Things to Remember While Hardening the Linux Server

Linux Server Hardening Checklist Techhyme

This article is a hardening/checklist guide for the Linux operating system for servers. It summarizes a checklist of the configuration settings that constitute a secure server to safeguard against potential hackers and crackers.

It provides contextual descriptions of each checklist item along with details of what the setting means, its possible values followed by recommended mitigating strategies.

Also Read: Things to Remember While Hardening the Windows Server

The recommendations are intended to provide helpful information to administrators attempting to evaluate or improve the security of their systems. Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a “quick fix” solution for securing server’s operating system.

1. Physical Security

For new server in the network infra, secure it from combative network traffic make the Operating system installed and hardened
Configure BIOS/firmware password
Manage the boot order to prevent unauthorized booting from any type of removeable/static media.
Install and update the latest version of OS.

2. Linux Filesystem Configuration/countermeasures

separate partitions for /var, /var/log, /var/log/audit, and /home
separate partition with the nodev, nosuid, and noexec options sets for /tmp, set nodev option to /home
Bind mount /var/tmp to /tmp.
Sticky bit configuration on all writable files/directories.
Set nodev, nosuid, and noexec options on /dev/shm.
Configure SUID bit for files

3. Security Operating system Updates

Register server with satellite/centralized server, system will get patched and updated
All changes must be documented before being applied to the production system. The administrator must carefully weigh the criticality of the patch before installing
Install, enable and use the yum-security plugin
Fetches and update the list of available updates

4. Secure System Boot Settings

Configure boot loader password. Configure in /etc/grub.conf file or /boot/grub2/grub.cfg
Set user/group owner to root, and permissions to read and write for root only, on /etc/grub.conf or /boot/grub2/grub.cfg
Do not configure the GUI server or X-Window system, if not required
Disable/Remove X Font Server.

5. Process Hardening

Restrict core dumps
Enable Randomized Virtual Memory Region Placement
Edit /etc/sysctl.conf file as follows:
kernel.randomize_va_space = 2

6. Operating system Hardening

Remove/disable services (like, telnet-server; rsh, rlogin, rcp; ypserv, ypbind; tftp, tftp-server; talk, talk-server)
Remove/disable xinetd service if not in use
Disable any services and applications started by xinetd or inetd that are not being used or services that are autorun by system. Disable any xinetd services you do not absolutely require by setting “disable=yes” in /etc/xinetd.d/*
Configure TCP wrappers for access control
Disable inherited services (e.g., chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, echo-dgram, echo-stream, tcpmux-server)
Disable or remove default installed server services that are not going to be used (like FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.)
Disabled any unnecessary startup scripts under /etc, /etc/rc*.d, or /etc/init.d (or startup script directory for your system) and disabled any unneeded services from starting in these scripts
System default umask for daemons must be 027 or 022
CTRL-ALT-DEL should be disabled in the system for security
Remove accounts with empty passwords
CRON and AT related files must be secured. Only root must be given permissions to run CRON and AT jobs.
Linux OS /etc/passwd, /etc/shadow and /etc/group files are most important files
Change the owner of these files to root and change the permission using the following commands:
ls -l /etc/passwd/etc/shadow/etc/groupcd /etc
chownroot:root passwd shadow group
chmod 644 passwd group
chmod 400 shadow
FTP settings should be secure. Configure secure settings. Restrict access to authorized users by appropriately adding users in the /etc/ftpusers or /etc/vsftpd/ftpusers file

7. Password Policy

Password parameter must be set for all users:
- Enforced password history: 5
- Maximum password age: 45 days
- Minimum password length: 8 alphanumeric
- Password Complexity: Should be a combination of Upper case, lower case letters, numbers and special characters.
- Account lockout threshold: 3
User password resets will be performed when requested by the user, after verification of identity
Users should be provided with the capability to change their password on the login interface (after authentication through Old Password)

8. OS Network Security and Built-In Firewall Configuration

Limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies
Disable IP forwarding if not using as router
Disable send packet redirects option
Disable source routed packet acceptance
Disable ICMP redirect acceptance
Enable Ignore Broadcast Requests
Enable Bad Error Message Protection
Enable TCP/SYN cookies

9. Remote Administration (If required)

Disable Telnet and use SSH service
Install/upgrade SSH protocol to 2
Change the port from port 22 to something/anything else. There are scripts online that malicious hackers can use against an SSH server
Set SSH Log Level to INFO.INFO is a basic logging level that will capture user login and logout activity
Disable SSH login for Root user
Set SSH Permit Empty Passwords to No
Remote login should block for unauthenticated users. Remove /etc/hosts.equiv file if not required; otherwise check & verify all hosts/users listed in the file & remove if not required

10. System Integrity and Intrusion Detection

Install and configure Advanced Intrusion Detection Environment (AIDE)
Configure SELinux as per the server requirement
Install and configure OSSec Host-based intrusion detection system that helps to performs log analysis, file integrity checking, and rootkit detection, with real time alerting

11. Logging

Configure Network Time Protocol (NTP) for interity of logs
Set the value of the NTP server to the IP address or Fully Qualified Domain Name of the Time Server specified in the Enterprise Network
Enable system accounting (auditd) that records activities, such as system logins, authentications, account modifications, and SELinux denials
Install and configure rsyslog or all logs (like, access, authorize, message, secure) should be shipped to centralized server
All superuser, root or local users’ access must be logged and shipped at centralized server

12. Directory permissions/file permission/access permissions

System accounts, group memberships, and their associated privileges should be enabled and integral

13. Pluggable Authentication Modules Service Configuration

Make sure that configuration files for PAM, /etc/pam.d/* are secure and not accessed by any local user and also report alerts to syslog
Upgrade password hashing algorithm technique to SHA-512.
Restrict root login to system console through PAM services with /etc/pam.d/system-auth file

14. Anti-Virus management

Install and enable anti-virus software or manage/update through centralized antivirus server
Update signature daily/weekly/monthly on server/system antivirus
All servers are to be configured such that they schedule regular operating system updates as provided by the vendor updates

15. Information/Banners

If network or physical access services are running, ensure the warning banner is displayed
If the system configures logins via a graphical user interface (GUI), make sure that the warning banner is displayed to login on successful/unsuccessful login

You may also like:

Related Posts