{"id":13229,"date":"2019-04-01T08:42:12","date_gmt":"2019-04-01T08:42:12","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13229"},"modified":"2019-04-01T08:42:12","modified_gmt":"2019-04-01T08:42:12","slug":"25-hardening-security-tips-for-linux-servers","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/01\/25-hardening-security-tips-for-linux-servers\/","title":{"rendered":"25 Hardening Security Tips for Linux Servers"},"content":{"rendered":"

Everybody says that\u00a0Linux<\/strong>\u00a0is secure by default and agreed to some extend (It\u2019s debatable topics). However, Linux has in-built security model in place by default. Need to tune it up and customize as per your need which may help to make more secure system. Linux is harder to manage but offers more flexibility and configuration options.<\/p>\n

\n

\"Linux<\/a><\/p>\n

25 Linux Security and Hardening Tips<\/p>\n<\/div>\n

Securing a system in a production from the hands of\u00a0hackers<\/strong>\u00a0and\u00a0crackers<\/strong>\u00a0is a challenging task for a\u00a0System Administrator<\/strong>. This is our first article related to \u201cHow to Secure Linux box<\/strong>\u201d or \u201cHardening a Linux Box<\/strong>\u201c. In this post We\u2019ll explain\u00a025 useful tips & tricks<\/strong>\u00a0to secure your Linux system. Hope, below tips & tricks will help you some extend to secure your system.<\/p>\n

1. Physical System Security<\/h3>\n

Configure the\u00a0BIOS<\/strong>\u00a0to disable booting from\u00a0CD\/DVD<\/strong>,\u00a0External Devices<\/strong>,\u00a0Floppy Drive<\/strong>\u00a0in\u00a0BIOS<\/strong>. Next, enable\u00a0BIOS<\/strong>password & also protect\u00a0GRUB<\/strong>\u00a0with password to restrict physical access of your system.<\/p>\n

    \n
  1. Set GRUB Password to Protect Linux Servers<\/a><\/li>\n<\/ol>\n

    2. Disk Partitions<\/h3>\n

    It\u2019s important to have different partitions to obtain higher data security in case if any disaster happens. By creating different partitions, data can be separated and grouped. When an unexpected accident occurs, only data of that partition will be damaged, while the data on other partitions survived. Make sure you must have following separate partitions and sure that third party applications should be installed on separate file systems under\u00a0\/opt<\/strong>.<\/p>\n

    \/\r\n\/boot\r\n\/usr\r\n\/var\r\n\/home\r\n\/tmp\r\n\/opt<\/pre>\n
    3. Minimize Packages to Minimize Vulnerability<\/h3>\n
    Do you really want all sort of services installed?. It\u2019s recommended to avoid installing useless packages to avoid vulnerabilities in packages. This may minimize risk that compromise of one service may lead to compromise of other services. Find and remove or disable unwanted services from the server to minimize vulnerability. Use the \u2018chkconfig<\/strong>\u2018 command to find out services which are running on\u00a0runlevel 3<\/strong>.<\/p>\n
    # \/sbin\/chkconfig --list |grep '3:on'<\/pre>\n
    Once you\u2019ve find out any unwanted service are running, disable them using the following command.<\/p>\n
    # chkconfig serviceName off<\/pre>\n
    Use the\u00a0RPM<\/strong>\u00a0package manager such as \u201cyum<\/strong>\u201d or \u201capt-get<\/strong>\u201d tools to list all installed packages on a system and remove them using the following command.<\/p>\n
    # yum -y remove package-name<\/pre>\n
    # sudo apt-get remove package-name<\/pre>\n
      \n
    1. 5 chkconfig Command Examples<\/a><\/li>\n
    2. 20 Practical Examples of RPM Commands<\/a><\/li>\n
    3. 20 Linux YUM Commands for Linux Package Management<\/a><\/li>\n
    4. 25 APT-GET and APT-CACHE Commands to Manage Package Management<\/a><\/li>\n<\/ol>\n
      4. Check Listening Network Ports<\/h3>\n
      With the help of \u2018netstat<\/strong>\u2018 networking command you can view all open ports and associated programs. As I said above use \u2018chkconfig<\/strong>\u2018 command to disable all unwanted network services from the system.<\/p>\n
      # netstat -tulpn<\/pre>\n
        \n
      1. 20 Netstat Commands for Network Management in Linux<\/a><\/li>\n<\/ol>\n
        5. Use Secure Shell(SSH)<\/h3>\n
        Telnet<\/strong>\u00a0and\u00a0rlogin<\/strong>\u00a0protocols uses plain text, not encrypted format which is the security breaches.\u00a0SSH<\/strong>\u00a0is a secure protocol that use encryption technology during communication with server.<\/p>\n
        Never login directly as\u00a0root<\/strong>\u00a0unless necessary. Use \u201csudo<\/strong>\u201d to execute commands. sudo are specified in\u00a0\/etc\/sudoers<\/strong>\u00a0file also can be edited with the \u201cvisudo<\/strong>\u201d utility which opens in\u00a0VI<\/strong>\u00a0editor.<\/p>\n
        It\u2019s also recommended to change default\u00a0SSH 22<\/strong>\u00a0port number with some other higher level port number. Open the main\u00a0SSH<\/strong>\u00a0configuration file and make some following parameters to restrict users to access.<\/p>\n
        # vi \/etc\/ssh\/sshd_config<\/pre>\n
        Disable root Login<\/h5>\n
        PermitRootLogin no<\/pre>\n
        Only allow Specific Users<\/h5>\n
        AllowUsers username<\/pre>\n
        Use SSH Protocol 2 Version<\/h5>\n
        Protocol 2<\/pre>\n
          \n
        1. 5 Best Practices to Secure and Protect SSH Server<\/a><\/li>\n<\/ol>\n
          6. Keep System updated<\/h3>\n
          Always keep system updated with latest releases patches, security fixes and kernel when it\u2019s available.<\/p>\n
          # yum updates\r\n# yum check-update<\/pre>\n
          7. Lockdown Cronjobs<\/h3>\n
          Cron<\/strong>\u00a0has it\u2019s own built in feature, where it allows to specify who may, and who may not want to run jobs. This is controlled by the use of files called\u00a0\/etc\/cron.allow<\/strong>\u00a0and\u00a0\/etc\/cron.deny<\/strong>. To lock a user using cron, simply add user names in\u00a0cron.deny<\/strong>\u00a0and to allow a user to run cron add in\u00a0cron.allow<\/strong>\u00a0file. If you would like to disable all users from using cron, add the \u2018ALL<\/strong>\u2018 line to\u00a0cron.deny<\/strong>\u00a0file.<\/p>\n
          # echo ALL >>\/etc\/cron.deny<\/pre>\n
            \n
          1. 11 Cron Scheduling Examples in Linux<\/a><\/li>\n<\/ol>\n
            8. Disable USB stick to Detect<\/h3>\n
            Many times it happens that we want to restrict users from using\u00a0USB<\/strong>\u00a0stick in systems to protect and secure data from stealing. Create a file \u2018\/etc\/modprobe.d\/no-usb<\/strong>\u2018 and adding below line will not detect\u00a0USB<\/strong>\u00a0storage.<\/p>\n
            install usb-storage \/bin\/true<\/pre>\n
            9. Turn on SELinux<\/h3>\n
            Security-Enhanced Linux<\/strong>\u00a0(SELinux<\/strong>) is a compulsory access control security mechanism provided in the kernel. Disabling\u00a0SELinux<\/strong>\u00a0means removing security mechanism from the system. Think twice carefully before removing, if your system is attached to internet and accessed by the public, then think some more on it.<\/p>\n
            SELinux<\/strong>\u00a0provides three basic modes of operation and they are.<\/p>\n
              \n
            1. Enforcing<\/strong>: This is default mode which enable and enforce the\u00a0SELinux<\/strong>\u00a0security policy on the machine.<\/li>\n
            2. Permissive<\/strong>: In this mode,\u00a0SELinux<\/strong>\u00a0will not enforce the security policy on the system, only warn and log actions. This mode is very useful in term of troubleshooting\u00a0SELinux<\/strong>\u00a0related issues.<\/li>\n
            3. Disabled<\/strong>:\u00a0SELinux<\/strong>\u00a0is turned off.<\/li>\n<\/ol>\n
              You can view current status of\u00a0SELinux<\/strong>\u00a0mode from the command line using \u2018system-config-selinux<\/strong>\u2018, \u2018getenforce<\/strong>\u2018 or \u2018sestatus<\/strong>\u2018 commands.<\/p>\n
              # sestatus<\/pre>\n
              If it is disabled, enable\u00a0SELinux<\/strong>\u00a0using the following command.<\/p>\n
              # setenforce enforcing<\/pre>\n
              It also can be managed from \u2018\/etc\/selinux\/config<\/strong>\u2018 file, where you can enable or disable it.<\/p>\n
              10. Remove KDE\/GNOME Desktops<\/h3>\n
              There is no need to run\u00a0X Window<\/strong>\u00a0desktops like\u00a0KDE<\/strong>\u00a0or\u00a0GNOME<\/strong>\u00a0on your dedicated\u00a0LAMP<\/a>\u00a0server. You can remove or disable them to increase security of server and performance. To disable simple open the file \u2018\/etc\/inittab<\/strong>\u2018 and set run level to\u00a03<\/strong>. If you wish to remove it completely from the system use the below command.<\/p>\n
              # yum groupremove \"X Window System\"<\/pre>\n
              11. Turn Off IPv6<\/h3>\n
              If you\u2019re not using a\u00a0IPv6<\/strong>\u00a0protocol, then you should disable it because most of the applications or policies not required\u00a0IPv6<\/strong>\u00a0protocol and currently it doesn\u2019t required on the server. Go to network configuration file and add followings lines to disable it.<\/p>\n
              # vi \/etc\/sysconfig\/network<\/pre>\n
              NETWORKING_IPV6=no\r\nIPV6INIT=no<\/pre>\n
              12. Restrict Users to Use Old Passwords<\/h3>\n
              This is very useful if you want to disallow users to use same old passwords. The old password file is located at\u00a0\/etc\/security\/opasswd<\/strong>. This can be achieved by using\u00a0PAM<\/strong>\u00a0module.<\/p>\n
              Open \u2018\/etc\/pam.d\/system-auth<\/strong>\u2018 file under\u00a0RHEL \/ CentOS \/ Fedora<\/strong>.<\/p>\n
              # vi \/etc\/pam.d\/system-auth<\/pre>\n
              Open\u00a0\u2018\/etc\/pam.d\/common-password<\/strong>\u2018 file under\u00a0Ubuntu\/Debian\/Linux Mint<\/strong>.<\/p>\n
              # vi \/etc\/pam.d\/common-password<\/pre>\n
              Add the following line to \u2018auth<\/strong>\u2018 section.<\/p>\n
              auth        sufficient    pam_unix.so likeauth nullok<\/pre>\n
              Add the following line to \u2018password<\/strong>\u2018 section to disallow a user from re-using last\u00a05<\/strong>\u00a0password of his or her.<\/p>\n
              password   sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5<\/pre>\n
              Only last\u00a05<\/strong>\u00a0passwords are remember by server. If you tried to use any of last\u00a05<\/strong>\u00a0old passwords, you will get an error like.<\/p>\n
              Password has been already used. Choose another.<\/pre>\n
              13. How to Check Password Expiration of User<\/h3>\n
              In Linux, user\u2019s passwords are stored in \u2018\/etc\/shadow<\/strong>\u2018 file in encrypted format. To check password expiration of user\u2019s, you need to use \u2018chage<\/strong>\u2018 command. It displays information of password expiration details along with last password change date. These details are used by system to decide when a user must change his\/her password.<\/p>\n
              To view any existing user\u2019s aging information such as\u00a0expiry date<\/strong>\u00a0and\u00a0time<\/strong>, use the following command.<\/p>\n
              #chage -l username<\/pre>\n
              To change password aging of any user, use the following command.<\/p>\n
              #chage -M 60 username\r\n#chage -M 60 -m 7 -W 7 userName<\/pre>\n
              Parameters<\/h5>\n
                \n
              1. -M<\/strong>\u00a0Set maximum number of days<\/li>\n
              2. -m<\/strong>\u00a0Set minimum number of days<\/li>\n
              3. -W<\/strong>\u00a0Set the number of days of warning<\/li>\n<\/ol>\n
                14. Lock and Unlock Account Manually<\/h3>\n
                The lock and unlock features are very useful, instead of removing an account from the system, you can lock it for an week or a month. To lock a specific user, you can use the follow command.<\/p>\n
                # passwd -l accountName<\/pre>\n
                Note<\/strong>\u00a0: The locked user is still available for\u00a0root<\/strong>\u00a0user only. The locking is performed by replacing encrypted password with an (!<\/strong>) string. If someone trying to access the system using this account, he will get an error similar to below.<\/p>\n
                # su - accountName\r\nThis account is currently not available.<\/pre>\n
                To unlock or enable access to an locked account, use the command as. This will remove (!<\/strong>) string with encrypted password.<\/p>\n
                # passwd -u accountName<\/pre>\n
                15. Enforcing Stronger Passwords<\/h3>\n
                A number of users use soft or weak passwords and their password might be hacked with a\u00a0dictionary based<\/strong>\u00a0or\u00a0brute-force<\/a>\u00a0attacks. The \u2018pam_cracklib<\/strong>\u2018 module is available in\u00a0PAM<\/strong>\u00a0(Pluggable Authentication Modules<\/strong>) module stack which will force user to set strong passwords. Open the following file with an editor.<\/p>\n
                Read Also:<\/p>\n
                # vi \/etc\/pam.d\/system-auth<\/pre>\n
                And add line using credit parameters as (lcredit<\/strong>,\u00a0ucredit<\/strong>,\u00a0dcredi<\/strong>t and\/or\u00a0ocredit<\/strong>\u00a0respectively lower-case, upper-case, digit and other)<\/p>\n
                \/lib\/security\/$ISA\/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1<\/pre>\n
                16. Enable Iptables (Firewall)<\/h3>\n
                It\u2019s highly recommended to enable\u00a0Linux firewall<\/strong>\u00a0to secure unauthorised access of your servers. Apply rules in\u00a0iptables<\/strong>\u00a0to filters\u00a0incoming<\/strong>,\u00a0outgoing<\/strong>\u00a0and\u00a0forwarding<\/strong>\u00a0packets. We can specify the source and destination address to allow and deny in specific\u00a0udp\/tcp<\/strong>\u00a0port number.<\/p>\n
                  \n
                1. Basic IPTables Guide and Tips<\/a><\/li>\n<\/ol>\n
                  17. Disable Ctrl+Alt+Delete in Inittab<\/h3>\n
                  In most Linux distributions, pressing \u2018CTRL-ALT-DELETE\u2019<\/strong>\u00a0will takes your system to reboot process. So, it\u2019s not a good idea to have this option enabled at least on production servers, if someone by mistakenly does this.<\/p>\n
                  This is defined in \u2018\/etc\/inittab<\/strong>\u2018 file, if you look closely in that file you will see a line similar to below. By default line is not commented out. We have to comment it out. This particular key sequence signalling will shut-down a system.<\/p>\n
                  # Trap CTRL-ALT-DELETE\r\n#ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now<\/pre>\n
                  18. Checking Accounts for Empty Passwords<\/h3>\n
                  Any account having an empty password means its opened for unauthorized access to anyone on the web and it\u2019s a part of security within a Linux server. So, you must make sure all accounts have strong passwords and no one has any authorized access. Empty password accounts are security risks and that can be easily hackable. To check if there were any accounts with empty password, use the following command.<\/p>\n
                  # cat \/etc\/shadow | awk -F: '($2==\"\"){print $1}'<\/pre>\n
                  19. Display SSH Banner Before Login<\/h3>\n
                  It\u2019s always a better idea to have an legal banner or security banners with some security warnings before SSH authentication. To set such banners read the following article.<\/p>\n
                    \n
                  1. Display SSH Warning Message to Users<\/a><\/li>\n<\/ol>\n
                    20. Monitor User Activities<\/h3>\n
                    If you are dealing with lots of users, then its important to collect the information of each user activities and processes consumed by them and analyse them at a later time or in case if any kind of performance, security issues. But how we can monitor and collect user activities information.<\/p>\n
                    There are two useful tools called \u2018psacct<\/strong>\u2018 and \u2018acct<\/strong>\u2018 are used for monitoring user activities and processes on a system. These tools runs in a system background and continuously tracks each user activity on a system and resources consumed by services such as\u00a0Apache<\/strong>,\u00a0MySQL<\/strong>,\u00a0SSH<\/strong>,\u00a0FTP<\/strong>, etc. For more information about installation, configuration and usage, visit the below url.<\/p>\n
                      \n
                    1. Monitor User Activity with psacct or acct Commands<\/a><\/li>\n<\/ol>\n
                      21. Review Logs Regularly<\/h3>\n
                      Move logs in dedicated log server, this may prevents intruders to easily modify local logs. Below are the Common Linux default log files name and their usage:<\/p>\n
                        \n
                      1. \/var\/log\/message<\/strong>\u00a0\u2013 Where whole system logs or current activity logs are available.<\/li>\n
                      2. \/var\/log\/auth.log<\/strong>\u00a0\u2013 Authentication logs.<\/li>\n
                      3. \/var\/log\/kern.log<\/strong>\u00a0\u2013 Kernel logs.<\/li>\n
                      4. \/var\/log\/cron.log<\/strong>\u00a0\u2013 Crond logs (cron job).<\/li>\n
                      5. \/var\/log\/maillog<\/strong>\u00a0\u2013 Mail server logs.<\/li>\n
                      6. \/var\/log\/boot.log<\/strong>\u00a0\u2013 System boot log.<\/li>\n
                      7. \/var\/log\/mysqld.log<\/strong>\u00a0\u2013 MySQL database server log file.<\/li>\n
                      8. \/var\/log\/secure<\/strong>\u00a0\u2013 Authentication log.<\/li>\n
                      9. \/var\/log\/utmp<\/strong>\u00a0or\u00a0\/var\/log\/wtmp<\/strong>\u00a0: Login records file.<\/li>\n
                      10. \/var\/log\/yum.lo<\/strong>g: Yum log files.<\/li>\n<\/ol>\n
                        22. Important file Backup<\/h3>\n
                        In a production system, it is necessary to take important files backup and keep them in safety vault, remote site or offsite for Disasters recovery.<\/p>\n
                        23. NIC Bonding<\/h3>\n
                        There are two types of mode in\u00a0NIC<\/strong>\u00a0bonding, need to mention in bonding interface.<\/p>\n
                          \n
                        1. mode=0<\/strong>\u00a0\u2013 Round Robin<\/li>\n
                        2. mode=1<\/strong>\u00a0\u2013 Active and Backup<\/li>\n<\/ol>\n
                          NIC Bonding<\/strong>\u00a0helps us to avoid single point of failure. In\u00a0NIC<\/strong>\u00a0bonding, we bond two or more\u00a0Network Ethernet Cards<\/strong>\u00a0together and make one single virtual Interface where we can assign\u00a0IP<\/strong>\u00a0address to talk with other servers. Our network will be available in case of one\u00a0NIC Card<\/strong>\u00a0is down or unavailable due to any reason.<\/p>\n
                          Read Also<\/strong>\u00a0:\u00a0Create NIC Channel Bonding in Linux<\/a><\/p>\n
                          24. Keep \/boot as read-only<\/h3>\n
                          Linux kernel and its related files are in\u00a0\/boot<\/strong>\u00a0directory which is by default as\u00a0read-write<\/strong>. Changing it to\u00a0read-only<\/strong>reduces the risk of unauthorized modification of critical boot files. To do this, open \u201c\/etc\/fstab<\/strong>\u201d file.<\/p>\n
                          # vi \/etc\/fstab<\/pre>\n
                          Add the following line at the bottom, save and close it.<\/p>\n
                          LABEL=\/boot     \/boot     ext2     defaults,ro     1 2<\/pre>\n
                          Please note that you need to reset the change to read-write if you need to upgrade the kernel in future.<\/p>\n
                          25. Ignore ICMP or Broadcast Request<\/h3>\n
                          Add following line in \u201c\/etc\/sysctl.conf<\/strong>\u201d file to ignore\u00a0ping<\/strong>\u00a0or\u00a0broadcast<\/strong>\u00a0request.<\/p>\n
                          Ignore ICMP request:\r\nnet.ipv4.icmp_echo_ignore_all = 1\r\n\r\nIgnore Broadcast request:\r\nnet.ipv4.icmp_echo_ignore_broadcasts = 1<\/pre>\n
                          Load new settings or changes, by running following command<\/p>\n
                          #sysctl -p<\/pre>\n
                          If you\u2019ve missed any important security or hardening tip in the above list, or you\u2019ve any other tip that needs to be included in the list. Please drop your comments in our comment box.<\/p>\n
                          Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
                          Everybody says that\u00a0Linux\u00a0is secure by default and agreed to some extend (It\u2019s debatable topics). However, Linux has in-built security model in place by default. Need to tune it up and customize as per your need which may help to make more secure system. Linux is harder to manage but offers more flexibility and configuration options. … <\/p>\n
                          Continue reading “25 Hardening Security Tips for Linux Servers”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13229","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=13229"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13229\/revisions"}],"predecessor-version":[{"id":13230,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13229\/revisions\/13230"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=13229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=13229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=13229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}