linux security tricks
Server Administration

Useful Linux Security Tricks to Harden Your System

In the previous post, we talked about Linux network commands and we saw some useful examples used to troubleshoot your network, today we will talk about some Linux security commands that you will need to harden your system.

New vulnerabilities are discovered a lot these days, exploits are immediately built on those vulnerabilities after being discovered. Some of those vulnerabilities are not even discovered until some attacker uses them to exploit a host.

Maybe you are updating your system periodically, but this is not enough, you need to harden your system to protect your assets as much as possible.

The security is the main concern for all of us and we will see some practical examples of how to harden your system security.

 

Securing the Console

You can limit where the root user can log on by restricting him to a specific set of terminals. To do this, edit /etc/securetty file.

Any device the root need to log in from should be listed in the file.

It is preferable allowing root login only on one terminal and forcing all other logins to be a non-root user and if required use su to gain root privileges.

Password Aging

Password aging enables you to specify a period of time for which a password is valid. After the period has expired, the user will have to enter a new password. This has the advantage of ensuring passwords are changed regularly.

There are two ways to achieve that, the first way is by command line using the change command like this:

$ chage -M 20 likegeeks

We use the -M option to set the password expiry period for the user likegeeks to 20 days.

You can type chage without options and it will ask you about the value.

$ chage likegeeks

The second way is to set defaults for all users in the /etc/login.defs file.

You can change these values according to your needs.

Keep in mind that, you should force users to use strong password using pam_cracklib.

Once you’ve installed it, you can go to /etc/pam.d/system-auth  and type something like this:

password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1

sudo Notification

sudo command makes life easier and also can lead to Linux Security issues that can ruin your life.

We know that sudo command enables normal users to run commands as if they were root, you can check all sudo configurations in the /etc/sudoers file.

You can prevent users from running the commands you want as root.

You can make sudo send an email when it is used by adding the following line to the file:

mailto yourname@yourdomain.com

And then modify when sudo sends that email.

mail_always on

Tuning SSH

If we will talk about Linux security, we need to talk about SSH service. SSH is an important service to your system, it enables you to connect easily to your system, and sometimes it is the only way to make your system survive when things go bad, so tuning SSH is a must.

Since we use CentOS 7 in our posts, so the SSH configuration file is in:

/etc/ssh/sshd_config

The scanners or bots that the attackers use try to connect to SSH on port 22 which is the default.

It is common to change your SSH port to another unused port, let’s say 5555. You can change the SSH port by typing the Port number in the configuration file like this:

Port 5555

You can also restrict the root login by updating the value of PermitRootLogin to no.

PermitRootLogin no

And surely disable tunneled clear passwords and use public-private key login instead.

Regarding SSH timeouts. This traditional problem can be handled by configuring the right ServerAliveCountMax, ServerAliveInterval, and TCPKeepAlive values.

For example, the following settings imply that a packet will be issued every 60 seconds.

By adjusting these values, you can provide a longer connection.

You can make the SSH service just a little bit more secure by specifying the usernames for those who will be allowed to use SSH.

AllowUsers user1 user2

Or you can make it per group.

AllowGroup group1 group2

Further to this, you can use two-factor authentication for SSH like google authenticator.

$  yum install google-authenticator

Then run it to verify the installation.

$ google-authenticator

You should have Google authenticator application installed on your Mobile phone.

And add the following line to /etc/pam.d/sshd

auth required pam_google_authenticator.so

And the last thing to do is to tell SSH about this by adding the following line to /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

Now restart you SSH.

$ systemctl restart sshd

And when you log in using SSH, it will ask about verification code, so your SSH is secured and more solid now.

Intrusion Detection with Tripwire

Tripwire is one of the great tools in Linux security. It’s an intrusion detection system (HIDS).

It works by gathering configuration and filesystem details and uses this information to provide a reference point between the previous state of a system and its current state.

Tripwire capable of monitoring which files or directories were added or modified recently, who changed them, what changes were made, and when that change happened.

In order to get tripwire, you need access to EPEL repository. You can add it easily:

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm

$ rpm -ivh epel-release-7-9.noarch.rpm

Once you’ve installed EPEL repo, you can install tripwire.

$ sudo yum install tripwire

To begin using Tripwire, you will need to create the appropriate local and site keys like this:

$ tripwire-setup-keyfiles

It will prompt you to enter a passphrase for both the site and local key file. Tripwire will tell you to use a strong password.

Now you can customize Tripwire by making changes to this file:

/etc/tripwire/twpol.txt

This file is very easy to read and modify since every line has a comment that describes it well.

You can update Tripwire policy file like this:

$ tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt

When Tripwire is completed, you should now be able to initialize the Tripwire database like this:

$ tripwire --init

Tripwire will now begin to scan the system, it will take some time depends on the overall size of the system.

Any modifications to the filesystem are considered to be system intrusion, the administrator will be notified and he will need to restore the system with files that can be trusted.

For this reason, any system changes should be validated through Tripwire. To do this, use the following command:

$ tripwire --check

One last thing about tripwire, I would recommend that you secure both the twpol.txt and twcfg.txt files as another step of security.

Tripwire has a lot of options and settings; you can check them with man tripwire

Using Firewalld

Firewalld is a replacement for iptables, it improves the management of Linux security by enabling configuration changes without stopping the current connections.

Firewalld runs as a service that allows for rules to be added and changed immediately and it uses network zones to define a level of trust for any associated network connections.

To know if Firewalld is currently running, type this command:

$ firewall-cmd --state

linux security firewall-cmd state

You can list the predefined zones like this:

$ firewall-cmd --get-zones

linux security firewall-cmd --get-zones

The value can be updated like this:

$ firewall-cmd --set-default-zone=<new-zone-name>

You can get all the relevant information about any particular zone like this:

$ firewall-cmd --zone=<zone-name> --list-all

You can list all supported services:

$ firewall-cmd --get-services

linux security firewall get services

Then you can add additional services or remove them within a zone:

You can list all ports open in any particular zone:

$ firewall-cmd --zone=<zone-name> --list-ports

You can manage the addition or removal of TCP/UDP ports like this:

You can add or remove port forwarding like this:

Firewalld is very comprehensive and the best thing about Firewalld is that you can manage firewall architecture without ever needing to stop or restart the firewall service and this is something that cannot be achieved with iptables.

Returning to Iptables

Some people prefer iptables firewall over Firewalld, so in case you find yourself in a situation where you do not want to use Firewalld, you can return to iptables, you can do that easily.

First, disable Firewalld:

Then install iptables:

Now you can start iptables service:

And in order for the kernel to account for the new configuration, you have to reboot your system.

Restricting the Compilers

The attacker might compile the exploits on his machine and upload it to the victim server without the need to the compilers, but anyway, it’s preferable to restrict the compilers if you don’t use them in production as most modern hosting panels do.

First, you need to query individual packages to see what binaries are contained in them. Then you have to adjust the permissions of those binaries.

$ rpm -q --filesbypkg gcc | grep 'bin'

linux security restrict compilers

Now we need to create a group that will have access to the compiler binaries.

$ groupadd compilerGroup

Then you can change the ownership of any binary you want to this group.

$ chown root:compilerGroup /usr/bin/gcc

And one last important thing is to change the permission of this binary to be only the compilers group.

$ chmod 0750 /usr/bin/gcc

Now, any user tries to use gcc will see permission denied message.

Awesome Immutable Files

Immutable files are one of the most powerful Linux security features available on Linux systems. Immutable files cannot be overwritten by any user, regardless of their permission, even root. They cannot be removed or renamed, and you can’t create a hard link from them.

Awesome!!

They are excellent for securing configuration files, or you can think about securing any files that you want to prevent changes to them.

To make any file immutable, use the chattr command.

$ chattr +i /myscript

linux security immutable files

You can remove immutable attribute like this:

$ chattr -i /myscript

linux security remove immutalbe flag

The contents of the /sbin and /usr/lib directories can be made immutable to prevent an attacker from replacing a critical binary or library file with an altered malicious version, but in this case, you should remove the immutable attribute before updating your system.

I will leave the rest of the examples about using immutable files to your imagination.

Managing SELinux with aureport

It is a common thing if you are using hosting control panels, you will find SELinux disabled.

Disabling SELinux will leave the system exposed. I agree, but SELinux has some complexity, and for those of us who wish to enjoy the security it offers, your live can be easier if you manage it using aureport.

The aureport utility is developed to create column-based reports that show the events recorded in the audit log files.

$ aureport --avc

linux security aureport

You can also use this same utility to create a list of executable files.

$ aureport -x

linux security aureport -x

You can use aureport to generate a full authentication report.

$ aureport -au -i

linux security aureport -au

Or you can list the failed authentication events.

$ aureport -au --summary -i --failed

linux security aureport failed summery

Or maybe a summary of successful authentication events.

$ aureport -au --summary -i --success

linux security aureport success summery

Awesome!!

When you are working with a system that runs SELinux, your first point of call as a system administrator is to consider the benefits of aureport when troubleshooting the system.

Using sealert Tool

In addition to aureport tool, you can use a good Linux security tool called sealert, you can install it with this command:

$ yum install setools

Now we have a tool that will actively return announcements from the log file found at /var/log/audit/audit.log  and translate them into something far more “human-friendly”.

This tool is called sealert and its goal is to issue reports regarding any issues related to SELinux.

You can use it like this:

$ sealert -a /var/log/audit/audit.log

linux security sealert -a

The best thing about the generated report is at the end of each alert if found, you will find how to resolve the problem.

In this post we’ve covered just some of the Linux security tricks that could help you harden your system, However, there are a lot of Linux security tricks for many running services that needs hardening.

I hope you found the post useful and interesting.

Thank you.

  • Jouni Järvinen

    SSH’s DNS runs delay, and maybe even block SSH connections when the run takes too long for any reason. That’s the main reason I disable it, but I also switch from pw to key pair with very high bit size, which makes SSH intrusion impossible.

    • key pair login is very good option

      • Jouni Järvinen

        Normally the only option.

        • With two factor authentication life become easier.

  • Pingback: Linux security | Infrastructure:land()

  • Jared

    NIST has issued new guidelines that discourage frequent password expiration. If someone has to change their password often, they’ll choose less secure passwords that follow a predictable pattern
    https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

    • That should be done with password restrictions. so only complicated passwords are accepted

    • Jouni Järvinen

      Pw changing is impossible for some. It took me 15 years to make my current best pw !

      • No the system will enforce you to change it, otherwise you can’t login to the system.
        also you will be enforced to enter strong password.

        • Jouni Järvinen

          Inability to produce strong passwords doesn’t mean anything … ?

          • Sorry didn’t got your point.

            what do you mean by Inability to produce strong passwords?

  • Halim Ben

    Im glad to be one of your followers

    • Thanks for the warm feelings.

      Honor to me.