April Release Confetti
70+ Courses, Challenges, and Learning Activities
Coming Out This Month!
Learn More

Linux Security And Server Hardening Part-1

Introduction

This guide aims to help all administrators with security concerns. While we are not going to discuss any security "rocket science," but we will go through the basic aspects of securing your Linux server from intruders and outside attack. In this first section, we will see the best practices for improved security, and in next part we will discuss some of tools that will help us to secure our server.

Why is security important for linux?

We know Linux is more secure and less prone to the virus than other popular operating systems, but there are still many issues out there that need to be fixed by the administrator. You must identify the needs of the server and what kind of application workload you are going to run on it. For example, if your server functionality is that of a web server, then it is also necessary to secure your web server services. Remember that Linux is open source, and thus it is open for anyone to identify the loopholes inside the operating system.

Securing SSH

Unlike the older Unix operating systems, nowadays nobody prefers to use telnet. SSH creates a secure data transfer between server and client, whereas telnet transfers the data in plain text. So SSH is the entry point for entering your operating system. You can improve the security of SSH sessions by doing below steps:

Disable root Login

The root user has superior power and can execute any command in the operating system. If your server is accessible by anyone on the internet, then it is better to disable root login directly from the SSH. Generally, intruders will try to crack or guess root user password first to penetrate your system.

Disable root login in the system by changing “PermitRootLogin” parameter in sshd_config file.

[root@ip-10-0-0-76 ~]# vi /etc/ssh/sshd_config

Find and uncomment the PermitRootLogin, and change the value to “no”.

PermitRootLogin no

Save the file and restart sshd service for Red Hat and CentOS. If you are running Ubuntu or Debian system, then restart the ssh service to reflect the changes.

Enable Detailed Logging for SSH

You can enable detailed logging for SSH through sshd_config file:


[root@ip-10-0-0-76 ~]# vi /etc/ssh/sshd_config

Find the “LogLevel” parameter and change the value to verbose:

LogLevel VERBOSE

If you want more detailed logging, then you can use the value DEBUG, DEBUG1, DEBUG2, and DEBUG3 instead of VERBOSE. Logging with a DEBUG level violates the privacy of users and is not recommended.


Linux Kernel Security Hardening

These are some more advanced security options. The kernel is complicated and performs micro-level operations. If you have to divide it down from security perspective, then it can include file systems, networking, processes, debugging, and more. Hardening the system in these areas are dependent upon the kernel you are using. By using system control interface, we can change the settings of the kernel. You can use sysctl command or edit the “/etc/sysctl.conf” file.

Open the “/etc/sysctl.conf” file:

root@ip-10-0-0-150:~# vi /etc/sysctl.conf

Add lines below at the end of file:

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Turn on execshield for reducing worm or other automated remote attacks
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

# Increase system file descriptor limit
fs.file-max = 65535

# Allow for more PIDs (Prevention of fork() failure error message)
kernel.pid_max = 65536

# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

# Tuning Linux network stack to increase TCP buffer size. Set the max OS send buffer size (wmem) and receive buffer size (rmem) to 12 MB for queues on all protocols.
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608

# set minimum size, initial size and max size
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912

# Value to set for queue on the INPUT side when incoming packets are faster then the kernel process on them.
net.core.netdev_max_backlog = 5000

# For increasing transfer window, enable window scaling
net.ipv4.tcp_window_scaling = 1

Save and exit from file and reboot your machine.

The purpose of each parameter has been explained with comments in the text. Remember, you need to identify whether these parameters are required for tuning your OS or not. For example, if you are increasing your buffer size, then it is going to cost you more memory usage on the server.


File and Directory Permissions

The major benefit of Linux is it can have more than one user. If your Linux server is multipurpose and many users are accessing the server then it is very important to restrict files and directory permissions. These permissions define who can read, write, and execute your files and directories. You can view directory permissions by “ls -l” command.

root@ip-10-0-1-128:~# ls -l /etc/passwd
-rw-r--r-- 1 root root 2378 Jul 12 12:08 /etc/passwd

In the above output, the first ten characters show the permissions of the file. The dash (-) character at first indicates whether it is file or directory. If the first character is a dash (-) then it is a file; d is for directory and s for special file. The next three characters define the file owner’s permissions. The above file has read and write permissions for the owner. Next three characters indicate the permissions for the group which file belongs. Here the group root has only read permission on the file. Last three characters indicate permissions for all other users, which are not the owner or part of the group.

You can change the permission of file or directory with chmod command:

[root@ip-10-0-0-222 ~]# chmod 644 document
[root@ip-10-0-0-222 ~]# ls -l document
-rw-r--r--. 1 root root 16 Jul 2 04:03 document

Above command provides read and write permissions to the file owner and read permissions to the group and others.

If you want to change ownership and group of file, you can use chown command:

[root@ip-10-0-0-222 ~]# chown linuxacademy:linuxacademy document
[root@ip-10-0-0-222 ~]# ls -l document
-rw-r--r--. 1 linuxacademy linuxacademy 16 Jul 2 04:03 document

We have changed the ownership of document file from root to linuxacademy.

Sticky Bit Permissions

A sticky bit permission is special permission which is useful when a directory has full permissions for everyone, but you don’t want anyone to delete a file or directory except the owner or group owner. You can assign sticky bit permissions in two ways:

[root@ip-10-0-0-222 ~]# chmod 1777 document
[root@ip-10-0-0-222 ~]# chmod +t document1

If you want to remove a sticky bit permission, then you can use one of the commands below:

[root@ip-10-0-0-222 ~]# chmod 0777 document
[root@ip-10-0-0-222 ~]# chmod -t document1


Firewall and Open Ports

Configuring firewalls are very important, as intruders can scan your open ports and might try to get into your system through those ports. Detect the listening ports, and close the ports which aren’t required. You can check listening ports by using the netstat command:

root@ip-10-0-0-58:~# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 1298/sshd
tcp6 0 0 [::]:ssh [::]:* LISTEN 1298/sshd
udp 0 0 *:bootpc *:* 926/dhclient

Attribute (t=TCP, u=UDP, p=Port, l=Listening)

You can use a firewall to block all the open ports. iptables is one option for advanced administrators. However, if you are using Red Hat 7 or CentOS 7 then firewalld is good alternative option, depending on what the administrator more comfortable using. Ubuntu also offers a default, less complicated firewall, "ufw" (uncomplicated firewall).

iptables

iptables allows the user to create security rules to meet the security requirements of Linux. You can configure rules for different protocols. You can configure rules for IPv4/IPv6, as well as UDP/TCP protocols. iptables requires superuser privileges to configure rules.

If you don’t have iptables installed by default on your machine, then you can install it by using the following commands:

For Ubuntu or Debian:

root@ip-10-0-0-159:~# apt-get install iptables

For CentOS:

[root@ip-10-0-0-222 ~]# yum install iptables-services

For RHEL:

[root@ip-10-0-0-222 ~]# yum install iptables

Display the status of iptables:

root@ip-10-0-0-159:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

If you want flush all the iptables rules, then use command below. Be careful, it will delete all your iptables rules:

root@ip-10-0-0-159:~# iptables -F

Below command will block all the input traffic in your server.  By default this will not allow any traffic to pass through in server. You need to open required ports for running services individully. 

root@ip-10-0-0-159:~# iptables -P INPUT DROP

The below rules will allow only SSH and HTTP traffic on your host:

root@ip-10-0-0-159:~# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
root@ip-10-0-0-159:~# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
root@ip-10-0-0-159:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The below rule will block specific TCP traffic for port 3306 and 25:

root@ip-10-0-0-159:~# iptables -A INPUT -p tcp --dport 25 -j DROP
root@ip-10-0-0-159:~# iptables -A INPUT -p tcp --dport 3306 -j DROP
root@ip-10-0-0-159:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:smtp
DROP tcp -- anywhere anywhere tcp dpt:mysql

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

There are also more configurations, such as blocking IP addresses with specific ports, forwarding default ports to another port, and more. You can view the iptables man page to explore other options.

firewalld

firewalld works as frontend controller for iptables to configure firewall rules. Unlike iptables, firewalld uses services and zones instead of chain and rules. All the configuration changes will be applied without restarting firewall daemon.

Install and start the firewalld service on Red Hat or CentOS with the commands below:

[root@ip-10-0-0-202 ~]# yum install firewalld
[root@ip-10-0-0-202 ~]# systemctl start firewalld.service
[root@ip-10-0-0-202 ~]# systemctl enable firewalld.service

Add rule to allow HTTP traffic. "--permanent" will make this rule persistent. "--zone" will add this rule in public zone: 

[root@ip-10-0-0-202 ~]# firewall-cmd --zone=public --add-service=http --permanent
success

Reload the firewall so changes reflect immediately:

[root@ip-10-0-0-202 ~]# firewall-cmd --reload
Success

The below rules will allow or deny tcp traffic:

[root@ip-10-0-0-202 ~]# firewall-cmd --zone=public --add-port=10050/tcp --permanent
Success
[root@ip-10-0-0-202 ~]# firewall-cmd --zone=public --remove-port=10050/tcp --permanent
Success

Again, you can configure many things using firewalld; these are only some basic examples for firewall configuration.

ufw

ufw is an easy-to-use firewall frontend. iptables and firewalld can be difficult for the beginner or a non-administrator to understand, but ufw allows you to enhance your security with less difficulties. ufw is typically installed in Ubuntu, by default, but if it is not then install it by using:

root@ip-10-0-1-128:~# apt-get install ufw

You can define the default policies in ufw. You should allow only the specific ports which need to be listened for by server and rest of the ports should be closed.

root@ip-10-0-1-128:~# ufw default deny incoming

Above command will deny any incoming traffic from the outside by default. Now you need to allow the ports that are necessary for the server:

root@ip-10-0-1-128:~# ufw allow ssh
Rules updated
Rules updated (v6)
root@ip-10-0-1-128:~# ufw allow 8080
Rules updated
Rules updated (v6)

To enable ufw, use the command below:

root@ip-10-0-1-128:~# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

As with iptables and firewalld, you can also do many more things with ufw, like allowing source IP to specific ports, etc.


SuMmary

Hopefully you now have some insight into basic Linux server security and hardening.In the next guide, we will discuss some useful tools for server hardening. Stay tuned!

  • post-author-pic
    Terrence C
    08-06-2017

    Great guide!

  • post-author-pic
    Murtuza K
    08-07-2017

     @tcox  Thank you very much  

  • post-author-pic
    Andy W
    08-09-2017

    Awesome guide. Thanks!

  • post-author-pic
    Alexis E
    08-09-2017

    Excellent 

  • post-author-pic
    Murtuza K
    08-10-2017

    Thank you Andy and Alexis :)

  • post-author-pic
    Jason M
    09-14-2017

    Hi Murtuza, 

     just taken a quick look at this I was interested in the iptables bit. 

    I think the absoult first rule you should put into iptables is

    #iptables -P INPUT DROP

    to stop all inbound traffic on the input chain. Then build your firewall by punching holes in it for each service.
    If this was a basic firewall tutorial, simple rules are ok. But this is a server hardening tutorial.
    Just an idea, nicely written tutorials.

  • post-author-pic
    Anil L
    09-15-2017

    Excellent , Simple, Concise presentation.. Wonderfully written.. Thank you

  • post-author-pic
    Murtuza K
    09-15-2017

    Hi Jason, thanks for the suggestion. I have updated it in the guide above. Though, the purpose of this guide was not to deep dive into firewall basics but as you suggested, I made the changes. 

  • post-author-pic
    Murtuza K
    09-15-2017

    Thanks Anil!

  • post-author-pic
    Floyd Tebogo M
    10-04-2017

    Thanks... Now I have a good basic understanding of ufw, firewalld and iptables....

  • post-author-pic
    Murtuza K
    10-04-2017

    @floyd My Pleasure. Glad I could help

  • post-author-pic
    Juan M
    10-24-2017

    Hi guys. At "sticky bit" explanation there is an error because at explanation it says: chmod 1777(or chmod +t)  to document, but the special permission should be assigned to the directory instead of files inside of directory. e.g. chmod +t dirtest/ 


  • post-author-pic
    Chris M
    10-25-2017

    Something that might be helpful for others to learn more about the hardening process for Linux, especially RHEL.  


    Department of Defense (DoD) /DISA publish Secure Technical Implementation Guides (STIGS) that can be use to harden RHEL servers.  More information can be found here and can download the files that can guide in the stigging process: 

    https://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx


    STIG Viewer can be found here: 


    https://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx


  • post-author-pic
    Murtuza K
    10-25-2017

     @juanmoli  Hi Juan, If you read the explaination carefully, I have explained the same. It just directory name is document so it might be confusing for you. 

  • post-author-pic
    Murtuza K
    10-25-2017

     @37rellimcm91  Thank you for contribution !!

  • post-author-pic
    Robert N
    11-23-2017

    This a great write-up, thanks for sharing.

  • post-author-pic
    Adewale A
    12-12-2017

    This is really cool, thanks.

  • post-author-pic
    Charles C
    12-23-2017

    Very useful; put into action right away on my RPi! Thank for the write-up! :-)


  • post-author-pic
    Murtuza K
    01-04-2018

     @waleadedeji  Thank you 

  • post-author-pic
    Murtuza K
    01-04-2018

     @dunestalker  Glad I could help :)

  • post-author-pic
    Prakyath R
    01-04-2018

    Great guide!! Is there any similar guides for EC2 instances? also can I use kernel hardening steps provided above for EC2 instances?

  • post-author-pic
    Thomas F
    01-23-2018

    A Vera good Tool in Thüringen Contest are fail2ban.

  • post-author-pic
    Jeffery H
    01-25-2018

    I wanted to try and update this section within the text

    For RHEL:

    [root@ip-10-0-0-222 ~]# yum install iptables

    changed to

    [root@ip-10-0-0-222 ~]# dnf install iptables


  • post-author-pic
    Ben C
    01-25-2018

    Thanks for the info!  I will look at implementing some of these recommendations at work.

  • post-author-pic
    Murtuza K
    02-12-2018

     @prakxrj  Thank you.  EC2 instance mostly used amazon linux and other operating systems like redhat and ubuntu. You can use same thing. Amazon linux-1 is fork of redhat/centos 6 and amazon linux-2 is fork of centos/redhat 7.


  • post-author-pic
    Murtuza K
    02-12-2018

     @jeff1  Doesn't matter whatever package manager you use. Purpose here to show the usage of iptables. 

  • post-author-pic
    Murtuza K
    02-12-2018

     @linuxg33k  Thank you ben. 

  • post-author-pic
    Feng C
    03-30-2018

    Good Work!

  • post-author-pic
    Emanuel M
    04-09-2018

    thnks


Looking For Team Training?

Learn More