20 Linux Server Hardening Security Tips (en)
Securing your Linux server is crucial to protect data, intellectual property, and time from the hands of malicious crackers. System administrators are responsible for the security of Linux. This section will describe 20 tips to secure a standard Linux installation.
Data Communication Encryption
All data transmitted over a network is open to monitoring. Encrypt data transmissions whenever possible using passwords or keys/certificates.
- Use scp, ssh, rsync, or sftp for file transfers. You can also mount file systems from a remote server, or your home directory, using the sshfs and fuse tools.
- GnuPG allows you to encrypt and sign your data communications. GnuPG also has a good key management system and access to various public key directories.
- Fugu is a graphical interface for the command-line Secure File Transfer (SFTP) client. SFTP is similar to FTP but encrypts the whole session, making it much harder for third parties to eavesdrop. Another option is FileZilla, a cross-platform client that supports FTP, FTP over SSL/TLS (FTPS), and SSH File Transfer Protocol (SFTP).
- OpenVPN offers a cost-effective, lightweight solution for SSL VPN.
- Lighttpd SSL (Secure Sockets Layer) configuration and HTTPS installation
- Apache SSL (Secure Sockets Layer) configuration and HTTPS installation (mod_ssl)
Avoid Using FTP, Telnet, and Rlogin / Rsh
Under normal network conditions, the usernames, passwords, and file transfers of FTP, telnet, and rsh travel in clear text and can easily be captured by anyone on the same network with a sniffer. The solution is to use OpenSSH, SFTP, or FTPS (FTP over SSL), which add SSL or TLS encryption. On Red Hat derivatives, the following command removes NIS, rsh, and other outdated services:
# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server
Minimize Application Software to Minimize Vulnerabilities
Do we really need every installed service? Avoid installing unnecessary software so that its vulnerabilities never reach the system. Use the package manager (yum on RPM-based systems; apt-get or dpkg on Debian-based systems) to view all software installed on the system, and delete unwanted packages.
# yum list installed
# yum list packageName
# yum remove packageName
or
# dpkg --list
# dpkg --info packageName
# apt-get remove packageName
One Network Service Per System or VM Instance
Run different network services on separate servers or VM instances. This limits the number of services that can be compromised at once: if all services sit on one server or VM instance and an attacker successfully exploits a flaw in software such as Apache, they gain access to the entire server, including MySQL, the e-mail server, and more. See how to install virtualization software:
- Install and Setup Xen Virtualization Software on Linux CentOS 5
- How to Setup OpenVZ on RHEL / Linux CentOS
Keep Linux Kernel and Software Up to Date
Applying security patches is an essential part of keeping Linux servers secure. Linux provides all the tools needed to keep the system updated and makes version upgrades easy. All security updates should be reviewed and applied as soon as possible. Again, use yum, apt-get, or dpkg to apply all security updates.
# yum update
or
# apt-get update && apt-get upgrade
You can configure Red Hat / CentOS / Fedora Linux to send yum update package notifications via email. Another option is to schedule all security updates through a cron job. In Debian / Ubuntu Linux, you can use apticron to send security notifications.
Use Linux Security Extensions
Linux comes with various security extensions that guard against misconfigured or compromised programs. If possible, use SELinux or another Linux security extension to impose restrictions on network and other programs. SELinux, for example, provides a range of security policies for the Linux kernel.
SELinux
I highly recommend using SELinux, which provides flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) holds that user's permissions on objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that could damage or destroy it. See the official Red Hat documentation for configuring SELinux.
User Account and Strong Password Policy
Use the useradd/usermod commands to create and maintain user accounts. Ensure you have a strong and effective password policy. For example, a good password includes at least 8 characters and a mix of letters, numbers, special characters, upper and lower cases, and more. Most importantly, choose a password you can remember. Use tools like "john the ripper" (in Kali Linux use the command john) to identify weak user passwords on your server.
Install and configure libpam-cracklib to enforce password policies. Installation on Ubuntu can be done with the command,
apt-get install libpam-cracklib
Edit the configuration,
vi /etc/pam.d/common-password
Add, for example,
password required pam_cracklib.so retry=2 minlen=10 difok=6
Check for Weak Passwords
To check for weak passwords, we essentially crack them ourselves with a tool such as john (John the Ripper, included in Kali Linux). The procedure is:
Copy these two files from the server (scp works for this):
/etc/passwd
/etc/shadow
to a Kali Linux machine, then run:
unshadow passwd shadow > unshadowed.txt
john --wordlist=/usr/share/john/password.lst --rules unshadowed.txt
Password Age
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change their password. The /etc/login.defs file defines site-specific configuration for the shadow password suite including password aging configuration. To disable password aging features, enter:
chage -M 99999 userName
To set X days, enter
chage -M X userName
To get information on when a password will expire, enter:
chage -l userName
Finally, you can also edit /etc/shadow as follows:
{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
Where,
- Minimum_days: Minimum number of days required between password changes, i.e., the number of days left before the user is allowed to change their password.
- Maximum_days: Maximum number of days the password is valid (after this user will be forced to change the password).
- Warn: The number of days before the password is to expire that the user is warned that their password needs to be changed.
- Expire: Absolute date specifying when login is no longer possible.
It is advisable not to edit /etc/shadow directly; set the same values with chage instead:
# chage -M 60 -m 7 -W 7 userName
Recommended Reading:
- Linux: Force Users To Change Their Passwords Upon First Login
- Linux turn On / Off password expiration / aging
- Lock the user password
- Search for all accounts without a password and lock them
- Use Linux groups to enhance security
Force Password Change
To force a password change at first login
chage -d 0 <username>
Limit Old Password Usage
You can prevent/limit users from using or recycling old passwords on Linux. The pam_unix module parameters can be configured to remember old passwords that cannot be reused.
In Ubuntu edit,
vi /etc/pam.d/common-password
Add
password sufficient pam_unix.so use_authtok md5 shadow remember=13
or
password sufficient pam_unix2.so use_authtok md5 shadow remember=13
Lock User Accounts after several failed Login Attempts
On Linux, the faillog command displays failed-login records or sets the login failure limit. It formats the records kept in /var/log/faillog and can also be used to count and limit login failures. To view failed login attempts, type:
faillog
or see
/var/log/auth.log
To enable faillog in Ubuntu, edit
vi /etc/pam.d/common-auth
Insert at the top
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=300
To lock an account after failed login attempts, run:
faillog -r -u userName
You can use the passwd command to lock and unlock an account:
# lock account
passwd -l userName
# unlock account
passwd -u userName
Verify there are no accounts with empty passwords
To verify that there are no accounts with an empty password field, run:
# awk -F: '($2 == "") {print}' /etc/shadow
Next, lock any account that has an empty password:
# passwd -l accountName
Make sure no Non-Root Accounts have UID 0
Only the root account should have UID 0, which grants full access to the system. Run the following command to display all accounts with UID 0:
# awk -F: '($3 == "0") {print}' /etc/passwd
You should only see this line:
root:x:0:0:root:/root:/bin/bash
If you see any other lines, remove them or ensure that the account is indeed authorized to use UID 0.
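The three account checks above (password aging, empty password fields, extra UID 0 accounts) are easy to script together. The following is an added example, not code from the original article: it builds a constructed passwd/shadow pair in a temporary directory (the hashes are placeholders, and "toor" is a made-up second UID 0 account) and runs the checks over it; on a real host you would pass /etc/passwd and /etc/shadow, which requires root.

```shell
#!/bin/sh
# Added example (not from the original article): audit a passwd/shadow pair
# for password aging, empty password fields and non-root UID 0 accounts.
# The sample files are constructed; on a real host use /etc/passwd and
# /etc/shadow (readable only by root).

make_sample_files() {
  dir=$(mktemp -d)
  # Constructed passwd: "toor" is a fake second UID 0 account.
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:fake uid 0:/root:/bin/bash
EOF
  # Constructed shadow: name:hash:lastchg:min:max:warn:inactive:expire.
  # "bob" has an empty hash; "alice" is the only account with aging enforced.
  cat > "$dir/shadow" <<'EOF'
root:$6$constructed$notarealhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$constructed$notarealhash:19700:7:60:7:::
bob::19700:0:99999:7:::
toor:$6$constructed$notarealhash:19700:0:99999:7:::
EOF
  echo "$dir"
}

# Accounts whose password field is empty (login without a password).
empty_password_accounts() {   # $1 = shadow file
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts other than root that carry UID 0.
extra_uid0_accounts() {       # $1 = passwd file
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with a usable hash (not empty, not locked with * or !) whose
# Maximum_days field is empty or at least the limit, i.e. aging is not enforced.
no_password_aging() {         # $1 = shadow file, $2 = largest acceptable Maximum_days
  awk -F: -v limit="$2" \
    '$2 != "" && $2 !~ /^[*!]/ && ($5 == "" || $5 + 0 >= limit) { print $1 }' "$1"
}

# One tagged line per finding; the fixes are the page's own commands
# (passwd -l for empty passwords, chage -M for missing aging).
audit_accounts() {            # $1 = passwd file, $2 = shadow file, $3 = aging limit
  empty_password_accounts "$2" | sed 's/^/EMPTY-PASSWORD /'
  extra_uid0_accounts "$1"    | sed 's/^/UID0 /'
  no_password_aging "$2" "$3" | sed 's/^/NO-AGING /'
}

# Stand-alone run against the constructed sample.
sample=$(make_sample_files)
audit_accounts "$sample/passwd" "$sample/shadow" 90
rm -rf "$sample"
```

The aging check deliberately skips locked accounts (hash starting with `*` or `!`), since system accounts like daemon never log in with a password and would otherwise flood the report.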
Enable sudoers
Allow selected users to become superuser through sudo. To create a user, run:
adduser UserName
passwd UserName
Install sudo:
apt install sudo
Add UserName as a sudoer:
usermod -aG wheel UserName
Test it:
su - UserName
sudo ls -la /root
Alternatively, edit the /etc/sudoers file:
visudo
Ensure it contains:
root ALL=(ALL) ALL
UserName ALL=(ALL) ALL
Test it:
su - UserName
sudo ls -la /root
Disable root login
Never remotely log in as the root user. Instead, use sudo to execute root-level commands when necessary. This enhances system security without sharing the root password with other users and admins. The sudo command also provides simple auditing and tracking features.
Disable remote root login by editing:
vi /etc/ssh/sshd_config
Ensure it reads:
PermitRootLogin prohibit-password
StrictModes yes
Or more strictly:
PermitRootLogin no
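A detail that matters when editing sshd_config: sshd uses the first value it finds for each keyword, so a hardening line appended below a distribution default of PermitRootLogin yes is silently ignored. The helper below is an added example, not from the original article; it prints the value sshd will actually use for a keyword, skipping comments, blank lines and anything under a Match block, and the two configuration files it checks are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): sshd takes the FIRST value
# it meets for each keyword, so "PermitRootLogin no" appended after an earlier
# "PermitRootLogin yes" changes nothing. This prints the effective value.

sshd_effective_value() {   # $1 = sshd_config-style file, $2 = keyword
  awk -v key="$2" '
    BEGIN { key = tolower(key); done = 0; in_match = 0 }
    /^[ \t]*#/ { next }                     # comment line
    NF == 0 { next }                        # blank line
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      split(line, f, /[ \t=]+/)             # "Key value" or "Key=value"
      k = tolower(f[1])                     # keywords are case-insensitive
      if (k == "match") in_match = 1        # global section ends at first Match
      if (in_match || done) next
      if (k == key) { print f[2]; done = 1 }
    }
    END { if (!done) print "(default)" }
  ' "$1"
}

# Verdict for remote root login: only "no" or "prohibit-password" pass.
# sshd's built-in default is prohibit-password, so an unset keyword passes too.
root_login_ok() {          # $1 = sshd_config-style file
  case "$(sshd_effective_value "$1" PermitRootLogin)" in
    no|prohibit-password|"(default)") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed config: the hardening line was appended below the default.
make_weak_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# Distribution default left in place ...
PermitRootLogin yes
StrictModes yes
# ... and the hardening line appended later, where sshd ignores it:
PermitRootLogin no
EOF
  echo "$f"
}

# Constructed config: the hardening line comes first; the Match block only
# applies to one user and must not influence the global verdict.
make_hardened_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
permitrootlogin no
StrictModes yes
Match User deploy
    PasswordAuthentication no
EOF
  echo "$f"
}

# Stand-alone run over both constructed files.
for cfg in "$(make_weak_config)" "$(make_hardened_config)"; do
  printf '%s: PermitRootLogin=%s\n' "$cfg" "$(sshd_effective_value "$cfg" PermitRootLogin)"
  rm -f "$cfg"
done
```

Use `sshd -T` on the server itself to print the fully resolved configuration; the helper above is for auditing copies of sshd_config offline, for example in a configuration repository.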
Physical server security
You must protect physical access to your Linux server. Configure the BIOS, such as disabling boot from external devices like DVDs/CDs/USBs. You can also add a password to the grub boot loader to tighten access to your Linux server. Additionally, it is advisable to keep important data related to production locked in IDCs (Internet Data Centers), and everyone must pass some form of security check before accessing your server. See also:
- 9 Tips for Protecting Access to a Linux Server Physically.
Disable unnecessary services
To keep the server secure, we need to deactivate all unnecessary services and daemons (background services). We must remove all unnecessary services from the system start-up. Type the following command to see a list of all services that are automatically turned on at boot in runlevel #3:
chkconfig --list | grep '3:on'
To stop services and disable them at boot, enter:
service serviceName stop
chkconfig serviceName off
On Ubuntu (and other systemd-based distributions, unlike older Red Hat releases), to list the services enabled at boot use either of:
systemctl list-unit-files -t service | grep enabled
systemctl list-unit-files --type=service | grep enabled
To stop/disable them at boot, you can type:
systemctl disable serviceName
List Comparison of chkconfig vs. systemctl commands:
| SysVinit | systemd |
|---|---|
| service example start | systemctl start example |
| service example stop | systemctl stop example |
| service example restart | systemctl restart example |
| service example reload | systemctl reload example |
| service example condrestart | systemctl condrestart example |
| service example status | systemctl status example |
| chkconfig example on | systemctl enable example |
| chkconfig example off | systemctl disable example |
| chkconfig example --list | systemctl is-enabled example |
| chkconfig | systemctl list-unit-files --type=service |
| chkconfig example --add | systemctl daemon-reload |
Identifying active network ports
Use the following commands to view open ports and the programs associated with those ports:
netstat -tulpn
or
nmap -sT -O localhost
nmap -sT -O server.example.com
Use iptables to close unneeded ports, or turn off the unwanted network services with the systemctl commands above.
Detecting Port Scans
Install:
sudo apt-get install psad
Edit:
vi /etc/syslog.conf
kern.info |/var/lib/psad/psadfifo
Restart:
/etc/init.d/sysklogd restart
/etc/init.d/klogd restart
Edit:
vi /etc/psad/psad.conf
EMAIL_ADDRESSES vivek@nixcraft.in;
HOSTNAME server.nixcraft.in;
HOME_NET NOT_USED; ### only one interface on box
IGNORE_PORTS udp/53, udp/5000;
ENABLE_AUTO_IDS Y;
IPTABLES_BLOCK_METHOD Y;
Restart:
/etc/init.d/psad restart
Modify iptables:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
Report:
psad -S
Details on iptables can be found at https://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/
- Netstat for viewing attacks.
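What psad does with the LOG lines produced by the iptables rules above can be reduced to a few lines of awk: count, per source address, how many distinct destination ports were hit, and report sources that exceed a threshold. The block below is an added example, not psad's code and not from the original article; the kernel log lines it reads are constructed in the format the LOG target writes, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original article, not psad's code): detect
# port-scan-like behaviour in iptables LOG lines. Sample lines are constructed.

make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Oct 30 03:12:01 server kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=54321 DPT=21 SYN
Oct 30 03:12:01 server kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=54322 DPT=22 SYN
Oct 30 03:12:01 server kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=54323 DPT=23 SYN
Oct 30 03:12:02 server kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=54324 DPT=25 SYN
Oct 30 03:12:02 server kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=54325 DPT=80 SYN
Oct 30 03:12:02 server kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=54326 DPT=443 SYN
Oct 30 03:12:03 server kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=54327 DPT=8080 SYN
Oct 30 03:15:10 server kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=22 SYN
Oct 30 03:15:12 server kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40002 DPT=22 SYN
Oct 30 03:15:14 server kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40003 DPT=22 SYN
Oct 30 03:20:00 server kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.5 LEN=60 TTL=60 PROTO=UDP SPT=5000 DPT=53
Oct 30 03:20:01 server kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.5 LEN=60 TTL=60 PROTO=TCP SPT=5001 DPT=80 SYN
EOF
  echo "$f"
}

# Print "source distinct-port-count" for every source that touched at least
# $2 distinct destination ports, sorted by source address.
portscan_sources() {   # $1 = log file, $2 = threshold (distinct ports)
  awk -v threshold="$2" '
    /kernel:.*SRC=.*DPT=/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {           # pull SRC= and DPT= out of the line
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "" && !((src, dpt) in seen)) {
        seen[src, dpt] = 1                  # count each (source, port) pair once
        ports[src]++
      }
    }
    END {
      for (s in ports)
        if (ports[s] >= threshold) print s, ports[s]
    }
  ' "$1" | sort
}

# Stand-alone run: with a threshold of 5 only 203.0.113.7 is reported.
log=$(make_sample_log)
portscan_sources "$log" 5
rm -f "$log"
```

Note what the sample also contains: 203.0.113.9 hits port 22 three times, which is not a port scan but a repeated login attempt, and belongs to the faillog/account-lockout controls earlier on this page rather than to port-scan detection.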
Remove X Windows
X windows on a server is unnecessary. There is no reason to run X Windows on a dedicated mail and Apache web server. You can disable and remove X Windows to enhance server security and performance. Edit /etc/inittab and change the runlevel to 3. Finally, to remove the X Windows system, enter:
# yum groupremove "X Window System"
Configuring Iptables and TCPWrappers
Iptables is the userspace front end to the standard firewall (Netfilter) in the Linux kernel. Use it to filter traffic and allow only what is necessary. You can also use TCPWrappers, a host-based network ACL system, to filter network access to services. Iptables helps prevent many Denial of Service attacks:
- Lighttpd Traffic Shaping: Single IP Connection Valve (Rate Limit).
- How to: Block common attacks with Linux Iptables.
- psad: Linux Detection and Block Port Scanning Attacks in Real-Time.
Linux Kernel /etc/sysctl.conf Hardening
/etc/sysctl.conf is a file used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot. Examples of strengthening configurations in /etc/sysctl.conf:
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
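A hardening file is only useful if the kernel is actually running those values, which is not the case when the file was edited but `sysctl -p` was never run, or when a key does not exist on the running kernel. The script below is an added example, not from the original article: it reads a sysctl.conf-style file and compares each key with the corresponding file under /proc/sys. Its second argument points the demo at a constructed fake /proc/sys tree; on a real host omit it.

```shell
#!/bin/sh
# Added example (not from the original article): compare a sysctl.conf-style
# file with the values the kernel exposes under /proc/sys.

sysctl_drift() {   # $1 = sysctl.conf-style file, $2 = tree root (default /proc/sys)
  conf=$1; root=${2:-/proc/sys}
  # Drop comments and blank lines; normalise "key = value" to "key value".
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*=[[:space:]]*/ /' "$conf" |
  while read -r key want; do
    path="$root/$(printf '%s' "$key" | tr . /)"   # dots in the key become path parts
    if [ ! -r "$path" ]; then
      echo "MISSING $key (not present in $root)"
    elif [ "$(cat "$path")" != "$want" ]; then
      echo "DRIFT $key want=$want have=$(cat "$path")"
    else
      echo "OK $key"
    fi
  done
}

# Constructed inputs for the demo: the page's hardening lines, and a fake tree
# where rp_filter was never applied and kernel.exec-shield does not exist.
make_sample() {
  d=$(mktemp -d)
  cat > "$d/sysctl.conf" <<'EOF'
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians = 1
EOF
  mkdir -p "$d/sys/kernel" "$d/sys/net/ipv4/conf/all"
  echo 1 > "$d/sys/kernel/randomize_va_space"
  echo 0 > "$d/sys/net/ipv4/conf/all/rp_filter"
  echo 0 > "$d/sys/net/ipv4/conf/all/accept_source_route"
  echo 1 > "$d/sys/net/ipv4/icmp_echo_ignore_broadcasts"
  echo 1 > "$d/sys/net/ipv4/icmp_ignore_bogus_error_messages"
  echo 1 > "$d/sys/net/ipv4/conf/all/log_martians"
  echo "$d"
}

# Stand-alone run against the constructed tree.
sample=$(make_sample)
sysctl_drift "$sample/sysctl.conf" "$sample/sys"
rm -rf "$sample"
```

Two caveats the check will surface on current systems: kernel.exec-shield exists only on older Red Hat kernels and reports MISSING elsewhere, and kernel.randomize_va_space=2 (the default on modern kernels) is the stronger setting, since 1 leaves the heap start unrandomised.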
Separate Disk Partitions
Separate the operating system files from user files to enhance both performance and security. Ensure the following file systems are mounted on different partitions:
- /usr
- /home
- /var and /var/tmp
- /tmp
Create separate partitions for the root directories of Apache and FTP servers. Edit the /etc/fstab file and ensure you add the following configuration options:
- noexec - Prevents execution of all binaries on that partition (binaries cannot be executed but scripts are allowed).
- nodev - Does not allow character devices or other special devices on that partition (device files like zero, sda, etc., cannot be used).
- nosuid - Cannot set SUID/SGID access on this partition (prevents setuid bit).
Example contents of /etc/fstab to limit user access to /dev/sda5 (FTP server root directory):
/dev/sda5 /ftpdata ext3 defaults,nosuid,nodev,noexec 1 2
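To confirm that the mount points you care about really carry these options, the function below (an added example, not from the original article) reports which required options are missing for a mount point in an fstab-style file. The sample fstab is constructed; on a real host pass /etc/fstab, and remember that fstab describes the next boot, so `findmnt -o TARGET,OPTIONS` is the right tool for what is mounted now.

```shell
#!/bin/sh
# Added example (not from the original article): report required mount options
# missing from an fstab-style entry. The sample fstab is constructed.

fstab_missing_options() {   # $1 = fstab file, $2 = mount point, $3.. = required options
  fstab=$1; mnt=$2; shift 2
  # Fourth column of the non-comment line whose second column is the mount point.
  opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab")
  [ -n "$opts" ] || { echo "NOT-IN-FSTAB $mnt"; return 0; }
  for want in "$@"; do
    case ",$opts," in
      *",$want,"*) ;;                         # option present
      *) echo "MISSING $mnt $want" ;;
    esac
  done
}

make_sample_fstab() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# <device>   <mount>   <type>  <options>                        <dump> <pass>
/dev/sda1    /         ext4    defaults                         1 1
/dev/sda5    /ftpdata  ext3    defaults,nosuid,nodev,noexec     1 2
/dev/sda6    /tmp      ext4    defaults,nodev                   1 2
EOF
  echo "$f"
}

# Stand-alone run: /ftpdata is complete, /tmp lacks nosuid and noexec.
fstab=$(make_sample_fstab)
for mnt in /ftpdata /tmp /home; do
  fstab_missing_options "$fstab" "$mnt" nosuid nodev noexec
done
rm -f "$fstab"
```

One caveat before adding noexec to /tmp on a real server: some package installers and build tools unpack and execute helper scripts there and will fail until they are pointed at another directory.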
Disk Quotas
Ensure disk quotas are enabled for all users. To implement disk quotas, use the following steps:
- Enable quotas per file system by modifying the /etc/fstab file.
- Remount the file systems.
- Create a quota database file and generate disk usage tables.
- Set quota policies.
- See the disk quota implementation tutorial for further details.
Turn off IPv6
Internet Protocol version 6 (IPv6) provides a new layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and offers many benefits. Currently, there are tools available that can scan systems over the network for IPv6 security issues. Most Linux distros enable the IPv6 protocol by default. Crackers can send malicious data traffic through IPv6 that is not monitored by administrators. Unless network configurations demand it, here are ways to disable IPv6 or configure Linux IPv6 firewall:
- Turning off IPv6 in RedHat / CentOS.
- Turning off IPv6 in Debian / Ubuntu and Other Linux Distros.
- Linux IPv6 Howto - Chapter 19. Security.
- Configure the Linux firewall for IPv6 along with other scripts available click here.
Turn off Unwanted SUID and SGID Binaries
All enabled SUID/SGID bits can be misused when SUID/SGID executables have security flaws or bugs. All local or remote users will be able to use these files. It is advisable to search for all such files, which can be found using the following commands:
# See all set-user-ID files:
find / -perm -4000 -type f -print
# See all set-group-ID files:
find / -perm -2000 -type f -print
# Or combine both in a single command:
find / \( -perm -4000 -o -perm -2000 \) -type f -print
# The same search with GNU find's /mode syntax (the older +mode form is deprecated):
find / -xdev -type f -perm /6000 -ls
You need to analyze/investigate each reported file. See the reported file's man page for further details.
World-Writable Files
Everyone can modify world-writable files, which causes security issues. Use the following command to find all world-writable directories that do not have the sticky bit set (in such directories any user can delete or rename other users' files):
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
We need to analyze all the reported files and set the correct user and group permissions or even delete them entirely.
Ownerless Files
Files without an owner can cause security problems. Search for such files using the following command:
find /dir -xdev \( -nouser -o -nogroup \) -print
find / -xdev \( -nouser -o -nogroup \) -print
We need to analyze each reported file and assign the correct user & group or delete the file.
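The three find-based checks of the last three sections (set-id binaries, world-writable directories without the sticky bit, ownerless files) are wrapped below as functions and run against a constructed directory tree so the output is predictable. This is an added example, not from the original article; the tree is built under a temporary directory, and the ownerless-file case cannot be constructed without root, so the sample contains none.

```shell
#!/bin/sh
# Added example (not from the original article): the page's three find checks
# as functions, run over a constructed tree. "-xdev" stays on one filesystem;
# drop it, or run once per mount, to cover every filesystem on a real host.

# Regular files with the set-user-ID or set-group-ID bit.
setid_files() {               # $1 = directory to scan
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# World-writable directories without the sticky bit: any user can delete or
# rename other users' files there (compare /tmp, which is mode 1777).
world_writable_dirs_no_sticky() {   # $1 = directory to scan
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | sort
}

# Files and directories whose owner or group no longer exists in passwd/group.
ownerless_files() {           # $1 = directory to scan
  find "$1" -xdev \( -nouser -o -nogroup \) -print | sort
}

# Constructed tree: two set-id binaries, one plain binary, one unsafe shared
# directory and one safe (sticky) one.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/shared" "$root/tmp"
  printf '#!/bin/sh\n' > "$root/usr/bin/setuid-tool"; chmod 4755 "$root/usr/bin/setuid-tool"
  printf '#!/bin/sh\n' > "$root/usr/bin/setgid-tool"; chmod 2755 "$root/usr/bin/setgid-tool"
  printf '#!/bin/sh\n' > "$root/usr/bin/plain-tool";  chmod 0755 "$root/usr/bin/plain-tool"
  chmod 0777 "$root/shared"   # world-writable, no sticky bit: reported
  chmod 1777 "$root/tmp"      # world-writable with sticky bit: not reported
  echo "$root"
}

# Stand-alone run against the constructed tree.
tree=$(make_sample_tree)
echo "set-id files:";        setid_files "$tree"
echo "unsafe shared dirs:";  world_writable_dirs_no_sticky "$tree"
echo "ownerless:";           ownerless_files "$tree"
rm -rf "$tree"
```

On a real system, compare the set-id list against what the package manager installed (for example `rpm -qf` or `dpkg -S` on each path); a set-id binary that belongs to no package deserves a close look.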
Use Centralized Authentication Services
Without a centralized authentication system, user auth data becomes inconsistent, which may lead to numerous outdated data, credentials, and accounts not being deleted. A centralized authentication service allows us to maintain control over Linux/UNIX account data and authentication. We can keep auth data synchronized across multiple servers. Do not use NIS for centralized authentication. Use OpenLDAP for clients and servers.
Kerberos
Kerberos is a trusted third-party authentication service built on a cryptographic shared secret; it assumes packets traverse an insecure network where they can be read, modified, and inserted. Kerberos uses symmetric-key cryptography and requires a key distribution center (KDC). Remote logins, remote copies, inter-system file copies, and other high-risk jobs can be secured under Kerberos. When users authenticate to network services with Kerberos, an unauthorized party trying to capture passwords by monitoring network traffic is fundamentally thwarted. See how to set up and use Kerberos.
Logging and Auditing
We need to configure logging and auditing to record all hacking and cracking attempts. By default, syslog stores data in the /var/log/ directory. These logs are very useful for detecting misconfigured software that could expose our system to attacks. It's advisable to look at the following articles related to logging:
- Linux log file locations
- How to send logs to a remote loghost.
- How do I rotate log files?
- man pages syslogd, syslog.conf, and logrotate.
Monitoring Suspicious Message Logs using Logwatch / Logcheck
Read logs using logwatch or logcheck. Install with the command:
apt-get install logcheck
apt-get install logwatch
These tools make reading logs easier. We can obtain more detailed reports of suspicious activities in syslog via email. Run using the command:
sudo -u logcheck logcheck
An example of a syslog report is as follows:
################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Fri Oct 30 04:02:03 2009
Date Range Processed: yesterday
( 2009-Oct-29 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: www-52.nixcraft.net.in
##################################################################

--------------------- Named Begin ------------------------

**Unmatched Entries**
general: info: zone XXXXXX.com/IN: Transfer started.: 3 Time(s)
general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 3 Time(s)
general: info: zone XXXXXX.com/IN: Transfer started.: 4 Time(s)
general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 4 Time(s)

---------------------- Named End -------------------------

--------------------- iptables firewall Begin ------------------------

Logged 87 packets on interface eth0
From 58.y.xxx.ww - 1 packet to tcp(8080)
From 59.www.zzz.yyy - 1 packet to tcp(22)
From 60.32.nnn.yyy - 2 packets to tcp(45633)
From 222.xxx.ttt.zz - 5 packets to tcp(8000,8080,8800)

---------------------- iptables firewall End -------------------------

--------------------- SSHD Begin ------------------------

Users logging in through sshd:
root:
123.xxx.ttt.zzz: 6 times

---------------------- SSHD End -------------------------

--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on
/dev/sda3 450G 185G 241G 44% /
/dev/sda1 99M 35M 60M 37% /boot

---------------------- Disk Space End -------------------------

###################### Logwatch End #########################

(Note: output is truncated)
System Accounting using auditd
auditd is the daemon that performs system auditing and writes audit records to disk. At startup it reads its rules from /etc/audit.rules; edit that file to set the audit log file and other options. With auditd we can record and answer questions such as:
- System startup and shutdown events (reboot / halt).
- Date and time of the event.
- User responsible for the event (such as trying to access /path/to/topsecret.dat file).
- Type of event (edit, access, delete, write, update file & commands).
- Success or failure of the event.
- Records events that Modify date and time.
- Find out who made changes to modify the system's network settings.
- Record events that modify user/group information.
- See who made changes to a file, etc.
See our quick tutorial which explains enabling and using the auditd service.
Secure OpenSSH Server
The SSH protocol is recommended for remote login and file transfer. However, an exposed SSH server is a frequent target of attacks. Read about securing the OpenSSH server at:
- Top 20 OpenSSH Server Best Security Practices.
Installation and Use of Intrusion Detection Systems
A network intrusion detection system (NIDS) is an intrusion detection system that attempts to detect malicious activities such as denial of service attacks, port scans, or even efforts to crack into a computer by monitoring network traffic.
It is advisable to check software integrity before the system goes online and enters the production/operational environment. If possible, it is beneficial to install AIDE software before the system connects to any network. AIDE is a host-based intrusion detection system (HIDS) that monitors and analyzes the internals of the system.
Snort is a software for intrusion detection capable of performing packet logging and real-time traffic analysis on IP networks.
Protecting Files, Directories, and Email
Linux offers excellent protection against unauthorized data access: file permissions and MAC prevent unauthorized users from accessing data. However, those permissions are irrelevant if an attacker has physical access to the machine and can simply move its hard drive to another system to copy and analyze the sensitive data. You can protect files and partitions under Linux with the following tools:
- To encrypt and decrypt files with a password, use the gpg command.
- Linux or UNIX password protects files with OpenSSL and other tools.
- See how to encrypt directories with ecryptfs.
- TrueCrypt is a free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux.
- Howto: Disk and partition encryption in Linux for mobile devices.
- How to set up encrypted Swap on Linux.
Securing Email Server
You can use SSL certificates and gpg keys to secure email communications on both server and client computers:
- Linux Securing Dovecot IMAPS / POP3S Server with SSL Configuration
- Linux Postfix SMTP (Mail Server) SSL Certificate Installations and Configuration
- Courier IMAP SSL Server Certificate Installation and Configuration.
- Configure Sendmail SSL encryption for sending and receiving email.
- Enigmail: Encrypted mail with Mozilla Thunderbird.
Additional Recommendations
- Backups - It cannot be stressed enough how important it is to make a backup of your Linux system. A proper offsite backup allows you to recover from a cracked server, i.e., an intrusion. The traditional UNIX backup programs dump and restore are also recommended.
- How to: Looking for Rootkits.
- Howto: Enable ExecShield Buffer Overflows Protection.
- Subscribe to Red Hat or Debian Linux security mailing list or RSS feed.
Recommended Reading
1. [Red Hat Enterprise Linux - Security Guide](http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide/)
2. [Linux Security Cookbook](http://www.amazon.com/gp/product/0596003919?ie=UTF8&tag=cyberciti-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0596003919) - A great collection of security recipes for new Linux admins.
3. [Snort 2.1 Intrusion Detection, Second Edition](http://www.amazon.com/gp/product/1931836043?ie=UTF8&tag=cyberciti-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1931836043) - A good introduction to Snort and intrusion detection on Linux.
4. [Hardening Linux](http://www.amazon.com/gp/product/1590594444?ie=UTF8&tag=cyberciti-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1590594444) - Hardening Linux identifies many risks of running Linux hosts and their applications and provides practical examples and methods to minimize those risks.
5. [Linux Security HOWTO](http://tldp.org/HOWTO/html_single/Security-HOWTO/)
In the next part of this series, I will discuss how to secure specific applications (such as proxy, Mail, LAMP, Database) and some other security tools.
References
- [Cyberciti Linux Security Tips](http://www.cyberciti.biz/tips/linux-security.html)