/bin/backup.sh

# Add to root's crontab (daily at 2 AM); copy the backups off the host afterwards, a backup on the
# same disk does not survive ransomware or a disk failure
crontab -e
0 2 * * * /usr/local/bin/backup.sh

Security Assessment Tools

Install Lynis (Security Auditing)

# Install Lynis
apt install lynis    # Debian/Ubuntu
yum install lynis    # CentOS

# Run audit
lynis audit system

# Check results
lynis show details

Run OpenVAS (Vulnerability Scanner)

# OpenVAS is now distributed as Greenbone Vulnerability Management (GVM); package names and
# service units differ per distro (e.g. the gvm package on Kali). The commands below are the
# legacy packaging this guide was written against.
# Install OpenVAS
apt install openvas    # Debian/Ubuntu

# Start service
systemctl start openvas-scanner

# Run scan
openvas-start

Best Practices Summary

  1. Principle of Least Privilege - Users and services get only the access they need
  2. Defense in Depth - Multiple independent layers of security
  3. Keep Updated - Always patch the OS and applications
  4. Monitor and Log - Log everything and actively watch the logs
  5. Regular Backups - Back up and test restores regularly
  6. Separation of Concerns - Keep production, staging and development apart
  7. Document Everything - Record configuration and changes
  8. Security Awareness - Security awareness training for the team
  9. Incident Response Plan - Have a plan for handling security incidents
  10. Regular Audits - Audit security periodically

Conclusion

Security is an ongoing process, not a one-time setup. Regularly review, update, and audit your systems to make sure they stay protected against evolving threats.
