Post on 17-Jan-2016
Securing Linux
By Terrance Marcelle
The CIA Triad
ConfidentialityIntegrityAvailability
PartitionsDefault
PartitionsRecommended
Partitions• A user stores too many files in their home
directory
• A user intentionally runs malicious code or a bad command to fill up as much space as possible– cat /dev/zero > zerofile
• Excess logging
• /dev /tmp are not mounted with noexec, nodev
and nosuid
Encryption at RestShould you Encrypt?Depends on the type of informationYou may only want to encrypt portions of the
drive
What happens if……Server / hard-drive gets stolenThe drive space is reallocated to another VM
in a hypervisor setting.
Encryption in transitWhy encrypt data in transit ?
So your information doesn’t get stolen.
Recommendations:https over httpsftp,scp over ftpsnmpv3 over snmpv2 and 1
SSH and user loginsDefaultsAllowed to login with the root account via ssh (Centos)
Disallowed by default in Ubuntu
SSH and user loginRecommendations
Disable root account login via ssh
/etc/ssh/sshd_config
#PermitRootLogin
P.S. make sure you have console access or another user with privileges created
SSH and user loginInstall a third party programs like DenyHosts, fail2ban and dosdeflate to monitor invalid logins and block originating ipaddresses
Login information storageCentos (/var/log/secure)Ubuntu(/var/log/auth.log)
Passwords
What happens by defaultOnly gives a warning if the password is considered weak, but still lets you create it
Password are never set to expireOld passwords can be reused
PasswordsRecommendedEnforce password aging, minimum length, reuse
and complexity.
CentOS /etc/login.defs , /etc/pam.d/system-auth-ac
Ubuntu (install the cracklib pam module) /etc/login.defs , /etc/pam.d/common-password
Passwords
/etc/login.def Controls Max Age, Min Age, Warning,
PASS_MAX_DAYS 150 PASS_MIN_DAYS 0 PASS_WARN_AGE 7
/etc/pam.d/common-passwords and /etc/pam.d/system-auth-ac
Controls Password Complexity, Password re-use and Password Length. password required pam_cracklib.so minlen=8 difok=3 lcredit=-1
ucredit=-1 dcredit=-2 ocredit=-1
Why do we need to secure Linux
2011 2012 2013 2014 2015
password password 123456 123456 ??
123456 123456 password password ??
12345678 12345678 12345678 12345 ??
qwerty abc123 qwerty 12345678 ??
abc123 qwerty abc123 qwerty ??
monkey monkey 123456789 123456789 ??
1234567 letmein 111111 1234 ??
letmein dragon 1234567 baseball ??
trustno1 111111 iloveyou dragon ??
Updates and Upgrades
Keeping you systems up to dateSecurity Updates Bug Fixes
What programs are used?Centos (yum / rpm)Ubuntu (apttitude / dpkg)
Updates and Upgrades
Recommended
Consistent maintenance planCentralized package /patch management
System (spacewalk, redhat Satellite, Landscape, foreman, katello(candlepin, pulp) )
Automatic Updates ?
User Quotas What is it?
Limit the amount of storage a user or group can use.
Why is it necessary? Because people…
How is it implemented? /etc/fstab LABEL=/home /home ext2 defaults,usrquota,grpquota 1 2 mount -o remount /home quotacheck -cvug (creates the quota files) ls -l /home/ edquota username quotaon -a
Disk quotas for user username(uid 500): Filesystem blocks soft hard inodes soft hard /dev/sda3 1419352 0 0 1686 0 0
Firewalls Controls incoming and outgoing network traffic based on a
set of rules One of the last lines of defense for your server.
Both CentOS and Ubuntu come with iptables Tool allows you to perform very fine grained control of network related
transactions through a set of rules. iptables control network related rules for the IPV4 standard ip6tables deals with the ipv6 standard
Firewalls Example Configuration:
iptables -I INPUT 3 -p tcp -i eth0 -s 192.168.220.25 --dport 22 -m state --state NEW,ESTABLISHED -m comment --comment “SSH access limited to carl’s computer” -j ACCEPT
Alternative Mangaerment (ufw, apf)
Firewalld (centos 7)
Logging Logs are located in /var/log
/var/log/messages – Contains global system messages, system startup information,mail, cron, daemon, kern, auth, etc.
/var/log/boot.log – Logs system booting information.
/var/log/dmesg –kernel ring buffer information. Logs messages about hardware devices detected by the kernel kernel during boot. The content can also be viewed by typing the dmesg command.
/var/log/auth.log – Contains user logins and authentication mechanisms that were used in Ubuntu.
/var/log/secure - Contains user logins and authentication mechanisms that were used in Centos.
LoggingTHE AUDIT LOG: /var/log/audit Linux audit allows you to comprehensively log and track
access to files, directories, and resources of your system, as well as trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions
Rule to log every attempt to read or modify the /etc/ssh/sshd_config file: auditctl -w /etc/ssh/sshd_config -p rwxa -k sshd_config
If the auditd daemon is running, running the following command creates a new event in the Audit log file:
~]# cat /etc/ssh/sshd_config
Logging
THE AUDIT LOG continued ausearch - a command that can query the audit daemon logs
based for events based on different search criteria. ausearch -f /etc/sshd_config (searches on file name) ausearch -k sshd_config (searches on keyname created to represent
file)
aureport - a tool that produces summary reports of the audit system logs.
Advanced Configurations Disable / blacklist devices (modprobe)
Tune Kernel Parameters (sysctl)
Limit system wide resource usage (ulimit)
Cron jobs (limit cron users cron.allow, cron.deny)
Control Keys (Ctrl-alt-delete)
ICMP (disable)
selinux and apparmor
Avanced Configurations continued Password protect grub Password protect Single user mode
Complete Security Packages
Are there any tools to help? http://www.ossec.net/ http://bastille-linux.sourceforge.net/index.html https://cisofy.com/lynis/http://www.open-scap.org/page/Main_Page
References General Hardening https://wiki.centos.org/HowTos/OS_Protection http://hardenubuntu.com/
Disk Encryption https://www.linux.com/community/blogs/133-general-linux/83
1121-how-to-full-encrypt-your-linux-system-with-lvm-on-luks https://access.redhat.com/documentation/en-US/Red_Hat_E
nterprise_Linux/7/html/Security_Guide/sec-Encryption.html
References
Password Hardening https://en.wikipedia.org/wiki/Linux_PAM http://xmodulo.com/set-password-policy-linux.html http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
Logs (Audit Logs) https://
access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html