I'm a system administrator for Amazon Lightsail instances that run Linux. I want to know server security best practices that I can use to help protect my data.
Resolution
The following are basic Linux server security best practices. This isn't a complete list. As a local system administrator, there are many complex settings that you must configure based on your requirements and use case.
Encrypt data communication to and from your Linux server
Use SCP, SSH, rsync, or SFTP for file transfers. Don't use FTP and Telnet because they aren't secure. To maintain a secure (HTTPS) connection, install and configure an SSL/TLS certificate on your server.
Reduce software to minimize vulnerability in Linux, and regularly perform security audits
To avoid vulnerabilities from software or packages, don't install unnecessary software. If possible, identify and remove all unwanted packages.
Keep the Linux kernel and software up to date
Security patches are an important part of Linux server maintenance. Linux provides all the necessary tools to keep your system updated. You can easily upgrade between versions. Review and apply all security updates as soon as they're released, and make sure that you update to the latest available kernel. To apply all security updates, use the package managers that are based on your Linux distributions, such as yum, apt-get, or dpkg.
Use Linux security extensions
Linux comes with security features that you can use to guard against misconfigured or compromised programs. If possible, use SELinux and other Linux security extensions to enforce limitations on network and other programs.
Turn off the root login
Don't log in as the root user. When required, it's a best practice to use sudo to run root-level commands. Sudo enhances the security of the system and doesn't share the credentials with other users and administrators. For more information, see Disallowing root access on the Red Hat website.
Use ss or netstat to find listening network ports, and close or restrict all other ports
Use ss or netstat to find the ports that are listening on the system's network interfaces. Any open ports might be evidence of an intrusion. For more information, see Linux networking: socket stats via ss and Linux networking: 13 uses for netstat on the Red Hat website.
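One way to run this check, shown as an added example that is not part of the original article: the script reads `ss -H -tuln` output and prints every listener whose port is not on an allowlist, skipping loopback-only sockets. The `ALLOWED_PORTS` default, the function names, and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag listening sockets that are not on an allowlist.
# ALLOWED_PORTS is an assumption; set it to the ports this server should expose.
ALLOWED_PORTS="${ALLOWED_PORTS:-22 80 443}"

# Reads `ss -H -tuln` output on stdin and prints one line per unexpected
# listener in the form: <proto> <local-address> <port>
unexpected_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      laddr = $5                                  # Local Address:Port column
      port = laddr; sub(/.*:/, "", port)          # text after the last colon
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      # Loopback-only listeners are not reachable from the network.
      if (addr ~ /^127\./ || addr == "[::1]") next
      if (!(port in ok)) print $1, addr, port
    }'
}

# Constructed sample of `ss -H -tuln` output so the check can be tried offline.
sample_ss_output() {
  cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      5            0.0.0.0:4444      0.0.0.0:*
EOF
}

# Pass --live to inspect the running system; otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
  ss -H -tuln | unexpected_listeners
else
  sample_ss_output | unexpected_listeners
fi
```

Each line the script prints is a listener to identify with `ss -tulnp` and then either add to the allowlist, stop, or block at the firewall.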
Configure the Lightsail firewall and OS-level firewalls on Linux servers for additional security
Use the Lightsail firewall to filter traffic and allow only necessary traffic to your server. The operating system-level firewall is a user space application program that allows you to configure the firewalls that the Linux kernel provides. Depending on your Linux distribution, you can use iptables, ufw, firewalld, and so on. For more information on iptables and firewalld, see Setting and Controlling IP sets using iptables and Using firewalls on the Red Hat website. For more information on ufw, see Security - Firewall on the Ubuntu website.
Use auditd to audit your system
Use auditd to audit your system. Auditd writes audit records to the disk. It also monitors system activities, such as system logins, authentications, account modifications, and SELinux denials. These records help you identify malicious activity or unauthorized access. For more information, see Configure Linux system auditing with auditd on the Red Hat website.
Install an IDS
Use fail2ban or DenyHosts as an intrusion detection system (IDS). Fail2ban and DenyHosts scan the log files for too many failed login attempts, and block the IP address that shows signs of malicious activity.
Create backups regularly
For more information, see Snapshots in Amazon Lightsail.
Avoid granting read, write, and run permissions (777) on files and directories to users, groups, and others
You can use chmod to restrict access to files and directories, such as the web-root directory or document root. For more information, see Linux permissions: An introduction to chmod on the Red Hat website. To provide access to only authorized users, edit the permissions. For more information, see How to manage Linux permissions for users, groups, and others on the Red Hat website.
Related information
Security in Amazon Lightsail
Compliance validation for Amazon Lightsail
Infrastructure security in Lightsail
Best practices for securing Windows Server-based Lightsail instances