Linux security hardening checklist

Linux security hardening checklist
This tutorial enumerates initial security measures both for desktop users and sysadmins managing servers. The tutorial specifies when a recommendation aims to home or professional users. Despite there is not deep explanation or instructions to apply each item at the end of each you’ll find useful links with tutorials.

Policy Home user Server
Disable SSH x
Disable SSH root access x
Change SSH port x
Disable SSH password login x
Iptables
IDS (Intrusion Detection System) x
BIOS Security
Disk Encryption x/✔
System update
VPN (Virtual Private Network) x
Enable SELinux
Common Practices

SSH Access

Home users:

Home users do not really use ssh, dynamic IP addresses and router NAT configurations made alternatives with reverse connection like TeamViewer more attractive. When a service is unused the port must be closed both by disabling or removing the service and by applying restrictive firewall rules.

Servers:
Contrary to domestic users workers accessing different servers, network administrators are frequent ssh/sftp users. If you must keep your ssh service enabled you can take the following measures:

  • Disable root access through SSH.
  • Disable password login.
  • Change the SSH port.

Common SSH Configuration Options Ubuntu

Iptables

Iptables is the interface to manage netfilter to define firewall rules. Home users may trend to UFW (Uncomplicated Firewall) which is a frontend for iptables to make firewall rules creation easy. Independent of the interface the point is immediately after the setup the firewall is among the first changes to apply. Depending on your desktop or server needs the most recommended for security concerns are restrictive policies allowing only what you need while blocking the rest. Iptables will be used to redirect the SSH port 22 to a different one, to block unnecessary ports, filter services and set rules for known attacks.

For more information on iptables check: Iptables for beginners

Intrusion Detection System (IDS)

Due the high resources they require IDS are not used by home users but they are a must on servers exposed to attacks. IDS brings the security to the next level allowing to analyze packets. Most known IDS are Snort and OSSEC, both previously explained at LinuxHint. IDS analyzes traffic over the network looking for malicious packets or anomalies, it is a network monitoring tool oriented to security incidents. For instructions on installation and configuration for the most 2 popular IDS solutions check: Configure Snort IDS and Create Rules

Getting started with OSSEC (Intrusion Detection System)

BIOS Security

Rootkits, malwares and server BIOS with remote access represent additional vulnerabilities for servers and desktops. The BIOS can be hacked through code executed from the OS or through update channels to get unauthorized access or forget information like security backups.

Keep BIOS update mechanisms updated. Enable BIOS Integrity Protection.

Understanding the Boot process — BIOS vs UEFI

Hard disk Encryption

This is a measure more relevant to Desktop users who may lose their computer, or be theft victim, it is especially useful for laptop users. Today almost every OS supports Disk and partition encryption, distributions like Debian allow to encrypt the hard disk during the installation process. For instructions on disk encryption check: How to Encrypt a Drive on Ubuntu 18.04

System update

Both desktop users and sysadmin must keep the system up to date to prevent vulnerable versions from offering unauthorized access or execution.  Additionally to using the OS provided package manager to check for available updates running vulnerability scans may help to detect vulnerable software which wasn’t updated on official repositories or vulnerable code which needs to be rewritten. Below some tutorials on updates:

VPN (Virtual Private Network)

Internet users must be aware that ISPs monitor all their traffic and the only way to afford this is using a VPN service. The ISP is able to monitor the traffic to the VPN server but not from the VPN to destinations. Due speed issues paid services are the most recommendable, but there are free good alternatives like https://protonvpn.com/.

Enable SELinux (Security-Enhanced Linux)

SELinux is a set of the Linux Kernel modifications focused on managing security aspects related to security policies by adding MAC (Mechanism Access Control), RBAC (Role Based Access Control), MLS (Multi Level Security) and Multi Category Security (MCS).  When SELinux is enabled an application can only access the resources it needs specified on a security policy for the application. Access to ports, processes, files and directories are controlled through rules defined on SELinux which allows or denies operations based on the security  policies. Ubuntu uses AppArmor as alternative.

Common Practices

Almost always security failures are due to user negligence. Additionally to all points numerated previously follow the next practices:

  • Do not use root unless necessary.
  • Never use X Windows or browsers as root.
  • Use password managers like LastPass.
  • Use strong and unique passwords only.
  • Try no to install non-free packages or packages unavailable at official repositories.
  • Disable unused modules.
  • On servers enforce strong passwords and prevent users from using old passwords.
  • Uninstall unused software.
  • Don’t use same passwords for different accesses.
  • Change all default access usernames.
Policy Home user Server
Disable SSH x
Disable SSH root access x
Change SSH port x
Disable SSH password login x
Iptables
IDS (Intrusion Detection System) x
BIOS Security
Disk Encryption x/✔
System update
VPN (Virtual Private Network) x
Enable SELinux
Common Practices

I hope you found this article useful to increase your security. Keep following LinuxHint for more tips and updates on Linux and networking.

Related Posts
Leave a Reply

Your email address will not be published.Required fields are marked *