Do vulnerabilities for Linux systems exist? Yes, they do. Therefore, we must do everything that we can to make our systems as safe as possible.
The fact is that it is challenging to get up to date with security vulnerabilities and threats. System patch updates, server, and network hardening are the most crucial factors to prevent security threats. Hardening Linux servers and network devices are important to reduce IT vulnerabilities and protect from a system compromise.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related Linux system security queries.
In this context, we shall look into the best practices used for Linux server hardening.
It's necessary to keep your system up to date. There might be security patch updates for vulnerable components. Run the following command to update the system:
$ yum update -y
Most of the Linux server comes with a firewalld package installed. Make sure that the firewalld is running in the system. In the Linux system, firewall-cmd command-line utility tool can be used to configure the firewall rules.
To Start and enable firewall service, run the below commands:
$ systemctl start firewalld
$ systemctl enable firewalld
To add specific services and ports, use the following syntax:
$ firewall-cmd --add-service=http --permanent (Allow http service)
$ firewall-cmd --add-port=8000/tcp --permanent (Allow specific port)
To reflect the changes, reload the firewall:
$ firewall-cmd --reload
In a Linux system, USB storage can be restricted by creating a configuration files under /etc/modprobe.d/ directory.
To Create a configuration file, run the below commands:
$ touch /etc/modprobe.d/usb_block.conf
$ echo “install usb-storage /bin/false” > /etc/modprobe.d/usb_block.conf
Some users and groups are already added to the system by default which is not needed. Remove such users and groups by running the below command:
$ userdel postfix
$ groupdel postfix
$ userdel games
$ groupdel games
You can also Search for such users and groups and delete if not needed.
Some packages are already installed by default in the Linux system. For instance, postfix comes by default, and service starts up when the system is up. Identity such services and remove them:
$ yum remove postfix -y
In the Linux machine, the password policy is specified in the /etc/login.defs file. Make changes in the password policy parameters as follows:
To prevent unauthorized ssh access and attacks, make the following changes in /etc/ssh/sshd_config file:
# Set the custom ssh port
# Prevent from root login
# Restrict Empty password
# Restrict host-based authentications
# Use ssh protocol 2
# Disable tools that have GUI
To Check the configuration using the following command:
$ sshd -t
To Restart ssh service, simply execute the command:
$ systemctl restart sshd
Some files require umask hardening:
$ sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/profile
$ sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/csh.cshrc
$ sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/init.d/functions
$ sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/bashrc
Core dump stores information of an executable program. It can be used to determine why the program was aborted. Core dump also can be used to retrieve confidential information from a core file. Use the following command to disable core dump:
$ echo “* hard core 0” >>/etc/security/limits.conf
The use of security tools makes it easy to identify system glitches. One of the free and open source tools is lynis which can be used to perform a regular audit of the system. Any findings are shown on the screen and also stored in the log file.
To Install the tool, execute the below commands:
$ yum install epel-release -y
$ yum install lynis
To Audit the system using the command below:
$ lynis audit system
There will be suggestions and warning results stored in the log file. Run the following command to see the result and solve accordingly:
$ grep Suggestion /var/log/lynis.log
$ grep Warning /var/log/lynis.log
Utilities like rkhunter and chkrootkit can be used to detect known and unknown backdoors and rootkits. They verify installed packages and configurations to verify system’s security. To install execute:
$ sudo apt-get install rkhunter -y
To scan your system, run:
$ sudo rkhunter --check
Install software as minimum as possible to maintain small attack surface. The more software you have, the more chances of attacks you have. So remove any unneeded software from your system. To see installed packages, run:
$ dpkg --list
$ dpkg --info
$ apt-get list [PACKAGE_NAME]
To remove a package, execute:
$ sudo apt-get remove [PACKAGE_NAME] -y
$ sudo apt-get clean
This article covers some best practices to harden Linux systems. In fact, Securing your Linux server(s) is a difficult and time consuming task for System Administrators but its necessary to harden the server’s security to keep it safe from Attackers and Black Hat Hackers. You can secure your server by configuring the system properly and installing as minimum software as possible.