25 Hardening Security Tips for Linux Servers


8/13/2019 25 Hardening Security Tips for Linux Servers


Everybody says that Linux is secure by default, and that is agreed to some extent (it is a debatable topic). However, Linux has an in-built security model in place by default; you need to tune it up and customize it as per your needs, which may help to make the system more secure. Linux is harder to manage but offers more flexibility and configuration options.

Securing a production system from the hands of hackers and crackers is a challenging task for a System Administrator. This is our first article related to "How to Secure a Linux Box" or "Hardening a Linux Box". In this post we will explain 25 useful tips & tricks to secure your Linux system. Hope the below tips & tricks will help you to some extent to secure your system.

1. Physical System Security

Configure the BIOS to disable booting from CD/DVD, External Devices and Floppy Drive. Next, enable a BIOS password and also protect GRUB with a password, to restrict physical access to your system.

Read Also: Set GRUB Password to Protect Linux Servers (http://www.tecmint.com/password-protect-grub-in-linux/)

2. Disk Partitions

It is important to have different partitions to obtain higher data security in case any disaster happens. By creating different partitions, data can be separated and grouped. When an unexpected accident occurs, only the data of that partition will be damaged, while the data on the other partitions survives. Make sure you have the following separate partitions, and make sure that third-party applications are installed on a separate file system under /opt.

/
/boot
/usr
/var
/home
/tmp
/opt

3. Minimize Packages to Minimize Vulnerability

Do you really want all sorts of services installed? It is recommended to avoid installing useless packages, to avoid vulnerabilities in those packages. This may minimize the risk that the compromise of one service leads to the compromise of other services. Find and remove or disable unwanted services from the server to minimize vulnerability. Use the chkconfig command to find out which services are running on runlevel 3.

# /sbin/chkconfig --list | grep '3:on'


Once you have found out that any unwanted services are running, disable them using the following command.

# chkconfig serviceName off

Use the RPM package manager, such as the yum or apt-get tools, to list all installed packages on a system and remove them using the following command.

# yum -y remove package-name

# sudo apt-get remove package-name

4. Check Listening Network Ports

With the help of the netstat networking command you can view all open ports and the associated programs. As I said above, use the chkconfig command to disable all unwanted network services from the system.

# netstat -tulpn

5. Use Secure Shell (SSH)

The Telnet and rlogin protocols use plain text, not an encrypted format, which is a security breach. SSH is a secure protocol that uses encryption technology during communication with the server.

Never log in directly as root unless necessary. Use sudo to execute commands. sudo rules are specified in the /etc/sudoers file, which can also be edited with the visudo utility, which opens in the VI editor.

It is also recommended to change the default SSH port number 22 to some other, higher port number. Open the main SSH configuration file and set the following parameters to restrict which users can access the system.

# vi /etc/ssh/sshd_config

Disable root Login
PermitRootLogin no

Only allow Specific Users
AllowUsers username

Use SSH Protocol 2 Version
Protocol 2
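As an added example (not code from the original article), the following shell audit checks an sshd_config for the three settings above, using the first-match rule sshd itself applies; the two sample files are constructed here, and the script assumes a config without Match blocks.

```shell
# Added example, not from the original article: audit an sshd_config for the
# three settings above. sshd honours the FIRST uncommented value it meets for
# a keyword, so the check reads the first occurrence, as sshd does.

# first_value FILE KEYWORD -> prints the first uncommented value, or nothing
first_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    tolower($1) == tolower(key) { print $2; exit }   # keywords are case-insensitive
  ' "$1"
}

# audit_sshd_config FILE -> one line per finding; returns 1 if any, 0 if clean
audit_sshd_config() {
  f="$1"; findings=0

  v=$(first_value "$f" PermitRootLogin)
  # OpenSSH's compiled-in default is not "no", so an absent keyword is a finding
  if [ "$v" != "no" ]; then
    echo "PermitRootLogin is '${v:-<unset>}', expected 'no'"; findings=$((findings + 1))
  fi

  v=$(first_value "$f" Protocol)
  # "2,1" or "1" still permits the obsolete protocol 1 on old OpenSSH builds
  if [ "$v" != "2" ]; then
    echo "Protocol is '${v:-<unset>}', expected '2'"; findings=$((findings + 1))
  fi

  v=$(first_value "$f" AllowUsers)
  if [ -z "$v" ]; then
    echo "AllowUsers is not set: every account may log in over SSH"; findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# Constructed sample configs (not real server files) for a stand-alone run.
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
printf '%s\n' '# PermitRootLogin no' 'PermitRootLogin yes' 'Protocol 2,1' > "$WEAK"
# the trailing "yes" below is ignored by sshd because "no" came first
printf '%s\n' 'PermitRootLogin no' 'Protocol 2' 'AllowUsers alice bob' \
  'PermitRootLogin yes' > "$HARDENED"

audit_sshd_config "$WEAK" || echo "weak config: see findings above"
audit_sshd_config "$HARDENED" && echo "hardened config: OK"
```

Run it against a copy of the real file after each change, and remember that sshd must be reloaded before a new setting is applied.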

6. Keep System Updated


Always keep the system updated with the latest release patches, security fixes and kernel when they are available.

# yum update

# yum check-update

7. Lockdown Cronjobs

Cron has its own built-in feature, where it allows you to specify who may, and who may not, run jobs. This is controlled by the use of the files /etc/cron.allow and /etc/cron.deny. To lock a user out of cron, simply add the user name to cron.deny; to allow a user to run cron, add it to the cron.allow file. If you would like to disable all users from using cron, add the ALL line to the cron.deny file.

# echo ALL >>/etc/cron.deny

8. Disable USB stick to Detect

Many times it happens that we want to restrict users from using USB sticks in systems to protect and secure data from being stolen. Create a file /etc/modprobe.d/no-usb and add the line below; USB storage will then not be detected.

install usb-storage /bin/true

9. Turn on SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing a security mechanism from the system. Think twice carefully before removing it; if your system is attached to the internet and accessed by the public, then think some more about it.

SELinux provides three basic modes of operation, and they are:

Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.

Permissive: In this mode, SELinux will not enforce the security policy on the system; it will only warn and log actions. This mode is very useful in terms of troubleshooting SELinux-related issues.

Disabled: SELinux is turned off.

You can view the current status of the SELinux mode from the command line using the system-config-selinux, getenforce or sestatus commands.

# sestatus


If it is disabled, enable SELinux using the following command.

# setenforce enforcing

Note that setenforce only switches a running system between enforcing and permissive mode; a system booted with SELinux disabled has to be set to enforcing in the configuration file and rebooted. SELinux can also be managed from the /etc/selinux/config file, where you can enable or disable it.

10. Remove KDE/GNOME Desktops

There is no need to run X Window desktops like KDE or GNOME on your dedicated LAMP server. You can remove or disable them to increase the security and performance of the server. To disable them, simply open the file /etc/inittab and set the run level to 3. If you wish to remove them completely from the system, use the below command.

# yum groupremove "X Window System"

11. Turn Off IPv6

If you are not using the IPv6 protocol, then you should disable it, because most applications or policies do not require IPv6 and currently it is not required on the server. Go to the network configuration file and add the following lines to disable it.

# vi /etc/sysconfig/network

NETWORKING_IPV6=no
IPV6INIT=no

12. Restrict Users to Use Old Passwords

This is very useful if you want to disallow users from using the same old passwords. The old password file is located at /etc/security/opasswd. This can be achieved by using the PAM module.

Open the /etc/pam.d/system-auth file under RHEL / CentOS / Fedora.

# vi /etc/pam.d/system-auth

Open the /etc/pam.d/common-password file under Ubuntu / Debian / Linux Mint.

# vi /etc/pam.d/common-password

Add the following line to the auth section.

auth sufficient pam_unix.so likeauth nullok

Add the following line to the password section to disallow a user from re-using their last 5 passwords.

password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5


Only the last 5 passwords are remembered by the server. If you try to use any of the last 5 old passwords, you will get an error like:

Password has been already used. Choose another.

13. How to Check Password Expiration of User

In Linux, users' passwords are stored in the /etc/shadow file in encrypted format. To check the password expiration of users, you need to use the chage command. It displays the password expiration details along with the last password change date. These details are used by the system to decide when a user must change his/her password.

To view any existing user's aging information, such as expiry date and time, use the following command.

# chage -l username

To change the password aging of any user, use the following command.

# chage -M 60 username

# chage -M 60 -m 7 -W 7 userName

Parameters

-M  Set maximum number of days
-m  Set minimum number of days
-W  Set the number of days of warning

14. Lock and Unlock Account Manually

The lock and unlock features are very useful: instead of removing an account from the system, you can lock it for a week or a month. To lock a specific user, you can use the following command.

# passwd -l accountName

Note: The locked user is still available to the root user only. The locking is performed by prefixing the encrypted password with an (!) string. If someone tries to access the system using this account, he will get an error similar to the one below.

# su - accountName
This account is currently not available.

To unlock or enable access to a locked account, use the command below. This will remove the (!) string from the encrypted password.

# passwd -u accountName
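As an added example that is not part of the original article, the shell audit below ties tips 13 and 14 together: it reads /etc/shadow-format records and reports locked accounts, accounts with an empty password field, and accounts whose maximum password age is unset, above a policy value, or already past. The records and the policy values are constructed; the current day is passed in as days since the epoch, the unit the shadow file uses.

```shell
# Added example, not from the original article. /etc/shadow field layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved, with dates as
# days since the epoch (the unit chage works in).
#
# audit_shadow FILE [MAX_DAYS] [TODAY] -> prints findings; returns 1 if any
# finding other than an intentional lock is present.
audit_shadow() {
  file="$1"; max="${2:-90}"; today="${3:-$(( $(date +%s) / 86400 ))}"
  awk -F: -v max="$max" -v today="$today" '
    NF < 5   { next }                                 # malformed line
    $2 == "" { print "NOPASS  " $1 ": empty password field"; n++; next }
    # passwd -l prefixes the hash with "!" (RHEL uses "!!" for never set)
    $2 ~ /^!/ { print "LOCKED  " $1 ": hash prefixed with !"; next }
    $2 == "*" { next }                                # no-login system account
    $5 == "" || $5 + 0 > max + 0 {
      print "MAXAGE  " $1 ": max age " ($5 == "" ? "unset" : $5) " exceeds policy of " max
      n++; next
    }
    $3 != "" && $3 + $5 < today + 0 {
      print "EXPIRED " $1 ": password expired " (today - $3 - $5) " days ago"; n++
    }
    END { exit (n > 0) }
  ' "$file"
}

# Constructed sample records with fake hashes; 18200 is a day in late 2019.
SHADOW_SAMPLE=$(mktemp); trap 'rm -f "$SHADOW_SAMPLE"' EXIT
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$salt$fakehash:18000:0:99999:7:::
alice:$6$salt$fakehash:18120:7:90:14:::
bob:!$6$salt$fakehash:18100:0:90:7:::
carol::18100:0:90:7:::
sync:*:17000:0:99999:7:::
dave:$6$salt$fakehash:17900:0:60:7:::
EOF

audit_shadow "$SHADOW_SAMPLE" 90 18200 || echo "findings above need attention"
```

On a real system run it as root against /etc/shadow with the policy value you set through chage -M, and follow up each MAXAGE or EXPIRED line with chage -l for that user.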

15. Enforcing Stronger Passwords


A number of users use soft or weak passwords, and their password might be hacked with a dictionary-based or brute-force attack. The pam_cracklib module is available in the PAM (Pluggable Authentication Modules) module stack, and it will force users to set strong passwords. Open the following file with an editor.


# vi /etc/pam.d/system-auth

And add the line using the credit parameters (lcredit, ucredit, dcredit and/or ocredit, respectively lower-case, upper-case, digit and other):

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

16. Enable Iptables (Firewall)


19. Display SSH Banner Before Login

It is always a better idea to have a legal banner or security banner with some security warnings before SSH authentication. To set such banners, read the following article.

20. Monitor User Activities

If you are dealing with lots of users, then it is important to collect information on each user's activities and the processes consumed by them, and to analyse them at a later time or in case of any kind of performance or security issue. But how can we monitor and collect user activity information?

There are two useful tools called psacct and acct that are used for monitoring user activities and processes on a system. These tools run in the system background and continuously track each user's activity on the system and the resources consumed by services such as Apache, MySQL, SSH, FTP, etc. For more information about installation, configuration and usage, visit the below URL.

Monitor User Activity with psacct or acct Commands (http://www.tecmint.com/how-to-monitor-user-activity-with-psacct-or-acct-tools)

21. Review Logs Regularly

Move logs to a dedicated log server; this may prevent intruders from easily modifying local logs. Below are the common Linux default log file names and their usage:

/var/log/message: Where whole system logs or current activity logs are available.
/var/log/auth.log: Authentication logs.
/var/log/kern.log: Kernel logs.
/var/log/cron.log: Crond logs (cron job).
/var/log/maillog: Mail server logs.
/var/log/boot.log: System boot log.
/var/log/mysqld.log: MySQL database server log file.
/var/log/secure: Authentication log.
/var/log/utmp or /var/log/wtmp: Login records file.
/var/log/yum.log: Yum log files.
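As an added example (not part of the original article), the shell function below runs simple detection logic over auth.log / secure style lines: it counts failed SSH logins per source address and reports any accepted login as root, which tip 5 says should not happen. The log lines are constructed; a real run would point it at /var/log/auth.log or /var/log/secure.

```shell
# Added example, not from the original article: scan an auth.log / secure
# style file for two things worth reviewing: repeated failed SSH logins from
# one source (brute force) and any accepted login as root.
#
# ssh_auth_report FILE [THRESHOLD] -> prints findings; returns 1 if any
ssh_auth_report() {
  file="$1"; thr="${2:-5}"
  awk -v thr="$thr" '
    # source address: the token after "from" in an sshd line
    function src(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "?" }
    /sshd\[[0-9]+\]: Failed password for/ { fail[src()]++ }
    /sshd\[[0-9]+\]: Accepted [a-z]+ for root from/ {
      print "ROOT-LOGIN " src() " via " $7 " at " $1 " " $2 " " $3; n++
    }
    END {
      for (ip in fail) if (fail[ip] >= thr) {
        print "BRUTEFORCE " ip " " fail[ip] " failed logins (threshold " thr ")"; n++
      }
      exit (n > 0)
    }
  ' "$file"
}

# Constructed sample lines using documentation addresses (TEST-NET ranges).
AUTH_SAMPLE=$(mktemp); trap 'rm -f "$AUTH_SAMPLE"' EXIT
cat > "$AUTH_SAMPLE" <<'EOF'
Aug 13 10:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51122 ssh2
Aug 13 10:01:04 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Aug 13 10:01:09 web1 sshd[2215]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2: RSA SHA256:constructed
Aug 13 10:02:00 web1 sshd[2220]: Failed password for root from 203.0.113.5 port 51140 ssh2
Aug 13 10:02:10 web1 sshd[2230]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Aug 13 10:03:00 web1 sshd[2231]: Accepted password for root from 203.0.113.5 port 51150 ssh2
EOF

ssh_auth_report "$AUTH_SAMPLE" 3 || echo "review the findings above"
```

Schedule it from cron against the previous day's log and you have a minimal daily review of the two log files listed above for authentication.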

22. Important file Backup

In a production system, it is necessary to take backups of important files and keep them in a safety vault, at a remote site or offsite, for disaster recovery.


23. NIC Bonding

There are two types of mode in NIC bonding, which need to be mentioned in the bonding interface.

mode=0: Round Robin
mode=1: Active and Backup

NIC bonding helps us to avoid a single point of failure. In NIC bonding, we bond two or more Network Ethernet Cards together and make one single virtual interface, where we can assign an IP address to talk with other servers. Our network will remain available in case one NIC card is down or unavailable for any reason.

Read Also: Create NIC Channel Bonding in Linux (http://www.tecmint.com/create-nic-channel-bonding-in-redhat-centos-fedora/)

24. Keep /boot as read-only

The Linux kernel and its related files are in the /boot directory, which is read-write by default. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open the /etc/fstab file.

# vi /etc/fstab

Add the following line at the bottom, save and close it.

LABEL=/boot     /boot     ext2     defaults,ro     1 2

Please note that you need to reset the change to read-write if you need to upgrade the kernel in future.

25. Ignore ICMP or Broadcast Request

Add the following lines to the /etc/sysctl.conf file to ignore ping or broadcast requests.

Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1

Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Load the new settings or changes by running the following command.

# sysctl -p

If you have missed any important security or hardening tip in the above list, or you have any other tip that needs to be included in the list, please drop your comments in our comment box. TecMint is always interested in receiving comments and suggestions as well as discussion for improvement.
