How to Secure a Linux Server
Here are some useful tips & tricks to secure your Linux system. Hopefully these tips & tricks will help you to secure your Linux server.
What is system hardening?
To improve the security level of a system, we take different types of measures. This could be the removal of an existing system service or uninstall some software components.
System hardening is the process of doing the ‘right’ things. The goal is to enhance the security level of the system. There are many aspects to securing a system properly. Yet, the basics are similar for most operating systems. So the system hardening process for Linux desktop and servers is that that special.
Core principles of system hardening
If we would put a microscope on system hardening, we could split the process into a few core principles. These include the principle of least privilege, segmentation, and reduction.
Principe of least privilege
The principle of least privileges means that you give users and processes the bare minimum of permission to do their job. It is similar to granting a visitor access to a building. You could give full access to the building, including all sensitive areas. The other option is to only allow your guest to access a single floor where they need to be. The choice is easy, right?
Examples:
- When read-only access is enough, don’t give write permissions
- Don’t allow executable code in memory areas that are flagged as data segments
- Don’t run applications as the root user, instead use a non-privileged user account
Segmentation
The next principle is that you split bigger areas into smaller ones. If we look at that building again, we have split it into multiple floors. Each floor can be further divided into different zones. Maybe you visitor is only allowed on floor 4, in the blue zone. If we translate this to Linux security, this principle would apply to memory usage. Each process can only access their own memory segments.
Reduction
This principle aims to remove something that is not strictly needed for the system to work. It looks like the principle of least privilege, yet focuses on preventing something in the first place. A process that does not have to run, should be stopped. Similar for unneeded user accounts or sensitive data that is no longer being used.
System hardening steps
Overview of hardening steps
- Install security updates and patches
- Use strong passwords
- Bind processes to localhost
- Implement a firewall
- Keep things clean
- Security configurations
- Limit access
- Monitor your systems
- Create backups (and test!)
- Perform system auditing
1. Physical System Security
Configure the BIOS to disable booting from CD/DVD, External Devices, Floppy Drive in BIOS. Next, enable BIOS password & also protect GRUB with password to restrict physical access of your system.
2. Disk Partitions
It’s important to have different partitions to obtain higher data security in case if any disaster happens. By creating different partitions, data can be separated and grouped. When an unexpected accident occurs, only data of that partition will be damaged, while the data on other partitions survived. Make sure you must have following separate partitions and sure that third party applications should be installed on separate file systems under /opt.
/
/boot
/usr
/var
/home
/tmp
/opt
3. Minimize Packages to Minimize Vulnerability
Do you really want all sort of services installed?. It’s recommended to avoid installing useless packages to avoid vulnerabilities in packages. This may minimize risk that compromise of one service may lead to compromise of other services. Find and remove or disable unwanted services from the server to minimize vulnerability. Use the ‘chkconfig‘ command to find out services which are running on runlevel 3.
# /sbin/chkconfig --list |grep '3:on'
Once you’ve find out any unwanted service are running, disable them using the following command.
# chkconfig serviceName off
Use the package manager such as “yum” or “apt-get” tools to list all installed packages on a system and remove them using the following command.
# yum -y remove package-name
# sudo apt-get remove package-name
4. Check Listening Network Ports
With the help of ‘netstat‘ networking command you can view all open ports and associated programs. As I said above use ‘chkconfig‘ command to disable all unwanted network services from the system.
# netstat -tulpn
5. Use Secure Shell(SSH)
Telnet and rlogin protocols uses plain text, not encrypted format which is the security breaches. SSH is a secure protocol that use encryption technology during communication with server.
Never login directly as root unless necessary. Use “sudo” to execute commands. sudo are specified in /etc/sudoers file also can be edited with the “visudo” utility which opens in VI editor.
It’s also recommended to change default SSH 22 port number with some other higher level port number. Open the main SSH configuration file and make some following parameters to restrict users to access.
# vi /etc/ssh/sshd_config
Disable root Login
PermitRootLogin no
Only allow Specific Users
AllowUsers username
Use SSH Protocol 2 Version Protocol 2
6. Keep System updated
Always keep system updated with latest releases patches, security fixes and kernel when it’s available.
# yum updates
# yum check-update
7. Lockdown Cronjobs
Cron has it’s own built in feature, where it allows to specify who may, and who may not want to run jobs. This is controlled by the use of files called /etc/cron.allow and /etc/cron.deny. To lock a user using cron, simply add user names in cron.deny and to allow a user to run cron add in cron.allow file. If you would like to disable all users from using cron, add the ‘ALL‘ line to cron.deny file.
# echo ALL >>/etc/cron.deny
8. Disable USB stick to Detect
Many times it happens that we want to restrict users from using USB stick in systems to protect and secure data from stealing. Create a file ‘/etc/modprobe.d/no-usb‘ and adding below line will not detect USB storage.
install usb-storage /bin/true
9. Turn on SELinux
Security-Enhanced Linux (SELinux) is a compulsory access control security mechanism provided in the kernel. Disabling SELinux means removing security mechanism from the system. Think twice carefully before removing, if your system is attached to internet and accessed by the public, then think some more on it.
SELinux provides three basic modes of operation and they are.
Enforcing: This is default mode which enable and enforce the SELinux security policy on the machine.
Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions. This mode is very useful in term of troubleshooting SELinux related issues.
Disabled: SELinux is turned off.
You can view current status of SELinux mode from the command line using ‘system-config-selinux‘, ‘getenforce‘ or ‘sestatus‘ commands.
# sestatus
If it is disabled, enable SELinux using the following command.
# setenforce enforcing
It also can be managed from ‘/etc/selinux/config‘ file, where you can enable or disable it.
10. Remove KDE/GNOME Desktops
There is no need to run X Window desktops like KDE or GNOME on your dedicated LAMP server. You can remove or disable them to increase security of server and performance. To disable simple open the file ‘/etc/inittab‘ and set run level to 3. If you wish to remove it completely from the system use the below command.
# yum groupremove "X Window System"
11. Turn Off IPv6
If you’re not using a IPv6 protocol, then you should disable it because most of the applications or policies not required IPv6 protocol and currently it doesn’t required on the server. Go to network configuration file and add followings lines to disable it.
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no
Monitoring your system
After you take steps to prevent intrusion, you need to set up a monitoring system to detect whether an attack against your server has taken place. If you're alerted to an attack, you're better prepared to handle it. Tripwire (see
Related topics) alerts you to unauthorized activity that takes place with system files on your server. Use Logwatch (see
Related topics) to create reports you can analyze.
Tripwire
Tripwire sets up a baseline of normal system binaries for your computer. It then reports any anomalies against this baseline through an email alert or through a log. Essentially, if the system binaries have changed, you'll know about it. If a legitimate installation causes such a change, no problem. But if the binaries are altered as a result of a Trojan horse-type installation, you have a starting point from which to research the attack and fix the problems.
- To install and configure Tripwire through the command line, type the following command and then press Enter:
1
|
sudo aptitude install tripwire
|
- Choose Yes to all of the questions during the installation.
You may be asked to create a passphrase. If you are, make note of it for future use.
- When you reach the screen shown in Figure 1, Tripwire has been installed. Click OK.
Tripwire installation complete
https://www.tecmint.com/linux-server-hardening-security-tips/
https://www.cyberciti.biz/tips/linux-security.html
https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.html
https://linux-audit.com/linux-server-hardening-most-important-steps-to-secure-systems/
https://www.linode.com/docs/security/securing-your-server/
https://www.ibm.com/developerworks/linux/tutorials/l-harden-server/index.html
https://www.linuxjournal.com/content/simple-server-hardening