Basic Hardening Security Tips for Linux Servers
Linux has an in-built security model in place by default, but it needs to be tuned and customized to your needs to make the system more secure. Linux is harder to manage but offers more flexibility and configuration options. Securing your Linux server is important to protect your data, intellectual property, and time from the hands of crackers (hackers). The system administrator is responsible for securing the Linux box.
In this section we will discuss the basics of securing a Linux box.
1. Update Your System Frequently
Keeping your software up to date (OS and application or software) is the single biggest security precaution you can take for any operating system.
2. Avoid Nulled
Avoid using nulled (pirated or cracked) applications or software on your system.
3. File permission and ownership
Make sure the permissions and ownership of the files and directories you use are correct.
The recommended permission for a file is 664 and for a directory 755.
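The following shell functions are an added example (not part of the original article) for checking a directory tree against the 664/755 baseline above: they list files and directories that are more permissive than that baseline, list SUID/SGID binaries separately so each one can be justified, and apply the baseline to a tree you own. The directory names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: audit a tree for permissions looser than the article's
# baseline (files 664, directories 755). Uses GNU find's "-perm /mode"
# ("any of these bits set") syntax.

# A file is looser than 664 if it is writable by "other" (002) or has any
# execute bit set (111). Executables need a deliberate decision, so list them.
find_loose_files() {
    find "$1" -type f \( -perm /002 -o -perm /111 \) 2>/dev/null
}

# A directory is looser than 755 if it is writable by group or other (022).
find_loose_dirs() {
    find "$1" -type d -perm /022 2>/dev/null
}

# SUID (4000) / SGID (2000) files are not wrong by themselves, but every one
# of them should be known and justified.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Apply the baseline to a tree you own (a web root, home directories).
# Do not run this on / : packages expect other modes on system paths.
apply_baseline() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Human-readable report for one tree.
audit_perms() {
    echo "== files more permissive than 664 under $1"
    find_loose_files "$1"
    echo "== directories more permissive than 755 under $1"
    find_loose_dirs "$1"
    echo "== SUID/SGID files under $1"
    find_setid_files "$1"
}

# Usage (assumed paths): audit_perms /var/www ; apply_baseline /var/www
```

Run the audit first and read the SUID/SGID list before applying the baseline: apply_baseline strips execute bits from every file, which is what you want for a web root but not for a directory that holds scripts.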
4. Disable Unwanted Services
Disable all unnecessary services and daemons (services that run in the background). Remove all unwanted services from the system start-up and minimize the installed packages to reduce the attack surface. Check all services that are started at boot time in run level 3:
chkconfig --list | grep '3:on'
To stop a service, disable it at boot, and remove its package, enter:
service serviceName stop
chkconfig serviceName off
yum -y remove package-name
5. Secure SSH
# nano /etc/ssh/sshd_config
# Disable root login
PermitRootLogin no
# Only allow specific users
AllowUsers username
# Use SSH protocol version 2
Protocol 2
# Change the default SSH port 22 to another, higher port number
Port 9822
# Configure the idle log-out timeout interval
ClientAliveInterval 300
ClientAliveCountMax 0
# Disable .rhosts files
IgnoreRhosts yes
# Disable host-based authentication
HostbasedAuthentication no
# Disable empty passwords
PermitEmptyPasswords no
# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no
Save and close with Ctrl+X, then press Y and Enter.
Restart the sshd service:
[root@sgnode03]# systemctl restart sshd.service
or
[root@sgnode03]# /etc/init.d/sshd restart
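Before restarting, it is worth verifying that the file enforces what you think it does. sshd uses the first value it finds for each directive, so a "PermitRootLogin no" appended below an existing "PermitRootLogin yes" is silently ignored, and anything after a "Match" line only applies conditionally. The script below is an added example (not from the original article) that reads the effective global value of each directive and checks the baseline from the list above; the baseline list and file names are taken from this article. Also run sshd -t on the real file: it catches syntax errors and warns about legacy keywords that current OpenSSH no longer uses (Protocol, UsePrivilegeSeparation and VerifyReverseMapping in the list above are in that category; reverse lookups are controlled by UseDNS today).

```shell
#!/bin/sh
# Added example: check which value sshd will actually use for each directive
# in an sshd_config, and compare against the article's baseline.

# Print the effective global value of KEY in FILE (empty if unset).
# Stops at the first "Match" block, because directives below it are conditional.
sshd_effective() {
    file=$1; key=$2
    awk -v key="$key" '
        /^[ \t]*[Mm]atch[ \t]/ { exit }                 # conditional section: stop
        /^[ \t]*#/ || NF == 0 { next }                  # comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$file"
}

# Return 0 if KEY in FILE resolves to EXPECTED, 1 otherwise; print either way.
sshd_expect() {
    file=$1; key=$2; expected=$3
    actual=$(sshd_effective "$file" "$key")
    if [ "$actual" = "$expected" ]; then
        echo "ok    $key = $actual"
        return 0
    fi
    echo "FAIL  $key = '${actual:-<unset, default applies>}' (expected $expected)"
    return 1
}

# Check the article's baseline against FILE; returns the number of failures.
sshd_audit() {
    file=${1:-/etc/ssh/sshd_config}
    fails=0
    while read -r key expected; do
        sshd_expect "$file" "$key" "$expected" || fails=$((fails + 1))
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
StrictModes yes
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 0
EOF
    return "$fails"
}

# Usage: sshd_audit /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

A missing directive is reported as a failure on purpose: "unset" means the compiled-in default applies, and for PasswordAuthentication that default is yes.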
Optional recommendations
Limit IP access to SSH (using iptables/firewall)
Rate-limit the incoming port (using iptables/firewall)
Use Strong SSH Passwords
Use Public Key Based Authentication
Chroot SSHD
Thwart SSH Crackers (Brute Force Attack) (Fail2ban/Brute Force Detection/etc)
Use Port Knocking
Use Log Analyzer
Patch OpenSSH and OS
6. Use Strong Passwords for all your applications
7. Install/Enable firewall and malware scanning
Install a firewall and malware scanner on your Linux box, for example iptables, ConfigServer Security & Firewall (csf), Advanced Policy Firewall (APF), Fail2ban, or Linux Malware Detect (LMD) with ClamAV.
8. Review Logs Regularly
Monitoring the system and making sure it stays safe is hard work for a sysadmin, but it must be done. Below are the common default Linux log files and their purpose:
/var/log/messages : General system logs, where current activity is recorded.
/var/log/auth.log : Authentication logs.
/var/log/kern.log : Kernel logs.
/var/log/cron.log : Crond logs (cron job).
/var/log/maillog : Mail server logs.
/var/log/boot.log : System boot log.
/var/log/mysqld.log : MySQL database server log file.
/var/lib/mysql/Hostname.com.err : MySQL database server error log (the file is named after the host).
/var/log/secure : Authentication log.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/yum.log : Yum log files.
/var/log/nginx/access.log : nginx web server access logs
/var/log/nginx/error.log : nginx web server error logs
/var/log/httpd/error_log : httpd web server error logs
/var/log/httpd/access_log : httpd web server access logs
Logs can be followed in real time with the tail -f command, for example:
tail -f /var/log/messages
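Watching tail -f shows you the log; what you are looking for in /var/log/secure or /var/log/auth.log is patterns, such as one source address failing to authenticate over and over. The functions below are an added example (not part of the original article) that summarise sshd authentication failures per source address, flag sources above a threshold, and count accepted logins per user so an unexpected account stands out. The log lines in the test are constructed samples in the standard sshd syslog format (RFC 5737 documentation addresses, made-up fingerprints), not real data.

```shell
#!/bin/sh
# Added example: summarise sshd authentication events from an auth log.
# Works on /var/log/secure (RHEL) or /var/log/auth.log (Debian) or on stdin.

# Count sshd "Failed <method> for <user> from <ip>" lines per source IP,
# most frequent first. Only the "Failed" line is counted so that the
# companion "Invalid user X from <ip>" line does not double-count an attempt.
ssh_failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed .* from / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$@" | sort -rn
}

# Print source IPs with at least THRESHOLD failures (default 5): the
# candidates for a firewall block, or a check on what fail2ban already did.
ssh_bruteforce_sources() {
    threshold=${2:-5}
    ssh_failures_by_ip "$1" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Count "Accepted <method> for <user> from <ip>" lines per user.
ssh_accepted_by_user() {
    awk '
        /sshd\[[0-9]+\]: Accepted .* for / {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { count[$(i + 1)]++; break }
        }
        END { for (u in count) print count[u], u }
    ' "$@" | sort -rn
}

# Usage: ssh_bruteforce_sources /var/log/secure 10
#        ssh_accepted_by_user /var/log/secure
```

Read the two reports together: a source that appears in the brute-force list and then shows up in an "Accepted" line for root is the event you want an alert on, not a line you want to find a week later.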
9. Back Up Important Files
In a production system it is necessary to back up important files and keep the copies in a safe vault, at a remote site or offsite, for disaster recovery. Data or a file without a backup is worth zero.
10. Tuning /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
kernel.printk = 4 4 1 7
kernel.panic = 10
kernel.sysrq = 0
kernel.shmmax = 4294967296
kernel.shmall = 4194304
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
vm.swappiness = 20
vm.dirty_ratio = 80
vm.dirty_background_ratio = 5
fs.file-max = 2097152
net.core.netdev_max_backlog = 262144
net.core.rmem_default = 31457280
net.core.rmem_max = 67108864
net.core.wmem_default = 31457280
net.core.wmem_max = 67108864
net.core.somaxconn = 65535
net.core.optmem_max = 25165824
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh3 = 16384
net.ipv4.neigh.default.gc_interval = 5
net.ipv4.neigh.default.gc_stale_time = 120
net.netfilter.nf_conntrack_max = 10000000
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_timeout_established = 1800
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 20
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 20
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.route.flush = 1
net.ipv4.route.max_size = 8048576
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.exec-shield = 1
kernel.randomize_va_space = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.udp_rmem_min = 16384
net.ipv4.tcp_wmem = 4096 87380 33554432
net.ipv4.udp_wmem_min = 16384
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 400000
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 10
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
Save and close the file, then load the new values with sysctl -p
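sysctl -p only tells you that values were written; it does not tell you a week later whether they are still in effect, and keys that do not exist on the running kernel simply fail. The script below is an added example (not part of the original article) that reads a sysctl.conf in the format above and compares each key against the live value under /proc/sys, reporting MISSING for keys the kernel does not have and DRIFT for values that differ. On the list above that matters in several places: net.ipv4.tcp_tw_recycle was removed in Linux 4.12, kernel.exec-shield exists only on older RHEL kernels, net.ipv4.icmp_ignore_bogus_error_messages is not a kernel key (the real one, icmp_ignore_bogus_error_responses, is also in the list), and net.ipv4.route.flush is write-only, so all of these will show up as MISSING. The SYSCTL_ROOT variable is this script's own assumption so the tree can be pointed at a test directory; the real tree is /proc/sys. When you split the list into what to keep, the security-relevant keys are the rp_filter, redirects, source-route, log_martians, syncookies, ip_forward and randomize_va_space ones (note the kernel default for randomize_va_space is 2, which also randomizes the heap start); the buffer, conntrack and congestion-control keys are performance tuning that should be sized to the host.

```shell
#!/bin/sh
# Added example: compare /etc/sysctl.conf against the running kernel.
# SYSCTL_ROOT defaults to /proc/sys; it is overridable so the logic can be
# exercised against a constructed tree.

# Emit "key<TAB>value" per directive in FILE. Whole-line "#"/";" comments and
# blank lines are dropped, and whitespace inside the value is collapsed so
# "4 4 1 7" compares equal to the kernel's tab-separated "4	4	1	7".
sysctl_parse() {
    sed -e '/^[[:space:]]*[#;]/d' "$1" | awk -F= '
        NF >= 2 {
            key = $1; gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/[ \t]+/, " ", val)
            if (key != "") print key "\t" val
        }'
}

# Map a key to its file under the sysctl tree: dots become slashes.
# Correct for every key in the article; interface names that contain a dot
# would have to be written with "/" in the key instead.
sysctl_path() {
    echo "${SYSCTL_ROOT:-/proc/sys}/$(echo "$1" | tr . /)"
}

# Report ok / DRIFT / MISSING per key in FILE; return the number of problems.
sysctl_drift() {
    parsed=$(sysctl_parse "$1")
    problems=0
    while IFS="$(printf '\t')" read -r key want; do
        [ -n "$key" ] || continue
        path=$(sysctl_path "$key")
        if [ ! -r "$path" ]; then
            echo "MISSING $key (no such key on this kernel, or write-only)"
            problems=$((problems + 1))
            continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
        if [ "$have" = "$want" ]; then
            echo "ok      $key = $have"
        else
            echo "DRIFT   $key: file says '$want', kernel has '$have'"
            problems=$((problems + 1))
        fi
    done <<EOF
$parsed
EOF
    return "$problems"
}

# Usage: sysctl -p /etc/sysctl.conf; sysctl_drift /etc/sysctl.conf
```

A non-zero return makes the function usable from cron or a configuration-management check, so drift in rp_filter or ip_forward becomes an alert rather than something discovered during an incident.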
11. Tune every piece of software and every application
Review and harden every piece of software or application installed on your system.