8/13/2019 25 Hardening Security Tips for Linux Servers
25 Hardening Security Tips for Linux Servers
Everybody says that Linux is secure by default, and that is true to some extent (it is a debatable topic). Linux has a built-in security model in place by default, but you need to tune it and customize it to your needs to get a more secure system. Linux is harder to manage but offers more flexibility and configuration options.
Securing a production system from the hands of hackers and crackers is a challenging task for a System Administrator. This is our first article related to "How to Secure a Linux Box" or "Hardening a Linux Box". In this post we'll explain 25 useful tips and tricks to secure your Linux system. We hope the tips and tricks below will help you to some extent in securing your system.
1. Physical System Security
Configure the BIOS to disable booting from CD/DVD, external devices and the floppy drive. Next, enable a BIOS password and also protect GRUB with a password to restrict physical access to your system.

Set GRUB Password to Protect Linux Servers: http://www.tecmint.com/password-protect-grub-in-linux/
2. Disk Partitions
It's important to have different partitions to obtain higher data security in case a disaster happens. By creating different partitions, data can be separated and grouped. When an unexpected accident occurs, only the data on that partition is damaged, while the data on the other partitions survives. Make sure you have the following separate partitions, and make sure that third-party applications are installed on separate file systems under /opt.

/
/boot
/usr
/var
/home
/tmp
/opt
3. Minimize Packages to Minimize Vulnerability
Do you really want all sorts of services installed? It's recommended to avoid installing useless packages to avoid vulnerabilities in packages. This minimizes the risk that a compromise of one service leads to a compromise of other services. Find and remove or disable unwanted services on the server to minimize vulnerability. Use the chkconfig command to find out which services are running on runlevel 3.

# /sbin/chkconfig --list | grep '3:on'
Once you've found any unwanted service running, disable it using the following command.

# chkconfig serviceName off

Use the package manager (yum on RPM-based systems, apt-get on Debian-based systems) to list all installed packages on a system and remove the unwanted ones using the following commands.

# yum -y remove package-name
# sudo apt-get remove package-name
4. Check Listening Network Ports
With the help of the netstat networking command you can view all open ports and the associated programs. As said above, use the chkconfig command to disable all unwanted network services on the system.

# netstat -tulpn

5. Use Secure Shell (SSH)
The Telnet and rlogin protocols use plain text, not an encrypted format, which is a security breach. SSH is a secure protocol that uses encryption during communication with the server.

Never log in directly as root unless necessary. Use sudo to execute commands. sudo rules are specified in the /etc/sudoers file, which can also be edited with the visudo utility, which opens it in the vi editor.

It's also recommended to change the default SSH port 22 to some other, higher port number. Open the main SSH configuration file and set the following parameters to restrict user access.

# vi /etc/ssh/sshd_config

Disable root Login
PermitRootLogin no

Only allow Specific Users
AllowUsers username

Use SSH Protocol 2 Version
Protocol 2
6. Keep System Updated
Always keep the system updated with the latest release patches, security fixes and kernel when they are available.

# yum update
# yum check-update
7. Lockdown Cronjobs
Cron has its own built-in feature where it allows you to specify who may and who may not run jobs. This is controlled by the use of files called /etc/cron.allow and /etc/cron.deny. To lock a user out of cron, simply add the user name to cron.deny, and to allow a user to run cron, add it to the cron.allow file. If you would like to disable all users from using cron, add the ALL line to the cron.deny file.

# echo ALL >>/etc/cron.deny
8. Disable USB Stick Detection
Many times we want to restrict users from using USB sticks in systems to protect and secure data from being stolen. Create a file /etc/modprobe.d/no-usb and add the line below, so that USB storage will not be detected. Note that current versions of modprobe only read files in /etc/modprobe.d/ whose names end in .conf, so on such systems name the file no-usb.conf.

install usb-storage /bin/true
9. Turn on SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing a security mechanism from the system. Think twice before removing it, and if your system is attached to the internet and accessed by the public, think some more about it.

SELinux provides three basic modes of operation:

Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions. This mode is very useful for troubleshooting SELinux-related issues.
Disabled: SELinux is turned off.

You can view the current status of the SELinux mode from the command line using the system-config-selinux, getenforce or sestatus commands.

# sestatus
If it is disabled, enable SELinux using the following command.

# setenforce enforcing

It can also be managed from the /etc/selinux/config file, where you can enable or disable it. Keep in mind that setenforce only switches between enforcing and permissive at runtime; if SELinux was disabled at boot, set SELINUX=enforcing in /etc/selinux/config and reboot.
10. Remove KDE/GNOME Desktops
There is no need to run X Window desktops like KDE or GNOME on your dedicated LAMP server. You can remove or disable them to increase the security and performance of the server. To disable them, simply open the /etc/inittab file and set the run level to 3. If you wish to remove them completely from the system, use the command below.

# yum groupremove "X Window System"
11. Turn Off IPv6
If you're not using the IPv6 protocol, then you should disable it, because most applications or policies do not require IPv6 and it is currently not required on the server. Go to the network configuration file and add the following lines to disable it.

# vi /etc/sysconfig/network

NETWORKING_IPV6=no
IPV6INIT=no
12. Restrict Users from Using Old Passwords
This is very useful if you want to disallow users from using the same old passwords. The old password file is located at /etc/security/opasswd. This can be achieved by using a PAM module.

Open the /etc/pam.d/system-auth file under RHEL / CentOS / Fedora.

# vi /etc/pam.d/system-auth

Open the /etc/pam.d/common-password file under Ubuntu / Debian / Linux Mint.

# vi /etc/pam.d/common-password

Add the following line to the auth section.

auth sufficient pam_unix.so likeauth nullok

Add the following line to the password section to disallow a user from re-using any of his or her last 5 passwords.

password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5
Only the last 5 passwords are remembered by the server. If you try to use any of the last 5 old passwords, you will get an error like:

Password has been already used. Choose another.
13. How to Check Password Expiration of a User
In Linux, users' passwords are stored in the /etc/shadow file in encrypted format. To check the password expiration of users, you need to use the chage command. It displays password expiration details along with the last password change date. These details are used by the system to decide when a user must change his/her password.

To view any existing user's aging information, such as expiry date and time, use the following command.

# chage -l username

To change the password aging of any user, use the following commands.

# chage -M 60 username
# chage -M 60 -m 7 -W 7 userName

Parameters

-M Set maximum number of days
-m Set minimum number of days
-W Set the number of days of warning
14. Lock and Unlock Accounts Manually
The lock and unlock features are very useful: instead of removing an account from the system, you can lock it for a week or a month. To lock a specific user, you can use the following command.

# passwd -l accountName

Note: The locked user is still available to the root user only. The locking is performed by prefixing the encrypted password with a "!" string. If someone tries to access the system using this account, he will get an error similar to the one below.

# su - accountName
This account is currently not available.

To unlock or enable access to a locked account, use the command below. This will remove the "!" string from the encrypted password.

# passwd -u accountName
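As an added example (not part of the original article), the Python script below reads constructed /etc/shadow records and reproduces the two things sections 13 and 14 describe: the "!" prefix that passwd -l puts in front of the hash, and the expiry date that chage -l derives from the -M and -W values. The sample records, their placeholder hashes and the assumption that alice was set up with chage -M 60 -m 7 -W 7 are all constructed here.

```python
import datetime as dt

# Shadow record layout (man 5 shadow): name:hash:lastchg:min:max:warn:inactive:expire:flag
# Day fields count days since 1970-01-01; an empty field means "not set".
EPOCH = dt.date(1970, 1, 1)

def _days(field):
    return int(field) if field.strip() else None

def parse_shadow_line(line):
    """Split one /etc/shadow record into the fields chage -l reads."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("malformed shadow record: %r" % line)
    return {"name": f[0], "hash": f[1], "lastchg": _days(f[2]),
            "min": _days(f[3]), "max": _days(f[4]), "warn": _days(f[5])}

def is_locked(entry):
    # passwd -l puts "!" in front of the hash; "*" or "!!" means no usable password.
    return entry["hash"].startswith(("!", "*"))

def aging_state(entry, today):
    """Return (expiry date as ISO string or None, state) from the -M and -W values."""
    if entry["lastchg"] is None or entry["max"] is None or entry["max"] >= 99999:
        return None, "never"            # chage -l prints "never" for such accounts
    expires = EPOCH + dt.timedelta(days=entry["lastchg"] + entry["max"])
    warn_from = expires - dt.timedelta(days=entry["warn"] or 0)
    if today > expires:
        state = "expired"
    elif today >= warn_from:
        state = "warning"               # login warns for -W days before expiry
    else:
        state = "active"
    return expires.isoformat(), state

def report(shadow_text, today_iso):
    """Map each user to lock and aging state as of today_iso (YYYY-MM-DD)."""
    today = dt.date.fromisoformat(today_iso)
    out = {}
    for line in shadow_text.splitlines():
        e = parse_shadow_line(line)
        expires, state = aging_state(e, today)
        out[e["name"]] = {"locked": is_locked(e), "expires": expires, "state": state}
    return out

# Constructed sample (placeholder hashes, not real ones): alice was set with
# chage -M 60 -m 7 -W 7 on day 18000 (2019-04-14); bob was locked with passwd -l.
SAMPLE_SHADOW = ("alice:$6$placeholder:18000:7:60:7:::\n"
                 "bob:!$6$placeholder:18000:0:99999:7:::\n")
```

Run report(SAMPLE_SHADOW, "2019-08-13") to see alice reported as expired and bob as locked with no expiry.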
15. Enforcing Stronger Passwords
A number of users use soft or weak passwords, and their password might be cracked with dictionary-based or brute-force attacks. The pam_cracklib module is available in the PAM (Pluggable Authentication Modules) module stack and will force users to set strong passwords. Open the following file with an editor.

# vi /etc/pam.d/system-auth

And add a line using the credit parameters (lcredit, ucredit, dcredit and/or ocredit for lower-case, upper-case, digit and other characters respectively).

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
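As an added example (not from the original article or the PAM project), the Python code below models pam_cracklib's credit arithmetic for the module line above: a negative credit is a minimum count of that character class, while a non-negative credit lets up to that many characters of the class count toward minlen. It models only the length/credit check, not the module's dictionary, palindrome or similarity checks, and classifies characters by ASCII class.

```python
import re

# Defaults pam_cracklib applies when an option is absent from the module line.
DEFAULTS = {"minlen": 9, "lcredit": 1, "ucredit": 1, "dcredit": 1, "ocredit": 1}

def parse_cracklib_args(module_line):
    """Pull the key=value options out of a pam_cracklib.so module line."""
    opts = dict(DEFAULTS)
    for key, val in re.findall(r"(\w+)=(-?\d+)", module_line):
        if key in opts:
            opts[key] = int(val)
    return opts

def count_classes(password):
    """Count lower-case, upper-case, digit and other characters."""
    counts = {"lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.islower():
            counts["lcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.isdigit():
            counts["dcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts

def meets_policy(password, opts):
    """Credit arithmetic: a negative credit is the minimum count of that class;
    a non-negative credit lets up to that many characters of the class count
    toward minlen. Returns (ok, reason)."""
    counts = count_classes(password)
    required = opts["minlen"]
    for cls, have in counts.items():
        credit = opts[cls]
        if credit < 0:
            if have < -credit:
                return False, "%s: needs at least %d" % (cls, -credit)
        else:
            required -= min(have, credit)
    if len(password) < required:
        return False, "too short: %d characters, needs %d" % (len(password), required)
    return True, "ok"

# The module line from the article, used as parser input.
ARTICLE_LINE = ("/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 "
                "lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1")
ARTICLE_OPTS = parse_cracklib_args(ARTICLE_LINE)
```

With the article's line, meets_policy("Passw0rd!", ARTICLE_OPTS) is rejected because only one upper-case character is present, while "PAssw0rd!1" passes.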
16. Enable Iptables (Firewall)

19. Display SSH Banner Before Login
It's always a better idea to have a legal banner or security banner with some security warnings before SSH authentication. To set such banners, read the following article.
20. Monitor User Activities
If you are dealing with lots of users, then it's important to collect information on each user's activities and the processes consumed by them, and analyse it at a later time or in case of any kind of performance or security issue. But how can we monitor and collect user activity information?

There are two useful tools called psacct and acct that are used for monitoring user activities and processes on a system. These tools run in the system background and continuously track each user's activity on the system and the resources consumed by services such as Apache, MySQL, SSH, FTP, etc. For more information about installation, configuration and usage, visit the URL below.

Monitor User Activity with psacct or acct Commands: http://www.tecmint.com/how-to-monitor-user-activity-with-psacct-or-acct-tools
21. Review Logs Regularly
Move logs to a dedicated log server; this may prevent intruders from easily modifying local logs. Below are the common Linux default log file names and their usage:

/var/log/messages - Where whole system logs or current activity logs are available.
/var/log/auth.log - Authentication logs.
/var/log/kern.log - Kernel logs.
/var/log/cron.log - Crond logs (cron job).
/var/log/maillog - Mail server logs.
/var/log/boot.log - System boot log.
/var/log/mysqld.log - MySQL database server log file.
/var/log/secure - Authentication log.
/var/log/utmp or /var/log/wtmp - Login records file.
/var/log/yum.log - Yum log files.
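As an added example (not from the original article), the Python scanner below performs the kind of review this section recommends over sshd lines of the form found in /var/log/secure or /var/log/auth.log: it counts failed logins per source address, flags sources that reach a threshold, and reports any successful login from a flagged source. The log lines, host name and addresses are constructed for the example (documentation-range addresses, not a real capture).

```python
import re
from collections import defaultdict

# sshd entries as rsyslog writes them to /var/log/secure (RHEL) or /var/log/auth.log (Debian).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

def scan_auth_log(lines, threshold=5):
    """Count failed sshd logins per source, flag sources at or above threshold,
    and list successful logins that came from a flagged source."""
    failures = defaultdict(int)      # source address -> number of failures
    targets = defaultdict(set)       # source address -> user names tried
    successes = []                   # (source, user, auth method) for Accepted lines
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            targets[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            successes.append((src, user, method))
    flagged = {src: {"failures": n, "users": sorted(targets[src])}
               for src, n in failures.items() if n >= threshold}
    # A login from a source that was guessing passwords is the line to act on first.
    suspicious = [s for s in successes if s[0] in flagged]
    return {"flagged": flagged, "suspicious_logins": suspicious}

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
Aug 13 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Aug 13 10:01:05 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51001 ssh2
Aug 13 10:01:09 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Aug 13 10:01:14 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51003 ssh2
Aug 13 10:01:20 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51004 ssh2
Aug 13 10:02:41 web1 sshd[2115]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Aug 13 10:03:02 web1 sshd[2118]: Failed password for bob from 198.51.100.9 port 46000 ssh2
Aug 13 10:05:33 web1 sshd[2130]: Accepted password for root from 203.0.113.7 port 51010 ssh2
""".splitlines()

if __name__ == "__main__":
    print(scan_auth_log(SAMPLE_LOG))
```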
22. Important File Backup
In a production system, it is necessary to take backups of important files and keep them in a safety vault, remote site or offsite for disaster recovery.
23. NIC Bonding
There are two types of mode in NIC bonding that need to be mentioned in the bonding interface.

mode=0 - Round Robin
mode=1 - Active and Backup

NIC bonding helps us to avoid a single point of failure. In NIC bonding, we bond two or more network Ethernet cards together and make one single virtual interface where we can assign an IP address to talk with other servers. Our network will be available in case one NIC card is down or unavailable for any reason.

Read Also: Create NIC Channel Bonding in Linux (http://www.tecmint.com/create-nic-channel-bonding-in-redhat-centos-fedora/)
24. Keep /boot as Read-Only
The Linux kernel and its related files are in the /boot directory, which is by default mounted read-write. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open the /etc/fstab file.

# vi /etc/fstab

Add the following line at the bottom, then save and close it.

LABEL=/boot /boot ext2 defaults,ro 1 2

Please note that you need to reset the change to read-write if you need to upgrade the kernel in the future.
25. Ignore ICMP or Broadcast Requests
Add the following lines to the /etc/sysctl.conf file to ignore ping or broadcast requests.

Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1

Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Load the new settings or changes by running the following command.

# sysctl -p
If we've missed any important security or hardening tip in the above list, or you have any other tip that needs to be included in the list, please drop your comments in our comment box. TecMint is always interested in receiving comments and suggestions as well as discussion for improvement.