{"id":10168,"date":"2021-09-20T18:20:55","date_gmt":"2021-09-20T18:20:55","guid":{"rendered":"https:\/\/linuxways.net\/?p=10168"},"modified":"2021-09-20T18:20:55","modified_gmt":"2021-09-20T18:20:55","slug":"linux-server-hardening-best-practices","status":"publish","type":"post","link":"https:\/\/linuxways.net\/de\/centos\/linux-server-hardening-best-practices\/","title":{"rendered":"Linux Server Hardening – Best practices"},"content":{"rendered":"

Being an IT professional, it\u2019s challenging to get up to date with security vulnerabilities and threats. System patch updates, server, and network hardening are the most crucial factors to prevent security threats. Hardening Linux servers and network devices are important to reduce IT vulnerabilities and protect from a system compromise. In this article, we will learn some best practices used for Linux server hardening. For the demonstration purpose, CentOS\/RHEL server is being used so that some configurations might be different on other Linux distributions.<\/p>\n

Update Linux Server<\/h3>\n

It’s necessary to keep your system up to date. There might be security patch updates for vulnerable components. Run the following command to update the system.<\/p>\n

$ yum update -y<\/pre>\n
Enable and configure firewall<\/h3>\n
Most of the Linux server comes with a firewalld package installed. Make sure that the firewalld is running in the system. In the Linux system, firewall-cmd command-line utility tool can be used to configure the firewall rules.<\/p>\n
Start and enable firewall service<\/p>\n
$ systemctl start firewalld<\/pre>\n
$ systemctl enable firewalld<\/pre>\n
To add specific services and ports, use the following syntax<\/p>\n
$ firewall-cmd --add-service=http --permanent (Allow http service)<\/pre>\n
$ firewall-cmd --add-port=8000\/tcp --permanent (Allow specific port)<\/pre>\n
To reflect the changes, reload the firewall.<\/p>\n
$ firewall-cmd --reload<\/pre>\n
Block USB drives<\/h3>\n
In a Linux system, USB storage can be restricted by creating a configuration files under \/etc\/modprobe.d\/ <\/strong>directory.<\/p>\n
Create a configuration file<\/p>\n
$ touch \/etc\/modprobe.d\/usb_block.conf<\/pre>\n
$ echo \u201cinstall usb-storage \/bin\/false\u201d > \/etc\/modprobe.d\/usb_block.conf<\/pre>\n
Remove unwanted users and groups<\/h3>\n
Some users and groups are already added to the system by default which is not needed. Remove such users and groups.<\/p>\n
$ userdel postfix<\/pre>\n
$ groupdel postfix<\/pre>\n
$ userdel games<\/pre>\n
$ groupdel games<\/pre>\n
Search of such users and groups and delete if not needed.<\/p>\n
Remove unwanted packages<\/h3>\n
Some packages are already installed by default in the Linux system. For instance, postfix comes by default, and service starts up when the system is up. Identity such services and remove them<\/p>\n
$ yum remove postfix -y<\/pre>\n
Configure password policy<\/h3>\n
In the Linux machine, the password policy is specified in the \/etc\/login.defs file. Make changes in the password policy parameters as follows.<\/p>\n
PASS_MAX_DAYS 90\r\n\r\nPASS_MIN_DAYS 1\r\n\r\nPASS_MIN_LENTH 8\r\n\r\nPASS_WARN_AGE 30<\/pre>\n
Example:<\/p>\n
<\/p>\n
Configure SSH<\/h3>\n
To prevent unauthorized ssh access and attacks, make the following changes in \/etc\/ssh\/sshd_config file.<\/p>\n
# Set the custom ssh port\r\n\r\nPort 8022\r\n\r\n# Prevent from root login\r\n\r\nPermitRootLogin no\r\n\r\n# Restrict Empty password\r\n\r\nPermitEmptyPasswords no\r\n\r\n# Restrict host-based authentications\r\n\r\nHostbasedAuthentication no\r\n\r\nIgnoreRhosts yes\r\n\r\n# Use ssh protocol 2\r\n\r\nProtocol 2\r\n\r\n# Disable tools that have GUI\r\n\r\nX11Forwarding no<\/pre>\n
<\/p>\n
Check the configuration using the following command.<\/p>\n
$ sshd -t<\/pre>\n
Restart ssh service<\/p>\n
$ systemctl restart sshd<\/pre>\n
Umask<\/h3>\n
Some files require umask hardening.<\/p>\n
$ sed -i -e 's\/umask 022\/umask 027\/g' -e 's\/umask 002\/umask 027\/g' \/etc\/profile<\/pre>\n
$ sed -i -e 's\/umask 022\/umask 027\/g' -e 's\/umask 002\/umask 027\/g' \/etc\/csh.cshrc<\/pre>\n
$ sed -i -e 's\/umask 022\/umask 027\/g' -e 's\/umask 002\/umask 027\/g' \/etc\/init.d\/functions<\/pre>\n
$ sed -i -e 's\/umask 022\/umask 027\/g' -e 's\/umask 002\/umask 027\/g' \/etc\/bashrc<\/pre>\n
Disable core dump<\/h3>\n
Core dump stores information of an executable program. It can be used to determine why the program was aborted. Core dump also can be used to retrieve confidential information from a core file. Use the following command to disable core dump.<\/p>\n
$ echo \u201c* hard core 0\u201d >>\/etc\/security\/limits.conf<\/pre>\n
Use system auditing tools<\/h3>\n
The use of security tools makes it easy to identify system glitches. One of the free and open source tools is lynis which can be used to perform a regular audit of the system. Any findings are shown on the screen and also stored in the log file.<\/p>\n
Install the tool<\/p>\n
$ yum install epel-release -y<\/pre>\n
$ yum install lynis<\/pre>\n
Audit the system using the command below<\/p>\n
$ lynis audit system<\/pre>\n
<\/p>\n
There will be suggestions and warning results stored in the log file. Run the following command to see the result and solve accordingly.<\/p>\n
$ grep Suggestion \/var\/log\/lynis.log<\/pre>\n
Output:<\/p>\n
<\/p>\n
$ grep Warning \/var\/log\/lynis.log<\/pre>\n
<\/p>\n
Conclusion<\/h2>\n
In this article, we learned some best practices to harden Linux systems. If you have any tips and tricks to secure a Linux server, do not forget to leave a comment in the box below.<\/p>","protected":false},"excerpt":{"rendered":"
Being an IT professional, it\u2019s challenging to get up to date with security vulnerabilities and threats. System patch updates, server, and network hardening are the most crucial factors…<\/p>","protected":false},"author":1,"featured_media":10317,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,4,5,83,165,2],"tags":[549],"class_list":["post-10168","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-centos","category-debian","category-mint","category-opensuse","category-red-hat","category-ubuntu","tag-server-security"],"_links":{"self":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts\/10168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/comments?post=10168"}],"version-history":[{"count":0,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts\/10168\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/media\/10317"}],"wp:attachment":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/media?parent=10168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/categories?post=10168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/tags?post=10168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}