Linux enjoys a number of security advantages, yet no operating system is absolutely secure. One issue currently confronting Linux is its popularity.
For a long time, Linux was used mainly by a smaller, more technical user base. Its expanding use now exposes it to the well-established problem that more users attract more malware.
There are various hardening frameworks available in the industry, but the most commonly used is CIS benchmarking, which we are going to cover today.
What is CIS?
CIS stands for Center for Internet Security, a non-profit organization whose mission is to make the digital world a safer place.
For more information, visit their website.
Today we are going to cover some important steps to harden a Linux machine before putting it on the network.
Note: take a backup of each file before changing it, so that you can revert if something goes wrong.
- Physical System Security
  - Configure the BIOS to disable booting from CD/DVD, external devices and floppy drive.
  - Next, set a BIOS password and also protect GRUB with a password to restrict physical access to your system.
  - Check the GRUB version: `grub-install -V`
  - Create a password for GRUB: as the root user, open a terminal and run `grub-mkpasswd-pbkdf2`. When prompted, type the GRUB password twice and press Enter. This returns the MD5 hash of the password; copy it or note it down.
  - Paste the long hashed string into /etc/grub.d/40_custom (`vim /etc/grub.d/40_custom`) together with the `set superusers` line, keeping the commented lines at the beginning of the file:
    set superusers="root"
    password_pbkdf2 root grub.pbkdf2.sha512.10000.9CA4611006FE96BC77A…
  - Regenerate the GRUB configuration: `grub-mkconfig -o /boot/grub/grub.cfg`
  - Check that the superuser and credentials above are present in /boot/grub/grub.cfg.
  - Reboot the system and test it: press ‘p‘ at the GRUB menu and enter the password to unlock it and enable the next features.
- Minimize Packages to Minimize Vulnerability
  - Do you really want all sorts of services installed?
  - It is recommended to avoid installing unnecessary packages, since every package can carry vulnerabilities. This reduces the risk that the compromise of one service leads to the compromise of others. Find and remove or disable unwanted services on the server.
  - Use `systemctl` to list the services that are running: `systemctl list-units --type=service`
  - Use `ss` to find out which sockets are in use.
  - Remove unwanted packages with `sudo apt-get remove package-name`
- Check Listening Network Ports
  - Use the `ss` command to find out which ports are in use.
- Enabling SSH securely
  - Use `sudo` to execute privileged commands. sudo rules are specified in /etc/sudoers, which should be edited with the `visudo` utility (it opens the file in vi).
  - It is also recommended to change the default SSH port 22 to another, higher port number. Open the main SSH configuration file and set the following parameters to restrict user access.
  - Each of the following settings is made in /etc/ssh/sshd_config (`gedit /etc/ssh/sshd_config`) and applied with `systemctl restart ssh`:
    - Disable root login: `PermitRootLogin no`
    - Allow specific users: `AllowUsers <username>`
    - Use protocol 2: `Protocol 2`
    - Connection idle timeout: `ClientAliveInterval 180`
    - Limit password attempts: `MaxAuthTries 3`
    - Disable logins with empty passwords: `PermitEmptyPasswords no`
    - Set up key-based (passwordless) authentication and disable password logins: `PasswordAuthentication no`
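As an added example (not from the original post), the following POSIX shell script audits an sshd_config file for the settings listed above, taking into account that sshd uses the first occurrence of a directive and ignores keyword case. It assumes `PermitRootLogin no` as the "disable root login" setting and runs against a constructed sample file.

```shell
# Added example (not from the original post): audit an sshd_config against the
# directives above. sshd honours the FIRST occurrence of a keyword, case-insensitively.
# Effective value of one directive, or UNSET when the file does not set it
# (sshd then falls back to its compiled-in default).
sshd_effective() {
    val=$(awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }    # skip comments and blank lines
        tolower($1) == key { print $2; exit }    # first occurrence wins
    ' "$2")
    printf '%s\n' "${val:-UNSET}"
}

# Compare every recommended directive with its effective value. Prints one
# PASS/FAIL line per directive and, as the last line, the failure count.
sshd_audit() {
    findings=0
    while read -r directive expected; do
        actual=$(sshd_effective "$directive" "$1")
        if [ "$actual" = "$expected" ]; then
            printf 'PASS %-22s %s\n' "$directive" "$actual"
        else
            printf 'FAIL %-22s got=%s want=%s\n' "$directive" "$actual" "$expected"
            findings=$((findings + 1))
        fi
    done <<EOF
PermitRootLogin no
Protocol 2
ClientAliveInterval 180
MaxAuthTries 3
PermitEmptyPasswords no
PasswordAuthentication no
EOF
    printf '%s\n' "$findings"
}

# Constructed sample: a duplicated directive (first value wins) and a hardening
# setting left commented out. Returns the path of a temporary file.
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
permitrootlogin yes
PermitRootLogin no
#PasswordAuthentication no
ClientAliveInterval 180
MaxAuthTries 3
PermitEmptyPasswords no
EOF
    printf '%s\n' "$f"
}
cfg=$(make_sample_config); sshd_audit "$cfg"; rm -f "$cfg"   # 3 failures expected
```

Run it against a real file with `sshd_audit /etc/ssh/sshd_config`; note that files pulled in by an `Include` line are not followed by this script.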
- Keep System updated
  - `apt install unattended-upgrades`
  - `dpkg-reconfigure --priority=low unattended-upgrades`
- Disable USB usage
  - `nano /etc/modprobe.d/blacklist.conf`, add the line `blacklist usb_storage`, then save and close.
  - `nano /etc/rc.local`, add `modprobe -r usb_storage` before the final `exit 0`.
- Enable SELinux
  - `apt install policycoreutils selinux-basics`
  - `selinux-activate`
  - `sestatus`
  - `nano /etc/selinux/config`, set `SELINUX=enforcing`, then save and close.
  - Reboot
- Password policies
  - `sudo vim /etc/login.defs`: enforce users to change their password every 30 days or less with `PASS_MAX_DAYS 30`
  - `sudo apt-get -y install libpam-pwquality cracklib-runtime`
  - `sudo vim /etc/pam.d/common-password`: change line 25 from `password requisite pam_pwquality.so retry=3` to `password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root`
  - `sudo reboot`
  - To view the current password expiry/aging details for a user: `sudo chage -l username`
Options used:
retry=3: Prompt the user 3 times before returning with an error.
minlen=8: The password length cannot be less than this value.
maxrepeat=3: Allow a maximum of 3 repeated characters.
ucredit=-1: Require at least one uppercase character.
lcredit=-1: Require at least one lowercase character.
dcredit=-1: Require at least one digit.
ocredit=-1: Require at least one other (non-alphanumeric) character.
difok=3: The number of characters in the new password that must not have been present in the old password.
gecoscheck=1: Reject a password that contains words from the GECOS field of the user's passwd entry.
reject_username: Reject the password if it contains the user's name in either straight or reversed form.
enforce_for_root: Enforce the password policy for the root user as well.
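As an added example (not from the original post), this shell function applies the pam_pwquality rules configured above to a candidate password and reports each rule it breaks, following the definitions in the option list (difok is implemented literally as defined above, which approximates libpwquality's exact similarity rule). The passwords and the username `alice` are constructed test values.

```shell
# Added example (not from the original post): apply the pam_pwquality rules set
# above to a candidate password and list every rule it violates. Covers minlen,
# maxrepeat, the four credit classes, difok and reject_username; retry, gecoscheck
# and enforce_for_root only change when, and for whom, PAM asks.
pw_has() { printf '%s' "$1" | grep -q -- "$2"; }   # does string $1 match BRE $2?

# Usage: pw_check NEW OLD USERNAME. Prints one line per violated rule, or "OK".
pw_check() {
    new=$1 old=$2 user=$3 fail=0
    [ "${#new}" -ge 8 ]           || { echo "minlen: shorter than 8 characters";   fail=1; }
    pw_has "$new" '[[:upper:]]'   || { echo "ucredit: no uppercase letter";        fail=1; }
    pw_has "$new" '[[:lower:]]'   || { echo "lcredit: no lowercase letter";        fail=1; }
    pw_has "$new" '[[:digit:]]'   || { echo "dcredit: no digit";                   fail=1; }
    pw_has "$new" '[^[:alnum:]]'  || { echo "ocredit: no symbol";                  fail=1; }
    # maxrepeat=3 rejects the same character four or more times in a row
    ! pw_has "$new" '\(.\)\1\1\1' || { echo "maxrepeat: 4+ identical characters in a row"; fail=1; }
    # difok=3 (as defined above): at least 3 characters of NEW must not occur in OLD
    diff=$(printf '%s' "$new" | awk -v old="$old" '{ n = 0
        for (i = 1; i <= length($0); i++) if (index(old, substr($0, i, 1)) == 0) n++
        print n }')
    diff=${diff:-0}
    [ "$diff" -ge 3 ]             || { echo "difok: only $diff characters not in old password"; fail=1; }
    # reject_username: the login name, straight or reversed, case-insensitively
    rev=$(printf '%s' "$user" | awk '{ for (i = length($0); i > 0; i--) r = r substr($0, i, 1); print r }')
    lnew=$(printf '%s' "$new" | tr 'A-Z' 'a-z')
    luser=$(printf '%s' "$user" | tr 'A-Z' 'a-z'); lrev=$(printf '%s' "$rev" | tr 'A-Z' 'a-z')
    case "$lnew" in *"$luser"*|*"$lrev"*) echo "reject_username: contains $user"; fail=1 ;; esac
    [ "$fail" -eq 0 ] && echo "OK"
    return 0
}

# Constructed demonstration values: one acceptable password, one that embeds the
# reversed username, and one that is too repetitive and identical to the old one.
pw_check 'Tr0ub4dor&3x' 'oldpassword1' 'alice'
pw_check 'Ecila#2024'   'zzz'          'alice'
pw_check 'Aaaa1111!'    'Aaaa1111!'    'bob'
```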