Saturday, April 7, 2018

7 steps to secure linux

Linux and Unix come in many flavours; here we talk about the ones designed for efficiency and security rather than luxury and convenience.

Nowadays, the only truly safe computer is the dead brick: a machine with no network connections at all (no wifi, bluetooth, cable, etc.) that you can only interact with by physically sitting in front of it and typing on the keyboard. The steps below start from that state and open the machine up only as far as you actually need.

step 1. get a trusted linux/unix distribution.

Since most Linux distributions are open source, everybody has access to the source code and can modify it, so you want to make sure you get a trusted build. Never download Linux images from anywhere other than the official sources, and always verify the SHA256 checksum of the file you downloaded against the official value. It would be easy for a malicious entity to modify an installation image to contain exploits or malware and host it unofficially. One caveat: a checksum only proves the file was not corrupted or swapped if the checksum itself came from somewhere you trust. An attacker who can replace the image on a mirror can replace the SHA256SUMS file next to it just as easily, so also check the distribution's GPG signature over the checksum file, using a public key obtained through a separate channel, rather than trusting the checksum alone.
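The check described above, as an added example that is not part of the original post: a small POSIX shell script that verifies a downloaded image against the SHA256SUMS file published beside it. The image file, its name (distro.iso) and the SHA256SUMS contents are constructed here so the script runs offline; on a real download you would point it at the files you fetched from the official site.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded image against
# the SHA256SUMS file published next to it. Both files are constructed here so
# the script runs offline; "distro.iso" and its hash entry are stand-ins.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed stand-in for the downloaded image (a real ISO is hundreds of MB).
printf 'hello' > "$WORKDIR/distro.iso"

# Constructed stand-in for the official SHA256SUMS file. The format is the one
# sha256sum itself produces: "<hex digest>  <filename>". The digest is the real
# SHA256 of the five bytes "hello".
cat > "$WORKDIR/SHA256SUMS" <<'EOF'
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  distro.iso
EOF

# verify_image <dir> <filename>: returns 0 if the file's SHA256 matches its
# entry in <dir>/SHA256SUMS, 1 on mismatch or when there is no entry at all.
# A missing entry is a failure, not a skip: silently skipping unlisted files
# is how a tampered image ends up installed.
verify_image() {
    dir=$1
    name=$2
    # Some distributions mark binary files with a leading "*" in the name
    # column; strip it before comparing.
    expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1 }' "$dir/SHA256SUMS")
    if [ -z "$expected" ]; then
        echo "FAIL: no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$dir/$name" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "FAIL: $name expected $expected got $actual" >&2
    return 1
}

# Before trusting SHA256SUMS at all, verify the distribution's signature over
# it. The signature file name varies by distribution; SHA256SUMS.gpg is assumed:
#     gpg --verify "$WORKDIR/SHA256SUMS.gpg" "$WORKDIR/SHA256SUMS"
# That step is not run here because it needs the distribution's public key.

verify_image "$WORKDIR" distro.iso
```

The script exits non-zero on any mismatch, so it can gate an automated install; the GPG verification is deliberately a separate step, because if the checksum file is not signed, a matching SHA256 only tells you that you downloaded exactly what the mirror was serving.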

step 2. set a complex password for root

Without guarding root access, any other security hardening is a waste of time. A long, unique root password is the minimum; on a box other people can reach, also do day-to-day administration from an unprivileged account with sudo so the root password is typed as rarely as possible.

step 3. boot into dead brick.

A runlevel is one of the modes that a Unix-based operating system can run in. Each runlevel has a certain set of services stopped or started, giving the user control over the behavior of the machine.

During the boot process on Red Hat Linux 9 and Fedora Core systems, for example, /etc/inittab defines the default runlevel as follows:

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:2:initdefault:

This tells the init process that the default runlevel for the system is runlevel 2: multi-user mode on the command line, without NFS and without the overhead of an X11 GUI. Note from the comments above that runlevel 2 on Red Hat still brings up networking; if you want the machine to come up as a real dead brick with no network services at all, boot into runlevel 1 (single-user mode) and open things up from there. On systemd-based distributions (RHEL 7 and later, current Fedora) /etc/inittab is no longer consulted; the equivalents are targets, for example "systemctl set-default multi-user.target" for runlevel 3 and "systemctl isolate rescue.target" for single-user mode.

step 4. disabling linux services

Now that you have a safe dead brick, you can take the time to disable any services you don't actually need. Each one left running in the background exposes an extra access port into your Linux server.

On Red Hat, to list all service settings run the following command:

    /sbin/chkconfig --list

This will display a long list of services showing whether or not they are started up at various runlevels. An example line looks like:

    httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off

chkconfig can also be used to change the settings. If we wanted the HTTP service not to start up when we are at runlevel 5 we would issue the following command:

    /sbin/chkconfig --level 5 httpd off

On the other hand, you do want logging, so make sure syslog is enabled at the multi-user runlevels:

    /sbin/chkconfig --level 235 syslog on

chkconfig only knows about SysV init scripts. On systemd systems the equivalent commands are "systemctl list-unit-files --type=service" to see what is enabled, "systemctl disable httpd" to switch a service off and "systemctl enable rsyslog" to switch one on.
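Steps 3 and 4 together amount to an audit: find the runlevel the box boots into, then list everything that will start there and decide what to switch off. The following script, an added example and not code from the original post, does exactly that for a SysV-init system. The /etc/inittab fragment and the chkconfig --list output are constructed copies embedded inline so it runs offline; on a real Red Hat 9 era machine you would point it at /etc/inittab and at the live output of /sbin/chkconfig --list.

```shell
#!/bin/sh
# Added example (not from the original post): audit a SysV-init box the way
# steps 3 and 4 describe. It reads the default runlevel from an inittab file
# and lists the services chkconfig would start at that runlevel. Both inputs
# are constructed copies so the script runs offline.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed /etc/inittab fragment using the page's default runlevel.
cat > "$WORKDIR/inittab" <<'EOF'
# Default runlevel.
id:2:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
EOF

# Constructed "chkconfig --list" output. It includes the "xinetd based
# services" section that follows the SysV table and has a different shape,
# which a naive parser would mis-read as service rows.
cat > "$WORKDIR/chkconfig.txt" <<'EOF'
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:on    6:off
xinetd based services:
        telnet:         off
        rsync:          on
EOF

# default_runlevel <inittab>: print the initdefault runlevel (empty if unset).
default_runlevel() {
    awk -F: '$1 == "id" && $3 == "initdefault" { print $2 }' "$1"
}

# enabled_at <chkconfig-output> <runlevel>: print, one per line, the SysV
# services switched on at that runlevel. Only the eight-field table rows
# (name plus 0:..6: columns) are parsed, so the xinetd section is ignored here.
enabled_at() {
    awk -v rl="$2" '
        NF == 8 {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == rl && kv[2] == "on") print $1
            }
        }' "$1"
}

# xinetd_enabled <chkconfig-output>: services in the xinetd section set to on.
# These are reachable at every runlevel where xinetd itself runs.
xinetd_enabled() {
    awk 'NF == 2 && $2 == "on" { sub(/:$/, "", $1); print $1 }' "$1"
}

RL=$(default_runlevel "$WORKDIR/inittab")
echo "default runlevel: $RL"
echo "SysV services started at runlevel $RL:"
enabled_at "$WORKDIR/chkconfig.txt" "$RL"
echo "xinetd services enabled:"
xinetd_enabled "$WORKDIR/chkconfig.txt"
# Each service printed above that you cannot justify is a candidate for
#     /sbin/chkconfig --level "$RL" <service> off
```

Running it against the constructed input reports runlevel 2 with sshd and syslog starting there, plus rsync enabled under xinetd; httpd and cups only appear if you ask about runlevel 5, which is why checking the runlevel you actually boot into matters more than reading the table as a whole.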

step 5. set up a firewall

A software firewall on your Linux box is normally the second line of defense; the first is the firewall on your network gateway. But in a hostile environment such as a shared public network, the software firewall is the only defense your system has, so configure it as if nothing else is protecting you.

The following command lists all the firewall rules currently loaded by iptables:

    iptables -L -v

Start from the most restrictive policy, then open only the connections you know for sure you need.
The following rules deny all connections except one-way HTTP access to 10.10.10.10: new connections TO port 80 on 10.10.10.10 are permitted, connections FROM 10.10.10.10 are not, but 10.10.10.10 is permitted to send replies back over HTTP as long as the session has already been established.

    # default policy: drop everything coming in, going out or passing through
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP
    # allow new and established TCP connections from this host to 10.10.10.10:80
    iptables -A OUTPUT -p tcp -d 10.10.10.10 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    # allow only replies from 10.10.10.10:80 for sessions this host opened
    iptables -A INPUT -p tcp -s 10.10.10.10 --sport 80 -m state --state ESTABLISHED -j ACCEPT

Two caveats. These rules also drop loopback traffic, which breaks many local services, so in practice add "iptables -A INPUT -i lo -j ACCEPT" and "iptables -A OUTPUT -o lo -j ACCEPT". And if you are doing this over SSH, setting the DROP policies first cuts off your own session, so add the ACCEPT rules before switching the policies, or apply the whole set at once with iptables-restore.
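An added example, not code from the original post, of the "most restrictive first" approach done in a way that avoids the lock-out problem: generate the complete default-deny ruleset in iptables-restore format, with loopback and reply traffic allowed and an allow-list of outbound host:port pairs, so it is applied atomically instead of one command at a time. It goes beyond the page's single rule by accepting any number of destinations. The allow-list, the output path and the use of the conntrack match (the current name for the state match used above) are this example's choices; IPv4 addresses only.

```shell
#!/bin/sh
# Added example (not from the original post): build a default-deny ruleset in
# iptables-restore format from an allow-list of outbound "host:port" pairs.
# Applying the file with iptables-restore installs all rules and policies in
# one step, so there is no window where the policies are DROP but the ACCEPT
# rules are not yet loaded. Needs root to apply; generating it does not.

# gen_rules [host:port ...]: print a ruleset that drops everything except
# loopback traffic, replies to connections this host opened, and NEW outbound
# TCP connections to the listed IPv4 host:port pairs.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Local services talk over lo; blocking it breaks far more than it protects.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections this host opened come back in; nothing else does.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for entry in "$@"; do
        host=${entry%:*}
        port=${entry##*:}
        printf '%s\n' "-A OUTPUT -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# rule_count <file>: number of -A rule lines, a quick sanity check before applying.
rule_count() {
    grep -c '^-A ' "$1"
}

# Generate the page's policy (HTTP to 10.10.10.10 only) into a constructed
# temporary path. Apply as root with:  iptables-restore < "$RULES"
RULES=$(mktemp)
gen_rules 10.10.10.10:80 > "$RULES"
echo "wrote $(rule_count "$RULES") rules to $RULES"
```

Because the chain policies are declared in the same file as the ACCEPT rules, iptables-restore never leaves the box in the half-configured state that typing the commands by hand produces; keep the generated file under /etc so the same ruleset is loaded on every boot.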

step 6. update the OS

Keep the OS updated so that you get the latest security patches. Most distributions can install security updates unattended (yum-cron or dnf-automatic on Red Hat and Fedora, unattended-upgrades on Debian and Ubuntu); turn that on unless you have a process that applies patches faster by hand.

step 7. resist the temptation of installing unofficial applications

The single most common cause of a broken Linux installation is following unofficial advice, and in particular installing software from arbitrary unofficial repositories. A third-party repository can also replace core packages with its own builds, which quietly undoes the trust you established in step 1.
