12 Linux Tips/Tricks That Will Help You to Improve Security
We live in a dangerous time: almost every day new vulnerabilities are discovered, exploits are created on their basis, under the impact there can be both an ordinary home computer on Linux, and a server on which a huge organization depends.
Perhaps you pay attention to security and periodically update the system, but usually, this is not enough. Therefore, today we will share twelve tips for improving the security of Linux-based systems using CentOS 7 as an example.
1) Terminal Protection
In order to improve the security of the system, you can protect console access to it, limiting the root user to the use of certain terminals. You can do this by specifying the terminals that the superuser can use in the /etc/securetty file.
It is recommended, although it is not necessary, to allow the superuser to log in from only one terminal, leaving the rest for other users.
2) Password Change Reminders
Today, a complex password is an absolutely necessary thing. However, it’s even better when passwords are changed regularly. It’s easy to forget about that, so it’s good to use some kind of system reminders about the age of the password, and about when it needs to be changed.
We offer you two ways to organize such reminders. The first is to use the change command, the second is to set the default values in /etc/login.defs.
The call to the change command looks like this:
$ chage -M 20 likegeeks
Here we use the -M switch to set the expiry date for the password in days.
You can use this command without keys, then she herself will propose to enter the necessary value:
$ chage likegeeks
The second way is to modify the /etc/login.defs file. Here is an example of how the values of interest to us might look. You can change them to the ones you need:
PASS_MAX_DAYS 10 PASS_MIN_DAYS 0 PASS_WARN_AGE 3
Remember that if you are playing the role of administrator, you should encourage users to use complex passwords. You can do this with pam_cracklib.
After installing this program, you can go to /etc/pam.d/system-auth and enter something like this:
password required pam_cracklib.so minlen=12 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1
3) Notifications sudo
The sudo team, on the one hand, makes life easier, and on the other, can cause problems with Linux security, which can lead to irreparable consequences. The sudo settings are stored in the /etc/sudoers file. With this file, you can prevent ordinary users from running some commands on behalf of the superuser. In addition, you can make sure that the sudo command sends an email when it is used, adding the following to the above file:
You also need to set the mail_always property to on:
4) Secure SSH
If we are talking about Linux security, then we should remember about the SSH service. SSH is an important system service, it allows you to remotely connect to the system, and sometimes this is the only way to save the situation when something goes wrong, so we are not talking about disabling SSH here.
Here we use CentOS 7, so the SSH configuration file can be found at etc/ssh/sshd_config. Scanners or bots used by attackers try to connect to SSH using the default port 22.
It is common practice to change the standard SSH port to another, unused port, for example, to 5555. The SSH port can be changed by specifying the desired port number in the configuration file. For example, this:
In addition, you can limit the SSH login for the root user by changing the value of the PermitRootLogin parameter to no:
And, of course, it is necessary to disable authentication using a password and use public and private keys instead:
PasswordAuthentication no PermitEmptyPasswords no
Now let’s talk about timeouts for SSH. The problem of time-outs can be solved by setting some parameters. For example, the following settings assume that packets that support a connection will be sent automatically after a specified number of seconds:
ServerAliveInterval 15 ServerAliveCountMax 3 TCPKeepAlive yes
Having adjusted these parameters, you can increase the connection time:
ClientAliveInterval 30 ClientAliveCountMax 5
You can specify which users are allowed to use SSH:
AllowUsers user1 user2
Permissions can also be assigned at the group level:
AllowGroup group1 group2
5) Secure SSH using Google Authenticator
For the even more reliable protection of SSH, you can use two-factor authentication, for example, using Google Authenticator. To do this, you first need to install the appropriate program:
$ yum install google-authenticator
Then run it to test the installation:
It also requires that the Google Authenticator application is installed on your phone.
Edit the /etc/pam.d/sshd file with the following:
auth required pam_google_authenticator.so
Now all that’s left is to report all this to SSH by adding the following line to the /etc/ssh/sshd_config file:
Now restart SSH:
$ systemctl restart sshd
When you try to log in using SSH, you will be asked to enter a verification code. As a result, now SSH-access to your system is much better protected than before.
6) Monitoring the file system with Tripwire
A tripwire is a great tool for improving Linux security. This is an intrusion detection system (HIDS).
The task of Tripwire is to monitor actions with the file system, monitor who changes files, and when these changes occur.
In order to install Tripwire, you need access to the EPEL repository. This task is not difficult, you can solve it by the following commands:
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm $ rpm -ivh epel-release-7-9.noarch.rpm
After installing the EPEL repository, you can also install Tripwire:
$ sudo yum install tripwire
Now create a key file:
You will be asked to enter a complicated password for the key file. After that, you can configure Tripwire, making changes to the file /etc/tripwire/twpol.txt. It is not difficult to work with this file because each line is equipped with a meaningful comment.
When the program setup is complete, initialize it:
$ tripwire --init
The initialization, during which the system is scanned, will take some time, depending on the size of your files.
Any modification of the protected files is regarded as an intrusion, the administrator will be notified about this and he will need to restore the system using files in the origin of which he does not doubt.
For this reason, the necessary changes to the system must be confirmed with Tripwire. To do this, use the following command:
$ tripwire --check
And here’s another recommendation regarding Tripwire. Protect the files twpol.txt and twcfg.txt. This will increase the security of the system.
Tripwire has many parameters and settings. To see the help on it it is possible to:
7) Using Firewalld
Firewalld is a replacement for iptables, this program improves Linux network security. Firewalld allows you to make changes to settings without stopping current connections. The firewall works as a service that allows you to add and change rules without restarting and uses network zones.
In order to find out if firewalld is currently running, enter the following command:
$ firewall-cmd --state
You can see the predefined network zones as follows:
$ firewall-cmd --get-zones
Each of these zones has a certain level of trust.
You can update this value as follows:
$ firewall-cmd --<span class="hljs-keyword">set</span>-<span class="hljs-keyword">default</span>-zone=<<span class="hljs-keyword">new</span>-name>
You can get detailed information about a specific zone as follows:
$ firewall-cmd --zone=<zone-name> --<span class="hljs-keyword">list</span>-<span class="hljs-keyword">all</span>
To see a list of all supported services, use the following command:
$ firewall-cmd --<span class="hljs-keyword">get</span>-services
Then you can add new services to the zone or remove existing ones:
$ firewall-cmd --zone=<span class="hljs-tag"><<span class="hljs-name">zone-name</span>></span> --add-service=<span class="hljs-tag"><<span class="hljs-name">service-name</span>></span> $ firewall-cmd --zone=<span class="hljs-tag"><<span class="hljs-name">zone-name</span>></span> --remove-service=<span class="hljs-tag"><<span class="hljs-name">service-name</span>></span>
You can display information about all open ports in any zone:
$ firewall-cmd --zone=<zone-<span class="hljs-built_in">name</span>> --<span class="hljs-built_in">list</span>-ports
Add ports to the zone and remove them from it like this:
$ firewall-cmd --zone=<zone-name> --<span class="hljs-built_in">add</span>-port=<port-<span class="hljs-keyword">number</span>/protocol> $ firewall-cmd --zone=<zone-name> --<span class="hljs-built_in">remove</span>-port=<port-<span class="hljs-keyword">number</span>/protocol>
You can configure and redirect ports:
$ firewall-cmd --zone=<zone-name> --<span class="hljs-keyword">add</span>-<span class="hljs-keyword">forward</span>-port=<port-number> $ firewall-cmd --zone=<zone-name> --<span class="hljs-keyword">remove</span>-<span class="hljs-keyword">forward</span>-port=<port-number>
Firewalld is a very advanced tool. The most remarkable thing about it is that it can work normally, for example, when making changes to settings, without restarts or service stops. This distinguishes it from the iptables tool, which requires you to restart the service in similar situations.
8) Switching from firewalld to iptables
Some prefer the firewall iptables firewalld. If you use firewalld but want to go back to iptables, it’s pretty simple.
First, disable firewalld:
$ systemctl disable firewalld $ systemctl stop firewalld
Then install iptables:
$ yum install iptables-services $ touch /etc/sysconfig/iptables $ touch /etc/sysconfig/ip6tables
Now you can start the iptables service:
$ systemctl start iptables $ systemctl start ip6tables $ systemctl enable iptables $ systemctl enable ip6tables
After all, this, restart the computer.
9) Restriction of compilers
The attacker can compile an exploit on his computer and upload it to the server of interest. Naturally, with this approach, the presence of compilers on the server does not play a role. However, it is better to limit compilers if you do not use them for work, as is the case with most modern server management systems.
First, list all the binary compiler files from the packages, and then set the permissions for them:
$ rpm -<span class="hljs-keyword">q</span> --filesbypkg gcc | <span class="hljs-keyword">grep</span> <span class="hljs-string">'bin'</span>
Create a new group:
$ groupadd compilerGroup
Then change the group of binary compiler files:
$ chown <span class="hljs-string">root:</span>compilerGroup <span class="hljs-regexp">/usr/</span>bin/gcc
And one more important thing. You need to change the permissions of these binary files:
$ <span class="hljs-keyword">chmod</span> <span class="hljs-number">0750</span> /usr/bin/gcc
Now any user who tries to use gcc will receive an error message.
10) Preventing modification of files
Immutable files cannot be overwritten by any user, even having root-rights. The user can not modify or delete such a file until the immunity flag is set, which can only be removed by the root user.
It’s easy to see that this feature protects you, as a superuser, from errors that can disrupt the system. Using this approach, you can protect configuration files or any other files you want.
The attribute of immunity can be deleted by such a command chattr:
$ chattr +<span class="hljs-selector-tag">i</span> /myscript
In order to make any file immune, use the chattr command:
$ chattr -<span class="hljs-selector-tag">i</span> /myscript
So you can protect any files, but remember that if you processed binary system files in this way, you will not be able to update them until you remove the immunity flag.
11) Managing SELinux with aureport
Often the system of forced access control SELinux turns out, by default, to be disabled. This does not affect the performance of the system, and it’s quite difficult to work with SELinux. However, for the sake of security, SELinux can be enabled, and it is possible to simplify the management of this mechanism using aureport.
The aureport utility allows you to create reports based on audit log files.
$ aure<span class="hljs-keyword">port</span> <span class="hljs-comment">--avc</span>
The list of executable files can be displayed with the following command:
$ aure<span class="hljs-keyword">port</span> -x
You can use aureport to create a full authentication report:
$ aure<span class="hljs-keyword">port</span> -au -i
You can also display information about unsuccessful authentication attempts:
$ aureport -au --<span class="hljs-selector-tag">summary</span> -<span class="hljs-selector-tag">i</span> --failed
Or, perhaps, a summary of successful authentication attempts:
$ aureport -au --<span class="hljs-selector-tag">summary</span> -<span class="hljs-selector-tag">i</span> --success
The aureport utility greatly simplifies the work with SELinux.
12) Using a sealert
In addition to aureport, you can use a good Linux security tool called sealert. You can install it like this:
$ yum install setools
Now we have a tool that will issue alerts from the file /var/log/audit/audit.log and give us more information about the problems detected by SELinux.
You can use it like this:
$ sealert -<span class="hljs-keyword">a</span> /var/<span class="hljs-built_in">log</span>/audit/audit.<span class="hljs-built_in">log</span>
The most interesting thing here is that it alerts you can find tips on how to solve the relevant problems.
We hope that the tips are given here help you make your Linux installation safer. However, if it is a question of information protection, it is impossible, using some measures, to consider that now nothing threatens you. Any security software should always be vigilant and careful.