Securing Linux server is very important to protect your data, intellectual property from the hands of crackers (hackers). The system administrator is responsible for security of the Linux box. In this blog we will go through important tips for hardening a Linux server.
Note: In this blog we are targeting specifically CentOS & RHEL Linux Operating system but same concept can be applied to other Linux/Unix flavors as well.
Always keep system updated with latest releases patches, security fixes and kernel when it’s available. Applying security patches is an important part of maintaining Linux server and Linux provides all necessary tools to keep your system updated.
# yum updates
# yum check-update
For best practices you must protect Linux servers physical console access. Configure the BIOS to disable booting from CD/DVD, External Devices, Floppy Drive in BIOS. Next, enable BIOSpassword & also protect GRUB with password to restrict physical access of your system.
Use secure medium to transfer files like scp, sftp etc.. and delete other services like ftp, telnet etc..
# yum erase xinetd ypserv tftp-server telnet-server rsh-server
It is important to delete unnecessary package to minimize vulnerability.
# yum list installed
# yum list packageName
# yum remove packageName
Disable all unnecessary services and daemons (services that runs in the background).
# chkconfig –list | grep ‘3:on’
To disable service, enter:
# service serviceName stop
# chkconfig serviceName off
With the help of ‘netstat‘ networking command you can view all open ports and associated programs. As I said above use ‘chkconfig‘ command to disable all unwanted network services from the system.
# netstat -tulpn
OR use the ss command as follows:
$ ss -tulpn
OR
nmap -sT -O localhost
nmap -sT -O server.example.com
Security-Enhanced Linux (SELinux) is a compulsory access control security mechanism provided in the kernel. Disabling SELinux means removing security mechanism from the system.
You can view current status of SELinux mode from the command line using ‘system-config-selinux‘, ‘getenforce‘ or ‘sestatus‘ commands.
# sestatus
If it is disabled, enable SELinux using the following command.
# setenforce enforcing
It also can be managed from ‘/etc/selinux/config‘ file, where you can enable or disable it.
If you’re not using a IPv6 protocol, then you should disable it
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no
For best practices it is recommended to enable and configure server firewall to allow only specific ports that are required and block all the remaining ports.
# service iptables start
Linux kernel and its related files are in /boot directory which is by default as read-write. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open “/etc/fstab” file.
# vi /etc/fstab
Add the following line at the bottom, save and close it.
LABEL=/boot /boot ext2 defaults,ro 1 2
Please note that you need to reset the change to read-write if you need to upgrade the kernel in future.
Add following line in “/etc/sysctl.conf” file to ignore ping or broadcast request.
Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1
Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Load new settings or changes, by running following command
#sysctl -p
In a production system, it is necessary to take important files backup and keep them in safety vault, remote site or offsite for Disasters recovery.
You must make sure all accounts have strong passwords and no one has any authorized access. Empty password accounts are security risks and that can be easily hackable.
# cat /etc/shadow | awk -F: ‘($2==””){print $1}’
If you are dealing with lots of users, then it’s important to collect the information of each user activities and processes consumed by them and analyse them at a later time or in case if any kind of performance, security issues
Monitor User Activity with psacct or acct Commands
In most Linux distributions, pressing ‘CTRL-ALT-DELETE’ will takes your system to reboot process. So, it’s not a good idea to have this option enabled at least on production servers, if someone by mistakenly does this.
# Trap CTRL-ALT-DELETE
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
A number of users use soft or weak passwords and their password might be hacked with a dictionary based or brute-force attacks. The ‘pam_cracklib‘ module is available in PAM (Pluggable Authentication Modules) module stack which will force user to set strong passwords. Open the following file with an editor.
# vi /etc/pam.d/system-auth
And add line using credit parameters as (lcredit, ucredit, dcredit and/or ocredit respectively lower-case, upper-case, digit and other)
/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
X Windows on server is not required. There is no reason to run X Windows on your dedicated server. You can remove or disable them to increase security of server and performance.
yum groupremove “X Window System”
On CentOS 7/RHEL 7 server use the following commands:
# yum group remove “GNOME Desktop”
# yum group remove “KDE Plasma Workspaces”
# yum group remove “Server with GUI”
# yum group remove “MATE Desktop”
Anyone can modify world-writable file resulting into a security issue. Use the following command to find all world writable and sticky bits set files:
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
You need to investigate each reported file and either set correct user and group permission or remove it.
Files not owned by any user or group can pose a security problem. Just find them with the following command which do not belong to a valid user and a valid group
find /dir -xdev \( -nouser -o -nogroup \) -print
You need to investigate each reported file and either assign it to an appropriate user and group or remove it.
USA408 365 4638
1301 Shoreway Road, Suite 160,
Belmont, CA 94002
Whether you are a large enterprise looking to augment your teams with experts resources or an SME looking to scale your business or a startup looking to build something.
We are your digital growth partner.
Tel:
+1 408 365 4638
Support:
+1 (408) 512 1812
COMMENTS (0)
Tweet