Best Practices for Securing Linux Systems

 
Securing Linux
 
By Terrance Marcelle
 
The CIA Triad
 
Confidentiality
Integrity
Availability
 
Partitions
 
Default
 
Partitions
 
Recommended
 
Partitions
 
 
A user stores too many files in their home directory

A user intentionally runs malicious code or a bad command to fill up as much space as possible:
cat /dev/zero > zerofile

Excess logging

/dev and /tmp are not mounted with noexec, nodev and nosuid
 
Encryption at Rest
 
Should you Encrypt?
Depends on the type of information
You may only want to encrypt portions of the drive

What happens if...
Server / hard-drive gets stolen
The drive space is reallocated to another VM in a hypervisor setting.
 
 
Encryption in transit
 
Why encrypt data in transit?
So your information doesn't get stolen.

Recommendations:
https over http
sftp, scp over ftp
snmpv3 over snmpv2 and snmpv1
 
 
SSH and user logins
 
Defaults
Root login via ssh is allowed by default (CentOS)
Root login via ssh is disallowed by default (Ubuntu)
 
SSH and user login
 
Recommendations
 
Disable root account login via ssh

/etc/ssh/sshd_config

PermitRootLogin no
(the line ships commented out as #PermitRootLogin; uncomment it and set it to no)

P.S. make sure you have console access or another user with privileges created
 
SSH and user login
 
Install third-party programs such as DenyHosts, fail2ban and DDoS Deflate to monitor invalid logins and block the originating IP addresses.

Login information storage
CentOS: /var/log/secure
Ubuntu: /var/log/auth.log
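The detection that tools like fail2ban and DenyHosts automate, reduced to its core: count failed sshd logins per source address in the login log and report addresses over a threshold. This is an added example, not part of the deck; the log lines are constructed in the sshd format used in /var/log/secure and /var/log/auth.log, and the addresses are documentation-range or taken from the firewall slide.

```shell
# Constructed sample lines in sshd's /var/log/secure (CentOS) / auth.log (Ubuntu) format.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:19 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:22 web1 sshd[2205]: Accepted publickey for carl from 192.168.220.25 port 40222 ssh2
Mar  3 10:01:40 web1 sshd[2207]: Failed password for carl from 192.168.220.25 port 40230 ssh2
Mar  3 10:02:03 web1 sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51044 ssh2'

# failed_ssh_by_ip THRESHOLD < logfile
# Prints "ip count" (sorted) for every source address with at least THRESHOLD
# failed sshd password logins. Only "Failed password" records are counted, so a
# successful publickey login from the same address does not inflate the count.
failed_ssh_by_ip() {
    threshold="$1"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            # the source address is the token right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' | sort
}

# Convenience wrapper that runs the check over the constructed sample.
sample_offenders() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip "$1"
}
```

On a real host the function is fed with `failed_ssh_by_ip 5 < /var/log/secure`; one failure from a known workstation (192.168.220.25 above) stays below a sensible threshold while the repeated guesses from 203.0.113.7 do not.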
 
Passwords
 
 
What happens by default
Only gives a warning if the password is considered weak, but still lets you create it
Passwords are never set to expire
Old passwords can be reused
 
Passwords
 
Recommended
Enforce password aging, minimum length, reuse restrictions and complexity.

CentOS
/etc/login.defs, /etc/pam.d/system-auth-ac

Ubuntu (install the cracklib pam module)
/etc/login.defs, /etc/pam.d/common-password
 
Passwords
 
 
/etc/login.defs
Controls Max Age, Min Age, Warning:
PASS_MAX_DAYS 150
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
 
/etc/pam.d/common-password and /etc/pam.d/system-auth-ac
Controls Password Complexity, Password re-use and Password Length:
password required pam_cracklib.so minlen=8 difok=3 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1
 
Why do we need to secure Linux
(This slide lists the most commonly used passwords for each year from 2011 to 2015, among them password, 123456, 12345678, qwerty and abc123; the table itself did not survive extraction.)
 
Updates and Upgrades
 
 
Keeping your systems up to date
Security Updates
Bug Fixes

What programs are used?
CentOS (yum / rpm)
Ubuntu (aptitude / dpkg)
 
 
Updates and Upgrades
 
 
Recommended
 
Consistent maintenance plan
Centralized package / patch management system (Spacewalk, Red Hat Satellite, Landscape, Foreman, Katello (Candlepin, Pulp))
Automatic updates?
 
 
User Quotas
 
What is it?
Limit the amount of storage a user or group can use.
 
Why is it necessary?
Because people…
 
How is it implemented?
/etc/fstab
LABEL=/home /home ext2 defaults,usrquota,grpquota 1 2

mount -o remount /home
quotacheck -cvug /home    (creates the quota files)
ls -l /home/
edquota username
quotaon -a

Disk quotas for user username (uid 500):
  Filesystem           blocks       soft       hard     inodes     soft     hard
  /dev/sda3           1419352          0          0       1686        0        0
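Both the partition slide (/dev and /tmp need nodev, nosuid, noexec) and the quota procedure above (/home needs usrquota,grpquota) come down to checking mount options in /etc/fstab. The helper below, an added example rather than the deck's own material, reports which required options a mount point is missing; the fstab it is run against is constructed inline.

```shell
# Constructed /etc/fstab sample: /home carries the quota options from the slide,
# /tmp is missing the hardening options, /dev/shm has all three.
SAMPLE_FSTAB='LABEL=/      /        ext4  defaults                     1 1
LABEL=/home  /home    ext2  defaults,usrquota,grpquota   1 2
LABEL=/tmp   /tmp     ext4  defaults                     1 2
tmpfs        /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'

# check_mount_opts MOUNTPOINT REQUIRED_OPTS < fstab
# Prints each option from the comma-separated REQUIRED_OPTS that is absent from
# MOUNTPOINT's options column, one per line.
# Returns 0 when all are present, 1 when something is missing, 2 when the
# mount point has no (non-comment) fstab entry at all.
check_mount_opts() {
    mp="$1"; required="$2"; rc=0
    # column 4 of the first non-comment line whose mount point matches
    opts=$(awk -v m="$mp" '$1 !~ /^#/ && $2 == m { print $4; exit }')
    [ -n "$opts" ] || return 2
    for opt in $(printf '%s' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$opt,"*) ;;                       # present as a whole token
            *) printf '%s\n' "$opt"; rc=1 ;;     # absent: report it
        esac
    done
    return $rc
}

# Wrapper that runs the check against the constructed sample.
sample_missing() { printf '%s\n' "$SAMPLE_FSTAB" | check_mount_opts "$1" "$2"; }
```

Against a live system run e.g. `check_mount_opts /tmp nodev,nosuid,noexec < /etc/fstab`; an empty result with exit status 0 means the mount line already carries everything the slide recommends.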
 
 
Firewalls
 
Controls incoming and outgoing network traffic based on a set of rules
One of the last lines of defense for your server.

Both CentOS and Ubuntu come with iptables
The tool gives very fine-grained control of network traffic through a set of rules.
iptables handles the rules for IPv4
ip6tables handles the rules for IPv6
 
Firewalls
 
Example Configuration:
iptables -I INPUT 3 -p tcp -i eth0 -s 192.168.220.25 --dport 22 -m state --state NEW,ESTABLISHED -m comment --comment "SSH access limited to carl's computer" -j ACCEPT

Alternative management (ufw, apf)

firewalld (CentOS 7)
 
 
 
 
 
Logging
 
Logs are located in /var/log

/var/log/messages
Contains global system messages, system startup information, mail, cron, daemon, kern, auth, etc.

/var/log/boot.log
Logs system booting information.

/var/log/dmesg
Kernel ring buffer information. Logs messages about hardware devices detected by the kernel during boot. The content can also be viewed by typing the dmesg command.

/var/log/auth.log
Contains user logins and authentication mechanisms that were used in Ubuntu.

/var/log/secure
Contains user logins and authentication mechanisms that were used in CentOS.
 
Logging
 
THE AUDIT LOG: /var/log/audit

Linux audit allows you to comprehensively log and track access to files, directories, and resources of your system, as well as trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions.

Rule to log every attempt to read or modify the /etc/ssh/sshd_config file:
auditctl -w /etc/ssh/sshd_config -p rwxa -k sshd_config

If the auditd daemon is running, running the following command creates a new event in the Audit log file:
~]# cat /etc/ssh/sshd_config
Logging
 
 
THE AUDIT LOG continued

ausearch - a command that can query the audit daemon logs for events based on different search criteria.
ausearch -f /etc/ssh/sshd_config    (searches on file name)
ausearch -k sshd_config             (searches on the key name created to represent the file)

aureport - a tool that produces summary reports of the audit system logs.
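What `ausearch -k sshd_config` does for you, shown by hand over constructed audit records: select the SYSCALL records tagged by the `-k sshd_config` key from the rule above and print who touched the file. The output pairs auid (the user who originally logged in) with uid (the effective user at the time), so an access performed after su or sudo to root is still attributed to the login account. This is an added example, not from the deck; the records below are constructed in /var/log/audit/audit.log format and trimmed to the fields the parser uses.

```shell
# Constructed audit records of the kind produced by
# "auditctl -w /etc/ssh/sshd_config -p rwxa -k sshd_config" (fields trimmed).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 euid=0 ses=4 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/ssh/sshd_config" inode=3932 mode=0100600
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 euid=1000 ses=4 comm="vim" exe="/usr/bin/vim" key="sshd_config"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 euid=1001 ses=5 comm="less" exe="/usr/bin/less" key="other_key"
type=SYSCALL msg=audit(1700000000.410:204): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 euid=1001 ses=5 comm="cat" exe="/usr/bin/cat" key="sshd_config"'

# audit_by_key KEY < audit.log
# For every SYSCALL record whose key="KEY", prints: event-id auid uid success comm
audit_by_key() {
    awk -v k="$1" '
        $1 == "type=SYSCALL" {
            split("", f)                          # clear the field map per record
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")                # name=value tokens
                gsub(/"/, "", kv[2])              # strip quotes from comm="cat" etc.
                f[kv[1]] = kv[2]
            }
            if (f["key"] != k) next
            id = f["msg"]                         # audit(1700000000.101:201): -> 201
            sub(/^audit\([0-9.]+:/, "", id); sub(/\):$/, "", id)
            print id, f["auid"], f["uid"], f["success"], f["comm"]
        }'
}

# Wrapper that runs the query over the constructed sample.
sample_audit() { printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_by_key "$1"; }
```

Event 201 is the interesting one: auid=1000 but uid=0, i.e. user 1000 read the file as root; event 204 shows a denied read (success=no, exit=-13 is EACCES), which the `-p rwxa` watch records as well.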
 
 
Advanced Configurations
 
Disable / blacklist devices (modprobe)
 
Tune Kernel Parameters (sysctl)
 
Limit system wide resource usage (ulimit)
 
Cron jobs (limit cron users cron.allow, cron.deny)
 
Control Keys (Ctrl-alt-delete)
 
ICMP (disable)
 
selinux and apparmor
 
Advanced Configurations continued
 
Password protect grub
Password protect Single user mode
 
 
 
Complete Security Packages
 
Are there any tools to help?
http://www.ossec.net/
http://bastille-linux.sourceforge.net/index.html
https://cisofy.com/lynis/
http://www.open-scap.org/page/Main_Page
 
 
 
References

General Hardening
https://wiki.centos.org/HowTos/OS_Protection
http://hardenubuntu.com/

Disk Encryption
https://www.linux.com/community/blogs/133-general-linux/831121-how-to-full-encrypt-your-linux-system-with-lvm-on-luks
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html

References continued

Password Hardening
https://en.wikipedia.org/wiki/Linux_PAM
http://xmodulo.com/set-password-policy-linux.html
http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

Logs (Audit Logs)
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
 
Uploaded on Sep 19, 2024

