Securing your Linux server is important to protect your data, your personal information, and your time from the hands of crackers (hackers). The administrator is responsible for the security of the Linux box. In this first part of a series on Linux server security, 20 security tips for a default installation of a Linux system will be addressed.
1. Encrypt Data Communication

All data that is sent over the network is open to monitoring. Encrypt transmitted data whenever possible, with passwords or with keys / certificates.

* Use scp, ssh, rsync, or sftp for file transfer. You can also mount a remote server file system, or your own home directory, using sshfs and similar special tools.
* Use GnuPG, which allows you to encrypt and sign your data and communication; it features a versatile key management system as well as access modules for all kinds of public key directories.
* Fugu is a graphical frontend to the command-line Secure File Transfer application (SFTP). SFTP is similar to FTP, but unlike FTP the entire session is encrypted, meaning no passwords are sent in cleartext form, so it is much less vulnerable to third-party interception. Another option is FileZilla, a cross-platform client that supports FTP, FTP over SSL / TLS (FTPS) and SSH File Transfer Protocol (SFTP).
* OpenVPN is an SSL VPN that helps save costs.
* Lighttpd SSL (Secure Sockets Layer) HTTPS configuration and installation.
* Apache SSL (Secure Sockets Layer) HTTPS (mod_ssl) configuration and installation.

Avoid Using FTP, Telnet, and rlogin / rsh

Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. A common solution to this problem is to use OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. Type the following command to remove NIS, rsh and other outdated services:

# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server

2. Minimize Software to Minimize Vulnerability

Do you really need all kinds of web services installed? Avoid installing unnecessary software, to avoid flaws in that software. Use the RPM package manager such as yum, or apt-get and / or dpkg, to review the set of all installed software packages on the system.
Delete all unwanted packages with these commands:

# yum list installed
# yum list packageName
# yum remove packageName

or

# dpkg --list
# dpkg --info packageName
# apt-get remove packageName

3. One Network Service Per System or VM Instance

Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised. For example, if an attacker successfully exploits a flaw in software such as Apache, he will gain access to the entire server, including other services such as MySQL, the e-mail server and so on. See how to install virtualization software:

* Install and Setup XEN Virtualization Software on CentOS Linux 5
* How To Setup OpenVZ under RHEL / CentOS Linux

4. Keep the Linux Kernel and Software Up to Date

Applying security patches is an important part of maintaining a Linux server. Linux provides all the necessary tools to keep your system updated, and also allows for easy upgrades between versions. All security updates should be reviewed and applied as soon as possible. Again, use the RPM package manager such as yum, or apt-get and / or dpkg, to apply all security updates with a command such as:

# yum update

or

# apt-get update && apt-get upgrade

You can configure Red Hat / CentOS / Fedora Linux to send yum package update notifications via email. Another option is to apply all security updates via a cron job. On Debian / Ubuntu Linux you can use apticron to send security update notifications.

5. Use Linux Security Extensions

Linux comes with various security patches which can be used to guard against misconfigured or compromised programs. If possible, use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for the Linux kernel. SELinux is suggested because it provides a flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has the user's permissions to objects such as files, sockets, and other processes.
Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. See the official Red Hat documentation, which explains SELinux configuration.

6. User Accounts and Password Strength Policy

Use the useradd / usermod commands to create and maintain user accounts. Make sure you have a good, strong password policy. For example, a good password is at least 8 characters long and includes a mix of letters, numbers, special characters, upper & lower case, etc. The most important point is to choose a password that you can remember. Use a tool such as "John the Ripper" to find weak user passwords on your server. Configure pam_cracklib.so to enforce a password policy.

Password Aging

The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his / her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite, including the password aging configuration. To disable password aging, enter:

# chage -M 99999 userName

To get password expiration information, enter:

# chage -l userName

Finally, you can also edit the /etc/shadow file, whose fields are:

{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:

Where,

* Minimum_days: The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his / her password.
* Maximum_days: The maximum number of days the password is valid (after that the user is forced to change his / her password).
* Warn: The number of days before the password expires that the user is warned that the password must be changed.
* Expire: Days since January 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used.

Use the command:

# chage -M 60 -m 7 -W 7 userName

7. Disable root Login

Never log in as the root user. Use sudo to run commands at root level when required. sudo improves the security of the system, since the root password need not be shared with other users and admins. sudo provides simple auditing and tracking features too.

8. Physical Server Security

You must protect physical console access to the Linux server. Configure the BIOS and disable booting from external devices such as DVD / CD / USB pen drives. Set BIOS and GRUB boot loader passwords to protect these settings. All production boxes must be locked in IDCs (Internet Data Centers), and everyone must pass some kind of security check before accessing your server. See 9 Tips To Protect Linux Servers' Physical Console Access.

9. Disable Unwanted Services

Disable all unnecessary services and daemons (services running in the background). You must remove all unwanted services from the system start-up. Type the following command to list all the services that are started at boot time at run level 3:
# chkconfig --list | grep '3:on'

To disable a service, enter:

# service serviceName stop
# chkconfig serviceName off

10. Remove X Windows

X Windows is not required on a server. There is no reason to run X Windows on a dedicated mail or Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set the run level to 3. Finally, to remove the X Windows system, enter:

# yum groupremove "X Window System"

11. Iptables and TCPWrappers

Iptables is a user-space application program that allows you to configure the firewall (Netfilter) provided by the Linux kernel. Use a firewall to filter traffic and allow only necessary traffic. Also use the TCPWrappers host-based networking ACL system to filter network access to the Internet. You can prevent many denial of service attacks with the help of Iptables:

* Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit).
* How to: Linux Iptables block common attacks.
* psad: Linux Detect And Block Port Scan Attacks In Real Time.

12. Linux Kernel /etc/sysctl.conf Hardening

The /etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies the settings from /etc/sysctl.conf at boot time. Sample /etc/sysctl.conf:

# Turn on execshield
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
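Returning to the password-aging fields of tip 6: the following script is an added example (not code from the original article) that evaluates /etc/shadow records using exactly the field meanings described there, so an administrator can see which accounts are expired, in the warning window, or have aging disabled. The helper names, the sample records and their fake hashes are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original article): evaluate the password-aging
# fields of /etc/shadow records as tip 6 describes them. The helper names, the
# sample records and their hashes are constructed for this example.
# Field order: name:hash:lastchg:min:max:warn:inactive:expire (days since 1970-01-01)

# shadow_aging_status RECORD [TODAY]  -> prints "name status [days-left]"
shadow_aging_status() {
    record=$1
    today=${2:-$(( $(date +%s) / 86400 ))}   # default: today in days since the epoch
    IFS=: read -r name hash lastchg min max warn inactive expire rest <<EOF
$record
EOF
    # A hash of "!" or "*" (or a "!"-prefixed hash) means the account is locked.
    case $hash in
        '!'*|'*') printf '%s locked\n' "$name"; return 0 ;;
    esac
    # Expire: absolute day after which the login may no longer be used at all.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        printf '%s account-expired\n' "$name"; return 0
    fi
    # An empty last-change field or a huge Maximum_days (chage -M 99999) means
    # password aging is effectively disabled for this user.
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        printf '%s aging-disabled\n' "$name"; return 0
    fi
    if [ "$lastchg" -eq 0 ]; then
        printf '%s must-change-at-next-login\n' "$name"; return 0
    fi
    deadline=$(( lastchg + max ))      # last day the current password is valid
    left=$(( deadline - today ))
    if [ "$left" -lt 0 ]; then
        # Inactive: grace days after expiry before the account is locked outright.
        if [ -n "$inactive" ] && [ "$today" -gt $(( deadline + inactive )) ]; then
            printf '%s inactive-locked\n' "$name"
        else
            printf '%s password-expired\n' "$name"
        fi
    elif [ "$left" -le "${warn:-0}" ]; then
        printf '%s warning %s\n' "$name" "$left"   # inside the Warn window
    else
        printf '%s ok %s\n' "$name" "$left"
    fi
}

# shadow_audit FILE [TODAY] -> one status line per record in a shadow-format file
shadow_audit() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] && shadow_aging_status "$line" "$2"
    done < "$1"
}

# Constructed sample records (fake hashes), evaluated as of day 19720 (2023-12-29).
SAMPLE_SHADOW='alice:$6$fake$hash:19700:7:60:7::
bob:$6$fake$hash:19600:7:60:7:30:
carol:!:19700:0:99999:7::
dave:$6$fake$hash:19665:7:60:7::
erin:$6$fake$hash:19700:7:60:7::19710
frank:$6$fake$hash:19700:0:99999:7::'

tmp=$(mktemp) && printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
shadow_audit "$tmp" 19720
rm -f "$tmp"
```

Run it against the real file with `shadow_audit /etc/shadow` as root; the second argument is only needed to pin the evaluation date, as the demo does.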
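To verify that a server actually carries the sysctl hardening above, here is an added example (not code from the original article) that parses a sysctl.conf-style file and reports every key from the sample that is missing or set to a different value. The key names and values are the article's; the helper names and the sample configuration file are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original article): audit a sysctl.conf-style file
# against the hardening values listed above. The keys and values are the
# article's; the helper names and the sample file are constructed for this example.
HARDENING_WANTED='kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians=1'

# sysctl_conf_value KEY FILE -> the value the file assigns to KEY ("" if unset).
# Handles "key = value" spacing, trailing "#"/";" comments and the net/ipv4/...
# key spelling; the last assignment wins, as with sysctl -p.
sysctl_conf_value() {
    sed -e 's/[#;].*//' "$2" | awk -F= -v k="$1" '
        { gsub(/[[:space:]]/, "", $1); gsub("/", ".", $1); v = $2; gsub(/[[:space:]]/, "", v) }
        $1 == k { val = v }
        END { print val }'
}

# sysctl_audit_conf FILE -> one line per hardening key; returns 1 if any key is
# missing or differs from the article's value. A differing value is not always
# worse (randomize_va_space=2 is stricter than 1), so it is reported, not "fixed".
sysctl_audit_conf() {
    bad=0
    while IFS== read -r key want; do
        have=$(sysctl_conf_value "$key" "$1")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"; bad=1
        elif [ "$have" != "$want" ]; then
            printf 'DIFFERS %s=%s (want %s)\n' "$key" "$have" "$want"; bad=1
        else
            printf 'OK      %s=%s\n' "$key" "$have"
        fi
    done <<EOF
$HARDENING_WANTED
EOF
    return $bad
}

# sysctl_live_value KEY -> the running kernel's current value, read from /proc/sys
# (compare it with the file: a correct file is useless until sysctl -p has run).
sysctl_live_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# Constructed sample file: one key is missing and two differ from the article.
SAMPLE_CONF='# constructed /etc/sysctl.conf for the demo
kernel.exec-shield = 1
kernel.randomize_va_space = 2    # stricter than the article asks for
net.ipv4.conf.all.rp_filter=1
net/ipv4/conf/all/accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 0'

tmp=$(mktemp) && printf '%s\n' "$SAMPLE_CONF" > "$tmp"
sysctl_audit_conf "$tmp" || echo "hardening gaps found in $tmp"
rm -f "$tmp"
```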
13. Separate Disk Partitions

Separating operating system files from user files may result in a better and more secure system. Make sure the following filesystems are mounted on separate partitions:

* /usr
* /home
* /var and /var/tmp
* /tmp

Create separate partitions for the Apache and FTP server roots. Edit the /etc/fstab file and make sure you add the following configuration options:

* noexec: Do not allow execution of any binaries on this partition (prevents execution of binaries but allows scripts).
* nodev: Do not allow character or special devices on this partition (prevents use of device files such as zero, sda etc).
* nosuid: Do not allow SUID / SGID access on this partition (prevents the setuid bit).

An example /etc/fstab entry to restrict user access on /dev/sda5 (FTP server root directory):

/dev/sda5  /ftpdata  ext3  defaults,nosuid,nodev,noexec  1 2

14. Turn off IPv6

Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP / IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. Currently there are no good tools to check a system over the network for IPv6 security issues. Most Linux distributions have begun enabling the IPv6 protocol by default. Crackers can send bad traffic via IPv6, since most admins are not monitoring it. Unless your network configuration requires it, disable IPv6 or configure a Linux IPv6 firewall.

15. Disable Unwanted SUID and SGID Binaries

All SUID / SGID bits allow files to be abused when the SUID / SGID executable has a security problem or bug. Any local or remote user can use such a file. It is a good idea to find all such files. Use the find command as follows:

# See all set-user-id files:
find / -perm +4000
# See all set-group-id files:
find / -perm +2000
# Or combine both in a single command:
find / \( -perm -4000 -o -perm -2000 \) -print
# List them in long format, skipping the /proc pseudo-filesystem:
find / -path /proc -prune -o -type f -perm +6000 -ls

Note that newer GNU find versions reject the +mode form; use -perm /4000, -perm /2000 and -perm /6000 instead.
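As an added example for the partition layout of tip 13 (not code from the original article), the following script checks an /etc/fstab-style file for the separate partitions and the nosuid / nodev / noexec options described above. The article names the options but does not say which mount point needs which, so the per-mount-point policy, the helper names and the sample fstab are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): check an /etc/fstab-style file
# for the separate partitions and mount options tip 13 describes. Which option
# each mount point must carry is this example's own assumed policy; the helper
# names and the sample fstab are constructed for this example.
FSTAB_POLICY='/usr:
/home:nosuid,nodev
/var:nosuid,nodev
/var/tmp:nosuid,nodev,noexec
/tmp:nosuid,nodev,noexec
/ftpdata:nosuid,nodev,noexec'

# fstab_mount_options MOUNTPOINT FILE -> the 4th fstab field for that mount
# point, or "" when nothing is mounted there (i.e. it is not a separate partition).
fstab_mount_options() {
    awk -v mp="$1" '/^[[:space:]]*#/ || NF < 4 { next } $2 == mp { opts = $4 } END { print opts }' "$2"
}

# fstab_has_option OPTS OPT -> true if the comma-separated OPTS list contains OPT
fstab_has_option() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# fstab_audit FILE -> one line per policy entry; returns 1 if anything is off.
fstab_audit() {
    bad=0
    while IFS=: read -r mp required; do
        opts=$(fstab_mount_options "$mp" "$1")
        if [ -z "$opts" ]; then
            printf 'NOT-SEPARATE %s\n' "$mp"; bad=1; continue
        fi
        missing=
        for opt in $(printf '%s' "$required" | tr , ' '); do
            fstab_has_option "$opts" "$opt" || missing="$missing $opt"
        done
        if [ -n "$missing" ]; then
            printf 'MISSING %s:%s\n' "$mp" "$missing"; bad=1
        else
            printf 'OK %s (%s)\n' "$mp" "$opts"
        fi
    done <<EOF
$FSTAB_POLICY
EOF
    return $bad
}

# Constructed sample fstab: /var lacks options, /usr and /var/tmp are not separate.
SAMPLE_FSTAB='# constructed /etc/fstab for the demo
/dev/sda1  /         ext3  defaults                      1 1
/dev/sda2  /home     ext3  defaults,nosuid,nodev         1 2
/dev/sda3  /tmp      ext3  defaults,nosuid,nodev,noexec  1 2
/dev/sda4  /var      ext3  defaults                      1 2
/dev/sda5  /ftpdata  ext3  defaults,nosuid,nodev,noexec  1 2'

tmp=$(mktemp) && printf '%s\n' "$SAMPLE_FSTAB" > "$tmp"
fstab_audit "$tmp" || echo "partition layout needs attention"
rm -f "$tmp"
```

The check reads the file only; compare with `mount` or /proc/mounts to confirm the options are in effect on the running system.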
16. Use a Centralized Authentication Service

Without a centralized authentication system, user auth data becomes inconsistent, which can lead to out-of-date credentials and forgotten accounts that should have been removed in the first place. A centralized authentication service allows you to maintain central control over Linux / UNIX account and authentication data. You can keep the auth data synchronized between servers. Do not use NIS for centralized authentication. Use OpenLDAP for clients and servers. You can also use Kerberos.

17. Logging and Auditing

You must configure logging and auditing to collect all hacking and cracking attempts. By default syslog stores data in the /var/log/ directory. Logs are also useful for finding software misconfigurations which may open your system to various attacks.

18. Monitor Suspicious Log Messages With Logwatch / Logcheck

Read the logs using logwatch or logcheck. These tools make log reading easier. You get detailed reports on unusual items in syslog via email.