Securing & Hardening Linux Web Server (Part I – Theory)

This paper tries to cover the most important steps to properly secure and harden your Linux web server.

  1. Part I – Theory
  2. Part II – Practice

In the first part, we discuss what we need to do, in theory, to secure our Linux web server, without explaining exactly how to do it in practice. In this way we avoid the confusion of different configurations for different systems, Linux distributions and services.

- What do we need to run a web server?

Server (Local, Dedicated, VPS etc)
Operating System (Linux distribution)
Web Server (eg. Apache)
Database Server (eg. MySQL)
Name Server (eg. Bind)
SSH Server (eg. OpenSSH)
Firewall (eg. IPTables)

That’s a very basic configuration for a Linux web server; your case may be slightly different. For example, you will not need to run SSH if you have local access, or you may need to run more services, such as a mail server.

- What kind of attacks do we need to prevent for a server like this one?

Mass Packets
     Denial of service (DoS)
     Brute force (SSH Login, HTTP Login Forms, DNS Lookups, …)
     Web Scanning (Crawling, File/Dir Brute force, …)

Known Vulnerabilities Exploitation (running services, web applications, …)
Information Exposure (versions, error messages, etc.)
Web Attacks (SQL Injections, Cross-site Scripting, File Inclusions, …)

Now that we know what kind of system we need to run our web server and what kind of attacks we need to prevent, we need to know…

- What do we need to do to prevent the above kind of attacks?

Operating System

Patching, Updating, Monitoring, Logging, Backup
Remove unnecessary Users, Packages, Services
Use strong password policy
Review file permissions, ownership, SUID/SGID files
Install security tools (Rootkit Hunter, Chkrootkit, Tripwire, …)

Web Server

Change default version banners
Disable verbose error messages
Disable directory listing
Disable unnecessary modules, functions
Install security modules (web application firewall for DoS and web attacks)
Secure coding for custom web applications

Database Server

Remove unnecessary Users
Change default root username
Restrict access from the outside world

Name Server

Change default version banners
Disable recursion, zone transfers and port 53/tcp

SSH Server

Change default version banners, display a welcome banner
Change default listen port
Use only protocol 2, public key authentication
Disable remote root access
Restrict access to specific IP address(es) if that is possible

Firewall

Default policy: deny all
Identify spoofing, invalid IP addresses
Identify invalid packets
Identify port scanning
Identify mass packets (DoS attacks, SYN flood, web scanning, brute force against SSH logins, HTTP login forms, DNS lookups)
Allow necessary services
Enable Logging & Ban
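One way to put the firewall checklist above into practice, as an added example that is not part of the original post: an iptables script that prints its rules for review and applies them only when APPLY=1 is set. It assumes IPv4, sshd on port 22 (SSH_PORT), HTTP/HTTPS and an authoritative name server on the same host, and an optional ADMIN_NET CIDR for SSH; these names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): an iptables script for the Firewall
# checklist above. Rules are printed for review by default; APPLY=1 (as root) loads them.
set -eu

IPT=${IPT:-iptables}
SSH_PORT=${SSH_PORT:-22}   # change this if you move sshd off the default port
ADMIN_NET=${ADMIN_NET:-}   # optional CIDR allowed to reach SSH, e.g. 203.0.113.0/24

r() { printf '%s\n' "$*"; }   # emit one rule per line

firewall_rules() {
    r -F; r -X                # flush existing rules and user chains
    r -P INPUT DROP; r -P FORWARD DROP; r -P OUTPUT ACCEPT   # default policy: deny all
    r -A INPUT -i lo -j ACCEPT
    r -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Spoofing: loopback source addresses arriving on a real interface
    r -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # Invalid packets and port-scan flag combinations (NULL, XMAS, SYN+FIN)
    r -A INPUT -m conntrack --ctstate INVALID -j DROP
    r -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    r -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    r -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # Mass packets: cap the rate of new TCP connections (SYN flood, web scanning)
    r -N SYN_FLOOD
    r -A INPUT -p tcp --syn -j SYN_FLOOD
    r -A SYN_FLOOD -m limit --limit 30/second --limit-burst 60 -j RETURN
    r -A SYN_FLOOD -j DROP
    # SSH brute force: from the 5th new connection per minute per source, log and drop
    src=${ADMIN_NET:+-s $ADMIN_NET}   # empty unless ADMIN_NET restricts SSH
    r -A INPUT $src -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh --set
    r -A INPUT $src -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh \
        --update --seconds 60 --hitcount 5 -j LOG --log-prefix SSH-BRUTE:
    r -A INPUT $src -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh \
        --update --seconds 60 --hitcount 5 -j DROP
    r -A INPUT $src -p tcp --dport "$SSH_PORT" -j ACCEPT
    # Necessary services: web, plus authoritative DNS on 53/udp only as the Name Server
    # list suggests (zone transfers and answers over 512 bytes would need 53/tcp)
    r -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    r -A INPUT -p udp --dport 53 -j ACCEPT
    # Log whatever falls through to the DROP policy, rate-limited so logs cannot be flooded
    r -A INPUT -m limit --limit 5/minute -j LOG --log-prefix IPT-DROP:
}

apply_firewall() {   # feed each printed rule to iptables (word splitting is intended)
    firewall_rules | while read -r rule; do $IPT $rule; done
}

if [ "${APPLY:-0}" = 1 ]; then apply_firewall; else firewall_rules; fi
```

Review the printed output first, then run it again with APPLY=1 as root; the rate limits are starting points and should be tuned to the traffic the server actually sees.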

Related

Securing & Hardening Linux Web Server (Part II – Practice)

root

June 27th

© 2017 SuRGeoNix | Security Blog