Monday, April 22, 2019

Linux Host Hardening



Linux systems are quite secure out of the box; however, there are myriad ways to tighten security further and achieve a very high level of protection on your system. Whether you are running a server on your own network or your own personal laptop, you are the administrator and security manager of your domain. Keep this in mind as I present some of the options to secure your systems below.

File Transfer Options

Encryption is your friend in the digital age and Linux has you covered. Services such as ssh, sftp, or rsync over ssh have encryption built in, so the connection and the data transfer are protected from prying eyes or interception. With the server version of these services enabled on your home network along with port forwarding on your router, you can securely access your systems and data from almost any location on the planet. Of course, such access is heavily dependent upon the permissions and security level of the network you are using (cell provider, work network*, etc). *Be sure to verify you have permission and access rights before attempting to connect to your home network from your workplace.

Linux also has the widely used OpenVPN package available for installation and use as a client and a server. Connections to VPN service providers such as NordVPN, UnlimitedVPN, etc. provide encryption to allow anonymity and prevent snooping and interception of packet data by your ISP(s). The OpenVPN server package can be used on your own hardware such as a Raspberry Pi or router to allow you to securely access your own home network from a coffee shop, hotel or personal cell phone. 

Locking Down Insecure Services

Most Linux systems shipping today do not include insecure services by default, but they remain available to install and will weaken your system if you do. These include rsh, ftp, xinetd, and telnet, which send traffic unencrypted and so allow interception by anyone with access to your network. Below are the steps to remove them from the most common Linux distros available today.

On Red Hat, CentOS or Fedora systems, you can simply execute this command to remove telnet, rsh, rlogin and ftp, or to verify that they are not installed:

               yum erase xinetd ypserv tftp-server telnet-server rsh-server

On an Arch Linux system you can be secure in knowing these packages are not installed by default; however, you can verify they are removed with the following command (pacman takes the package names separated by spaces, not commas):

               sudo pacman -Rc xinetd ypserv tftpd inetutils

On Debian or Ubuntu systems the following command will remove these packages, or verify that they are already gone (apt also takes space-separated package names):

               sudo apt remove --purge rsh-redone-server xinetd yp-tools tftpd telnetd rsh-server atftpd tftpd-hpa nis

Removing Unused Software or Services

Some Linux distros install far too many services or open too many network ports or sockets on a system by default. To help ensure your system is safe, reduce the number of services, such as web services, down to the minimum you require.

One Linux distro preferred by many knowledgeable geeks is Arch Linux. Arch takes the keep-it-simple approach to package installation and keeps things down to the bare minimum: you install just what you need from the start and so maintain your system in a much more secure manner.

Review your system list of packages installed:
Arch Linux systems: sudo pacman -Qe
Debian-based Linux systems: dpkg --list
Red Hat based Linux systems: yum list installed

Maintain Updates:

All Linux systems should be updated to include all security and patch updates as often as possible. Linux has all the tools to support and maintain your software and provides software repositories (repos) to keep them updated. Certain updates will require a system reboot, however there are newer options from Red Hat, OpenSuSE, and Ubuntu to allow reloading of the kernel without rebooting. 

               Arch Linux systems: sudo pacman -Syu
               Debian-based systems: apt update && apt upgrade
               Red Hat based systems: yum update && yum upgrade

Many Linux distros today will also provide a tool in the desktop panel to inform you of available updates. Do not ignore patches when they become available; install them and complete any steps the patches require so that your system stays as up to date as possible.

User Accounts and Strong Passwords:

One of the easiest methods crackers use to gain access to a system is a weak password. You as the administrator choose whether to use a weak or a strong password. Strong passwords are made up of at least 2 upper-case, 2 lower-case, 2 numeric and 2 special characters.

Linux also provides the pam_cracklib.so PAM module (configured under /etc/pam.d) to ensure compliance with password policies. Configuration of this module to enforce the policy on these popular distros is as follows:
               Arch Linux, Red Hat, CentOS (Debian and Ubuntu keep the password lines in /etc/pam.d/common-password instead, as noted below):
               $ sudo vi /etc/pam.d/system-auth

               Append or modify the following line (note the negative credit values: a positive credit is only a bonus towards the length score, a negative credit is a required minimum count of that character class):
     password required pam_cracklib.so retry=2 minlen=10 difok=6 dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2

These parameters ensure your new password differs from the old one in at least 6 characters (difok=6), is at least 10 characters long (minlen=10), and contains at least 2 digits, 2 upper-case, 2 lower-case and 2 special characters (the negative credit values). The user gets 2 attempts (retry=2) to choose an acceptable new password. These restrictions only apply to normal users and not the root account, which allows manual bypassing of these restrictions on user accounts should the need arise.
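The credit and difok rules above can be checked offline with this added Python re-implementation of pam_cracklib's documented scoring (example code written for this post, not the PAM module itself); Policy, check_password and the sample passwords are this example's own names, and a policy with positive credits is included to show why the sign matters.

```python
# Added example: re-implementation of the pam_cracklib.so length/credit and
# difok checks, to show offline what the post's configuration line enforces.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Mirrors the pam_cracklib.so options used in the post."""
    minlen: int = 10
    difok: int = 6
    dcredit: int = -2   # digits
    ucredit: int = -2   # upper-case letters
    lcredit: int = -2   # lower-case letters
    ocredit: int = -2   # other characters (punctuation etc.)

def _class_counts(pw):
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for c in pw:
        if c.isdigit():
            counts["d"] += 1
        elif c.isupper():
            counts["u"] += 1
        elif c.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts

def check_password(new, old, pol=Policy()):
    """Return the list of rule failures; an empty list means the password passes."""
    failures = []
    counts = _class_counts(new)
    score = len(new)
    for key, credit, name in (("d", pol.dcredit, "digit"), ("u", pol.ucredit, "upper-case"),
                              ("l", pol.lcredit, "lower-case"), ("o", pol.ocredit, "special")):
        if credit >= 0:
            # Positive value: each such character adds up to `credit` to the
            # length score but never requires the class to be present.
            score += min(counts[key], credit)
        elif counts[key] < -credit:
            # Negative value: a minimum number of characters of that class.
            failures.append(f"needs at least {-credit} {name} characters")
    if score < pol.minlen:
        failures.append(f"length score {score} is below minlen={pol.minlen}")
    # difok: at least difok characters of the old password must be absent from
    # the new one, unless the new password is at least twice as long as the old.
    if old:
        reused = sum(1 for c in old if c in new)
        if len(old) - reused < pol.difok and len(new) < 2 * len(old):
            failures.append(f"fewer than difok={pol.difok} characters differ from the old password")
    return failures
```

With the positive credits of the original line, an all-lower-case ten-character password passes; with the negative values it is rejected for missing three character classes.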

Setting password reuse limits:

$ sudo vi /etc/pam.d/system-auth (or /etc/pam.d/common-password on Debian systems)

             Add (or edit) the password line so that it ends with remember=13, which prevents reuse of the last 13 passwords. The line must not begin with #, which would comment it out; keep whichever hash option (md5 or sha512) your distro already uses on that line:
               password sufficient pam_unix.so use_authtok md5 shadow remember=13

Note that some systems use the pam_unix2.so library instead of pam_unix.so.

Linux Password Aging:
Most Linux distros do not set user passwords to expire after a certain time period. To remedy this, the chage command is used to set expiration dates or time periods per account. Each system also contains the /etc/login.defs file, whose parameters control the default expiration policy.

To set a user's password to never expire:

               $ sudo chage -M 99999 username

Or to set a user's password to expire in 60 days:

               $ sudo chage -M 60 username

Additional options help ensure you do not forget to change your password. The following command sets a 60-day maximum password age (-M), requires 14 days between password changes (-m) and warns the user 14 days before the password expires (-W):

               $ sudo chage -M 60 -m 14 -W 14 username

Enable the same aging defaults for newly created accounts in /etc/login.defs (existing accounts keep the values set with chage; the file uses whitespace, not "=", between name and value):

               PASS_MAX_DAYS   60
               PASS_MIN_DAYS   14

Most systems will already have the /etc/security/opasswd file, where pam_unix keeps the old password hashes that remember= checks against; if it doesn’t exist it should be created. You can create it if necessary using the following command:

               $ sudo touch /etc/security/opasswd
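An added audit script (not from the original post) that reads shadow-format records and reports what the chage and login.defs settings above would flag: passwords that never expire, passwords past their maximum age, and accounts matching the 60/14/14 policy. The records are constructed and the function names are this example's own; on a real host the input is /etc/shadow read as root.

```python
# Added example, not from the original post: audit shadow-format records for
# the password-aging settings that chage and /etc/login.defs control.
from datetime import date

# Constructed sample records in /etc/shadow format:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:*:17900:0:99999:7:::
alice:$6$constructedhash:18000:14:60:14:::
bob:$6$constructedhash:18001:0:99999:7:::
svc:!:18002:::::
carol:$6$constructedhash:17000:14:60:14:::
"""

def parse_shadow(text):
    """Yield one dict per record; malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 9 or not f[0]:
            continue
        yield {"name": f[0], "hash": f[1], "lastchg": int(f[2] or 0),
               "min": f[3], "max": f[4], "warn": f[5]}

def is_locked(rec):
    # A hash starting with '!' or '*' cannot be used for a password login.
    return rec["hash"].startswith(("!", "*"))

def never_expiring(text):
    """Unlocked accounts whose maximum password age is unset or 99999."""
    return [r["name"] for r in parse_shadow(text)
            if not is_locked(r) and (r["max"] == "" or int(r["max"]) >= 99999)]

def expired(text, today_days):
    """Unlocked accounts whose password is older than its maximum age.
    today_days is the date as days since 1970-01-01, the unit shadow uses."""
    return [r["name"] for r in parse_shadow(text)
            if not is_locked(r) and r["max"] != ""
            and today_days - r["lastchg"] > int(r["max"])]

def compliant(text, max_days=60, min_days=14, warn_days=14):
    """Unlocked accounts matching the post's chage -M 60 -m 14 -W 14 policy."""
    want = (str(max_days), str(min_days), str(warn_days))
    return [r["name"] for r in parse_shadow(text)
            if not is_locked(r) and (r["max"], r["min"], r["warn"]) == want]

if __name__ == "__main__":
    today = (date.today() - date(1970, 1, 1)).days
    print("never expiring:", never_expiring(SAMPLE_SHADOW))
    print("expired:", expired(SAMPLE_SHADOW, today))
    print("compliant:", compliant(SAMPLE_SHADOW))
```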

