Linux Server Hardening Step by Step

Submitted by admin on Wed, 03/29/2017 - 13:59

1. Physical System Security

Configure the BIOS to disable booting from CD/DVD, External Devices, Floppy Drive in BIOS.

Next, enable BIOSpassword & also protect GRUB with password to restrict physical access of your system.

 

2. Disk Partitions

It’s important to have different partitions to obtain higher data security in case if any disaster happens. By creating different partitions, data can be separated and grouped. When an unexpected accident occurs, only data of that partition will be damaged, while the data on other partitions survived. Make sure you must have following separate partitions and sure that third party applications should be installed on separate file systems under /opt.

/

/boot

/usr

/var

/home

/tmp

/opt

3. Minimize Packages to Minimize Vulnerability

It’s recommended to avoid installing useless packages to avoid vulnerabilities in packages. This may minimize risk that compromise of one service may lead to compromise of other services.

Use chkconfig –list |grep '3:on' to find out which services are running on it

 

4. Check Listening Network Ports

With the help of ‘netstat‘ networking command you can view all open ports and associated programs. As I said above use ‘chkconfig‘ command to disable all unwanted network services from the system.

#netstat -tulpn

 

5. Use Secure Shell(SSH)

Never login directly as root unless necessary. Use “sudo” to execute commands. sudo are specified in/etc/sudoers file also can be edited with the “visudo” utility which opens in VI editor.

It’s also recommended to change default SSH 22 port number with some other higher level port number. Open the main SSH configuration file and make some following parameters to restrict users to access.

#vi /etc/ssh/sshd_config

  • Disable root Login

PermitRootLogin no

  • Only allow Specific Users

AllowUsers username

  • Use SSH Protocol 2 Version

Protocol 2

6. Keep System updated

Always keep system updated with latest releases patches, security fixes and kernel when it’s available.

# yum updates

#yum check-update

 

7. Lockdown Cronjobs

cron has it’s own built in feature, where it allows to specify who may, and who may not want to run jobs. This is controlled by the use of files called /etc/cron.allow and /etc/cron.deny. To lock a user using cron, simply add user names in cron.deny and to allow a user to run cron add in cron.allow file. If you would like to disable all users from using cron, add the ‘ALL‘ line to cron.deny file.

#echo ALL >>/etc/cron.deny

8. Disable USB stick to Detect

Create a file ‘/etc/modprobe.d/no-usb‘ and adding below line will not detect USB storage

Install usb-storage /bin/true

9. Turn on SELinux(genrally we should keep it desable)

#sestatus

#getenforce

#vi /etc/selinux/config

Change Enforcing to desable

10. Remove KDE/GNOME Desktops

There is no need to run X Window desktops like KDE or GNOME on your dedicated LAMP server. You can remove or disable them to increase security of server and performance. To disable simple open the file ‘/etc/inittab‘ and set run level to 3. If you wish to remove it completely from the system use the below command.

#yum groupremove "X Windows System"

11. Turn Off IPv6

We should desable ipv6 (currently most of company not migrated to ipv6)

#vi /etc/sysconfig/network

NETWORKING_IPV6=no

IPV6INIT=no

12. Restrict Users to Use Old Passwords

This is very useful if you want to disallow users to use same old passwords. The old password file is located at/etc/security/opasswd. This can be achieved by using PAM module.

Open ‘/etc/pam.d/system-auth‘ file under RHEL / CentOS / Fedora.

#vi /etc/pam.d/system-auth

Open ‘/etc/pam.d/common-password‘ file under Ubuntu/Debian/Linux Mint.

#vi /etc/pam.d/common-password

Add the following line to ‘auth‘ section.

auth sufficient pam_unix.so likeauth nullok

 

Add the following line to ‘password‘ section to disallow a user from re-using last 5 password of his or her.

 

password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5

Only last 5 passwords are remember by server. If you tried to use any of last 5 old passwords, you will get an error like.

 

Password has been already used. Choose another.

13. Set and check Password Expiration of User

In Linux, user’s passwords are stored in ‘/etc/shadow‘ file in encrypted format. To check password expiration of user’s, you need to use ‘chage‘ command. It displays information of password expiration details along with last password change date. These details are used by system to decide when a user must change his/her password.

To view any existing user’s aging information such as expiry date and time, use the following command.

#chage -l username

To change password aging of any user, use the following command.

 

#chage -M 60 username

#chage -M 60 -m 7 -W 7 userName

Parameters

  1. -M Set maximum number of days

  2. -m Set minimum number of days

  3. -W Set the number of days of warning

15. Enforcing Stronger Passwords

A number of users use soft or weak passwords and their password might be hacked with a dictionary based or brute-force attacks. The ‘pam_cracklib‘ module is available in PAM (Pluggable Authentication Modules) module stack which will force user to set strong passwords. Open the following file with an editor.

 

Read Also:

 

# vi /etc/pam.d/system-auth

And add line using credit parameters as (lcredit, ucredit, dcredit and/or ocredit respectively lower-case, upper-case, digit and other)

 

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

16. Enable Iptables (Firewall)

 

17. Disable Ctrl+Alt+Delete in Inittab

In most Linux distributions, pressing ‘CTRL-ALT-DELETE’ will takes your system to reboot process. So, it’s not a good idea to have this option enabled at least on production servers, if someone by mistakenly does this.

 

This is defined in ‘/etc/inittab‘ file, if you look closely in that file you will see a line similar to below. By default line is not commented out. We have to comment it out. This particular key sequence signalling will shut-down a system.

 

# Trap CTRL-ALT-DELETE

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

 

18. Checking Accounts for Empty Passwords

Any account having an empty password means its opened for unauthorized access to anyone on the web and it’s a part of security within a Linux server. So, you must make sure all accounts have strong passwords and no one has any authorized access. Empty password accounts are security risks and that can be easily hackable. To check if there were any accounts with empty password, use the following command.

 

# cat /etc/shadow | awk -F: '($2==""){print $1}'

19. Display SSH Banner Before Login

It’s always a better idea to have an legal banner or security banners with some security warnings before SSH authentication. To set such banners read the following article.

# vi /etc/issue.net

###############################################################

#                                                  Welcome to jkitweb.com

#                                All connections are monitored and recorded

#                      Disconnect IMMEDIATELY if you are not an authorized user!

 

# vi /etc/ssh/sshd_config

Banner /etc/issue.net (you can use any path you want)

Next, restart the SSH daemon to reflect new changes.

 

# /etc/init.d/sshd restart

Stopping sshd: [ OK ]

Starting sshd:

 

21. Review Logs Regularly

Move logs in dedicated log server, this may prevents intruders to easily modify local logs. Below are the Common Linux default log files name and their usage:

  1. /var/log/message – Where whole system logs or current activity logs are available.

  2. /var/log/auth.log – Authentication logs.

  3. /var/log/kern.log – Kernel logs.

  4. /var/log/cron.log – Crond logs (cron job).

  5. /var/log/maillog – Mail server logs.

  6. /var/log/boot.log – System boot log.

  7. /var/log/mysqld.log – MySQL database server log file.

  8. /var/log/secure – Authentication log.

  9. /var/log/utmp or /var/log/wtmp : Login records file.

  10. /var/log/yum.log: Yum log files.

22. Important file Backup

In a production system, it is necessary to take important files backup and keep them in safety vault, remote site or offsite for Disasters recovery.

23. NIC Bonding

There are two types of mode in NIC bonding, need to mention in bonding interface.

  1. mode=0 – Round Robin

  2. mode=1 – Active and Backup

NIC Bonding helps us to avoid single point of failure. In NIC bonding, we bond two or more Network Ethernet Cards together and make one single virtual Interface where we can assign IP address to talk with other servers. Our network will be available in case of one NIC Card is down or unavailable due to any reason.

 

24. Keep /boot as read-only

Linux kernel and its related files are in /boot directory which is by default as read-write. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open “/etc/fstab” file.

 

# vi /etc/fstab

Add the following line at the bottom, save and close it.

 

LABEL=/boot /boot ext2 defaults,ro 1 2

Please note that you need to reset the change to read-write if you need to upgrade the kernel in future.

 

25. Ignore ICMP or Broadcast Request

 

Add following line in “/etc/sysctl.conf” file to ignore ping or broadcast request.

 

Ignore ICMP request:

net.ipv4.icmp_echo_ignore_all = 1

Ignore Broadcast request:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Load new settings or changes, by running following command

 

#sysctl -p