23 Hardening Tips to Secure your Linux Server
Posted by Jarrod on September 1, 2015


It is important to secure a Linux system as much as possible in order to reduce the likelihood of compromise. Here are 23 security tips to guide you through hardening your Linux operating system.

Index
1. Patch the Operating System
2. Patch Third Party Applications
3. Disable Remote Root Access
4. Disable Root Console Access
5. Restrict Root Privileges
6. Enable and Configure Firewall
7. Encrypt Network Transmissions
8. Two Factor Authentication
9. Security Enhanced Linux (SELinux)
10. Reduce Attack Surface
11. Log Review
12. Limit SSH Access
13. Physical Security
14. Securing the BIOS
15. Securing the Boot Loader
16. Encrypt Data
17. Centralized Authentication
18. Enforce Strong Passwords
19. Password Aging
20. Account Lockout
21. Using SSH Keys
22. Host Based Intrusion Detection System (HIDS)
23. Virus/Malware Scanning

Note: This guide refers to a Linux system as a server, computer, or client. These terms should be read interchangeably as all tips apply to any system running Linux.

Linux Server Security Hardening Tips

1. Patch the Operating System
It is extremely important that the operating system and the various packages installed be kept up to date, as it is the core of the environment. Without a stable and secure operating system most of the following security hardening tips will be much less effective. To perform an update of all installed packages you can make use of these commands, which will list all available updates for installation and prompt you to proceed.

RHEL Based OS:
yum update

Debian Based OS (run apt-get update first so the package lists are current):
apt-get upgrade

These commands will install all available package updates from the repository, which may include the Linux kernel. Check the list of updates to be installed to see if there is a kernel update, as this will require a reboot to apply.

In Linux the kernel is the core component of the operating system; it manages components such as memory, the CPU, process scheduling and more. Due to this central role the kernel cannot be restarted without a reboot of the whole operating system, so to complete a kernel update the system will need to be rebooted. There are third party options available to avoid a system reboot, such as those offered by Ksplice or KernelCare.

Other packages that run in user space can simply be restarted to make use of the updated version without a system reboot.

It is advisable that security updates be installed as soon as possible; this can either be done manually or automatically via crontab. It is also suggested that you subscribe to the mailing list for your operating system, as these will keep you updated on any security updates to the kernel and other common packages as they become available.

2. Patch Third Party Applications
Any other custom applications that you have installed that are not maintained by a package manager must also be patched frequently so that the latest security updates can be applied. Some examples of such applications include popular web applications like WordPress, Joomla or Drupal. These types of applications are installed outside of the package manager, so a yum update or apt-get upgrade will not update them.

Some applications may update automatically, such as WordPress, while others may require a manual process to update, such as WordPress plugins. The update process for the particular application will differ on a case by case basis, so if you are unsure check the official documentation from the vendor and schedule regular updates. It is recommended that you subscribe to any mailing lists or alerts provided by the application vendor to keep up to date with any vulnerabilities that become disclosed, so that you can update in a timely manner.

3. Disable Remote Root Access
In Linux the root user has full unrestricted access to the system. By disabling logging in directly as the root user we can improve security, as attackers typically attempt to compromise the root account. This can be done by editing the /etc/passwd file and changing the root shell from /bin/bash to /sbin/nologin.

Default /etc/passwd entry for root:
root:x:0:0:root:/root:/bin/bash

After disabling root login:
root:x:0:0:root:/root:/sbin/nologin

This will prevent root access through the GUI, SSH, SCP, SFTP and with su. It will not disable sudo or console access however.

Services can also be explicitly configured to disallow root login. Remote access through SSH for instance can be disabled for the root user by modifying the /etc/ssh/sshd_config file as below. After editing the file, restart the service to apply the change.
PermitRootLogin no

Root privileges can be delegated out to other user accounts as required. As a best practice you do not want to provide the root password to multiple users, as it makes auditing and tracking who is doing what with the account more difficult. To provide root access to other users, the user account can be added to the sudoers file, which will grant them root privileges. This file can be modified with the visudo command.
[root@centos ~]# visudo
...
root    ALL=(ALL)       ALL
bob     ALL=(ALL)       ALL
...

The root account will be there by default; other accounts can also be specified. In this instance the bob account has been added to also have full sudo privileges and can run all commands as root by prefixing them with sudo and correctly entering their password.

4. Disable Root Console Access
The previous step disables remote access for the root account, however it will still be possible for root to log in through any console device. Depending on the security of your console access you may wish to leave root access in place; otherwise it can be removed by clearing the /etc/securetty file as shown below.
echo > /etc/securetty

This file lists all devices that root is allowed to log in to. The file must exist, otherwise root will be allowed access through any communication device available, whether that be console or other. With no devices listed in this file root access has been disabled. It is important to note that this does not prevent root from logging in remotely with SSH for instance; that must be disabled as outlined in point 3 Disable remote root access above.

Access to the console itself should also be secured; a physical console can be protected by the information covered in point 13 Physical security.

5. Restrict Root Privileges
As mentioned above, users that require root privileges can be added to the sudoers file; however we can further restrict what the users can run as root, rather than simply providing full access, by explicitly specifying the commands in the sudoers file. For instance with bob removed from the sudoers file, he is not able to reboot the server.
[bob@centos ~]$ sudo reboot
[sudo] password for bob:
bob is not in the sudoers file.  This incident will be reported.

However after running visudo and editing the sudoers file as below, this becomes possible.
bob     ALL=/usr/sbin/reboot

After this change bob is now able to perform the reboot as root, but nothing else.

6. Enable and Configure Firewall
A firewall such as iptables or firewalld should be used to restrict inbound and outbound traffic to and from your Linux server. While it is ideal to restrict both inbound and outbound traffic, it is more common for a server to allow any outbound traffic and only restrict incoming traffic. This is generally because attacks initiate externally, especially from the Internet; these external networks are therefore less trustworthy than the server itself. If a service on the server is compromised and the server is capable of connecting out to the Internet without restriction, then it could cause further compromise of the system.

The firewall should be used to specify source and destination IP addresses and ports if possible. For example, we can allow SSH access to TCP port 22 to only come in from trusted IP address 1.2.3.4, which will prevent anyone else from attempting to connect to the server via SSH. Destination addresses can also be limited; for instance we may only want our server to connect out to a particular trusted repository for package updates over TCP port 443. By allowing this outbound access and no other external connections to the Internet we can prevent the server from downloading other files, or at least restrict what is available.

Restricting based on source and destination IP addresses with ports is much better than simply changing the port that a service is listening on. For instance you could change the SSH port to 4567 rather than the default of 22. While this may stop some automated attacks it will be trivial for a port scanner such as nmap to detect, as it is only simple security through obscurity; as soon as the secrecy has been lost, so has the security. Once firewall rules are in place nmap can also be used to scan a system for open ports, allowing you to confirm the rules are working as intended.

7. Encrypt Network Transmissions
While a firewall will determine the allowed inbound and outbound traffic, it is important that you encrypt all inbound and outbound data communications to keep them secure. This involves using tools that support encryption such as SSL/TLS. For example, if your Linux server is running a web server such as Apache and the website has a login page where users enter a username and password, rather than configuring this to use plain text HTTP it should be set to use HTTPS, which will ensure the communication between the server and the client is encrypted. This will prevent data transferred over the wire from being seen by anyone else, assuming the private key on the web server is secure of course.

To achieve this you essentially need to actively make the choice to use tools and protocols that support encryption when communicating over the network, for instance using SSH rather than telnet, using SFTP rather than FTP, or using IMAPS rather than IMAP. Other tools such as a VPN can be used to establish secure and encrypted tunnels between two hosts.

8. Two Factor Authentication
Two factor authentication can be implemented for SSH access or other application logins; it will improve login security by adding a second factor of authentication. The password is typically known as something you know, while the second factor may be a physical security token or mobile device which acts as something you have. The combination of something you know and something you have ensures that you are more likely who you say you are.

There are custom applications available for this such as Duo Security and Google Authenticator, as well as many others. These typically involve installing an application on a smartphone and then entering the generated code alongside your username and password when you authenticate.

Google Authenticator can be used for many other applications than just SSH, such as for WordPress login with third party plugin support.

9. Security Enhanced Linux (SELinux)
SELinux was originally developed by the NSA as a set of patches to the Linux kernel. SELinux reduces vulnerability to privilege escalation, provides fine grained access control and separates processes from each other. Processes run in their own domain, which prevents them from accessing files used by other processes.

For example, the Apache (httpd) web server runs with the context system_u:system_r:httpd_t:s0. If this process is compromised by an attacker, their access to further resources and the potential damage they can cause is limited by SELinux policy. By default Apache can access files labelled with the httpd_sys_content_t type; files created within /var/www/html will be labelled with this by default so that Apache can serve web files. Other files and directories elsewhere in the file system will not have this label by default, so Apache will not be able to access non web files stored elsewhere due to SELinux policy restrictions. You can view the SELinux type of a file or directory with ls -Z.

SELinux comes enabled with RHEL based operating systems such as CentOS by default and it is recommended to use. Over time I have seen lots of Linux based guides simply advise that SELinux be disabled and discarded rather than configured correctly. This is not ideal; SELinux should always be enabled, preferably in enforcing mode. However you can instead set it to permissive mode, which will not enforce anything but instead log anything that would have otherwise been blocked in enforcing mode, which is better than having it disabled entirely.

To get detailed logs in plain English that will give you suggested commands on how to resolve SELinux problems, install the setroubleshoot and setroubleshoot-server packages. This will provide the sealert command, which can be run against the audit.log file and will provide advice on fixing any problems that have been logged.

SELinux can be quite intimidating at first, however it is definitely worth learning to take advantage of the increased security that it can offer. I have found the official Red Hat documentation SELinux Users and Administrators Guide to be an excellent resource.

10. Reduce Attack Surface
Every time you install another package or start an additional service on your Linux server you are effectively increasing the attack surface. By doing this there are more things available for an attacker to attempt to target, as there is more code and more moving parts available, increasing the likelihood of a vulnerability.

When installing Linux a graphical user interface (GUI) is usually installed by default; in a server environment it is highly recommended that you do not install this, to help reduce the attack surface and resource usage. If the GUI is already installed it is possible to uninstall it.

Another good option when installing Linux is to select a minimal installation; this will install a base set of important packages that are required with not much extra bloat. This is preferable as you will have fewer packages installed; you can easily install anything that you require after installation from the repository rather than having a bunch of packages preinstalled that may never even be used.

Your attack surface can be reduced by disabling services that are not needed and by uninstalling or removing packages and software that are not required. The following commands can be used to view the status of installed services; they will list services that are configured to start up on boot.

CentOS 6 and earlier:
chkconfig --list

CentOS 7:
systemctl list-unit-files --type=service

Should you find a service that you know is not required it can be disabled so that it does not start on boot. Only do this if you are sure that the service is not required, as some may be needed by the operating system or other services that you make use of.

CentOS 6 and earlier:
chkconfig servicename off

CentOS 7:
systemctl disable servicename

To view a full list of installed packages you can run yum list installed. Should you determine that there are packages that are no longer required you can remove them with yum remove packagename.

With the netstat command you can list the ports that a process on the server is actively listening for connections on. This can help identify something malicious that is running and waiting to accept an external connection, or may show an already established connection that should not be allowed. This is why you would want to restrict the connectivity in the firewall as outlined in point 6 Enable and configure firewall. If you find something malicious you can try to stop the service or kill the listed PID, though this likely will not stop it from starting up again.

[root@centos ~]# netstat -antup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1218/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1736/master
tcp        0     64 192.168.0.100:22        1.2.3.4:29667           ESTABLISHED 2716/sshd: root@pts
tcp6       0      0 :::80                   :::*                    LISTEN      2859/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      1218/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1736/master
tcp6       0      0 :::443                  :::*                    LISTEN      2859/httpd
tcp6       0      0 :::8443                 :::*                    LISTEN      2859/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           701/chronyd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           701/chronyd
udp6       0      0 :::123                  :::*                                701/chronyd
udp6       0      0 ::1:323                 :::*                                701/chronyd

In this example sshd is listening on TCP port 22 for SSH connections and there is one established connection from 1.2.3.4. There are many other services listening on various ports, such as httpd listening for port 80 and 443 connections to serve HTTP and HTTPS requests.
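
Reviewing this output by eye does not scale across many servers, so here is an added example (not code from the original post) that turns the netstat output above into a check: it extracts the listening sockets and flags any that are not on a list of services you expect. The output of netstat -antup from this tip is embedded as a constructed sample so it runs offline; the allowlist values are assumptions for a web server that should only expose SSH, HTTP, HTTPS and NTP.

```shell
#!/bin/sh
# Added example (not from the original post): compare the sockets that
# "netstat -antup" reports as listening against the services you expect on
# the host, and flag the rest. SAMPLE_NETSTAT is the output shown in tip 10,
# embedded here as constructed input so the script runs without root or
# network access; on a real server pipe "netstat -antup" in instead.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1218/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1736/master
tcp        0     64 192.168.0.100:22        1.2.3.4:29667           ESTABLISHED 2716/sshd: root@pts
tcp6       0      0 :::80                   :::*                    LISTEN      2859/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      1218/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1736/master
tcp6       0      0 :::443                  :::*                    LISTEN      2859/httpd
tcp6       0      0 :::8443                 :::*                    LISTEN      2859/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           701/chronyd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           701/chronyd
udp6       0      0 :::123                  :::*                                701/chronyd
udp6       0      0 ::1:323                 :::*                                701/chronyd'

# Read netstat -antup output on stdin and print one "proto port program" line
# per listening socket, de-duplicated (tcp/tcp6 and udp/udp6 are merged).
# TCP listeners carry State == LISTEN. UDP sockets have no State column, so an
# unconnected socket (foreign address ending in ":*") is treated as listening
# and the program is the last field. The port is the text after the final ':'
# so IPv6 forms such as :::80 and ::1:25 are handled.
listening_sockets() {
    awk '
        function port(addr,   parts, n) { n = split(addr, parts, ":"); return parts[n] }
        function prog(field)            { sub(/^[0-9]+\//, "", field); return field }
        $1 ~ /^tcp/ && $6 == "LISTEN" { print "tcp", port($4), prog($7) }
        $1 ~ /^udp/ && $5 ~ /:\*$/    { print "udp", port($4), prog($NF) }
    ' | sort -u
}

# $1 = space separated allowlist such as "tcp/22 tcp/443 udp/123".
# Reads netstat output on stdin and prints "UNEXPECTED proto/port (program)"
# for every listener that is not in the allowlist.
unexpected_listeners() {
    allow=" $1 "
    listening_sockets | while read -r proto port program; do
        case "$allow" in
            *" $proto/$port "*) ;;
            *) echo "UNEXPECTED $proto/$port ($program)" ;;
        esac
    done
}

# Demonstration: a web server expected to expose only SSH, HTTP, HTTPS and NTP.
# Against the sample this reports tcp/25 (master), tcp/8443 (httpd) and
# udp/323 (chronyd), which you would then either justify or disable.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "tcp/22 tcp/80 tcp/443 udp/123"
```

Loopback-only listeners such as 127.0.0.1:25 still appear in the report, which is deliberate: they are reachable by any local process and are worth a conscious decision.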
Another good method of reducing the attack surface is to segregate important roles between different servers. Rather than having one server doing everything it is preferable to split important roles up into different instances. For example you may have one server that acts as the web server, another that acts as the database server, another that acts as the email server and another that acts as the DNS server.

With the increase in virtualization technologies over recent years this is becoming cheaper and easier to take advantage of. By splitting the different roles into different servers you're reducing the attack surface; if one of the services is vulnerable to compromise then you only have to worry about the server running that particular vulnerable service, at least initially until they work their way in deeper!

11. Log Review
While not directly hardening your Linux server, by reviewing the logs you can identify possible problems that should be resolved, such as unauthorized user access. Security events and other messages are stored in the log files for a reason and should be reviewed. It can be difficult and time consuming to manually review the log files on each server, so you could instead look at implementing a system such as logstash or a syslog server to centrally collect all logs.

Access logs should be monitored so that unauthorized access attempts are made known and dealt with as required. Even successful access attempts should be logged, as that will provide visibility over what user accounts are doing in the case of an attacker that has gained access, or a legitimate user that is misbehaving. Logwatch can also be installed and configured to email periodic summaries of events that are logged, such as packages installed or users that have logged in. Being aware of what is happening on your systems will help you detect any potential attacks.

12. Limit SSH Access
By default any user that you create on a Linux server with the default /bin/bash shell is capable of logging in remotely by SSH once it has had a password set. SSH access can be restricted to a defined set of users or groups by using AllowUsers or AllowGroups in /etc/ssh/sshd_config respectively. Not all users on a server will typically need SSH access, so this can be restricted to only those that need access to manage the server.

For example, the below configuration in /etc/ssh/sshd_config will only allow users root and bob SSH access; any other user will be denied access when they attempt to log in via SSH.
AllowUsers root bob

Users that share a common attribute can be grouped together and allowed instead with AllowGroups, which is more scalable with a larger number of users. Be sure to restart the sshd service to apply any changes made here.

13. Physical Security
Physical access to your server can easily undo a lot of the steps outlined here, so it is equally important to ensure that your server is physically secure so that it can't be accessed by an unauthorized user.

If your server is hosted within a data center environment they will likely already restrict physical access and have various security measures in place; it is recommended that you discuss the protection measures in place for your server and ensure that these meet your requirements.

Alternatively, if you host your server on premises at home or in an office it should be locked securely in a dedicated server room, if possible in a central location of the building, with access only granted to those that need to physically maintain the server. Keeping any server racks or cases locked is also recommended.

14. Securing the BIOS
Password protecting the BIOS can help slow down an attacker with physical access from changing BIOS settings or booting the system from a CD or USB drive. As the BIOS will differ between manufacturers you should refer to your specific documentation regarding setting this.

It is important to note that this does not protect the system very well if full physical access is possible, as the BIOS password can usually be easily reset with jumpers on the motherboard or by removing the CMOS battery. You would therefore be better off protecting system data with encryption as covered in point 16 Encrypt data. This also further enforces the importance of point 13 Physical security.

While there are better methods of securing a Linux system as suggested, BIOS passwords can still be useful for public computers, such as in a public library for example. In this instance a BIOS password will stop random people from inserting a CD or USB drive and trying to boot into a different operating system. Yes, they could get around this protection by opening the computer and resetting the BIOS password, however they are probably less likely to start doing this in a public place as it's more difficult to do undetected compared to simply inserting a CD or USB drive.

15. Securing the Boot Loader
By securing the boot loader we can prevent access to single user mode, which logs in automatically as root. This is done with GRUB2 by setting a password, which is stored in plain text by default; it is recommended that you set an encrypted password instead so that the grub password cannot be easily retrieved off the disk.

16. Encrypt Data
Sensitive data stored on the Linux server should be encrypted. If physical access to the server is somehow obtained and the unencrypted hard drives are stolen, it will be possible for all data to be read by an attacker. Although physical security can help protect against this scenario you should plan for the worst and encrypt the data. Physical security may be more difficult to implement for portable devices such as laptops and tablets; strong encryption can help protect data on stolen devices.

This problem also exists with virtual machines, however possibly to a lesser extent: if the virtual hard disk file is copied then it is possible to access the data contained within. To prevent this and secure the data it needs to be encrypted at rest and not stored on disk in clear text. There are many ways to handle encryption; Linux Unified Key Setup on-disk format (LUKS) is one of them and works quite well. Once data has been encrypted, if you lose the password or key to access that data you will no longer be able to access the data.

17. Centralized Authentication
Using a central directory to maintain user accounts is typically more secure and much more scalable as you increase the number of clients/servers that you need to access. Examples of such a directory include Microsoft's Active Directory and Red Hat's Identity Management; either can be used for authentication within a Linux environment.

A central directory provides several security advantages. By storing all user accounts in the directory, should a user account be locked out it will be locked out regardless of the client computer trying to log in. Without a directory server local accounts would be defined on a per server basis, so an attacker performing a brute force attack could simply lock out the account on one computer and then start the attack up again on another.

This centralized management also ensures that the user's password meets a defined global password policy, such as length and complexity requirements, which would otherwise be manually defined on individual servers. Defining things like password policy on individual servers locally has the potential to reduce security if they are not all configured to the same level, as it becomes possible for some to be incorrectly configured to have weaker security settings over time.

It can also be much more difficult to compromise the password hashes of an account as they are stored within the central directory server, rather than on each individual server. Although access to the /etc/shadow file requires root access to read, it may be possible that an attacker has compromised one of your servers and does indeed have root access to the local server. The attacker would then be able to view the password hashes for all users on the server and perform an offline brute force attack, which could result in them gaining further user credentials that may be required to access additional systems.

18. Enforce Strong Passwords
By enforcing strong passwords we can improve the security of an account as a brute force attack becomes more difficult; stronger passwords require more time and computing power to discover. This is generally done through policy on the directory server where the accounts exist, but can also be configured locally on a per server basis. In CentOS 7 strong passwords are enforced by the pwquality PAM module rather than the cracklib module, however both use the same backend.

pwquality checks the strength of a password against a set of rules. First it checks if the password is a dictionary word, and then if not it checks the custom set of rules defined within /etc/security/pwquality.conf. To enable the pwquality module add the following line into the /etc/pam.d/passwd file.
password    required    pam_pwquality.so retry=3

The /etc/security/pwquality.conf file is then used to configure the checks such as minimum length. This file documents all available variables well; below is an example configuration.
minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3

In this case the minimum acceptable size for the new password is length 8, the minimum number of required classes of characters is 4 (digits, uppercase, lowercase, and symbols), the maximum sequence is 3 (such as abc or 123), and the maximum number of allowed consecutive same characters is 3 (such as aaa or 111).

It's also important to note that a root user is able to set any password for themselves or any other user account regardless of this; they will be warned if they are using a weak password, however they can avoid the password enforcement.
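
To make the four rules above concrete, here is an added example (not code from the original post) that re-implements them in shell so a candidate password can be checked before it is set. It assumes the same values as the configuration above (minlen=8, minclass=4, maxsequence=3, maxrepeat=3), omits the dictionary-word check that pam_pwquality runs first, and the candidate passwords at the bottom are constructed test values.

```shell
#!/bin/sh
# Added example (not from the original post): re-implement the four
# pwquality.conf rules shown in tip 18 (minlen=8, minclass=4, maxsequence=3,
# maxrepeat=3). The dictionary-word check that pam_pwquality performs before
# these rules is omitted here.

# Usage: check_pwquality 'candidate'
# Prints one "FAIL <rule>: <detail>" line per violated rule, or "PASS", and
# returns 0 only when every rule passes. The password is passed on stdin to
# awk so shell quoting of special characters is not an issue.
check_pwquality() {
    printf '%s\n' "$1" | awk -v minlen=8 -v minclass=4 -v maxsequence=3 -v maxrepeat=3 '
    BEGIN {
        # POSIX awk has no ord(); build a printable ASCII code table instead
        for (j = 32; j < 127; j++) code[sprintf("%c", j)] = j
    }
    {
        pw = $0; n = length(pw); fails = 0
        if (n < minlen) { print "FAIL minlen: " n " < " minlen; fails++ }

        # minclass: count the character classes present
        classes = 0
        if (pw ~ /[0-9]/) classes++
        if (pw ~ /[a-z]/) classes++
        if (pw ~ /[A-Z]/) classes++
        if (pw ~ /[^A-Za-z0-9]/) classes++
        if (classes < minclass) { print "FAIL minclass: " classes " < " minclass; fails++ }

        # maxrepeat: longest run of one character (aaaa)
        # maxsequence: longest run of adjacent codes in one direction (abcd, 4321)
        rep = 1; seq = 1; lastd = 0; worstrep = 1; worstseq = 1
        for (i = 2; i <= n; i++) {
            c = substr(pw, i, 1); p = substr(pw, i - 1, 1)
            rep = (c == p) ? rep + 1 : 1
            d = code[c] - code[p]
            if ((d == 1 || d == -1) && d == lastd) seq++
            else if (d == 1 || d == -1) seq = 2
            else seq = 1
            lastd = d
            if (rep > worstrep) worstrep = rep
            if (seq > worstseq) worstseq = seq
        }
        if (worstrep > maxrepeat) { print "FAIL maxrepeat: run of " worstrep " identical characters"; fails++ }
        if (worstseq > maxsequence) { print "FAIL maxsequence: sequence of " worstseq " characters"; fails++ }
        if (fails == 0) print "PASS"
        exit (fails > 0)
    }'
}

# Demonstration over constructed candidates: too short and too few classes,
# a 4-character sequence, a 4-character repeat, and one that passes.
for candidate in 'abc123' 'Abcde12!' 'Paaaa1!x' 'Tr0ub4dor&3'; do
    echo "== $candidate"
    check_pwquality "$candidate" || true
done
```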

19. Password Aging
Password aging defends against bad passwords being discovered and reused by an attacker; even if a password is compromised it will only be usable for a set period of time. Accounts which are no longer required but have not been locked out will become inaccessible when the password expires. This needs to be configured, as by default a password change will not be required for 99999 days.

Password aging can either be managed locally on a per server basis, or as mentioned above within a central directory such as Active Directory or Identity Management. Ideally you're using a central directory to make these policy changes much easier; you would set them in one place and they would apply for all users that log in over a multitude of servers.

It is possible to manage password aging on a per server basis locally; it will just require more administration time and increases the likelihood of a configuration mistake which can result in less secure accounts. Below are some example commands to apply password aging.

Show account aging information; these values can be modified further with the chage command.
[root@centos ~]# chage -l bob
Last password change                                    : Aug 19, 2015
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

To run chage interactively to set these values on a user account, run chage username.

20. Account Lockout
While having strong passwords in place for user accounts can help thwart brute force attacks, as mentioned previously in point 18 Enforce strong passwords, this is only one way of slowing down this type of attack. A good indication of a brute force attack is a user account that has failed to log in successfully multiple times within a short period of time; these sorts of actions should be blocked and reported. We can block these attacks by automatically locking out the account, either at the directory if in use or locally.

The pam_tally2.so PAM module can be used to lock out local accounts after a set number of failures. To get this working I have added the below line to the /etc/pam.d/password-auth file.

auth        required      pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=

This will log all failures to the /var/log/tallylog file and lock out an account after 3 consecutive failures. By default it will not deny the root account, however we can also lock out root by specifying even_deny_root (though this may not be required if you have disabled root access as per point 3 Disable remote root access and point 4 Disable root console access). The unlock time is the number of seconds after a failed login attempt that an account will automatically unlock and become available again.

Failed logins can be viewed as below; to view all failures simply remove the --user flag.
[root@centos ~]# pam_tally2 --user=bob
Login           Failures Latest failure     From
bob                 4    08/21/15 19:38:23  localhost

The failure count can be manually reset by appending --reset onto this command.
pam_tally2 --user=bob --reset

If a login is successful before the limit has been reached the failure count will reset to 0. For more details see the pam_tally2 manual page by typing man pam_tally2.

It's worth noting that the manual page advises to configure this with the /etc/pam.d/login file, however I found that under CentOS 7 this did not work and needed to use the /etc/pam.d/password-auth file instead. I also tried using /etc/pam.d/system-auth which I found documented elsewhere, but this also failed, so this may differ based on your operating system.

You can also manually lock and unlock local user accounts rather than waiting for the failure limit to be reached.

Lock the user account bob.
[root@centos ~]# passwd -l bob
Locking password for user bob.
passwd: Success

Unlock the user account bob.
[root@centos ~]# passwd -u bob
Unlocking password for user bob.
passwd: Success

Be careful when enabling account lockout, as automatic locks on accounts used by various services could possibly lead to outages.

Other tools such as Fail2Ban can also be used to block, in the firewall, the source IP addresses the failed logins initiate from. This has the advantage of blocking the attack without locking the account and preventing legitimate user access.

21. Using SSH Keys
SSH keys can be used to increase the level of security for a user remotely authenticating to a Linux server through SSH. SSH keys are typically preferable in terms of security when compared to a password as they are far less vulnerable to brute force attack; there is simply a lot more entropy in a key than in a password.

SSH keys are based upon public key cryptography, whereby you will generate a key pair which includes a public key and a private key. The public key is stored on the destination server that you wish to access and will allow only the corresponding private key access.

It is therefore extremely important that you protect your private key; if an attacker is able to access this key then they will be able to log in as your user. Best practices dictate that your private key be encrypted with a passphrase, which can be configured when you create the key pair. It's also important that the private key file be readable and writable only by the user that owns the key; this would be permissions 0600 and is set as default on creation.

Create the key pair with the ssh-keygen command. The -t specifies the type of key to create; here we are using rsa version 2.
[bob@centos root]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bob/.ssh/id_rsa):
Created directory '/home/bob/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bob/.ssh/id_rsa.
Your public key has been saved in /home/bob/.ssh/id_rsa.pub.
The key fingerprint is:
8e:dc:08:bb:8d:0e:12:04:22:ae:5e:f5:0a:21:3e:b0 bob@centos
The key's randomart image is:
(randomart box not reproduced)
[bob@centos ~]$ ls -la /home/bob/.ssh/
-rw-------. 1 bob bob 1766 Aug 19 16:41 id_rsa
-rw-r--r--. 1 bob bob  398 Aug 19 16:41 id_rsa.pub

In the above example we created the id_rsa private key file and the corresponding id_rsa.pub public key file. Next upload the public key to the remote server that you wish to access; this can be done manually or with the ssh-copy-id command as shown below.

[bob@centos .ssh]$ ssh-copy-id bob@1.2.3.4
The authenticity of host '1.2.3.4' can't be established.
ECDSA key fingerprint is 97:b6:fc:11:49:20:3c:10:ac:16:49:46:e5:56:03:30.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
bob@1.2.3.4's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'bob@1.2.3.4'"
and check to make sure that only the key(s) you wanted were added.

This will place the id_rsa.pub public key file on the destination server, in this case 1.2.3.4, within the ~/.ssh/authorized_keys file. You can then SSH to the destination by simply running ssh bob@1.2.3.4 and you should be prompted for the passphrase for your private key.

Once an account has been set up to make use of SSH keys rather than a password you can optionally disable password authentication through /etc/ssh/sshd_config to increase security, as shown below.
PasswordAuthentication no
PubkeyAuthentication yes

Reload sshd to apply these changes.
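
Tips 3, 12 and this one all come down to a handful of sshd_config directives, and a quick way to confirm a host actually has them is to audit the file rather than trust memory. The following is an added example (not code from the original post or from OpenSSH): it reads an sshd_config the way sshd does (first matching directive wins, keywords are case-insensitive, '#' lines are comments) and reports whether PermitRootLogin, PasswordAuthentication, PubkeyAuthentication and AllowUsers/AllowGroups match the settings recommended above. The two sample config files it writes are constructed for the demonstration; on a real host point audit_sshd_config at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not code from the original post): audit an sshd_config file
# for the directives discussed in tips 3, 12 and 21. write_sample_configs
# creates two constructed sample files so the audit can be run offline;
# point audit_sshd_config at /etc/ssh/sshd_config on a real host.

# Print the effective value of a keyword. sshd honours the first matching
# directive, keyword names are case-insensitive, and '#' lines are comments,
# so a commented "#PermitRootLogin yes" is not a setting and yields "".
sshd_value() {
    # $1 = path to sshd_config, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print
            exit
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one "OK <keyword>" or "WARN <keyword> <reason>" line per check.
# Returns 1 if any warning was printed, 0 otherwise.
audit_sshd_config() {
    cfg="$1"
    warnings=0

    v=$(lower "$(sshd_value "$cfg" PermitRootLogin)")
    if [ "$v" = "no" ]; then
        echo "OK PermitRootLogin"
    else
        echo "WARN PermitRootLogin is '${v:-unset}'; tip 3 sets it to 'no'"
        warnings=1
    fi

    v=$(lower "$(sshd_value "$cfg" PasswordAuthentication)")
    if [ "$v" = "no" ]; then
        echo "OK PasswordAuthentication"
    else
        echo "WARN PasswordAuthentication is '${v:-unset}'; tip 21 sets it to 'no' once keys are deployed"
        warnings=1
    fi

    if [ "$(lower "$(sshd_value "$cfg" PubkeyAuthentication)")" = "no" ]; then
        echo "WARN PubkeyAuthentication is 'no'; key based login from tip 21 is disabled"
        warnings=1
    else
        echo "OK PubkeyAuthentication"
    fi

    users=$(sshd_value "$cfg" AllowUsers)
    groups=$(sshd_value "$cfg" AllowGroups)
    if [ -z "$users" ] && [ -z "$groups" ]; then
        echo "WARN AllowUsers/AllowGroups unset; every account with a shell may log in (tip 12)"
        warnings=1
    else
        echo "OK AllowUsers/AllowGroups (${users:-$groups})"
    fi

    return "$warnings"
}

# Write two constructed sample configs into the directory given as $1.
write_sample_configs() {
    cat > "$1/weak_sshd_config" <<'EOF'
# constructed sample: close to an out-of-the-box sshd_config
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
    cat > "$1/hardened_sshd_config" <<'EOF'
# constructed sample: the settings from tips 3, 12 and 21 applied
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers root bob
EOF
}

# Demonstration run over both samples.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in weak_sshd_config hardened_sshd_config; do
    echo "== $f"
    audit_sshd_config "$tmp/$f" || echo "-> $f needs attention"
done
rm -rf "$tmp"
```

Because sshd_value ignores commented lines, the weak sample reports PermitRootLogin as unset rather than as "no", which is the distinction that matters when a default-allow setting has merely been commented out instead of changed.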

22. Host Based Intrusion Detection System (HIDS)
Even after implementing additional security measures it is still possible that your server may become compromised; no server should ever be considered 100% secure. Should this happen you would want to be alerted so that you can investigate further. This can be done by using a host based intrusion detection system, which is typically installed on the server as an agent that monitors the internals of the system and can alert if an attempted or successful intrusion is detected. While this definitely will not detect and alert for every possible intrusion it is a good protection measure to put in place.

OSSEC is a cross platform open source HIDS that is capable of performing log analysis, file integrity checking, policy monitoring, rootkit detection and real time alerting and response.

23. Virus/Malware Scanning
In addition to detecting intrusion it is also important to frequently scan the file system, memory and running processes for known viruses or malware threats that may have made it onto your Linux server. The scan should be able to actively quarantine known bad files that are detected and send out a notification alert for further investigation.

It is a good idea to run such scans during periods of low resource usage so that the scan does not conflict with normal service. This will depend on the workload of your server, however scanning overnight or on the weekend usually works well, and most tools allow you to specify a load level threshold to pause at and continue after it drops back down.

ClamAV is a popular open source antivirus available for Linux to detect viruses, trojans, malware and other malicious threats, and works quite well. A lot of other tools also incorporate ClamAV, such as Maldet which is another great tool. Other options such as ConfigServer eXploit Scanner (CXS) also make use of ClamAV and will actively scan files as they are uploaded or modified; for instance if an attacker is able to modify a file with known malicious code it will be detected and quarantined within seconds.

Conclusion
Although it is impossible to perfectly and fully secure a Linux system, we can significantly reduce the number of vulnerabilities within a system, and by extension the chance of a compromise, by being security conscious and implementing these hardening tips. There is always going to be a trade off between security and usability; where that line is drawn in your environment is up to you.

Do you have any other security tips that you use in your Linux environment? Let me know in the comments and I'll be happy to update the post so that we can improve upon it and have a useful and up to date community resource.
