25 Linux Server Security and Hardening Tips: How can Secure Linux Server | Iserver Admin
25Sep 2019


Everybody says that Linux is secure by default, and that is true to some extent (it is a debatable topic). Linux does have a built-in security model in place by default, but it needs to be tuned and customized to your needs to make the system more secure. A hardened Linux server is harder to manage but offers more flexibility and configuration options.

 


Securing a system in production against hackers and crackers can be a difficult task for a computer user.

This is our first article on "How to Secure a Linux Box" or "Hardening a Linux Box".
In this post, we'll walk through 25 helpful tips and tricks to secure your Linux server and system.
We hope the tips and tricks below help you secure your system to some extent.

 

1. Physical System Security

Configure the BIOS to disable booting from CD/DVD, external devices and the floppy drive. Next, set a BIOS password, protect GRUB with a password as well, and restrict physical access to your system.

 

2. Disk Partitions

The main reason partitioning is necessary is that it provides better protection in case of a disaster. By creating partitions, data is separated into different groups and sections, so that during a disaster only the data of that particular group is destroyed while the rest remains intact and unharmed. We also need to make sure that third-party applications are installed in a separate file system under /opt. Recommended separate file systems:

   /
   /boot
   /usr
   /var
   /home
   /tmp
   /opt

3. Minimize Packages to Minimize Vulnerability

It is recommended to avoid installing packages that are not needed, so that we avoid the vulnerabilities those packages would bring; this minimizes the risk they pose to other services. Using the 'chkconfig' command we can find the services that run at runlevel 3 and disable the unwanted ones to reduce exposure.

 

    # /sbin/chkconfig --list | grep '3:on'

Once you've found an unwanted service running, disable it using the following command.

    # chkconfig serviceName off

Use the package manager, such as the "yum" or "apt-get" tools, to list all installed packages on the system and remove the ones that are not needed.

    # yum -y remove package-name

    # sudo apt-get remove package-name

4. Check Listening Network Ports

Using the 'netstat' networking command we can view all open ports and the programs listening on them, and using 'chkconfig' we can disable the unwanted network services.

 

    # netstat -tulpn

5. Use Secure Shell(SSH)

Using plain-text, unencrypted protocols is a security risk. SSH is a secure protocol that uses encryption for communication with the server. Never log in directly as root unless necessary; use "sudo" to execute commands. sudo is configured in the /etc/sudoers file, which should be edited with the "visudo" utility (it opens the file in the vi editor and checks the syntax before saving).

 

It's also recommended to change the default SSH port number 22 to some other, non-standard port number. Open the main SSH configuration file and set the following parameters to restrict user access.

 

    # vi /etc/ssh/sshd_config

Disable root login:

    PermitRootLogin no

Only allow specific users:

    AllowUsers username

Use SSH protocol version 2:

    Protocol 2
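The three directives above can be audited against a config file. This added example (mine, not from the article) applies sshd's own first-match rule, under which a `PermitRootLogin no` appended below an earlier `PermitRootLogin yes` has no effect; the config it reads is a constructed sample.

```shell
# Report the effective value of the hardening directives from this tip.
# sshd honours the FIRST occurrence of a keyword, so a hardening line added
# at the end of the file does not override an earlier, weaker one; this
# audit applies the same rule. Reads the config on stdin.
sshd_audit() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # skip comments and blank lines
        {
            key = tolower($1)                              # keywords are case-insensitive
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")  # drop the keyword, keep the value
            sub(/[[:space:]]+$/, "")
            if (!(key in seen)) seen[key] = $0             # first match wins, as in sshd
        }
        END {
            report("permitrootlogin", "no")
            report("protocol", "2")
            if ("allowusers" in seen) print "allowusers: " seen["allowusers"] " (ok)"
            else print "allowusers: unset (WEAK: any account may log in over SSH)"
        }
        function report(k, want,   v, tag) {
            v = (k in seen) ? seen[k] : "unset"
            tag = (v == want) ? " (ok)" : " (WEAK: want " want ")"
            print k ": " v tag
        }
    '
}

# Constructed sample config: the hardening lines were appended below an
# earlier "PermitRootLogin yes", so root login is still permitted.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 22
PermitRootLogin yes
Protocol 2
PermitRootLogin no
AllowUsers alice bob'

audit_sample() { printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_audit; }

audit_sample
```

On a real host run `sshd_audit < /etc/ssh/sshd_config` as root.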
 

6. Keep System updated

Always keep the system updated with the latest release patches, security fixes and kernel when they are available.

    # yum update
    # yum check-update

7. Lockdown Cronjobs

Cron has its own built-in facility that specifies who may and who may not run jobs; this is controlled by the files /etc/cron.allow and /etc/cron.deny. We can block a user from using cron by simply adding the user name to cron.deny, and allow a user to use cron by adding the name to cron.allow. We can also deny all users from using cron by simply adding 'ALL' to the cron.deny file.

 

   # echo ALL >>/etc/cron.deny

8. Disable USB Stick Detection

If we want to restrict users from using USB sticks on the system, to protect data from being stolen, create the file '/etc/modprobe.d/no-usb' and add the line below; USB storage devices will then no longer be detected.

    install usb-storage /bin/true

9. Turn on SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided by the kernel; disabling SELinux leaves the system vulnerable. Think very carefully before removing SELinux, especially when the system is connected to the internet and can be accessed by the public. SELinux has 3 modes of operation.

1. Enforcing – This is the default mode; it enables and enforces the SELinux security policy on the machine.

2. Permissive – In this mode, SELinux does not enforce the security policy, but only warns about violations and logs the actions. This mode is very useful if you want to debug SELinux related issues.

3. Disabled – In this mode, SELinux is turned off.

We can view the present status of SELinux using the commands 'system-config-selinux', 'getenforce' or 'sestatus'.

    # sestatus

If it is disabled, enable SELinux using the following command.

    # setenforce enforcing

It can also be managed from the '/etc/selinux/config' file, where you can enable or disable it persistently; a change made there takes effect at the next boot.

 

10. Remove KDE/GNOME Desktops

There is no need to run X Window desktops like KDE or GNOME on a dedicated LAMP server. You can remove or disable them to increase the security and performance of the server. To disable them, simply open the file '/etc/inittab' and set the default runlevel to 3. If you wish to remove them completely from the system, use the command below.

 

   # yum groupremove "X Window System"

 

11. Turn Off IPv6

If you don't need the IPv6 protocol, it is wise to disable it, because most applications and policies don't require IPv6 and it is not needed on the server. Go to the network configuration file and add the following lines to disable it.

    # vi /etc/sysconfig/network

    NETWORKING_IPV6=no
    IPV6INIT=no

 

12. Restrict Users to Use Old Passwords

This is useful if you want to stop users from reusing the same password over and over. The old password file is located at /etc/security/password, and the restriction is achieved using a PAM module.

Open the '/etc/pam.d/system-auth' file under RHEL / CentOS / Fedora.

    # vi /etc/pam.d/system-auth


13. How to Check Password Expiration of User

In Linux, users' passwords are stored in the '/etc/shadow' file in encrypted (hashed) form. To check a user's password expiration, use the 'chage' command. It displays the password expiration details along with the date of the last password change. The system uses these details to decide when a user must change his/her password.

To view an existing user's aging information, such as the expiry date and time, use the following command.

    # chage -l username

Parameters

  1. -M Set the maximum number of days
  2. -m Set the minimum number of days
  3. -W Set the number of days of warning

14. Lock and Unlock Account Manually

The lock and unlock features are very useful: instead of removing an account from the system, you can lock it for a week or a month.

    # passwd -l accountName

The locked account remains accessible to the root user only.

    # su - accountName
    This account is currently not available.

Unlocking removes the (!) string that was placed in front of the encrypted password.

    # passwd -u accountName

15. Enforcing Stronger Passwords

A number of users use soft or weak passwords, and their passwords might be cracked by dictionary-based or brute-force attacks. The 'pam_cracklib' module, available in the PAM (Pluggable Authentication Modules) stack, forces users to set strong passwords.

    # vi /etc/pam.d/system-auth

    /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
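To show what the credit values on that line demand, here is an added example of mine (not the module's code): a checker that applies the same rule for the case where all four credits are negative, so that lcredit=-1, ucredit=-2, dcredit=-2 and ocredit=-1 mean at least 1 lowercase, 2 uppercase, 2 digit and 1 other character, and minlen=8 is then a plain minimum length; the sample passwords are constructed.

```shell
# Rule expressed by the pam_cracklib line above (negative credits only):
# minimum length 8, at least 1 lowercase, 2 uppercase, 2 digits, 1 other.
MINLEN=8; LCREDIT=1; UCREDIT=2; DCREDIT=2; OCREDIT=1

count_class() {       # $1 = password, $2 = tr(1) character class to keep
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Prints "ok" or the first rule the password fails; returns 1 on failure.
check_password() {
    pw=$1
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    lower=$(count_class "$pw" '[:lower:]')
    upper=$(count_class "$pw" '[:upper:]')
    digit=$(count_class "$pw" '[:digit:]')
    other=$((len - lower - upper - digit))    # anything else counts as "other"
    [ "$len"   -ge "$MINLEN"  ] || { echo "too short ($len < $MINLEN)"; return 1; }
    [ "$lower" -ge "$LCREDIT" ] || { echo "needs $LCREDIT lowercase"; return 1; }
    [ "$upper" -ge "$UCREDIT" ] || { echo "needs $UCREDIT uppercase"; return 1; }
    [ "$digit" -ge "$DCREDIT" ] || { echo "needs $DCREDIT digits"; return 1; }
    [ "$other" -ge "$OCREDIT" ] || { echo "needs $OCREDIT other"; return 1; }
    echo ok
}

# Constructed sample passwords, weakest first (none of these is a real credential).
for pw in 'secret' 'Passw0rd!' 'PASSW0RD!!' 'PAssword!!' 'PAssw0rd99' 'PAssw0rd!9'; do
    printf '%-12s %s\n' "$pw" "$(check_password "$pw")"
done
```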

16. Enable Iptables (Firewall)

It's highly recommended to enable the Linux firewall to protect your servers from unauthorized access. Apply rules to filter incoming, outgoing and forwarded packets. We can specify the source and destination address to allow or deny, on a specific udp/tcp port number.

17. Disable Ctrl+Alt+Delete in Inittab

In Linux distributions, pressing Ctrl+Alt+Delete reboots the system. It is not a good option to have this enabled, especially on a production server where one mistake can reboot the whole system. This is defined in the file '/etc/inittab'; by looking closely at the file we can see the line for it. The line is not commented out by default, so we have to comment it out, because this key signal will shut down the system.

 

18. Checking Accounts for Empty Passwords

Any account with an empty password is open to unauthorized access by anyone on the internet, and it is a security concern on a Linux server.
So, you want to check that all accounts have strong passwords and nobody has unapproved access.
Empty-password accounts are security risks that are easily exploited.
To check whether there are any accounts with empty passwords, use the following command.

    # cat /etc/shadow | awk -F: '($2==""){print $1}'
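The one-liner above reports only empty password fields. This added example (mine, not the article's) extends it to also pick out the accounts locked with `passwd -l` from tip 14 and the system accounts that cannot log in, and runs over a constructed sample rather than the real file.

```shell
# Classify /etc/shadow-style records by their password field (2nd field):
# an empty field means no password at all, a leading "!" is the mark that
# passwd -l leaves on a locked account, "*" is a system account that cannot
# log in with a password. Reads records on stdin, so a constructed sample
# can be used without root; for the real file run
# "audit_shadow < /etc/shadow" as root.
audit_shadow() {
    awk -F: '
        $2 == ""   { print "EMPTY   " $1; next }
        $2 ~ /^!/  { print "LOCKED  " $1; next }
        $2 == "*"  { print "NOLOGIN " $1; next }
                   { print "SET     " $1 }
    '
}

# Constructed sample, not a real shadow file; the hashes are placeholders.
SAMPLE_SHADOW='root:$6$placeholderhash:18500:0:99999:7:::
daemon:*:18500:0:99999:7:::
guest::18500:0:99999:7:::
alice:!$6$placeholderhash:18500:0:99999:7:::
bob:$6$placeholderhash:18500:0:99999:7:::'

# Account names in one class of the sample above (stand-alone use and test).
sample_accounts() {   # $1 = EMPTY | LOCKED | NOLOGIN | SET
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | awk -v want="$1" '$1 == want { print $2 }'
}

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```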

19. Display SSH Banner Before Login

It's always a good idea to have a legal banner or a security banner with some security warnings shown before SSH authentication.

 

20. Monitor User Activities

In the case of many users, it is important to collect information about each user's activity and analyze it later in case of any performance or security issues. But how can we collect and monitor user activities? We can do that with the help of two tools, namely "psacct" and "acct". These run in the background and track each user's activity and the resources consumed by services such as Apache, MySQL, SSH, FTP, etc.


21. Review Logs Regularly

/var/log/messages – Where whole system logs or current activity logs are available.
/var/log/auth.log – Authentication logs.
/var/log/kern.log – Kernel logs.
/var/log/cron.log – Crond logs (cron jobs).
/var/log/maillog – Mail server logs.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp – Login records files.
/var/log/yum.log – Yum log file.
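The authentication logs in the list above (/var/log/auth.log or /var/log/secure) are the first place to look for repeated login failures. This added example, not part of the article, counts failed sshd password attempts per source address over a few constructed log lines (documentation addresses), so repeated failures stand out; on a real host run `failed_logins_by_source < /var/log/auth.log`.

```shell
# Summarise failed sshd password attempts per source address from
# auth.log / secure style lines. Reads log lines on stdin.
failed_logins_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }   # address follows "from"
        }
        END { for (src in count) printf "%d %s\n", count[src], src }
    ' | sort -rn
}

# Sources with more than $1 failures, one per line (reads log lines on stdin).
sources_over() {
    failed_logins_by_source | awk -v limit="$1" '$1 > limit { print $2 }'
}

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_AUTH_LOG='Sep 25 10:01:12 web1 sshd[2120]: Failed password for root from 203.0.113.5 port 51412 ssh2
Sep 25 10:01:15 web1 sshd[2120]: Failed password for root from 203.0.113.5 port 51412 ssh2
Sep 25 10:01:20 web1 sshd[2131]: Failed password for invalid user admin from 203.0.113.5 port 51420 ssh2
Sep 25 10:02:03 web1 sshd[2140]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Sep 25 10:03:44 web1 sshd[2150]: Failed password for alice from 198.51.100.7 port 40030 ssh2'

sample_summary() { printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source; }
sample_flagged() { printf '%s\n' "$SAMPLE_AUTH_LOG" | sources_over 2; }

sample_summary
```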

 

22. Important file Backup

It is necessary to take backups of important files.

 

23. NIC Bonding

The two types of NIC bonding that need to be mentioned in the bonding interface are:

  1. mode=0 – Round Robin
  2. mode=1 – Active and Backup

To avoid a single point of failure we use NIC bonding: we bond two or more network Ethernet cards together into one single virtual interface, to which we assign the IP address used to talk with other servers. Our network remains available in case one NIC card is slow, down or unavailable for any reason.

 

24. Keep /boot as read-only

The Linux kernel and its related files are in the /boot directory, which is mounted read-write by default. Mounting it read-only protects these critical boot files from unwanted modification. To do this, open the "/etc/fstab" file and add the ro option to the /boot entry.

    # vi /etc/fstab

    LABEL=/boot     /boot     ext2     defaults,ro     1 2

Keep in mind that you need to change it back to read-write before upgrading the Linux kernel.

25. Ignore ICMP or Broadcast Request

Edit the "/etc/sysctl.conf" file to ignore ping or broadcast requests.

Ignore ICMP request:

    net.ipv4.icmp_echo_ignore_all = 1

Ignore broadcast request:

    net.ipv4.icmp_echo_ignore_broadcasts = 1

Load the new settings by running the following command.

    # sysctl -p

If we have missed any other important Linux security or hardening tip in the above list, or you have another tip that should be included, please drop your comments in our comment box. Iserveradmin.com is always interested in comments, suggestions and discussion for improvement.

 
