For today’s computing platforms, ease of access and openness are essential for web-based communications and for resource-poor IT management teams.

This is directly at odds with the growing need for comprehensive security measures in a world filled with malware, hacking threats, and potential data thieves.

Most organizations adopt a layered security strategy, applying as many protective measures to their IT infrastructure as are available (firewalls, sandboxes, IPS and IDS, antivirus), but the most secure computing environments are those built to be secure from the start.

If the data does not need to be stored on the public Linux web server, remove it completely; if the data is not there, it cannot be compromised.

If a user doesn’t need access to certain systems or parts of the network, say the segment where your secure Ubuntu farm is located, revoke their privileges to reach them. An attacker needs access to systems to steal data, so keep them from getting close in the first place.

Similarly, if your CentOS server doesn’t need FTP or web services, disable or remove them. Reduce potential vectors of security breaches by reducing the means of access.

Simply put, you need to harden your Linux servers.

Background to the Linux hardening policy

The beauty of Linux is that it is so accessible and freely available that it is easy to get up and running with very little training or knowledge. The web-based support community offers all the tips and tutorials you need for any Linux setup or troubleshooting task.

Finding and interpreting the right hardening checklist for your Linux hosts can still be challenging, so this guide gives you a concise checklist to work with, covering the highest-priority hardening measures for a typical Linux server.

Account policies

  • Enforce password history – 365 days
  • Maximum password age – 42 days
  • Minimum password length – 8 characters
  • Password complexity – enforced
  • Account lockout duration – 30 minutes
  • Account lockout threshold – 5 attempts
  • Reset account lockout counter after – 30 minutes

These settings are spread over several files on a PAM-based system. Password ageing (maximum age) is set in /etc/login.defs (PASS_MAX_DAYS) and applies to accounts created afterwards; existing accounts need chage. Length, complexity and history are password-stack settings: edit /etc/pam.d/common-password on Debian and Ubuntu, or /etc/pam.d/system-auth and /etc/pam.d/password-auth on CentOS and RHEL, using pam_pwquality (or the older pam_cracklib) for length and complexity and pam_pwhistory for reuse. Lockout threshold, duration and counter reset are auth-stack settings handled by pam_faillock (pam_tally2 on older releases). Note that pam_pwhistory counts previous passwords rather than days, so the history item has to be expressed as a number of remembered passwords.
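The following is an added example, not code from the original page: a small shell audit that maps each checklist item above onto the setting that actually enforces it on a PAM-based host and checks the values. It assumes Debian/Ubuntu file names (login.defs, common-password, common-auth); the sample files it writes are constructed for the demo, and the value remember=5 is an assumption, since the page gives the history item as a period rather than a count.

```shell
#!/bin/sh
# Added example (not from the original page): audit the account-policy values above
# against the files that hold them on a PAM-based host. File names follow Debian/Ubuntu
# (login.defs, common-password, common-auth); on CentOS/RHEL point it at /etc/login.defs,
# /etc/pam.d/system-auth and /etc/pam.d/password-auth instead.
# The demo writes constructed sample files into a temp dir; it never touches /etc.

# Value of KEY in a login.defs-style file ("KEY value"); comments and blank lines ignored.
defs_value() {     # usage: defs_value FILE KEY
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Value of OPT=... on the first uncommented line that loads MODULE in a PAM file.
pam_opt() {        # usage: pam_opt FILE MODULE OPT
    awk -v m="$2" -v o="$3" '
        $0 ~ "^[^#]*" m {
            for (i = 1; i <= NF; i++)
                if (index($i, o "=") == 1) { print substr($i, length(o) + 2); exit }
        }' "$1"
}

# One numeric check: WHAT is the label, GOT the parsed value, OP WANT the test it must pass.
_check() {         # usage: _check WHAT GOT OP WANT  -> prints FAIL line and returns 1 on failure
    case "$2" in ''|*[!0-9]*) echo "FAIL $1: want $3 $4, got '${2:-unset}'"; return 1;; esac
    [ "$2" "$3" "$4" ] || { echo "FAIL $1: want $3 $4, got $2"; return 1; }
    return 0
}

# Audit the three files against the checklist; prints failures, returns their count.
audit_account_policy() {   # usage: audit_account_policy LOGIN_DEFS PAM_PASSWORD PAM_AUTH
    _fails=0
    _check "PASS_MAX_DAYS (max age)"        "$(defs_value "$1" PASS_MAX_DAYS)"            -le 42   || _fails=$((_fails + 1))
    _check "pwquality minlen (min length)"  "$(pam_opt "$2" pam_pwquality.so minlen)"     -ge 8    || _fails=$((_fails + 1))
    _check "pwquality minclass (complexity)" "$(pam_opt "$2" pam_pwquality.so minclass)"  -ge 3    || _fails=$((_fails + 1))
    _check "pwhistory remember (history)"   "$(pam_opt "$2" pam_pwhistory.so remember)"   -ge 1    || _fails=$((_fails + 1))
    _check "faillock deny (threshold)"      "$(pam_opt "$3" pam_faillock.so deny)"        -le 5    || _fails=$((_fails + 1))
    _check "faillock unlock_time (duration)" "$(pam_opt "$3" pam_faillock.so unlock_time)" -ge 1800 || _fails=$((_fails + 1))
    _check "faillock fail_interval (reset)" "$(pam_opt "$3" pam_faillock.so fail_interval)" -ge 1800 || _fails=$((_fails + 1))
    return "$_fails"
}

# Constructed hardened sample files matching the checklist (values are the page's;
# remember=5 is an assumption, since pam_pwhistory counts passwords, not days).
write_hardened_policy() {  # usage: write_hardened_policy DIR
    cat > "$1/login.defs" <<'EOF'
PASS_MAX_DAYS 42
PASS_MIN_DAYS 1
PASS_WARN_AGE 7
EOF
    cat > "$1/common-password" <<'EOF'
password requisite pam_pwquality.so retry=3 minlen=8 minclass=3 enforce_for_root
password required  pam_pwhistory.so use_authtok remember=5 enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
EOF
    # pam_faillock needs the preauth/authfail/authsucc trio in the auth stack and
    # "account required pam_faillock.so" in the account stack (common-account).
    cat > "$1/common-auth" <<'EOF'
auth required      pam_faillock.so preauth silent deny=5 unlock_time=1800 fail_interval=1800
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=1800 fail_interval=1800
auth sufficient    pam_faillock.so authsucc deny=5 unlock_time=1800 fail_interval=1800
EOF
}

# Demo: audit the constructed hardened set (expected: no FAIL lines, exit status 0).
_d=$(mktemp -d)
write_hardened_policy "$_d"
if audit_account_policy "$_d/login.defs" "$_d/common-password" "$_d/common-auth"; then
    echo "account policy: compliant"
fi
rm -rf "$_d"
```

Point audit_account_policy at the real files to check a host; a non-zero exit status is the number of failed items, so it slots into a compliance script directly.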

Access security

  • Make sure only SSH protocol version 2 is in use
  • Disable remote root logins
  • Use AllowGroups so that only members of named groups can log in
  • Allow access only from known hosts
  • Restrict the number of concurrent root sessions to 1 or 2 only

Edit /etc/ssh/sshd_config to define the SSH daemon policy for your host: Protocol 2 (OpenSSH 7.4 and later no longer support version 1 at all), PermitRootLogin no, AllowGroups with the permitted group names, and MaxSessions to cap the number of sessions per connection. Once PermitRootLogin is no, direct root sessions over SSH cannot occur; administrators log in as themselves and escalate with sudo. Use /etc/hosts.allow and /etc/hosts.deny to control which hosts may reach TCP-wrapper-aware services; OpenSSH removed built-in tcp_wrappers support in 6.7, so unless your distribution carries a patch, control sshd access with the host firewall or Match Address blocks. Use /etc/securetty (read by pam_securetty) to restrict direct root logins to tty1, or tty1 and tty2, only.
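As an added example (not code from the original page), here is a shell audit of an sshd_config file against the items above. It encodes the two parsing rules that trip up hand checks: sshd keeps the first value it reads for a keyword, and anything after a Match line is conditional. The two sample files it writes are constructed for the demo; on a live host, sshd -T prints the effective configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config file against the
# access-security items above without touching a live host. sshd keeps the FIRST value
# it reads for each keyword, and everything after a "Match" line is conditional, so the
# reader below stops at the first Match and returns the first global hit.

# Effective global value of KEY (keywords are case-insensitive); empty if unset.
sshd_value() {     # usage: sshd_value FILE KEY
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { gsub(/=/, " ") }                       # "Key=value" is allowed; normalise to "Key value"
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }         # conditional section starts: stop reading
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Audit FILE; prints one line per finding and returns the number of findings.
audit_sshd() {     # usage: audit_sshd FILE
    _f=0
    _v=$(sshd_value "$1" Protocol)
    # OpenSSH 7.4+ only speaks version 2; an explicit Protocol line that lists 1 is the red flag.
    case "$_v" in *1*) echo "FAIL Protocol: version 1 enabled ('$_v')"; _f=$((_f + 1));; esac
    _v=$(sshd_value "$1" PermitRootLogin)
    [ "$_v" = no ] || { echo "FAIL PermitRootLogin: want no, got '${_v:-unset}' (default prohibit-password)"; _f=$((_f + 1)); }
    _v=$(sshd_value "$1" AllowGroups)
    [ -n "$_v" ] || { echo "FAIL AllowGroups: unset, so every account with a shell may log in"; _f=$((_f + 1)); }
    _v=$(sshd_value "$1" MaxSessions)
    if [ -z "$_v" ] || [ "$_v" -gt 2 ]; then
        echo "FAIL MaxSessions: want <= 2, got '${_v:-unset (default 10)}'"; _f=$((_f + 1))
    fi
    return "$_f"
}

# Constructed samples: a weak file showing the first-value trap, and a hardened one.
write_weak_sshd() {        # usage: write_weak_sshd FILE
    cat > "$1" <<'EOF'
Protocol 2,1
PermitRootLogin yes
# This later line does NOT override the one above: sshd keeps the first value.
PermitRootLogin no
MaxSessions 10
EOF
}
write_hardened_sshd() {    # usage: write_hardened_sshd FILE
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin no
AllowGroups sshusers admins
MaxSessions 2
Match Group sftponly
    ForceCommand internal-sftp
EOF
}

# Demo: audit both samples (the weak one reports four findings, the hardened one none).
_d=$(mktemp -d)
write_weak_sshd "$_d/weak"; write_hardened_sshd "$_d/hardened"
for _name in weak hardened; do
    echo "== $_name"
    audit_sshd "$_d/$_name" || echo "$? finding(s)"
done
rm -rf "$_d"
```

Run audit_sshd /etc/ssh/sshd_config on a host to use it for real; files in /etc/ssh/sshd_config.d/ pulled in by an Include line are not followed by this reader, which is one more reason to confirm with sshd -T.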

Secure the boot process

Remove the options for booting from CD or USB devices and password-protect the firmware setup so that the BIOS/UEFI boot order cannot be changed.

Password-protect the boot loader, then remove the rescue (single-user) boot entry. On GRUB legacy the password goes in /boot/grub/menu.lst; on GRUB 2 set superusers and a password_pbkdf2 hash (generated with grub-mkpasswd-pbkdf2) in /etc/grub.d/40_custom and regenerate the configuration. Without this, anyone at the console can edit a boot entry and append single or init=/bin/sh to obtain a root shell.

Disable all unnecessary processes, services and daemons

Every system is unique, so it’s important to review which processes and services are unnecessary for your server to run its applications.

Evaluate your server by running ps ax (or ps -ef) and see what is currently running; ss -tlnp (or netstat -tlnp) shows which of those are listening on the network.

Similarly, evaluate the startup status of all services. On SysV-init systems run chkconfig --list; on systemd systems run systemctl list-unit-files --type=service --state=enabled.

Disable any unnecessary service with sysv-rc-conf <service-name> off (or chkconfig <service-name> off), or with systemctl disable --now <service-name> on systemd systems. Where nothing else depends on it, remove the package outright.

Restrict permissions on sensitive files and folders to root only

Make sure the following sensitive programs can be executed only by root (and that the configuration files in the list can be modified only by root):

  • /etc/fstab
  • /etc/passwd
  • /bin/ping
  • /usr/bin/who
  • /usr/bin/w
  • /usr/bin/locate
  • /usr/bin/whereis
  • /sbin/ifconfig
  • /bin/nano
  • /usr/bin/vi
  • /usr/bin/which
  • /usr/bin/gcc
  • /usr/bin/make
  • /usr/bin/apt-get
  • /usr/bin/apt

Two caveats: /etc/fstab and /etc/passwd are data files, not programs, and /etc/passwd must stay world-readable (mode 0644) because user and group lookups depend on it; the password hashes belong in /etc/shadow, which only root (and the shadow group) can read. Tools such as ping and who are harmless on their own; restricting them removes reconnaissance aids from an attacker who has landed a low-privilege shell, so weigh that against the needs of legitimate users.

Make sure the following folders are writable by root only (other users keep read and execute access, which the system needs in order to function):

  • /etc
  • /usr/etc
  • /bin
  • /usr/bin
  • /sbin
  • /usr/sbin
  • /tmp
  • /var/tmp

/tmp and /var/tmp are the exception: they must stay world-writable with the sticky bit set (mode 1777) so that users can create files but only delete their own.

Disable SUID and SGID binaries

Identify the SUID and SGID files on the system: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print (the parentheses must be escaped from the shell).

Make the files you do not need safe by removing the SUID or SGID bits with chmod u-s,g-s filename (chmod -s filename has the same effect). Do not strip the bits blindly: su, sudo, passwd and the like depend on them, so compare the list against what the package manager installed and review the rest.

You should also restrict access to all compilers on the system by adding them to a new ‘compilers’ group:

  • groupadd compilers
  • chgrp compilers /usr/bin/*cc*
  • chgrp compilers /usr/bin/*++*
  • chgrp compilers /usr/bin/ld
  • chgrp compilers /usr/bin/as

Once they are in the group, restrict their permissions with chmod 750 so that only root and members of compilers can run them. Package upgrades restore the packaged ownership and mode, so re-apply the change after updates (on Debian and Ubuntu, dpkg-statoverride makes it persistent).
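The following is an added example, not code from the original page: a shell routine that runs the page's find expression, compares each hit against an allowlist of binaries that legitimately need the bit, and strips the bit from a chosen file. The allowlist names and the demo files are constructed for illustration; the real allowlist for a host is whatever its package manager installed.

```shell
#!/bin/sh
# Added example (not from the original page): list SUID/SGID files under a directory,
# flag the ones not on an allowlist of binaries that legitimately need the bit, and
# strip the bit from a file. The find expression is the page's with the parentheses
# escaped; -xdev keeps the scan on one filesystem and -type f skips directories
# (a setgid directory only makes new files inherit its group). Note that modern
# distributions give ping cap_net_raw instead of SUID, so "getcap -r / 2>/dev/null"
# is the companion check for file capabilities.

# Paths of regular files under ROOT (default /) with the SUID or SGID bit set.
list_special_bits() {          # usage: list_special_bits [ROOT]
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Of those, print the ones whose base name is not listed (one name per line) in ALLOWLIST.
unexpected_special_bits() {    # usage: unexpected_special_bits ROOT ALLOWLIST
    list_special_bits "$1" | while IFS= read -r _p; do
        grep -Fxq -e "$(basename "$_p")" "$2" || printf '%s\n' "$_p"
    done
}

# Remove both bits; the same effect as the page's "chmod -s", spelled out.
strip_special_bits() {         # usage: strip_special_bits FILE...
    chmod u-s,g-s "$@"
}

# Demo in a temp dir: "su" is expected to be SUID, "backdoor" is not. The allowlist is a
# constructed starting point, not a complete list. (The kernel clears the SGID bit on
# chmod unless you are in the file's group, so the demo uses SUID only.)
_d=$(mktemp -d)
printf 'su\nsudo\npasswd\nmount\numount\nchsh\nchfn\nnewgrp\n' > "$_d.allow"
for _n in su backdoor plain; do printf 'demo\n' > "$_d/$_n"; done
chmod 4755 "$_d/su" "$_d/backdoor"
echo "unexpected special-bit files:"; unexpected_special_bits "$_d" "$_d.allow"
strip_special_bits "$_d/backdoor"
echo "remaining after stripping backdoor:"; list_special_bits "$_d"
rm -rf "$_d" "$_d.allow"
```

On a real host, run unexpected_special_bits / against an allowlist built from the package manager's file lists, and review (rather than strip) anything that appears in a vendor package.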

Deploy regular/real-time FIM on sensitive files and folders

File integrity should be monitored for the sensitive files and folders listed above, and for the package-managed binaries, so that content, permissions and ownership are not changed without approval. Keep the baseline off the host or on read-only media, since an attacker who gains root can otherwise rewrite it to match their changes.
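As an added example (not code from the original page, and not a substitute for a real FIM tool such as AIDE), here is the core of a file-integrity check in shell: a baseline that records content hash, mode and ownership for every file under a directory, and a comparison that reports what changed. It assumes GNU or busybox stat and sha256sum; the /etc-like tree in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal file-integrity baseline and
# check for the sensitive paths listed above. Each record is "<sha256> <mode:uid:gid>
# <path>", so content, permission and ownership changes are all detected. It has no
# real-time events, and a baseline stored on the same host can be rewritten by whoever
# gains root there, so keep it off-box or on read-only media. Demo paths are constructed.

# Write one record per regular file under DIR to stdout, sorted for stable comparison.
fim_baseline() {   # usage: fim_baseline DIR > baseline
    find "$1" -xdev -type f -print | while IFS= read -r _f; do
        printf '%s %s %s\n' "$(sha256sum < "$_f" | cut -d' ' -f1)" \
                           "$(stat -c '%a:%u:%g' "$_f")" "$_f"
    done | LC_ALL=C sort
}

# Compare DIR with BASELINE; print one line per difference and return the count (max 255).
fim_check() {      # usage: fim_check DIR BASELINE
    _now=$(mktemp)
    fim_baseline "$1" > "$_now"
    _report=$(awk '
        # path is everything after the two fixed fields, so paths may contain spaces
        function path(line,  p) { p = line; sub(/^[^ ]+ [^ ]+ /, "", p); return p }
        FILENAME == ARGV[1] { base[path($0)] = $1 " " $2; next }
        {
            p = path($0); seen[p] = 1
            if (!(p in base)) { print "added:              " p; next }
            split(base[p], b, " ")
            if (b[1] != $1)      print "content changed:    " p
            else if (b[2] != $2) print "mode/owner changed: " p
        }
        END { for (p in base) if (!(p in seen)) print "removed:            " p }
    ' "$2" "$_now")
    rm -f "$_now"
    [ -n "$_report" ] || return 0
    printf '%s\n' "$_report"
    return "$(printf '%s\n' "$_report" | wc -l)"
}

# Demo: baseline a constructed /etc-like tree, then change content, mode and add a file.
_d=$(mktemp -d); mkdir "$_d/etc"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$_d/etc/passwd"
printf 'PermitRootLogin no\n' > "$_d/etc/sshd_config"
chmod 644 "$_d/etc/passwd" "$_d/etc/sshd_config"
fim_baseline "$_d/etc" > "$_d/baseline"
printf 'eve:x:0:0::/root:/bin/bash\n' >> "$_d/etc/passwd"   # second uid-0 account appended
chmod 600 "$_d/etc/sshd_config"                             # permission change
: > "$_d/etc/rc.local"                                      # unexpected new file
fim_check "$_d/etc" "$_d/baseline" || echo "$? change(s) detected"
rm -rf "$_d"
```

Run fim_baseline over /etc, /bin, /sbin, /usr/bin and /usr/sbin after a known-good build, store the output somewhere the host cannot write, and schedule fim_check against it; a non-zero status is the number of differences, which makes it easy to alert on.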

Configuring auditing on Linux server

Make sure key security events (logins and failed logins, sudo use, and changes to /etc/passwd, /etc/shadow, /etc/sudoers and the SSH configuration) are audited and forwarded to your syslog or SIEM server. Edit /etc/syslog.conf, or /etc/rsyslog.conf and /etc/rsyslog.d/ on hosts running rsyslog, to forward events (@host for UDP, @@host for TCP; use TLS where the SIEM supports it), and add file watches in the auditd rules under /etc/audit/rules.d/ for the files above. Logs kept only on the host can be altered by whoever compromises it.

General hardening of kernel variables

Edit /etc/sysctl.conf (or drop a file into /etc/sysctl.d/) to set the kernel network variables to secure settings that counter IP spoofing, SYN flooding and DoS attacks: reverse-path filtering, SYN cookies, ignoring ICMP redirects and source-routed packets, and logging of martian packets. Apply with sysctl --system and confirm the running values with sysctl -a.
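As an added example (not code from the original page), here is the fragment a practitioner usually means by "spoofing, SYN-flood and DoS hardening", together with a check that compares it with the running kernel through /proc/sys. The keys are real sysctl names, but the chosen values are an assumption to review per host; nothing below writes to /etc, and the check accepts an alternative root so it can be tested against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original page): the kernel network settings usually meant
# by "anti-spoofing, SYN-flood and DoS hardening", written as a sysctl.d fragment, plus
# a check of the running kernel via /proc/sys. The values are the common hardened
# choices and an assumption to review per host (ip_forward=0 is wrong on a router; the
# ipv6 keys are absent on kernels with IPv6 disabled). Nothing here writes to /etc.

HARDENED_SYSCTL='# spoofing: reverse-path filtering, no source routing, no ICMP redirects
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
# SYN flooding and broadcast amplification
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
# this host is not a router
net.ipv4.ip_forward=0
# memory-corruption mitigation: full address-space randomisation
kernel.randomize_va_space=2'

# Write the fragment to OUT (normally /etc/sysctl.d/99-hardening.conf, then sysctl --system).
write_sysctl_fragment() {  # usage: write_sysctl_fragment OUT
    printf '%s\n' "$HARDENED_SYSCTL" > "$1"
}

# /proc/sys path for a sysctl key (dots become slashes); ROOT overrides /proc/sys for tests.
sysctl_path() {            # usage: sysctl_path KEY [ROOT]
    printf '%s/%s\n' "${2:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Compare every key=value in FRAGMENT with the kernel; print mismatches, return their count.
sysctl_check() {           # usage: sysctl_check FRAGMENT [ROOT]
    _f=0
    while IFS='=' read -r _k _v; do
        _k=$(printf '%s' "$_k" | tr -d ' \t'); _v=$(printf '%s' "$_v" | tr -d ' \t')
        case "$_k" in ''|'#'*) continue;; esac            # blank line or comment
        _p=$(sysctl_path "$_k" "${2:-}")
        if [ ! -r "$_p" ]; then
            echo "MISSING $_k (no $_p on this kernel)"; _f=$((_f + 1)); continue
        fi
        _cur=$(cat "$_p")
        [ "$_cur" = "$_v" ] || { echo "FAIL $_k: want $_v, running $_cur"; _f=$((_f + 1)); }
    done < "$1"
    return "$_f"
}

# Demo: write the fragment to a temp file and compare it with the running kernel.
_d=$(mktemp -d)
write_sysctl_fragment "$_d/99-hardening.conf"
if sysctl_check "$_d/99-hardening.conf"; then echo "running kernel matches the fragment"; fi
rm -rf "$_d"
```

Install the fragment with write_sysctl_fragment /etc/sysctl.d/99-hardening.conf and sysctl --system as root; sysctl_check then doubles as a drift check in a scheduled job, since its exit status is the number of keys that differ from the file.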