In the previous post, we talked about Linux network commands and we saw some useful examples of troubleshooting your network, today we will talk about some Linux security commands that you will need to harden your system.
At the beginning, we need to ask a question. Is Linux secured 100% or at least secured enough? The answer is no. The danger posed by these unskilled attackers has also increased these days. New vulnerabilities are discovered daily and sometimes hourly.
Exploits are rapidly built on these vulnerabilities within a few hours of them being discovered. Some vulnerabilities are not even discovered until someone uses them to exploit a host.
The security is the main concern for all of us and we will see some practical examples of how to harden your system security.
No single post on Linux security, even a book, will ever answer all the security questions or address all the possible threats. So what we will cover in this post is not everything. If the people like the post I’m going to make more posts about Linux security tricks.
Table of Contents
Securing the Console
You can limit where root can log on by restricting it to a specific set of terminals. To do this, edit the contents of the /etc/securetty file.
All devices you want to allow root to log in from should be listed in the file.
It is recommend allowing root login only on one terminal and forcing all other logins to be a non-root user and if required use su to gain root privileges.
Password aging enables you to specify a period of time for which a password is valid. After the time period has expired, so that will force the user to enter a new password. This has the benefit of ensuring passwords are changed regularly and that a password that is stolen, cracked or known by somebody.
There are two ways to achieve that, the first way is by command line using the change command like this:
$ chage -M 20 likegeeks
We use the -M option to set the password expiry period for the user likegeeks to 20 days.
You can type chage without options and it will prompt you about your choices.
$ chage likegeeks
The second way is to set defaults for all users in the /etc/login.defs file.
You can change these values according to your needs.
Keep in mind that you should force users to use strong password using pam_cracklib.
Once you’ve installed it you can go to /etc/pam.d/system-auth and type something like this:
password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1
sudo command makes life easier and can lead to Linux Security issues that can ruin your life.
We know that sudo command enables non root users to run commands as if they were root, you can check all sudo configurations in the /etc/sudoers file.
You can disable users from running the commands you want as root.
You can configure sudo to send an e-mail when the sudo command is used by adding the following line to the file.
And then modify when sudo sends that e-mail.
If we will talk about Linux security we must talk about SSH service.SSH is a vital service to your system, it enables you to connect easily to your system, and sometimes it is the only way to make your system survive when things go bad, so tuning SSH is very important.
Since we use CentOS 7 in our posts, so the SSH configuration file is in:
Let’s take a deep look into it.
The scanners or bots that the attackers use try to connect to SSH on port 22 which is the default.
It is common to change your SSH port to another unused port, let’s say 5555 or whatever.
You can also restrict the root login by updating the value of PermitRootLogin to no.
And surely disable tunneled clear passwords and use public-private key login instead.
Another tweak that may not prevent an attack, but by requiring SSH to look up, the remote hostname through forward and reverse DNS will generate the appropriate warnings in the system log files. To do this, simply enabling UseDNS value.
Additionally, it is possible that a difficulty may come from the use of GSSAPI authentication. This is not common as it is a feature of SSH that is called upon when a GSSAPI server is required to validate the associated user credentials. To avoid this set GSSAPIAuthentication to no.
Regarding SSH timeouts. This traditional problem can be handled by configuring the correct ServerAliveInterval, ServerAliveCountMax, and TCPKeepAlive values.
For example, the following rules imply that a packet will be issued every 60 seconds.
By adjusting those values you can provide a longer connection.
You can make the SSH service just a little bit more secure by specifying the usernames that will be allowed to use SSH.
AllowUsers user1 user2
Or you can make it per group.
AllowGroup group1 group2
Further to this, you can use two-factor authentication for SSH like google authenticator.
$ yum install google-authenticator
Then run it to verify the installation.
You should have Google authenticator application installed on your Mobile phone.
And add the following line to /etc/pam.d/sshd
auth required pam_google_authenticator.so
And the last thing to do is to tell SSH about this by adding the following line to /etc/ssh/sshd_config
Now restart you SSH.
$ systemctl restart sshd
And when you log in using SSH, will ask about verification code, so your SSH is secured against brute-force attacks and more solid now.
Intrusion Detection with Tripwire
Tripwire is one of the great tools in Linux security. It’s a host-based intrusion detection system (HIDS). It works by collecting configuration and filesystem details and uses this information to provide a reference point between the previous state of a system and its current state, a process that is achieved by monitoring which files or directories were added or modified recently, who changed them, what changes were made, and when that change happened. So you have an eye on your files.
In order to get tripwire, you need access to EPEL repository. You can add it easily:
$ rpm -ivh epel-release-7-9.noarch.rpm
Once you’ve installed EPEL repo you can install tripwire.
$ sudo yum install tripwire
To begin using Tripwire, you will need to create the appropriate local and site keys like this:
It will prompt you to enter a passphrase for both the site and local key file. Tripwire will advise you to use a combination of uppercase and lowercase letters, digits, and punctuation marks.
Now you can customize Tripwire by making changes to this file.
This file is very easy to read and modify since every line has a comment that describes it well.
You can update Tripwire policy file like this:
$ tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
Tripwire will now step over many onscreen phases to reference your changes; when it has finished, you should now be able to initialize the Tripwire database like this:
$ tripwire --init
Tripwire will now begin to scan the system, it will take some time depends on the overall size of the system.
Any changes to the filesystem are considered to be system intrusion, the administrator will be notified and he will need to restore the system with files that can be trusted. For this reason, any system changes must be validated through Tripwire. You can validate your current policy file like this:
$ tripwire --check
One last thing about tripwire, I would recommend that you secure both the twpol.txt and twcfg.txt files as another step of security.
Tripwire has a lot of options and settings; you can check them with man tripwire.
Firewalld is a replacement for iptables and improves the management of Linux security by enabling configuration changes without stopping the current connections.
Firewalld runs as a service that allows for rules to be added and changed immediately and it uses network zones to define a level of trust for any and all associated network connections.
To know if Firewalld is currently running type this command:
$ firewall-cmd --state
You can list the predefined zones like this:
$ firewall-cmd --get-zones
The value can be updated like this:
$ firewall-cmd --set-default-zone=<new-zone-name>
You can obtain all the relevant information about any particular zone like this:
$ firewall-cmd --zone=<zone-name> --list-all
You can list all supported services:
$ firewall-cmd --get-services
Then you can add additional services or remove them within a zone:
$ firewall-cmd --zone=<zone-name> --add-service=<service-name>
$ firewall-cmd --zone=<zone-name> --remove-service=<service-name>
You can list all ports open in any particular zone:
$ firewall-cmd --zone=<zone-name> --list-ports
You can manage the addition or removal of TCP/UDP ports like this:
$ firewall-cmd --zone=<zone-name> --add-port=<port-number/protocol>
$ firewall-cmd --zone=<zone-name> --remove-port=<port-number/protocol>
You can add or remove port forwarding like this:
$ firewall-cmd --zone=<zone-name> --add-forward-port=<port-number>
$ firewall-cmd --zone=<zone-name> --remove-forward-port=<port-number>
Firewalld is very comprehensive and the best thing about Firewalld is that you can manage firewall architecture without ever needing to stop or restart the firewall service and this is something that cannot be achieved with iptables.
Returning to Iptables
Some people prefer iptables over Firewalld, so in case you find yourself in a situation where you do not want to use Firewalld, you can return to iptables, you can do that easily.
First, disable Firewalld:
$ systemctl disable firewalld
$ systemctl stop firewalld
Then install iptables:
$ yum install iptables-services
$ touch /etc/sysconfig/iptables
$ touch /etc/sysconfig/ip6tables
Now you can start iptables service:
$ systemctl start iptables
$ systemctl start ip6tables
$ systemctl enable iptables
$ systemctl enable ip6tables
And in order for the kernel to account for the new configuration, you have to reboot your system.
Restricting the Compilers
If your system compromised, there is an important thing that the attacker interested in, which is compilers, but why? Because he could download a simple C file (POC) and compile it on your system and become root user in a matter of seconds, or even he could do some serious things on your system if the compilers are ON.
First, you need to query individual packages to see what binaries are contained in them. Then you need to restrict the permissions of those binaries.
$ rpm -q --filesbypkg gcc | grep 'bin'
Now we need to create a group that will have access to the compiler binaries.
$ groupadd compilerGroup
Then you can change the ownership of any binary you want to this group.
$ chown root:compilerGroup /usr/bin/gcc
And one last important thing is to change the permission of this binary to be only the compilers group.
$ chmod 0750 /usr/bin/gcc
Now, any user tries to use gcc will see permission denied message.
I know that some people might say that the attacker will download the compiler itself if he found the compilers OFF, this is another story we can cover in future posts.
Awesome Immutable Files
Immutable files are one of the most powerful Linux security features available on Linux systems. Immutable files cannot be written to by any user, even by the root user, regardless of their file permissions. They cannot be removed or renamed, and you can’t create a hard link from them.
They are ideal for securing configuration files or you can think about securing any files that you want to prevent changes to them.
To make any file immutable use chattr command.
$ chattr +i /myscript
You can remove immutable attribute like this:
$ chattr -i /myscript
The contents of the /sbin and /usr/lib directories can be made immutable to prevent an attacker from replacing a critical binary or library file with an altered malicious version.
I will leave the rest of the examples about using immutable files to your imagination.
Managing SELinux with aureport
It is a common thing if you are using hosting control panels, or when a specific application seem to be experiencing such difficulties that they will not run with SELinux enabled, you will find SELinux disabled.
Disabling SELinux will leave the system exposed. I agree, SELinux has some complexity, and for those of us who wish to enjoy the security it offers, you live can be made simpler through the option of running aureport.
The aureport utility is designed to create column-based reports that show the events recorded in the audit log files.
$ aureport --avc
You can also use this same utility to create a list of executable files.
$ aureport -x
You can use aureport to generate a full authentication report.
$ aureport -au -i
Or you can list the failed authentication events.
$ aureport -au --summary -i --failed
Or maybe a summary of successful authentication events.
$ aureport -au --summary -i --success
When you are working with a system that runs SELinux, your first point of call as a system administrator is to consider the benefits of aureport when troubleshooting the system.
Using sealert Tool
In addition to aureport tool, you can use a good Linux security tool called sealert, you can install it with this command.
$ yum install setools
Now we have a tool that will actively return announcements from the log file found at /var/log/audit/audit.log and translate them into something far more “human-friendly”.
This tool is called sealert and its goal is to issue reports regarding any issues related to SELinux.
You can use it like this:
$ sealert -a /var/log/audit/audit.log
The best thing about the generated report is at the end of each alert if found, you will find what explains how to resolve the problem.
In this post we’ve covered just some of the Linux security tricks that could help you harden your system, However, there are a lot of Linux security tricks for many running services that needs hardening.
I hope you found the post useful and interesting.