Linux Hardening and Protection Tips

Ensuring the high availability and availability of the applications and services of our networks and servers is an almost obligatory task today. We do not always work with a development-focused or secure deployments team and this can end up breaching malware, attackers, malware, and other types of malicious attack vectors that may end up compromising our business.
Therefore, I have prepared this simple manual with some protection tips for our Linux servers in order to share a small ‘checklist’ of secure implementations.

1. Encrypting information communications

Virtually all data traffic over the network is easily monitored and captured by sniffers, spoofing and other malicious techniques applied by malicious crackers and can be used in the future for purposes that are illegal or harmful to the company. However, securing layers of security for this information traffic is possible with the help of tokens, keys, and certificates.

See too:

1.1 Use software that uses encryption such as OpenSSH, ProFTP with SSL Certificate, RSync

1.2 Using GnuPC you can encrypt the data transfer using public and private keys between servers. It is a very broad resource that can be exploited from conventional user tasks to more specific tasks such as machine synchronization, XML sending, Json, and so on.

1.3 OpenVPN is a great and simple solution to create tunnels VPN, besides being Open Source it counts on the encryption of SSL certificates.

1.4 HTTPS in Apache is a very effective way of ensuring the encryption of client communication with your web server. The SSL solution does very little, but still it is very effective in preventing traffic intercepts and sessions.

2. Less is more. Decreasing services and packages, reducing vulnerabilities

It is common during the beginning of the career students and sysadmins adopt the installation of complete ISOs when it comes to uploading servers. However, it is a valuable tip (own experience) to keep as little as possible running on the server to ensure security and performance. Alias, who never installed a Debian ISO on a server, thus producing production services like Apache , MySQL , PHP , Samba , FTP along with other unnecessary services like Libreoffice and auxiliary packages.

2.1 Less is more, always use a minimal ISO.

Distros like Debian and CentOS always have in their download pages minor versions of the operating system. These versions have only the bare minimum of lifting the system along with other basic management packs such as ping, traceroute, and default Linux binaries. We should always make our applications as lean as possible to avoid performance losses and create safety holes.

2.2 View and remove everything that will not be used on the server.

In CentOS / Red Hat Distributions you can list, view and uninstall the software on the machine with the respective

 # yum list installed # yum list packageName # yum remove packageName

Or in Debian distributions

 # dpkg --list # dpkg --info packageName # apt-get remove packageName

3. Keep yourself minimalist, one system or instance for each service

Sometimes we do not have a lot of resources to use to set up our production environment the way we want to, and we end up by means of the need to upload several functions to the same server. There are cases and cases, but if there is the possibility of virtualisation or dedicated hardware to upload network services separately, it is a good practice for both disaster recovery and performance. If there are resources, use it, or you may end up managing machines or instances that run millions of services at the same time as DNS, DHCP, Samba, SQUID, Firewall, VPN and failure of it, all services would end up unavailable.

3. 1 Virtualize whenever possible.

Many network services do not require such processing power, such as DHCP, DNS, Firewall, and SQUID, of course … Depending on the business rule, then it is feasible to create virtual machines for the network to offer such services, thus enabling the cloning of Versioning and taking better advantage of the hardware that would be dedicated to these solutions.

4. Scheduled System Update

It is of great interest to Sysadmin, also a very controversial opinion, to keep your entire environment up to date. Of course this rule varies according to your business rule, but it is valid in some security points.

4.1 Schedule System Update

It is feasible to create Crontabs with scripts or operating system upgrade and upgrade commands. In CentOS and Debian systems, it’s very simple. Basca create a cron for a given day at a certain time and point the update arguments

In CentOS or Red Hat environments

 # yum update

Or in Debian environments

 # apt-get update && apt-get upgrade

5. Use and abuse of Linux security extensions

Linux has several security patches. They are often permissions managers who enforce the limitations of the network and other programs by accessing Kernel resources and enabling the deployment of security policies in the environment.

5.1 SELINUX, your best friend

SELINUX is one of the more flexible patches and comes native on both Red Hat and CentOS platforms. It has a Mandatory Access Control (MAC) and Discretionary Access Control (DAC) management and very deeply manages the applications, processes, users and groups, trying to create the maximum possible barriers against malicious actions against the server. It pays to take a closer look at the blocks and logs that it can generate for us.

6. Create password policies for server users

Add and manage Linux users securely by deploying password management to keep them always secure and strong. Preferences contain numeric, alphanumeric, lowercase, and special characters. You can use tools like John the Ripper and Hashcat to check for weak passwords on the server.

7. Disable root login

Root is the user with maximum permission on the system, the most powerful so to speak, but also the most obvious in Unix standards and the highest target of attacks. So it’s best never to use it directly. Choose to use sudo permissions on system users.

8. Rotate with minimum

Disable all unnecessary services. Both for performance and security. This tip is a direct extension of hint 2 and 3. You can use chkconfig to check what services are up in init 3 “Multiuser mode, that is, often default” and disable all those you do not use.

 # chkconfig --list | grep '3:on'
Stopping and disabling services

 # service nomedoserviço stop # chkconfig nomedoserviço off

9. Monitor the open ports and in listening

9.1 Listening Doors

Many processes use ports and sockets to communicate with other services. It is important to always monitor our sockets to avoid commonplace vulnerabilities and check the processes that are listening for specific ports

 # netstat -tulpn


9.2 Doors opened internally

 #nmap -sS -sC localhost

9.3 Ports opened by Firewall

In my case I leave no door open for my workstation. The correct thing is to let only the really necessary ports run on the server.

 #nmap -sS -sT -Pn 192.168.0.202

10. Detach X-Server

It is not good practice to leave X (graphical user interface) servers running on production servers. Both performance and unnecessary packages running there. Remove your graphical interface completely. Beware of apt -purge option.

Debian Environments

 # sudo apt-get autoremove kde gnome xfce lxde

CentOS Environments

 # sudo yum remove kde gnome xfce lxde

11. Separate key folders on disk partitions

By separating the / home / opt / / var folders on different partitions of the disk, you gain a lot of performance, security, and a greater chance of recovering them in case of HD or operating system failures.

12. Use Firewall services for your Web application

We can not always rely on security knowledge and prevention of attack vectors from programmers, so it is good practice to have firewall services in Web applications. A very nice alternative is Mod Security. Here in the blog we have already discussed some of the same settings.

13. Spend the fine comb on services

We have several tools that help us diagnose hardening of our system, as well as automatic vulnerability scanners at server and application level. It is also good practice to stay current on these tools in order to anticipate the obvious and avoid being the target of attacks and exploits. In addition it is clear that we ensure greater availability in our system.

14. Abuse of Backups

Whatever type of application is running on your server, ensuring redundancy, availability, and backup in the event of a disaster is critical to the smooth running of your business or project. So always ensure a healthy routine of backups of Fileserver, Databases, Storages and the like
Article always under construction 🙂
I hope I have helped!
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s