12 - T4 - OS SEC - Linux Hardening

The document outlines the process of hardening Linux systems to enhance security by reducing vulnerabilities, applying patches, managing user privileges, and implementing security policies. It emphasizes the importance of automated patching, password security, and monitoring tools to detect changes and unusual activities. Additionally, it discusses various security measures, including firewalls, encryption, and auditing software to protect systems effectively.


IE3062 – Data and Operating Systems Security

Linux Hardening

IE3062 | Data and Operating Systems Security | Laneesha Ruggahakotuwa


Introduction
 Hardening is the process of securing a system by reducing its attack surface, which
grows with the number of functions the system performs.
 A single-function system is easier to secure than a multi-purpose one.
 Hardening scripts and tools such as Lynis, Bastille Linux, JASS (for Solaris) and
Apache/PHP Hardener can deactivate unnecessary features in configuration files or
perform various other protective measures.
Hardening Process in Linux
 Linux is a powerful operating system.
 It has a built-in security model (per-user IDs, file permissions, privilege separation).
 It still requires hardening to make it more secure: distribution defaults favour
compatibility and convenience over minimal exposure.



Patch your Servers
 It is critical that patches and security fixes are applied to keep the OS up to date.
 Patches mitigate known threats; a publicly known, unpatched vulnerability is the
cheapest way in for an attacker.
 Be aware that patches can cause problems, so proper testing is required:
– On a separate system
– Virtualization makes reverting a patch easy: snapshot before patching, roll back if needed
 Manual patching/updating is not a viable option at scale.
 Automated means of patching and roll-back are essential.
 Linux distros offer only limited roll-back of updates (yum/dnf keep a transaction
history that `yum history undo` can reverse; apt has no built-in undo), so snapshots
or backups are the practical fallback.
OS Specific Patching
1. Fedora, Red Hat
– rpm -Uvh package.rpm   (rpm {-U|--upgrade} [install-options] PACKAGE_FILE ...)
– yum update package   (dnf update package on current Fedora/RHEL)
2. SUSE
– yast --install package
– zypper update package   (zypper patch applies all needed patches and takes no package name)
3. Solaris
– smpatch update   (from a local patch server; -i patch-id for a single patch)
– pkg update --be-name updateBEname package   (installs into a new boot environment, which gives roll-back)
4. Ubuntu, Debian
– dpkg -i package.deb
– apt-get update && apt-get install --only-upgrade package   (apt-get update only
refreshes the package index; apt-get upgrade applies all pending updates)
Password Checks & Root Privileges
Password authentication is used by most systems.
 Stored password information is protected in several ways:
– Hashing (with a per-user salt)
– File permissions
 Password hashes should only be found in /etc/shadow (readable by root only);
/etc/passwd is world-readable, so its password field should be "x".

The root user has UID 0.
 There should be only one account with UID 0.
 Multiple UID-0 accounts are a security problem.
 Check for other accounts with UID 0: they have full root privileges, and an unexpected
one is clear evidence of malicious activity (a successful privilege escalation that left a
persistent backdoor account).

UIDs & Usernames
 File ownership is determined by UID, not by username.
 Duplication needs to be prevented:
 Shared IDs are a security risk: two users with the same UID own each other's files
and are indistinguishable in logs and audit trails.
 Account tools (useradd, usermod) are designed to prevent duplication.
 Root can still make manual modifications that lead to duplication: an administrator
can edit /etc/passwd directly to change the username or UID field, bypassing those
checks (if manual editing is unavoidable, use vipw, which at least locks the file).
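The checks from the two slides above (extra UID-0 accounts, duplicate UIDs or usernames, and password hashes left in /etc/passwd) as a shell script. This is an added example, not part of the slides; the passwd lines it runs against are a constructed sample, and the planted toor, mallory, legacy and nopass entries are fictional. Pass a path to audit a real file.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for extra UID-0 accounts,
# duplicate UIDs/usernames, and password hashes stored outside /etc/shadow.

# Every account whose UID field is 0. Anything other than "root" is a finding.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UIDs that occur more than once. Ownership is by UID, so two names sharing a
# UID are one identity with two passwords and are indistinguishable in audit logs.
duplicate_uids() {
    awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Usernames that occur more than once (only possible through hand edits).
duplicate_names() {
    awk -F: '{ n[$1]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort
}

# Accounts whose password field is neither "x" (hash lives in /etc/shadow) nor a
# lock marker ("*" or "!..."): a real hash here is world-readable, and an empty
# field means login with no password at all.
hashes_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ {
                 print $1 ":" ($2 == "" ? "<empty>" : "hash") }' "$1"
}

# Constructed sample, not a real system. Planted findings: a second UID-0 account
# (toor), a duplicated UID (mallory reuses 1000), a duplicated name (alice), a
# fake hash in the passwd file (legacy) and a passwordless account (nopass).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
mallory:x:1000:1000::/home/mallory:/bin/bash
alice:x:1002:1002::/home/alice2:/bin/bash
legacy:$6$fakesalt$FAKEHASHFORDEMO:1003:1003::/home/legacy:/bin/sh
nopass::1004:1004::/home/nopass:/bin/sh
EOF
}

audit_passwd() {
    printf '== UID 0 accounts other than root ==\n'
    uid0_accounts "$1" | grep -vx root | sed 's/^/  /'
    printf '== duplicate UIDs ==\n'
    duplicate_uids "$1" | sed 's/^/  /'
    printf '== duplicate usernames ==\n'
    duplicate_names "$1" | sed 's/^/  /'
    printf '== password field not deferred to /etc/shadow ==\n'
    hashes_in_passwd "$1" | sed 's/^/  /'
}

# Usage: ./passwd_audit.sh /etc/passwd   (no argument: run against the sample)
if [ -n "${1:-}" ]; then
    audit_passwd "$1"
else
    tmp=$(mktemp); sample_passwd > "$tmp"; audit_passwd "$tmp"; rm -f "$tmp"
fi
```

On a real host, `awk -F: '$3 == 0' /etc/passwd` should print exactly one line; `pwck -r` performs the duplicate and format checks with the distribution's own tooling.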
Password Security Enhancement
 Run user awareness sessions about the password policy and about social-engineering
attacks.
 Password strength:
Length
Character set allowed
Salted hashing on the server side (the salt defeats precomputed/rainbow-table
attacks on stored hashes; it does not make a weak password strong)
 Prevent repeat/recycling of old passwords
 Frequency of password change (minimum and maximum age)
 Password lifespan (expiry and account inactivity)
Password Security : PAM Module
PAM configuration files are located in /etc/pam.d (one file per service; the shared
password stack is /etc/pam.d/common-password on Debian/Ubuntu and
/etc/pam.d/system-auth and password-auth on RHEL/Fedora). Policy is enforced by modules:
Minimum password length (pam_pwquality, or the older pam_cracklib: minlen=)
Minimum complexity (pam_pwquality credit options such as dcredit=-1 ucredit=-1)
Avoiding reuse of old passwords (pam_pwhistory: remember=N)
Password Security (Expiration Period)
1. Set a minimum password length.
2. The expiration period should be determined to a large extent by the password
complexity: the longer and more complex the password, the longer it can safely live.
3. 90-120 days is commonly used (PASS_MAX_DAYS in /etc/login.defs applies to new
accounts; chage -M changes existing ones).
4. If the minimum password length is below 8 characters, a shorter expiration period may be
needed.
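A script that reads the knobs named on the last three slides (length, complexity, reuse, expiration) from a login.defs file and a pam.d password stack and grades them. This is an added example, not from the slides or any distribution; the two sample configurations are constructed (the "weak" pair mirrors common distro defaults), and the thresholds (14 characters, 24 remembered passwords, 90/1 days) are this example's own policy choices.

```shell
#!/bin/sh
# Added example: audit password policy in /etc/login.defs and the PAM password stack.
# Thresholds are this example's assumptions, not values from the slides.

# Value of KEY in a login.defs-style file, ignoring comments; "unset" if absent.
login_def() {  # login_def FILE KEY
    awk -v key="$2" '$0 !~ /^[ \t]*#/ && $1 == key { v = $2 }
                     END { print (v == "" ? "unset" : v) }' "$1"
}

# Value of OPTION (e.g. minlen) on the "password" line that loads MODULE
# (e.g. pam_pwquality.so); "unset" if the module or the option is absent.
pam_option() {  # pam_option FILE MODULE OPTION
    awk -v mod="$2" -v opt="$3" '
        $0 !~ /^[ \t]*#/ && $1 == "password" && index($0, mod) {
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == opt) { print kv[2]; found = 1 }
        }
        END { if (!found) print "unset" }' "$1"
}

verdict() {  # verdict LABEL VALUE OP THRESHOLD  ->  "ok   LABEL" or "WEAK LABEL"
    if [ "$2" != unset ] && [ "$2" "$3" "$4" ] 2>/dev/null; then
        printf 'ok   %s\n' "$1"
    else
        printf 'WEAK %s\n' "$1"
    fi
}

check_policy() {  # check_policy LOGIN_DEFS PAM_PASSWORD_FILE
    max=$(login_def "$1" PASS_MAX_DAYS)
    min=$(login_def "$1" PASS_MIN_DAYS)
    minlen=$(pam_option "$2" pam_pwquality.so minlen)
    remember=$(pam_option "$2" pam_pwhistory.so remember)
    verdict "PASS_MAX_DAYS=$max (want <= 90)"               "$max"      -le 90
    verdict "PASS_MIN_DAYS=$min (want >= 1)"                "$min"      -ge 1
    verdict "pam_pwquality minlen=$minlen (want >= 14)"     "$minlen"   -ge 14
    verdict "pam_pwhistory remember=$remember (want >= 12)" "$remember" -ge 12
}
policy_failures() { check_policy "$@" | grep -c '^WEAK'; }

# Constructed samples. "weak" mirrors typical distro defaults: no maximum age, no
# minimum age, the quality module loaded without a minimum length, no history.
weak_login_defs() { printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n'; }
hard_login_defs() { printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t14\n'; }
weak_pam_password() {
    cat <<'EOF'
# constructed /etc/pam.d/common-password (weak)
password    requisite                   pam_pwquality.so retry=3
password    [success=1 default=ignore]  pam_unix.so obscure sha512
EOF
}
hard_pam_password() {
    cat <<'EOF'
# constructed /etc/pam.d/common-password (hardened): length, four character classes,
# history of 24, and the same rules applied to root
password    requisite                   pam_pwquality.so retry=3 minlen=14 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 enforce_for_root
password    required                    pam_pwhistory.so remember=24 use_authtok enforce_for_root
password    [success=1 default=ignore]  pam_unix.so obscure use_authtok sha512
EOF
}

# Usage on a live host: check_policy /etc/login.defs /etc/pam.d/common-password
d=$(mktemp -d)
weak_login_defs > "$d/weak.defs"; weak_pam_password > "$d/weak.pam"
hard_login_defs > "$d/hard.defs"; hard_pam_password > "$d/hard.pam"
printf -- '-- weak (distro defaults) --\n'; check_policy "$d/weak.defs" "$d/weak.pam"
printf -- '-- hardened --\n';               check_policy "$d/hard.defs" "$d/hard.pam"
rm -rf "$d"
```

Note that PASS_MIN_LEN in login.defs is ignored once PAM handles password changes, which is why the length check reads the pam_pwquality line rather than login.defs, and that login.defs values only apply to accounts created afterwards; existing accounts need `chage`.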
Defining a security policy
 Discussing security in broad strokes is impossible.
 Some questions you need to answer:
- What are you trying to protect? Computers? Data?
- What are you trying to protect against?
- Who are you trying to protect?
 These three factors are what we mean when we talk about risk.
 Once you know the answers you can start thinking about a security policy.
Defining a security policy
 The right policy depends on what is at stake:
 Suppose you have an old PC acting as a server that holds some photos.
 You have a computer you use just to play around on and learn new things.
 You have a computer where you store your financial data: bitcoin, bank accounts,
credit card information, etc.
 Each of these justifies a different level of protection and effort.
Constraints
 How far are you willing to go to secure a system?
 More security usually means less performance and less convenience. How much of that can
your applications (and users) stand?
Default Account Cleanup
 Most distros create a significant number of default accounts.
 Most are never used; remove or lock them.
 Fewer accounts make unusual activity easier to detect.
 It limits the options for attackers to get a toehold in the system.
 Some default accounts need to be kept for system operational reasons (daemons drop
privileges to them).
 Do not delete accounts that you are unsure about; lock them instead.
 To block an account, change the user's password field in /etc/shadow to an invalid
hash value such as "!" or "*" (passwd -l does this by prefixing the hash with "!"), and
set the login shell to /usr/sbin/nologin.
 Suggestion: look up the documentation for /etc/shadow and /etc/passwd (man 5 shadow,
man 5 passwd).
 Login attempts against blocked accounts should be logged and generate an alert.
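The cleanup and expiration rules above, turned into an audit of shadow- and passwd-format files: which system accounts are not actually blocked (usable password, or an interactive shell) and which accounts have passwords that never expire. This is an added example, not from the slides; both input files are constructed samples with fake hash strings, and the "UID below 1000 is a system account" threshold is an assumption (older Red Hat releases used 500).

```shell
#!/bin/sh
# Added example: find system accounts that are not fully blocked, and accounts
# whose passwords never expire, from shadow and passwd files.
# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved

# Classify the password field. "*" or anything starting with "!" (including "!!"
# and the "!"-prefixed hash written by passwd -l / usermod -L) can never match a
# typed password, so the account is locked.
hash_state() {  # hash_state HASHFIELD -> locked | empty | set
    case "$1" in
        "")        printf 'empty\n' ;;
        '*'|'!'*)  printf 'locked\n' ;;
        *)         printf 'set\n' ;;
    esac
}

# System accounts (UID < 1000, not root) that could still be used to log in:
# password not locked, or an interactive shell instead of nologin/false.
loginable_system_accounts() {  # loginable_system_accounts SHADOW PASSWD
    awk -F: 'NR == FNR { uid[$1] = $3; shell[$1] = $7; next }
             $1 != "root" && uid[$1] < 1000 { print $1 "|" $2 "|" shell[$1] }' "$2" "$1" |
    while IFS='|' read -r name hash shell; do
        state=$(hash_state "$hash")
        case "$shell" in */nologin|*/false) shell_ok=1 ;; *) shell_ok=0 ;; esac
        if [ "$state" != locked ] || [ "$shell_ok" = 0 ]; then
            printf '%s password=%s shell=%s\n' "$name" "$state" "${shell:-missing-from-passwd}"
        fi
    done
}

# Accounts with a usable password whose maximum age is unset or 99999 (never expires).
no_expiry_accounts() {  # no_expiry_accounts SHADOW
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# Constructed samples, not a real system; hash strings are placeholders.
# games is locked but keeps /bin/sh, ftp has an empty password, mysql has a real
# password; root, mysql and bob never expire, alice has a 90-day maximum.
sample_shadow() { cat <<'EOF'
root:$6$fakesalt$FAKEROOTHASH:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
games:!!:19000:0:99999:7:::
ftp::19000:0:99999:7:::
mysql:$6$fakesalt$FAKEMYSQLHASH:19000:0:99999:7:::
alice:$6$fakesalt$FAKEALICEHASH:19600:1:90:14:::
bob:$6$fakesalt$FAKEBOBHASH:19600:0:99999:7:::
EOF
}
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
mysql:x:112:120:MySQL Server:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
}

# Usage: ./shadow_audit.sh /etc/shadow /etc/passwd   (root needed; no args: samples)
if [ -n "${2:-}" ]; then sh_file="$1"; pw_file="$2"; else
    sh_file=$(mktemp); pw_file=$(mktemp); sample_shadow > "$sh_file"; sample_passwd > "$pw_file"; fi
printf '== system accounts that are not fully blocked ==\n'
loginable_system_accounts "$sh_file" "$pw_file" | sed 's/^/  /'
printf '== accounts whose password never expires ==\n'
no_expiry_accounts "$sh_file" | sed 's/^/  /'
[ -n "${2:-}" ] || rm -f "$sh_file" "$pw_file"
```

For each finding the remediation is the one the slide describes: `passwd -l NAME` to invalidate the hash, `usermod -s /usr/sbin/nologin NAME` to remove the shell, and `chage -M 90 NAME` for accounts that must keep a password.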
Attack Surface
 A computer system can be segmented into consistent and independent subsystems.
 Each subsystem has its own set of risks and, most likely, its own policies.
 A smaller attack surface is easier to defend than a large one.
Eg:
1. A sensitive network service should be reachable from the fewest possible number of
computer systems (routers and checkpoints).
2. It is easier to secure a checkpoint than a whole group of individual systems.
Possible Security Measures
 Servers - if the servers are publicly accessible
1. Secure the network ports (firewall)
2. Only enable the network services you need
3. Change default passwords
4. Use two-factor logins
5. Use fail2ban to limit brute-force password attempts
6. If you serve HTTP, use HTTPS to prevent intermediaries from sniffing your network
traffic
Possible Security Measures
 Laptop
1. Travelling with a laptop?
2. Risk of it being stolen
3. Risk of data being collected on open Wi-Fi hotspots
4. Full disk encryption is needed (e.g. LUKS), so a stolen device yields no data
5. A host firewall is needed to prevent access to services that are running
6. A VPN to access home servers, so traffic on untrusted networks stays encrypted
Possible Security Measures
 Network
1. Disable services that are not being used or needed
2. If there is no firewall and a network service is up, it is available to anyone who
can reach the host
3. Some services have no authorization credentials at all, so exposure alone is a compromise
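A check for "only enable the network services you need" from the server and network slides: parse the output of `ss -tulnH` (the iproute2 socket listing; columns Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and report every socket that is bound to a non-loopback address and not on an explicit allowlist. This is an added example, not from the slides; the `ss` output it parses by default is a constructed sample, and the allowlist format ("tcp/22 tcp/443") is this example's own convention.

```shell
#!/bin/sh
# Added example: from `ss -tulnH` output, list listening sockets and flag the ones
# reachable from the network that are not on an explicit allowlist.

# Print "proto addr port" per socket. The port is everything after the last colon,
# so IPv6 forms such as [::]:22 and wildcards such as *:80 parse correctly.
listeners() {  # listeners SS_OUTPUT_FILE
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
            n = split($5, p, ":"); port = p[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            print $1, addr, port }' "$1"
}

# Sockets not bound to loopback whose proto/port is not allowlisted.
exposed_listeners() {  # exposed_listeners SS_OUTPUT_FILE "tcp/22 tcp/443"
    allow=" $2 "
    listeners "$1" | while read -r proto addr port; do
        case "$addr" in 127.*|'[::1]'|::1) continue ;; esac      # local only
        case "$allow" in *" $proto/$port "*) continue ;; esac     # explicitly wanted
        printf '%s %s:%s\n' "$proto" "$addr" "$port"
    done
}

# Constructed sample of `ss -tulnH` output, not a capture from a real host:
# sshd on v4 and v6, a web server on the wildcard, MySQL and chrony on loopback,
# plus a DHCP client, rpcbind and an Elasticsearch-style port nobody asked for.
sample_ss() { cat <<'EOF'
udp   UNCONN 0      0           0.0.0.0:68          0.0.0.0:*
udp   UNCONN 0      0         127.0.0.1:323         0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      4096      127.0.0.1:3306        0.0.0.0:*
tcp   LISTEN 0      511               *:80                *:*
tcp   LISTEN 0      128         0.0.0.0:111         0.0.0.0:*
tcp   LISTEN 0      128            [::]:22             [::]:*
tcp   LISTEN 0      50         10.0.0.5:9200        0.0.0.0:*
EOF
}

# Usage on a live host:  ss -tulnH > /tmp/ss.out; ./exposed.sh /tmp/ss.out "tcp/22 tcp/443"
allow_list="${2:-tcp/22 tcp/80}"
if [ -n "${1:-}" ]; then exposed_listeners "$1" "$allow_list"; else
    t=$(mktemp); sample_ss > "$t"
    printf 'allowlist: %s\n' "$allow_list"
    exposed_listeners "$t" "$allow_list" | sed 's/^/  exposed: /'
    rm -f "$t"
fi
```

Everything the script prints is a service to either disable, bind to loopback or a management address, or add to the allowlist deliberately; with `ss -tulnpH` (run as root) the extra Process column identifies the owning daemon.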



OpenSSH
 Always use encryption to mitigate the risk from MITM attacks and eavesdropping.
 The server (sshd) is not installed by default in many Linux distros.
 Install it as the replacement for clear-text services such as telnet and tftp (and rsh/ftp).
 Highly customizable through the command line and the config file.
 System-wide config: /etc/ssh/sshd_config (server)
/etc/ssh/ssh_config (client)
 User-specific config: ~/.ssh/config
 Cheat sheet of all options available from:
http://www.cheat-sheets.org/saved-copy/OpenSSH_quickref.pdf
 Daemon: /usr/sbin/sshd
 Use the debug flag (-d) when things go wrong (runs in the foreground and serves one connection)
 Config file not in the default location? Use the -f flag.
 sshd -t checks a config file for errors before you restart; sshd -T prints the effective settings.



OpenSSH Secure Settings
/etc/ssh/sshd_config
– Port: listening port (default 22)
– ListenAddress: address(es) on which to accept connections; bind to the management
interface only, where possible
– Protocol: SSH version to be used. Force version 2, as version 1 has known
cryptographic weaknesses. (OpenSSH 7.4 and later removed server-side protocol 1
entirely; on current releases the directive remains only for compatibility.)
– LogLevel: verbosity level for the logging. If you have a problem use a more detailed
setting (DEBUG); VERBOSE additionally logs the fingerprint of the key used for each login.
– StrictModes: check ownership and permissions of the user's home directory and ~/.ssh
files before accepting a login; keep it at yes.
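An audit of sshd_config that follows the parsing rule sshd itself applies (the first occurrence of a keyword wins, keywords are case-insensitive) and grades the result. This is an added example, not from the slides or the OpenSSH project: the two sample configs are constructed, and it goes beyond the directives listed on the slide by also grading PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, X11Forwarding and MaxAuthTries, with accepted values chosen as this example's policy. It ignores Match blocks and the `Key=value` spelling; on a live host, `sshd -T` gives the authoritative effective configuration.

```shell
#!/bin/sh
# Added example: grade sshd_config settings. First occurrence of a keyword wins,
# as in sshd. Policy values below are this example's assumptions.

sshd_setting() {  # sshd_setting FILE Directive -> value, or "default" if not set globally
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        tolower($1) == "match" { exit }           # global section ends at the first Match
        tolower($1) == key { v = $2; for (i = 3; i <= NF; i++) v = v " " $i
                             print v; found = 1; exit }
        END { if (!found) print "default" }' "$1"
}

grade() {  # grade FILE Directive ALLOWED_REGEX -> "ok   Directive=value" | "WEAK Directive=value"
    v=$(sshd_setting "$1" "$2")
    if printf '%s\n' "$v" | grep -Eiqx "$3"; then printf 'ok   %s=%s\n' "$2" "$v"
    else printf 'WEAK %s=%s\n' "$2" "$v"; fi
}

# "default" is accepted only where the compiled-in default is already the safe value.
sshd_audit() {  # sshd_audit FILE
    grade "$1" Protocol               '2|default'          # v1 is broken; absent on modern builds
    grade "$1" PermitRootLogin        'no|prohibit-password|without-password'
    grade "$1" PasswordAuthentication 'no'                 # default is yes: require keys explicitly
    grade "$1" PermitEmptyPasswords   'no|default'
    grade "$1" StrictModes            'yes|default'
    grade "$1" LogLevel               'INFO|VERBOSE|default'
    grade "$1" X11Forwarding          'no|default'
    grade "$1" MaxAuthTries           '[1-4]'              # default is 6
}
sshd_weak_count() { sshd_audit "$1" | grep -c '^WEAK'; }

# Constructed sshd_config samples, not from a real host.
weak_sshd_config() { cat <<'EOF'
Port 22
ListenAddress 0.0.0.0
Protocol 2,1
LogLevel INFO
PermitRootLogin yes
#PasswordAuthentication no
StrictModes no
X11Forwarding yes
EOF
}
hard_sshd_config() { cat <<'EOF'
Port 22
ListenAddress 10.0.0.5
LogLevel VERBOSE
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
StrictModes yes
X11Forwarding no
MaxAuthTries 3
EOF
}

# Usage: ./sshd_audit.sh /etc/ssh/sshd_config   (no argument: grade both samples)
if [ -n "${1:-}" ]; then sshd_audit "$1"; else
    d=$(mktemp -d); weak_sshd_config > "$d/weak"; hard_sshd_config > "$d/hard"
    printf -- '-- weak --\n'; sshd_audit "$d/weak"
    printf -- '-- hardened --\n'; sshd_audit "$d/hard"
    rm -rf "$d"
fi
```

The commented-out `#PasswordAuthentication no` in the weak sample is the classic trap: the line looks hardened but sshd never reads it, so the compiled-in default (yes) applies, which is why the grader reports it as "default" and flags it.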
Possible Security Measures
 Firewall
1. Filtering gateway type: firewalls installed on routers that act as a gateway to an
internal network (eg: pfSense, OPNsense)
2. Netfilter (iptables/nftables) on Linux, or IPFilter on BSD and Solaris: packet filters
built into the kernel that protect individual computers. A default-deny inbound policy
with explicit allow rules is the hardening baseline.



Monitoring and Logging
 Logcheck can email you messages containing the entries from your system logs that are
unusual (everything its ignore rules do not match).
- It can report at three levels: paranoid, server and workstation.
- Caution: paranoid is very verbose and should probably be reserved for sensitive data servers or firewall
gateways.
 top, htop and glances are all good tools to monitor what is going on right now on
your system; what you are looking for is unusual CPU activity or network activity
(higher volume than normal), which means you need a baseline of normal to compare against.



Detecting Changes
 Package Changes
1. On Debian systems use dpkg --verify (or debsums) to see whether installed files have been altered
relative to what the package shipped.
2. On Red Hat systems use rpm -Va (rpm --verify --all).
3. See the man pages for the attribute codes that are printed (S size, M mode, 5 digest,
D device, L link, U user, G group, T mtime, P capabilities) and what they mean. Both
checks trust the local package database, which an attacker with root can rewrite, so
they complement rather than replace an independent integrity database.
 AIDE is also a good way of detecting changes in the file systems.
 The Linux command apropos <keyword> is a good way to search for commands in the man
pages without having to know the specific command to look for; see its man page for
more examples.
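A triage script for the verify output described above: it decodes the nine attribute columns of each `rpm -Va` line and sorts the results by how worrying they are. This is an added example, not from the slides or the rpm project; the output it parses by default is a constructed sample, and the severity rules (content or permission changes on non-config files are HIGH, owner/group/mtime changes MEDIUM, edited config files and missing files are recorded but not escalated) are this example's own policy. `dpkg --verify` prints the same nine-column layout (with "?" for attributes dpkg does not record), so the same parser applies.

```shell
#!/bin/sh
# Added example: turn `rpm -Va` output into prioritized findings. Each line is nine
# attribute columns (S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities; "." unchanged, "?" not testable), an optional file type
# (c config, d doc, g ghost, l license, r readme), then the path. "missing" lines
# mark files the package owns that are gone. Severity rules are this example's policy.

decode_flags() {  # decode_flags 'S.5....T.' -> "size digest mtime"
    s="$1"; out=""
    for n in size mode digest device link user group mtime caps; do
        ch=${s%"${s#?}"}      # first character of what is left
        s=${s#?}
        case "$ch" in ''|.|'?') ;; *) out="$out $n" ;; esac
    done
    printf '%s\n' "${out# }"
}

classify_verify_line() {  # classify_verify_line LINE -> "LEVEL|type|path|what"
    printf '%s\n' "$1" | {
        read -r flags f2 f3
        case "$f2" in /*) type=""; path="$f2" ;; *) type="$f2"; path="$f3" ;; esac
        if [ "$flags" = missing ]; then
            printf 'MEDIUM|%s|%s|missing\n' "$type" "$path"
        else
            decoded=$(decode_flags "$flags")
            if [ "$type" = c ]; then                       # edited config: expected, record it
                printf 'INFO|c|%s|%s\n' "$path" "$decoded"
            elif printf '%s\n' "$decoded" | grep -Eq 'size|digest|mode|link|caps'; then
                printf 'HIGH|%s|%s|%s\n' "$type" "$path" "$decoded"     # content or privilege bits changed
            elif [ -n "$decoded" ]; then
                printf 'MEDIUM|%s|%s|%s\n' "$type" "$path" "$decoded"   # owner/group/mtime only
            else
                printf 'INFO|%s|%s|unverified\n' "$type" "$path"        # only "?" columns
            fi
        fi
    }
}

verify_report() {  # verify_report FILE_WITH_RPM_VA_OUTPUT
    while IFS= read -r line; do
        printf '%s\n' "$line" | grep -Eq '^([SM5DLUGTP.?]{9}|missing) ' || continue
        classify_verify_line "$line"
    done < "$1"
}
high_findings() { verify_report "$1" | awk -F'|' '$1 == "HIGH" { print $3 }'; }

# Constructed sample of `rpm -Va` output, not from a real host: two edited config
# files, a replaced ps binary, a mode change on sudo, ownership change on a spool
# directory, a missing man page, an mtime-only change and an untestable digest.
sample_rpm_va() { cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/yum.conf
S.5....T.    /usr/bin/ps
.M.......    /usr/bin/sudo
.....UG..    /var/spool/cron
missing     /usr/share/man/man1/sshd.1.gz
.......T.    /usr/lib64/libz.so.1.2.11
..?......    /usr/bin/passwd
EOF
}

# Usage on a live host:  rpm -Va 2>/dev/null > /tmp/rpm-va.out; ./verify_triage.sh /tmp/rpm-va.out
if [ -n "${1:-}" ]; then verify_report "$1" | sort; else
    t=$(mktemp); sample_rpm_va > "$t"; verify_report "$t" | sort; rm -f "$t"; fi
```

A HIGH finding on a binary such as /usr/bin/ps is exactly the rootkit signature this check exists for; confirm it with `rpm -qf PATH` and a reinstall from a trusted mirror (`dnf reinstall`) rather than trusting the on-disk copy, and remember that the rpm database itself is on the same disk.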



Auditing Software - AIDE
Advanced Intrusion Detection Environment
http://aide.sourceforge.net/
– Free tool that can be deployed on most Linux distros
– Checks file integrity (such as system config files and binaries) against a baseline
database created with aide --init and compared with aide --check
– Can be run from a central server that also collects the syslog information. Keep the
baseline database and the aide binary where the monitored host cannot modify them
(read-only media or a remote copy); otherwise an attacker with root simply
re-initializes the baseline after making changes.
– Scheduling (cron or a systemd timer) can be used to automate the check process, with
alerts sent to predetermined accounts