Understand Linux OS and security concerns
Discuss Linux Installation and patching
Discuss Linux OS hardening techniques
Discuss Linux user access and password management
Discuss Linux network and remote access security
Discuss various Linux security tools and frameworks
Understand Linux OS and security concerns
Linux is an open-source OS widely used across enterprises and government bodies
Components of Linux OS:
Hardware:
Consists of physical devices like monitor, RAM, HDD, CPU, etc.
Kernel: A core component of the OS having complete control over system resources.
Shell: An interface that takes inputs from the users, sends it to the kernel, and sends the output of the kernel back
Applications or utilities: Utility programs that can be launched from the shell. Utilities provide most of the functionality that an operating system offers to the user.
System libraries: Special functions used to implement OS functionality that do not require access rights to the kernel modules
Daemons: Background services that perform tasks such as printing and job scheduling
Graphical server: Subsystem responsible for displaying graphics on the monitor, referred to as X
Linux Features
Portability – Linux kernel and applications can be installed on different hardware platforms
Open Source – Source code of Linux is available for free and it is a community-based development project
Multiuser – Multiple users can run applications / programs at the same time
Hierarchical File System – Linux standard hierarchical file structure arranges directories and files in a tree like structure
Shell – A special interpreter program used to execute programs or applications
Security – Linux provides security features like authentication, controlled access to files using passwords, data encryption
Linux Security Concerns
Linux security is becoming a concern as hackers have exploited many vulnerabilities in Linux in the recent past
Discuss Linux Installation and patching
Enable Minimal Installation Option
The Ubuntu Linux OS provides minimal installation option
The minimal installation option minimizes the number of packages installed during the operating system installation
This option prevents the Ubuntu OS from downloading unnecessary packages and applications, including third-party or untrusted applications that may be vulnerable to new exploits
Password protect BIOS and Bootloader
BIOS password protects unauthorized users from:
Changing the BIOS settings
Booting the system
Navigate the BIOS configuration menu to add a password
Bootloader password protects unauthorized users from:
Accessing Single User mode
Accessing GRUB console
Accessing a non-secure operating system when a dual-boot system is present
GRUB and LILO are two bootloaders found in Linux
Password Protecting GRUB – grub-mkpasswd-pbkdf2
Linux Patch Management
Apply the latest security patches to keep the Linux kernel and software up-to-date
Method 1
Deploy the patches manually – Download updated packages from the distribution's website and install them manually.
Method 2
Automate patching – Download and install updates using third-party patch management software
Commands to manually patch a Debian-based Linux OS
apt-get update fetches the list of available updates
sudo apt-get update
apt-get upgrade upgrades the installed packages without installing or removing any other packages
sudo apt-get upgrade
apt-get dist-upgrade also handles changed dependencies, installing or removing packages as needed to complete the upgrade
sudo apt-get dist-upgrade
Commands to manually patch a Red Hat-based Linux OS
yum check-update lists the available updates
sudo yum check-update
yum update installs them
sudo yum update
Linux Hardening Checklist: System Installation and Patching
- Use the latest version for installing the OS and protect the newly installed system from malicious network traffic until it is hardened
- Create a separate volume with the nodev, nosuid, and noexec options set for /tmp
- Create separate volumes for /var, /var/log, and /home
- Set sticky bit on all writable directories
- Configure the system to enable automatic software updates
Discuss Linux OS hardening techniques
Disabling Unnecessary Services
The open ports of services running on the system can be used by the intruders. Hence, to protect the system, disable all unnecessary services.
Disable unnecessary services using the service manager (systemctl)
Disable services such as FTP, Telnet, Rlogin / Rsh, etc. if not in use
sudo systemctl stop [service]
sudo systemctl disable [service]
sudo kill -9 [process_id]
Remove or Uninstall Unnecessary Software / Packages
Uninstall unnecessary software to protect the system from vulnerabilities in software
To uninstall unnecessary software, review the installed software using a package manager such as apt-get, dpkg, or yum and delete all unwanted packages.
Use tools like UnusedPkg diagnostics and Deborphan to list and remove the unused packages or libraries in a Linux distribution.
dpkg --list displays all installed packages
dpkg --list
apt-get autoremove removes libraries and packages that were installed automatically and are no longer needed
apt remove [package name] uninstalls the package
Install Antivirus
Install antivirus software to detect infected files uploaded to the Linux system
Antivirus example: ClamAV
clamscan --help
clamscan
Linux Hardening Checklist: OS Hardening
- Restrict core dump
- Remove legacy services
- Disable any services and applications started by xinetd or inetd that are not being utilized. Remove xinetd.
- Disable or remove server services (FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.) that are not used
- Ensure a syslog (rsyslog, syslog, syslog-ng) service is running
- Enable a network time protocol (NTP) service to ensure clock accuracy
- Restrict the use of the cron and at services
Discuss Linux user access and password management
Enforce a strong password policy using PAM (Pluggable Authentication Modules).
Password Policy Settings
Password maximum days
Password minimum days
Password warning days
Minimum uppercase characters
Minimum lowercase characters
Minimum digits characters
Minimum other characters (symbols)
Account lock – retries
Account unlock time
Restrict Users from using previous passwords
For a secure password policy, it is recommended to restrict users from reusing previous passwords
To prevent users from reusing old passwords, use the remember option of the PAM password module (for example pam_unix or pam_pwhistory) in the configuration files under /etc/pam.d
Ensure No Accounts Have Empty Passwords
All accounts should have passwords to prevent misuse of the account by an unauthorized user.
Run the following command to list all accounts with empty passwords:
awk -F: '($2 == "") {print}' /etc/shadow
Disable Unnecessary Accounts
Disable inactive user accounts that have not been used for a long period of time
Remember to disable the user accounts of employees who have left the organization
Attackers can gain access to a system through compromised unused / inactive user accounts.
Command to view users who have been inactive for the last 90 days
lastlog -b 90 | tail -n+2 | grep -v 'Never logged in'
Command to disable (lock) a user account
usermod -L bob
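The empty-password and inactive-account checks above collected into one audit script. This is an added example, not part of the original notes: it reads a shadow-format file given as its argument (a constructed sample with fake hashes is embedded so it runs without root; pass /etc/shadow on a live system), and it judges inactivity by the last password change date recorded in that file rather than by lastlog.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for empty passwords, locked
# accounts and passwords older than a threshold. Field layout is
# name:hash:lastchange:min:max:warn:inactive:expire (lastchange in days
# since 1970-01-01).

# Constructed sample; the hashes are fake placeholders, not real credentials.
SAMPLE_SHADOW='root:$6$fakesalt$fakehash1:19700:0:99999:7:::
bob::19600:0:90:7:::
alice:!$6$fakesalt$fakehash2:19650:0:90:7:::
svc:*:18000:0:99999:7:::
carol:$6$fakesalt$fakehash3:19000:0:90:7:::'

# Accounts whose password field is empty: anyone can log in without a password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts already locked ("!" prefix, which is what usermod -L writes) or
# with no usable password at all ("*").
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Usable accounts whose password was last changed more than $2 days before
# $3 (today, expressed in days since the epoch).
stale_password_accounts() {
    awk -F: -v max="$2" -v today="$3" \
        '$2 != "" && $2 !~ /^[!*]/ && $3 != "" && today - $3 > max { print $1 }' "$1"
}

# Lock an account as the notes recommend (needs root).
lock_account() {
    usermod -L "$1"
}

# Run all checks against one file; on a live system: audit_shadow /etc/shadow
audit_shadow() {
    today=$(( $(date +%s) / 86400 ))
    echo "Empty passwords:";             empty_password_accounts "$1"
    echo "Locked accounts:";             locked_accounts "$1"
    echo "Password older than 90 days:"; stale_password_accounts "$1" 90 "$today"
}

# Demonstration on the constructed sample
sample=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$sample"
audit_shadow "$sample"
rm -f "$sample"
```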
Secure Shared Memory
By default, shared memory (/run/shm) is mounted with read/write permissions, which makes that space usable in attacks
Writable shared memory can be abused in attacks targeted at services such as apache2, httpd, etc.
To secure shared memory, mount /run/shm read-only and without permission to execute programs
Edit the /etc/fstab file and include the following line to harden the /run/shm mount:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Delete X Windows Systems (X11)
CentOS / RHEL 5.x and Fedora Linux come with the X Window System
The X Window System is the graphical interface for Linux and is not required on dedicated Linux-based mail servers and Apache / Nginx web servers. Vulnerabilities in X Windows can let non-root users escalate their privileges to a higher level
Disable and remove X Windows to prevent from exploiting vulnerabilities in the X11 code.
To disable X Windows at System Boot, edit /etc/inittab and set run level to 3
- Open inittab file in editor: vi or nano /etc/inittab
- Find line: id:5:initdefault:
- Replace with id:3:initdefault:
To remove X Windows, type the following command:
yum groupremove "X Window System"
Create Separate Disk Partitions for Linux Systems
Separate OS files from user files for higher data security
Ensure that the following file systems are mounted on separate partitions:
/usr
/home
/var and /var/tmp
/tmp
Create separate partitions for Apache and FTP server roots
Edit and update the following configuration settings in /etc/fstab file
noexec – Do not allow execution of any binaries on this partition (prevents execution of binaries but allows scripts to be read by an interpreter)
nodev – Do not allow character or block special devices on this partition (prevents use of device files such as zero, sda, etc.)
nosuid – Do not honour SUID/SGID access on this partition (prevents the setuid bit from taking effect)
Enable disk quota for all users
Implement disk quotas for users to limit the number of files a user can create on the system
sudo edquota Bob
sudo quota -vs Bob
Understanding and checking Linux file permissions
Type ls -l command to display the list of files and their permissions under home directory
Types of Permissions:
r – denotes read permissions
w – denotes write permissions
x – denotes execute permissions
- – denotes no permission
Permission Details:
The first character in the directory list denotes the file type: d for a directory, - for a regular file
The next three characters denote user (owner) permissions
The next three denote group permissions
The final three characters denote other (world) permissions
Permission Groups: Owner and Group
The first name after the link count is the owner name
The second name after the link count is the group name
Changing File Permissions
Check for permissions on sensitive files
Use chmod command to change the permissions of a file or directory
chmod [permission value] [file name]
Common directory permissions settings
Value – Meaning
777 – (rwxrwxrwx) no restrictions on permissions. Anybody can list files, create new files in the directory, and delete files in the directory
755 – (rwxr-xr-x) the directory owner has full access. All others can list and enter the directory but cannot create or delete files in it. This setting is useful for directories that you wish to share with other users
700 – (rwx------) the directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the user can use and must be kept private from others.
Common file permissions
777 – (rwxrwxrwx) no restrictions on anything. Anybody can do anything. Generally not a desirable setting.
755 – (rwxr-xr-x) the file owner may read, write and execute the file. Others can read and execute the file. This setting is useful for programs that are used by all users
700 – (rwx------) the file owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and are kept private from others
666 – (rw-rw-rw-) all users can read and write the file
644 – (rw-r--r--) the owner can read and write the file. Everybody else may only read the file. A very common setting where everybody may read but only the owner can make changes
600 – (rw-------) the owner can read and write the file. Others have no rights. A common setting for files that the owner wants to keep private
Check and verify permissions for sensitive files and directories
Permissions – File Pathname – Description
- 600 – /boot/grub/menu.lst – GRUB boot loader menu file
- 400 – /etc/cron.allow – List of users permitted to use cron
- 400 – /etc/cron.deny – List of users who cannot use cron
- 644 – /etc/crontab – System-wide periodic jobs
- 644 – /etc/hosts.allow – List of hosts allowed to use Internet services that are started using TCP wrappers
- 644 – /etc/hosts.deny – List of hosts denied access to Internet services that are started using TCP wrappers
- 644 – /etc/logrotate.conf – File that controls how log files rotate
- 644 – /etc/xinetd.conf – Configuration file for the xinetd server
- 755 – /etc/xinetd.d – Directory containing configuration files for xinetd
- 755 – /var/log – Directory with all log files
- 644 – /var/log/lastlog – Information about all previous logins
- 644 – /var/log/messages – Main system message log file
- 664 – /var/log/wtmp – Information about current logins
- 755 – /etc/pam.d – Directory with configuration files for pluggable authentication modules (PAMs)
- 644 – /etc/passwd – Old-style password file with user account information but not the passwords
- 755 – /etc/rc.d – Directory with system-startup scripts
- 600 – /etc/securetty – TTY interfaces (terminals) from which root can log in
- 755 – /etc/security – Policy files that control system access
- 400 – /etc/shadow – Files with encrypted passwords and password expiration information
- 400 – /etc/shutdown.allow – Users who can shut down or reboot by pressing Ctrl+Alt+Delete
- 755 – /etc/ssh – Directory with configuration files for the Secure Shell (SSH)
- 755 – /etc/sysconfig – System configuration files
- 644 – /etc/sysctl.conf – Kernel configuration parameters
- 644 – /etc/syslog.conf – Configuration file for the syslogd server that logs messages
- 644 – /etc/udev/udev.conf – Configuration file for udev – the program that provides the capability to dynamically name hot-pluggable devices and create the devices files in the /dev directory
- 600 – /etc/vsftpd – Configuration file for the very secure FTP server
- 600 – /etc/vsftpd.ftpusers – List of users who are not allowed to use FTP to transfer files
Disable Unwanted SUID and SGID Binaries
SUID/SGID bits, if enabled, help local or remote users gain root privileges by exploiting existing vulnerabilities in the binary
Find and remove the "s" bits from files to disable SUID/SGID
View all files with SUID set
find / -perm /4000
View all files with SGID set
find / -perm /2000
Remove the setuid bit from a file
chmod a-s /usr/bin/chfn
Remove or Rectify Permissions for World-Writeable Files
Any user can edit world-writable files, which poses a security risk to the system
View all world-writable files, set the correct user and group permissions on the files that are required, and delete the unnecessary ones
View world-writable directories without the sticky bit
find /home/alice -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
View files with no owner or group
find /home/alice -xdev \( -nouser -o -nogroup \) -print
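The permission table, the SUID/SGID search and the world-writable search above, combined into one audit script. This is an added example, not part of the original checklist: EXPECTED_MODES is a subset of the table, the function names are chosen here, and the optional root argument lets the checks run against a copy of the tree instead of the live system.

```shell
#!/bin/sh
# Added example: compare sensitive paths against the expected modes from the
# table above, and locate SUID/SGID and world-writable files under a root.
# Uses GNU stat/find as found on Linux; EXPECTED_MODES is a subset of the table.

EXPECTED_MODES='600 /etc/securetty
400 /etc/shadow
644 /etc/passwd
644 /etc/crontab
755 /etc/ssh
755 /etc/pam.d'

# Return 0 if $1 is no more permissive than octal mode $2 (extra bits set on
# the file are a finding; fewer bits are fine). Returns 2 when $1 is missing.
mode_ok() {
    [ -e "$1" ] || return 2
    have=$(( 0$(stat -c %a "$1") & 0777 ))   # drop setuid/setgid/sticky bits
    want=$(( 0$2 ))
    [ $(( have | want )) -eq "$want" ]
}

# Walk EXPECTED_MODES under root $1 (default "/"), report deviations and
# return the number of paths that are too open. Missing paths are reported
# but not counted, since not every system has every file.
audit_sensitive_files() {
    root=${1:-}
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if mode_ok "$root$path" "$want"; then rc=0; else rc=$?; fi
        case $rc in
            0) ;;
            2) echo "MISSING  $root$path" ;;
            *) echo "TOO OPEN $root$path is $(stat -c %a "$root$path"), expected $want"
               bad=$((bad + 1)) ;;
        esac
    done <<EOF
$EXPECTED_MODES
EOF
    return "$bad"
}

# SUID or SGID files under $1 (the notes' find / -perm /4000 and /2000, combined)
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# World-writable files and directories under $1 that lack the sticky bit
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print
}

# Usage on a live system (as root): sh perm-audit.sh /
if [ -n "${1:-}" ]; then
    audit_sensitive_files "${1%/}"
    echo "--- SUID/SGID binaries"; find_setid_files "$1"
    echo "--- world-writable without sticky bit"; find_world_writable "$1"
fi
```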
Disable USB Storage
By default, Linux allows mounting of removable devices to the system
Disable USB storage in Linux to prevent data theft using a removable media
- Disable USB storage using the system BIOS configuration option
- Disable kernel support for USB via GRUB
- In Debian distributions – Block the USB storage module from loading into the Linux kernel
- In Red Hat distribution – Block USB storage using fake install or blacklist usb-storage
Linux Hardening Checklist: User access and passwords
- Create an account for each user who should access the system
- Enforce the use of strong passwords
- Use sudo to delegate admin access
Application Sandboxing in Linux: Firejail
Firejail is a set-user-ID (SUID) program that restricts the running environment of untrusted applications using Linux namespaces and seccomp-bpf
It makes a process and all its descendants have their own private view of globally shared kernel resources such as the network stack, process table, and mount table
It sandboxes various processes such as servers, graphical applications, and user login sessions
Firejail includes security profiles for a large number of Linux programs such as Mozilla Firefox, Chromium, VLC, and Transmission.
Prefix a launch command with firejail to start the app in a sandbox
firejail firefox
firejail transmission-gtk
firejail vlc
sudo firejail /etc/init.d/nginx start
Discuss Linux network and remote access security
The system control interface (sysctl) helps you make changes to a running Linux kernel. Configure the Linux kernel with the following security settings to secure it.
/etc/sysctl.conf is a file that contains sysctl values that are set and read during booting
Edit /etc/sysctl.conf to:
- Restrict network-transmitted configuration for IPv4
- Restrict network-transmitted configuration for IPv6
- Turn on ExecShield protection
- Prevent SYN flood attacks
- Turn on source IP address verification
- Prevent spoofing attack against the IP address of the server
- Log various suspicious packets (spoofed packets, source-routed packets, and redirects)
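The sysctl settings listed above, written out as a sysctl.d fragment together with a verifier that reads the live values back from /proc/sys. This is an added example, not from the original notes: the file name 99-hardening.conf and the function names are our choice, and ASLR (kernel.randomize_va_space) stands in for the older ExecShield setting that current kernels no longer provide.

```shell
#!/bin/sh
# Added example: generate a sysctl.d fragment for the settings listed above
# and verify the live kernel values under /proc/sys. Assumes a systemd-style
# /etc/sysctl.d directory; the file name 99-hardening.conf is our choice.

# Required key=value pairs: no IP forwarding, no sending/accepting redirects,
# no source-routed packets, source address verification (rp_filter), logging
# of martian/spoofed packets, ignore broadcast pings and bogus ICMP errors,
# SYN cookies against SYN floods, the IPv6 equivalents, and full ASLR
# (the modern counterpart of ExecShield-style protection).
hardening_settings() {
    cat <<'EOF'
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
kernel.randomize_va_space=2
EOF
}

# Write the fragment in "key = value" form; default path /etc/sysctl.d/99-hardening.conf
write_sysctl_fragment() {
    hardening_settings | sed 's/=/ = /' > "${1:-/etc/sysctl.d/99-hardening.conf}"
}

# Compare every required value with the kernel's current value. $1 is the
# tree to read (default /proc/sys; a fake tree can be passed for testing).
# Prints each deviation and returns the number of deviations found.
verify_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    for kv in $(hardening_settings); do
        key=${kv%%=*}
        want=${kv#*=}
        file="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$file" ]; then
            echo "MISSING  $key (kernel lacks this parameter)"
            bad=$((bad + 1))
        elif [ "$(cat "$file")" != "$want" ]; then
            echo "MISMATCH $key: have $(cat "$file"), want $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: sh sysctl-hardening.sh apply   (as root) writes, loads and verifies
case "${1:-}" in
    apply) write_sysctl_fragment && sysctl --system >/dev/null && verify_sysctl ;;
esac
```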
Host-based Firewall Protection with Iptables
Iptables is the built-in firewall utility of Linux OSes
Iptables comes preinstalled on most Linux distributions; if it is missing, you can install it using sudo apt-get install iptables
To list out all the possible commands associated with iptables, use the following command:
iptables -h
Task – Iptables Commands
Drop new TCP connections that do not start with a SYN packet – iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Block XMAS scan packets (all TCP flags set) – iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop NULL packets (no TCP flags set) – iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Drop fragmented packets – iptables -A INPUT -f -j DROP
Existing rules can be checked using the following command:
sudo iptables -L -n -v
Specific IP address can be blocked using Iptables Firewall:
iptables -A INPUT -s 10.0.0.1 -j DROP
TCP Wrappers
TCP Wrappers or TCPD is a host-based network access control list (ACL) system that provides firewall services by monitoring network traffic.
TCP Wrappers decides which hosts are allowed to connect to a wrapped service over the network
It allows connections according to the rules in /etc/hosts.allow and denies connection requests based on the rules in /etc/hosts.deny
A given service is TCP-wrapped only when its binary links against libwrap, which shows up as output from the ldd [/path/to/binary] | grep libwrap command
ldd $(which sshd) | grep libwrap
ldd $(which ufw) | grep libwrap
Monitor Open Ports and Services
Monitoring open ports and the associated services running on each port helps understand the associated vulnerabilities and hidden security risks
The netstat -tulpn or ss -tulpn command displays all open ports and their associated services
To list active sockets (servers and established)
netstat -anop
To list active Internet connections
netstat -tulpn
For greater details use the ss command instead of netstat
ss -anop
ss -tulpn
Turn off IPv6 if not in use
Running misconfigured IPv6 leaves the system exposed to various attacks.
It is recommended to switch off IPv6 if not in use
Secure SSH root login
SSH enables secure data transfer between client and server.
Attackers can also use SSH to attack the operating system.
Disable SSH root login
To prevent users from logging in directly as root, disable SSH root login using any of the following methods:
Set PermitRootLogin no in the /etc/ssh/sshd_config file
Add the root user to the DenyUsers list in the /etc/ssh/sshd_config file
Deny the root user via the /etc/ssh/sshd.deny file
Enable detailed logging for SSH
To enable detailed logging for SSH:
Edit the /etc/ssh/sshd_config file
Change the LogLevel parameter value to VERBOSE
Setup Chroot SFTP
By default, users logged in over SFTP can browse other users' directories, just as they can over SCP or SSH.
Create a chroot directory so that SFTP users are confined to their own directory:
To create the chroot directory, execute sudo mkdir -p /sftp/(name) and give root ownership of it with sudo chown root:root /sftp/
Create the sftponly group by executing sudo groupadd sftponly and add users with sudo useradd -g sftponly -d /(name) -s /sbin/nologin (new user)
Create a password for that account: sudo passwd (user)
Execute the following commands to restrict access to the user's home directory (bob is the example user):
sudo chown bob:sftponly /sftp/bob
sudo chmod 700 /sftp/bob
Edit the /etc/ssh/sshd_config file and comment out the following line by adding a hash (#) in front of it:
#Subsystem sftp /usr/lib/openssh/sftp-server
Add the following block at the end of the file:
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /sftp/
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
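The chroot SFTP procedure above collected into one script. This is an added example, not taken from the notes: it assumes OpenSSH with internal-sftp, /sftp as the chroot root and a group named sftponly; the user name passed in is a placeholder, and sshd's requirement that the chroot directory be root-owned and not group- or world-writable is checked before the configuration is reloaded.

```shell
#!/bin/sh
# Added example: the chroot SFTP setup from the notes as one script.
# Assumes OpenSSH with internal-sftp, /sftp as the chroot root and a group
# named sftponly; the user name passed in is a placeholder.

SFTP_ROOT=/sftp
SFTP_GROUP=sftponly

# Print the sshd_config block that confines members of group $1 to $2.
sftp_sshd_fragment() {
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $1
    ChrootDirectory $2
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
}

# sshd refuses a ChrootDirectory unless it is owned by root and not
# group- or world-writable; return 0 when directory $1 satisfies that.
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %u "$1")" = 0 ] || return 1
    [ $(( 0$(stat -c %a "$1") & 022 )) -eq 0 ]
}

# Create the chroot root, the group, one user with /sbin/nologin as shell and
# the user's own writable directory inside the chroot (run as root).
setup_sftp_user() {
    user=$1
    mkdir -p "$SFTP_ROOT/$user"
    chown root:root "$SFTP_ROOT" && chmod 755 "$SFTP_ROOT"
    chroot_dir_ok "$SFTP_ROOT" || { echo "$SFTP_ROOT must be root-owned and not writable by others" >&2; return 1; }
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    id "$user" >/dev/null 2>&1 || useradd -g "$SFTP_GROUP" -d "/$user" -s /sbin/nologin "$user"
    chown "$user:$SFTP_GROUP" "$SFTP_ROOT/$user" && chmod 700 "$SFTP_ROOT/$user"
    # Switch sshd to the in-process SFTP server and append the Match block once
    if ! grep -q "^Match Group $SFTP_GROUP" /etc/ssh/sshd_config; then
        sed -i 's|^Subsystem sftp /usr/lib/openssh/sftp-server|#&|' /etc/ssh/sshd_config
        sftp_sshd_fragment "$SFTP_GROUP" "$SFTP_ROOT/" >> /etc/ssh/sshd_config
    fi
    # Validate the configuration before reloading, so a typo cannot lock you out
    sshd -t && { systemctl reload sshd 2>/dev/null || systemctl reload ssh; }
}
```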
Linux Hardening Checklist: Network Security and Remote Access:
- Implement firewall and other access controls to restrict connections to services running on the host to authorized users of the service
- Disable IP forwarding, send packet redirects, source routed packet acceptance, and ICMP redirect acceptance
- Enable IP ignore broadcast requests, bad error message protection, TCP/SYN cookies
- Ensure that SSH server configuration Protocol version is set to 2, LogLevel is set to INFO, and PermitEmptyPasswords is set to No.
- Disable root login over SSH
Discuss various Linux security tools and frameworks
Security Auditing and System Hardening using Lynis
Lynis performs an extensive health scan of the systems to support system hardening and compliance testing
Lynis is used for:
- Security Auditing
- Compliance Testing (e.g. PCI, HIPAA, SOX, etc.)
- Penetration Testing
- Vulnerability detection
- System Hardening
Turn on AppArmor
AppArmor is a Linux kernel security module that allows administrators to restrict programs' capabilities through per-program profiles.
It is a Mandatory Access Control (MAC) system implemented on top of the Linux Security Modules (LSM) framework.
It allows administrators to apply MAC to limit a program's access to a defined set of resources.
apparmor_status
Turn on Security-Enhanced Linux (SELinux)
SELinux (security-enhanced Linux) is a kernel level MAC (Mandatory Access Control) implementation for Linux
It uses the LSM framework to implement MAC
Protects against damages caused by unknown or unpatched exploits
Enables fine-grained control in the system
Allows implementation of a customized level of security
sestatus
Audit Linux System for Security Compliance using OpenSCAP
SCAP (security content automation protocol) is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
To install OpenSCAP use the following command:
On Fedora:
dnf install openscap-scanner
On RHEL 6, 7 & CentOS 6, 7:
yum install openscap-scanner
On Debian and Ubuntu:
apt-get install libopenscap8
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
Additional Linux Hardening Tools
Bastille Linux – sourceforge.net
JShielder – github.com
Comodo Antivirus – comodo.com
nixarmor – github.com
bane – github.com
Grsecurity – grsecurity.net
Summary
Linux is an open source OS widely used across enterprises and government bodies
Linux security is becoming a concern as hackers have exploited many of Linux’s vulnerabilities in the recent past.
Installing the latest version of the OS helps you prevent many attacks.
Removing or disabling unnecessary services and software packages helps you reduce the attack surface.
Appropriate user access permissions and strong password management policies discourage unauthorized access.