Linux Security Tips
Today I'm going to show you some Linux security tips, so you can sleep well tonight.
Developing a security policy
Create a generic policy that applies to all your systems and that your users can readily understand and follow. It should protect the data and the privacy of the users. Some things to consider adding are: who has access to the system, who is allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system. Remember:
That which is not permitted is prohibited
Unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account. Saying, "Ah, I can't figure out this permissions problem, I'll just do it as root" can lead to security holes, both very obvious ones and ones that haven't been exploited yet.
Also read: Managing Linux Permissions
Physical System Security
In the BIOS, disable booting from CD/DVD or external devices, enable a BIOS password, and protect GRUB with a password to restrict physical access to your system.
Use secure remote login
SSH key authentication is one of the most secure methods of authenticating over Secure Shell. Public key authentication uses a pair of computer-generated keys: one public and one private. This lets you turn off password authentication in SSH so that your server can't be brute-forced.
Learn how to set up an SSH key by reading: SSH Key On Linux
Keep your system up to date
Constantly applying security patches is an important part of the day-to-day work of a Linux sysadmin. Linux provides all the necessary tools to keep your system updated. All security updates should be reviewed and applied as soon as possible. To apply all security updates, use your distribution's default package manager (yum on RPM-based systems, apt-get on Debian-based systems):
# yum update
# apt-get update && apt-get upgrade
Check listening network ports
With the help of the 'netstat' networking command you can view all open ports and their associated programs. Use the 'chkconfig' command, as described under "Disable unwanted services" below, to disable all unwanted network services on the system.
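Listing ports is only useful if you compare the result against what the server is supposed to expose. The script below is an added example, not part of the original post: it reads netstat -tulpn style output on standard input and reports every listener that is bound to a non-loopback address and whose port is not in a space-separated allowlist. The sample output it ships with is constructed (the PIDs, programs and addresses are made up for the demonstration); the allowlist "22 80" is an assumption standing in for whatever your policy permits.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on the allowlist.
# Input format assumed: "netstat -tulpn" (proto, recv-q, send-q, local, foreign,
# [state], pid/program). UDP lines have no State column, so the program is $6.

# unexpected_listeners "PORT PORT ..." < netstat_output
# Prints "<proto> <port> <pid/program>" for each non-loopback listener whose
# port is not allowed. Exit status 1 when at least one was found, else 0.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }        # skip headers / banner lines
        $1 ~ /^tcp/ && $6 != "LISTEN"  { next }        # TCP: only listening sockets
        {
            addr = $4
            port = addr; sub(/.*:/, "", port)          # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)      # everything before it
            # Loopback-only listeners are not reachable from the network; skip them
            # so the report concentrates on what is actually exposed.
            if (host == "127.0.0.1" || host == "::1") next
            prog = ($1 ~ /^udp/) ? $6 : $7
            if (!(port in ok)) { print $1, port, prog; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample in netstat -tulpn format (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1201/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      1433/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
EOF
}

# Usage on a live system (assumes the allowlist 22 80):
#   netstat -tulpn | unexpected_listeners "22 80"
# Against the sample this prints "tcp 111 640/rpcbind" and "udp 68 700/dhclient".
```

The loopback exclusion is deliberate: a database bound to 127.0.0.1 is a much smaller concern than rpcbind on 0.0.0.0, and the report should point at what remote hosts can reach. Anything the script lists either needs to be added to the allowlist with a reason, or its service needs to be stopped and disabled as described later in this post.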
Disable root login
A user should never log in as root. Use sudo to execute root-level commands as and when required.
Check system logs regularly
Constantly check your system logs to track errors and changes on your servers. Here are the most common Linux log files and their uses:
- /var/log/messages – General system messages and current activity logs.
- /var/log/auth.log – Authentication logs.
- /var/log/kern.log – Kernel logs.
- /var/log/cron.log – Crond logs (cron jobs).
- /var/log/maillog – Mail server logs.
- /var/log/boot.log – System boot log.
- /var/log/mysqld.log – MySQL database server log file.
- /var/log/secure – Authentication log.
- /var/log/utmp or /var/log/wtmp – Login records.
- /var/log/yum.log – Yum log file.
Consider configuring a remote logging server that is updated regularly to protect against an intruder compromising your log files without your knowledge.
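"Check the logs" is easier to do regularly when it is scripted. The following is an added example, not from the original post: two small filters for the authentication log (/var/log/auth.log on Debian-based systems, /var/log/secure on RPM-based ones). The first counts failed SSH password attempts per source address and reports sources at or above a threshold; the second extracts the commands run through sudo, which is exactly the trail the "use sudo instead of root" tip leaves behind. The log lines embedded in the block are constructed, using documentation address ranges, and the threshold of 3 is an arbitrary assumption.

```shell
#!/bin/sh
# Added example: summarise the authentication log.

# failed_logins_by_source [THRESHOLD] < auth.log
# Prints "<count> <source-ip>" for every source with at least THRESHOLD failed
# SSH password attempts, highest count first.
failed_logins_by_source() {
    threshold=${1:-3}
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The address is the field just before the last "port". Scan from the
            # end of the line: the username part is attacker-controlled and could
            # itself contain words such as "from", which would mislead a
            # left-to-right search.
            for (i = NF; i > 1; i--) if ($i == "port") { count[$(i - 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }' | sort -rn
}

# sudo_commands < auth.log
# Prints "<user> <command>" for each command executed through sudo.
sudo_commands() {
    awk -F'sudo: ' '/ sudo: / {
        split($2, parts, " : ")
        user = parts[1]; gsub(/^ +| +$/, "", user)
        cmd = $2; sub(/.*COMMAND=/, "", cmd)
        print user, cmd
    }'
}

# Constructed sample auth.log lines (hostnames, PIDs and addresses are made up).
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:15:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  3 10:15:03 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Mar  3 10:15:05 web1 sshd[2240]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar  3 10:16:11 web1 sshd[2251]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2: RSA SHA256:constructed
Mar  3 10:17:40 web1 sshd[2260]: Failed password for bob from 198.51.100.20 port 40200 ssh2
Mar  3 10:18:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
EOF
}

# Usage on a live system:
#   failed_logins_by_source 3 < /var/log/auth.log
#   sudo_commands < /var/log/auth.log
# Against the sample, the first prints "3 203.0.113.7" and the second
# "alice /bin/systemctl restart nginx".
```

Run both against the copy on the remote log server rather than on the host itself: if the host has been compromised, its local log files are the first thing an intruder edits, which is the point of the sentence above.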
Always keep a backup of your system
On a production system, it is necessary to back up important files and keep the backups in a safe vault, at a remote site, or otherwise offsite for disaster recovery.
Also read: Linux Backup Tools
Display SSH banners
It's always a good idea to display a legal or security banner with some security warnings before SSH authentication. You can include information on what not to do on your system and the legal or work repercussions.
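The three SSH tips in this post (key-only authentication, no root login, a pre-authentication banner) are all settings in sshd_config. The script below is an added example, not the post's own code: it applies those settings to a configuration file and then checks the values sshd would actually use (the first uncommented occurrence of each keyword). The file path and the banner path /etc/issue.net are parameters; the sample configuration inside the script is constructed. It does not handle Match blocks, and it appends missing keywords at the end of the file, which is only correct when the file has no Match block at its end.

```shell
#!/bin/sh
# Added example: harden and verify an sshd_config file.

# set_sshd_option FILE KEYWORD VALUE
# Rewrites every existing (possibly commented-out) "KEYWORD ..." line to
# "KEYWORD VALUE", or appends the line when the keyword is absent.
# Assumes no Match block at the end of FILE (an appended line would land in it).
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_value FILE KEYWORD
# sshd uses the first uncommented occurrence of a keyword; print its value.
effective_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd_config FILE [BANNER]
# Keys only, no root login, and a banner shown before authentication.
harden_sshd_config() {
    file=$1; banner=${2:-/etc/issue.net}
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" Banner "$banner"
}

# check_sshd_config FILE
# Returns 0 when the effective settings match the policy, 1 otherwise.
check_sshd_config() {
    file=$1; rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    [ -n "$(effective_value "$file" Banner)" ] || { echo "FAIL: no Banner configured"; rc=1; }
    return $rc
}

# Demonstration on a constructed sample (not a real server's file).
demo_sshd_hardening() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# Constructed sample resembling a stock sshd_config
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
PasswordAuthentication yes
#Banner none
EOF
    if check_sshd_config "$cfg" >/dev/null; then
        echo "unexpected: sample passed before hardening"; rm -f "$cfg"; return 1
    fi
    harden_sshd_config "$cfg" /etc/issue.net
    if check_sshd_config "$cfg"; then result=0; else result=1; fi
    rm -f "$cfg"
    return $result
}
```

On a real host, run harden_sshd_config on a copy of /etc/ssh/sshd_config, validate the copy with `sshd -t -f copy` before putting it in place, and keep an existing session open while you reload, so that a mistake in the key setup cannot lock you out.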
Disable unwanted services
Your servers will most likely have many services running which are not required, and some may be configured to run at start-up. It is a good idea to disable all unnecessary services and daemons (services that run in the background) and to remove unwanted services from the system start-up. Type the following command to list all services which are started at boot time in run level 3, then stop and disable any you do not need:
# chkconfig --list | grep '3:on'
# service serviceName stop
# chkconfig serviceName off
Also read: Systemd
Turn on SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing a security mechanism from the system. Think carefully before removing it; if your system is attached to the internet and accessed by the public, think some more.
SELinux provides three basic modes of operation:
- Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
- Permissive: In this mode, SELinux does not enforce the security policy on the system; it only warns and logs actions. This mode is very useful for troubleshooting SELinux-related issues.
- Disabled: SELinux is turned off.
You can view the current SELinux mode from the command line using the 'system-config-selinux', 'getenforce' or 'sestatus' commands.
Remove unnecessary software
Avoid installing unnecessary software, to avoid vulnerabilities in that software. Use your package manager (yum on RPM-based systems, apt-get and/or dpkg on Debian-based systems) to review the full set of installed software packages on a system and delete all unwanted packages.
# yum list installed
# yum list packageName
# yum remove packageName
# dpkg --list
# dpkg --info packageName
# apt-get remove packageName
Review the firewall rules
It is important to constantly review the firewall rules; use the firewall to filter out traffic and allow only the necessary traffic.
Also read: Some Linux Iptables Examples
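"Allow only necessary traffic" means a default-deny INPUT policy with explicit exceptions, and a ruleset is far easier to review when it is generated from a short list of permitted ports rather than hand-edited. The block below is an added example, not from the original post: it emits an iptables-restore ruleset with a DROP policy, loopback and established-connection exceptions, one ACCEPT per allowed TCP port, and a rate-limited LOG rule so that dropped packets show up in the kernel log mentioned earlier. The port list "22 80" is an assumption; the second function reads a ruleset back and lists the ports it opens, which is the check a reviewer wants.

```shell
#!/bin/sh
# Added example: generate and review a default-deny iptables ruleset.

# firewall_ruleset "PORT PORT ..."
# Writes an iptables-restore (IPv4) ruleset to stdout. Ports must be numeric;
# anything else is rejected so a typo cannot silently open a service.
firewall_ruleset() {
    ports=$1
    for p in $ports; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter'
    # Default policy: drop inbound and forwarded traffic, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, and related traffic (e.g. ICMP errors).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # One explicit exception per permitted service port.
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what falls through to the DROP policy, rate-limited to keep the log usable.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# opened_ports < ruleset
# Lists the TCP ports an INPUT ruleset accepts, one per line, for review.
opened_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /--dport/ && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# Usage (assumes SSH and HTTP are the only services to expose):
#   firewall_ruleset "22 80" > /tmp/rules.v4
#   opened_ports < /tmp/rules.v4        # prints 22 and 80
#   iptables-restore < /tmp/rules.v4    # as root, on the host
```

After loading, compare `iptables -S INPUT` with the generated file: any ACCEPT rule that is not in the file was added by something else and deserves an explanation. IPv6 is filtered separately by ip6tables, so a host with IPv6 addresses needs an equivalent ruleset loaded with ip6tables-restore, otherwise the default-deny policy covers only half of the traffic.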
Remove X Windows
There is no need to run desktop environments like KDE or GNOME on a dedicated server (such as a mail or Apache web server). You can remove or disable them to increase security. To disable them, open and edit the file:
/etc/inittab and set run level to 3
If you wish to remove it completely from the system, use the command below.
# yum groupremove "X Window System"