Enhancing Security Of Linux And Unix-Like Os Through Hardening Techniques

ByThe Aha Unix Team

Securing Accounts and Passwords

Implementing strong password policies is a critical first step towards securing Linux and Unix systems. Short, simple, or default passwords provide easy targets for attackers to gain initial access. Here are some best practices for enhancing password security:

  • Enforce password complexity requirements through modules like pam_cracklib. This ensures passwords have a minimum length, mix of letters, numbers and special characters.
  • Configure password aging policies to force users to change passwords every 60-90 days. This limits the use of stale passwords if a system is compromised.
  • Set password expiration policies to automatically disable accounts after a defined number of days. This reduces the duration an inactive account can be abused.
  • Lock user accounts after several failed login attempts to protect against brute force attacks. Accounts can be manually or automatically unlocked after a cool down period.
  • Delete unnecessary default system accounts that are included in the distro but not required. This reduces the attack surface on the server.

Technical Implementation Tips

Here are some useful commands and files for implementing stronger password policies on Linux:

  • Edit /etc/pam.d/common-password and add pam_cracklib module.
  • Set password aging policies in /etc/login.defs like PASS_MAX_DAYS and PASS_MIN_DAYS.
  • Use chage -M 90 user to force password expires every 90 days.
  • Lock accounts after 5 invalid attempts with pam_tally2 PAM module.
  • Delete default accounts like ftp, games, and nfsnobody if not required.

Limiting Access and Privileges

The principle of least privilege is key for hardening Linux. All users should operate with the minimum permissions required for their role. Unnecessary privileges provide opportunities for abuse if an account is compromised. Here are some best practices around access controls and privileges:

  • Leverage sudo for granting temporary privilege escalation. Require re-authentication and configure tight rules on allowed commands.
  • Carefully plan user groups like sysadmin, developers, accounting rather than relying on a broad ‘wheel’ group.
  • Set the root account to restrict direct logins. Require use of sudo for privilege escalation so actions are auditable.
  • Tightly restrict and monitor any accounts with direct su or sudo access without authentication.
  • Apply strict permissions like 750 on sensitive configs and binaries, 644 on files like /etc/shadow.
  • Disable root SSH logins in /etc/ssh/sshd_config. Only permit authenticated sudo sessions for administration.

Implementing Least Privilege Access

Here are some useful commands for implementing tighter access controls on Linux servers:

  • Add users to /etc/sudoers for allowed commands e.g. bob ALL=(ALL) /usr/bin/apt-get
  • Disable direct root login with PermitRootLogin no in sshd_config.
  • Remove sudo access to leave an audit trail e.g. alice ALL=(ALL) NOPASSWD: ALL
  • Assign users to groups like webadmin, dbadmin, accounting to align privileges.
  • Restrict sensitive file perms with chmod o-rwx file and chmod 770 /etc/shadow.

Hardening the Filesystem

The Linux filesystem contains a variety of sensitive components that need to be secured against unauthorized changes. Attackers often target areas like directories in /etc, libraries, and binary directories that can be tampered with to achieve persistence. Some key areas to focus on include:

  • Setting the nosuid and nodev mount options on filesystems with user files and external devices. This blocks suid/sgid bits and character/block devices.
  • Restricting permissions with chmod and tight ACLs on files like /etc/shadow, application configs and SSH keys.
  • Making folders like /home, /opt and /tmp group writable but not globally writable to prevent access by other users.
  • Encrypting non-boot partitions containing sensitive data to prevent unauthorized data extraction.
  • Enabling read-only mounts through remount where possible, especially for shared directories.

Useful Filesystem Hardening Commands

Some useful implementation examples include:

  • Add nosuid,nodev to removable media mounts in /etc/fstab.
  • chmod 700 /etc/shadow to tighten permissions.
  • chmod g+w,o-w /tmp for group write only.
  • Use cryptsetup to encrypt partitions & mount at boot.
  • mount -o remount,ro /mnt/share for read-only.

Mitigating Network Threats

Hardening also involves protecting Linux systems from network-based attacks. The network attack surface needs to be minimized by closing unnecessary ports, locking down services and inspecting traffic at edge firewalls. Key focus areas include:

  • Configuring default-deny firewall policies with iptables and only allowing required ports.
  • Disabling dangerous services like Telnet and enabling only secure protocols like SSH and SFTP.
  • Limiting network connections to services through wrappers like TCPD or libwrap.
  • Setting up DMZ zones for externally facing systems to restrict attacks from spreading.
  • Blocking traffic from unauthorized IP addresses with ACLs and blackhole routing.

Protecting from Network Attacks

Some useful commands for mitigating threats include:

  • iptables -P INPUT DROP for default-deny policies.
  • Disable services with update-rc.d telnet disable.
  • Allow SSH connections from office IPs in hosts.allow file.
  • Route traffic from suspicious IPs to null interface like ip route add blackhole 123.123.123.123.

Monitoring for Intrusions

Detecting unauthorized access or changes is critical for containing breaches on Linux systems. Analysing logs and wiring up notifications on critical system events can help admins respond faster to incidents. Key aspects include:

  • Centralising logs from multiple servers to a SIEM system for correlation and dashboards.
  • Graphing login counts from auth.log to spot brute force attack spikes.
  • Generating alerts on events like repeated failed logins, new user additions or access to cron/sudo.
  • Installing file integrity monitoring tools like Tripwire and Samhain to detect filesystem changes.
  • Setting up process accounting tools to log all commands executed on a system.

Detecting Intrusions with Logging

Some ways to implement better monitoring include:

  • Stream ssh logs to central SIEM and create brute force detection alerts.
  • Graph sudo commands each day with sudoreplay to spot anomalies.
  • Check users with shells and monitor /etc/shadow and /etc/passwd changes.
  • Install OSSEC for file change monitoring and system log tracking.

Applying Security Updates

Continuously patching and upgrading Linux distros is critical to address vulnerabilities before attackers can exploit them in the wild. Unpatched flaws in both the operating system and application layers enable many break-ins. Key aspects to focus on include:

  • Enabling automated security updates on packages, kernel and services.
  • Reviewing distro security bulletins for exposure to vulnerabilities.
  • Testing updates on staging environments before deploying to production.
  • Monitoring public vulnerability feeds and tools like Lynis for security gaps.
  • Planning regular maintenance windows to apply outstanding patches.

Useful Commands for Updates

Some useful commands include:

  • unattended-upgrades to enable automatic security updates.
  • apt update && apt full-upgrade to pull latest packages.
  • Check /var/log/dpkg.log to verify update installs.
  • Review changes in Debian Security site and US-CERT bulletins.
  • Use Lynis system audit tool to inspect and harden systems.

Leave a Reply

Your email address will not be published. Required fields are marked *