Toughening Security for Linux Servers

By Des Nnochiri

As with any other operating system, security is a prime concern for servers running Linux. In this article, we’ll give some recommendations on how to toughen the security posture of your Linux servers. Screenshots and example syntax relate to systems running Kali Linux, CentOS, RHEL, Ubuntu, and Debian-based Linux distributions.

Encrypt Data for Greater Information Security

Unencrypted (plaintext) data, whether held at rest or in transit across a network, is vulnerable to packet sniffing and extraction. At the very least, data in transit should be encrypted using a strong encryption protocol backed by keys and/or digital certificates.

File transfers should be executed over secure protocols such as scp, sftp, or rsync tunnelled through ssh. OpenSSH provides scp and SFTP, while FTPS (FTP over SSL/TLS) adds Transport Layer Security (TLS) encryption, the successor of Secure Sockets Layer (SSL), to the standard file transfer protocol (FTP). Using the sshfs and fuse tools, it is also possible to mount a remote server’s file system, or your own home directory on it, securely over SSH.

You can use the following syntax to remove outdated or insecure services such as NIS, rsh, and telnet from a RHEL or CentOS system:

# yum erase xinetd ypserv tftp-server telnet-server rsh-server

On Debian- or Ubuntu-based Linux servers, the apt-get or apt commands can be used to remove the same insecure services:

$ sudo apt-get --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server

For data at rest, most Linux distributions allow you to encrypt your hard drives at installation time. On Kali Linux, choose the installer option “Guided - use entire disk and set up encrypted LVM” to set up an encrypted logical volume manager.

(Image source: Network World)

Isolate Network Services

To limit the number of other services that could be compromised by a single security breach, Linux administrators should run different network services on separate servers or virtual machine (VM) instances. Virtualization software such as OpenVZ may be installed separately on RHEL and CentOS Linux distributions.

To further secure your host network on Kali Linux, you can take the following steps:

  • Disable IP forwarding by setting the net.ipv4.ip_forward parameter to 0 in “/etc/sysctl.conf”
  • Disable sending of packet redirects by setting the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in “/etc/sysctl.conf”
  • Disable ICMP redirect acceptance by setting the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in “/etc/sysctl.conf”
  • Enable bad error message protection by setting the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in “/etc/sysctl.conf”
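
The following script is an added example, not code from the article: it encodes the six sysctl keys from the list above as an audit over a file in /etc/sysctl.conf format, reporting keys that are missing or set to the wrong value, and then appends the compliant settings. The config file it checks is constructed for the demonstration; on a real host the equivalent would be /etc/sysctl.conf or a drop-in under /etc/sysctl.d/, applied with sysctl -p or sysctl --system.

```shell
#!/bin/sh
# Added audit helper (not from the article): the hardening settings above,
# written as the full sysctl keys that /etc/sysctl.conf expects.
HARDEN_KEYS='net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1'

# audit_sysctl_conf FILE: print one line per hardening key that FILE leaves
# unset (MISSING) or sets to another value (WRONG). Prints nothing when FILE
# already complies. Comment lines are ignored and, as with sysctl itself, the
# last assignment of a key wins; spaces around '=' are tolerated.
audit_sysctl_conf() {
  file=$1
  printf '%s\n' "$HARDEN_KEYS" | while IFS='=' read -r key want; do
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for grep
    have=$(grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$file" \
             | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$have" ]; then
      printf 'MISSING %s (want %s)\n' "$key" "$want"
    elif [ "$have" != "$want" ]; then
      printf 'WRONG   %s=%s (want %s)\n' "$key" "$have" "$want"
    fi
  done
}

# write_hardened_sysctl FILE: append the compliant settings to FILE so that a
# later `sysctl -p FILE` (or `sysctl --system` for a drop-in under
# /etc/sysctl.d/) applies them. Appending is enough because the last
# assignment of each key wins.
write_hardened_sysctl() {
  printf '# added by write_hardened_sysctl\n%s\n' "$HARDEN_KEYS" >> "$1"
}

# Demonstration on a constructed config file (not a real system file).
demo_sysctl_audit() {
  tmp=$(mktemp)
  printf 'net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_redirects = 0\n' > "$tmp"
  echo "--- before hardening ---"
  audit_sysctl_conf "$tmp"
  write_hardened_sysctl "$tmp"
  echo "--- after hardening (no output means compliant) ---"
  audit_sysctl_conf "$tmp"
  rm -f "$tmp"
}
demo_sysctl_audit
```

Note that the audit only inspects the file; the kernel's live values live under /proc/sys and are what `sysctl -a` prints, so after editing the file, apply it and re-read the live values to confirm that nothing in a later drop-in overrides the hardening.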
Keep Software Installations Lean and Up-to-Date

The more applications or web services you have installed, the greater the exposure to software vulnerabilities and the more targets an attacker has for compromising your programs. So limit the packages you add to the core system to those that are strictly necessary. The apt-get and dpkg commands, or an RPM-based package manager such as yum, can be used to review all the software installed on your system, and they include commands for removing any unwanted packages or services.

Here’s a syntax example using dpkg and apt-get to list installed packages, show the status of one package, and remove it:

# dpkg --list
# dpkg --status packageName
# apt-get remove packageName

It’s also important to regularly update and patch your software, both to install the latest security fixes and to benefit from the latest tools and features of your applications. On Debian or Ubuntu Linux systems, you can configure unattended upgrades for your server software using apt-get or apt:

$ sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx

Use Linux Security Extensions

Linux includes a number of security tools that can enforce limitations on network access and other programs, guarding the system against poorly configured or compromised software.

(Image source: Network World)

SELinux (Security-Enhanced Linux) adds a range of security policies to the Linux kernel, including flexible Mandatory Access Control (MAC). The mechanism has three configuration modes:

  1. Disabled: Protection is inactive.
  2. Permissive: Policy violations are logged as warnings but not blocked.
  3. Enforcing: Security policy is enforced.

Running a MAC-enabled kernel protects a Linux server from malicious or flawed applications that might otherwise damage or destroy the system.
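
As an added illustration that is not from the article, the following shell script reads the SELINUX= setting from a file in /etc/selinux/config format, which selects the mode used at boot, and flags anything other than enforcing. The sample file it builds is constructed for the demonstration; the live mode, which setenforce can change until the next reboot, is what getenforce reports and should be compared with this value in a real audit.

```shell
#!/bin/sh
# Added example, not part of the article. selinux_configured_mode FILE prints
# the mode that FILE (in /etc/selinux/config format) selects at boot:
# enforcing, permissive or disabled. The running mode can differ (setenforce
# changes it until the next reboot), so a full check compares this value with
# the output of `getenforce`.
selinux_configured_mode() {
  awk -F= '
    /^[[:space:]]*#/ { next }                               # skip comments
    $1 ~ /^[[:space:]]*SELINUX[[:space:]]*$/ { mode = $2 }  # last one wins
    END { gsub(/[[:space:]]/, "", mode); print tolower(mode) }
  ' "$1"
}

# selinux_is_enforcing FILE: succeed only when the boot-time mode is
# enforcing, the one mode in which the policy actually blocks violations.
selinux_is_enforcing() {
  [ "$(selinux_configured_mode "$1")" = "enforcing" ]
}

# Demonstration on a constructed config file (not the real /etc/selinux/config).
demo_selinux_audit() {
  tmp=$(mktemp)
  printf '# constructed sample\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$tmp"
  printf 'configured mode: %s\n' "$(selinux_configured_mode "$tmp")"
  if selinux_is_enforcing "$tmp"; then
    echo "SELinux will enforce policy at boot"
  else
    echo "WARNING: SELinux is not enforcing at boot; set SELINUX=enforcing"
  fi
  rm -f "$tmp"
}
demo_selinux_audit
```

The parser deliberately ignores SELINUXTYPE= (which names the policy, not the mode) and takes the last SELINUX= line, matching how the file is read: a stray second assignment near the end of the file silently wins.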
Set a Strong Password Policy

You can use the useradd and usermod commands to create and maintain Linux user accounts. As in any IT environment, the standard criteria for strong passwords apply (eight characters or more; a mix of letters, numbers, and symbols; changed regularly). You can use the chage command to configure the number of days between password changes and to view or set the date of the last password change.

The passwd command can lock and unlock accounts:

# lock account
passwd -l userName

# unlock account
passwd -u userName
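
As an added example (not from the article), this script reads a constructed file in /etc/shadow format and reports accounts whose password never expires, whose maximum age exceeds a limit, or that passwd -l has locked, which shows what the chage and passwd commands above actually change in the account record. The 90-day limit and the placeholder hashes are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article. audit_shadow FILE [MAX_DAYS]: read a
# file in /etc/shadow format and print NAME:STATUS for every account whose
# password policy needs attention. Field 2 is the password hash, field 5 the
# maximum password age in days (what `chage -M` sets and `chage -l` shows).
# `passwd -l` locks an account by prefixing the hash with '!', so a leading
# '!' means locked ('!!' is a password that was never set and is reported the
# same way); a bare '*' means password logins are disabled (system accounts).
audit_shadow() {
  awk -F: -v limit="${2:-90}" '
    /^[[:space:]]*#/ || NF < 5 { next }           # skip comments and junk
    {
      name = $1; hash = $2; max = $5; status = ""
      if (hash ~ /^!/)                        status = "locked"
      else if (hash == "*")                   status = "password-login-disabled"
      else if (max == "" || max + 0 >= 99999) status = "never-expires"
      else if (max + 0 > limit)               status = "max-age-" max "-exceeds-" limit
      if (status != "") print name ":" status
    }' "$1"
}

# Demonstration on a constructed shadow file with placeholder hashes
# (never run this against a copied /etc/shadow without the same 0600 perms).
demo_shadow_audit() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
root:$6$salt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$salt$PLACEHOLDERHASH:19000:1:60:7:::
bob:!$6$salt$PLACEHOLDERHASH:19000:0:60:7:::
svc:*:19000:0:99999:7:::
carol:$6$salt$PLACEHOLDERHASH:19000:0:180:7:::
EOF
  audit_shadow "$tmp" 90
  rm -f "$tmp"
}
demo_shadow_audit
```

In the demo, alice (max age 60 days) passes, root and svc still carry the 99999-day default that means "never expires", bob shows the '!' prefix that passwd -l adds, and carol's 180-day maximum exceeds the 90-day limit; `chage -M 90 root` is the command that would clear the first finding on a real host.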
The faillog command displays failed login attempts in the form of faillog records and lets administrators set login failure limits.

Use Centralized Authentication

To guard against the presence of out-of-date credentials and forgotten accounts on a network, use a centralized authentication system. A service such as OpenLDAP for clients and servers allows administrators to exercise central control over Linux or UNIX accounts and authentication data. It also allows them to keep authentication data synchronized between servers.

Kerberos acts as a trusted third-party authentication service. Its design rests on a cryptographic shared secret and assumes that packets travelling across an insecure network can be read, modified, and re-inserted. Remote login, remote copy, secure inter-system file copying, and other high-risk tasks can then be performed using symmetric-key cryptography.

Enforce Physical Security Measures

Finally, don’t neglect the physical aspects of Linux network security. These include restricting physical access to data centers and hardware (authorized users only, screening, surveillance, etc.). Physical security also encompasses specific procedures for safeguarding the network hardware itself.

For example, you can disable booting of Linux servers from external devices such as DVDs, CDs, or USB sticks. To do this, set BIOS and GRUB boot loader passwords so that other users cannot change or override the server’s security settings. You should also log in to the admin page of any management web interface built into the server’s motherboard (such as a baseboard management controller) to change its default password and administrative privileges.