Linux kernel creator Linus Torvalds shared his views on system security at the LinuxCon conference in 2015. He stressed the need to mitigate the effect of inevitable bugs with competent, layered protection, so that if one component fails, the next layer covers the problem.
In this article we approach this topic from a practical point of view:

- We start with recommendations for choosing and installing a Linux distribution, and the settings to make beforehand;
- then we cover a simple and effective protection measure, automatic security updates;
- next we look at how to configure restrictions for programs and users;
- how to secure the connection to the server via SSH;
- we give examples of setting up a firewall and restricting unwanted traffic;
- in the final part we explain how to disable unnecessary programs and services and how to additionally protect servers from intruders.
1. Set up a preboot environment before installing Linux
You need to take care of system security before installing Linux. Here is a set of firmware settings that should be applied before the operating system is installed:
- Boot in UEFI mode (not legacy BIOS; see the distribution requirements below)
- Set a password for the UEFI setup
- Enable Secure Boot
- Set a UEFI-level password to boot the system
2. Choose a suitable Linux distribution
Most likely you will choose a popular distribution: Fedora, Ubuntu, Arch, Debian, or a close derivative. In any case, make sure the following features are present:
- Mandatory Access Control (MAC) and Role-Based Access Control (RBAC) support: SELinux / AppArmor / grsecurity
- Published security bulletins
- Regular security updates
- Cryptographic verification of packages
- UEFI and Secure Boot support
- Native full-disk encryption support
Recommendations for installing distributions
All distributions are different, but there are points you should definitely pay attention to and carry out:
- Use full disk encryption (LUKS) with a strong passphrase.
- Swap must be encrypted as well.
- Set a password for editing the bootloader.
- Use a strong root password.
- Work from an unprivileged account that belongs to the administrators group.
- Set a strong password for that user, different from the root password.
3. Configure Automatic Security Updates
One of the main ways to keep your operating system safe is to update the software. Updates fix known bugs and critical vulnerabilities.
In the case of server systems there is a risk of failures during an upgrade, but in our opinion the problems can be minimized by automatically installing only security updates.
Automatic updates only cover packages installed from repositories, not self-compiled software:
- In Debian / Ubuntu, the unattended-upgrades package handles this.
- On CentOS, automatic updates use yum-cron.
- Fedora has dnf-automatic for this purpose.
To upgrade manually, use the distribution's package manager:
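As an added example (not from the original article), the following shell function writes the two apt configuration files that make unattended-upgrades on Debian / Ubuntu install only security updates. The target directory is an argument so it can be tried on a temporary directory; on a real server the files belong in /etc/apt/apt.conf.d.

```shell
#!/bin/sh
# Added example: security-only automatic updates via unattended-upgrades.
# The directory is a parameter; on a server pass /etc/apt/apt.conf.d.

write_security_only_autoupdate() {
    dir=$1
    # Refresh package lists and run the unattended-upgrade job once a day.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # Allow only the security pocket as an origin. The regular
    # "-updates" pocket is deliberately absent, so ordinary updates are
    # left for a planned, manual upgrade.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
// Mail a report to root so failed or applied updates are noticed.
Unattended-Upgrade::Mail "root";
// Never reboot a server on its own; schedule reboots yourself.
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Return 0 when a config directory allows the security origin and
# does not allow the regular updates origin, 1 otherwise.
security_only() {
    cfg=$1/50unattended-upgrades
    grep -q -- '-security"' "$cfg" && ! grep -q -- '-updates"' "$cfg"
}

# Demonstration on a temporary directory (constructed, not a live system).
DEMO_DIR=$(mktemp -d)
write_security_only_autoupdate "$DEMO_DIR"
if security_only "$DEMO_DIR"; then
    echo "unattended-upgrades in $DEMO_DIR is restricted to security updates"
fi
```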
yum update
or
apt-get update && apt-get upgrade
Linux can also be configured to send e-mail alerts about new updates.
In addition, the Linux kernel has security extensions, for example SELinux, that help protect the system from misconfigured or dangerous programs.
SELinux is a flexible access control system that works alongside the standard file permissions. Running programs access files, sockets and other processes, and SELinux imposes restrictions so that a compromised or malicious application cannot damage the system.
4. Restrict access to external systems
The next protective measure after updating is to restrict access to network services. To do this, edit the files /etc/hosts.allow and /etc/hosts.deny.
Here is an example of how to restrict access to telnet and ftp:
In the /etc/hosts.allow file:
in.telnetd: 123.12.41., 126.27.18., .mydomain.name, .another.name
in.ftpd: 123.12.41., 126.27.18., .mydomain.name, .another.name
The example above allows telnet and ftp connections from any host in the networks 123.12.41.* and 126.27.18.*, as well as from hosts in the domains mydomain.name and another.name.
Next in the /etc/hosts.deny file:
in.telnetd: ALL
in.ftpd: ALL
Add a user with limited rights
We do not recommend connecting to the server as root: root may execute any command, including ones critical for the system. It is therefore better to create a user with limited rights and work through that account. Administration can be done through sudo (substitute user and do), a temporary elevation of rights to administrator level.
How to create a new user:
In Debian and Ubuntu:
Create a user, replacing administrator with the desired name, and enter the password when prompted. The password characters are not displayed on the command line:
adduser administrator
Add a user to the sudo group:
adduser administrator sudo
Now you can use the sudo prefix when executing commands that require administrative rights, for example:
sudo apt-get install htop
On CentOS and Fedora:
Create a user, replacing administrator with the desired name, and set a password for the account:
useradd administrator && passwd administrator
Add the user to the wheel group to grant sudo rights:
usermod -aG wheel administrator
Use only strong passwords: at least 8 characters mixing upper and lower case letters, digits and special characters. To find weak passwords among your server's users, use utilities such as John the Ripper, and configure the pam_cracklib.so module to enforce password strength.
Set the password aging policy with the chage command (here: maximum age 60 days, at least 7 days between changes, warning 7 days in advance):
chage -M 60 -m 7 -W 7 administrator
You can disable password aging with the following command:
chage -M 99999 administrator
Find out when a user's password expires:
chage -l administrator
You can also edit the fields in the /etc/shadow file directly:
{username}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
Where:
- Minimum_days: the minimum number of days allowed between password changes.
- Maximum_days: the maximum number of days the password stays valid.
- Warn: the number of days before expiration on which the user starts receiving warnings about the upcoming change.
- Expire: the exact date on which the login expires.
It is also worth limiting the reuse of old passwords in the pam_unix.so module and setting a limit on the number of failed login attempts.
To see the number of failed login attempts:
faillog
To reset the counter and unlock an account after failed logins:
faillog -r -u administrator
To lock and unlock accounts, use the passwd command:
passwd -l administrator    (lock the account)
passwd -u administrator    (unlock the account)
To make sure that all users have passwords, use the command:
awk -F: '($2 == "") {print}' /etc/shadow
Lock users without passwords:
passwd -l username
Make sure that UID 0 is assigned only to the root account. Enter this command to list all users with UID 0:
awk -F: '($3 == "0") {print}' /etc/passwd
You should only see:
root:x:0:0:root:/root:/bin/bash
If other lines appear, check whether those accounts were deliberately given UID 0 and remove any that should not have it.
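The two checks above (empty password fields and extra UID 0 accounts) combined into one script, as an added example that is not part of the original article. It runs against constructed copies of /etc/passwd and /etc/shadow; on a server pass the real files instead.

```shell
#!/bin/sh
# Added example: audit passwd/shadow for accounts without a password and
# for UID 0 accounts other than root. Sample files are constructed below.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
administrator:x:1000:1000::/home/administrator:/bin/bash
oper2:x:0:0::/root:/bin/bash
svc:x:999:999::/var/lib/svc:/usr/sbin/nologin
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$constructedhash:19000:0:99999:7:::
administrator::19000:7:60:7:::
oper2:!:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
EOF

# Print every login name other than root whose UID field is 0.
extra_uid0() {
    awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$1"
}

# Print every login name whose password field in shadow is empty
# (a locked "!" or "*" entry is fine; only an empty field is a problem).
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Run both checks; return 1 if anything was found so cron can alert on it.
audit_accounts() {
    found=0
    for u in $(extra_uid0 "$1"); do
        echo "UID 0 account that is not root: $u"; found=1
    done
    for u in $(empty_passwords "$2"); do
        echo "account without a password, lock it with: passwd -l $u"; found=1
    done
    return $found
}

if audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"; then
    echo "no account problems found"
fi
```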
5. Set permissions for users
After setting passwords, make sure every user has access appropriate to their role and responsibilities. In Linux, permissions are set on files and directories, which makes it possible to create and control different levels of access for different users.
Access categories
Linux is a multi-user system, so each file belongs to one specific user. Even if the server is administered by one person, several accounts exist for different programs.
You can view users in the system with the command:
cat /etc/passwd
The /etc/passwd file contains one line per user of the operating system. Services and applications may have their own users, which are also present in this file.
In addition to individual accounts, there is a category of access for groups. Each file belongs to one group. One user can belong to several groups.
You can view the groups your account belongs to with the command:
groups
List all groups in the system, where the first field indicates the name of the group:
cat /etc/group
The "other" category applies to users who are neither the file's owner nor members of its group.
Types of access
For each category of users, access types can be set: the rights to execute, read and modify the file. Linux represents access types in two notations, symbolic and octal.
In symbolic notation, permissions are marked with letters:
r = read
w = write
x = execute
In octal notation, the access level is a digit from 0 to 7, where 0 means no access and 7 means full access (read, write and execute); the digit is the sum of:
4 = read
2 = write
1 = execute
6. Use keys to connect over SSH
To connect to a host via SSH, password authentication is usually used. We recommend a more secure method: a pair of cryptographic keys. The private key then takes the place of the password, which makes brute-force guessing impractical.
First, create a key pair. These steps are performed on the local computer, not on the remote server. While creating the keys you can specify a passphrase to protect them. If you leave this field empty, you will not be able to use the generated keys until they are saved in the computer's keychain manager.
If you have already created RSA keys before, skip the generation command. To check for existing keys, run:
ls ~/.ssh/id_rsa*
To generate new keys:
ssh-keygen -b 4096
Upload the public key to the server
Replace administrator with the name of the key owner and 1.1.1.1 with the IP address of your server. From the local computer, type:
ssh-copy-id administrator@1.1.1.1
To check, disconnect and reconnect to the server: the login should now use the generated keys.
SSH setup
You can prohibit SSH logins as root and use sudo in front of commands that need administrator rights. On the server, in the /etc/ssh/sshd_config file, find the PermitRootLogin parameter and set it to no.
You can also disable SSH password authentication so that all users must use keys. In /etc/ssh/sshd_config, set the PasswordAuthentication parameter to no. If the line is missing or commented out, add or uncomment it.
In Debian or Ubuntu, you can enter:
nano /etc/ssh/sshd_config
...
PasswordAuthentication no
The connection can additionally be secured with two-factor authentication.
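A check for the two sshd_config settings recommended above, as an added example that is not part of the original article. It follows sshd's parsing rules (keywords are case-insensitive, the first uncommented occurrence wins) and runs against a constructed sample config; Match blocks are not handled.

```shell
#!/bin/sh
# Added example: verify PermitRootLogin and PasswordAuthentication in an
# sshd_config. The sample below is constructed; on a server pass
# /etc/ssh/sshd_config. Here root login is off, but the password line is
# commented out, so the keyword is effectively not set.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sshd_config sample
Port 22
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Print the effective value of a keyword: the first uncommented occurrence
# wins, case-insensitively; print the given fallback when it is absent.
sshd_setting() {
    config=$1; keyword=$2; fallback=$3
    value=$(awk -v k="$keyword" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }' "$config")
    echo "${value:-$fallback}"
}

# Return 0 when both hardening settings are explicitly "no", 1 otherwise,
# naming each setting that still needs attention.
sshd_hardened() {
    ok=0
    [ "$(sshd_setting "$1" PermitRootLogin unset)" = "no" ] ||
        { echo "PermitRootLogin is not set to no"; ok=1; }
    [ "$(sshd_setting "$1" PasswordAuthentication unset)" = "no" ] ||
        { echo "PasswordAuthentication is not set to no"; ok=1; }
    return $ok
}

if sshd_hardened "$SAMPLE_CONFIG"; then
    echo "sshd_config is hardened"
else
    echo "fix the settings above, then reload sshd"
fi
```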
7. Install firewalls
Recently a new vulnerability was discovered that allows DDoS attacks against servers running Linux. The bug appeared in the kernel with version 3.6 at the end of 2012. It allows attackers to inject malware into file downloads and web pages and to expose Tor connections, and exploiting it takes little effort: IP spoofing is enough.
For encrypted HTTPS or SSH connections the worst case is that the connection is interrupted, but into unprotected traffic an attacker can insert new content, including malicious programs. A firewall is a suitable protection against such attacks.
Block access using a firewall
A firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend allowing only the traffic that is really needed and denying everything else.
For packet filtering, most Linux distributions include iptables. It is usually used by experienced administrators; for simplified configuration, use UFW on Debian / Ubuntu or FirewallD on Fedora.
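The default-deny policy recommended above, written out as an iptables ruleset in iptables-restore format. This is an added example, not from the original article; the SSH port and output path are parameters so it can be generated into a temporary file and reviewed before loading with iptables-restore.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset. Only loopback,
# established connections, SSH (rate-limited), HTTP/HTTPS and ping are
# accepted inbound; everything else is dropped.
write_firewall_rules() {
    out=$1; ssh_port=${2:-22}
    cat > "$out" <<EOF
*filter
# Default policies: drop inbound and forwarded traffic, allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is needed by local services.
-A INPUT -i lo -j ACCEPT
# Replies to connections the server itself started.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that do not belong to any tracked connection.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: more than 5 new connections per minute from one source are dropped,
# which slows down password guessing without locking anyone out for long.
-A INPUT -p tcp --dport $ssh_port --syn -m recent --name ssh --set
-A INPUT -p tcp --dport $ssh_port --syn -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
# Web traffic.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping so monitoring keeps working; other ICMP falls to the DROP policy.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT rules in a generated file, for a quick sanity check.
count_accept_rules() {
    grep -c -- '-j ACCEPT' "$1"
}

# Write to a temporary file for review. On a server, after reviewing:
#   iptables-restore < rules.v4
RULES_FILE=$(mktemp)
write_firewall_rules "$RULES_FILE" 22
echo "wrote $(count_accept_rules "$RULES_FILE") accept rules to $RULES_FILE"
```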
8. Disable unnecessary services.
Specialists from the University of Virginia recommend disabling all services you do not use. Some background processes are started automatically and run until the system is shut down. To configure them you need to check the initialization scripts. Services may be started through inetd or xinetd.
If your system uses inetd, the list of background programs (daemons) is in /etc/inetd.conf; to stop a service from being loaded, put a "#" at the beginning of its line, turning it into a comment.
If the system uses xinetd, its configuration is in the /etc/xinetd.d directory. Each file there defines a service, which can be disabled with disable = yes, as in this example:
service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}
Also check the persistent processes that are not managed by inetd or xinetd. Their startup scripts are in /etc/init.d and the /etc/inittab file. After making changes, run the following command as root:
/etc/rc.d/init.d/inet restart
9. Protect the server physically
It is impossible to fully defend against an attacker with physical access to the server, so the room where the system is located must be secured. Data centers take this seriously: they restrict access to servers, install security cameras and assign permanent security staff.
All visitors must pass several stages of authentication to enter the data center. Motion sensors in all rooms of the center are also strongly recommended.
10. Protect the server from unauthorized access
An intrusion detection system (IDS) collects data about the system configuration and files and then compares it with subsequent changes to determine whether they are harmful.
For example, the Tripwire and AIDE tools build a database of system files and protect it with a set of keys. Psad monitors suspicious activity using firewall logs.
Bro is designed to monitor the network, track suspicious activity patterns, collect statistics, execute system commands and generate alerts. RKHunter can be used to protect against malware, most often rootkits: it scans the system for known threats and can flag unsafe settings in applications.
Conclusion
The tools and settings above will only partly protect the system; security ultimately depends on your behaviour and understanding of the situation. Without care, caution and constant learning, all protective measures may fail.