This article is a hardening checklist for Linux servers. It summarizes the configuration settings that make up a securely configured server and help defend it against attackers.
Each checklist item comes with a contextual description of what the setting means and its possible values, followed by the recommended mitigation.
The recommendations are intended to help administrators evaluate or improve the security of their systems. Applying them properly requires careful analysis and adaptation to the specific environment; they are not in any way a “quick fix” for securing a server's operating system.
1. Physical Security
- Build a new server on an isolated network so it is not exposed to hostile traffic until the operating system has been installed, patched and hardened
- Configure BIOS/firmware password
- Set the boot order so the system cannot be booted from unauthorized removable or fixed media
- Install a current, supported version of the OS and apply all available updates.
2. Linux Filesystem Configuration/countermeasures
- Use separate partitions for /var, /var/log, /var/log/audit, and /home
- Put /tmp on a separate partition mounted with the nodev, nosuid, and noexec options; mount /home with the nodev option
- Bind mount /var/tmp to /tmp so the same restrictions apply to it.
- Set the sticky bit on all world-writable directories so users can only remove their own files
- Set nodev, nosuid, and noexec options on /dev/shm.
- Audit SUID and SGID files and remove the bit from any binary that does not need it
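The mount-option and permission-bit items above can be verified rather than assumed. The script below is an added example written for this guide, not code from the original checklist: it reads a /proc/mounts-style file (a constructed sample is embedded so it runs offline; call audit_mounts with no argument on a live host), reports the nodev/nosuid/noexec options missing on /tmp, /dev/shm and /home, and provides the find commands that list world-writable directories lacking the sticky bit and SUID/SGID files for review.

```sh
#!/bin/sh
# Added example for section 2 (not from the original checklist): audit mount
# options and file-permission bits. Runs against the constructed sample below
# by default; on a real host call audit_mounts with no argument.

# check_mount_opts MOUNTS_FILE MOUNTPOINT OPTION...
# Prints each required option missing on MOUNTPOINT; returns 1 if any is missing
# or MOUNTPOINT is not a mount point of its own (i.e. not a separate partition).
check_mount_opts() {
    mounts="$1"; mp="$2"; shift 2
    # /proc/mounts format: device mountpoint fstype options dump pass; last entry wins
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount point"
        return 1
    fi
    rc=0
    for opt in "$@"; do
        case ",$opts," in
            *",$opt,"*) ;;
            *) echo "$mp: missing $opt"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_mounts [MOUNTS_FILE]: the section 2 requirements for /tmp, /dev/shm and /home.
audit_mounts() {
    mounts="${1:-/proc/mounts}"; status=0
    check_mount_opts "$mounts" /tmp nodev nosuid noexec || status=1
    check_mount_opts "$mounts" /dev/shm nodev nosuid noexec || status=1
    check_mount_opts "$mounts" /home nodev || status=1
    return $status
}

# World-writable directories without the sticky bit (should be none).
find_unsticky_world_writable_dirs() {
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# SUID/SGID files, for the manual review the checklist asks for.
find_suid_sgid_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed sample in /proc/mounts format: /tmp is correct, /dev/shm lacks
# noexec and /home lacks nodev.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda5 /home ext4 rw,relatime 0 0
EOF

audit_mounts "$SAMPLE_MOUNTS" || echo "mount audit: fix the findings above in /etc/fstab and remount"
```

Run the two find functions against / (they stay on one filesystem because of -xdev) and review every path they print; a world-writable directory without the sticky bit or an unexpected SUID binary is a finding.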
3. Security Operating system Updates
- Register the server with a Satellite or other centralized patch server so it is patched and updated from a controlled source
- All changes must be documented before they are applied to a production system. The administrator must weigh the criticality of each patch before installing it
- Install, enable and use the yum security plugin (yum-plugin-security on RHEL 6; built into yum on RHEL 7 and later)
- Fetch the list of available updates and review the security ones (yum check-update, yum updateinfo list security)
4. Secure System Boot Settings
- Configure a boot loader password. For legacy GRUB, add a password entry to /etc/grub.conf; for GRUB 2, do not edit /boot/grub2/grub.cfg by hand but generate a hash with grub2-mkpasswd-pbkdf2, add it to /etc/grub.d/40_custom (or use grub2-setpassword) and regenerate the configuration with grub2-mkconfig
- Set the owner and group of /etc/grub.conf or /boot/grub2/grub.cfg to root and the permissions to 0600 (read and write for root only)
- Do not install the X Window System or a graphical desktop on a server that does not require one
- Disable or remove the X Font Server (xfs).
5. Process Hardening
- Restrict core dumps: set "* hard core 0" in /etc/security/limits.conf and fs.suid_dumpable = 0 in /etc/sysctl.conf so that a crashing setuid program cannot write its memory to disk
- Enable randomized virtual memory region placement (ASLR)
- Edit /etc/sysctl.conf as follows and apply it with sysctl -p:
kernel.randomize_va_space = 2
6. Operating system Hardening
- Remove or disable legacy services (telnet-server; rsh, rlogin, rcp; ypserv, ypbind; tftp, tftp-server; talk, talk-server)
- Remove or disable the xinetd service if it is not in use
- Disable any services started by xinetd or inetd that are not in use, and any services the system starts automatically but does not need. Disable an xinetd service by setting “disable = yes” in its file under /etc/xinetd.d/
- Configure TCP wrappers (/etc/hosts.allow and /etc/hosts.deny) for access control
- Disable the xinetd internal services (chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, echo-dgram, echo-stream, tcpmux-server)
- Disable or remove default-installed server services that will not be used (FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc.)
- Disable any unnecessary startup scripts under /etc, /etc/rc*.d, or /etc/init.d (or the startup script directory for your system) and any unneeded services they start
- The default umask for daemons must be 027 or 022 (027 is the stricter choice)
- Disable the CTRL-ALT-DEL reboot key sequence so a console user cannot restart the system
- Remove or lock accounts with empty passwords
- Secure the cron and at configuration files, and restrict job scheduling to root by listing only root in /etc/cron.allow and /etc/at.allow
- /etc/passwd, /etc/shadow and /etc/group are the most important account files on a Linux system
- Make root the owner of these files and set their permissions with the following commands (the ls shows the current state before and, if repeated, after the change):
ls -l /etc/passwd /etc/shadow /etc/group
cd /etc
chown root:root passwd shadow group
chmod 644 passwd group
chmod 400 shadow
- If FTP must be offered, harden its configuration and restrict it to authorized users. Note that /etc/ftpusers (or /etc/vsftpd/ftpusers for vsftpd) is a deny list: every account listed there is refused FTP login, so add root, the system accounts and any user who must not use FTP
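The empty-password and account-file items above are easy to check mechanically. The script below is an added example for this guide, not code from the original checklist: it reports accounts with an empty shadow field, accounts other than root with UID 0, password hashes that are not SHA-512 (the upgrade section 13 asks for), and ownership/mode deviations on passwd, shadow and group. The paths default to /etc; constructed copies of the three files are embedded so it runs without root, and the expected owner is a parameter for the same reason.

```sh
#!/bin/sh
# Added example for section 6 (not from the original checklist): audit the account
# files for empty passwords, extra UID 0 accounts, non-SHA-512 hashes (section 13)
# and wrong ownership/permissions. Paths default to /etc; constructed copies are
# used below so it runs without root.

# Accounts whose shadow password field is empty (login without a password).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# Accounts other than root with UID 0 (a second superuser is a classic backdoor).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Accounts with a usable hash that is not SHA-512 ($6$); locked (! or *) and
# empty fields are reported elsewhere. Assumes SHA-512 is the target, as the
# checklist recommends; a site on yescrypt ($y$) would adjust the pattern.
weak_hash_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$6\$/ { print $1 }' "${1:-/etc/shadow}"
}

# check_mode FILE OWNER MODE...: file must be owned by OWNER with one of the
# listed octal modes. GNU stat first, BSD stat as fallback.
check_mode() {
    f="$1"; want_owner="$2"; shift 2
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f")
    rc=0
    [ "$owner" = "$want_owner" ] || { echo "$f: owner $owner (want $want_owner)"; rc=1; }
    ok=1
    for m in "$@"; do [ "$mode" = "$m" ] && ok=0; done
    [ $ok -eq 0 ] || { echo "$f: mode $mode (want one of: $*)"; rc=1; }
    return $rc
}

# audit_accounts [PASSWD] [SHADOW] [GROUP] [OWNER]: one line per finding; returns 1 if any.
audit_accounts() {
    passwd="${1:-/etc/passwd}"; shadow="${2:-/etc/shadow}"
    group="${3:-/etc/group}"; owner="${4:-root}"; status=0
    for u in $(empty_password_accounts "$shadow"); do echo "$shadow: empty password for $u"; status=1; done
    for u in $(extra_uid0_accounts "$passwd"); do echo "$passwd: extra UID 0 account $u"; status=1; done
    for u in $(weak_hash_accounts "$shadow"); do echo "$shadow: non-SHA-512 hash for $u"; status=1; done
    check_mode "$passwd" "$owner" 644 || status=1
    check_mode "$group" "$owner" 644 || status=1
    # 400 as the checklist says; 0 because RHEL ships shadow as 0000 (root bypasses the mode)
    check_mode "$shadow" "$owner" 400 0 || status=1
    return $status
}

# Constructed samples: alice has no password, toor is a second UID 0 account
# with an MD5 hash. The hash strings are placeholders, not real hashes.
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
EOF
cat > "$TMP/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
toor:$1$abcd$notarealhash:19000:0:99999:7:::
EOF
printf 'root:x:0:\nbin:x:1:\nalice:x:1000:\n' > "$TMP/group"
chmod 644 "$TMP/passwd" "$TMP/group"; chmod 400 "$TMP/shadow"

audit_accounts "$TMP/passwd" "$TMP/shadow" "$TMP/group" "$(id -un)" || echo "account audit: fix the findings above"
```

On a real host run audit_accounts as root with no arguments; lock any account it lists with passwd -l (or set a password), remove the extra UID 0 account, and force a password change for users whose hash is not SHA-512, since the hash is only rewritten when the password changes.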
7. Password Policy
- The following password parameters must be set for all users:
- Enforced password history: 5
- Maximum password age: 45 days
- Minimum password length: 8 characters
- Password complexity: a combination of upper case letters, lower case letters, numbers and special characters
- Account lockout threshold: 3 failed attempts
- Password resets are performed on the user's request, after their identity has been verified
- Users should be able to change their own password from the login interface after authenticating with their old password
8. OS Network Security and Built-In Firewall Configuration
- Limit connections to services running on the host to authorized users of the service via firewalls (iptables/firewalld) and other access control technologies
- Disable IP forwarding unless the host is a router (net.ipv4.ip_forward = 0)
- Disable sending of ICMP redirects (net.ipv4.conf.all.send_redirects = 0, net.ipv4.conf.default.send_redirects = 0)
- Disable acceptance of source routed packets (net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0)
- Disable ICMP redirect acceptance (net.ipv4.conf.all.accept_redirects = 0, net.ipv4.conf.default.accept_redirects = 0)
- Ignore broadcast ICMP echo requests (net.ipv4.icmp_echo_ignore_broadcasts = 1)
- Enable bad error message protection (net.ipv4.icmp_ignore_bogus_error_responses = 1)
- Enable TCP SYN cookies (net.ipv4.tcp_syncookies = 1)
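Sections 5 and 8 both come down to kernel parameters, so one script covers them. It is an added example written for this guide, not code from the original checklist: it writes the parameters as a sysctl drop-in file, extracts a key's value from any sysctl.conf-style file, and audits either such a file (a constructed default-looking sample is embedded) or the running kernel against the expected values. The key names are the standard Linux ones; fs.suid_dumpable covers the sysctl half of the core-dump restriction in section 5.

```sh
#!/bin/sh
# Added example for sections 5 and 8 (not from the original checklist): the
# kernel and network sysctl settings as a drop-in file, and an audit of a
# sysctl.conf-style file (or the running kernel) against them. Key names are
# the standard Linux ones; fs.suid_dumpable=0 is the sysctl half of section 5's
# core-dump restriction (the other half is "* hard core 0" in limits.conf).

HARDENING_SYSCTLS='
kernel.randomize_va_space=2
fs.suid_dumpable=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
'

# write_sysctl_dropin FILE: the settings in sysctl.conf syntax, e.g. for
# /etc/sysctl.d/99-hardening.conf; apply with "sysctl --system" (or sysctl -p FILE).
write_sysctl_dropin() {
    printf '%s\n' "$HARDENING_SYSCTLS" | sed '/^$/d; s/=/ = /' > "$1"
}

# sysctl_file_value FILE KEY: value set for KEY in FILE (last occurrence wins,
# comments and blank lines ignored); empty if unset.
sysctl_file_value() {
    awk -F '[ \t]*=[ \t]*' -v k="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }' "$1"
}

# audit_sysctl_file FILE: report keys missing or wrong in FILE; returns 1 if any.
audit_sysctl_file() {
    rc=0
    for kv in $HARDENING_SYSCTLS; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(sysctl_file_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "$key: is $got (want $want)"; rc=1
        fi
    done
    return $rc
}

# audit_sysctl_live: same comparison against the running kernel (Linux only).
audit_sysctl_live() {
    rc=0
    for kv in $HARDENING_SYSCTLS; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(sysctl -n "$key" 2>/dev/null) || { echo "$key: not available on this kernel"; continue; }
        [ "$got" = "$want" ] || { echo "$key: is $got (want $want)"; rc=1; }
    done
    return $rc
}

# Constructed sample: a default-looking /etc/sysctl.conf with IP forwarding on
# and most hardening keys absent.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
kernel.randomize_va_space = 2
net.ipv4.tcp_syncookies=1
EOF

audit_sysctl_file "$SAMPLE" || echo "sysctl audit: add the keys above, then apply with sysctl -p"
HARDENED=$(mktemp); write_sysctl_dropin "$HARDENED"
```

Auditing the file and the live kernel are deliberately separate: a correct file that was never applied, and a correct live value that is not persisted, are both findings, and only comparing both catches each.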
9. Remote Administration (If required)
- Disable Telnet and use SSH instead
- Use SSH protocol version 2 only (Protocol 2 in /etc/ssh/sshd_config; OpenSSH 7.4 and later no longer support version 1 at all)
- Consider moving sshd off port 22 to reduce noise from the automated scanners and brute-force scripts that target the default port; this hides nothing from a targeted attacker and does not replace the controls below
- Set LogLevel to INFO. INFO is the basic logging level that records user login and logout activity
- Disable SSH login for the root user (PermitRootLogin no)
- Set PermitEmptyPasswords to no
- Block remote logins for unauthenticated users: remove /etc/hosts.equiv (and any ~/.rhosts files) if not required; otherwise verify every host and user listed in the file and remove entries that are not required
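The sshd items above map onto five directives, and an existing sshd_config is easy to get subtly wrong: sshd honours only the first occurrence of a directive, directive names are case-insensitive, and anything after a Match line applies only to that match. The script below is an added example written for this guide, not code from the original checklist or from OpenSSH: it resolves a directive's effective global value with those rules, audits a config file (a constructed sample is embedded) against the checklist, and writes the hardened fragment. Port 2222 is an arbitrary illustration.

```sh
#!/bin/sh
# Added example for section 9 (not from the original checklist): the sshd_config
# directives above as a hardened fragment, and an audit of an existing
# sshd_config. Port 2222 is an arbitrary illustration. "Protocol 2" is harmless
# but ignored on OpenSSH 7.4+, which only speaks version 2.

# sshd_directive FILE NAME: effective global value of NAME. sshd takes the first
# occurrence, names are case-insensitive, and anything after the first Match
# line is conditional, so it is skipped here.
sshd_directive() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == name { print $2; exit }' "$1"
}

# audit_sshd_config FILE: one line per directive that is unset or wrong, plus a
# note if sshd still listens on 22; returns 1 if anything was reported. "Not set"
# is reported even where the compiled-in default would be acceptable, because
# an explicit value survives upgrades and is what auditors look for.
audit_sshd_config() {
    f="$1"; rc=0
    for pair in Protocol=2 LogLevel=INFO PermitRootLogin=no PermitEmptyPasswords=no; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(sshd_directive "$f" "$name")
        if [ -z "$got" ]; then
            echo "$name: not set (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "$name: is $got (want $want)"; rc=1
        fi
    done
    port=$(sshd_directive "$f" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || { echo "Port: ${port:-22} (move off the default to cut scanner noise)"; rc=1; }
    return $rc
}

# write_hardened_sshd FILE: fragment implementing section 9. Merge it into
# /etc/ssh/sshd_config, check with 'sshd -t', then reload sshd (and open the new
# port in the firewall and SELinux policy before closing the old session).
write_hardened_sshd() {
    cat > "$1" <<'EOF'
Port 2222
Protocol 2
LogLevel INFO
PermitRootLogin no
PermitEmptyPasswords no
EOF
}

# Constructed sample: a stock-looking config with root login left on, a second
# (ignored) PermitRootLogin, and PermitEmptyPasswords only inside a Match block.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
protocol 2
LogLevel VERBOSE
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitEmptyPasswords no
EOF

audit_sshd_config "$SAMPLE" || echo "sshd audit: fix the findings above, then run sshd -t"
HARDENED=$(mktemp); write_hardened_sshd "$HARDENED"
```

The sample shows why line-by-line grepping is not enough: the second PermitRootLogin no never takes effect, and the PermitEmptyPasswords inside the Match block protects only the backup user.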
10. System Integrity and Intrusion Detection
- Install and configure the Advanced Intrusion Detection Environment (AIDE) and run it on a schedule against a baseline taken on the clean system
- Configure SELinux in enforcing mode with the policy appropriate to the server's role
- Install and configure the OSSEC host-based intrusion detection system, which performs log analysis, file integrity checking and rootkit detection with real-time alerting
- Configure the Network Time Protocol (NTP) so that log timestamps are accurate and can be correlated across systems
- Set the NTP server to the IP address or fully qualified domain name of the time server designated in the enterprise network
- Enable the audit daemon (auditd), which records activities such as system logins, authentications, account modifications and SELinux denials
- Install and configure rsyslog so that all logs (e.g., access, authorization, messages, secure) are shipped to a centralized log server
- All superuser, root and local user access must be logged and shipped to the centralized log server
12. Directory permissions/file permission/access permissions
- Review system accounts, group memberships and their associated privileges regularly, and verify that files and directories carry only the permissions their use requires
13. Pluggable Authentication Modules Service Configuration
- Make sure the PAM configuration files under /etc/pam.d/ are owned by root and not writable by any other user, and that authentication failures are reported to syslog
- Upgrade the password hashing algorithm to SHA-512 (authconfig --passalgo=sha512 --update, or ENCRYPT_METHOD SHA512 in /etc/login.defs together with the sha512 option on the pam_unix password line); existing hashes are only replaced when users next change their password
- Restrict root login to the system console through PAM, using pam_securetty (referenced from /etc/pam.d/login, which in turn includes system-auth) and the list of permitted terminals in /etc/securetty
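The password policy in section 7 and the SHA-512 requirement in section 13 are enforced by the same two places, /etc/login.defs and the PAM password stack. The script below is an added example written for this guide, not code from the original checklist: it prints the PAM lines that implement the policy, looks up a value in login.defs, extracts a module argument from a PAM file with the module located by name (so bracketed controls do not shift the fields), and audits both files against the policy. Module names and the stack layout assume RHEL/CentOS 7 style files (pam_faillock, pam_pwquality, pam_pwhistory and pam_unix in /etc/pam.d/system-auth and password-auth); constructed default-looking copies of both files are embedded so it runs anywhere.

```sh
#!/bin/sh
# Added example for sections 7 and 13 (not from the original checklist): the
# password policy as login.defs values and PAM module arguments, and an audit
# of a login.defs file and a PAM stack file against it. Module names assume
# RHEL/CentOS 7 style stacks (pam_faillock, pam_pwquality, pam_pwhistory,
# pam_unix in /etc/pam.d/system-auth and password-auth).

# Thresholds from section 7.
MAX_DAYS=45; MIN_LEN=8; HISTORY=5; LOCKOUT=3

# pam_policy_lines: auth/password lines that enforce the policy. Illustrative
# excerpt only; merge into the real stack (which also needs its account and
# session lines) with authconfig or the site's configuration tool.
pam_policy_lines() {
    cat <<EOF
auth        required      pam_faillock.so preauth silent audit deny=$LOCKOUT unlock_time=600
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=$LOCKOUT unlock_time=600
account     required      pam_faillock.so
password    requisite     pam_pwquality.so try_first_pass retry=3 minlen=$MIN_LEN dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password    required      pam_pwhistory.so remember=$HISTORY use_authtok
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
}

# login_defs_value FILE KEY: value of KEY (comments ignored, last occurrence wins).
login_defs_value() {
    awk -v k="$2" '/^[ \t]*#/ || /^[ \t]*$/ { next } $1 == k { v = $2 } END { print v }' "$1"
}

# pam_arg FILE MODULE ARG: first value of ARG=... among the arguments of lines
# that load MODULE; prints "present" for a bare flag such as sha512, nothing
# if the module or argument is absent. Bracketed controls with spaces are fine
# because the module is located by name, not by field position.
pam_arg() {
    awk -v mod="$2" -v arg="$3" '
        /^[ \t]*#/ { next }
        { m = 0
          for (i = 1; i <= NF; i++) if ($i == mod) m = i
          if (!m) next
          for (i = m + 1; i <= NF; i++) {
              if ($i == arg) { print "present"; exit }
              if (index($i, arg "=") == 1) { print substr($i, length(arg) + 2); exit }
          } }' "$1"
}

# audit_password_policy LOGIN_DEFS PAM_FILE: one line per gap; returns 1 if any.
audit_password_policy() {
    defs="$1"; pam="$2"; rc=0
    v=$(login_defs_value "$defs" PASS_MAX_DAYS)
    [ -n "$v" ] && [ "$v" -le "$MAX_DAYS" ] || { echo "PASS_MAX_DAYS: ${v:-unset} (want <= $MAX_DAYS; apply to existing users with chage -M $MAX_DAYS)"; rc=1; }
    v=$(login_defs_value "$defs" PASS_MIN_LEN)
    [ -n "$v" ] && [ "$v" -ge "$MIN_LEN" ] || { echo "PASS_MIN_LEN: ${v:-unset} (want >= $MIN_LEN)"; rc=1; }
    [ "$(login_defs_value "$defs" ENCRYPT_METHOD)" = SHA512 ] || { echo "ENCRYPT_METHOD: not SHA512"; rc=1; }
    v=$(pam_arg "$pam" pam_faillock.so deny)
    [ -n "$v" ] && [ "$v" -le "$LOCKOUT" ] || { echo "pam_faillock deny: ${v:-absent} (want <= $LOCKOUT)"; rc=1; }
    v=$(pam_arg "$pam" pam_pwhistory.so remember)
    [ -n "$v" ] && [ "$v" -ge "$HISTORY" ] || { echo "pam_pwhistory remember: ${v:-absent} (want >= $HISTORY)"; rc=1; }
    v=$(pam_arg "$pam" pam_pwquality.so minlen)
    [ -n "$v" ] && [ "$v" -ge "$MIN_LEN" ] || { echo "pam_pwquality minlen: ${v:-absent} (want >= $MIN_LEN, or set it in /etc/security/pwquality.conf)"; rc=1; }
    [ "$(pam_arg "$pam" pam_unix.so sha512)" = present ] || { echo "pam_unix password line: sha512 missing"; rc=1; }
    return $rc
}

# Constructed samples: distribution defaults with no lockout, history or length rule.
TMP=$(mktemp -d)
cat > "$TMP/login.defs" <<'EOF'
# constructed sample login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
ENCRYPT_METHOD  SHA512
EOF
cat > "$TMP/system-auth" <<'EOF'
# constructed sample: stock RHEL 7 style stack
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

audit_password_policy "$TMP/login.defs" "$TMP/system-auth" || echo "password policy audit: fix the findings above"
```

Two caveats a practitioner would check: login.defs values apply only to accounts created afterwards, so existing users need chage -M 45, and pam_pwquality's minlen may live in /etc/security/pwquality.conf rather than on the PAM line, which is why the audit says so when it does not find it there.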
14. Anti-Virus management
- Install and enable anti-virus software, or manage and update it through a centralized anti-virus server
- Update signatures on a defined schedule (daily is recommended)
- Configure all servers to schedule regular operating system updates as released by the vendor
15. Login Warning Banners
- If network or physical access services are running, display a warning banner before login (e.g., /etc/issue, /etc/issue.net and the Banner directive in sshd_config)
- If the system offers logins via a graphical user interface (GUI), make sure the warning banner is displayed on the GUI login screen before the user authenticates