Linux server hardening

For today’s computing platforms, ease of access and openness are essential for web-based communications and for IT management teams with limited resources.

This is directly at odds with the growing need for comprehensive security measures in a world full of malware, hacking threats, and potential data thieves.

Most organizations will adopt a layered security strategy, deploying as many protection measures for their IT infrastructure as are available (firewalls, sandboxes, IPS and IDS, antivirus), but the most secure computing environments are those with a security posture built in “from scratch”.

If the data does not need to be stored on the Linux web server for the public, remove it entirely; if the data is not there, it cannot be compromised.

If a user does not need access to certain systems or parts of the network, for example the segment where your secure Ubuntu farm sits, revoke their privileges to reach them; stealing data requires access to the systems that hold it, so keep people away from it in the first place.

Likewise, if your CentOS server doesn’t need FTP or web services, disable or remove them. You reduce the potential vectors of security breaches each time you reduce the means of access.

Simply put, you need to harden your Linux servers.

Linux hardening policy background

The beauty of Linux is that it is so accessible and available for free that it is easy to get up and running with very little training or knowledge. The web-based support community posts all the tips and tutorials you will need to carry out any Linux setup or troubleshooting tasks you may experience.

Finding and interpreting the right hardening checklist for your Linux hosts can still be a challenge, so this guide provides you with a concise checklist to work with, covering the highest priority hardening measures for a typical Linux server.

Account Policies

  • Enforce password history – 365 days
  • Maximum password age – 42 days
  • Minimum password length – 8 characters
  • Password complexity – Enable
  • Duration of account lockout – 30 minutes
  • Account lockout threshold – 5 attempts
  • Reset Account Lockout Counter – 30 minutes

Edit /etc/pam.d/common-password to define the password policy parameters for your host.

Access security

  • Make sure SSH version 2 is in use
  • Disable remote root logins
  • Enable AllowGroups only for allowed group names
  • Allow access only to valid devices
  • Restrict the number of concurrent root sessions to just 1 or 2

Edit sshd_config to define the SSHD policy parameters for your host, and /etc/hosts.allow and /etc/hosts.deny to control access. Use /etc/securetty to restrict root console logins to tty1, or tty1 and tty2, only.
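An added example (not from the article) that audits the checklist above against a constructed sshd_config and limits.conf; the file names, the group name sshadmins and the maxlogins cap of 2 are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config and a
# limits.conf against the Access security checklist above. The sample
# files are constructed inline so the script runs without a real host.

# Effective value of a directive: sshd honours the first uncommented match.
conf_val() { awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"; }

fail() { echo "FAIL: $1"; FAILS=$((FAILS + 1)); }

# check_access SSHD_CONFIG LIMITS_CONF
# Prints one line per failed check and sets FAILS; returns 1 if anything failed.
check_access() {
    FAILS=0
    proto=$(conf_val "$1" Protocol)
    # Current OpenSSH only speaks SSH-2; an explicit "2,1" or "1" is the risk.
    case "$proto" in *1*) fail "Protocol permits SSH-1 ($proto)" ;; esac
    [ "$(conf_val "$1" PermitRootLogin)" = "no" ] || fail "PermitRootLogin is not 'no'"
    [ -n "$(conf_val "$1" AllowGroups)" ] || fail "AllowGroups is not set"
    # Concurrent root logins are capped by pam_limits (limits.conf), not by sshd:
    #   root hard maxlogins 2
    n=$(awk '$1 == "root" && $2 == "hard" && $3 == "maxlogins" { print $4 }' "$2")
    { [ -n "$n" ] && [ "$n" -le 2 ]; } || fail "root maxlogins is not limited to 1 or 2"
    [ "$FAILS" -eq 0 ]
}

# Constructed sample: a permissive sshd_config and an empty limits.conf.
WEAK_SSHD=$(mktemp); WEAK_LIMITS=$(mktemp)
cat >"$WEAK_SSHD" <<'EOF'
#PermitRootLogin no
Protocol 2,1
PermitRootLogin yes
EOF
: >"$WEAK_LIMITS"

# Constructed sample: the same files after applying the checklist.
HARD_SSHD=$(mktemp); HARD_LIMITS=$(mktemp)
cat >"$HARD_SSHD" <<'EOF'
Protocol 2
PermitRootLogin no
AllowGroups sshadmins
EOF
printf 'root hard maxlogins 2\n' >"$HARD_LIMITS"

check_access "$WEAK_SSHD" "$WEAK_LIMITS" || echo "weak config: $FAILS failure(s)"   # 4
check_access "$HARD_SSHD" "$HARD_LIMITS" && echo "hardened config: all checks passed"
```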

Safe boot only

Remove the options to boot from CDs or USB devices and password protect the computer to prevent the BIOS options from being edited.

Password protect the /boot/grub/menu.lst file, then delete the boot into rescue mode entry.

Disable all unnecessary processes, services, and daemons

Each system is unique, so it is important to review what processes and services are unnecessary for your server to run your applications.

Evaluate your server by running the ps -ax command and see what is currently running.

Similarly, evaluate the start state of all services by running chkconfig --list.

Disable any unnecessary services using sysv-rc-conf <service name> off.

Restrict permissions on sensitive files and folders to root only

Make sure the following sensitive files and programs are accessible or executable only by root:

  • /etc/fstab
  • /etc/passwd
  • /bin/ping
  • /usr/bin/who
  • /usr/bin/w
  • /usr/bin/locate
  • /usr/bin/whereis
  • /sbin/ifconfig
  • /bin/nano
  • /usr/bin/vi
  • /usr/bin/what
  • /usr/bin/gcc
  • /usr/bin/make
  • /usr/bin/apt-get
  • /usr/bin/aptitude

Make sure the following folders are writable by root only:

  • /etc
  • /usr/etc
  • /bin
  • /usr/bin
  • /sbin
  • /usr/sbin
  • /tmp
  • /var/tmp

Disable SUID and SGID binaries

Identify the SUID and SGID files on the system: find / \( -perm -4000 -o -perm -2000 \) -print

Render these files safe by removing the SUID or SGID bits with chmod -s filename.
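An added example (not from the article) that runs the find above on a constructed directory tree and strips the bits only from files absent from an approved baseline, since binaries such as su, sudo, passwd and ping legitimately need theirs; the tree, the baseline file and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: enumerate SUID/SGID files under a
# directory and strip the bits only from files that are not on an approved
# baseline. It is exercised on a constructed directory tree, not a live host.

# list_setid DIR: every regular file under DIR with the SUID or SGID bit set.
list_setid() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort; }

# count_setid DIR: number of such files (awk avoids wc's padded output).
count_setid() { list_setid "$1" | awk 'END { print NR }'; }

# strip_unexpected DIR BASELINE: remove SUID/SGID from files whose basename
# is not listed in BASELINE (one name per line). Sets STRIPPED to the count.
strip_unexpected() {
    STRIPPED=0
    tmp=$(mktemp); list_setid "$1" >"$tmp"
    while read -r path; do
        if grep -qx "$(basename "$path")" "$2"; then
            echo "kept (baseline): $path"
        else
            chmod u-s,g-s "$path" && echo "stripped: $path"
            STRIPPED=$((STRIPPED + 1))
        fi
    done <"$tmp"
    rm -f "$tmp"
}

# Constructed tree: one approved SUID binary, two unexpected set-id files,
# one ordinary executable.
ROOT=$(mktemp -d); mkdir -p "$ROOT/bin" "$ROOT/opt"
for f in bin/passwd opt/legacy-tool opt/report opt/plain; do
    printf '#!/bin/sh\n' >"$ROOT/$f"
done
chmod 4755 "$ROOT/bin/passwd" "$ROOT/opt/legacy-tool"
chmod 2755 "$ROOT/opt/report"
chmod 0755 "$ROOT/opt/plain"
BASELINE=$(mktemp); printf 'passwd\n' >"$BASELINE"

echo "set-id files before: $(count_setid "$ROOT")"   # 3
strip_unexpected "$ROOT" "$BASELINE"
echo "set-id files after:  $(count_setid "$ROOT")"   # 1
```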

You should also restrict access to all compilers on the system by adding them to a new ‘compilers’ group:

  • chgrp compilers *cc*
  • chgrp compilers *++*
  • chgrp compilers ld
  • chgrp compilers as

Once added to the group, restrict permissions on each compiler with chmod 750.

Deploy regular or real-time FIM on sensitive files and folders

The integrity of all files and folders should be monitored to ensure that permissions and files do not change without approval.

Configure auditing on the Linux server

Make sure key security events are audited and forwarded to your syslog or SIEM server. Edit the syslog.conf file accordingly.

General hardening of kernel variables

Edit the /etc/sysctl.conf file to set all kernel variables to safe settings to avoid spoofing, sync flooding, and DOS attacks.
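An added example (not from the article) that checks a sysctl.conf fragment against a table of the anti-spoofing, SYN-flood and DoS settings this section refers to, and generates the hardened fragment from the same table; the chosen keys, values and sample fragments are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: check a sysctl.conf fragment against
# the anti-spoofing, SYN-flood and DoS settings this section refers to.
# The expected table and both sample fragments are constructed here.

# key, hardened value, and the threat each one addresses
EXPECTED='
net.ipv4.conf.all.rp_filter           1  # drop packets with spoofed source addresses
net.ipv4.conf.all.accept_source_route 0  # ignore source-routed packets
net.ipv4.conf.all.accept_redirects    0  # ignore ICMP redirects (route hijacking)
net.ipv4.conf.all.send_redirects      0  # this host is not a router
net.ipv4.tcp_syncookies               1  # keep accepting connections under a SYN flood
net.ipv4.icmp_echo_ignore_broadcasts  1  # no smurf amplification
net.ipv4.conf.all.log_martians        1  # log impossible addresses for the SIEM
'
# conf_value FILE KEY: value of "key = value"; the last occurrence wins, as with sysctl -p.
conf_value() {
    awk -F= -v k="$2" '/^[ \t]*$/ || /^[ \t]*[#;]/ { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == k { v = $2 }  END { print v }' "$1"
}
# check_sysctl FILE: one line per missing or wrong key; sets SYSCTL_FAILS, returns 1 on any.
check_sysctl() {
    SYSCTL_FAILS=0
    while read -r key want rest; do
        [ -n "$key" ] || continue
        have=$(conf_value "$1" "$key")
        [ "$have" = "$want" ] || { echo "FAIL: $key = '${have:-unset}', expected $want"
                                   SYSCTL_FAILS=$((SYSCTL_FAILS + 1)); }
    done <<EOF
$EXPECTED
EOF
    [ "$SYSCTL_FAILS" -eq 0 ]
}

# Constructed sample: leftovers on an unhardened host.
WEAK=$(mktemp)
printf 'net.ipv4.ip_forward = 0\nnet.ipv4.tcp_syncookies = 0\nnet.ipv4.conf.all.rp_filter = 1\n' >"$WEAK"
# Constructed sample: the fragment to drop into /etc/sysctl.conf, generated from the table.
HARD=$(mktemp)
awk 'NF >= 2 { print $1 " = " $2 }' >"$HARD" <<EOF
$EXPECTED
EOF

check_sysctl "$WEAK" || echo "weak fragment: $SYSCTL_FAILS setting(s) to fix"   # 6
check_sysctl "$HARD" && echo "hardened fragment: all settings present"
```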
