How to secure your CentOS box: hardening your Linux Box in 3 steps

I moved to CentOS 7 to be better prepared for my daily business activities (I work on a cluster with hundreds of Red Hat boxes).

I use my laptop with CentOS 7 in several locations: at home within my "secure" wireless umbrella, in the office on the company wireless network and sometimes on public open WiFi ... which is really not a safe option!

This article is meant as a step-by-step guide to making your Linux box more secure!


As CentOS 7 is derived from Red Hat Enterprise Linux, I took several pieces of Red Hat's advice on securing a server and applied them to my box. My main reference is "A Guide to Secure Red Hat Enterprise Linux 7", which is free to download from the Red Hat website (see the reference at the bottom of this page).

1) What to look for!

Unused ports and unused services

Check which ports are open (which services are listening) on your system. If a listening service is not in use, or you simply don't need it, stop the service and disable it so it does not come back at the next boot.

To find which sockets are in use [a: all sockets, t: TCP, u: UDP, n: print numeric ports and addresses instead of names]:
# netstat -atun 

Add the option "l" to list only the listening sockets, and "p" (as root) to see which process owns each one. Note that netstat comes from the net-tools package, which a CentOS 7 minimal install does not include; the ss tool from iproute is always present and takes the same -t, -u, -n, -l and -p flags. A listening socket does not by itself mean that the service is reachable from outside, because the host firewall sits in front of it (see the firewall section below) ... but every listener you don't need is still attack surface once something gets onto the box.

To stop and then disable a service:
# systemctl stop service-name
# systemctl disable service-name
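As an added example (not from the original article), the script below turns the manual port review into a repeatable check: it parses output in the format of `ss -tulpn` on CentOS 7, compares every listener against an allowlist of the ports you expect, and reports the rest together with whether they are bound to all interfaces or only to a local address. The allowlist and the sample ss output are constructed assumptions, not data captured from a real host.

```bash
#!/bin/bash
# Listening-socket audit: compare what actually listens with what you expect to
# listen. Input is in the format of `ss -tulpn` on CentOS 7; the sample below is
# constructed to look like that output, it was not captured from a real host.

# Assumed allowlist for this box: sshd on 22 and the local-only mail port 25.
# Everything else that listens gets reported.
EXPECTED_LISTENERS="tcp/22 tcp/25"

# Constructed sample of `ss -tulpn` output.
SAMPLE_SS_OUTPUT='Netid  State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp    UNCONN     0      0          *:68                *:*      users:(("dhclient",pid=1234,fd=6))
tcp    LISTEN     0      128        *:22                *:*      users:(("sshd",pid=900,fd=3))
tcp    LISTEN     0      100    127.0.0.1:25            *:*      users:(("master",pid=1100,fd=13))
tcp    LISTEN     0      128       :::22               :::*      users:(("sshd",pid=900,fd=4))
tcp    LISTEN     0      50         *:3306              *:*      users:(("mysqld",pid=1500,fd=14))'

# audit_listeners ALLOWLIST   (reads ss output on stdin)
# Prints one line per listener missing from ALLOWLIST:  proto/port scope process
# scope is "all-interfaces" for wildcard binds (*, 0.0.0.0, ::), "local" otherwise.
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Netid" || NF < 5 { next }            # column header / malformed line
    {
      proto = $1
      port = $5; sub(/.*:/, "", port)           # text after the last colon
      host = $5; sub(/:[^:]*$/, "", host)       # text before the last colon
      scope = (host == "*" || host == "0.0.0.0" || host == "::") ? "all-interfaces" : "local"
      proc = "unknown"                          # ss only shows owners when run as root
      if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
      key = proto "/" port
      if (!(key in ok)) print key, scope, proc
    }'
}

# Against the constructed sample this prints:
#   udp/68 all-interfaces dhclient
#   tcp/3306 all-interfaces mysqld
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners "$EXPECTED_LISTENERS"
```

On a real host run `ss -tulpn | audit_listeners "$EXPECTED_LISTENERS"` as root, then stop and disable the unit behind each reported process that you don't need. A reported "all-interfaces" listener is only actually exposed if the firewall lets the port through, so compare the list with the firewall configuration as well.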

Unpatched services

Always keep track of security patches for the software that faces the network or is used by services that face the network. For example, you may run a web server that uses PHPMailer. PHPMailer is not a service, but it can have vulnerabilities (at the time of writing, January 2017, a serious one had just been disclosed). Keep it patched: an attacker who exploits it gets code execution on your system, and from there may escalate to root.

Unchanged default passwords (database servers)

Many people forget to change the default password of services such as a database server ... that's a bad idea! Check every package you installed and verify whether it ships with a default password. If it does, use the tools the package provides to change it, and use the considerations below to select an appropriate one.

Inherently Insecure Services (Telnet, FTP)

Avoid inherently insecure services such as Telnet and FTP. They transmit data in the clear (without encryption), and the authentication is in the clear as well, so anyone sniffing your network traffic gets your password. Use SSH and SFTP/SCP instead.

Bad passwords


The OS hashes passwords with salted, iterated SHA-512 (sha512crypt) and stores them not in /etc/passwd but in the shadow file (/etc/shadow). It is not a good idea to alter this setting. While /etc/passwd can be read by every user, /etc/shadow can be read only by root.

If you are not on CentOS 7, or you just want to be 100% sure that the hashing algorithm is SHA-512, run the command below:
# authconfig --test | grep hashing
password hashing algorithm is sha512

It is highly important, if not the most important thing of all, to use strong passwords. The topic of "what is the best password" requires an entire chapter of its own and we will write about it later on. For now, remember the following common-sense recommendations:
  1. Use more than 12 characters, drawn from the full character set (upper- and lowercase letters, digits and special characters). An attacker who obtains /etc/shadow cracks it offline, and short passwords from a small alphabet fall quickly; length is what makes that attack expensive.
  2. Never use a dictionary word, a reversed word, digits only, or a word in a foreign language (cracking tools ship with dictionaries in many languages).
  3. Never write down your password (use a password manager that encrypts the stored passwords).
  4. Never reuse the same password in more than one place.
  5. Change your passwords periodically.
  6. Configure the system to lock an account for an increasing amount of time after a set number of failed login attempts (on CentOS 7 this is done with the pam_faillock module, which authconfig can enable).
     

2) How to start in the right way!

Start with BIOS password protection. If an attacker can control your BIOS, he controls the boot order: he boots from USB or DVD, mounts your disk and gets at your data and your hashed passwords. You should also set a password that is required to boot the system at all (I am talking about your workstation or laptop, not about a production server that you want back online after a reboot without an engineer present to let it boot).
Keep your laptop or computer locked in a cabinet or rack, because even with a BIOS password an attacker with physical access can open the chassis, remove the CMOS battery and reset the BIOS (or find another way to reset it to defaults). He can also simply pull the disk and read it in another machine, which only disk encryption (covered below) prevents.

If you leave your computer unattended, even in your office with trusted people around, remember to lock the screen.

So you protected your BIOS ... but after POST the firmware hands over to the boot loader, GRUB, and that is not password protected. Your malicious friend (the black-hat hacker) interrupts the boot process, edits the boot entry to go into single-user mode and has just rooted your workstation. That's it! So ... why not password-protect GRUB?
For the same reason you should require a password for single-user mode. On CentOS 7 the rescue and emergency targets already run sulogin, which asks for the root password, so make sure a strong root password is set.

I would suggest reading this article about BIOS/GRUB and single-user mode password protection: Securing Your Network [CentOS org]

Installation recommendations


Partition your system with at least these partitions:
  1. /boot
  2. /home
  3. /tmp
  4. /

By partitioning the system you can fine-tune the permissions per file system. Check each entry in fstab (/etc/fstab) and add the following options where needed/possible:
nodev: "Interpret/do not interpret block special devices on the filesystem" [fstab - Wikipedia].
noexec: "exec lets you execute binaries that are on that partition, whereas noexec does not let you do that. noexec might be useful for a partition that contains no binaries, like /var, or contains binaries you do not want to execute on your system, or that cannot even be executed on your system, as might be the case of a Windows partition" [fstab - Wikipedia].
nosuid: "Permit/Block the operation of suid, and sgid bits" [fstab - Wikipedia].
Common choices are nodev,nosuid,noexec on /tmp and /boot and nodev,nosuid on /home; the root file system cannot take any of them. Be aware that noexec on /tmp can break installers and scripts that unpack and run from there, so test before you commit to it.
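An added example (not part of the original article) that checks an fstab against the mount-option policy just described. The policy string and the sample fstab are constructed assumptions; adapt the policy to the partitions you actually created.

```bash
#!/bin/bash
# Check that the separate partitions carry the mount options you intended.
# Added example: the fstab below is a constructed sample, and the policy is an
# assumption to adapt to your box (a bare / cannot take any of these options).

# mountpoint:required,options  (assumed policy)
MOUNT_POLICY="/tmp:nodev,nosuid,noexec /home:nodev,nosuid /boot:nodev,nosuid,noexec"

FSTAB_SAMPLE=$(mktemp)
trap 'rm -f "$FSTAB_SAMPLE"' EXIT
cat > "$FSTAB_SAMPLE" <<'EOF'
# constructed /etc/fstab
UUID=1111-aaaa  /      xfs   defaults                      0 0
UUID=2222-bbbb  /boot  xfs   defaults                      0 0
UUID=3333-cccc  /home  xfs   defaults,nodev                0 0
UUID=4444-dddd  /tmp   xfs   defaults,nodev,nosuid,noexec  0 0
UUID=5555-eeee  swap   swap  defaults                      0 0
EOF

# check_fstab FSTAB_PATH
# One line per policy entry: "<mountpoint> ok", "<mountpoint> missing: opt ..."
# or "<mountpoint> not a separate filesystem" when fstab has no such mount.
check_fstab() {
  awk -v policy="$MOUNT_POLICY" '
    BEGIN {
      n = split(policy, entries, " ")
      for (i = 1; i <= n; i++) { split(entries[i], kv, ":"); mp[i] = kv[1]; want[kv[1]] = kv[2] }
    }
    /^[ \t]*#/ || NF < 4 { next }                 # comments and blank lines
    { have[$2] = $4 }                              # mount point -> its option string
    END {
      for (i = 1; i <= n; i++) {
        m = mp[i]
        if (!(m in have)) { print m " not a separate filesystem"; continue }
        k = split(have[m], opt, ",")
        for (j = 1; j <= k; j++) present[m, opt[j]] = 1
        r = split(want[m], need, ",")
        missing = ""
        for (j = 1; j <= r; j++) if (!((m, need[j]) in present)) missing = missing " " need[j]
        if (missing == "") print m " ok"; else print m " missing:" missing
      }
    }' "$1"
}

# Against the constructed sample this prints:
#   /tmp ok
#   /home missing: nosuid
#   /boot missing: nodev nosuid noexec
check_fstab "$FSTAB_SAMPLE"
```

fstab only says what is declared for the next boot; `findmnt -no OPTIONS /tmp` shows the options of the live mount, and `mount -o remount,nodev,nosuid,noexec /tmp` applies a fix without rebooting. Run `check_fstab /etc/fstab` on the real file once you have edited it.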

Do a minimal installation. Install only the bare minimum of packages, as every package may have bugs and vulnerabilities (they really do!) and ... why install packages you don't need?

To know which packages you have installed:
# yum list installed

Check which services are active on your system:
# systemctl list-units --type=service --state=active

Encrypt your home partition. Encrypting every file system is not always practical, but protecting your data with encryption (the installer offers LUKS disk encryption) is normally recommended. It preserves confidentiality if the laptop is stolen or the disk is pulled, which a BIOS password does not.

Once the system is up and running, configure the network so that your workstation/laptop can reach the Internet, then update your packages:
# yum update

Enable your firewall: it is normally enabled by default, but why not check? CentOS 7 uses firewalld.
# systemctl status firewalld
# systemctl start firewalld
# systemctl enable firewalld

To see the rules actually loaded in the kernel, run the following iptables command (the firewalld view of zones, services and open ports comes from firewall-cmd --list-all):
# iptables -L -n


User rights

As you should normally work as a standard user and only run specific commands as root (via sudo), you should not be able to log in to a system remotely as root (via ssh), and you should be able to log in as root only on the local console. For ssh that means PermitRootLogin set to no in /etc/ssh/sshd_config, followed by a reload of sshd.
The key file for local root login is /etc/securetty. This configuration file lists the virtual consoles (tty1 to tty6) on which the root user may log in. PAM is the service that "uses" /etc/securetty: when the user root attempts to log in on a virtual console such as tty1, the login program checks through PAM whether "tty1" is listed in /etc/securetty, and only then lets root in. PAM manages several other authentication mechanisms (both for local and remote authentication).
Single-user mode login does not use PAM (its login program is sulogin, which asks for the root password directly).
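An added example (not from the original article) that audits the two root-login paths discussed above: the PermitRootLogin value sshd will actually use, and the consoles listed in /etc/securetty. Both input files are constructed samples; the sshd_config sample deliberately contains a "yes" followed by a later "no" because sshd honours the first occurrence of a keyword, which is a common way for a hardening edit appended at the end of the file to be silently ignored.

```bash
#!/bin/bash
# Audit where root can log in from: sshd's PermitRootLogin and the consoles in
# /etc/securetty. Both files below are constructed samples, not real ones.

SSHD_SAMPLE=$(mktemp); SECURETTY_SAMPLE=$(mktemp)
trap 'rm -f "$SSHD_SAMPLE" "$SECURETTY_SAMPLE"' EXIT

cat > "$SSHD_SAMPLE" <<'EOF'
# constructed sshd_config excerpt
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

cat > "$SECURETTY_SAMPLE" <<'EOF'
# constructed securetty
console
tty1
tty2
tty3
pts/0
EOF

# sshd_permit_root_login SSHD_CONFIG
# Prints the value sshd will use, or "unset". sshd takes the FIRST uncommented
# occurrence of a keyword, so a "PermitRootLogin no" appended at the end is
# ignored when an earlier "PermitRootLogin yes" exists.
sshd_permit_root_login() {
  awk 'tolower($1) == "permitrootlogin" && !done { print $2; done = 1 }
       END { if (!done) print "unset" }' "$1"
}

# securetty_entries SECURETTY [AWK_REGEX]
# Prints the tty names listed (comments and blank lines skipped), on one line,
# optionally only those matching AWK_REGEX.
securetty_entries() {
  awk -v pat="${2:-.}" '/^[ \t]*(#|$)/ { next }
       $1 ~ pat { printf "%s%s", sep, $1; sep = " " }
       END { print "" }' "$1"
}

# root_login_audit SSHD_CONFIG SECURETTY
root_login_audit() {
  prl=$(sshd_permit_root_login "$1")
  case "$prl" in
    no)    echo "sshd: PermitRootLogin=no (good)" ;;
    prohibit-password|without-password)
           echo "sshd: PermitRootLogin=$prl (root with keys only)" ;;
    unset) echo "sshd: PermitRootLogin=unset (sshd's built-in default applies; set it to no explicitly)" ;;
    *)     echo "sshd: PermitRootLogin=$prl (root can log in remotely; set it to no)" ;;
  esac
  echo "securetty consoles: $(securetty_entries "$2")"
  # pts/N entries would let root log in on pseudo-terminals, i.e. remotely
  pts_list=$(securetty_entries "$2" '^pts/')
  echo "securetty pseudo-terminals: ${pts_list:-none}"
}

# Against the constructed samples this prints:
#   sshd: PermitRootLogin=yes (root can log in remotely; set it to no)
#   securetty consoles: console tty1 tty2 tty3 pts/0
#   securetty pseudo-terminals: pts/0
root_login_audit "$SSHD_SAMPLE" "$SECURETTY_SAMPLE"
```

On a real box run `root_login_audit /etc/ssh/sshd_config /etc/securetty`. If it reports "yes", change the first PermitRootLogin line (not just append one), reload sshd with `systemctl reload sshd`, and re-run the audit to confirm.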

3) Keep your system secure

You can ask yum to look only for security updates:
# yum check-update --security

Note that the stock CentOS repositories do not carry the updateinfo (errata) metadata that --security relies on, so on CentOS this typically reports nothing even when security fixes are pending; there a plain yum check-update is the safe baseline. On Red Hat Enterprise Linux, with the errata metadata available, the --security filter works as intended.

As the above command runs non-interactively, you can use its exit code to automate your system updates.

The possible exit codes are:
0: no updates available
100: updates available (it does not tell you how many ...)
1: an error occurred during the check
Before installing any update it is always good to read the errata and to know the best procedure to stop the running package and replace/update it with the new one.
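As an added example (not from the original article), here is the exit-code-driven update logic in script form. The check and install commands are passed in by name so the decision logic can be exercised with the stand-in functions below; they mimic yum's exit statuses and are not yum. On a real box pass the real commands, as shown in the final comment.

```bash
#!/bin/bash
# Drive the update decision from the exit status of `yum check-update --security`.
# Added example: the check and install commands are passed in by name so the
# logic can be exercised with the stand-in functions below without touching yum.

# classify_check_status RC  ->  none | available | error
# yum check-update exits 0 when nothing is pending, 100 when updates are
# available and 1 when the check itself failed.
classify_check_status() {
  case "$1" in
    0)   echo none ;;
    100) echo available ;;
    *)   echo error ;;
  esac
}

# security_update_cycle CHECK_CMD INSTALL_CMD
# Runs CHECK_CMD; only when it reports pending updates runs INSTALL_CMD.
# Returns 2 when the check failed, so a cron job or monitor can alert instead
# of silently skipping the update.
security_update_cycle() {
  if $1 >/dev/null 2>&1; then check_rc=0; else check_rc=$?; fi
  case "$(classify_check_status "$check_rc")" in
    none)      echo "no security updates pending" ;;
    available) echo "security updates pending, applying"; $2 ;;
    error)     echo "check failed (exit $check_rc), leaving the system untouched" >&2; return 2 ;;
  esac
}

# Stand-ins that mimic yum's exit statuses (not real yum).
fake_check_none()      { return 0; }
fake_check_available() { return 100; }
fake_check_error()     { return 1; }
fake_install()         { echo "(dry run) yum -y update --security"; }

# Prints:
#   security updates pending, applying
#   (dry run) yum -y update --security
security_update_cycle fake_check_available fake_install

# On a real CentOS/RHEL box (as root, e.g. from cron):
#   security_update_cycle "yum -q check-update --security" "yum -y update --security"
```

The point of the wrapper is the third branch: a failed check (no network, broken repo metadata) must not be confused with "nothing to do", so it returns a distinct status that a cron mailer or monitoring check can pick up.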

Reference
