Best Practices for Securing Linux Systems
This resource covers essential security practices for Linux systems, including the CIA Triad (Confidentiality, Integrity, Availability), recommended partitions, encryption at rest and in transit, SSH and user login configurations, and password best practices. Learn about securing user directories, preventing malicious commands, encryption considerations, secure login options, and password security measures.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Securing Linux By Terrance Marcelle
The CIA Triad Confidentiality Integrity Availability
Partitions Default
Partitions Recommended
Partitions A user stores too many files in their home directory A user intentionally runs malicious code or a bad command to fill up as much space as possible cat /dev/zero > zerofile Excess logging /dev /tmp are not mounted with noexec, nodev and nosuid
Encryption at Rest Should you Encrypt? Depends on the type of information You may only want to encrypt portions of the drive What happens if Server / hard-drive gets stolen The drive space is reallocated to another VM in a hypervisor setting.
Encryption in transit Why encrypt data in transit ? So your information doesn t get stolen. Recommendations: https over http sftp,scp over ftp snmpv3 over snmpv2 and 1
SSH and user logins Defaults Allowed to login with the root account via ssh (Centos) Disallowed by default in Ubuntu
SSH and user login Recommendations Disable root account login via ssh /etc/ssh/sshd_config #PermitRootLogin P.S. make sure you have console access or another user with privileges created
SSH and user login Install a third party programs like DenyHosts, fail2ban and dosdeflate to monitor invalid logins and block originating ipaddresses Login information storage Centos (/var/log/secure) Ubuntu(/var/log/auth.log)
Passwords What happens by default Only gives a warning if the password is considered weak, but still lets you create it Password are never set to expire Old passwords can be reused
Passwords Recommended Enforce password aging, minimum length, reuse and complexity. CentOS /etc/login.defs , /etc/pam.d/system-auth-ac Ubuntu (install the cracklib pam module) /etc/login.defs , /etc/pam.d/common-password
Passwords /etc/login.def Controls Max Age, Min Age, Warning, PASS_MAX_DAYS 150 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 /etc/pam.d/common-passwords and /etc/pam.d/system- auth-ac Controls Password Complexity, Password re-use and Password Length. password required pam_cracklib.so minlen=8 difok=3 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1
2011 2012 2013 2014 2015 password password 123456 123456 ?? Why do we need to secure Linux 123456 123456 password password ?? 12345678 qwerty 12345678 abc123 12345678 qwerty 12345 12345678 ?? ?? abc123 qwerty abc123 qwerty ?? monkey monkey 123456789 123456789 ?? 1234567 letmein 111111 1234 ?? letmein dragon 1234567 baseball ?? trustno1 111111 iloveyou dragon ??
Updates and Upgrades Keeping you systems up to date Security Updates Bug Fixes What programs are used? Centos (yum / rpm) Ubuntu (apttitude / dpkg)
Updates and Upgrades Recommended Consistent maintenance plan Centralized package /patch management System (spacewalk, redhat Satellite, Landscape, foreman, katello(candlepin, pulp) ) Automatic Updates ?
User Quotas What is it? Limit the amount of storage a user or group can use. Why is it necessary? Because people How is it implemented? /etc/fstab LABEL=/home /home ext2 defaults,usrquota,grpquota 1 2 mount -o remount /home quotacheck -cvug (creates the quota files) ls -l /home/ edquota username quotaon -a Disk quotas for user username(uid 500): Filesystem blocks soft hard inodes soft hard /dev/sda3 1419352 0 0 1686 0 0
Firewalls Controls incoming and outgoing network traffic based on a set of rules One of the last lines of defense for your server. Both CentOS and Ubuntu come with iptables Tool allows you to perform very fine grained control of network related transactions through a set of rules. iptables control network related rules for the IPV4 standard ip6tables deals with the ipv6 standard
Firewalls Example Configuration: iptables -I INPUT 3 -p tcp -i eth0 -s 192.168.220.25 --dport 22 -m state --state NEW,ESTABLISHED -m comment --comment SSH access limited to carl s computer -j ACCEPT Alternative Mangaerment (ufw, apf) Firewalld (centos 7)
Logging Logs are located in /var/log /var/log/messages Contains global system messages, system startup information,mail, cron, daemon, kern, auth, etc. /var/log/boot.log Logs system booting information. /var/log/dmesg kernel ring buffer information. Logs messages about hardware devices detected by the kernel kernel during boot. The content can also be viewed by typing the dmesg command. /var/log/auth.log Contains user logins and authentication mechanisms that were used in Ubuntu. /var/log/secure - Contains user logins and authentication mechanisms that were used in Centos.
Logging THE AUDIT LOG: /var/log/audit Linux audit allows you to comprehensively log and track access to files, directories, and resources of your system, as well as trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions Rule to log every attempt to read or modify the /etc/ssh/sshd_config file: auditctl -w /etc/ssh/sshd_config -p rwxa -k sshd_config If the auditd daemon is running, running the following command creates a new event in the Audit log file: ~]# cat /etc/ssh/sshd_config
Logging THE AUDIT LOG continued ausearch - a command that can query the audit daemon logs based for events based on different search criteria. ausearch -f /etc/sshd_config (searches on file name) ausearch -k sshd_config (searches on keyname created to represent file) aureport - a tool that produces summary reports of the audit system logs.
Advanced Configurations Disable / blacklist devices (modprobe) Tune Kernel Parameters (sysctl) Limit system wide resource usage (ulimit) Cron jobs (limit cron users cron.allow, cron.deny) Control Keys (Ctrl-alt-delete) ICMP (disable) selinux and apparmor
Avanced Configurations continued Password protect grub Password protect Single user mode
Complete Security Packages Are there any tools to help? http://www.ossec.net/ http://bastille-linux.sourceforge.net/index.html https://cisofy.com/lynis/ http://www.open-scap.org/page/Main_Page
References General Hardening https://wiki.centos.org/HowTos/OS_Protection http://hardenubuntu.com/ Disk Encryption https://www.linux.com/community/blogs/133-general- linux/831121-how-to-full-encrypt-your-linux-system-with-lvm- on-luks https://access.redhat.com/documentation/en- US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec- Encryption.html
References Password Hardening https://en.wikipedia.org/wiki/Linux_PAM http://xmodulo.com/set-password-policy-linux.html http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html Logs (Audit Logs) https://access.redhat.com/documentation/en- US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec- Understanding_Audit_Log_Files.html http://www.cyberciti.biz/tips/linux-audit-files-to-see-who- made-changes-to-a-file.html