Linux security tricks
Server Administration

Useful Linux Security Tricks to Harden Your System

In the previous post, we talked about Linux network commands and we saw some useful examples used to troubleshoot your network, today we will talk about some Linux security commands that you will need to harden your system.

New vulnerabilities are discovered a lot these days, exploits are immediately built on those vulnerabilities after being discovered.

Maybe you are updating your system periodically, but this is not enough, you need to harden your system to protect your assets as much as possible.

 

 

Securing the Terminal

You can secure your console by limiting the root to use particular terminals. You can do this by specifying the terminals that the root will use in  /etc/securetty file.

It’s preferred but not required to allow root login from one terminal only and leave other terminals for other users.

 

Change Your Password Always

Strong password is a must these days, but to add another layer of security, you should change your password from time to time.

You may forget to change it yourself, so there must be something that reminds you about your password age and when to modify it.

There are two ways to achieve that, the first way is by command line using the change command like this:

  • Using chage command.
  • Set defaults in /etc/login.defs.

$ chage -M 20 likegeeks

We use the -M option is used to set the expiration days for your password.

You can type chage without options and it will ask you about the value.

$ chage likegeeks

Or you can set your default rules in  /etc/login.defs file.

You can change these values according to your needs.

Keep in mind that, you should force users to use strong password using pam_cracklib.

Once you’ve installed it, you can go to /etc/pam.d/system-auth  and type something like this:

password required pam_cracklib.so minlen=12 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1

 

sudo Notification

sudo command makes life easier and also can lead to Linux Security issues that can ruin your life.

All sudo configurations in the /etc/sudoers file.

You can prevent users from running the commands you want as root.

You can make sudo send an email when it is used by adding the following line to the file:

mailto yourname@yourdomain.com

And set mail_always to on.

mail_always on

 

Securing SSH

If we will talk about Linux security, we need to talk about SSH service. SSH is an important service to your system, it enables you to connect easily to your system, and sometimes it is the only way to make your system survive when things go bad, so tuning SSH is a must.

Since we use CentOS 7 in our posts, so the SSH configuration file is in:

/etc/ssh/sshd_config

The scanners or bots that the attackers use try to connect to SSH on port 22 which is the default.

It is common to change your SSH port to another unused port, let’s say 5555. You can change the SSH port by typing the Port number in the configuration file like this:

Port 5555

You can also restrict the root login by updating the value of PermitRootLogin to no:

PermitRootLogin no

And surely disable tunneled clear passwords and use public-private key login instead:

Regarding SSH timeouts. This traditional problem can be handled by configuring the following settings.

For example, the following settings imply that a packet will be sent every 60 seconds:

By adjusting these values, you can provide a longer connection:

You can specify the allowed users for using SSH service:

AllowUsers user1 user2

Or you can make it per group:

AllowGroup group1 group2

Securing SSH Using Google Authenticator

Further to this, you can use two-factor authentication for SSH like google authenticator.

$  yum install google-authenticator

Then run it to verify the installation.

$ google-authenticator

You should have Google authenticator application installed on your Mobile phone.

Edit /etc/pam.d/sshd file and add this:

auth required pam_google_authenticator.so

And the last thing to do is to tell SSH about this by adding the following line to /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

Now restart you SSH.

$ systemctl restart sshd

And when you log in using SSH, it will ask about verification code, so your SSH is secured and more solid now.

 

Intrusion Detection with Tripwire (Monitoring Filesystem)

Tripwire is one of the great tools in Linux security. It’s an intrusion detection system (HIDS).

Tripwire job is to monitor the filesystem, who changed the files, and when that change happened.

In order to get tripwire, you need access to EPEL repository. You can add it easily:

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm

$ rpm -ivh epel-release-7-9.noarch.rpm

Once you’ve installed EPEL repo, you can install tripwire.

$ sudo yum install tripwire

First, create keyfiles like this:

$ tripwire-setup-keyfiles

It will prompt you to enter a passphrase for keyfiles. Tripwire will tell you to use a strong password.

Now you can customize Tripwire by making changes to this file:

/etc/tripwire/twpol.txt

This file is very easy to read and modify since every line has a comment that describes it well.

When Tripwire is completed, you should initialize it like this:

$ tripwire --init

It will take some time scanning the system depends on your file sizes.

Any modifications to the filesystem are considered to be system intrusion, the administrator will be notified and he will need to restore the system with files that can be trusted.

For this reason, any system changes should be validated through Tripwire. To do this, use the following command:

$ tripwire --check

One last thing about tripwire, I would recommend that you secure both the twpol.txt and twcfg.txt files as another step of security.

Tripwire has a lot of options and settings; you can check them with man tripwire

 

Using Firewalld

Firewalld is a replacement for iptables, it improves the management of Linux security. Firewalld can enable configuration changes without stopping the current connections.

Firewalld runs as a service that allows for rules to be added and changed immediately and it uses network zones.

To know if Firewalld is currently running or not, type this command:

$ firewall-cmd --state

linux security firewall-cmd state

You can list the predefined zones like this:

$ firewall-cmd --get-zones

linux security firewall-cmd --get-zones

Each zone of these has a trust level.

The value can be updated like this:

$ firewall-cmd --set-default-zone=<new-name>

You can get all the relevant information about any particular zone like this:

$ firewall-cmd --zone=<zone-name> --list-all

You can list all supported services like this:

$ firewall-cmd --get-services

linux security firewall get services

Then you can add additional services or remove them within a zone:

You can list all ports open in any particular zone:

$ firewall-cmd --zone=<zone-name> --list-ports

You can add ports to a zone like this:

You can add or remove port forwarding like this:

Firewalld is very comprehensive and the best thing about Firewalld is that you can manage firewall architecture without restarting or stopping service unlike iptables, where you should reload or restart the service.

 

Returning to Iptables

Some people prefer iptables firewall over Firewalld, you can return to iptables easily.

First, disable Firewalld:

Then install iptables:

Now you can start iptables service:

Finally, reboot your system.

 

Restricting the Compilers

The attacker might compile the exploits on his machine and upload it to the victim server without the need to the compilers, but anyway, it’s preferable to restrict the compilers if you don’t use them in production as most modern hosting panels do.

First, get a list of all binaries from packages, then set the permission for them.

$ rpm -q --filesbypkg gcc | grep 'bin'

linux security restrict compilers

Create a new group:

$ groupadd compilerGroup

Then change the group of the compiler binaries like this:

$ chown root:compilerGroup /usr/bin/gcc

And one last important thing is to change the permission of this binary to be only the compilers group.

$ chmod 0750 /usr/bin/gcc

Now, any user tries to use gcc will see permission denied message.

 

Awesome Immutable Files (Prevent File Modification)

Immutable files cannot be overwritten by any user, even root. He can’t modify it or delete it unless he removes the immutable bit from it and root user only can do this.

You can say that this feature protects you as root from any mistakes that can damage or harm your system. Awesome!!

You can protect configuration files or any file you want.

To make any file immutable, use the chattr command.

$ chattr +i /myscript

linux security immutable files

You can remove immutable attribute like this:

$ chattr -i /myscript

linux security remove immutalbe flag

You can protect any files in your system the same way, but keep in mind that, if you do this to the system binaries, you can’t update them unless you remove the immutable bit.

I will leave the rest of the examples about using immutable files to your imagination.

 

Managing SELinux with aureport

It is a common thing if you are using hosting control panels, you will find SELinux disabled.

Disabling SELinux will leave the system exposed. I agree, but SELinux has some complexity, but you can make your life easier if you manage it using aureport.

The aureport utility is developed to create tabular reports for audit log files.

$ aureport --avc

linux security aureport

You can create a list of executable files like this:

$ aureport -x

linux security aureport -x

You can use aureport to generate a full authentication report.

$ aureport -au -i

linux security aureport -au

Or you can list the failed authentication events.

$ aureport -au --summary -i --failed

linux security aureport failed summery

Or maybe a summary of successful authentication events.

linux security aureport success summery

Awesome!!

aureport tool makes working with SELinux pretty easy.

 

Using sealert Tool

In addition to aureport tool, you can use a good Linux security tool called sealert, you can install it with this command:

$ yum install setools

Now we have a tool that will actively return announcements from  /var/log/audit/audit.log  file and gives us something readable about SELinux problems.

You can use it like this:

$ sealert -a /var/log/audit/audit.log

linux security sealert -a

The best thing about the generated report is at the end of each alert if found, you will find how to resolve the problem.

In this post we’ve covered just some of the Linux security tricks that can help you harden your system, However, there are a lot of Linux security tricks for many running services that need hardening.

I hope you found the post useful and interesting.

Thank you.

  • Jouni Järvinen

    SSH’s DNS runs delay, and maybe even block SSH connections when the run takes too long for any reason. That’s the main reason I disable it, but I also switch from pw to key pair with very high bit size, which makes SSH intrusion impossible.

    • key pair login is very good option

      • Jouni Järvinen

        Normally the only option.

        • With two factor authentication life become easier.

  • Pingback: Linux security | Infrastructure:land()

  • Jared

    NIST has issued new guidelines that discourage frequent password expiration. If someone has to change their password often, they’ll choose less secure passwords that follow a predictable pattern
    https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

    • That should be done with password restrictions. so only complicated passwords are accepted

    • Jouni Järvinen

      Pw changing is impossible for some. It took me 15 years to make my current best pw !

      • No the system will enforce you to change it, otherwise you can’t login to the system.
        also you will be enforced to enter strong password.

        • Jouni Järvinen

          Inability to produce strong passwords doesn’t mean anything … ?

          • Sorry didn’t got your point.

            what do you mean by Inability to produce strong passwords?

  • Halim Ben

    Im glad to be one of your followers

    • Thanks for the warm feelings.

      Honor to me.