How to Secure Rocky Linux 8

Security is an essential consideration for any server you launch into a production environment. The latest version of Rocky Linux 8 comes with robust security features. However, not all of them are active or properly configured by default, so a fresh installation is always vulnerable to hacks and intrusion attacks.

In this guide, we will have a look at a few important tasks to perform on the server for the initial setup and basic server hardening.

Step 1 – Update Your Server

First, install the latest security patches and updates to your server. Run the following command to update them.

dnf update -y

Next, install some basic software packages by running the following command:

dnf install wget git curl bind-utils tree net-tools -y

Step 2 – Change the Default Root Password

When you launch a new server, your servers are automatically set with secure passwords. However, it is recommended to change your root password every 60-90 days thereafter in order to ensure it remains secure. You should create a root password with a minimum of 8 characters, including lowercase characters, uppercase characters, and numbers.

You can change the root password using the following command:

passwd root

Step 3 – Create a New User with sudo Privileges

By default, the root is the default admin user for many Linux operating systems, including Rocky Linux 8, so it’s recommended to create a new user with sudo/root permissions and use it for day-to-day administration tasks. Generally, hackers target the root user because they know it’s the default admin user. Creating a new user with root permissions will increase the security of your server access.

First, create a new user with the following command:

adduser user1

Next, set the password user1 using the following command:

passwd user1

After creating a new user, you will need to add this user to the sudo wheel group. In Rocky Linux 8, once you add them to the sudo wheel group, they are automatically assigned sudo/root permissions.

Run the following command to add the user to the sudo wheel group.

usermod -aG wheel user1

Once you created the user with sudo/root permissions, log in to user1 with the following command:

su - user1

Once you are logged in, run the following command using sudo:

sudo dnf update -y

You will be asked to provide the user1 password to update your system.

This will confirm that your sudo user is working as expected.

Step 4 – Disable Root Login Via SSH

We already created an admin user with sudo/root permissions to perform all tasks. You don’t need to keep the root user available and vulnerable over SSH on your server, so you will need to disable the root login via SSH.

Edit the SSH main configuration file with the following command:

sudo nano /etc/ssh/sshd_config

Find the following line:

PermitRootLogin yes

Change it to the following line:

PermitRootLogin no

Save and close the file, then restart the SSH service to apply the changes:

systemctl restart sshd

Step 5 – Change SSH Default Port

By default, SSH listens on port 22. Generally, hackers and bots continuously target the default SSH port 22, so it is recommended to change the default SSH port to any other port.

To change the SSH port, edit the SSH main configuration file:

sudo nano /etc/ssh/sshd_config

Find the following line:

#Port 22

Change it to the following lines:

Port 2020

Save and close the file, then restart the SSH service to apply the changes:

systemctl restart sshd

You can now log in to your Atlantic server remotely via SSH using the following command:

ssh user1@your-server-ip -p 2020

Step 6 – Configure a Firewall

By default, your Atlantic.Net’s Rocky Linux 8 is loaded with a default firewall named firewalld, but it is not enabled. You can check the status of the firewall using the following command:

firewall-cmd --state

You should see that firewall is not running:

not running

It is recommended to enable the firewall and allow necessary ports for external access.

First, enable the firewalld service with the following command:

systemctl start firewalld
systemctl enable firewalld

Next, allow the SSH port 2020 through the firewall with the following command:

sudo firewall-cmd --permanent --add-port=2020/tcp

Next, reload the firewalld service to apply the changes:

sudo firewall-cmd --reload

You can now verify the added ports with the following command:

sudo firewall-cmd --list-ports

You should see the following output:

2020/tcp

If you have any web server installed and running on your server, you may need to allow the HTTP and HTTPS service through the firewall in order to access it over the Internet.

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

To allow POP3, IMAP, and SMTP services for external access, run the following command:

sudo firewall-cmd --permanent --add-service=pop3s
sudo firewall-cmd --permanent --add-service=imaps
sudo firewall-cmd --permanent --add-service=smtp

Step 7 – Install NTP for Time Synchronization

It is also recommended to install an NTP server to synchronize the time and date of computers over the network in order to keep them accurate and up to date.

First, install the NTP server using the following command:

sudo dnf install chrony -y

Once the NTP service is installed, start it and enable it to start at system reboot:

sudo systemctl start chronyd
sudo systemctl enable chronyd

Now, your NTP server is installed and will constantly update the server’s time from the NTP server.

Step 8 – Disable IPv6

If you are not using IPv6, then it is recommended to disable it for security reasons.

First, check whether IPv6 is enabled on your Rocky Linux 8 installation using the following command:

ip a | grep inet6

You should see the following lines if IPv6 is enabled:

    inet6 ::1/128 scope host 
    inet6 fe80::200:d8ff:fe62:817/64 scope link 
    inet6 fe80::200:aff:fe62:817/64 scope link

You will need to create a new configuration file to disable IPv6:

sudo nano /etc/sysctl.d/70-ipv6.conf

Add the following lines:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Save and close the file, then reload the configuration file with the following command:

sudo sysctl --load /etc/sysctl.d/70-ipv6.conf

You should see the following output:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

To verify IPv6 is disabled, run the following command:

ip a | grep inet6

If the command doesn’t return anything, you have confirmed that IPv6 has been disabled on all your network interfaces.

Step 9 – Create a Swap Space

A swap is a space on a disk that is used when the amount of physical RAM memory is full. When your server runs out of RAM, all inactive pages are moved from the RAM to the swap space.

When you launch a new instance on Atlantic.Net, it does not create a swap partition. You will need to create a swap space manually after launching the new instance.

Generally, swap space should be half of your existing RAM. If you have 1GB of actual Ram, then you will need to create a 512MB file.

First, create a swap space (of 512MB) with the following command:

sudo dd if=/dev/zero of=/swapfile bs=1024 count=524288

Output:

524288+0 records in
524288+0 records out
536870912 bytes (537 MB, 512 MiB) copied, 10.3523 s, 51.9 MB/s

You can calculate the block size using the formula 1024 x 512MB = 524288.

After creating the Swap space, format it with the following command:

sudo mkswap /swapfile

Output:

mkswap: /swapfile: insecure permissions 0644, 0600 suggested.
Setting up swapspace version 1, size = 512 MiB (536866816 bytes)
no label, UUID=8981408a-549d-47aa-a99a-72870b65212d

Next, set proper permissions on the /swapfile with the following command:

sudo chown root:root /swapfile
sudo chmod 0600 /swapfile

Next, activate the Swap space using the following command:

sudo swapon /swapfile

Next, verify the Swap space using the following command:

swapon -s

Output:

Filename				Type		Size	Used	Priority
/swapfile                              	file    	524284	0	-2

Next, you will need to add the Swap file entry to the /etc/fstab in order to make it active even after a reboot.

nano /etc/fstab

Add the following line:

/swapfile              swap   swap     defaults     0 0

Save and close the file, then verify the Swap space using the following command:

free -m

You should see the following output:

              total        used        free      shared  buff/cache   available
Mem:           1817         263         100          68        1452        1329
Swap:           511           0         511

Conclusion

In the above guide, we explained some basic steps to secure your Rocky Linux 8 server. You can now proceed to host any application in the secured environment – try it on your VPS hosting account from Atlantic.Net!