How to Cheat at Securing Linux

Gus Khawaja. Most people assume Linux is secure, and that's a false assumption. Imagine your laptop being stolen without first having been hardened.

Get rid of the end user and hire someone who can remember a password. Best practice is 60 or 90 days, 14 characters minimum, and complexity requiring a minimum of 1 upper, 1 lower, 1 alpha, 1 symbol, 1 numeric. Why? Because exploits move forward every day, as do caps. It's a best practice. Ask yourself this: if you are sued,


what will you tell the prosecuting attorney? All the attorney of the guy suing you has to prove is negligence, because so many passwords have been compromised. Not saying it is right or easy.

Really a very good and concise article that is informative and addresses various security issues. Thank you for writing and posting this article.

Nice round-up of some common server hardening techniques. While not specific to the server, I would add having a web application firewall, e. According to SANS, most exploits these days happen via web applications.

Even with these tips (SELinux excepted), attackers can often set up shell kits, spam bots or similar tools. Also, never just rely on the hardening. Use something like Nessus to audit the server. With a professional feed, you can actually audit against a variety of policies, such as the Center for Internet Security guidelines.

This is an amazing article. Lots of things about securing a server that I either overlooked, or simply forgot about!

Not a very good idea?

Everybody is using yellow stickers, Excel files, etc.

#1: Encrypt Data Communication

There are so many passwords to remember, most of them for absolutely pointless accounts that nobody cares about.

Sudo is crap for security, period, except for leaving an audit trail… which any user with sudo access can get rid of trivially. Let's say you have 5 admins, each of whom needs root-level access. There are things you can do to help with that, like using rootpw or disabling the ability to get a true shell with sudo, but this breaks much of sudo's functionality.

It does very little for non-legitimate users.


I was searching for how to disable root access. I love this site. I switched from shared web hosting to VPS web hosting and I love it.

Especially for data partitions: why would you want to run binaries from a data partition anyway? Programs should have no business there. I thought this flag also applied to scripts.

Hi Sir, I am a fan of your articles. Really, these are very excellent sessions. Really, I am so happy, and we are improving our confidence levels by following your articles.

One small request: why don't you write an article on Solaris server issues? Because nowadays both Unix and Linux are growing popular across the world. So, if you send an article based on Linux and Unix Solaris, then so many administrators will feel much better. I studied and gathered so many books and articles. So, could you send an OpenLDAP server configuration article for CentOS 5? Then I can follow your help to complete the task. And I need to know exactly what LDAP is; I have so many doubts about the LDAP scenario. And how can I join a Windows client to a Linux OpenLDAP server?

If it joins, how do I do that?

Linux Server Hardening Checklist and Tips

So, could you explain in detail?

I have heard the arguments for and against 7 (disable root login), and am for it… But you never tell me HOW to.

/tmp may be set noexec, nosuid, etc. To harden, you may need to write a pre-process script and a post-process script to run around apt-get upgrade.

Advanced persistent threats and rootkits. The kernel is the last line of defense.

Just another one of those valuable, well-written articles. Thank you, Vivek, for sharing this with the rest of us.

I want to show appreciation to this writer just for bailing me out of this type of issue. Right after searching throughout the world wide web and finding ways which were not helpful, I believed my life was gone. Your ability and kindness in maneuvering all the details was crucial. Thank you very much for the reliable and amazing guide.

  • Encryption — This is good, but the suggestion to remove xinetd wholesale is generally bad; ideally use Chef to only enable xinetd where needed.
  • One service, one box — This is a good goal, much more achievable in the virtualization era. Exceptions can be made, particularly with lightweight internal services.
  • Password policy — Largely you have to do this; auditors expect it.
  • Disable root login — Yes, remote root needs to be disabled to prevent non-reputability; I actually agree here.
  • Disable services — Very good. Highly likely that unneeded and unmaintained services lead to actual security compromise.
  • Sysctl hardening — Good and reasonably cheap.
  • Logging and auditing — Past some point this just becomes using a loghost with enough disk to retain logs, and the noise level becomes insane. In PCI situations you have to not only watch this but respond, and it becomes mandatory.
  • Kernel upgrades — This is expensive in time, but worthwhile.
  • Centralized auth — I actually like spending the time to do Kerberos.
  • SELinux — Also largely a waste of time, and an ongoing maintenance nightmare; most actual intrusions would be prevented by getting easier stuff right.
  • Locking down BIOS and Grub — Servers should be secure in datacenters; physical access means a compromise anyway, and grub passwords get in the way of administration. Complete waste of my time.
  • Turn off IPv6 — This is laughable and becoming more indefensible now.
  • IDS — Also mostly a source of noise. I suggest using fail2ban to automate iptables blocking in response to attacks, which does something useful e.

Just get your account management right. That should be policy 0, the one that comes before all else.

Well, one forgot about port needed in some apps like ISPConfig or whatever. Put Firefox using SOCKS v5. Let MySQL as default listen only. And keep it in mind: everything made by humans will be cracked by humans; it is just a matter of time!

Thanks a lot for your work and information to all of us.

What about setting up a catch-all mailbox for all the root email on your servers? Reading one mailbox is better than logging into every server to check status.

I love you, Vivek. You save me every time I have issues or questions.

You make me look like an elite Linux user and server admin. Thank you so much for your hard work and please do keep on keeping on.

Everything in one place and so neat. Thanks for sharing such useful info. Thanks in tons.

Hey, thanks for writing up an article on securing servers. Anyway, I had to go in and kill Apache via SSH and had to switch it off for 12 hours until the hacking went away. I later realised that my WordPress sites were getting whacked via the login path.

It is a complete manual about security issues, from RedHat …, that has it.

IDS software essentially takes the place of all those people who used to monitor forensic logging components. Auditing the software on your distributed network is essential.

YES, chroot was invented for a totally different purpose. It is that it has risks, some of which depend on whether the file systems are properly separated, i.

And yes, chroot has uses, many uses, e. But this question is all one needs to think about: why is it that the chroot system call (see chroot(2)) will give an unprivileged user the error EPERM, i.e. permission denied? Sort of like why chown has similar restrictions. Still, there is a reason chroot is restricted, just like chown.

Another useful security measure is to protect SSH with two-factor authentication. You can use the Google Authenticator. It can be easily installed and configured.

Do you have any updated link for that?

Post it on our forum!

25 Hardening Security Tips for Linux Servers

Thanks for posting this. It saves a lot of time and trouble once configured and is recommended for system administrators who are overwhelmed by log files and perhaps do not use them for that reason.

Scanlogd

Scanlogd is an open source program that detects and logs TCP port scanning on a system. For example, it can detect nmap scans. Port scanning is often the first step an attacker takes once he or she has access to your network, to determine which system to target. Scanlogd can alert an administrator when the network is being mapped, but it cannot stop the intrusion.

Scanlogd was originally designed to illustrate attacks, not to fix them. Therefore, even though it is safe to run on your system, it does not prevent hacking attacks. You must read the system log to discover what happened to your system, and then determine the appropriate solution.

Scanlogd writes one line per scan using the syslog(3) mechanism. It also logs when a source address sends many packets to several different ports in a short amount of time. You can learn about scanlogd and download the program at www. The scanlogd home page is shown in Figure 2. In addition, scanlogd supports the raw socket interface on Linux as well as capture via libnids and libpcap.

syslog-ng

syslog-ng is a logging daemon that replaces the traditional syslogd. syslog-ng is easier to configure and offers additional logging features and more flexible configuration.

We have to comment it out.

This particular key sequence signalling will shut down a system. So, you must make sure all accounts have strong passwords and no one has any unauthorized access. Accounts with empty passwords are security risks and can easily be hacked. To check whether there are any accounts with empty passwords, use the following command. To set such banners, read the following article. If you are dealing with lots of users, then it's important to collect information on each user's activities and the processes they consume, and analyse it at a later time or in case of any kind of performance or security issue.


But how can we monitor and collect user activity information? For more information about installation, configuration and usage, visit the URL below.

Move logs to a dedicated log server; this prevents intruders from easily modifying local logs. Below are the common Linux default log file names and their usage:

In a production system, it is necessary to back up important files and keep them in a safety vault, remote site or offsite for disaster recovery.

There are two types of mode in NIC bonding that need to be specified on the bonding interface. NIC bonding helps us avoid a single point of failure: our network will remain available if one NIC is down or unavailable for any reason.

Changing it to read-only reduces the risk of unauthorized modification of critical boot files. Please note that you need to reset the change to read-write if you need to upgrade the kernel in the future.

I am Ravi Saive, creator of TecMint.



Thanks for the tutorial. You may change step 1: MD5 is deprecated and now the command is grub-mkpasswd-pbkdf2. Otherwise a very good article for Linux security.

Kindly help me understand tip number