Operating systems are often assumed to be secure by default, but securing your Linux servers, and with them your data, intellectual property and time, is the responsibility of the system administrator.
In this post we will review some basic operations that should always be performed when installing a new Linux server. We use Debian as the example for the commands, but finding the equivalent commands for Red Hat, CentOS or any other Linux distribution is straightforward once you know what you are looking for and what you want to achieve.
Note that we won't cover encryption of your hard drives, since most distributions let you encrypt your disks during installation. Needless to say, full-disk encryption is a must for protecting your data when a machine is stolen or a disk is reused.
Secure the boot settings: the bootloader and the parameters involved in the boot process (this is about GRUB, not UEFI Secure Boot, which is a separate firmware feature)
Permissions on bootloader configuration
Access to the boot parameters may let an attacker spot weaknesses to exploit (which kernel is booted, with which options, from which disk). The objective is therefore to prevent non-root users from reading or changing them.
For GRUB, run the following commands:
# chown root:root /boot/grub/grub.cfg
# chmod 600 /boot/grub/grub.cfg
Note that update-grub regenerates /boot/grub/grub.cfg, so re-check the owner and permissions after every GRUB update.
Enable password on bootloader
Without a password, anyone who can reboot the system (from the console or a remote management interface) can edit the kernel command line at the GRUB menu and introduce weaknesses to exploit, for example booting with init=/bin/bash to obtain a root shell without any password, or disabling the security module (SELinux, or AppArmor on Debian). A bootloader password prevents a malicious user from modifying the boot parameters or booting from another partition.
To do so:
1. Create a password hash
# grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
Your PBKDF2 is <encrypted-password>
The value is a salted PBKDF2-SHA512 hash of the form grub.pbkdf2.sha512.10000.<salt>.<hash>, not an encrypted password: it can sit in a world-readable file without revealing the password itself.
2. Add the following lines to /etc/grub.d/00_header or, preferably, to a custom file in /etc/grub.d, since 00_header belongs to the grub package and upgrades will want to replace it. Keep in mind that the files in /etc/grub.d are shell scripts whose output becomes grub.cfg, so a custom file must print these lines rather than contain them verbatim:
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
3. Update the GRUB configuration
# update-grub
Once superusers is set, GRUB also asks for this password before booting any menu entry that is not marked --unrestricted, so check how your menu entries are generated (or accept typing the password at every reboot) before relying on unattended reboots.
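As an added example (not part of the original post), the helper below does steps 2 and 3 the way Debian's own /etc/grub.d/40_custom does it: a small script that prints the two directives, so it survives package upgrades, plus a check that the value really looks like a GRUB PBKDF2 hash and a check of the generated grub.cfg afterwards. It assumes GRUB 2 on Debian (grub-mkpasswd-pbkdf2, update-grub); the user name admin, the file name /etc/grub.d/01_password and the hash in the usage comment are placeholders, not real values.

```shell
#!/bin/sh
# Added example, not from the original post: install a GRUB superuser
# password as its own /etc/grub.d snippet (like Debian's 40_custom) so that
# package upgrades of 00_header do not undo it. Assumes GRUB 2 + update-grub.
# The user "admin", the file name 01_password and the hash are placeholders.

# Pull the hash out of grub-mkpasswd-pbkdf2's output ("Your PBKDF2 is ...").
# Prompts may share the line when output is piped, so the match is unanchored.
pbkdf2_hash_from_output() {
  sed -n 's/.*Your PBKDF2 is //p'
}

# Accept only GRUB's own hash format; anything else is probably a plaintext
# password pasted by mistake and would end up readable in grub.cfg.
valid_grub_hash() {
  case $1 in
    grub.pbkdf2.sha512.[0-9]*.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# write_grub_password USER HASH OUTFILE
# /etc/grub.d files are executed and their stdout is pasted into grub.cfg,
# so the snippet prints its own lines 3.. (the "exec tail" trick Debian uses).
write_grub_password() {
  user=$1; hash=$2; out=$3
  if [ -z "$user" ]; then echo "user name required" >&2; return 1; fi
  if ! valid_grub_hash "$hash"; then
    echo "not a GRUB PBKDF2 hash (run grub-mkpasswd-pbkdf2)" >&2; return 1
  fi
  cat > "$out" <<EOF
#!/bin/sh
exec tail -n +3 \$0
set superusers="$user"
password_pbkdf2 $user $hash
EOF
  chmod 755 "$out"
}

# verify_grub_cfg [FILE]: after update-grub, confirm the directive made it
# into grub.cfg and that group/others cannot read the file.
verify_grub_cfg() {
  cfg=${1:-/boot/grub/grub.cfg}
  if ! grep -q '^password_pbkdf2 ' "$cfg"; then
    echo "no password_pbkdf2 line in $cfg" >&2; return 1
  fi
  case $(stat -c %a "$cfg") in
    *00) ;;
    *) echo "$cfg is readable by group/others; chmod 600 it" >&2; return 1 ;;
  esac
  echo "$cfg OK"
}

# Usage on a real host (placeholder hash; run grub-mkpasswd-pbkdf2 yourself):
#   write_grub_password admin 'grub.pbkdf2.sha512.10000.<salt>.<hash>' /etc/grub.d/01_password
#   update-grub && verify_grub_cfg
```

Run grub-mkpasswd-pbkdf2 interactively and pass the printed hash to write_grub_password; the snippet is executable because grub-mkconfig skips files in /etc/grub.d that are not.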
Secure your SSH configuration
Change the default port
One of the easiest ways to reduce automated SSH attacks against your server is to change the default port used by the SSH server. This does not stop a determined attacker (a port scan finds the new port in seconds), but it removes most of the noise from bots that only try port 22.
To do so, edit the sshd configuration file (/etc/ssh/sshd_config), set the Port directive to the desired value and restart the SSH server. Pick a port that is not already in use: IANA's dynamic range 49152 to 65535 is free of registered services, but it overlaps the ephemeral source ports some systems hand out to outgoing connections (Linux uses 32768 to 60999 by default), so a value above 61000 avoids that conflict. Open the new port in your firewall before restarting, and keep the current session open until you have confirmed that you can log in on the new port.
Disable root login
Preventing direct root login also limits automated attacks, since the attacker must guess an account name as well as its password, and it forces administrators through a personal account and sudo, which leaves an audit trail. Again, edit the sshd configuration file (/etc/ssh/sshd_config), set the directive PermitRootLogin no and restart the SSH server. Note that prohibit-password, the default value on current OpenSSH releases, still lets root in with a key; use no if root should be unreachable over SSH altogether.
Allow only specific users
Since the list of users allowed to log in to your server via SSH should be very short, you can list them explicitly in the sshd configuration file with the AllowUsers directive (a space-separated list, optionally in user@host form). Once the directive is present, every account not listed is refused even with a valid password or key, so add your own account before restarting the SSH server.
Use SSH Keys
An SSH key pair is an access credential of the SSH protocol that replaces the username and password combination: the private key stays on your workstation (ideally protected by a passphrase) and only the public key is copied to the server. A key of reasonable size cannot be guessed online, so key authentication is far less exposed to brute-force attacks than a password.
If you are working on a Windows workstation you can generate the pair with PuTTYgen, which ships with PuTTY, or with the ssh-keygen command that recent Windows 10 and 11 releases include. On Linux the command ssh-keygen does the trick; prefer the ed25519 key type on current systems.
Once you have a pair of keys you need to configure the server to accept logins with them. On your Debian server, logged in as the user who will use the key (not as root, unless the key is meant for root):
1. Optional: create the .ssh directory in your home directory if it doesn't exist
# mkdir -p ~/.ssh && chmod 700 ~/.ssh
2. Copy your public key to the authorized keys file
# vi ~/.ssh/authorized_keys
and paste your public key (one key per line).
3. Restrict the permissions on the authorized keys file
# chmod 600 ~/.ssh/authorized_keys
sshd ignores authorized_keys when your home directory, ~/.ssh or the file itself is writable by others, so these permissions are not optional. From a Linux workstation, ssh-copy-id performs all three steps for you.
You should now be able to log in via SSH without entering your password. Once you have confirmed that from a second session, you can set PasswordAuthentication no in sshd_config so that passwords are no longer accepted at all; do not do it before, or you will lock yourself out.
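The following shell helper, added here and not part of the original post, puts the sshd directives from the previous sections (Port, PermitRootLogin, AllowUsers) into a drop-in file, installs a public key with the permissions sshd insists on, and shows how to read back what sshd will actually use. It assumes an OpenSSH release whose sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf" (Debian 12 ships this; on older releases append the same directives to /etc/ssh/sshd_config instead). Port 52022, the user names and the public key string are placeholders; the key is a constructed value, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: sshd hardening drop-in plus
# authorized_keys installation, with checks. Assumes OpenSSH with
# "Include /etc/ssh/sshd_config.d/*.conf" at the top of sshd_config.
# Port, user names and the key below are placeholders.

# write_sshd_hardening PORT "USER1 USER2 ..." OUTFILE
# sshd keeps the first value it sees for each directive, so a drop-in
# included at the top of sshd_config wins over the defaults further down.
write_sshd_hardening() {
  port=$1; users=$2; out=$3
  case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  if [ -z "$users" ]; then
    echo "AllowUsers must list at least one account or you lock everyone out" >&2
    return 1
  fi
  cat > "$out" <<EOF
Port $port
PermitRootLogin no
AllowUsers $users
PubkeyAuthentication yes
# Uncomment only after a key login has succeeded from a second session:
#PasswordAuthentication no
EOF
  chmod 644 "$out"
}

# sshd_directive FILE NAME -> the value sshd takes from FILE (first match;
# directive names are case-insensitive; commented lines are ignored)
sshd_directive() {
  awk -v key="$2" '/^[ \t]*#/ { next }
                   tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# install_authorized_key HOME_DIR "ssh-ed25519 AAAA... comment"
# Creates ~/.ssh (0700) and authorized_keys (0600) and appends the key once.
# Run it as the login user, not as root, so the files keep the right owner.
install_authorized_key() (
  home=$1; key=$2
  case $key in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*|sk-*) ;;
    *) echo "not an OpenSSH public key line" >&2; exit 1 ;;
  esac
  umask 077                       # subshell body: does not leak to the caller
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
  grep -qxF "$key" "$home/.ssh/authorized_keys" ||
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
)

# Syntax-check the whole server configuration before restarting sshd.
check_sshd_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t && echo "sshd configuration OK"
  else
    echo "sshd not installed on this host; skipping syntax check" >&2
  fi
}

# Constructed placeholder key for the demonstration (not a usable key).
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlac alice@workstation'

# Usage on a real host (as root for the drop-in, as alice for the key):
#   write_sshd_hardening 52022 "alice ops" /etc/ssh/sshd_config.d/10-hardening.conf
#   check_sshd_config && systemctl restart ssh
#   install_authorized_key "$HOME" "$(cat ~/id_ed25519.pub)"
```

Leave the existing session open while you restart sshd and test the new port and key from a second terminal; only then uncomment PasswordAuthentication no and restart once more.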
Prevent weak network protocols from exposing your credentials
To prevent an attacker from harvesting usernames and passwords by sniffing the network, remove the services that send credentials in clear text (telnet, rsh/rlogin, tftp, NIS) and replace them with encrypted equivalents: SSH and SFTP, which run over the SSH transport, or TLS-protected protocols such as FTPS and HTTPS.
The following command should do the trick on Debian:
# apt-get --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server
Packages that are not installed are simply reported as such. If apt-get complains that it cannot locate one of them (package names change between releases), drop that name from the list; then check that nothing is still listening on the corresponding ports.
Reduce the attack surface… remove the non-useful packages
The more services run on your server, the more potential vulnerabilities an attacker can exploit. Removing all unnecessary software drastically reduces the attack surface and makes an attacker's life harder. List what is installed, check what a package is for, and purge what you don't need (followed by an apt-get autoremove to drop the dependencies nothing uses anymore):
# dpkg --list
# dpkg --status <package-name>
# apt-get --purge remove <package-name>
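The package list tells you what is installed, but the attack surface that matters is what is listening on the network. As an added example (not part of the original post), the script below serves both this section and the previous one: it parses the output of ss, flags cleartext login protocols by port, and looks up which package owns a listening binary so you know what to purge. It assumes iproute2's ss and dpkg (Debian); the SAMPLE lines are constructed ss output so the parser can be exercised offline, and the port list is an assumption you can extend.

```shell
#!/bin/sh
# Added example, not from the original post: audit listening sockets and
# flag cleartext-credential protocols. Assumes `ss` (iproute2) and dpkg.
# SAMPLE is constructed `ss -Hltunp` output for offline demonstration.

# Ports of protocols that carry credentials in clear text (assumed list:
# ftp, telnet, tftp, rexec, rlogin, rsh).
CLEARTEXT_PORTS="21 23 69 512 513 514"

SAMPLE='tcp   LISTEN 0  128  0.0.0.0:22  0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0  5    0.0.0.0:23  0.0.0.0:*  users:(("inetd",pid=640,fd=5))
udp   UNCONN 0  0    0.0.0.0:69  0.0.0.0:*  users:(("in.tftpd",pid=655,fd=3))
tcp   LISTEN 0  128     [::]:22     [::]:*  users:(("sshd",pid=812,fd=4))'

# Turn `ss -Hltunp` lines (stdin) into unique "proto port program" lines.
# The port is whatever follows the last ':' so IPv6 "[::]:22" works too.
parse_listeners() {
  awk '
    NF >= 5 {
      n = split($5, a, ":"); port = a[n]
      prog = "unknown"
      if (match($0, /users:\(\("[^"]+"/)) {
        prog = substr($0, RSTART + 9, RLENGTH - 10)
      }
      print $1, port, prog
    }' | sort -u
}

# Print one ALERT line per cleartext service found (stdin = ss output).
flag_cleartext() {
  parse_listeners | while read -r proto port prog; do
    for bad in $CLEARTEXT_PORTS; do
      if [ "$port" = "$bad" ]; then
        echo "ALERT $proto/$port served by $prog"
      fi
    done
  done
}

# owner_package PROGRAM -> Debian package that ships it (needs dpkg, and a
# PATH that includes /usr/sbin, i.e. run as root).
owner_package() {
  bin=$(command -v "$1" 2>/dev/null) || { echo "$1: not in PATH" >&2; return 1; }
  if command -v dpkg >/dev/null 2>&1; then
    dpkg -S "$bin" | cut -d: -f1
  fi
}

# Run against the live system (root needed to see other users' processes).
audit_live() {
  ss -Hltunp | flag_cleartext
}

# Offline demonstration on the constructed sample.
demo() {
  printf '%s\n' "$SAMPLE" | flag_cleartext
}
```

On the sample, demo reports the telnet and tftp listeners and stays silent about sshd; on a real host, feed each flagged program name to owner_package and purge the package it names.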
Prevent brute force attacks
Fail2ban is a tool with a fairly self-explanatory name: it watches log files and bans, for a configurable time, any source address that fails to log in too many times. It ships with filters for many services, SSH among them (SFTP runs over SSH, so the same jail covers it).
1. Install fail2ban
# apt-get install fail2ban
2. On Debian, the jail settings come from /etc/fail2ban/jail.conf, overridden by /etc/fail2ban/jail.d/defaults-debian.conf, which is what enables the sshd jail. Do not edit jail.conf itself, as it is replaced on upgrade; put your overrides in /etc/fail2ban/jail.local, which is read after both. In particular, set the port you chose for SSH in the [sshd] section: the ban action only blocks the ports listed there, so with the default value the bans would block port 22 while your server listens elsewhere.
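As an added example (not part of the original post), here is a helper that writes such a jail.local with the sshd jail pointed at the non-default port, and a reader that returns a setting the way fail2ban resolves it (section by section, first match). It assumes fail2ban 0.10 or later on Debian, where the jail is named sshd and time values accept suffixes such as 1h; the port, the ban parameters and the 192.0.2.0/24 management network in ignoreip are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: write /etc/fail2ban/jail.local
# for the sshd jail on a custom port and read settings back. Assumes
# fail2ban >= 0.10 on Debian. Port, timings and ignoreip are placeholders.

# write_fail2ban_jail SSH_PORT OUTFILE
write_fail2ban_jail() {
  port=$1; out=$2
  case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  cat > "$out" <<EOF
# Read after jail.conf and jail.d/*.conf; never edit jail.conf itself.
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
# Never ban loopback or the management network you administer from
# (192.0.2.0/24 is a documentation range: replace it with yours).
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

[sshd]
enabled = true
# Must match the Port directive in sshd_config, or bans hit the wrong port.
port    = $port
# "aggressive" also matches pre-auth disconnects and probing, not just
# failed passwords.
mode    = aggressive
EOF
}

# jail_setting FILE SECTION KEY -> value as fail2ban reads it from FILE
# (exact section match, first occurrence of KEY, comments ignored)
jail_setting() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { in_sec = 1; next }
    /^\[/     { in_sec = 0 }
    in_sec && $1 == key { print $3; exit }
  ' "$1"
}

# Live check once the service runs (needs root): shows the ports the jail
# protects and the currently banned addresses.
fail2ban_status() {
  if command -v fail2ban-client >/dev/null 2>&1; then
    fail2ban-client status sshd
  else
    echo "fail2ban-client not found; install fail2ban first" >&2
    return 1
  fi
}

# Usage on a real host:
#   write_fail2ban_jail 52022 /etc/fail2ban/jail.local
#   systemctl restart fail2ban && fail2ban_status
```

After restarting, fail2ban_status must list your SSH port under the jail's port list; if it still shows ssh (22), the override was not picked up.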
Enable AppArmor
AppArmor protects the system against both known and unknown vulnerabilities by confining programs with profiles that specify which files a given program may access (and which capabilities and network operations it may use): even if the program is compromised, the attacker is limited to what the profile permits.
1. Install AppArmor
# apt-get install apparmor apparmor-utils
2. Enable AppArmor at boot. This step is needed on Debian 9 and earlier; since Debian 10 AppArmor is installed and enabled by default, so you can skip to step 3.
# echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' | tee /etc/default/grub.d/apparmor.cfg
# update-grub
The single quotes are intentional: the variable must stay unexpanded in the file, which grub-mkconfig sources when update-grub runs. Reboot for the new kernel parameters to take effect.
3. Now you just need to find and enforce the profiles needed for your system. The profiles are located in /etc/apparmor.d; aa-status shows which profiles are loaded and whether they are in enforce or complain mode, and aa-enforce switches a profile to enforce mode once you have reviewed its complain-mode log entries and are sure it does not break the service.
The intent of this article is not to give an exhaustive list of everything you could do to protect your systems, but to provide the basic steps for hardening a server. Following these practices will markedly improve the security posture of your servers and make an attacker's work considerably harder.