SECURITY: 20 Linux Server Hardening Security Tips (en)

From OnnoWiki

Securing your Linux server is essential to protect data, intellectual property, and time from crackers. System administrators are responsible for Linux security. This section explains 20 tips for securing a standard Linux installation.

Encrypt Data Communication

All data transmitted over the network is open to monitoring. Encrypt as much transmitted data as possible, using passwords or keys/certificates.

  1. Use scp, ssh, rsync, or sftp for file transfers. You can also mount a remote server's file system or your home directory using sshfs and FUSE tools.
  2. GnuPG allows us to encrypt and sign our data communications. GnuPG also has a good key management system and access to various public key directories.
  3. Fugu is a graphical interface for the command-line Secure File Transfer Protocol (SFTP) client. SFTP is similar to FTP, but unlike FTP, all sessions are encrypted, making it much harder for third parties to eavesdrop.
  4. OpenVPN is a cost-effective, lightweight SSL VPN solution.
  5. Lighttpd SSL (Secure Sockets Layer) configuration and https installation.
  6. Apache SSL (Secure Sockets Layer) configuration and https installation (mod_ssl).

Do not use FTP, Telnet, and Rlogin / Rsh

Under normal network conditions, usernames, passwords, FTP/telnet/rsh commands, and transferred files can easily be captured by anyone on the same network using a sniffer. The solution is to use OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. On Red Hat derivatives, run the following command to remove NIS, rsh, and other outdated services:

# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server

Minimize Application Software to Minimize Vulnerabilities

Do you really need every service that is installed? Avoid installing unnecessary software, since every extra package can carry vulnerabilities. Use the package manager (yum on RPM-based systems, apt-get and/or dpkg on Debian-based systems) to list all software installed on the system, then remove unwanted packages.

# yum list installed
# yum list packageName
# yum remove packageName

or

# dpkg --list
# dpkg --info packageName
# apt-get remove packageName

One Network Service per System or per VM Instance

Run different network services on separate servers or VM instances. This limits the number of services that can be compromised at once. For example, if all services are installed on one server or VM instance and an attacker successfully exploits a flaw in software such as Apache, they gain access to the entire server, including services like MySQL, the e-mail server, and more. See how to install virtualization software:

  • Install and Setup Xen Virtualization Software on Linux CentOS 5
  • How to Setup OpenVZ on RHEL / Linux CentOS

Keep Linux Kernel and Software Up to Date

Applying security patches is an important part of maintaining a Linux server. Linux provides all the tools needed to keep your system updated, and also allows for easy upgrades between versions. All security updates should be reviewed and applied as soon as possible. Again, use the package manager (yum, or apt-get and/or dpkg) to apply all security updates.

# yum update

or

# apt-get update && apt-get upgrade

You can configure Red Hat / CentOS / Fedora Linux to send yum package update notifications by email. Another option is to apply all security updates automatically via a cron job. On Debian / Ubuntu Linux, you can use apticron to send security notifications.

Use Linux Security Extensions

Linux comes with various security extensions that can be used to protect against misconfigured or compromised programs. If possible, use SELinux and other Linux security extensions to enforce restrictions on the network and on other programs. For example, SELinux provides various security policies for the Linux kernel.

SELinux

I highly recommend using SELinux, which provides flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has that user's permissions on objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or defective applications that could damage or destroy it. See the official Red Hat documentation explaining SELinux configuration.

User Account and Strong Password Policies

Use the useradd/usermod commands to create and maintain user accounts. Make sure you have a good, strong password policy. For example, a good password is at least 8 characters long and mixes letters, numbers, special characters, upper case, and lower case. Most importantly, choose a password you can remember. Use tools like John the Ripper (the john command, included in Kali Linux) to find users with weak passwords on your server.

Install and configure libpam-cracklib to enforce password policies. On Ubuntu, install it with:

apt-get install libpam-cracklib

Edit the configuration file:

vi /etc/pam.d/common-password

Add a line such as:

password required pam_cracklib.so retry=2 minlen=10 difok=6

Check for Weak Passwords

To check for weak passwords, we essentially crack the password hashes ourselves with a tool like john on Kali Linux. The procedure is:

Copy these two files from the server (scp can be used):

/etc/passwd
/etc/shadow

to a Kali Linux computer, then run:

unshadow passwd shadow > unshadowed.txt
john --wordlist=/usr/share/john/password.lst --rules unshadowed.txt

Password Age

The chage command changes the number of days between password changes and the date of the last password change. The system uses this information to determine when a user must change their password. The file /etc/login.defs defines site-specific configuration for the shadow password suite, including password aging. To disable password aging, enter:

chage -M 99999 userName

To set a maximum password age of X days, enter:

chage -M X userName

To display a user's password expiry information, enter:

chage -l userName

Finally, you can also edit /etc/shadow as follows:

{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:

Where,

  1. Minimum_days: the minimum number of days required between password changes, i.e., how many days must pass before the user is allowed to change their password again.
  2. Maximum_days: the maximum number of days the password remains valid (after which the user is forced to change it).
  3. Warn: the number of days before the password expires on which the user is warned that it must be changed.
  4. Expire: the absolute date after which login is no longer possible.

It is advisable not to edit /etc/shadow directly; use chage instead, for example:

# chage -M 60 -m 7 -W 7 userName

Reading Recommendations:

  • Linux: Force Users To Change Their Passwords Upon First Login
  • Linux turn On / Off password expiration / aging
  • Lock the user password
  • Search for all accounts without a password and lock them
  • Use Linux groups to enhance security

Force Password Change

To force a password change at first login

chage -d 0 <username>

Restricting Use of Old Passwords

You can prevent users from reusing or recycling old passwords. The pam_unix module's remember parameter keeps a history of previous passwords that cannot be reused.

On Ubuntu, edit:

vi /etc/pam.d/common-password

Add:

password sufficient pam_unix.so use_authtok md5 shadow remember=13

or

password sufficient pam_unix2.so use_authtok md5 shadow remember=13

Lock User Accounts after several failed Login Attempts

On Linux, the faillog command displays login failure records or sets login failure limits. It formats the records held in the log file /var/log/faillog and can be used to count and limit login failures. To see failed login attempts, run:

faillog

or inspect:

/var/log/auth.log

To enable faillog on Ubuntu, edit:

vi /etc/pam.d/common-auth

Enter at the top:

auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=300

To unlock an account by resetting its failure counter after failed logins, run:

faillog -r -u userName

We can use the passwd command to lock and unlock an account:

# lock account
passwd -l userName
# unlock account
passwd -u userName

Verify there are no Accounts with Blank Passwords

To verify that there are no accounts with blank passwords, type the following command:

# awk -F: '($2 == "") {print}' /etc/shadow

Then lock any accounts that have blank passwords:

# passwd -l accountName

Ensure No Non-Root Accounts Have UID 0

Only the root account should have UID 0 with full access to the system. Use the following command to display all accounts with UID set to 0:

# awk -F: '($3 == "0") {print}' /etc/passwd

You should only see this line:

root:x:0:0:root:/root:/bin/bash

If you see any other lines, remove them or ensure those accounts are indeed allowed to use UID 0.
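The blank-password, UID 0 and password-age checks above can be run together as one audit. The script below is an added example, not part of the original article: it builds constructed copies of /etc/passwd and /etc/shadow in a temporary directory (the account names and placeholder hashes are made up) and applies the same awk field tests to them. On a live host, call the functions with the real /etc/passwd and /etc/shadow as root.

```shell
#!/bin/sh
# Added example: audit passwd/shadow for blank passwords, extra UID-0 accounts,
# locked accounts, and passwords that never expire. The sample files are
# constructed below; on a real host call the functions with /etc/passwd and
# /etc/shadow (reading /etc/shadow requires root).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"
SHADOW="$WORK/shadow"

# Constructed /etc/passwd: "toor" is a second UID-0 account that should not exist.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF

# Constructed /etc/shadow (hashes are placeholders, not real hashes).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:
cat > "$SHADOW" <<'EOF'
root:$6$PLACEHOLDER$HASH:19000:7:60:7:::
daemon:*:19000:0:99999:7:::
alice:$6$PLACEHOLDER$HASH:19000:0:99999:7:::
toor::19000:0:99999:7:::
bob:!$6$PLACEHOLDER$HASH:19000:7:60:7:::
EOF

# Accounts whose password field is empty: anyone can log in without a password.
blank_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Accounts with UID 0: only root should appear.
uid0_accounts() { awk -F: '$3 == "0" { print $1 }' "$1"; }

# Accounts locked with passwd -l (hash prefixed with "!").
locked_accounts() { awk -F: '$2 ~ /^!/ { print $1 }' "$1"; }

# Accounts with a real password (not empty, not "*" or "!...") whose maximum
# age is unset or 99999 days, i.e. password aging is effectively disabled.
never_expiring_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[*!]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

echo "Blank passwords:  $(blank_password_accounts "$SHADOW" | tr '\n' ' ')"
echo "UID 0 accounts:   $(uid0_accounts "$PASSWD" | tr '\n' ' ')"
echo "Locked accounts:  $(locked_accounts "$SHADOW" | tr '\n' ' ')"
echo "Never-expiring:   $(never_expiring_accounts "$SHADOW" | tr '\n' ' ')"
```

The never-expiring test deliberately skips entries whose hash starts with "*" or "!": system accounts and locked accounts have no usable password, so their aging fields are irrelevant and would only produce noise.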

Enable sudoers

Allow selected users to become superuser via sudo. Create the user:

adduser UserName
passwd UserName

Install sudo:

apt install sudo

Add UserName as a sudoer:

usermod -aG sudo UserName    # on Debian/Ubuntu the admin group is "sudo"; on Red Hat derivatives use "wheel"

Test:

su - UserName
sudo ls -la /root

Alternatively, edit the /etc/sudoers file:

visudo

Make sure it contains:

root ALL=(ALL) ALL
UserName ALL=(ALL) ALL

Test:

su - UserName
sudo ls -la /root

Disable Root Login

Never log in remotely as root. Use sudo to run root-level commands when necessary. This improves security because the root password does not have to be shared with other users and admins, and the sudo command also provides simple auditing and tracking.

Disable root remote login by editing:

vi /etc/ssh/sshd_config

Ensure it states:

PermitRootLogin prohibit-password
StrictModes yes

or more strictly:

PermitRootLogin no
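A point that bites when editing sshd_config by hand: sshd uses the first value it finds for each keyword, so appending "PermitRootLogin no" at the bottom does nothing if an earlier line already says "yes". The script below is an added example (not from the original article) that reports the value sshd will actually use; the sshd_config it reads is constructed sample data.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a directive.
# sshd_config is "first match wins": the first uncommented occurrence of a
# keyword is used and later lines are ignored, and anything after a "Match"
# line applies only to that Match block. The config below is constructed.

CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
# constructed sshd_config sample
Port 22
PermitRootLogin yes
StrictModes yes
PasswordAuthentication yes
# appended later as a "fix"; sshd ignores it because of the earlier line
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF

# sshd_effective KEY FILE: print the effective global value (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }   # comments, blank lines
        tolower($1) == "match"     { exit }   # global section ends here
        tolower($1) == key         { print $2; exit }
    ' "$2"
}

# check_directive KEY WANTED FILE: return 0 if the effective value is WANTED.
check_directive() {
    actual=$(sshd_effective "$1" "$3")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 = $actual"
        return 0
    fi
    echo "FAIL $1 = ${actual:-<unset>} (want $2)"
    return 1
}

check_directive PermitRootLogin      no  "$CONF" || :
check_directive StrictModes          yes "$CONF" || :
check_directive PermitEmptyPasswords no  "$CONF" || :
```

On a live host, "sshd -T" prints the configuration exactly as sshd parsed it and is the authoritative way to confirm the effective value after a change.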

Physical Server Security

You must protect physical access to your Linux server. Configure the BIOS to disable booting from external devices such as DVD/CD/USB. You can also set a password on the GRUB bootloader to tighten access to the Linux server. It is also advisable to keep important production systems locked in IDCs (Internet Data Centers), where everyone must pass some type of security check before accessing your server. See also:

  • 9 Tips for Protecting Access to a Linux Server Physically.

Disable Unnecessary Services

For server security, disable all unnecessary services and daemons (background services) and remove them from system startup. On SysVinit systems, type the following command to list all services that start automatically at boot in runlevel 3:

chkconfig --list | grep '3:on'

To stop services and disable them at boot, enter:

service serviceName stop
chkconfig serviceName off

On Ubuntu and other systemd-based systems, list the enabled services with either of these equivalent commands:

systemctl list-unit-files -t service | grep enabled
systemctl list-unit-files --type=service | grep enabled

To disable a service at boot, type:

systemctl disable serviceName

Comparison List of chkconfig vs. systemctl Commands

SysVinit                          systemd
service example start             systemctl start example
service example stop              systemctl stop example
service example restart           systemctl restart example
service example reload            systemctl reload example
service example condrestart       systemctl condrestart example
service example status            systemctl status example
chkconfig example on              systemctl enable example
chkconfig example off             systemctl disable example
chkconfig example --list          systemctl is-enabled example
chkconfig                         systemctl list-unit-files --type=service
chkconfig example --add           systemctl daemon-reload

Detect Active Network Ports

Use the following command to see open ports and programs associated with them:

netstat -tulpn

or

nmap -sT -O localhost
nmap -sT -O server.example.com

Use iptables to close these ports, or turn off the unwanted network services with the systemctl commands described above.

Detect Port Scans

Install:

sudo apt-get install psad

Edit:

vi /etc/syslog.conf
kern.info       |/var/lib/psad/psadfifo

Restart:

/etc/init.d/sysklogd restart
/etc/init.d/klogd restart

Edit:

vi /etc/psad/psad.conf
EMAIL_ADDRESSES             vivek@nixcraft.in;
HOSTNAME                    server.nixcraft.in;
HOME_NET                    NOT_USED;  ### only one interface on box
IGNORE_PORTS                udp/53, udp/5000;
ENABLE_AUTO_IDS             Y;
IPTABLES_BLOCK_METHOD       Y;

Restart:

/etc/init.d/psad restart

Add logging rules to iptables:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

Report:

psad -S

Details on iptables are at: https://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/


Remove X Windows

The X Window System is not necessary on a server; there is no reason to run it on a dedicated mail or Apache web server. You can disable and remove X to improve server security and performance. Edit /etc/inittab and change the default runlevel to 3. Finally, remove the X Window System packages:

# yum groupremove "X Window System"

Iptables and TCPWrappers Settings

Iptables is the standard firewall (a front end to the kernel's Netfilter) provided with Linux. Use the firewall to filter traffic and allow only what is necessary. You can also use TCPWrappers, a host-based network ACL system, to filter network access to services. Many denial-of-service attacks can be mitigated with the help of iptables:

  • Lighttpd Traffic Shaping: Single IP Connection Valve (Rate Limit).
  • How to: Block common attacks with Linux Iptables.
  • psad: Detect and Block Port Scan Attacks in Real-Time on Linux.

Linux Kernel /etc/sysctl.conf Hardening

/etc/sysctl.conf is a file used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot. Examples of hardening configurations in /etc/sysctl.conf:

# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
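Writing the settings into /etc/sysctl.conf is only half the job; the values the kernel is actually running can drift (a package drops a file into /etc/sysctl.d, someone runs sysctl -w, or a key simply does not exist on the running kernel). The script below is an added example, not part of the original article: it compares a wanted sysctl.conf-style file against a snapshot in the "key = value" form printed by sysctl -a. Both files here are constructed; on a real host use your /etc/sysctl.conf and the output of "sysctl -a". It also shows two caveats a practitioner should know: like sysctl itself, the last value for a duplicated key wins, and kernel.exec-shield only exists on old Red Hat kernels, so on a current kernel it is reported as missing.

```shell
#!/bin/sh
# Added example: compare the sysctl settings you intend to enforce with what
# the kernel is actually using. Both inputs below are constructed; on a real
# host use /etc/sysctl.conf (or /etc/sysctl.d/*.conf) as the wanted file and
# "sysctl -a > snapshot.txt" as the actual file.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WANT="$WORK/wanted.conf"
HAVE="$WORK/actual.txt"

# Constructed wanted settings in sysctl.conf syntax. Like sysctl itself, the
# audit lets the LAST value for a key win (see the duplicated ip_forward).
cat > "$WANT" <<'EOF'
# exec-shield only exists on old Red Hat kernels; a current kernel has no such key
kernel.exec-shield=1
kernel.randomize_va_space=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_forward=1
net.ipv4.ip_forward=0
EOF

# Constructed snapshot in the "key = value" form printed by sysctl -a.
cat > "$HAVE" <<'EOF'
kernel.randomize_va_space = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.ip_forward = 0
EOF

# sysctl_audit WANTED ACTUAL: print one line per missing or drifted key and
# exit with the number of findings (0 means everything matches).
sysctl_audit() {
    awk -F= '
        function kv(  k, v) {           # strip comments/blanks, trim key and value
            sub(/#.*/, "")
            if (NF < 2) return 0
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            key = k; val = v
            return 1
        }
        FNR == NR { if (kv()) want[key] = val; next }   # first file: wanted
        { if (kv()) have[key] = val }                    # second file: actual
        END {
            n = 0
            for (k in want) {
                if (!(k in have)) { printf "MISSING %s (want %s)\n", k, want[k]; n++ }
                else if (have[k] != want[k]) { printf "DRIFT %s: want %s, have %s\n", k, want[k], have[k]; n++ }
            }
            exit n
        }
    ' "$1" "$2"
}

sysctl_audit "$WANT" "$HAVE" || echo "$? setting(s) need attention"
```

The wanted file here sets kernel.randomize_va_space to 2 (full address-space randomisation, including the heap) rather than the 1 shown in the list above; 2 is the stricter setting and the default on current distributions.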

Separate Disk Partitions

Separate operating system files from user files for better and safer systems. Ensure the following file systems are mounted on different partitions:

  • /usr
  • /home
  • /var and /var/tmp
  • /tmp

Create separate partitions for the Apache and FTP server root directories. Edit /etc/fstab and make sure you add the following mount options:

  1. noexec - binaries on that partition cannot be executed (scripts run through an interpreter are still allowed).
  2. nodev - do not allow character or block special devices on that partition (device files such as zero or sda cannot be used).
  3. nosuid - SUID/SGID bits are not honoured on this partition (blocks setuid binaries).

Example content of /etc/fstab to limit user access to /dev/sda5 (ftp server root directory):

/dev/sda5  /ftpdata          ext3    defaults,nosuid,nodev,noexec 1 2
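To verify that the partitions listed above really are separate and carry the intended options, the function below checks an fstab for a given mount point. It is an added example, not from the original article; the /etc/fstab contents are constructed sample data (note /var/tmp is deliberately absent, so it lives on the root file system and is reported as not separate). On a real host pass /etc/fstab as the first argument.

```shell
#!/bin/sh
# Added example: check that a mount point has its own fstab entry and carries
# the required mount options. The fstab below is constructed sample data; on a
# real host pass /etc/fstab to fstab_check.

FSTAB=$(mktemp)
trap 'rm -f "$FSTAB"' EXIT
cat > "$FSTAB" <<'EOF'
# constructed /etc/fstab sample
UUID=0000-ROOT   /          ext4   defaults                      1 1
UUID=0000-HOME   /home      ext4   defaults,nodev,nosuid         1 2
UUID=0000-TMP    /tmp       ext4   defaults,nodev,nosuid,noexec  1 2
/dev/sda5        /ftpdata   ext3   defaults,nosuid,nodev,noexec  1 2
tmpfs            /dev/shm   tmpfs  defaults                      0 0
EOF

# fstab_check FSTAB MOUNTPOINT OPT[,OPT...]
# Prints OK, MISSING:<opts> or NOT-SEPARATE and exits non-zero on a problem.
fstab_check() {
    awk -v mp="$2" -v req="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }      # skip comments and short lines
        $2 == mp {
            found = 1
            n = split(req, want, ",")
            m = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                ok = 0
                for (j = 1; j <= m; j++) if (opt[j] == want[i]) ok = 1
                if (!ok) missing = missing (missing == "" ? "" : ",") want[i]
            }
        }
        END {
            if (!found)        { print "NOT-SEPARATE"; exit 1 }
            if (missing != "") { print "MISSING:" missing; exit 1 }
            print "OK"; exit 0
        }
    ' "$1"
}

for mp in /tmp /var/tmp /home /dev/shm /ftpdata; do
    printf '%-10s %s\n' "$mp" "$(fstab_check "$FSTAB" "$mp" nodev,nosuid,noexec)"
done
```

/dev/shm is included because it is world-writable and mounted with plain defaults on many installations; it deserves the same nodev,nosuid,noexec treatment as /tmp.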

Disk Quotas

Ensure Disk Quotas are enabled for all users. To implement disk quotas, use the following steps:

  1. Enable quotas per file system by modifying the /etc/fstab file.
  2. Perform a remount of the file systems.
  3. Create the quota files and generate disk usage tables.
  4. Set quota policies.
  5. See the disk quota implementation tutorial for more details.

Disable IPv6

Internet Protocol version 6 (IPv6) is the new version of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and offers numerous benefits. Currently, there are robust tools available that can inspect systems across networks for IPv6 security issues. Most Linux distributions enable IPv6 by default, and attackers can send malicious traffic over IPv6 that goes unmonitored by administrators. Unless your network configuration requires it, disable IPv6, or configure the Linux firewall to filter IPv6 traffic as well.

Disable Unwanted SUID and SGID Binaries

Any set SUID/SGID bit can be misused when the SUID/SGID executable has a security bug, because every local (or remote) user can run such files with the owner's privileges. It is advisable to search for all such files with the following commands:

# See all set-user-id files (-perm /mode matches any of the given bits;
# the older "-perm +mode" form is rejected by current GNU find):
find / -perm /4000
# See all set-group-id files
find / -perm /2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
find / -xdev -type f -perm /6000 -ls

You need to analyze/investigate each reported file; see the reported file's man page for further details.

World-Writable Files

Anyone can modify world-writable files, which causes security problems. The following command finds world-writable directories that lack the sticky bit (replace /dir with the tree to check); without the sticky bit, any user can delete or rename other users' files in such a directory:

find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

We need to analyze all reported files and set correct user and group permissions or even remove/delete them entirely.
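The SUID/SGID and world-writable searches above produce a long list on any real system, and the useful question is usually "what changed since last time?". The script below is an added example, not part of the original article: it builds a small constructed directory tree with setuid, setgid and world-writable entries, runs the corrected find expressions against it, and diffs the SUID/SGID list against a saved baseline so that a newly appeared privileged binary stands out. On a real host run the functions against / as root and keep the baseline on read-only media.

```shell
#!/bin/sh
# Added example: find SUID/SGID files and world-writable directories without
# the sticky bit, and diff the SUID/SGID list against a saved baseline so that
# newly appearing privileged binaries stand out. The directory tree and the
# baseline below are constructed for the demo; on a real host run the
# functions against / as root.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/usr/bin" "$ROOT/var/tmp" "$ROOT/srv/upload"

# Constructed binaries (shell stubs): passwd and wall are expected, helper is new.
for f in passwd wall helper; do printf '#!/bin/sh\n' > "$ROOT/usr/bin/$f"; done
chmod 4755 "$ROOT/usr/bin/passwd"    # set-user-id
chmod 2755 "$ROOT/usr/bin/wall"      # set-group-id
chmod 4755 "$ROOT/usr/bin/helper"    # set-user-id, not in the baseline
chmod 1777 "$ROOT/var/tmp"           # world-writable WITH sticky bit: fine
chmod 0777 "$ROOT/srv/upload"        # world-writable WITHOUT sticky bit: flagged

# Baseline recorded earlier (constructed); one path per line, sorted.
BASELINE="$ROOT/suid-baseline.txt"
printf '/usr/bin/passwd\n/usr/bin/wall\n' > "$BASELINE"

# list_suid_sgid ROOT: SUID or SGID regular files, paths relative to ROOT, sorted.
list_suid_sgid() {
    find "$1" -xdev -type f -perm /6000 -print | sed "s|^$1||" | LC_ALL=C sort
}

# list_ww_nosticky ROOT: world-writable directories lacking the sticky bit.
list_ww_nosticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | sed "s|^$1||" | LC_ALL=C sort
}

# suid_new_since BASELINE ROOT: SUID/SGID paths present now but not in the baseline.
suid_new_since() {
    list_suid_sgid "$2" | LC_ALL=C comm -13 "$1" -
}

echo "SUID/SGID files:";                    list_suid_sgid "$ROOT"
echo "World-writable dirs without sticky:"; list_ww_nosticky "$ROOT"
echo "New since baseline:";                 suid_new_since "$BASELINE" "$ROOT"
```

Both the baseline and the current list are sorted under LC_ALL=C so that comm sees the same collation regardless of the locale the cron job happens to run with; a mismatch there is a classic source of false "new binary" alerts.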

Ownerless Files

Files that lack ownership can pose security risks. Find such files using the following command:

find /dir -xdev \( -nouser -o -nogroup \) -print
find / -xdev \( -nouser -o -nogroup \) -print

We need to analyze each reported file and assign proper user & group or delete the file entirely.

Use Centralized Authentication Services

Without a centralized authentication system, user authentication data becomes inconsistent, leaving stale credentials and accounts that are out of date and never deleted. A centralized authentication service lets us keep control over Linux/UNIX account data and authentication, and keeps authentication data synchronized across multiple servers. Do not use NIS for centralized authentication; use OpenLDAP for client and server.

Kerberos

Kerberos performs authentication as a trusted third-party service using cryptographic shared secrets, under the assumption that packets travel over an insecure network where they can be read, modified, and inserted. Kerberos is built on symmetric-key cryptography and requires a central key distribution center (KDC). Remote logins, remote copies, inter-system file copies, and other high-risk tasks can be secured and controlled with Kerberos. Once a user authenticates to a network service using Kerberos, an eavesdropper monitoring network traffic cannot obtain the password. See how to set up and use Kerberos.

Logging and Auditing

We need to configure logging and auditing to record all hacking and cracking attempts. By default, syslog stores data in the /var/log/ directory. These logs are very useful for checking whether misconfigured software is exposing our system to attack. It is advisable to read the following articles on logging:

  1. Linux log file locations
  2. How to send logs to a remote loghost.
  3. How do I rotate log files?
  4. man pages syslogd, syslog.conf, and logrotate.

Monitor Suspicious Message Logs using Logwatch / Logcheck

Read logs using logwatch or logcheck. Install them with:

apt-get install logcheck
apt-get install logwatch

These tools make reading logs easier, and they can email detailed reports of suspicious activity found in syslog. Run logcheck with:

sudo -u logcheck logcheck
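Logwatch and logcheck summarise; sometimes you want the raw question answered directly from /var/log/auth.log (the file mentioned under the failed-login section above): which sources are hammering sshd, and did any of them eventually get in? The script below is an added example, not from the original article or either tool. The log lines it reads are constructed (RFC 5737 documentation addresses, invented PIDs); on a real host pass /var/log/auth.log (Debian) or /var/log/secure (Red Hat).

```shell
#!/bin/sh
# Added example: summarise sshd authentication failures per source address,
# and flag sources that eventually logged in after repeated failures (the
# pattern behind a "root: <ip>: 6 times" line in a Logwatch report). The log
# lines below are constructed; on a real host pass /var/log/auth.log (Debian)
# or /var/log/secure (Red Hat).

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Oct 30 04:01:01 www sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 30 04:01:03 www sshd[2210]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct 30 04:01:05 www sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct 30 04:01:07 www sshd[2214]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Oct 30 04:02:10 www sshd[2230]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Oct 30 04:02:30 www sshd[2231]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
Oct 30 04:03:00 www sshd[2240]: Accepted publickey for root from 203.0.113.7 port 51300 ssh2
EOF

# failed_by_source LOG THRESHOLD: "<ip> <failures>" for every source at or
# above the threshold, sorted by address.
failed_by_source() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' "$1" | LC_ALL=C sort
}

# success_after_failures LOG THRESHOLD: "<ip> <user>" for each successful
# login from a source that had already failed THRESHOLD or more times. A
# single typo before success (alice) is normal; many failures followed by a
# login (203.0.113.7, root) deserves an incident ticket.
success_after_failures() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            user = ""; ip = ""
            for (i = 1; i < NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (ip != "" && fails[ip] >= t) print ip, user
        }
    ' "$1"
}

echo "Sources with >= 3 failures:"; failed_by_source "$LOG" 3
echo "Logins after >= 3 failures:"; success_after_failures "$LOG" 3
```

Because the log is processed in order, only a success that comes after the failures is reported; the same approach extends to "Accepted publickey for root" lines, which should not appear at all once PermitRootLogin is set to no.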

An example Logwatch report:

 ################### Logwatch 7.3 (03/24/06) ####################
        Processing Initiated: Fri Oct 30 04:02:03 2009
        Date Range Processed: yesterday
                              ( 2009-Oct-29 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: www-52.nixcraft.net.in
  ##################################################################  

 --------------------- Named Begin ------------------------ 

 **Unmatched Entries**
    general: info: zone XXXXXX.com/IN: Transfer started.: 3 Time(s)
    general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 3 Time(s)
    general: info: zone XXXXXX.com/IN: Transfer started.: 4 Time(s)
    general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 4 Time(s) 

 ---------------------- Named End ------------------------- 

  --------------------- iptables firewall Begin ------------------------ 

 Logged 87 packets on interface eth0
   From 58.y.xxx.ww - 1 packet to tcp(8080)
   From 59.www.zzz.yyy - 1 packet to tcp(22)
   From 60.32.nnn.yyy - 2 packets to tcp(45633)
   From 222.xxx.ttt.zz - 5 packets to tcp(8000,8080,8800) 

 ---------------------- iptables firewall End -------------------------  

 --------------------- SSHD Begin ------------------------ 

 Users logging in through sshd:
    root:
       123.xxx.ttt.zzz: 6 times

 ---------------------- SSHD End ------------------------- 

 --------------------- Disk Space Begin ------------------------ 

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda3             450G  185G  241G  44% /
 /dev/sda1              99M   35M   60M  37% /boot 

 ---------------------- Disk Space End ------------------------- 

 ###################### Logwatch End #########################

(Note: output is truncated)


System Accounting using auditd

auditd is the daemon that performs system auditing: it is responsible for writing audit records to disk. At startup it reads the rules in /etc/audit.rules. We can edit /etc/audit.rules to set the audit log file and various other options. With auditd we can record and answer questions such as:

  1. System startup and shutdown events (reboot/halt).
  2. Date and time of the event.
  3. User responsible for the event (such as trying to access /path/to/topsecret.dat file).
  4. Type of event (edit, access, delete, write, update file & commands).
  5. Success or failure of the event.
  6. Records events that modify date and time.
  7. Find out who made changes to modify the system's network settings.
  8. Record events that modify user/group information.
  9. See who made changes to a file, etc.

See our quick tutorial which explains enabling and using the auditd service.

Secure OpenSSH Server

The SSH protocol is recommended for performing remote logins and file transfers. However, SSH is highly susceptible to attacks. Ways to secure an OpenSSH server can be read at:

  • Top 20 OpenSSH Server Best Security Practices.

Installation and Use of Intrusion Detection System

A network intrusion detection system (NIDS) is an intrusion detection system that attempts to detect malicious activities such as denial of service attacks, port scans, or even attempts to crack into computers by monitoring network traffic.

It is advisable to check software integrity before the system goes online and enters a production/operational environment. If possible, it is wise to install AIDE before the system connects to any network. AIDE is a host-based intrusion detection system (HIDS) that will monitor and analyze the internals of the system.

Snort is software for intrusion detection capable of performing packet logging and real-time traffic analysis on IP networks.

Protecting Files, Directories, and Email

Linux offers excellent protection against unauthorized data access. File permissions and MAC prevent unauthorized users from accessing data. However, those permissions are irrelevant if an attacker has physical access to the computer and can simply move its hard drive to another system to copy and analyze sensitive data. You can easily protect files and partitions under Linux with the following tools:

  • To encrypt and decrypt files with a password, use the gpg command.
  • Linux or UNIX password protect files with openssl and other tools.
  • See how to encrypt directories with ecryptfs.
  • TrueCrypt is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux.
  • Howto: Disk and partition encryption in Linux for mobile devices.
  • How to set up encrypted Swap on Linux.

Securing Email Server

You can use SSL certificates and gpg keys to secure email communications on both server and client computers.

Other Recommendations:

  • Backups - It cannot be stressed enough how important it is to back up your Linux system. A proper offsite backup lets you recover from a cracked server, i.e., an intrusion. The traditional UNIX backup programs dump and restore are also recommended.
  • How to: Looking for Rootkits.
  • Howto: Enable ExecShield Buffer Overflows Protection.
  • Subscribe to Redhat or Debian Linux security mailing list or RSS feed.

Recommended Reading

  1. [Red Hat Enterprise Linux Security Guide](http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide/)
  2. [Linux Security Cookbook](http://www.amazon.com/gp/product/0596003919?ie=UTF8&tag=cyberciti-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0596003919) - A great collection of security recipes for new Linux admins.
  3. [Snort 2.1 Intrusion Detection, Second Edition](http://www.amazon.com/gp/product/1931836043?ie=UTF8&tag=cyberciti-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1931836043) - A good introduction to Snort and intrusion detection on Linux.
  4. [Hardening Linux](http://www.amazon.com/gp/product/1590594444?ie=UTF8&tag=cyberciti-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1590594444) - Hardening Linux identifies many risks of running Linux hosts and applications and provides practical examples and methods to minimize those risks.

In the next part of this series, I will discuss how to secure specific applications (such as proxy, Mail, LAMP, Database) and some other security tools.
