Improve Linux security: 14 things to create a secure Linux server
Maybe most people think Linux is safe? But I want to tell you that this idea is absolutely wrong! Assuming your laptop is stolen without enhanced security, the thief will first try to use “root” (username) and “toor” (password) to log in to your computer, because this is the default user of KaliLinux Name and password, and most people will still continue to use them. Are you like that too? I hope you are not!
In this article, I will share with you some of the ways to make your Linux host more secure, which will include some penetration test skills. It should be noted that there are many different Linux distributions on the market at present, from the point of view of command-line tools, although these versions are different, but the principle and processing logic is the same. Next, let’s get started!
1 – Record the host information
Whenever you are working on a new Linux host for security enhancements, you need to create a document and document the items listed in this document, and after the work is done, you will need to check these items The In addition, at the beginning of the document, you need to record the information about the Linux host:
- Device name
- IP address
- Mac address
- The person in charge of the security enhancement work (actually you)
- date
- Asset number (if you are working for a business, then you need to record the asset number of the device)
2-BIOS protection
You need to set a password for this host’s BIOS to ensure that the end user can not modify or override the security settings in the BIOS, which is very important! After the BIOS administrator password is set, you need to disable the host from the external media device (USB / CD / DVD) to start. If you ignore this setting, anyone can access the data in this host via a U disk that has written a boot image.
In the new server’s motherboard built-in a Web server, you can use it to remotely access the host data. So you want to make sure you have modified the default password for the server management page, and if you can, disable this feature directly.
3 – Hard disk encryption
Most Linux distributions allow you to encrypt the disk before proceeding with the installation. Disk encryption is very important, because when your computer is stolen, even if the thief will your hard drive into their own computer is still unable to read your data.
In the following figure, select the third option in the list: Guided-use entire disk and set up encrypted LVM (LVM stands for Logical Volume Manager).
If your Linux distribution does not support encryption, you can choose to use encryption software like TrueCrypt.
4 Disk Protection
Data backup is a good habit, when the system crashes or system updates fail, the advantages of the backup is highlighted. For some important servers, in order to prevent the impact of disasters (including natural disasters and human factors), backup data usually need to be offline storage. Of course, the backup also requires us to spend energy to manage. For example, how long does the old backup file need to be saved? When do I need to back up the system? (Daily or weekly)?
The core system disk needs to be partitioned:
- /
- /boot
- /usr
- /home
- /tmp
- /var
- /opt
Disk partition can be in the case of system failure still protect the system performance and security. In the following figure, you can see the partition options provided by Kali Linux during the installation process.
5 – Lock the boot directory
The boot directory contains a large number of important files, which are related to the Linux kernel, so you need to make sure that the directory is open only “read-only” by following these steps. First, open the “fstab” file.
Next, add the last line of data shown in the following figure.
After this step is complete, you need to execute the following command to set the owner of the file:
|
1
|
#chown root:root /etc/fstab
|
Then you need to set some permissions to protect the startup settings:
– set the owner and group of /etc/grub.conf as root:
|
1
|
#chown root:root /etc/grub.conf
|
– set /etc/grub.conf file only root can read and write:
|
1
|
#chmod og-rwx /etc/grub.conf
|
– Single-user mode requires authentication:
|
1
2
|
#sed -i “/SINGLE/s/sushell/sulogin/”/etc/sysconfig/init
#sed -i “/PROMPT/s/yes/no/” /etc/sysconfig/init
|
6 – Disable USB storage devices
Depending on the importance of your system, sometimes you need to disable Linux hosts from using USB storage devices. There are many ways to disable USB storage devices, the following is to provide you with the most commonly used one:
Open the “blacklist.conf” file with your favorite text editor :
|
1
|
#nano /etc/modprobe.d/blacklist.conf
|
After opening the file, add the following information to the bottom of the file and save and exit:
|
1
|
blacklist usb_storage
|
Then open the rc.local file:
|
1
|
#nano /etc/rc.local
|
Add the following two lines of data:
|
1
2
|
modprobe –r usb_storage
exit 0
|
7 – System Update
After the first start, the first thing is to update the system, this step should be considered relatively simple. Normally, you can open the terminal and then execute the appropriate command. In Kali Linux, you can use the following command to update the system:
8 – Check installed packages
List all the installed packages in your Linux system, and then delete those you do not need. If you are working on a server, then you have to be very careful, because the server is usually only used to install the application and services. You can list the packages installed in Kali Linux by following the commands shown below:
Remember to disable those services that you do not need to reduce the attack surface of the server. If you find the following legacy services in your own Linux server, please delete them quickly:
- Telnet server
- RSH server
- NIS server
- TFTP server
- TALK server
9 – Check the open port
Identifying open connections to the Internet is a very important task. In Kali Linux, we can use the following command to find hidden open ports:
10 – enhance the security of SSH
Yes, SSH is really safe, but we still have to continue to enhance its security on an existing basis. First of all, if you can disable SSH, then the problem is solved. However, if you still need to use it, then you need to modify the default configuration of SSH. Switch to the directory / etc / ssh, and then open the “sshd_config” file.
– Change the default port number (22) to another number (for example, 99).
– Ensure that the root user can not log in remotely via SSH:
|
1
|
PermitRootLogin no
|
– allow certain special users:
|
1
|
AllowUsers [username]
|
If you need a richer configuration, make sure you read the SSH manual and understand all the configuration items in the file.
In addition, you also need to ensure that the following configuration options are configured in the “sshd_config” file:
- Protocol2
- IgnoreRhosts to yes
- HostbasedAuthentication no
- PermitEmptyPasswords no
- X11Forwarding no
- MaxAuthTries 5
- Ciphers aes128-ctr, aes192-ctr, aes256-ctr
- ClientAliveInterval 900
- ClientAliveCountMax 0
- UsePAM yes
Finally, set the file access permissions to ensure that only the root user can modify the contents of the file:
|
1
2
|
#chown root:root etc/ssh/sshd_config
#chmod 600 /etc/ssh/sshd_config
|
11 – enable SELinux
SELinux is a kernel security mechanism that supports access control security policies. SELinux has three configuration modes:
- Disabled: Turned-off
- Permissive: Prints warnings
- Enforcing: Policy is enforced
Open the configuration file:
|
1
|
#nano /etc/selinux/config
|
Make sure SELinux is on:
|
1
|
SELINUX=enforcing
|
12 – network parameters
Protecting Linux host network activity is also very important, never expect the firewall to help you complete all the tasks. Open the /etc/sysctl.conf file and make the following settings:
- – Set the net.ipv4.ip_forward parameter to 0.
- – Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0.
- – Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0.
- – Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1.
13 – Password policy
People usually use the same password in different places, which is a very bad habit. The old password is stored in the / etc / security / opasswd file, and we need to use the PAM module to manage the security policy in the Linux host. In the Debian release, you can open the /etc/pam.d/common-password file and add the following information to prevent users from reusing the four passwords that have been used recently:
|
1
2
|
auth sufficient pam_unix.so likeauthnullok
password sufficient pam_unix.so remember=4
|
Another password strategy is to force users to use a robust password. The PAM module provides a library (pam_cracklib) that can help your server against dictionary attacks and blasting attacks. Open the /etc/pam.d/system-auth file and add the following information:
|
1
|
/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8lcredit=–1 ucredit=–2 dcredit=–2 ocredit=–1
|
Linux is the password hash, so you want to ensure that the system is using the SHA512 hash algorithm.
Another interesting feature is “password output error after five times locked account.” Open the /etc/pam.d/password-auth file and add the following data:
|
1
2
3
4
5
6
|
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5unlock_time=604800
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5unlock_time=604800
auth sufficient pam_faillock.so authsucc audit deny=5unlock_time=604800
auth required pam_deny.so
|
Then open the /etc/pam.d/system-auth file and add the following information:
|
1
2
3
4
5
6
|
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=604800
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5unlock_time=604800
auth sufficient pam_faillock.so authsucc audit deny=5unlock_time=604800
auth required pam_deny.so
|
Password error after five times, only the administrator can unlock the account, unlock the command as follows:
|
1
|
# /usr/sbin/faillock –user <userlocked> –reset
|
Another good habit is to set the “password 90 days after the expiration.”
– Set the PASS_MAX_DAYS parameter in /etc/login.defs to 90.
– modify the current user’s password expiration time:
|
1
|
#chage –maxdays 90 <user>
|
Now, we have to restrict access to the su command. Open the /etc/pam.d/su file, and then set the pam_wheel.so parameter:
|
1
|
auth required pam_wheel.so use_uid
|
The last step is to prohibit non-root users to access the system account. This step can be done with the following bash script:
|
1
2
3
4
5
6
7
8
9
10
|
#!/bin/bash
for user in `awk –F: ‘($3 < 500) {print $1 }’/etc/passwd`; do
if [ $user != “root” ]
then
/usr/sbin/usermod –L $user
if [ $user != “sync” ] && [ $user !=“shutdown” ] && [ $user != “halt” ]
then /usr/sbin/usermod –s /sbin/nologin $user
fi
fi
done
|
14 – Permission and validation
There is no doubt that if you want to ensure the security of the Linux host, the permissions are certainly the most important thing.
Use the following command to set the appropriate permissions for / etc / anacrontab, / etc / crontab, and /etc/cron.*:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
#chown root:root /etc/anacrontab
#chmod og-rwx /etc/anacrontab
#chown root:root /etc/crontab
#chmod og-rwx /etc/crontab
#chown root:root /etc/cron.hourly
#chmod og-rwx /etc/cron.hourly
#chown root:root /etc/cron.daily
#chmod og-rwx /etc/cron.daily
#chown root:root /etc/cron.weekly
#chmod og-rwx /etc/cron.weekly
#chown root:root /etc/cron.monthly
#chmod og-rwx /etc/cron.monthly
#chown root:root /etc/cron.d
#chmod og-rwx /etc/cron.d
|
Assign appropriate permissions to / var / spool / cron:
|
1
2
|
#chown root:root <crontabfile>
#chmod og-rwx <crontabfile>
|
Assign the appropriate permissions to the “passwd”, “group”, “shadow”, and “gshadow” files:
|
1
2
3
4
5
6
7
8
|
#chmod 644 /etc/passwd
#chown root:root /etc/passwd
#chmod 644 /etc/group
#chown root:root /etc/group
#chmod 600 /etc/shadow
#chown root:root /etc/shadow
#chmod 600 /etc/gshadow
#chown root:root /etc/gshadow
|
