Linux Security

grsec

New Member
Rating - 0%
0   0   0
#1
Most people install Linux due to it's "security". Sure Linux is secure, but Linux is made for customization. Linux is very customizable .. This mean's that it's security is customizable as-well. Don't limit your security in Linux just because it's main purpose is "Security". I am going to show you how to secure your Linux system properly.

  • Restrict/ Disable root access

Let's say you don't want a user to able to log into a root account. You can disable the ability to have "root" privileges in your Linux system. To prevent users from logging in directly as root, a system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file. This prevents access to the root shell and logs any such attempts. You may be asking "How do I do this?". I'll show you exactly how. First, what is the /etc/passwd file? This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to their machine as root via Telnet, which transmits the password in plain text over the network. By default, it only allows the root user to log in at the console physically attached to the machine. To prevent the root user from logging in, remove the contents of this file by typing the following command at a shell prompt as a sudoer. Please that a blank /etc/securetty file does not prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication

PHP:
echo > /etc/securetty
Now that we've disabled root access, let's remove the option to log into root via SSH. This will disable root SSH login's which means if you try to connect to your server via SSH, it will not allow you connect using the user root. Now, to do this, you're going to want to edit the /etc/ssh/sshd_config file. You will find a ton of lines that are begun by a "#". These lines are commented and won't effect anything. We're going to want to find the line "#PermitRootLogin yes" and change it to "PermitRootLogin no". This will remove root login via SSH.


  • Passwords

Often, Linux machine users normally can change the password of their own account. A lot of users use weak passwords and their password might be cracked with a dictionary-, or brute-force attack. We're going to want to make sure this doesn't happen, to do so, we're going to want to use the PAM module(pam_cracklib). What this module will do is prevent the new password may not match the old password, the new password may not be the old password reversed neither the same password but in different case. PAM will also not allow weak passwords of any type (These check are also done by the module pam_unix if set to obscure). By default the user get one 'credit' for each type of character. Therefor the system might still accept a users password with less charaters then set in minlen if the user uses all types of characters. For example if you modify /etc/pam.d/system-auth

PHP:
password required pam_cracklib.so minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1
Now, this will set it to accept a password with a lenght of total 8 characters as 1 'credit' is give for at least 1 lower-case character, 1 'credit' for at least 1 upper-case character, 1 'credit' for at least 2 digits and 1 'credit' for 1 other. You can however disable the 'credits' but force the use of mixing characters/digits with a minimum length.

  • Securing SSH Logins

SSH or Secure Shell is considered to be the secure alternative to Telnet. Allowing you to log into your server remotely and/or transfer files through an encrypted tunnel, SSH is one of the most-used, critical pieces of software. This will require editing our sshd_config file again(as we did by removing sudoer access via SSH.). We're going to change the port number that is able to be connected to via SSH(This will prevent bruteforce attacks and other type of dictionary attacks.). To do so, we're going to want to nano into our sshd_config file.

PHP:
#Port 22 // Port number is basic SSH port number
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
Now, all these lines are default and are commented(as I stated in the sudoer part of this tutorial). We're going to want to change the line by removing the comment option(#) and change the port to whatever port that we wish to access our server with via SSH. Now that we press ctrl+x, y. We will need to execute the command "reboot". This will make the server go under a re-boot and will cause you to be able to connect to your server with your new and fresh SSH port number.

  • Remove unnecessary software

Disable all unnecessary services and daemons (services that runs in the background). You need to remove all unwanted services from the system start-up. Type the following command to list all services which are started at boot time in run level #3 then I follow this up with how to disable/remove a service that you may believe will interfere with your system remaining secure.

PHP:
chkconfig --list | grep '3:on
service serviceName stop
chkconfig serviceName off
  • Staying updated

Often, Linux is completely out of the patch management loop. With the focus on patching Windows, many network administrators forget about the Linux systems they have on their network. Don’t fall into this trap. Ongoing patching is perhaps the best thing you can do to enhance the security of your Linux systems and avoid those pesky hackers. Regardless of the Linux distribution you use, using a tool to assist in your patching efforts makes your job a lot easier(RPM, dpkg, pkgtool, YaST2).

  • System Logs

Built in to your policies should be a routine to check the system logs on your server. This task can be done manually or it can be automated which can save a lot of time on your part. syslogd(A system logging daemon) or klogd(A kernel logging daemon) are built into your Linux system. I recommend going over your logs from syslogd and klogd to make sure no unwanted people are on your system. If so, do the correct step on removing them. Also, make sure that only a root user has access to read/write/delete your log folder. If you've followed these steps, make the folder only readable which means you'd be able to read the folder being a normal user but you wouldn't have access to remove it unless you're root.
 
Rating - 0%
0   0   0
#6
Nice guide! This reminded me of the kids who download Linux to look like elite hackers, but then end up having the most absolutely putrid and insecure infrastructure.
 

Top