Securing a Linux server is very important to protect data, intellectual property, and time from crackers (hackers). The system administrator is responsible for the security of the Linux box. In this first part of a Linux server security series, I will provide hardening tips for Linux systems.
1. Minimize Packages to Minimize Vulnerability
Do you really want all sorts of services installed? It’s recommended to avoid installing unnecessary packages, so that a vulnerability in one of them cannot be used against you. This also reduces the risk that the compromise of one service leads to the compromise of other services. Find and remove or disable unwanted services on the server to minimize the attack surface. Use the ‘chkconfig’ command to find out which services are enabled at a given run level.
# /sbin/chkconfig --list | grep '3:on'
Once you’ve found an unwanted service that is running, disable it using the following command.
# chkconfig serviceName off
Use the package manager, “yum” on RPM-based systems or “apt-get” on Debian-based systems, to list all installed packages and remove the ones you do not need with the following commands.
# yum -y remove package-name
# sudo apt-get remove package-name
2. Use Secure Shell (SSH)
Telnet and rlogin send everything, including passwords, in plain text rather than encrypted, which exposes credentials to anyone on the network path. SSH is a secure protocol that encrypts all communication with the server.
Never log in directly as root unless necessary. Use “sudo” to execute privileged commands. sudo rules are specified in the /etc/sudoers file, which should be edited with the “visudo” utility; it opens the file in the vi editor and checks the syntax before saving.
It’s also recommended to change the default SSH port 22 to some other, higher port number. Open the main SSH configuration file and set the following parameters to restrict access.
# vi /etc/ssh/sshd_config
Disable root Login
Only allow Specific Users
Use SSH Protocol 2 Version
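To verify that a server’s sshd_config actually carries the three settings above, here is an added audit script (not from the original article). It assumes sshd’s rule that the first uncommented occurrence of a keyword wins, and it runs against two constructed sample configs rather than a real server.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings recommended above.
# Assumes sshd semantics: the first uncommented occurrence of a keyword wins
# (keywords are case-insensitive; the "Keyword=value" spelling is not handled).

# Print the effective value of a keyword, or nothing if it is not set.
sshd_effective() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank and comment lines
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# Print one line per hardening gap; prints nothing when all three are in place.
sshd_audit() {  # $1 = config file
    v=$(sshd_effective "$1" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}', expected 'no'"
    v=$(sshd_effective "$1" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers is unset: no per-user allowlist is enforced"
    v=$(sshd_effective "$1" Protocol)
    [ "$v" = "2" ] || echo "Protocol is '${v:-unset}', expected '2'"
}

# Constructed sample configs (not taken from any real host).
weak=$(mktemp) && hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
# PermitRootLogin no      <- commented out, so it has no effect
Port 22
PermitRootLogin yes
Protocol 2,1
EOF
cat > "$hardened" <<'EOF'
Port 2222
permitrootlogin no
AllowUsers alice bob
Protocol 2
EOF

echo "== weak =="; sshd_audit "$weak"           # three findings
echo "== hardened =="; sshd_audit "$hardened"   # no output
```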
3. Keep System updated
Always keep the system updated with the latest release patches, security fixes, and kernel as soon as they are available.
# yum update
# yum check-update
4. Turn on SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing a security mechanism from the system. Think twice before removing it, and if your system is attached to the internet and accessed by the public, think some more.
SELinux provides three basic modes of operation:
Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
Permissive: In this mode SELinux does not enforce the security policy; it only warns and logs actions. This mode is very useful for troubleshooting SELinux-related issues.
Disabled: SELinux is turned off.
You can view the current SELinux mode from the command line using the ‘system-config-selinux’, ‘getenforce’ or ‘sestatus’ commands.
If it is running in permissive mode, switch it to enforcing using the following command.
# setenforce enforcing
It can also be managed from the ‘/etc/selinux/config’ file, where you can enable or disable it. Note that setenforce cannot turn SELinux on when it is disabled; for that, set SELINUX=enforcing in that file and reboot.
5. Remove KDE/GNOME Desktops
There is no need to run X Window desktops like KDE or GNOME on a dedicated LAMP server. You can remove or disable them to improve both the security and the performance of the server. To disable them, open the file ‘/etc/inittab’ and set the default run level to 3. If you wish to remove them completely from the system, use the command below.
# yum groupremove "X Window System"
6. Turn Off IPv6
If you’re not using IPv6, you should disable it: most applications and policies do not require it, and it is currently not needed on the server. Open the network configuration file and add the lines that disable it.
# vi /etc/sysconfig/network
7. Restrict Users to Use Old Passwords
This is very useful if you want to prevent users from reusing their old passwords. The old passwords are stored in /etc/security/opasswd. This can be achieved using the PAM module.
Open ‘/etc/pam.d/system-auth‘ file under RHEL / CentOS / Fedora.
# vi /etc/pam.d/system-auth
Open ‘/etc/pam.d/common-password‘ file under Ubuntu/Debian/Linux Mint.
# vi /etc/pam.d/common-password
Add the following line to the ‘auth’ section.
auth sufficient pam_unix.so likeauth nullok
Add the following line to the ‘password’ section to disallow a user from reusing his or her last 5 passwords.
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5
Only the last 5 passwords are remembered by the server. If you try to reuse any of the last 5 old passwords, you will get an error like:
Password has been already used. Choose another.