Securing Linux

By Terrance Marcelle

The CIA Triad

ConfidentialityIntegrityAvailability

PartitionsDefault

PartitionsRecommended

Partitions• A user stores too many files in their home

directory

• A user intentionally runs malicious code or a bad command to fill up as much space as possible– cat /dev/zero > zerofile

• Excess logging

• /dev /tmp are not mounted with noexec, nodev

and nosuid

Encryption at RestShould you Encrypt?Depends on the type of informationYou may only want to encrypt portions of the

drive

What happens if……Server / hard-drive gets stolenThe drive space is reallocated to another VM

in a hypervisor setting.

Encryption in transitWhy encrypt data in transit ?

So your information doesn’t get stolen.

Recommendations:https over httpsftp,scp over ftpsnmpv3 over snmpv2 and 1

SSH and user loginsDefaultsAllowed to login with the root account via ssh (Centos)

Disallowed by default in Ubuntu

SSH and user loginRecommendations

Disable root account login via ssh

/etc/ssh/sshd_config

#PermitRootLogin

P.S. make sure you have console access or another user with privileges created

SSH and user loginInstall a third party programs like DenyHosts, fail2ban and dosdeflate to monitor invalid logins and block originating ipaddresses

Login information storageCentos (/var/log/secure)Ubuntu(/var/log/auth.log)

Passwords

What happens by defaultOnly gives a warning if the password is considered weak, but still lets you create it

Password are never set to expireOld passwords can be reused

PasswordsRecommendedEnforce password aging, minimum length, reuse

and complexity.

CentOS /etc/login.defs , /etc/pam.d/system-auth-ac

Ubuntu (install the cracklib pam module) /etc/login.defs , /etc/pam.d/common-password

Passwords

/etc/login.def Controls Max Age, Min Age, Warning,

PASS_MAX_DAYS 150 PASS_MIN_DAYS 0 PASS_WARN_AGE 7

/etc/pam.d/common-passwords and /etc/pam.d/system-auth-ac

Controls Password Complexity, Password re-use and Password Length. password required pam_cracklib.so minlen=8 difok=3 lcredit=-1

ucredit=-1 dcredit=-2 ocredit=-1

Why do we need to secure Linux

2011 2012 2013 2014 2015

password password 123456 123456 ??

123456 123456 password password ??

12345678 12345678 12345678 12345 ??

qwerty abc123 qwerty 12345678 ??

abc123 qwerty abc123 qwerty ??

monkey monkey 123456789 123456789 ??

1234567 letmein 111111 1234 ??

letmein dragon 1234567 baseball ??

trustno1 111111 iloveyou dragon ??

Updates and Upgrades

Keeping you systems up to dateSecurity Updates Bug Fixes

What programs are used?Centos (yum / rpm)Ubuntu (apttitude / dpkg)

Updates and Upgrades

Recommended

Consistent maintenance planCentralized package /patch management

System (spacewalk, redhat Satellite, Landscape, foreman, katello(candlepin, pulp) )

Automatic Updates ?

User Quotas What is it?

Limit the amount of storage a user or group can use.

Why is it necessary? Because people…

How is it implemented? /etc/fstab LABEL=/home /home ext2 defaults,usrquota,grpquota 1 2 mount -o remount /home quotacheck -cvug (creates the quota files) ls -l /home/ edquota username quotaon -a

Disk quotas for user username(uid 500): Filesystem blocks soft hard inodes soft hard /dev/sda3 1419352 0 0 1686 0 0

Firewalls Controls incoming and outgoing network traffic based on a

set of rules One of the last lines of defense for your server.

Both CentOS and Ubuntu come with iptables Tool allows you to perform very fine grained control of network related

transactions through a set of rules. iptables control network related rules for the IPV4 standard ip6tables deals with the ipv6 standard

Firewalls Example Configuration:

iptables -I INPUT 3 -p tcp -i eth0 -s 192.168.220.25 --dport 22 -m state --state NEW,ESTABLISHED -m comment --comment “SSH access limited to carl’s computer” -j ACCEPT

Alternative Mangaerment (ufw, apf)

Firewalld (centos 7)

Logging Logs are located in /var/log

/var/log/messages – Contains global system messages, system startup information,mail, cron, daemon, kern, auth, etc.

/var/log/boot.log – Logs system booting information.

/var/log/dmesg –kernel ring buffer information. Logs messages about hardware devices detected by the kernel kernel during boot. The content can also be viewed by typing the dmesg command.

/var/log/auth.log – Contains user logins and authentication mechanisms that were used in Ubuntu.

/var/log/secure - Contains user logins and authentication mechanisms that were used in Centos.

LoggingTHE AUDIT LOG: /var/log/audit Linux audit allows you to comprehensively log and track

access to files, directories, and resources of your system, as well as trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions

Rule to log every attempt to read or modify the /etc/ssh/sshd_config file: auditctl -w /etc/ssh/sshd_config -p rwxa -k sshd_config

If the auditd daemon is running, running the following command creates a new event in the Audit log file:

~]# cat /etc/ssh/sshd_config

Logging

THE AUDIT LOG continued ausearch - a command that can query the audit daemon logs

based for events based on different search criteria. ausearch -f /etc/sshd_config (searches on file name) ausearch -k sshd_config (searches on keyname created to represent

file)

aureport - a tool that produces summary reports of the audit system logs.

Advanced Configurations Disable / blacklist devices (modprobe)

Tune Kernel Parameters (sysctl)

Limit system wide resource usage (ulimit)

Cron jobs (limit cron users cron.allow, cron.deny)

Control Keys (Ctrl-alt-delete)

ICMP (disable)

selinux and apparmor

Avanced Configurations continued Password protect grub Password protect Single user mode

Complete Security Packages

Are there any tools to help? http://www.ossec.net/ http://bastille-linux.sourceforge.net/index.html https://cisofy.com/lynis/http://www.open-scap.org/page/Main_Page

References General Hardening https://wiki.centos.org/HowTos/OS_Protection http://hardenubuntu.com/

Disk Encryption https://www.linux.com/community/blogs/133-general-linux/83

1121-how-to-full-encrypt-your-linux-system-with-lvm-on-luks https://access.redhat.com/documentation/en-US/Red_Hat_E

nterprise_Linux/7/html/Security_Guide/sec-Encryption.html

References

Password Hardening https://en.wikipedia.org/wiki/Linux_PAM http://xmodulo.com/set-password-policy-linux.html http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

Logs (Audit Logs) https://

access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html

http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html