It cannot be stressed enough how important it is to appreciate that security evolves. Whether the subject is a system or a network, security is not a result: when a network security professional talks about security, he understands that it is a continuous process. There are, however, certain tools which security experts prefer because of the control and flexibility they provide. Because of its functionality, Linux is the tool of choice for many security consultants, and while you might think that open source software was 'born' secure, that is not the case. It takes a great deal of effort to harden a Linux system so that it is more secure than it was out of the box.

Hardening is a process applied to operating systems in which unnecessary services and software are removed and the system is kept with the minimum services it requires, in an attempt to make it more secure and dedicated to its core function. Several steps are involved in the hardening process, and a combination of them can be used depending on the balance of functionality and security required on the system.

1.Basic Linux Hardening
Removing Unnecessary Packages:
It is more secure to install a Linux system with the bare minimum of packages, so that you know exactly what is on the system and it is easier to maintain. You can add the libraries and packages your server needs to perform its core business function later. Every extra package is code that must be patched and, if it ships a service, a listening port that must be justified.
Depending on your Linux distribution, you can use the rpm or yum commands to list and delete packages (apt on Debian and Ubuntu, dnf on newer Red Hat releases).

List packages:
rpm -qa
or
yum list installed

Delete packages:
rpm -e <package name>
or
yum remove <package name>

Note that rpm -e refuses to remove a package that other packages depend on, whereas yum remove also removes the dependent packages; read the list it prints before confirming.
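Knowing what is installed is only useful if you can tell when something new appears. The script below is an added example (not from the original article): it keeps a baseline of the package set taken right after the minimal install and reports anything that has been added since. The package lists are assumed to be one name per line, as produced by rpm -qa --qf '%{NAME}\n' | sort; the sample lists in the demo function are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: compare the package set of a
# system against the baseline recorded after its minimal install.
# Both lists hold one package name per line, e.g. from
#   rpm -qa --qf '%{NAME}\n' | sort > /root/packages.baseline
# The demo below uses constructed lists instead of a real rpm run.

# unexpected_packages BASELINE CURRENT
# Prints the names present in CURRENT but absent from BASELINE, one per line.
# grep: -F fixed strings, -x whole-line match, -v invert, -f patterns from file.
# grep exits 1 when nothing is selected; that is a clean result here, so only
# a real error (exit 2, e.g. unreadable file) makes the function fail.
unexpected_packages() {
    grep -vFx -f "$1" "$2" || [ $? -eq 1 ]
}

# demo_unexpected_packages
# Constructed sample lists standing in for two package inventories taken at
# different times; prints the packages that appeared after the baseline.
demo_unexpected_packages() {
    dir=$(mktemp -d)
    printf '%s\n' bash coreutils openssh-server rpm yum > "$dir/baseline.txt"
    printf '%s\n' bash coreutils openssh-server rpm telnet-server vsftpd yum > "$dir/current.txt"
    unexpected_packages "$dir/baseline.txt" "$dir/current.txt"
    rm -rf "$dir"
}

demo_unexpected_packages
```

Swapping the two arguments (unexpected_packages current baseline) lists packages that have disappeared since the baseline, which is just as interesting on a server nobody should be touching. Feed the output to yum remove only after reading it; a name that looks unnecessary may be pulled in by something the server does need.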

2.Patching:
A security policy should be enforced in the organization that allows the system administrators to receive the latest security updates for the operating system and for the packages/applications installed on it. Any vulnerability discovered in an existing package should be remediated through patches or compensating controls. Some Linux distributions, Red Hat for example, have excellent support options through which the system can be kept updated automatically; Red Hat's updates are delivered through Red Hat Network and require a subscription. All modern Linux distributions have one or more package management utilities, such as RPM, APT/DPKG and YUM, and these can be used to manage and update packages manually.

Older Red Hat releases are updated with the 'up2date' command; Red Hat Enterprise Linux 5 onwards and the other YUM-based distributions use yum update (dnf update on recent Fedora and RHEL 8 onwards), and Debian-based systems use apt-get update followed by apt-get upgrade. Whichever tool you use, remember that a kernel update only takes effect after a reboot, and an updated library is only in use once the processes that loaded it have been restarted.

3.Disabling Non-Required Processes:
All system processes that are not required on the server should be stopped. Network services should be identified and only the required ones left enabled. Unsecured network services like telnet and ftp should be replaced with SSH and SCP/SFTP. You can find the listening network services and their process IDs using the following command (run it as root, otherwise the process column is left empty):

netstat -lnp

On systems where netstat is no longer installed, ss -lntup gives the same information. You can list all running processes with the ps ax command.

The best way to get rid of a service is to stop it from starting at boot. On SysV-style systems this is done with:

/sbin/chkconfig [service-name] off

and on systemd-based systems with systemctl disable --now [service-name].

Some services are started by inetd or xinetd rather than by their own start-up script and must be disabled in /etc/inetd.conf or in the per-service files under /etc/xinetd.d.

For inetd, open /etc/inetd.conf in a text editor and put a # symbol at the beginning of every line whose service you want to disable; for xinetd, set disable = yes in the service's file. Either way, restart the super-server (or send it SIGHUP) for the change to take effect.
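Editing these files by hand on one server is fine; on a fleet it is worth scripting, and a script also avoids the classic mistake of commenting out "telnet" and catching "telnets" as well. The helpers below are an added example, not from the original article: they comment out a service in an inetd.conf-style file (service name in the first field) and set disable = yes in an xinetd service file. The sample files in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Edits inetd.conf-style files
# (one service per line, service name in the first field) and xinetd service
# files ("service name { ... }" blocks with a "disable = yes|no" attribute).
# Results are written through a temporary file and copied back so the
# original keeps its owner and mode.

# enabled_inetd_services FILE
# Prints the service name of every line that is neither blank nor commented.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# disable_inetd_service FILE SERVICE
# Comments out every active line whose first field is exactly SERVICE.
disable_inetd_service() {
    file=$1
    # escape regex metacharacters so the service name is matched literally
    esc=$(printf '%s' "$2" | sed 's/[][\.*^$/]/\\&/g')
    # the trailing [[:space:]] inside the group keeps "telnet" from matching "telnets"
    sed "s/^[[:space:]]*\(${esc}[[:space:]]\)/#\1/" "$file" > "$file.tmp" \
        && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# xinetd_service_disabled FILE
# Prints the value of the disable attribute (yes/no), or nothing if absent.
xinetd_service_disabled() {
    awk -F= '/^[[:space:]]*disable[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# disable_xinetd_service FILE
# Sets "disable = yes" inside the service block; when the file has no disable
# attribute at all, one is inserted right after the opening brace.
disable_xinetd_service() {
    file=$1
    if grep -q '^[[:space:]]*disable[[:space:]]*=' "$file"; then
        sed 's/^\([[:space:]]*disable[[:space:]]*=\).*/\1 yes/' "$file"
    else
        awk '{ print } /\{/ && !done { print "\tdisable\t= yes"; done = 1 }' "$file"
    fi > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# demo_disable_services
# Constructed sample inetd.conf; disables telnet and ftp and prints what is
# still enabled (expected: only ident).
demo_disable_services() {
    dir=$(mktemp -d)
    cat > "$dir/inetd.conf" <<'EOF'
# constructed sample inetd.conf, not from a real host
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
ident   stream  tcp     nowait  identd  /usr/sbin/identd identd
EOF
    disable_inetd_service "$dir/inetd.conf" telnet
    disable_inetd_service "$dir/inetd.conf" ftp
    enabled_inetd_services "$dir/inetd.conf"
    rm -rf "$dir"
}

demo_disable_services
```

After running this against the real /etc/inetd.conf or /etc/xinetd.d/<service>, restart inetd or xinetd and confirm with netstat -lnp (or ss -lntup) that the port is gone; a service that is also started by its own init script will still be listening.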

4.Checking For Security on Key Files:
The file system table is a key system file that is read at boot time and contains the mapping of all partitions to their mount points.

Its path is /etc/fstab; its owner/group should be root:root and its permissions 644.
The permissions on the other key files, /etc/passwd and /etc/group, should be 644 with ownership root:root. /etc/shadow holds the password hashes and must never be world-readable: 400 (or stricter, such as the 000 used on current Red Hat releases) with ownership root:root; Debian-based systems instead use 640 with ownership root:shadow, which is equally acceptable. The goal is that no unprivileged user can read the hashes and nobody but root can write to any of these files.

To check permissions, type:
ls -l /etc/fstab /etc/passwd /etc/group /etc/shadow

To change ownership and permissions, type:
chown root:root /etc/passwd
chmod 644 /etc/passwd
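Checking these by eye works once; an audit script can be rerun after every change window. The one below is an added example, not from the original article. It treats a stricter mode than expected as a pass (600 where 644 is expected is fine) and flags any bit that grants more than expected, a missing file, or a wrong owner or group. It relies on GNU stat, i.e. stat -c as shipped on Linux; the demo audits constructed files owned by the current user rather than the real /etc files, so it can run unprivileged.

```shell
#!/bin/sh
# Added example, not from the original article: audit ownership and mode of
# key system files. Uses GNU stat(1) ("stat -c '%U %G %a'" prints owner,
# group and octal mode); the format flag differs on non-GNU Unixes.

# check_key_file PATH OWNER GROUP MODE
# Returns 0 when PATH is owned by OWNER:GROUP and its mode grants nothing
# beyond MODE (a stricter mode passes). Otherwise prints a one-line finding
# and returns 1. A missing file is a finding too.
check_key_file() {
    path=$1 want_owner=$2 want_group=$3 want_mode=$4
    if [ ! -e "$path" ]; then
        printf '%s: missing\n' "$path"
        return 1
    fi
    set -- $(stat -c '%U %G %a' "$path")
    have_owner=$1 have_group=$2 have_mode=$3
    if [ "$have_owner:$have_group" != "$want_owner:$want_group" ]; then
        printf '%s: owned by %s:%s, expected %s:%s\n' \
            "$path" "$have_owner" "$have_group" "$want_owner" "$want_group"
        return 1
    fi
    # leading 0 makes the shell read the modes as octal; any bit set in the
    # actual mode but clear in the expected one is excess permission
    if [ $(( 0$have_mode & ~0$want_mode )) -ne 0 ]; then
        printf '%s: mode %s, expected %s or stricter\n' "$path" "$have_mode" "$want_mode"
        return 1
    fi
    return 0
}

# audit_key_files
# Reads "PATH OWNER GROUP MODE" lines from stdin (blank lines and # comments
# skipped), checks each, prints findings, returns 1 if any check failed.
audit_key_files() {
    rc=0
    while read -r p o g m; do
        case $p in ''|\#*) continue ;; esac
        check_key_file "$p" "$o" "$g" "$m" || rc=1
    done
    return $rc
}

# The real list for a Red Hat style host would be:
#   audit_key_files <<'EOF'
#   /etc/fstab   root root 644
#   /etc/passwd  root root 644
#   /etc/group   root root 644
#   /etc/shadow  root root 400
#   EOF
# (Debian: /etc/shadow root shadow 640.)

# demo_audit_key_files
# Constructed files owned by the current user: one correct, one deliberately
# world-writable, one missing. Prints two findings and returns 1.
demo_audit_key_files() {
    dir=$(mktemp -d)
    me=$(id -un) grp=$(id -gn)
    touch "$dir/fstab" "$dir/passwd"
    chmod 644 "$dir/fstab"
    chmod 666 "$dir/passwd"
    rc=0
    audit_key_files <<EOF || rc=1
$dir/fstab   $me $grp 644
$dir/passwd  $me $grp 644
$dir/shadow  $me $grp 400
EOF
    rm -rf "$dir"
    return $rc
}

demo_audit_key_files
```

Run the real list from cron and mail or ship the output; a non-zero exit from audit_key_files is the signal. Extend the list with anything else that is security-sensitive on the host, such as /etc/sudoers (440 root:root) and the sshd host keys.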

5.Root User:
Logging in as root should be avoided as much as possible. Users who need root access should log in with their own usernames and use sudo (superuser do) to execute the required commands. This ensures that non-root users do not accidentally delete important system files, and a log entry for each sudo command, recording who ran what and from where, is written to syslog's authpriv facility (/var/log/secure on Red Hat systems, /var/log/auth.log on Debian-based ones) for audit purposes. Edit the sudoers file only with visudo, which checks the syntax before saving, and grant the specific commands a role needs rather than an unrestricted ALL.

6.Remote Access:

Unencrypted telnet access should be disabled, as all communication, the password included, is in plain text and can be sniffed. SSH should be used instead, and version 2 of the protocol is the only one that should be allowed (OpenSSH 7.4 and later no longer support version 1 at all).

The following configuration is recommended in the /etc/ssh/sshd_config file to make SSH more secure. Remote login for the root user should be disabled and root access only obtained through su or sudo from non-root accounts. Keywords are shown with their recommended values; sshd_config does not accept trailing comments, so the notes are on lines of their own.

# protocol 1 is insecure; this keyword only matters on releases older than 7.4
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue
IgnoreRhosts yes
HostbasedAuthentication no
# the two Rhosts* keywords applied to protocol 1 only; current OpenSSH ignores them with a warning
RhostsAuthentication no
RhostsRSAAuthentication no
# default is 2 minutes; shorten the window an unauthenticated connection may hold open
LoginGraceTime 1m
# log under the syslog AUTH facility
SyslogFacility AUTH
# only the listed accounts may log in; everyone else, system accounts included, is refused
AllowUsers [list of users allowed access]
DenyUsers [list of system accounts and others not allowed]
# maximum concurrent unauthenticated connections; 10 or fewer unless many users log in at once
MaxStartups 10

Note the plural spelling of AllowUsers and DenyUsers: a misspelled keyword makes sshd refuse to start. After editing, run sshd -t to validate the file before restarting the service, and keep your current session open until a fresh login has been confirmed to work.
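Two properties of sshd_config trip up audits: keywords are case-insensitive, and when a keyword appears more than once the first occurrence wins, so a "PermitRootLogin yes" that somebody left near the top silently overrides the "no" appended at the bottom. Settings after a Match line apply only inside that block. The checker below is an added example, not from the original article or from OpenSSH; it parses a config file by those rules and compares the effective values with the recommendations above. The sample configuration in the demo is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: check an sshd_config file
# against the settings recommended above, following sshd's own parsing
# rules (case-insensitive keywords, "Key value" or "Key=value", '#'
# comments, first occurrence wins, Match ends the global section).

# sshd_setting FILE KEYWORD
# Prints the effective global value of KEYWORD, or nothing when it is not
# set (meaning sshd's compiled-in default applies).
sshd_setting() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (!match(line, /^[^[:space:]=]+/)) next
            k = tolower(substr(line, 1, RLENGTH))
            if (k == "match") exit                     # global section ends here
            if (k != key) next
            v = substr(line, RLENGTH + 1)
            sub(/^[[:space:]]*=?[[:space:]]*/, "", v)  # strip separator, "=" or spaces
            sub(/[[:space:]]+$/, "", v)
            print v
            exit                                       # first occurrence wins
        }
    ' "$1"
}

# sshd_check FILE KEYWORD EXPECTED
# Returns 0 when the effective value equals EXPECTED (compared
# case-insensitively, which suits yes/no values); otherwise prints a finding
# and returns 1.
sshd_check() {
    have=$(sshd_setting "$1" "$2")
    lhave=$(printf '%s' "$have" | tr '[:upper:]' '[:lower:]')
    lwant=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    [ "$lhave" = "$lwant" ] && return 0
    printf '%s: %s is "%s", expected "%s"\n' "$1" "$2" "${have:-(unset, default applies)}" "$3"
    return 1
}

# sshd_audit FILE
# Runs the yes/no recommendations from this section; prints one line per
# failing check and returns 1 if any failed.
sshd_audit() {
    rc=0
    for spec in "PermitRootLogin no" "PermitEmptyPasswords no" \
                "IgnoreRhosts yes" "HostbasedAuthentication no"; do
        sshd_check "$1" $spec || rc=1
    done
    return $rc
}

# demo_sshd_audit
# Constructed sshd_config with a commented-out root login, a duplicated
# keyword (first wins, so HostbasedAuthentication is effectively "yes"),
# and a Match block that must not leak into the global values.
demo_sshd_audit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sshd_config, not from a real host
#PermitRootLogin yes
Protocol 2
permitrootlogin no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication = yes
HostbasedAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
    rc=0
    sshd_audit "$f" || rc=1
    rm -f "$f"
    return $rc
}

demo_sshd_audit
```

On a live host, sshd -T prints the fully resolved configuration, defaults included, and is the authoritative answer for anything this parser leaves as "unset"; use the script for files you cannot run sshd against, such as copies pulled from many servers. Values like LoginGraceTime are deliberately left out of sshd_audit because "1m" and "60" are the same setting and a string compare would flag one of them.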

7.Logging and Auditing:

Logging should be configured on the Linux systems and the log output should also be sent to a centralized logging server in the organization, so that an attacker who gains root cannot simply erase the evidence.
To configure external logging, put the following line in the /etc/syslog.conf file (on current distributions the file is /etc/rsyslog.conf, or a snippet under /etc/rsyslog.d/, with the same selector syntax):
# send to syslog server
*.info  @hostname

A syslog priority selects that level and everything more severe, so *.info already covers err and emerg; the older *.emerg;*.info;*.err spelling is redundant. A single @ sends over UDP, which is unauthenticated and silently lossy; rsyslog accepts @@hostname for TCP, which is preferable, and can wrap that connection in TLS.


8.Automating the Hardening Process:

A tool is available for all major flavors of Linux and Unix that can assess the security of your existing installation and can also automate the hardening of an unsecured system.
The tool is available from www.Bastille-UNIX.org

The definition from the website is as follows:
The Bastille Hardening program “locks down” an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system’s current state of hardening, granularly reporting on each of the security settings with which it works.

Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX. Full Mac OS X is ready for download today. Bastille focuses on letting the system's user/administrator choose exactly how to harden the operating system. In its default hardening mode, it interactively asks the user questions, explains the topics of those questions, and builds a policy based on the user's answers. It then applies the policy to the system. In its assessment mode, it builds a report intended to teach the user about available security settings as well as inform the user as to which settings have been tightened.
