In the previous post, we talked about Linux network commands and we saw some useful examples used to troubleshoot your network, today we will talk about some Linux security commands that you will need to harden your system.
New vulnerabilities are discovered a lot these days, exploits are immediately built on those vulnerabilities after being discovered.
Maybe you are updating your system periodically, but this is not enough, you need to harden your system to protect your assets as much as possible.
The security is the main concern for all of us and we will see some practical examples of how to harden your system security.
Table of Contents
Securing the Console
You can limit where the root user can log on by restricting him to a specific set of terminals. To do this, edit /etc/securetty file.
Any device the root need to log in from should be listed in the file.
It is preferable allowing root login only on one terminal and forcing all other logins to be a non-root user and if required use su to gain root privileges.
Password aging enables you to specify a period of time for which a password is correct. After the period has finished, the user will have to enter a new password. This has the advantage of ensuring passwords are changed regularly.
There are two ways to achieve that, the first way is by command line using the change command like this:
$ chage -M 20 likegeeks
We use the -M option to set the password expiry period for the user likegeeks to 20 days.
You can type chage without options and it will ask you about the value.
$ chage likegeeks
The second way is to set defaults for all users in the /etc/login.defs file.
You can change these values according to your needs.
Keep in mind that, you should force users to use strong password using pam_cracklib.
Once you’ve installed it, you can go to /etc/pam.d/system-auth and type something like this:
password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1
sudo command makes life easier and also can lead to Linux Security issues that can ruin your life.
We know that sudo command enables normal users to run commands as if they were root, you can check all sudo configurations in the /etc/sudoers file.
You can prevent users from running the commands you want as root.
You can make sudo send an email when it is used by adding the following line to the file:
And then modify when sudo sends that email.
If we will talk about Linux security, we need to talk about SSH service. SSH is an important service to your system, it enables you to connect easily to your system, and sometimes it is the only way to make your system survive when things go bad, so tuning SSH is a must.
Since we use CentOS 7 in our posts, so the SSH configuration file is in:
The scanners or bots that the attackers use try to connect to SSH on port 22 which is the default.
It is common to change your SSH port to another unused port, let’s say 5555. You can change the SSH port by typing the Port number in the configuration file like this:
You can also restrict the root login by updating the value of PermitRootLogin to no.
And surely disable tunneled clear passwords and use public-private key login instead.
Regarding SSH timeouts. This traditional problem can be handled by configuring the following settings.
For example, the following settings imply that a packet will be issued every 60 seconds.
By adjusting these values, you can provide a longer connection.
You can make the SSH service just a little bit more secure by specifying the usernames for those who will be allowed to use SSH.
AllowUsers user1 user2
Or you can make it per group.
AllowGroup group1 group2
Further to this, you can use two-factor authentication for SSH like google authenticator.
$ yum install google-authenticator
Then run it to verify the installation.
You should have Google authenticator application installed on your Mobile phone.
And add the following line to /etc/pam.d/sshd
auth required pam_google_authenticator.so
And the last thing to do is to tell SSH about this by adding the following line to /etc/ssh/sshd_config
Now restart you SSH.
$ systemctl restart sshd
And when you log in using SSH, it will ask about verification code, so your SSH is secured and more solid now.
Intrusion Detection with Tripwire
Tripwire is one of the great tools in Linux security. It’s an intrusion detection system (HIDS).
It works by gathering configuration and filesystem details and uses this information to provide a reference point between the previous state of a system and its current state.
Tripwire capable of monitoring which files or directories were added or modified recently, who changed them, what changes were made, and when that change happened.
In order to get tripwire, you need access to EPEL repository. You can add it easily:
$ rpm -ivh epel-release-7-9.noarch.rpm
Once you’ve installed EPEL repo, you can install tripwire.
$ sudo yum install tripwire
To begin using Tripwire, you will need to create the appropriate local and site keys like this:
It will prompt you to enter a passphrase for both the site and local key file. Tripwire will tell you to use a strong password.
Now you can customize Tripwire by making changes to this file:
This file is very easy to read and modify since every line has a comment that describes it well.
You can update Tripwire policy file like this:
$ tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
When Tripwire is completed, you should now be able to initialize the Tripwire database like this:
$ tripwire --init
Tripwire will now begin to scan the system, it will take some time depends on the overall size of the system.
Any modifications to the filesystem are considered to be system intrusion, the administrator will be notified and he will need to restore the system with files that can be trusted.
For this reason, any system changes should be validated through Tripwire. To do this, use the following command:
$ tripwire --check
One last thing about tripwire, I would recommend that you secure both the twpol.txt and twcfg.txt files as another step of security.
Tripwire has a lot of options and settings; you can check them with man tripwire
Firewalld is a replacement for iptables, it improves the management of Linux security. Firewalld can enable configuration changes without stopping the current connections.
Firewalld runs as a service that allows for rules to be added and changed immediately and it uses network zones to define a level of trust for any associated network connections.
To know if Firewalld is currently running, type this command:
$ firewall-cmd --state
You can list the predefined zones like this:
$ firewall-cmd --get-zones
The value can be updated like this:
$ firewall-cmd --set-default-zone=<new-name>
You can get all the relevant information about any particular zone like this:
$ firewall-cmd --zone=<zone-name> --list-all
You can list all supported services:
$ firewall-cmd --get-services
Then you can add additional services or remove them within a zone:
$ firewall-cmd --zone=<zone-name> --add-service=<service-name>
$ firewall-cmd --zone=<zone-name> --remove-service=<service-name>
You can list all ports open in any particular zone:
$ firewall-cmd --zone=<zone-name> --list-ports
You can manage the addition or removal of TCP/UDP ports like this:
$ firewall-cmd --zone=<zone-name> --add-port=<port-number/protocol>
$ firewall-cmd --zone=<zone-name> --remove-port=<port-number/protocol>
You can add or remove port forwarding like this:
$ firewall-cmd --zone=<zone-name> --add-forward-port=<port-number>
$ firewall-cmd --zone=<zone-name> --remove-forward-port=<port-number>
Firewalld is very comprehensive and the best thing about Firewalld is that you can manage firewall architecture without ever needing to stop or restart the firewall service and this is something that cannot be achieved with iptables.
Returning to Iptables
Some people prefer iptables firewall over Firewalld, so in case you find yourself in a situation where you do not want to use Firewalld, you can return to iptables, you can do that easily.
First, disable Firewalld:
$ systemctl disable firewalld
$ systemctl stop firewalld
Then install iptables:
$ yum install iptables-services
$ touch /etc/sysconfig/iptables
$ touch /etc/sysconfig/ip6tables
Now you can start iptables service:
$ systemctl start iptables
$ systemctl start ip6tables
$ systemctl enable iptables
$ systemctl enable ip6tables
And in order for the kernel to account for the new configuration, you have to reboot your system.
Restricting the Compilers
The attacker might compile the exploits on his machine and upload it to the victim server without the need to the compilers, but anyway, it’s preferable to restrict the compilers if you don’t use them in production as most modern hosting panels do.
First, you need to query individual packages to see what binaries are contained in them. Then you have to adjust the permissions of those binaries.
$ rpm -q --filesbypkg gcc | grep 'bin'
Now we need to create a group that will have access to the compiler binaries.
$ groupadd compilerGroup
Then you can change the ownership of any binary you want to this group.
$ chown root:compilerGroup /usr/bin/gcc
And one last important thing is to change the permission of this binary to be only the compilers group.
$ chmod 0750 /usr/bin/gcc
Now, any user tries to use gcc will see permission denied message.
Awesome Immutable Files
Immutable files are one of the most powerful Linux security features available on Linux systems. Immutable files cannot be overwritten by any user, regardless of their permission, even root. They cannot be removed or renamed, and you can’t create a hard link from them.
They are excellent for securing configuration files, or you can think about securing any files that you want to prevent changes to them.
To make any file immutable, use the chattr command.
$ chattr +i /myscript
You can remove immutable attribute like this:
$ chattr -i /myscript
The contents of the /sbin and /usr/lib directories can be made immutable to prevent an attacker from replacing a critical binary or library file with an altered malicious version, but in this case, you should remove the immutable attribute before updating your system.
I will leave the rest of the examples about using immutable files to your imagination.
Managing SELinux with aureport
It is a common thing if you are using hosting control panels, you will find SELinux disabled.
Disabling SELinux will leave the system exposed. I agree, but SELinux has some complexity, and for those of us who wish to enjoy the security it offers, your life can be easier if you manage it using aureport.
The aureport utility is developed to create tabular like reports that show the events recorded in the audit log files.
$ aureport --avc
You can create a list of executable files like this:
$ aureport -x
You can use aureport to generate a full authentication report.
$ aureport -au -i
Or you can list the failed authentication events.
$ aureport -au --summary -i --failed
Or maybe a summary of successful authentication events.
$ aureport -au --summary -i --success
When you are working with a system that runs SELinux, your first point of call as a system administrator is to consider the benefits of aureport when troubleshooting the system.
Using sealert Tool
In addition to aureport tool, you can use a good Linux security tool called sealert, you can install it with this command:
$ yum install setools
Now we have a tool that will actively return announcements from the log file found at /var/log/audit/audit.log and gives us something readable.
This tool is called sealert and its goal is to issue reports regarding any issues related to SELinux.
You can use it like this:
$ sealert -a /var/log/audit/audit.log
The best thing about the generated report is at the end of each alert if found, you will find how to resolve the problem.
In this post we’ve covered just some of the Linux security tricks that could help you harden your system, However, there are a lot of Linux security tricks for many running services that need hardening.
I hope you found the post useful and interesting.