Securing Unix Systems: Best Practices And Common Pitfalls

ByThe Aha Unix Team

Hardening Unix Systems Against Attacks

Unix systems connected to networks are under constant threat of cyber attacks. A compromised server can lead to data breaches, ransomware attacks, cryptojacking, and more. That’s why hardening and securing Unix systems is critical for organizations. Here are some best practices to secure your Unix servers, workstations, and devices:

Enabling Firewalls to Filter Network Traffic

Firewalls create a buffer zone between trusted internal networks and untrusted external networks. They filter incoming and outgoing packets based on a defined set of security rules. Here are some tips on firewall hardening for Unix systems:

  • Enable packet filtering on network ports by allowing only connections from trusted IP addresses and protocols required for essential services
  • Set up the default deny stance to drop all packets that do not match the firewall allow rules
  • Use the firewall logs to detect abnormal traffic and intrusion attempts for further investigation
  • Test firewall rules without disrupting services to identify and fix misconfigurations

Configuring SSH for Key-Based Authentication

SSH enables secure remote access shell and tunneling capacities for admins and developers. In its default state, SSH can expose Unix servers to brute force attacks. Here is how to properly configure it:

  • Disable password-based login and enforce public-private key-based authentication which is very difficult to crack
  • Prohibit root login over SSH and provide privileged access via sudo to authorized users
  • Use SSH user jails and chroot to isolate access and limit damage from stolen credentials
  • Configure SSH to use non-standard ports to avoid attacks targeting port 22

Keeping Software Up-To-Date with Security Patches

Hackers are always finding new flaws in software packages to launch their attacks. That’s why applying the latest security updates is important. Here are some pointers on software patching:

  • Subscribe to vendor and CVE mailing lists to stay updated about new vulnerabilities
  • Test patches on non-production environments first before deploying to production servers
  • Automate security updates and patch management using tools like Ansible
  • Monitor versions of installed packages and libraries to remove obsolete libraries with known vulnerabilities

Using Permissions to Limit Access to Sensitive Files

The Unix permissions model allows carefully defining access to sensitive customer data, credentials, and configuration files. Follow these permission hardening tips:

  • Set Unix discretionary access control lists to grant read-write permissions only to owners and groups that need them
  • Revoke execute permissions on scripts, config files to prevent accidental or malicious runtime modifications
  • Enforce restricted permissions with security-enhanced Linux modules like SELinux and AppArmor policies
  • Use Unix file integrity monitoring tools like Tripwire and AIDE to detect unauthorized permission changes

Monitoring System Logs for Signs of Intrusion Attempts

Syslog and audit logs capture critical system events like user logins, command execution, network connections etc. Log monitoring can reveal attacks in progress and help expedite incident response. Some guidelines include:

  • Centralize and correlate logs from different sources for holistic monitoring and analysis
  • Use log analyzers like Splunk to slice and dice events to uncover anomalies
  • Configure verbose logging and log shipping to external secure storage to prevent log tampering
  • Set up alerts for log events indicating malicious activities like enumeration scans, privilege escalations etc.

Avoiding Misconfigurations That Expose Vulnerabilities

In their rush to support business needs, overwhelmed admins often misconfigure Unix systems in ways that open security holes attackers exploit. Avoid these common pitfalls:

Setting Strong Passwords for All Users

Weak passwords continue to be the bane of account security. Enforce a strong password policy covering complexity, aging, history, and rotation requirements. For example:

  • Minimum of 8 characters with upper, lower, numeric and special characters
  • 90 days expiry with 10 unique new passwords before reuse
  • Initial setup must involve changing the vendor default password
  • Automated password vaulting with tools like Ansible Vault and Password Safe

Removing Unused Default Accounts

Unix environments like AWS EC2 ship with default accounts like root, ec2-user etc. with known passwords that attackers exploit. Some tips include:

  • Delete unnecessary default accounts on servers and network devices
  • Disable default admin accounts requiring their use like root and rename them
  • Block root login over SSH and enforce sudo access with 2FA to the root account
  • Use account security tools like Security Onion and Auth0 to discover and monitor unused accounts

Disabling Unused Services and Open Ports

Running unused services and open ports expose a wider attack surface for attackers to exploit. Minimize these by:

  • Inventory services and open ports to categorize essential vs unused
  • Disable unused native Unix services via service masks or TCP wrappers
  • Block unused ports via firewalls and kernel settings
  • Scan periodically with Nmap to discover unauthorized services and ports

Testing Configuration Files Before Deployment

Typos and oversights in configuration files controlling access, services, accounts etc. can lead to exploitation. Hence:

  • Leverage DevOps CI/CD pipelines invoking automated testing and scanning of configurations
  • Sandbox test configuration changes before rolling out to production instances
  • Use infrastructure as code tools like Ansible and Terraform to auto-generate and validate configurations
  • Scan running environments against configuration benchmarks like CIS Linux to catch gaps

Following Principle of Least Privilege for Permissions

Overly permissive account permissions result in unauthorized privilege escalations. Apply these guidelines:

  • Provision precise access based on roles – administrate servers vs develop applications vs audit logs
  • Segment environments into subnets and access tiers to minimize risks from excessive permissions
  • Revoke temporary access when user leaves the project or organization with automated offboarding scripts
  • Audit effective account privileges periodically to prune redundant access not needed for duties

Detecting and Recovering From Intrusions

Despite best efforts, determined attackers can still penetrate defenses leading to breaches. Rapid detection, containment, eradication and recovery is key. Some tips:

Inspecting Files for Malware or Altered Content

Attackers often modify executables, scripts, configs to plant backdoors, logic bombs, crypto miners etc. Detect such changes via:

  • File analysis tools like YARA rules and ClamAV to fingerprint malware footprints
  • File integrity checking tools to spot unauthorized tampering to binaries and configs
  • Rootkit scans to uncover malware hiding processes, files, registry keys etc.
  • Difference analysis to compare existing files against known good versions

Scanning Memory Processes for Signs of Exploitation

Attackers actively inject code and binaries into running software. Detection methods involve:

  • Runtime behavioral monitoring for anomalies in memory, network use etc.
  • Memory dump analysis with pattern matching against malware signatures
  • Sandbox executing suspicious processes to uncover malicious activities
  • Canary honey tokens to detect unexpected process and memory accesses

Restoring Compromised Files from Backups

Clean restoration leveraging file backups provides the ultimate recovery when malware detection fails. Useful capabilities include:

  • Periodically backing up critical application, configs, secrets, logs etc.
  • Storing immutable, tamper-proof backups on offline media or cloud repositories
  • Testing backup and restoration procedures periodically as part of DR exercises
  • Isolating backups time windows to maximize chances of getting a clean copy

Rotating Credentials in Case of Password Leaks

Password leaks provide perpetual access until reset or rotation. Some guidelines:

  • Enforce periodic credential rotation via access re-certification or resets
  • Provide mitigation windows balancing convenience vs risks when credentials are suspected to be compromised
  • Prevent password re-use across systems via centralized access management systems
  • Automate credential revocation, resets upon suspicious activities from dormant accounts

Tracking Down Attack Source and Blocking Access

Pinpointing and blocking attackers is important to prevent repeated attempts. Methods include:

  • Analyze firewall, IDS logs to glean attack source IP, domain, signatures etc.
  • Scrape web server access logs to construct evidence and locate compromised hosts
  • Set up IP, domain blacklists shared across security layers – firewall, proxy etc.
  • Report persistent attack sources to ISPs and law enforcement to neutralize threats

Securing Unix Web Servers and Applications

Websites and web apps pose increased risks due to remote public access. Lock them down via:

Enforcing TLS/SSL for All Connections

Encrypting traffic prevents data theft and tampering:

  • Configure site-wide HTTPS redirect so all web sessions use TLS by default
  • Disable insecure protocols like SSLv2, SSLv3, or TLS 1.0 due to crypto flaws
  • Use perfect forward secrecy ciphers like ECDHE for securing session keys
  • Purchase and install valid certificates signed by trusted certificate authorities

Sanitizing and Validating User Input

Much of website hacking occurs via malicious inputs like XSS, SQLi etc. Protect against them by:

  • Setting up whitelist allow lists for validated input formats, data types and lengths
  • Sanitize all user inputs to remove embedded malicious scripts and query constructs
  • Use security encoding libraries to neutralize dangerous characters like encoder/decoder
  • Secure coding practices via input validation wrappers, parameterized interfaces etc.

Separating Web Server Privileges from Application Codes

Isolate risks from exposed web apps via:

  • Run web apps and servers as low privileged Unix users, without shell access
  • Chroot jails to restrict file system access for respective web app users
  • Systrace policies to contain apps from calling risky system functions
  • Leverage SELinux and AppArmor profiles to impose access constraints on web apps

Jailing or Sandboxing Web Apps in Containers

Additional app security through isolated containers via:

  • Docker containers with app process running as non-root users by default
  • AppArmor and SELinux policies tailored for individual containers
  • Seccomp policies limiting container system calls to authorized list
  • User namespaces for mapping container users to low privilege host users

Monitoring Web Traffic for Attacks in Real-Time

Early attack detection via traffic analysis:

  • Deploy web application firewalls inspecting Layer 7 activities
  • Tap site traffic to feed into intrusion detection systems
  • Analyze access logs in real time for attack indicators and blocking
  • Decoy web pages serving as honeypots to divert and monitor attacker activities

Leave a Reply

Your email address will not be published. Required fields are marked *