
Introduction
———–
Linux is not secure in its default configuration.

Security can be raised to a very high level, but it must be balanced against functionality.
The correct Linux distribution must be chosen, and a minimal installation performed.
Patches must be applied diligently.
Syslog logs must be exported and analyzed periodically.
Network services must be kept to a minimum.
Users and groups must be audited periodically.
File/folder access control lists must be set.
File integrity software may be used in high-security installations.
Application-specific security measures are also a must.

Where to Start
————–
Physical system security.
Identify open ports & running services.
Check installed software.
Remote login security.
User security.
Linux auditing using syslogd.
File system security.
OS security.

Physical System Security
————————
1) Disable booting from CDs/DVDs, floppies and external devices, and set a BIOS password.

2) Set a password for the GRUB bootloader.
Generate a password hash with the command "grub-md5-crypt".
Add the hash to the first line of /etc/grub.conf as follows:
password --md5 passwordhash

Identify Open Ports & Running Services
—————————————-
# netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443     0.0.0.0:*  LISTEN 783814/httpd
tcp 0 0 0.0.0.0:25      0.0.0.0:*  LISTEN 325048/master
tcp 0 0 0.0.0.0:22      0.0.0.0:*  LISTEN 4550/sshd
tcp 0 0 127.0.0.1:25    0.0.0.0:*  LISTEN 645920/sendmail
tcp 0 0 0.0.0.0:48000   0.0.0.0:*  LISTEN 17535/nimbus(contro
tcp 0 0 0.0.0.0:48001   0.0.0.0:*  LISTEN 17574/nimbus(spoole
tcp 0 0 0.0.0.0:5666    0.0.0.0:*  LISTEN 7959/nrpe
tcp 0 0 0.0.0.0:48006   0.0.0.0:*  LISTEN 17588/nimbus(hdb)
tcp 0 0 0.0.0.0:587     0.0.0.0:*  LISTEN 312402/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:*  LISTEN 135878/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:*  LISTEN 312402/master
tcp 0 0 0.0.0.0:3306    0.0.0.0:*  LISTEN 17020/mysqld
tcp 0 0 127.0.0.1:11211 0.0.0.0:*  LISTEN 1009332/memcached
tcp 0 0 0.0.0.0:15243   0.0.0.0:*  LISTEN 16806/vsftpd
tcp 0 0 0.0.0.0:80      0.0.0.0:*  LISTEN 15386/httpd
tcp 0 0 :::22           :::*       LISTEN 4550/sshd
tcp 0 0 :::80           :::*       LISTEN 2180/httpd
udp 0 0 0.0.0.0:48000   0.0.0.0:* 17535/nimbus(contro
udp 0 0 127.0.0.1:11211 0.0.0.0:* 1009332/memcached

Stop unused services, or filter their ports so that only specific IPs can reach them.
Some services do not open a network port but still create a socket, so also check which services are configured to start:

/sbin/chkconfig --list | grep '3:on'
(On EL7 use /usr/bin/systemctl list-unit-files instead)
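The netstat output above mixes listeners bound to every interface with loopback-only ones. The script below, an added example that is not part of the original page, classifies each listener by exposure and flags services that should normally be loopback-only or firewalled; the sample output is constructed from a few lines above, and the RISKY_PORTS list is an assumption for this host.

```shell
# Added example, not part of the original page: classify the listeners shown by
# netstat -tulpn by exposure. A socket bound to 0.0.0.0 or :: answers on every
# interface; one bound to 127.0.0.1 or ::1 is reachable only from the host itself.
# The sample below is constructed from a few lines of the output above.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22      0.0.0.0:*  LISTEN 4550/sshd
tcp 0 0 127.0.0.1:25    0.0.0.0:*  LISTEN 645920/sendmail
tcp 0 0 0.0.0.0:3306    0.0.0.0:*  LISTEN 17020/mysqld
tcp 0 0 127.0.0.1:11211 0.0.0.0:*  LISTEN 1009332/memcached
tcp 0 0 :::80           :::*       LISTEN 2180/httpd
udp 0 0 0.0.0.0:48000   0.0.0.0:* 17535/nimbus(contro'

# exposure_report [all|external|local]: prints "proto port scope program" for
# each listener, optionally limited to one scope. On a live host use the real
# output instead: NETSTAT_SAMPLE=$(netstat -tulpn); exposure_report external
exposure_report() {
    want="${1:-all}"
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v want="$want" '
        $1 != "tcp" && $1 != "udp" { next }          # skip the header lines
        {
            # Field 4 is the local address; the port follows the last ":"
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = (addr == "0.0.0.0" || addr == "::") ? "external" : "local"
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
            if (want == "all" || want == scope) print $1, port, scope, prog
        }'
}

# Ports that should be loopback-only or firewalled to specific IPs (assumed
# list for this host: MySQL, memcached, NRPE and the nimbus agents).
RISKY_PORTS="3306 11211 5666 48000 48001 48006"

# externally_exposed_risky: the risky ports that are bound to all interfaces.
externally_exposed_risky() {
    exposure_report external | awk -v risky="$RISKY_PORTS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        ($2 in bad) { print $1 "/" $2, $4 }'
}

exposure_report
echo "--- risky services reachable from all interfaces ---"
externally_exposed_risky
```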

root@anil:~# /sbin/chkconfig --list | grep '3:on'
abrt-ccpp        0:off 1:off  2:off  3:on   4:off  5:on    6:off
abrt-oops        0:off 1:off  2:off  3:on   4:off  5:on    6:off
abrtd            0:off 1:off  2:off  3:on   4:off  5:on    6:off
acpid            0:off 1:off  2:on   3:on   4:on   5:on    6:off
atd              0:off 1:off  2:off  3:on   4:on   5:on    6:off
auditd           0:off 1:off  2:on   3:on   4:on   5:on    6:off
blk-availability 0:off 1:on   2:on   3:on   4:on   5:on    6:off
cpuspeed         0:off 1:on   2:on   3:on   4:on   5:on    6:off
crond            0:off 1:off  2:on   3:on   4:on   5:on    6:off
dkimproxy        0:off 1:off  2:off  3:on   4:on   5:on    6:off
haldaemon        0:off 1:off  2:off  3:on   4:on   5:on    6:off
httpd            0:off 1:off  2:on   3:on   4:on   5:on    6:off
icinga           0:off 1:off  2:on   3:on   4:on   5:on    6:off
irqbalance       0:off 1:off  2:off  3:on   4:on   5:on    6:off
iscsi            0:off 1:off  2:off  3:on   4:on   5:on    6:off
iscsid           0:off 1:off  2:off  3:on   4:on   5:on    6:off
kdump            0:off 1:off  2:off  3:on   4:on   5:on    6:off
lvm2-monitor     0:off 1:on   2:on   3:on   4:on   5:on    6:off
mailgraph        0:off 1:off  2:on   3:on   4:on   5:on    6:off
messagebus       0:off 1:off  2:on   3:on   4:on   5:on    6:off
mysqld           0:off 1:off  2:on   3:on   4:on   5:on    6:off
network          0:off 1:off  2:on   3:on   4:on   5:on    6:off
npcd             0:off 1:off  2:on   3:on   4:on   5:on    6:off
nrpe             0:off 1:off  2:on   3:on   4:on   5:on    6:off
pmtadbloader     0:off 1:off  2:on   3:on   4:on   5:on    6:off
pmtamc           0:off 1:off  2:on   3:on   4:on   5:on    6:off
pmtapgsql        0:off 1:off  2:on   3:on   4:on   5:on    6:off
postfix          0:off 1:off  2:on   3:on   4:on   5:on    6:off
puppetserver     0:off 1:off  2:on   3:on   4:on   5:on    6:off
rrdcached        0:off 1:off  2:on   3:on   4:on   5:on    6:off
rsyslog          0:off 1:off  2:on   3:on   4:on   5:on    6:off
sshd             0:off 1:off  2:on   3:on   4:on   5:on    6:off
sysstat          0:off 1:on   2:on   3:on   4:on   5:on    6:off
udev-post        0:off 1:on   2:on   3:on   4:on   5:on    6:off
root@anil:~#

lsof can also be used to list open sockets.

Once you have found an unwanted service, disable it with the command below.

# chkconfig serviceName off

Note: Do not stop services you do not recognise, because doing so can cause problems when the system boots. For example, if you are in graphical mode (runlevel 5) and stop gpm, the mouse will stop working.

Check Installed Software
————————
Check installed software using "rpm -qa --last" and ensure the latest versions of packages are installed, especially those used by lower-privileged users: httpd, openssh, kernel, sendmail, etc.

Remove software that is not required from the system, for example:
NFS and related services: autofs, nfs, nfsserver, nfslock
Unused networking services: routed, gated, ratvf, snmpd, named, dhcpd, dhclient, dhrelay, nscd, smb.
Mail services: sendmail, postfix.
Optional network and local services: atd, ldap, kudzu, rhnsd, ypbind, apache, quota, quotad, mysql, etc.
Printing services: lpr, cups, lprng.

# yum remove package-name

Note: Before answering yes or "y", make sure removing the package does not break your setup. For example, removing postfix also removes the dependent crontab rpm, which breaks your scheduled jobs.

Remote Login Security
———————
In the main SSH daemon configuration file, sshd_config, make the necessary changes as below:

PermitRootLogin no
AllowUsers username
Protocol 2
Remove telnet-server and rssh.
Banner /path/to/banner-file (a file containing a security warning)
No user should log in directly as 'root'.
Administrators must log in with their own accounts and then use 'su' to become root.
This ensures accountability.
A viable alternative is the 'sudo' utility, which allows:
Listing of privileged accounts.
Restricting the actions that can be taken by these accounts.
Download from http://www.courtesan.com/sudo/intro.html
Timing out logged-in users, so that they have to re-authenticate in order to use 'sudo'.
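The sshd_config settings above are easy to get half right (a commented-out line, or "Protocol 2,1"). The script below is an added example, not part of the original page, that checks a configuration for each setting listed; both configurations in it are constructed, and on a real host it would be called with the contents of /etc/ssh/sshd_config.

```shell
# Added example, not part of the original page: check an sshd_config against the
# settings listed above. Only the first uncommented occurrence of a keyword counts
# (that is how sshd reads it), and a keyword that never appears is reported as
# "absent", since the compiled-in default then applies. Both configs are constructed.
WEAK_SSHD_CONFIG='Port 22
#PermitRootLogin no
Protocol 2,1
X11Forwarding yes'

HARDENED_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin no
AllowUsers sysadm backup
Banner /etc/issue.net'

# effective_value CONFIG KEYWORD: value of the first uncommented KEYWORD line.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "absent" }'
}

# sshd_audit CONFIG: prints one FAIL line per weak or missing setting and
# returns 0 only when every setting from the section above is satisfied.
# On a live host: sshd_audit "$(cat /etc/ssh/sshd_config)"
sshd_audit() {
    cfg="$1"; fails=0
    v=$(effective_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=$v (want no)"; fails=$((fails + 1)); }
    v=$(effective_value "$cfg" Protocol)
    [ "$v" = "2" ] || { echo "FAIL Protocol=$v (want 2; '2,1' still accepts SSH-1)"; fails=$((fails + 1)); }
    v=$(effective_value "$cfg" AllowUsers)
    [ "$v" != "absent" ] || { echo "FAIL AllowUsers not set (every account may log in)"; fails=$((fails + 1)); }
    v=$(effective_value "$cfg" Banner)
    [ "$v" != "absent" ] || { echo "FAIL Banner not set"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

echo "weak config:";     sshd_audit "$WEAK_SSHD_CONFIG" || echo "weak settings found"
echo "hardened config:"; sshd_audit "$HARDENED_SSHD_CONFIG" && echo "all settings OK"
```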

User Security
————-
:- Restrict Users from Reusing Old Passwords

This is very useful if you want to prevent users from reusing their old passwords. The old password file is located at /etc/security/opasswd. This can be achieved using a PAM module.

Add the following line to the 'auth' section in "/etc/pam.d/system-auth".

auth  sufficient  pam_unix.so  likeauth  nullok

:- Enforcing Stronger Passwords

Edit /etc/pam.d/system-auth (vi /etc/pam.d/system-auth) and set the options below on the pam_cracklib.so line:

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
(lcredit, ucredit, dcredit and ocredit are the credits for lower-case, upper-case, digit and other characters respectively; a negative value is the minimum number of characters of that class that the password must contain.)

:- Check Password Expiration of Users
chage -l username

# chage -l sysadm
Last password change : Jul 02, 2014
Password expires  : never
Password inactive : never
Account expires   : never
Minimum number of days between password change    : 0
Maximum number of days between password change    : 99999
Number of days of warning before password expires : 7

Set password expiry:
# chage -M 60 -m 7 -W 7 userName

-M Set maximum number of days
-m Set minimum number of days
-W Set the number of days of warning

:- Lock and Unlock Account
# passwd -l accountName
# passwd -u accountName

:- Lock Cronjobs for users

Cron has its own built-in feature that allows specifying who may, and who may not, run jobs. This is controlled by the files /etc/cron.allow and /etc/cron.deny. To block a user from using cron, add the user name to cron.deny; to allow a user to run cron jobs, add the name to cron.allow. To disable cron for all users, add the line 'ALL' to cron.deny.

# echo ALL >>/etc/cron.deny

:- Disable CTRL+ALT+DEL Restart using /etc/sysctl.conf

# Disable CTRL+ALT+DEL Restart Keys
kernel.ctrl-alt-del = 1
(Note that the kernel documents this sysctl as: 0 = the key combination is trapped and passed to init for a graceful restart; greater than 0 = immediate reboot without syncing. On EL6 the key combination itself is handled by the upstart job /etc/init/control-alt-delete.conf.)

:- Users with Empty Passwords
Check for users that were created but never had a password set:

# awk -F: '($2==""){print $1}' /etc/shadow

Further account checks:
No dormant or generic accounts are present.
Accounts of separated (departed) users are not present.
All system (non-user) accounts have /bin/false as the shell.
All system accounts have *NP* or *LK* in their password fields in /etc/shadow.
An SOP exists for verifying the validity of the accounts in these files.
Every account in passwd has a corresponding entry in shadow.
Only one line contains 0 in the UID field of the passwd file.
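The checks above can be scripted so they run on a schedule. The script below is an added example, not part of the original page: it runs the empty-password, UID 0, system-shell and passwd/shadow consistency checks against constructed sample files (the hashes in them are placeholders), and reports any finding.

```shell
# Added example, not part of the original page: run the account checks listed
# above against constructed /etc/passwd and /etc/shadow contents. On a live host
# set PASSWD_SAMPLE=$(cat /etc/passwd) and SHADOW_SAMPLE=$(cat /etc/shadow) as root.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/sh
toor:x:0:0:second uid 0:/root:/bin/bash
sysadm:x:500:500::/home/sysadm:/bin/bash
temp:x:501:501::/home/temp:/bin/bash
orphan:x:502:502::/home/orphan:/bin/bash'
SHADOW_SAMPLE='root:$6$constructedhash1:16253:0:99999:7:::
bin:*NP*:16253:0:99999:7:::
daemon:*LK*:16253:0:99999:7:::
toor:$6$constructedhash2:16253:0:99999:7:::
sysadm:$6$constructedhash3:16253:0:99999:7:::
temp::16253:0:99999:7:::'

# Accounts whose shadow password field is empty: anyone can log in as them.
empty_password_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 == "" { print $1 }'
}
# Every UID 0 entry is root-equivalent; only "root" itself should have UID 0.
extra_uid0_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}
# System accounts (UID 1-499 on EL6) that still have a usable login shell.
system_accounts_with_shell() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: \
        '$3 > 0 && $3 < 500 && $7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 ":" $7 }'
}
# passwd entries that have no matching shadow entry (the two files have drifted).
passwd_without_shadow() {
    { printf '%s\n' "$SHADOW_SAMPLE"; echo '--PASSWD--'; printf '%s\n' "$PASSWD_SAMPLE"; } |
        awk -F: '/^--PASSWD--$/ { inpw = 1; next }
                 !inpw { seen[$1] = 1; next }
                 !($1 in seen) { print $1 }'
}

# account_audit: one report line per check with findings; exit status 1 if any.
account_audit() {
    findings=0
    for name in empty_password_accounts extra_uid0_accounts system_accounts_with_shell passwd_without_shadow; do
        out=$("$name")
        [ -z "$out" ] || { printf '%s: %s\n' "$name" "$(echo "$out" | tr '\n' ' ')"; findings=1; }
    done
    return $findings
}
account_audit || echo "account audit found problems"
```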

:- Password Auditing (also known as password cracking)
Use 'Crack' from http://www.users.dircon.co.uk/~crypto/download/c50-faq.html
It works on almost all Unix platforms and is very fast.
Another viable password cracker is John the Ripper.
Leave these tools running for a day or two to ferret out all weak passwords.

Linux auditing using syslogd
—————————-
The configuration file is /etc/syslog.conf

The format is:
Facility.Priority  Action
Facility – the application/program that is generating the logs.
Priority – emerg, alert, crit, err, warning, notice, info, debug, none.
Action – write to a file, send to the console, send via email, or send to another system (loghost).
Segregation of responsibilities – send logs to another system, where the security administrator has control.
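The selector format just described can be parsed to verify the segregation point: a facility that is only written to local files can be erased by anyone who gains root on the host. The script below is an added example, not part of the original page; the syslog.conf it parses is constructed, and the loghost name in it is a placeholder.

```shell
# Added example, not part of the original page: parse the "facility.priority action"
# selectors of a syslog.conf and check that security-relevant facilities are also
# sent to a remote loghost (an action beginning with "@"), as the segregation point
# above requires. The configuration below is constructed.
SYSLOG_CONF_SAMPLE='*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
kern.*                                      @loghost.example.com
*.emerg                                     *'

# selector_actions CONF: one "facility.priority<TAB>action" pair per line;
# comments and blank lines are dropped and ";"-joined selectors are split up.
selector_actions() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { action = $NF; n = split($1, sel, ";")
          for (i = 1; i <= n; i++) print sel[i] "\t" action }'
}

# forwarded_facilities CONF: facilities whose action is a remote host. A "*"
# facility means everything is forwarded; "facility.none" excludes it instead.
forwarded_facilities() {
    selector_actions "$1" | awk -F'\t' '
        $2 ~ /^@/ { split($1, p, "."); if (p[2] != "none") print p[1] }' | sort -u
}

# local_only FACILITY CONF: succeeds when FACILITY is logged on this host
# (explicitly or via a "*" selector) but never forwarded to a loghost.
local_only() {
    fac="$1"; conf="$2"
    forwarded_facilities "$conf" | grep -qx -e "$fac" -e '\*' && return 1
    selector_actions "$conf" | awk -F'\t' -v f="$fac" '
        BEGIN { r = 1 }
        { split($1, p, "."); if ((p[1] == f || p[1] == "*") && p[2] != "none") r = 0 }
        END { exit r }'
}

for fac in authpriv kern cron; do
    if local_only "$fac" "$SYSLOG_CONF_SAMPLE"; then echo "$fac: local only, not forwarded"
    else echo "$fac: forwarded to a loghost"; fi
done
```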

/var/log/messages – whole-system and current-activity logs.
/var/log/auth.log – authentication logs.
/var/log/kern.log – kernel logs.
/var/log/cron.log – crond logs (cron jobs).
/var/log/maillog – mail server logs.
/var/log/boot.log – system boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – authentication log.
/var/log/utmp or /var/log/wtmp – login records.
/var/log/yum.log – yum log file.

Useful commands to check logins and processes: last, lastlog, lastb
Other commands: atop, top -n 1 -b, ps aux, who, w, whoami, uptime.

:- Use Tools for Log Analysis
Swatch – real-time monitoring of logs
Logsentry
Logwatch

File System Security
——————–
Unix permissions are applicable to three entities:

Owner : Group : Everyone (others).
Three main permissions apply, with numeric representations:
Read = 4, Write = 2, Execute = 1.

The first character of an ls -l entry identifies the type of file: "d" = directory, "-" = regular file, "s" = socket, "l" = symbolic link, "p" = named pipe.
Permissions of newly created files are determined by the umask value, so make sure all users run with the default umask 0022.

:- Check umask

# for user in $(awk -F: '{print $1}' /etc/passwd); do printf "%-10s" "$user"; su -c 'umask' -l $user 2>/dev/null; done

To skip system users (UID below 500):

# for user in $(awk -F: '( $3 >= 500 ){print $1}' /etc/passwd); do printf "%-10s" "$user"; su -c 'umask' -l $user 2>/dev/null; done

SUID and SGID files are executables that anyone may run, but they execute with the privileges of their owner (usually root) or group, so checking them is critical:
# find / -perm -4000
# find / -perm -2000

The tool at https://www.rfxn.com/downloads/faf-current.tar.gz is good software for finding and fixing such files on a system.

:- File Integrity

File integrity can be verified by:
Size and timestamp – can be modified to fool the auditor.
MD5 hashes – a secure method, but tedious by hand.
File integrity software:
Must be used immediately after installation.
Creates a database of MD5 hashes of all critical files.
Monitors changes to these files and sends alerts.
Tripwire – commercial, scalable, central console.
AIDE – open-source, reasonably enterprise-level.
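To make concrete what Tripwire and AIDE do, the script below is an added example, not part of the original page or of either tool: it records an MD5 hash per file right after installation and later reports modified, added and removed files. It works on a constructed temporary tree and assumes file names without whitespace.

```shell
# Added example, not part of the original page: a minimal version of what the
# file-integrity tools above do. baseline_create records an MD5 hash per file,
# baseline_check reports files modified, added or removed since, and the demo
# works on a constructed temporary tree so it never touches real system files.
# Assumes file names without whitespace.
baseline_create() {   # baseline_create DIR DBFILE
    ( cd "$1" && find . -type f -exec md5sum {} + ) | sort -k2 > "$2"
}

hash_of() {           # hash_of DBFILE NAME -> recorded hash, or empty if absent
    awk -v n="$2" '$2 == n { print $1 }' "$1"
}

baseline_check() {    # baseline_check DIR DBFILE -> MODIFIED/ADDED/REMOVED lines
    dir="$1"; db="$2"; rc=0
    cur=$(mktemp)
    baseline_create "$dir" "$cur"      # current state in the same format
    for f in $(awk '{ print $2 }' "$db"); do
        new=$(hash_of "$cur" "$f")
        if [ -z "$new" ]; then echo "REMOVED $f"; rc=1
        elif [ "$new" != "$(hash_of "$db" "$f")" ]; then echo "MODIFIED $f"; rc=1; fi
    done
    for f in $(awk '{ print $2 }' "$cur"); do
        [ -n "$(hash_of "$db" "$f")" ] || { echo "ADDED $f"; rc=1; }
    done
    rm -f "$cur"
    return $rc
}

# Constructed demo tree standing in for the critical files of a real host.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
printf 'PermitRootLogin no\n' > "$demo_root/etc/sshd_config"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo_root/etc/passwd"
baseline_create "$demo_root" "$demo_root.db"    # do this right after installation

# Simulate drift: an edited config, a new file and a deleted file.
printf 'PermitRootLogin yes\n' > "$demo_root/etc/sshd_config"
printf 'ALL\n' > "$demo_root/etc/cron.allow"
rm "$demo_root/etc/passwd"
baseline_check "$demo_root" "$demo_root.db" || echo "integrity check FAILED"
rm -rf "$demo_root" "$demo_root.db"
```

In practice the hash database must be stored off-host or on read-only media, since an intruder who can rewrite the files can also rewrite a database kept beside them.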

OS Security
———–
Use TCP Wrappers to restrict service and port access.

Set limits for user processes and open files.
Keep the system updated using yum update.
Turn on SELinux (at least in Permissive mode). Its modes are:
Enforcing: the default mode, which enables and enforces the SELinux security policy on the machine.
Permissive: in this mode SELinux does not enforce the security policy; it only warns and logs actions. This mode is very useful for troubleshooting SELinux-related issues.
Disabled: SELinux is turned off.
Do not use the X Window System.
Enable iptables or another firewall.
Set the /boot partition read-only in /etc/fstab:
LABEL=/boot /boot ext2 defaults,ro 1 2
Ignore ICMP and broadcast requests using /etc/sysctl.conf:
# Ignore ICMP requests:
net.ipv4.icmp_echo_ignore_all = 1
# Ignore broadcast requests:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Disable IPv6 in /etc/sysconfig/network:
NETWORKING_IPV6=no
IPV6INIT=no
Check system security regularly, using tools such as:

Snort
nmap
nessus
openvas
nikto and other tools.

Vulnerability Databases
———————–
www.SecurityFocus.com/bid – feed in the vendor, software and version number, then check the listed vulnerabilities and see whether any exploits are available.

Portscan Report – Superscan
Portscan Report – Nmap