Ensuring the high availability of the applications and services running on our networks and servers is practically an obligatory task today. We do not always have a development team focused on secure deployments, and the gaps this leaves can be exploited by malware, attackers and other malicious vectors that end up compromising the business.
Therefore, I have prepared this simple manual with some protection tips for our Linux servers, in order to share a small ‘checklist’ of secure practices.
1. Encrypting information communications
Virtually all data traffic over a network can be monitored and captured by sniffers, spoofing and other techniques used by crackers, and the captured data can later be used for purposes that are illegal or harmful to the company. Adding layers of protection to this traffic is possible, however, with the help of tokens, keys and certificates.
- Capturing network passwords with SSL Strip
- Capturing network passwords with Setoolkit and Ettercap
- Performing Man in the Middle attacks with Bettercap (written in Ruby)
- Encrypting users’ home directories on Linux with eCryptfs
- Secure Debian installation with encrypted LVM disk and file encryption
1.1 Use software that encrypts its traffic, such as OpenSSH, ProFTPD with an SSL/TLS certificate, and rsync tunnelled over SSH (rsync by itself does not encrypt anything)
- Hardening Tips on SSH Services
- Auditing SSH Servers with Hydra and Metasploit Framework
- Creating an FTP server with ProFTPD
- ProFTPD with SSL certificate
1.2 With GnuPG you can encrypt the data transferred between servers using public and private key pairs. It is a very broad tool that can be used for everything from ordinary user tasks to more specific ones such as machine synchronisation and sending XML or JSON payloads.
1.3 OpenVPN is a great and simple solution for creating VPN tunnels; besides being open source, it relies on SSL/TLS with certificate-based authentication and encryption.
1.4 HTTPS in Apache is a very effective way of ensuring that client communication with your web server is encrypted. Enabling SSL/TLS costs very little effort, but it is very effective at preventing traffic interception and session hijacking.
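As an added example (not configuration from the original post), the virtual host pair below redirects plain HTTP to HTTPS and serves the site only over TLS 1.2 or newer. The server name and certificate paths are placeholders, and it assumes Apache 2.4 with mod_ssl, mod_alias and mod_headers enabled.

```apache
# Added example, not taken from the post: a minimal Apache 2.4 setup that
# redirects plain HTTP to HTTPS and serves the site only over TLS 1.2+.
# Server name and certificate paths are placeholders.
<VirtualHost *:80>
    ServerName www.example.com
    # Every plain-HTTP request gets a permanent redirect to the HTTPS site
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # On Apache 2.4.8+ the intermediate chain is appended to the certificate file
    SSLCertificateFile    /etc/ssl/certs/www.example.com.fullchain.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Drop SSLv3 and TLS 1.0/1.1; keep only TLS 1.2 and newer
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    # HSTS: a browser that has seen this header refuses to downgrade to HTTP
    # for a year, so SSL-strip style attacks stop working on returning visitors
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Run `apachectl configtest` before reloading; a typo in the certificate path takes the whole HTTPS site down rather than just one page.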
2. Less is more: fewer services and packages, fewer vulnerabilities
It is common at the beginning of their careers for students and sysadmins to install from full ISOs when bringing up servers. However, a valuable tip (from my own experience) is to keep as little as possible running on the server, for both security and performance. After all, who has never installed Debian from a full ISO on a server, ending up with production services such as Apache, MySQL, PHP, Samba and FTP alongside unnecessary software such as LibreOffice and its auxiliary packages?
2.1 Less is more: always use a minimal ISO.
Distributions such as Debian and CentOS always offer minimal versions of the operating system on their download pages (Debian's netinst image, the CentOS Minimal ISO). These images contain only what is needed to boot the system, plus basic management tools such as ping, traceroute and the default Linux binaries. We should always keep our installations as lean as possible to avoid performance losses and security holes.
2.2 List and remove everything that will not be used on the server.
On CentOS / Red Hat distributions you can list, inspect and uninstall the software on the machine with, respectively:
# yum list installed
# yum list packageName
# yum remove packageName
Or on Debian-based distributions (note that dpkg --info inspects a .deb file, not an installed package):
# dpkg --list
# dpkg --status packageName
# apt-get remove packageName
3. Stay minimalist: one system or instance per service
Sometimes we do not have many resources to set up our production environment the way we want to, and we end up having to pile several roles onto the same server. Every case is different, but if virtualisation or dedicated hardware is available to run network services separately, it is good practice for disaster recovery, for performance, and for containing a compromise to a single host. If the resources exist, use them; otherwise you may end up managing machines or instances that run a multitude of services at the same time, such as DNS, DHCP, Samba, Squid, firewall and VPN, and when that one host fails, all of those services become unavailable at once.
3.1 Virtualise whenever possible.
Many network services, such as DHCP, DNS, a firewall and Squid, do not require much processing power (depending on the business rules, of course). It is therefore feasible to create virtual machines to offer these services to the network, which also allows cloning and versioning of the machines and makes better use of hardware that would otherwise be dedicated to a single solution.
4. Scheduled system updates
Keeping the whole environment up to date is of great interest to the sysadmin, although it is also a controversial opinion. Of course this rule varies with your business rules, but it holds from several security standpoints: many successful attacks exploit vulnerabilities for which a fix is already available. Test unattended updates on a staging host first, since an upgrade can restart or break a service.
4.1 Schedule the system update
It is feasible to create crontab entries that run a script, or the operating system's own update and upgrade commands. On CentOS and Debian systems it is very simple: just create a cron job for a given day and time and point it at the update command, with the flag that answers "yes" automatically, since cron has no terminal to answer prompts.
On CentOS or Red Hat environments
# yum -y update
Or on Debian environments
# apt-get update && apt-get -y upgrade
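The cron job described above, written out as an added example (this is not the post's own script): a small wrapper that picks the package manager from /etc/os-release, runs the update non-interactively so it cannot hang on a prompt, and appends the outcome to a log. The log path, script path and schedule are assumptions to adjust for your site.

```sh
#!/bin/sh
# Added example, not from the original post. Pick the package manager from
# /etc/os-release, run the update non-interactively and log the result.
# LOG, the script path and the cron schedule below are assumptions.

LOG=/var/log/scheduled-update.log

# Print the non-interactive update command for a distro ID from os-release.
# Returns 1 (and prints nothing) for a distro this script does not know.
update_cmd() {
    case "$1" in
        debian|ubuntu)
            # -y answers "yes"; the noninteractive frontend suppresses dpkg prompts.
            echo "DEBIAN_FRONTEND=noninteractive apt-get -q update && DEBIAN_FRONTEND=noninteractive apt-get -q -y upgrade"
            ;;
        centos|rhel)
            echo "yum -y -q update"
            ;;
        fedora)
            echo "dnf -y -q upgrade"
            ;;
        *)
            return 1
            ;;
    esac
}

# Read the ID= field from an os-release style file given as $1 (quotes stripped).
distro_id() {
    sed -n 's/^ID=//p' "$1" | tr -d '"'
}

# Run the update for this host and append a timestamped record to $LOG.
run_update() {
    os_id=$(distro_id /etc/os-release) || return 1
    cmd=$(update_cmd "$os_id") || { echo "unsupported distro: $os_id" >&2; return 1; }
    {
        echo "== $(date -u +%Y-%m-%dT%H:%M:%SZ) running: $cmd"
        sh -c "$cmd"
        echo "== exit status $?"
    } >>"$LOG" 2>&1
}

# Only act when invoked with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    run_update
fi

# Root crontab line for this script (assumed path): every Sunday at 03:30
#   30 3 * * 0 /usr/local/sbin/scheduled-update.sh --run
```

On Debian the unattended-upgrades package does the same job restricted to the security repository, which is the safer default for hosts where a full upgrade could break a service.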
5. Use and abuse Linux security extensions
Linux has several security extensions (SELinux and AppArmor are the best known). They generally act as permission managers that enforce limits on how network services and other programs access kernel resources, enabling the deployment of security policies in the environment.
5.1 SELinux, your best friend
SELinux is one of the most flexible of these and comes enabled by default on both Red Hat and CentOS. It adds Mandatory Access Control (MAC) on top of the classic Discretionary Access Control (DAC) and manages applications, processes, users and groups in great depth, trying to raise as many barriers as possible against malicious actions on the server. It pays to take a close look at the denials and logs it generates for us.
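To make those denials readable, here is an added example (not from the post) that summarises AVC denial records from /var/log/audit/log into one line per distinct denial: the confined process, the permission refused, the object class, the target type and whether the domain was in permissive mode. The sample audit lines are constructed for the example; on a real host pipe the audit log in instead.

```sh
#!/bin/sh
# Added example, not from the original post: summarise SELinux AVC denials.
# Usage on a real host:  summarize_avc < /var/log/audit/audit.log
# (or: ausearch -m avc --raw | summarize_avc)

# Constructed sample audit lines, not taken from a real system.
avc_sample() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="sda1" ino=4322 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=1500 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF
}

# Read audit records on stdin; print "count comm permission tclass target_type mode",
# most frequent denial first. Non-AVC records (SYSCALL, CWD, PATH ...) are skipped.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        # the permission set sits between the braces: { read } or { read write }
        perm = $0; sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
        comm = ""; tclass = ""; ttype = ""; mode = "enforcing"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            # tcontext=user:role:type:level -> keep the type field
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            if ($i == "permissive=1") mode = "permissive"
        }
        count[comm " " perm " " tclass " " ttype " " mode]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

avc_sample | summarize_avc
```

A denial in permissive mode (the sshd line above) was logged but not blocked; those are the ones to review before switching the domain back to enforcing. A denial such as httpd name_connect on mysqld_port_t usually means a boolean (here httpd_can_network_connect_db) needs enabling rather than a policy being wrong.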
6. Create password policies for server users
7. Disable root login
Root is the user with maximum permissions on the system, the most powerful so to speak, but also the most obvious account under Unix conventions and therefore the main target of attacks. So it is best never to use it directly: disable root login (at least over SSH) and grant sudo permissions to ordinary system users instead.
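Disabling root over SSH means editing sshd_config, and the usual pitfall is a commented-out default or a second copy of the directive further down the file. The added example below (not the post's own code) sets a directive idempotently: the first matching line, active or commented, is replaced, any later active copy is dropped (sshd honours the first value it reads), and a missing key is appended. The config path and the sudo group names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: set a directive in sshd_config
# idempotently, then validate with sshd -t before reloading the daemon.
# Keep an existing SSH session open while you test a change like this.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { k = tolower(key) }        # sshd keywords are case-insensitive
        {
            line = tolower($0)
            active    = (line ~ ("^[ \t]*" k "([ \t]|$)"))
            commented = (line ~ ("^[ \t]*#[ \t]*" k "([ \t]|$)"))
        }
        # first occurrence (even a commented default) becomes the new setting
        (active || commented) && !done { print key " " value; done = 1; next }
        # later active copies would be ignored by sshd anyway; drop them
        active { next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Apply the root-login hardening and reload only if the result parses.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}             # assumed default path
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" MaxAuthTries 3
    # Only safe once your own public key is in ~/.ssh/authorized_keys
    set_sshd_option "$cfg" PasswordAuthentication no
    sshd -t -f "$cfg" && systemctl reload sshd
}

if [ "${1:-}" = "--apply" ]; then
    harden_sshd
fi
```

Before locking root out, give your own account administrative rights with `usermod -aG sudo alice` on Debian or `usermod -aG wheel alice` on CentOS/Red Hat (the group names are the distributions' defaults; alice is a placeholder), and confirm `sudo -v` works from a fresh login.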
8. Run with the minimum
Disable every unnecessary service, for both performance and security. This tip is a direct extension of tips 2 and 3. You can use chkconfig to check which services come up in runlevel 3 (multi-user mode, which is often the default) and disable all the ones you do not use; on systemd-based releases the equivalents are systemctl list-unit-files and systemctl disable.
# chkconfig --list | grep '3:on'
# service serviceName stop
# chkconfig serviceName off
9. Monitor open and listening ports
Many processes use ports and sockets to communicate with other services. It is important to monitor our sockets continuously, to avoid commonplace exposures and to check which process is listening on which port.
9.1 Listening ports and the processes behind them
# netstat -tulpn
9.2 Ports open internally (scan from the host itself)
# nmap -sS -sC localhost
9.3 Ports open through the firewall (scan from another host)
In my case I leave no port open to my workstation. The correct thing is to let only the really necessary ports be reachable on the server. nmap accepts only one TCP scan type per run: -sS (SYN scan) needs root, otherwise use -sT for a plain connect scan.
# nmap -sS -Pn 192.168.0.202
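Looking at the listener table by eye works once; what you want over time is a check that flags anything new. The added example below (not from the post) reads the output of `ss -tulpn` (the iproute2 replacement for netstat -tulpn, with the columns assumed as in current releases) and prints every listener that is neither on an allowlist of proto/port pairs nor bound to loopback only, which is the set that is actually reachable from the network. The sample table is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: flag unexpected network listeners.
# Real use:  ss -tulpn | audit_listeners "tcp/22 tcp/80 udp/68"

# Constructed sample in the column layout of `ss -tulpn` (run as root).
ss_sample() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    *:80              *:*               users:(("apache2",pid=990,fd=4))
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=1102,fd=21))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      50     0.0.0.0:6379      0.0.0.0:*         users:(("redis-server",pid=1300,fd=6))
EOF
}

# audit_listeners "proto/port proto/port ..."  < ss-output
# Prints "proto port address process" for each listener that is not allowed
# and not bound to loopback only.
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                      # column header
        {
            proto = $1
            # split "addr:port" at the LAST colon so [::]:22 and *:80 both work
            p = $5; i = length(p)
            while (i > 0 && substr(p, i, 1) != ":") i--
            addr = substr(p, 1, i - 1); port = substr(p, i + 1)
            # users:(("sshd",pid=801,fd=3)) -> sshd ("?" when ss ran unprivileged)
            proc = (NF >= 7) ? $7 : "?"
            sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
            # loopback-only listeners are not reachable from the network
            if (addr == "127.0.0.1" || addr == "[::1]") next
            key = proto "/" port
            if (key in ok) next
            print proto, port, addr, proc
        }'
}

ss_sample | audit_listeners "tcp/22 tcp/80 udp/68"
```

With the sample data only the Redis listener on 0.0.0.0:6379 is reported; MySQL on 127.0.0.1:3306 is skipped because it is loopback-only. Run it from cron and mail any non-empty output, and you have a cheap alarm for a service that someone started on the box.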
10. Remove the X server
It is not good practice to leave an X server (graphical user interface) running on production servers, both for performance reasons and because of the unnecessary packages it drags in. Remove the graphical interface completely. Be careful with apt's --purge option: it also deletes the packages' configuration files.
# sudo apt-get autoremove kde gnome xfce lxde
# sudo yum remove kde gnome xfce lxde
11. Put key directories on separate disk partitions
By putting /home, /opt and /var on separate disk partitions you gain performance, security and a better chance of recovering them after a disk or operating system failure. A separate partition can also be mounted with restrictive options (nodev, nosuid and noexec on /home and /tmp, for example), and a runaway log or upload in /var or /home can no longer fill the root filesystem.
12. Use a web application firewall for your web application
We cannot always rely on programmers' security knowledge and their prevention of attack vectors, so it is good practice to put a firewall in front of web applications. A very nice alternative is ModSecurity. Here on the blog we have already discussed some of its settings:
- Configuring ModSecurity for log generation and attack detection
- Configuring ModSecurity for blocking with SQL injection, XSS and common vector rules
- Hardening tips for the Apache web server
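As an added example (not configuration from the post or the ModSecurity project), a minimal mod_security2 setup for Apache 2.4 that starts in detection-only mode, logs relevant requests, adds two local rules using the libinjection operators, and includes the OWASP Core Rule Set. The log and CRS paths are placeholders.

```apache
# Added example, not from the post: minimal mod_security2 setup for Apache 2.4.
# Assumes mod_security2 is loaded and the OWASP CRS is unpacked under
# /etc/modsecurity/crs (paths are placeholders).
<IfModule security2_module>
    # Start in DetectionOnly: everything is logged, nothing is blocked.
    # Switch to "On" only after reviewing the audit log for false positives.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On

    # Log only transactions with 5xx or 4xx (except 404) responses
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Local rules: ids 1-99999 are reserved for local use
    SecRule ARGS|REQUEST_HEADERS:User-Agent "@detectSQLi" \
        "id:10001,phase:2,deny,status:403,log,msg:'SQL injection detected'"
    SecRule ARGS "@detectXSS" \
        "id:10002,phase:2,deny,status:403,log,msg:'XSS detected'"

    # OWASP Core Rule Set
    IncludeOptional /etc/modsecurity/crs/crs-setup.conf
    IncludeOptional /etc/modsecurity/crs/rules/*.conf
</IfModule>
```

Run with DetectionOnly for a while and read the audit log: legitimate forms that carry SQL keywords or HTML will show up as false positives, and those are the requests that need an exclusion rule before SecRuleEngine is set to On.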