Linux Server Hardening
Each time you work on a new Linux hardening job, you need to create a new document that has all the checklist items listed in this post, and you need to check off every item you applied on the system. Furthermore, on the top of the document, you need to include the Linux host information:
Linux Server Hardening
Another password policy that should be forced is strong passwords. The PAM module offers a pam_cracklib that protects your server from dictionary and brute-force attacks. To accomplish this task, open the file /etc/pam.d/system-auth using any text editor and add the following line:
Telnet and rlogin protocols uses plain text, not encrypted format which is the security breaches. SSH is a secure protocol that use encryption technology during communication with server.
NIC Bonding helps us to avoid single point of failure. In NIC bonding, we bond two or more Network Ethernet Cards together and make one single virtual Interface where we can assign IP address to talk with other servers. Our network will be available in case of one NIC Card is down or unavailable due to any reason.
Implementing secure configurations across your computing environment, including your Unix and Linux systems, is a key security best practice because it reduces your attack surface area and limits the damage that cyberattacks can do. Indeed, system hardening is a core control in many compliance directives.
The most secure Linux server or other computer is the one that is powered off and disconnected from the network. But if we want to actually use the machine to provide IT services, we need to maximize its security defenses when it is booted up and attached to the network or even the internet.
This is where hardening comes into play. Hardening a system means optimizing its configuration for secure operations and data protection. The range of exploitable vulnerabilities is vast, so there are three main rules to follow:
Start by stripping out any features, utilities and services that are not required for running the server. Uninstall unnecessary software and disable system services that are not needed. Since the hardware in your infrastructure also presents exploitable vulnerabilities, make sure any accessible interfaces, such as USB ports, are disabled or even physically removed from the machine.
As the primary route for remotely administering your Linux systems, SSH requires particular attention. There are a number of default settings in the /etc/ssh/sshd_config file that need to be enabled in order to harden the SSH server operation.
For example, the default configuration enables the outdated and less secure version 1 of the SSH protocol. CIS hardening guidance recommends enabling version 2 to enhance security. To do so, simply uncomment the Protocol 2 setting in the configuration file (/etc/ssh/sshd_config) by removing the #, as follows:
A simplified operating system with a reduced footprint is attractive when the full range of function usually provided by server-grade Linux devices is not required and hardware resources such as storage, memory and CPU have been minimized to save manufacturing costs. For example, the open-source Android platform developed by Google is optimized for smart phones and TVs, and the OpenWrt router firmware is used for a wide range of broadband routers.
The functionality included in the operating system varies widely depending upon the intended application. For example, Android includes screen lock, face recognition, PIN entry support and location services; these are not needed in operating systems for home routers, but VPN, guest Wi-Fi and bandwidth throttling features are included. As a result, hardening guidance is specifically linked to the particular device and platform in use.
Similarly for Linux Mint, as an Ubuntu-derived Desktop Linux platform, the same hardening procedures used for Debian-Linux should be adopted. Work through the earlier Linux Hardening Checklist steps and apply these to your Linux Mint systems.
When you perform an inside-looking-around vulnerability assessment, you are at an advantage since you are internal and your status is elevated to trusted. This is the point of view you and your co-workers have once logged on to your systems. You see print servers, file servers, databases, and other resources.
What is the target? Are we looking at one server, or are we looking at our entire network and everything within the network? Are we external or internal to the company? The answers to these questions are important as they help determine not only which tools to select but also the manner in which they are used.
Another potential networking pitfall is the use of centralized computing. A common cost-cutting measure for many businesses is to consolidate all services to a single powerful machine. This can be convenient as it is easier to manage and costs considerably less than multiple-server configurations. However, a centralized server introduces a single point of failure on the network. If the central server is compromised, it may render the network completely useless or worse, prone to data manipulation or theft. In these situations, a central server becomes an open door that allows access to the entire network.
A full installation of Red Hat Enterprise Linux 8 contains more than 1000 applications and library packages. However, most server administrators do not opt to install every single package in the distribution, preferring instead to install a base installation of packages, including several server applications.
A common occurrence among system administrators is to install the operating system without paying attention to what programs are actually being installed. This can be problematic because unneeded services may be installed, configured with the default settings, and possibly turned on. This can cause unwanted services, such as Telnet, DHCP, or DNS, to run on a server or workstation without the administrator realizing it, which in turn can cause unwanted traffic to the server or even a potential pathway into the system for crackers.
Most server applications that are included in a default installation are solid, thoroughly tested pieces of software. Having been in use in production environments for many years, their code has been thoroughly refined and many of the bugs have been found and fixed.
However, there is no such thing as perfect software and there is always room for further refinement. Moreover, newer software is often not as rigorously tested as one might expect, because of its recent arrival to production environments or because it may not be as popular as other server software.
Developers and system administrators often find exploitable bugs in server applications and publish the information on bug tracking and security-related websites such as the Bugtraq mailing list ( ) or the Computer Emergency Response Team (CERT) website ( ). Although these mechanisms are an effective way of alerting the community to security vulnerabilities, it is up to system administrators to patch their systems promptly. This is particularly true because crackers have access to these same vulnerability tracking services and will use the information to crack unpatched systems whenever they can. Good system administration requires vigilance, constant bug tracking, and proper system maintenance to ensure a more secure computing environment.
Administrators who fail to patch their systems are one of the greatest threats to server security. This applies as much to inexperienced administrators as it does to overconfident or amotivated administrators.
Some administrators fail to patch their servers and workstations, while others fail to watch log messages from the system kernel or network traffic. Another common error is when default passwords or keys to services are left unchanged. For example, some databases have default administration passwords because the database developers assume that the system administrator changes these passwords immediately after installation. If a database administrator fails to change this password, even an inexperienced cracker can use a widely-known default password to gain administrative privileges to the database. These are only a few examples of how inattentive administration can lead to compromised servers.
Even when using secure protocols, such as SSH, a remote user may be vulnerable to certain attacks if they do not keep their client applications updated. For instance, SSH protocol version 1 clients are vulnerable to an X-forwarding attack from malicious SSH servers. Once connected to the server, the attacker can quietly capture any keystrokes and mouse clicks made by the client over the network. This problem was fixed in the SSH version 2 protocol, but it is up to the user to keep track of what applications have such vulnerabilities and update them as necessary.
Access levels can be separated by partition as well. The boot directory, for example, contains several important files that are related to the Linux kernel. This directory should be set to read-only so that the data on this partition can be accessed, but not changed unless the server is booted into single-user recovery mode.
In his article 5 ways to harden a new system with Ansible, Enable Sysadmin Sudoer Anthony Critelli walks through developing an Ansible playbook to secure a new Linux server. He shows how to use Ansible to patch the system, lock remote access, disable unused software and services, and do other useful tasks.
While these recommendations are helpful, keep in mind that they don't guarantee your server is perfectly safe. It's unlikely that any servers exposed on the internet are completely secure, but these additional policies help improve their security, making it harder for anyone to attack or exploit your server.
Encoding these recommendations and policies into an Ansible playbook and automating their application allows you to apply them consistently across your servers, verify compliance, and remediate servers periodically. I've included a complete sample playbook at the end of this article with all recommendations below. 041b061a72