At the annual LinuxCon conference in 2015 the Creator of the GNU/Linux core Linus Torvalds has shared his opinion about the safety of the system. He stressed the need to mitigate the effect of the presence of certain bugs by competent protection order in violation of one component to the next layer overlaps the problem.
In this article we will try to uncover this subject from a practical point of view:
- start with the presets and recommendations for choosing and installing Linux distributions;
- then talk about simple and effective item of protection — security update;
- next, consider how to set restrictions for programs and users.
- how to secure the connection to the server via SSH;
- we give some examples of configuring firewall and limit unwanted traffic;
- in the concluding part will explain how to disable unnecessary programs and services, as further to protect the servers from intruders.
-
To configure the environment preloading before installing Linux
Take care of the security of the system is necessary before installing Linux. Here is a set of recommendations for the settings of the computer, which should be considered and executed before the installation of the operating system:
- Booting in UEFI mode (not legacy BIOS –a sub-section of it below)
- Set a password on the UEFI setup
- Activate SecureBoot mode
- Set a password on UEFI level to boot the system
-
Select the appropriate Linux distribution
Most likely, you will choose popular distributions — Fedora, Ubuntu, Arch, Debian, or other similar branches. In any case, you need to consider the obligatory presence of these functions:
- Support of forced (MAC) and role-based access control (RBAC): SELinux/AppArmor/GrSecurity
- Publication of security bulletins
- Regular release of security updates
- Cryptographic verification of packages
- Support for UEFI and SecureBoot
- Support of full native disk encryption
Recommendations for installing distributions
All distributions are different, but there are moments that are worth to pay attention and perform:
- Use full disk encryption (LUKS) with reliable key phrase
- The process of paging needs to be encrypted
- Set a password for editing the boot-loader
- Reliable password on root access
- Use an account without the privileges, belongs to the group of administrators
- Set for user a strong password different from the password for root
-
Set up automatic security updates
One of the main ways to ensure the safety of the operating system – to update the software. Updates often fix found bugs and critical vulnerabilities.
In the case of server systems, there is the risk of failure during the upgrade, but, in our opinion, problems can be minimized if automatically install only security update.
Auto-update works only for installed from the repositories, not compiled independently packages:
- In Debian/Ubuntu for updates use the package unattended upgrades
- In CentOS to auto-update use yum-cron
- In Fedora for these purposes there is the dnf-automatic
To upgrade, use any of the available RPM-managers of packages by commands:
yum update
or
apt-get update && apt-get upgrade
Linux can be configured to send notifications of new updates by email.
Also , to maintain the security of the Linux core there are protective extensions, e.g. SELinux. This extension will help keep the system from incorrectly configured or dangerous programs.
SELinux is a flexible system of forced access control, which can work simultaneously with selective access control system. Running programs are allowed to access files, sockets and other processes, and SELinux sets limits so that harmful applications are unable to break the system.
-
Limit access to external systems
Next after the update method of protection is to limit access to external services. For this you need to edit the file /etc/hosts.allow and /etc/hosts.deny.
Here is an example of how to restrict access to telnet and ftp:
In file /etc/hosts.allow:
hosts.allow in.telnetd: 123.12.41., 126.27.18., .mydomain.name, .another.name
in.ftpd: 123.12.41., 126.27.18., .mydomain.name, .another.name
Example of the above will allow you to perform telnet and ftp connections to any host in IP-classes 123.12.41.* and 126.27.18.*, and also the host with the domain mydomain.name and another.name.
Next, in file /etc/hosts.deny’:
hosts.deny
in.telnetd: ALL
in.ftpd: ALL
Adding a user with limited rights
We do not recommend to connect to the server as root user — it has the right to run any commands, even critical to the system. Therefore, it is better to create user with restricted rights and work through it. Administration can be performed through sudo (substitute user and do) – this is a temporary elevation to administrator level.
How to create a new user:
In Debian and Ubuntu:
Create a user, replacing administrator with the desired name and specify the password in response to the request. Input password characters are not displayed it the command line:
adduser administrator
Add the user to the sudo group:
adduser administrator sudo
Now you can use the prefix sudo when executing commands that require administrator rights, for example:
sudo apt-get install htop
In CentOS and Fedora:
Create a user, replacing administrator with your desired name, and create a password for his account:
useradd adminstrator && passwd administrator
Add the user to the group wheel for the transfer of the rights sudo:
usermod –aG wheel administrator
Use only strong passwords — minimum of 8 letters of the different register, digits and other special characters. To search for weak passwords among users of your server, use the utilities as “John the ripper”, change the settings in file pam_cracklib.so to set passwords forcibly.
Set the expiration period of the password with the command chage:
chage -M 60 -m 7 -W 7 UserName
Disable password aging with the command:
chage -M 99999 UserName
Find out when a user’s password will expire:
chage -l UserName
Also, you can edit the fields in the file /etc/shadow:
{UserName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
where
- Minimum_days: the Minimum number of days before the expiration of the password.
- Maximum_days: the Maximum number of days before password expiration.
- Warn: Number of days before expiration when the user will be warned of the approaching day shift.
- Expire: the exact date of the expiration of the login.
Also it is necessary to limit reuse of old passwords in module pam_unix.so to set a limit on the number of failed login attempts of the user.
To see the number of failed login attempts:
faillog
Unblock account after failed login:
faillog -r -u UserName
To lock and unlock accounts, you can use the command passwd:
lock account
passwd -l UserName
unlocak account
passwd -u UserName
To make sure that all users set passwords with the command:
awk -F: '($2 == "") {print}' /etc/shadow
To block users without passwords:
passwd -l UserName
Make sure that the UID parameter was set to 0 only for root account. Enter this command to see all users with UID equal to 0.
awk -F: '($3 == "0") {print}' /etc/passwd
You should see only:
root:x:0:0:root:/root:/bin/bash
If there are other lines, then check whether you have installed for them UID to 0, delete unnecessary lines.
-
Set access rights for users
After you install the password is worth to make sure that all users have access appropriate to their rank and responsibility. In Linux you can set access permissions on files and directories. So there is the ability to create and control different levels of access for different users.
Access categories
Linux is based on work with multiple users, so each file belongs to one specific user. Even if the server is administered by one person for various programs created multiple accounts.
To view users in the system with the command:
cat /etc/passwd
The file /etc/passwd contains a line for each user of the operating system. Under services and applications can be created separate users who will also be present in this file.
In addition to the individual accounts there is a category of access for groups. Each file belongs to one group. One user can belong to several groups.
View the groups to which belongs your account, use the command:
groups
Display a list of all groups in the system, where the first field indicates the name of the group:
cat /etc/group
There is a category of access “other”, if the user does not have access to the file and does not belong to the group.
Types of access
For categories of users there is the ability to set types of access. Usually it’s right to run, read and modify the file. In Linux, access types are marked by two types of notations: alphabetic and octal.
In alphabetic notation, permissions are indicated by letters:
r = reading
w = change
x = start
In octal notation the level of access to files is determined by the numbers from 0 to 7, where 0 indicates no access, and 7 means full access to modify, read and execute:
4 = read
2 = change
1 = start
-
Use the keys to connect via SSH
To connect to the host via SSH is usually used password authentication. We recommend a more secure way – input a pair of cryptographic keys. In this case, the private key is used instead of a password, which will seriously complicate the selection by brute-force.
For example, let’s create a key pair. Actions should be performed on the local computer, not on a remote server. In the process of key generation you can specify a password to access them. If you leave this field blank, you will not be able to use the generated keys to store them in keychain-manager of the computer.
If you have already created the RSA keys before, then skip command generation. To check the existing keys for a start:
ls ~/.ssh/id_rsa*
To generate new keys:
ssh-keygen –b 4096
Download of the public key to the server
Replace administrator with the name of the key owner, and 1.1.1.1 with the ip-address of your server. From the local computer, type:
ssh-copy-id administrator@1.1.1.1
To test the connection, disconnect and re-connect to server — login must occur with the created keys.
Setting up SSH
You can disable connect via SSH as root-user, and to obtain administrator rights to use sudo at the beginning of the command. On the server in the file /etc/ssh/sshd_config you need to find the parameter PermitRootLogin and set the value to no.
You can also deny SSH connection by entering the password so that all users use keys. In the file /etc/ssh/sshd_config, set for parameter PasswordAuthentification value no. If this line doesn’t exist or it is commented out, respectively, add or uncomment it.
In Debian or Ubuntu you can enter:
nano /etc/ssh/sshd_config
... PasswordAuthentication no
The connection can also additionally secure with two-factor authentication.
-
Install firewalls
Recently was discovered a new vulnerability, allowing to carry out DDoS attacks on servers running Linux. A bug in the core system came with version 3.6 at the end of 2012. The vulnerability allows the hackers to embed viruses into boot files, web page and open up the Tor-connection, with no need for hacking a lot of effort to make — work the IP-spoofing method.
Maximum damage for encrypted HTTPS connection or SSH – termination of the connection, but in the unsecured traffic, the attacker can put new content, including malware. To protect against such attacks is suitable firewall.
Block access using Firewall
Firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend you to skip only really need the traffic and fully deny all the rest.
To filter packages in most Linux distributions there is iptables controller. Usually it is used by advanced users, and to simplify configuration, you can use utilities UFW on Debian/Ubuntu or FirewallD in Fedora.
-
Disable unnecessary services
Experts from the University of Virginia recommend to disable all services that you don’t use. Some background processes installed on the startup and operate to shutdown the system. To configure these programs, you need to check the initialization scripts. Starting services can be done using inetd or xinetd.
If your system is configured with inetd, in the file /etc/inetd.conf you can edit the list of background programs “demons”, to disable startup of service enough to put in the beginning of the line the sign “#”, turning it from the executable to comment.
If the system uses xinetd, its configuration will be in the directory /etc/xinetd.d. Every file in the directory defines a service, which can be disabled by specifying the item disable = yes, as in this example:
service finger
{
socket_type = stream
wait = no
user = nobody
server = /usr/sbin/in.fingerd
disable = yes }
Also worth checking out an ongoing processes that are not managed by inetd or xinetd. To configure the startup scripts in the directories /etc/init.d or /etc/inittab. After done the changes, run the command under root account.
/etc/rc.d/init.d/inet restart
9.Protect the server physically
It is impossible to completely defend against malicious attacks with physical access to the server. It is therefore necessary to protect the premises where your system is located. The data centers seriously monitor the safety, restrict access to servers, install security cameras and assign permanent guards.
To enter the data center all visitors must pass certain stages of authentication. Also, it is strongly recommended to use motion sensors in all areas of the centre.
-
To protect the server from unauthorized access
System of unauthorized access or IDS collects data about system configuration and files, and further compares these data with the new changes to determine whether they are harmful for the system.
For example, tools Tripwire and Aide collected a database of system files and protect them with a set of keys. Psad is used to track suspicious activity by using reports firewall.
Bro is created for network monitoring, tracking suspicious schemes of actions, collection of statistics, perform system commands, and generating alerts. RKHunter can be used to protect from viruses, most rootkits. This utility checks your system by database of known vulnerabilities and can identify unsafe settings it applications.
Conclusion
The above tools and settings will help you to partially protect the system, but safety depends on your behavior and understanding of the situation. Without care, caution and constant self learning all the safety measures might not work.
This text is a translation of the article “Как обезопасить Linux-систему: 10 советов” published by @1cloud on habrahabr.ru.
About the CleanTalk service
CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).
