Endpoint Security Linux

Understand Linux OS and security concerns

Discuss Linux Installation and patching

Discuss Linux OS hardening techniques

Discuss Linux user access and password management

Discuss Linux network and remote access security

Discuss various Linux security tools and frameworks

Understand Linux OS and security concerns

Linux is an open-source OS widely used across enterprises and government bodies

Components of Linux OS:

Hardware:

Consists of physical devices like monitor, RAM, HDD, CPU, etc.

Kernel: A core component of the OS having complete control over system resources.

Shell: An interface that takes input from the user, passes it to the kernel, and returns the kernel's output to the user

Applications or utilities: Utility programs that can be launched from the shell. Utilities provide most of the functionality an operating system offers to the user.

System libraries: Special functions that do not require any access rights to the kernel modules to implement the functionality of the OS

Daemons: Background services that perform tasks such as printing and job scheduling

Graphical server: The subsystem responsible for displaying graphics on the monitor, referred to as X

Linux Features

Portability – Linux kernel and applications can be installed on different hardware platforms

Open Source – Source code of Linux is available for free and it is a community-based development project

Multiuser – Multiple applications / programs can run at the same time

Hierarchical File System – Linux standard hierarchical file structure arranges directories and files in a tree like structure

Shell – A special interpreter program used to execute programs or applications

Security – Linux provides security features such as authentication, password-controlled access to files, and data encryption

Linux Security Concerns

Linux security is becoming a concern as hackers have exploited many vulnerabilities in Linux in the recent past

Discuss Linux Installation and patching

Enable Minimal Installation Option

The Ubuntu Linux OS provides minimal installation option

The minimal installation option minimizes the number of packages installed during the operating system installation

This option prevents the Ubuntu installer from downloading unnecessary packages and applications, including third-party or untrusted applications that may be vulnerable to new exploits

Password protect BIOS and Bootloader

A BIOS password prevents unauthorized users from:

Changing the BIOS settings

Booting the system

Navigate the BIOS configuration menu to add a password

A bootloader password prevents unauthorized users from:

Accessing Single User mode

Accessing GRUB console

Accessing a non-secure operating system when the machine dual-boots

GRUB and LILO are two bootloaders found in Linux

Password Protecting GRUB – grub-mkpasswd-pbkdf2
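grub-mkpasswd-pbkdf2 prints a hash in the form grub.pbkdf2.sha512.<iterations>.<salt>.<hash>, which is then placed in /etc/grub.d/40_custom with a set superusers line and a password_pbkdf2 line before grub.cfg is regenerated. The following Python is an added example, not code from the page: it reproduces that hash format with the standard library, verifies a password against it, and renders the 40_custom fragment; the 64-byte salt, 10000 iterations and 64-byte output mirror grub-mkpasswd-pbkdf2's defaults, and the user name is a placeholder.

```python
import hashlib
import hmac
import os
from typing import Optional

# GRUB 2 stores the hash as: grub.pbkdf2.sha512.<iterations>.<SALT_HEX>.<HASH_HEX>
# grub-mkpasswd-pbkdf2 defaults: 10000 iterations, 64-byte salt, 64-byte output.
GRUB_PREFIX = "grub.pbkdf2.sha512"


def grub_pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = 10000) -> str:
    """Return a grub.pbkdf2.sha512 string for the given password."""
    if salt is None:
        salt = os.urandom(64)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, iterations, dklen=64)
    return f"{GRUB_PREFIX}.{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


def grub_pbkdf2_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored grub.pbkdf2.sha512 string."""
    try:
        prefix, iterations, salt_hex, hash_hex = stored.rsplit(".", 3)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # not in GRUB's format
    if prefix != GRUB_PREFIX or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def grub_superuser_config(user: str, stored: str) -> str:
    """Render the /etc/grub.d/40_custom lines that require the password for
    editing boot entries or opening the GRUB console (user name is a placeholder)."""
    return f'set superusers="{user}"\npassword_pbkdf2 {user} {stored}\n'


if __name__ == "__main__":
    # Constructed demo: hash a throwaway password and render the config fragment.
    h = grub_pbkdf2_hash("change-me")
    print(grub_superuser_config("admin", h))
    print("verify:", grub_pbkdf2_verify("change-me", h))
```

After adding the fragment, regenerate grub.cfg (update-grub on Debian/Ubuntu, grub2-mkconfig on RHEL-based systems) so the password takes effect.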

Linux Patch Management

Apply the latest security patches to keep the Linux kernel and software up-to-date

Method 1

Deploy the patches manually – Download updated packages from the distribution's website and install them manually.

Method 2

Automate patching – Download and install updates using third-party patch management software

Commands to manually patch a Debian-based Linux OS

apt-get update fetches the list of available updates

sudo apt-get update

apt-get upgrade strictly upgrades the current packages

sudo apt-get upgrade

apt-get dist-upgrade upgrades packages and, unlike apt-get upgrade, also installs or removes packages when dependencies change

sudo apt-get dist-upgrade

Add yum based info here

Linux Hardening Checklist: System Installation and Patching

  1. Use the latest version when installing the OS and protect the newly installed system from malicious network traffic until it is hardened
  2. Create a separate volume with the nodev, nosuid, and noexec options set for /tmp
  3. Create separate volumes for /var, /var/log, and /home
  4. Set sticky bit on all writable directories
  5. Configure the system to enable automatic software updates

Discuss Linux OS hardening techniques

Disabling Unnecessary Services

The open ports of services running on the system can be used by the intruders. Hence, to protect the system, disable all unnecessary services.

Disable unnecessary services using the service command or systemctl

Disable services such as FTP, Telnet, Rlogin /Rsh, etc. if not in use

sudo systemctl stop [service]

sudo systemctl disable [service]

sudo kill -9 [process_id]

Remove or Uninstall Unnecessary Software / Packages

Uninstall unnecessary software to protect the system from vulnerabilities in software

To uninstall unnecessary software, review the installed software using the package manager like apt-get, dpkg, or yum and delete all unwanted packages.

Use tools like UnusedPkg diagnostics and Deborphan to list out and remove the unused packages or libraries in a Linux distribution.

dpkg --list displays all installed packages

dpkg --list

apt-get autoremove removes libs and packages that were installed automatically

apt remove [package name] uninstalls the package

Install Antivirus

Install antivirus software to protect the system from infected files uploaded to it

Antivirus example: ClamAV

clamscan --help

clamscan

Linux Hardening Checklist: OS Hardening

  1. Restrict core dump
  2. Remove legacy services
  3. Disable any services and applications started by xinetd or inetd that are not being utilized. Remove xinetd.
  4. Disable or remove server services (FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc) that are not used
  5. Ensure a syslog service (rsyslog, syslog, or syslog-ng) is running
  6. Enable a network time protocol (NTP) service to ensure clock accuracy
  7. Restrict the use of the cron and at services

Discuss Linux user access and password management

Enforce strong password policy using PAM (Pluggable Authentication Module).

Password Policy Settings

Password maximum days

Password minimum days

Password warning days

Minimum uppercase characters

Minimum lowercase characters

Minimum digits characters

Minimum other characters (symbols)

Account lock – retries

Account unlock time

Restrict Users from using previous passwords

For a secure password policy, restrict users from reusing previous passwords

To prevent users from reusing old passwords, use the remember option of the pam_unix (or pam_pwhistory) module in the relevant configuration file under /etc/pam.d

/etc/pam.d

Ensure No Accounts Have Empty Passwords

All accounts should have passwords to prevent misuse of the account by an unauthorized user.

Use the following command to list all accounts with empty passwords:

awk -F: '($2 == "") {print}' /etc/shadow
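As an added example (not from the page), the following Python audits /etc/shadow-style content for the empty-password condition the awk command above detects and, in the same pass, for the password maximum, minimum and warning days from the password policy settings listed earlier; the 90/1/7-day policy values and the sample accounts are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed /etc/shadow-style sample (not from a real host). Fields:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19700:1:90:7:::
alice:$6$abcdef$someotherhash:19750:0:99999:7:::
bob::19750:0:90:7:::
svc-backup:!:19000:0:90:7:::
daemon:*:19000:0:99999:7:::
"""

# Assumed policy values (password maximum / minimum / warning days).
POLICY: Dict[str, int] = {"max_days": 90, "min_days": 1, "warn_days": 7}


@dataclass
class Finding:
    user: str
    issue: str


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def audit_shadow(text: str, policy: Dict[str, int] = POLICY) -> List[Finding]:
    """Report empty password fields and aging values weaker than the policy."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 9:
            findings.append(Finding(fields[0], "malformed shadow entry"))
            continue
        user, pw, min_days, max_days, warn_days = (fields[0], fields[1],
                                                   fields[3], fields[4], fields[5])
        if pw == "":
            # Same condition as: awk -F: '($2 == "") {print}' /etc/shadow
            findings.append(Finding(user, "empty password field: login needs no password"))
            continue
        if pw.startswith(("!", "*")):
            continue  # locked (!) or no-login (*) account: aging does not apply
        mx = _int_or_none(max_days)
        if mx is None or mx > policy["max_days"]:
            findings.append(Finding(user, f"max password age {max_days or 'unset'} "
                                          f"exceeds {policy['max_days']} days"))
        mn = _int_or_none(min_days)
        if mn is None or mn < policy["min_days"]:
            findings.append(Finding(user, f"min password age {min_days or 'unset'} "
                                          f"below {policy['min_days']} days"))
        wn = _int_or_none(warn_days)
        if wn is None or wn < policy["warn_days"]:
            findings.append(Finding(user, f"warning period {warn_days or 'unset'} "
                                          f"below {policy['warn_days']} days"))
    return findings


def users_with_empty_passwords(text: str) -> List[str]:
    """Just the accounts the awk one-liner above would print."""
    return [f.user for f in audit_shadow(text) if f.issue.startswith("empty password")]


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user}: {f.issue}")
```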

Disable Unnecessary Accounts

Disable inactive user accounts that have not been used for a long period of time

Remember to disable the user accounts of employees who have left the organization

Attackers can gain access to a system through compromised unused / inactive user accounts.

Command to view users who have been inactive for the last 90 days

lastlog -b 90 | tail -n+2 | grep -v 'Never logged in'

Command to disable a user account

usermod -L bob

Secure Shared Memory

By default, shared memory is mounted with read/write permissions, which makes the /run/shm space (the shared memory implementation) exploitable

Shared memory can be abused in attacks targeting services such as apache2, httpd, etc.

To make shared memory secure, mount /run/shm in read-only mode without the permission to execute programs

Edit /etc/fstab file and include the following line of code to set /run/shm to read-only:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Delete X Windows Systems (X11)

CentOS / RHEL 5.x and Fedora Linux come with the X Window System

The X Window System is the graphical interface for Linux and is not required on dedicated Linux-based mail and Apache / Nginx web servers. Vulnerabilities in X Windows can help non-root users escalate their privileges

Disable and remove X Windows to prevent exploitation of vulnerabilities in the X11 code.

To disable X Windows at System Boot, edit /etc/inittab and set run level to 3

  1. Open inittab file in editor: vi or nano /etc/inittab
  2. Find line: id:5:initdefault:
  3. Replace with id:3:initdefault:

To remove X Windows, type the following command:

yum groupremove "X Window System"

Create Separate Disk Partitions for Linux Systems

Separate OS files from user files for higher data security

Ensure that the following file systems are mounted on separate partitions:

/usr

/home

/var and /var/tmp

/tmp

Create separate partitions for Apache and FTP server roots

Edit and update the following configuration settings in /etc/fstab file

noexec – Do not allow execution of any binaries on this partition (prevents execution of binaries but still allows scripts to be run through an interpreter)

nodev – Do not allow character or block special devices on this partition (prevents use of device files such as zero, sda, etc.)

nosuid – Do not honour SUID/SGID access on this partition (prevents the setuid bit from taking effect)
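The partition and mount-option recommendations in this section and in the installation checklist (separate volumes for /tmp, /var, /var/log, /var/tmp, /home and /usr; nodev, nosuid and noexec on /tmp; noexec and nosuid on /run/shm) can be checked against /etc/fstab. The Python below is an added example, not from the page; the sample fstab is constructed and deliberately contains a spaced-option mistake (defaults, nodev) that splits the options column, which is exactly the kind of line a hand-edited fstab ends up with.

```python
from typing import Dict, List, Set, Tuple

# What the page asks for: a separate mount for each path, carrying these options.
REQUIRED: Dict[str, Set[str]] = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/var/tmp": set(),
    "/var": set(),
    "/var/log": set(),
    "/home": set(),
    "/usr": set(),
    "/run/shm": {"noexec", "nosuid"},
}

# Constructed sample fstab (not from a real host); the /var line carries a
# space after the comma, which splits the options column into two fields.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-aaaa  /         ext4   errors=remount-ro        0 1
UUID=2222-bbbb  /home     ext4   defaults,nodev,nosuid    0 2
UUID=3333-cccc  /tmp      ext4   defaults,nodev,nosuid    0 2
UUID=4444-dddd  /var      ext4   defaults, nodev          0 2
tmpfs           /run/shm  tmpfs  defaults,noexec,nosuid   0 0
"""


def parse_fstab(text: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Map mount point -> option set; also return malformed-entry errors."""
    mounts: Dict[str, Set[str]] = {}
    errors: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            errors.append(f"unparseable line: {line!r}")
            continue
        if len(parts) != 6:
            errors.append(f"{parts[1]}: malformed entry ({len(parts)} fields, "
                          "expected 6; check for spaces in the options column)")
        mounts[parts[1]] = set(parts[3].split(","))
    return mounts, errors


def check_fstab(text: str, required: Dict[str, Set[str]] = REQUIRED) -> List[str]:
    """List every way the fstab falls short of the required layout."""
    mounts, findings = parse_fstab(text)
    for mount_point, needed in required.items():
        if mount_point not in mounts:
            findings.append(f"{mount_point}: not a separate mount (no fstab entry)")
            continue
        missing = sorted(needed - mounts[mount_point])
        if missing:
            findings.append(f"{mount_point}: missing options {','.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in check_fstab(SAMPLE_FSTAB):
        print(finding)
```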

Enable disk quota for all users

Implement disk quotas for users to limit the number of files a user can create on the system

sudo edquota Bob

sudo quota -vs Bob

Understanding and checking Linux file permissions

Type ls -l command to display the list of files and their permissions under home directory

Types of Permissions:

r – denotes read permissions

w – denotes write permissions

x – denotes execute permissions

- – denotes no permissions

Permissions Details:

The first character in the directory listing denotes the file type: d for a directory, - for a regular file

The next three characters denote user permissions

The next three denote group permissions

The final three characters denote other permissions

Permission Groups: Owner and Group

The first name after the link count is the owner name

The second name after the link count is the group name

Changing File Permissions

Check for permissions on sensitive files

Use chmod command to change the permissions of a file or directory

chmod [permission value] [file name]

Common directory permissions settings

Value – Meaning

777 – (rwxrwxrwx) no restrictions on permissions. Anybody can list files, create new files in the directory, and delete files in the directory

755 – (rwxr-xr-x) the directory owner has full access. All others can list the directory but cannot read or delete it. This setting is useful for directories that you wish to share with other users

700 – (rwx------) the directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the user can use and that must be kept private from others.

Common file permissions

777 – (rwxrwxrwx) no restrictions on anything; anybody can do anything. Generally not a desirable setting.

755 – (rwxr-xr-x) the file owner may read, write and execute the file. Others can read and execute the file. This setting is useful for all programs that are used by all users

700 – (rwx------) the file owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the user may use and that are kept private from others

666 – (rw-rw-rw-) all users can read and write the file

644 – (rw-r--r--) the owner can read and write the file. Everybody else may only read the file. A very common setting where everybody may read but only the owner can make changes

600 – (rw-------) the owner can read and write the file. Others have no rights. A common setting for files that the owner wants to keep private

Check and verify permissions for sensitive files and directories

Permissions – File Pathname – Description

  1. 600 – /boot/grub/menu.lst – GRUB boot loader menu file
  2. 400 – /etc/cron.allow – List of users permitted to use cron
  3. 400 – /etc/cron.deny – List of users who cannot use cron
  4. 644 – /etc/crontab – System-wide periodic jobs
  5. 644 – /etc/hosts.allow – List of hosts allowed to use Internet services that are started using TCP wrappers
  6. 644 – /etc/hosts.deny – List of hosts denied access to Internet services that are started using TCP wrappers
  7. 644 – /etc/logrotate.conf – File that controls how log files rotate
  8. 644 – /etc/xinetd.conf – Configuration file for the xinetd server
  9. 755 – /etc/xinetd.d – Directory containing configuration files for xinetd
  10. 755 – /var/log – Directory with all log files
  11. 644 – /var/log/lastlog – Information about all previous logins
  12. 644 – /var/log/messages – Main system message log file
  13. 664 – /var/log/wtmp – Information about current logins
  14. 755 – /etc/pam.d – Directory with configuration files for pluggable authentication modules (PAMs)
  15. 644 – /etc/passwd – Old-style password file with user account information but not the passwords
  16. 755 – /etc/rc.d – Directory with system-startup scripts
  17. 600 – /etc/securetty – TTY interfaces (terminals) from which root can log in
  18. 755 – /etc/security – Policy files that control system access
  19. 400 – /etc/shadow – Files with encrypted passwords and password expiration information
  20. 400 – /etc/shutdown.allow – Users who can shut down or reboot by pressing Ctrl+Alt+Delete
  21. 755 – /etc/ssh – Directory with configuration files for the Secure Shell (SSH)
  22. 755 – /etc/sysconfig – System configuration files
  23. 644 – /etc/sysctl.conf – Kernel configuration parameters
  24. 644 – /etc/syslog.conf – Configuration file for the syslogd server that logs messages
  25. 644 – /etc/udev/udev.conf – Configuration file for udev – the program that provides the capability to dynamically name hot-pluggable devices and create the devices files in the /dev directory
  26. 600 – /etc/vsftpd – Configuration file for the very secure FTP server
  27. 600 – /etc/vsftpd.ftpusers – List of users who are not allowed to use FTP to transfer files

Disable Unwanted SUID and SGID Binaries

SUID/SGID bits, if enabled, can help local or remote users gain root privileges by exploiting existing vulnerabilities in the file

Find and remove “s” bits from the files to disable SUID/SGID bits

View all files with SUID set

find / -perm /4000

View all files with SGID set

find / -perm /2000

Remove the setuid bit from a file

chmod a-s /usr/bin/chfn

Remove or Rectify Permissions for World-Writeable Files

Any user can edit world-writable files, which poses a security risk to the system

View all world-writable files and directories, set the correct user and group permissions on the ones that are required, and delete the unnecessary ones

View world-writable directories without the sticky bit

find /home/alice -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

View files with no owner or group

find /home/alice -xdev \( -nouser -o -nogroup \) -print
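An added example (not from the page) that automates the checks in the last three sections: comparing sensitive files against the expected-permission table, and walking a filesystem for SUID/SGID binaries, world-writable directories without the sticky bit, and unowned files, as the find commands above do. The expected-mode table is a subset of the page's list; run it as root to cover paths an unprivileged user cannot stat.

```python
import grp
import os
import pwd
import stat
from typing import Dict, List

# Expected modes for sensitive paths (a subset of the table above; extend as needed).
EXPECTED_MODES: Dict[str, int] = {
    "/etc/shadow": 0o400,
    "/etc/passwd": 0o644,
    "/etc/crontab": 0o644,
    "/etc/securetty": 0o600,
    "/etc/ssh": 0o755,
    "/etc/pam.d": 0o755,
}


def mode_string(mode: int) -> str:
    """Permission bits as ls -l shows them, e.g. 0o4755 -> 'rwsr-xr-x'."""
    return stat.filemode(mode)[1:]


def check_expected(expected: Dict[str, int] = EXPECTED_MODES) -> List[str]:
    """Flag paths granting any bit the expected mode does not (stricter is fine)."""
    findings: List[str] = []
    for path, want in expected.items():
        try:
            have = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            continue  # not every distribution ships every file in the table
        if have & ~want:
            findings.append(f"{path}: {mode_string(have)} (expected {mode_string(want)})")
    return findings


def _has_owner(uid: int, gid: int) -> bool:
    try:
        pwd.getpwuid(uid)
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False  # uid/gid no longer maps to an account (find -nouser/-nogroup)


def scan_tree(root: str) -> List[str]:
    """Walk root without crossing filesystems (like find -xdev) and report
    SUID/SGID regular files, world-writable directories lacking the sticky
    bit, and files whose owner or group does not exist."""
    findings: List[str] = []
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # prune directories that live on another filesystem
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"setuid/setgid file: {path} ({mode_string(mode)})")
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(f"world-writable dir without sticky bit: {path}")
            if not _has_owner(st.st_uid, st.st_gid):
                findings.append(f"no owner or group: {path}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_expected() + scan_tree("/home")))
```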

Disable USB Storage

By default, Linux allows mounting of removable devices to the system

Disable USB storage in Linux to prevent data theft using a removable media

  1. Disable USB storage using the system BIOS configuration option
  2. Disable kernel support for USB via GRUB
  3. In Debian distributions – Block the USB storage module from loading into the Linux kernel
  4. In Red Hat distribution – Block USB storage using fake install or blacklist usb-storage

Linux Hardening Checklist: User access and passwords

  1. Create an account for each user who should access the system
  2. Enforce the use of strong passwords
  3. Use sudo to delegate admin access

Application Sandboxing in Linux: Firejail

Firejail is a Set owner User ID up on execution (SUID) program that restricts the running environment of untrusted applications using Linux namespaces and seccomp-bpf

It makes a process and all its descendants have their own private view of globally shared kernel resources such as the network stack, process table, and mount table

It sandboxes various processes such as servers, graphical applications, and user login sessions

Firejail includes security profiles for a large number of Linux programs such as Mozilla Firefox, Chromium, VLC, and Transmission.

Prefix a launch command with firejail to start the app in a sandbox

firejail firefox

firejail transmission-gtk

firejail vlc

sudo firejail /etc/init.d/nginx start

Discuss Linux network and remote access security

The system control interface (sysctl) lets you change the parameters of a running Linux kernel. Configure the kernel's security-related settings to harden it.

/etc/sysctl.conf is a file that contains sysctl values that are set and read during booting

Edit /etc/sysctl.conf to:

  1. Restrict network-transmitted configuration for IPv4
  2. Restrict network-transmitted configuration for IPv6
  3. Turn on ExecShield protection
  4. Prevent syn flood attack
  5. Turn on source IP address verification
  6. Prevent spoofing attack against the IP address of the server
  7. Log various suspicious packets (spoofed packets, source-routed packets, and redirects)
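The list above maps to specific keys in /etc/sysctl.conf. As an added example (not from the page), this Python compares a sysctl.conf against the hardened values and can read the live value from /proc/sys for comparison. The keys are the standard ones for those items (IP forwarding, redirects, source routing, broadcast ICMP, bogus error responses, SYN cookies, reverse-path filtering, martian logging); kernel.randomize_va_space is assumed here as the current ASLR equivalent of the older exec-shield setting, and the sample file is constructed.

```python
from typing import Dict, List, Optional

# Hardened values for the checklist items above (standard sysctl key names).
# kernel.randomize_va_space is an assumption: the ASLR knob on current kernels,
# standing in for the older Red Hat exec-shield setting.
HARDENED_SYSCTL: Dict[str, str] = {
    "net.ipv4.ip_forward": "0",                         # no IP forwarding
    "net.ipv4.conf.all.send_redirects": "0",            # do not send redirects
    "net.ipv4.conf.all.accept_source_route": "0",       # no source-routed packets
    "net.ipv4.conf.all.accept_redirects": "0",          # ignore ICMP redirects
    "net.ipv6.conf.all.accept_source_route": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",        # ignore broadcast pings
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",  # bad error message protection
    "net.ipv4.tcp_syncookies": "1",                     # SYN flood protection
    "net.ipv4.conf.all.rp_filter": "1",                 # source address verification
    "net.ipv4.conf.all.log_martians": "1",              # log spoofed/source-routed
    "kernel.randomize_va_space": "2",                   # full ASLR
}

# Constructed sample /etc/sysctl.conf (not from a real host).
SAMPLE_SYSCTL_CONF = """\
# forwarding left on by someone testing a container network
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2
"""


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; lines starting with # or ; are comments,
    and a later assignment to the same key overrides an earlier one."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def check_sysctl_conf(text: str, required: Dict[str, str] = HARDENED_SYSCTL) -> List[str]:
    """Report keys that are missing from the file or set to a weaker value."""
    values = parse_sysctl_conf(text)
    findings: List[str] = []
    for key, want in required.items():
        have = values.get(key)
        if have is None:
            findings.append(f"{key}: not set (want {want})")
        elif have != want:
            findings.append(f"{key}: {have} (want {want})")
    return findings


def live_value(key: str) -> Optional[str]:
    """Current value from the running kernel via /proc/sys (None if absent)."""
    path = "/proc/sys/" + key.replace(".", "/")
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    for finding in check_sysctl_conf(SAMPLE_SYSCTL_CONF):
        print(finding)
```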

Host-based Firewall Protection with Iptables

Iptables is a built-in firewall utility for Linux

Iptables comes preinstalled on most Linux distributions; if it is missing, install it with sudo apt-get install iptables

To list out all the possible commands associated with iptables, use the following command:

iptables -h

Task – Iptables Commands

Drop new TCP connections that do not begin with SYN – iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Block XMAS scan packets (all TCP flags set) – iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop NULL packets (no TCP flags set) – iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Drop any fragmented packets – iptables -A INPUT -f -j DROP

Existing rules can be checked using the following command:

sudo iptables -L -n -v

Specific IP address can be blocked using Iptables Firewall:

iptables -A INPUT -s 10.0.0.1 -j DROP

TCP Wrappers

TCP Wrappers (tcpd) is a host-based network access control list (ACL) system that provides firewall-like services by monitoring network traffic.

TCP Wrappers decides which remote hosts are authorized to connect to a wrapped service over the network

It allows connections according to the rules in /etc/hosts.allow and denies connection requests based on the rules in /etc/hosts.deny

A given service is TCP wrapped only if the command ldd [/path/to/binary] | grep libwrap produces output (the binary links against libwrap)

ldd $(which sshd) | grep libwrap

ldd $(which ufw) | grep libwrap

Monitor Open Ports and Services

Monitoring open ports and the associated services running on each port helps understand the associated vulnerabilities and hidden security risks

The netstat -tulpn or ss -tulpn command displays all open ports and the services associated with them

To list active sockets (servers and established)

netstat -anop

To list active Internet connections

netstat -tulpn

For greater details use the ss command instead of netstat

ss -anop

ss -tulpn

Turn off IPv6 if not in use

Running misconfigured IPv6 leaves the system exposed to various attacks.

It is recommended to switch off IPv6 if not in use

Secure SSH root login

SSH enables secure data transfer communication between client and server.

Attackers can use SSH to attack the operating system.

Disable SSH root login

To prevent users from logging in directly as root:

Disable SSH root login using any of the following methods

Set PermitRootLogin to no in the /etc/ssh/sshd_config file

Add the root user to the DenyUsers list in the /etc/ssh/sshd_config file

Deny the root user via /etc/ssh/sshd.deny file

Enable detailed logging for SSH

To enable detailed logging for SSH:

Edit the /etc/ssh/sshd_config file

Change the LogLevel parameter value to VERBOSE

Setup Chroot SFTP

By default, users who log in via SFTP can browse other users' directories, just as with SCP or SSH.

Create a chroot directory so that SFTP users are confined to their own directory:

To create the chroot directory, execute sudo mkdir /sftp/(name) and give root ownership of it with: sudo chown root:root /sftp/

Create the sftponly group by executing sudo groupadd sftponly and add users with: sudo useradd -g sftponly -d /(name) -s /sbin/nologin (new user)

Create a password for that account: sudo passwd (user)

Execute the following commands to restrict the rights to access the home directory

sudo chown senthil:sftponly /sftp/bob

sudo chmod 700 /sftp/bob

Edit the /etc/ssh/sshd_config file and comment out the following line by adding a hash (#) in front of it:

#Subsystem sftp /usr/lib/openssh/sftp-server

Add the following at the end of the file:

Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /sftp/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
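Putting the SSH settings from this section together (PermitRootLogin, LogLevel, PermitEmptyPasswords, the internal-sftp subsystem and the sftponly Match block), the following Python is an added example, not from the page: it parses sshd_config, including Match blocks, and reports deviations from the recommended values. It applies sshd's first-value-wins rule for repeated keywords, which is why the constructed sample's late PermitRootLogin no does not take effect.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample sshd_config (not from a real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
LogLevel VERBOSE
PermitEmptyPasswords no
PermitRootLogin no
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /sftp/
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
"""

Section = Dict[str, str]


def parse_sshd_config(text: str) -> Tuple[Section, List[Tuple[str, Section]]]:
    """Return (global settings, [(match criteria, settings), ...]).
    Keywords are case-insensitive and, as in sshd, the first value wins: a
    'PermitRootLogin no' appended after an earlier 'yes' changes nothing."""
    global_cfg: Section = {}
    matches: List[Tuple[str, Section]] = []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value.lower(), current))
            continue
        current.setdefault(key, value)
    return global_cfg, matches


def check_sshd_config(text: str) -> List[str]:
    """Compare a config against the recommendations of this section."""
    g, matches = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in (("permitrootlogin", "no"), ("permitemptypasswords", "no")):
        have: Optional[str] = g.get(key)
        if have is None or have.lower() != want:
            findings.append(f"{key}: {have or 'not set'} (want {want})")
    if g.get("loglevel", "").upper() not in ("INFO", "VERBOSE"):
        findings.append(f"loglevel: {g.get('loglevel') or 'not set'} (want INFO or VERBOSE)")
    if "protocol" in g and g["protocol"] != "2":
        findings.append(f"protocol: {g['protocol']} (want 2)")
    if g.get("subsystem", "").split() != ["sftp", "internal-sftp"]:
        findings.append("subsystem sftp: not internal-sftp")
    sftp = next((cfg for crit, cfg in matches if crit == "group sftponly"), None)
    if sftp is None:
        findings.append("no 'Match Group sftponly' block")
        return findings
    for key, want in (("chrootdirectory", None), ("forcecommand", "internal-sftp"),
                      ("x11forwarding", "no"), ("allowtcpforwarding", "no")):
        have = sftp.get(key)
        if have is None or (want is not None and have.lower() != want):
            findings.append(f"match group sftponly: {key} is {have or 'not set'} "
                            f"(want {want or 'a directory'})")
    return findings


if __name__ == "__main__":
    print("\n".join(check_sshd_config(SAMPLE_SSHD_CONFIG)) or "no findings")
```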

Linux Hardening Checklist: Network Security and Remote Access:

  1. Implement firewall and other access controls to restrict connections to services running on the host to authorized users of the service
  2. Disable IP forwarding, send packet redirects, source routed packet acceptance, and ICMP redirect acceptance
  3. Enable IP ignore broadcast requests, bad error message protection, TCP/SYN cookies
  4. Ensure that SSH server configuration Protocol version is set to 2, LogLevel is set to INFO, and PermitEmptyPasswords is set to No.
  5. Disable root login over SSH

Discuss various Linux security tools and frameworks

Security Auditing and System Hardening using Lynis

Lynis performs an extensive health scan of the systems to support system hardening and compliance testing

Lynis is used for:

  1. Security Auditing
  2. Compliance Testing (e.g. PCI, HIPAA, SOX, etc.)
  3. Penetration Testing
  4. Vulnerability detection
  5. System Hardening

Turn on AppArmor

AppArmor is a Linux kernel security module that restricts a program's capabilities through per-program profiles.

It is a Mandatory Access Control (MAC) system implemented on top of the Linux Security Modules (LSM) framework.

It lets administrators apply MAC to limit a program's access to a defined set of resources.

apparmor_status

Turn on Security-Enhanced Linux (SELinux)

SELinux (security-enhanced Linux) is a kernel level MAC (Mandatory Access Control) implementation for Linux

It uses the LSM framework to implement MAC

Protects against damages caused by unknown or unpatched exploits

Enables fine-grained control in the system

Allows implementation of a customized level of security

sestatus

Audit Linux System for Security Compliance using OpenSCAP

SCAP (security content automation protocol) is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

To install OpenSCAP use the following command:

On Fedora:

dnf install openscap-scanner

On RHEL 6, 7 & CentOS 6, 7:

yum install openscap-scanner

On Debian and Ubuntu:

apt-get install libopenscap8

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml

Additional Linux Hardening Tools

Bastille Linux – sourceforge.net

JShielder – github.com

Comodo Antivirus – comodo.com

nixarmor – github.com

bane – github.com

Grsecurity – grsecurity.net

Summary

Linux is an open source OS widely used across enterprises and government bodies

Linux security is becoming a concern as hackers have exploited many of Linux’s vulnerabilities in the recent past.

Using the latest version when installing the OS helps you prevent many attacks.

Removing or disabling unnecessary services and software packages helps you reduce the attack surface.

Appropriate user access permissions and strong password management policies discourage unauthorized access.