For today’s computing platforms, ease of access and openness are essential for web-based communications and for IT management teams with limited resources.
This is directly at odds with the growing need for comprehensive security measures in a world full of malware, hacking threats, and potential data thieves.
Most organizations will adopt a layered security strategy, providing as many protection measures for their IT infrastructure as are available (firewalls, sandboxes, IPS and IDS, antivirus), but the most secure computing environments are those with a security posture built in “from scratch”.
If the data does not need to be stored on the Linux web server for the public, remove it entirely; if the data is not there, it cannot be compromised.
If a user does not need access to certain systems or parts of the network, for example where your secure Ubuntu farm is located, then revoke their privileges to reach them; access to a system is a prerequisite for stealing its data, so deny that access in the first place.
Likewise, if your CentOS server doesn’t need FTP or web services, disable or remove them. You reduce the potential vectors of security breaches each time you reduce the means of access.
Simply put, you need to harden your Linux servers.
Linux hardening policy background
The beauty of Linux is that it is so accessible and available for free that it is easy to get up and running with very little training or knowledge. The web-based support community provides all the tips and tutorials you will need to carry out any Linux setup or troubleshooting task you may encounter.
Finding and interpreting the right hardening checklist for your Linux hosts can still be a challenge, so this guide gives you a concise checklist to work with, covering the highest-priority hardening measures for a typical Linux server.
- Enforce password history – 365 days
- Maximum password age – 42 days
- Minimum password length – 8 characters
- Password complexity – Enable
- Duration of account lockout – 30 minutes
- Account lockout threshold – 5 attempts
- Reset Account Lockout Counter – 30 minutes
Edit /etc/pam.d/common-password to define the password policy parameters for your host.
- Make sure SSH version 2 is in use
- Disable remote root logins
- Enable AllowGroups only for allowed group names
- Allow access only to valid devices
- Restrict the number of concurrent root sessions to 1 or 2 only
Edit sshd_config to define the SSHD policy parameters for your host, and /etc/hosts.allow and /etc/hosts.deny to control access. Use /etc/securetty to restrict root logins to tty1 only, or to tty1 and tty2.
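The following audit script is an added example, not part of the original checklist: it reads sshd_config text from stdin and reports which of the SSH items above are not met. The sample config and the group name sshadmins are constructed for the demonstration; run it against a real host with `audit_sshd_config < /etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Constructed sample sshd_config containing four checklist violations.
SAMPLE_SSHD_CONFIG='Protocol 2,1
PermitRootLogin yes
#AllowGroups sshadmins      <- commented out, so not in effect
MaxSessions 10'

# get_directive NAME: print the effective value of NAME from sshd_config text on
# stdin. Comments are stripped first; sshd honours the first occurrence of a keyword.
get_directive() {
    sed 's/#.*//' | awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd_config: read sshd_config text on stdin, print one finding per line and
# return the number of findings, so exit status 0 means all four checks passed.
audit_sshd_config() {
    cfg=$(cat)
    n=0
    # SSH-1 is obsolete; flag any Protocol value other than exactly "2". OpenSSH 7.4+
    # removed SSH-1 and ignores this keyword, so an absent directive is not a finding.
    v=$(printf '%s\n' "$cfg" | get_directive Protocol)
    if [ -n "$v" ] && [ "$v" != "2" ]; then
        echo "Protocol is '$v'; set 'Protocol 2'"; n=$((n + 1))
    fi
    # Require an explicit "no": older releases default to "yes", newer ones to
    # "prohibit-password", which still lets root in with a key.
    v=$(printf '%s\n' "$cfg" | get_directive PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}'; set 'PermitRootLogin no'"; n=$((n + 1))
    fi
    # AllowGroups is an allow-list; without it every local account may log in over SSH.
    v=$(printf '%s\n' "$cfg" | get_directive AllowGroups)
    if [ -z "$v" ]; then
        echo "AllowGroups is unset; restrict logins to a named admin group"; n=$((n + 1))
    fi
    # MaxSessions caps sessions multiplexed over one connection (default 10); the
    # per-user cap the checklist describes is 'maxlogins' in pam_limits, not sshd.
    v=$(printf '%s\n' "$cfg" | get_directive MaxSessions)
    if [ -z "$v" ] || [ "$v" -gt 2 ]; then
        echo "MaxSessions is '${v:-unset}'; set it to 1 or 2"; n=$((n + 1))
    fi
    return "$n"
}

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config || echo "findings: $?"
```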
Safe boot only
Remove the options to boot from CDs or USB devices and password protect the computer to prevent the BIOS options from being edited.
Password-protect the /boot/grub/menu.lst file, then remove the rescue-mode boot entry.
Disable all unnecessary processes, services and daemons
Each system is unique, so it is important to review what processes and services are unnecessary for your server to run your applications.
Evaluate your server by running the ps -ax command and see what is currently running.
Similarly, evaluate the start state of all services by running chkconfig --list.
Disable any unnecessary service with sysv-rc-conf <service-name> off.
Restrict permissions on sensitive files and folders to root only
Make sure the following sensitive files and programs are readable or executable only by root:
- /etc/fstab
- /etc/passwd
- /bin/ping
- /usr/bin/who
- /usr/bin/w
- /usr/bin/locate
- /usr/bin/whereis
- /sbin/ifconfig
- /bin/nano
- /usr/bin/vi
- /usr/bin/which
- /usr/bin/gcc
- /usr/bin/make
- /usr/bin/apt-get
- /usr/bin/aptitude
Make sure the following folders are accessible to root only:
- /etc
- /usr/etc
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /tmp
- /var/tmp
Disable SUID and SGID binaries
Identify the SUID and SGID files on the system: find / \( -perm -4000 -o -perm -2000 \) -print
Make these files safe by removing the SUID or SGID bit with chmod -s filename.
You should also restrict access to all compilers on the system by adding them to a new group, ‘compilers’:
- chgrp compilers *cc*
- chgrp compilers *++*
- chgrp compilers ld
- chgrp compilers as
Once they are in the group, restrict permissions on each compiler binary with chmod 750.
Deploy regular / real-time FIM on sensitive files and folders
The integrity of all files and folders should be monitored to ensure that permissions and files do not change without approval.
Configure auditing on the Linux server
Make sure key security events are audited and forwarded to your syslog or SIEM server. Edit the syslog.conf file accordingly.
General hardening of kernel variables
Edit the /etc/sysctl.conf file to set all kernel variables to safe settings to prevent spoofing, SYN flooding, and DoS attacks.