SecPro Explainer: Linux Security & Hardening

S

• HTTP and HTTPS to retrieve updates (port 80/443, TCP, sometimes UDP)

• DNS traffic to resolve names and IP addresses (port 53, UDP and TCP)

• Time synchronization (port 123, UDP)

• Outgoing email (port 25, TCP)

Filtering outgoing traffic greatly helps you in preventing the attacker from downloading malware into your system.

Using Localhost interface is helpful when using network-based services that should not be publicly available. This command “ip addr show lo” will assist you in showing the details of the interface you are using.

Limiting the Installations

One of the best ways to secure your system is not to install tools or software that you don’t use frequently. This is sometimes also called “apply minimal installation.” Here you can also remove the unwanted users in your system as well. This is otherwise called restricting the users based on their roles and usage, ie., role-based access control or removing users when they don’t belong to your system anymore.

Conducting Code Audit

A code audit is to check whether you have used any undeclared variables or unexpected logic while developing your software systems. You can apply Linting or use Lint Tools to check on the source code for any unexpected errors.

Regularly Updating Installed Software

Of course, it is wise to periodically update all the software packages that you have installed in your systems. More importantly, when there is a security update that pops up in your software notification, do it immediately. That way you could seal off the vulnerable points in your systems.

Automating OS security Updates

Configure your systems to upgrade your OS automatically. That way you won’t miss any security update that is coming along with the improvement of your operating systems.

Deleting Unused Software Modules

If you are no longer using a software tool, then delete it for now. If you keep them unnoticed then it would turn out to be a vulnerability that would later cause severe damage to internal components.

Regular Data Backup

One of the major risks of attacks is compromising sensitive data. Always back up all your data regularly to avoid such instances.

Perform regular Audits and Update the Security Patch

And finally, is performing regular security audits and updating the security patch if any. This way you’re adding another shield of protection to your systems.

Now that we have seen ways to mitigate the vulnerable points across Linux systems. We shall look into the quick fixes that are established for the most common issues.

Fixing the most common vulnerabilities and exposure (CVEs)

The effect of vulnerability is basically determined by these factors, such as existence, access, and exploitation. That is the presence of weaknesses in the software system, the probability of intruders accessing these weaknesses, and finally the degree of exploitation it costs when the attack is found to be compromised of resources.

The most common vulnerabilities across Linux Kernel are

1. DoS – Denial of Service – CVE-2019-11477

This is called TCP selective acknowledgment (SACK) which is caused by an integer overflow when Linux processing subsystems of the networks. Here the buffer data segment is fragmented and when the Kernel tries to merge them into one, it will lead to the overflow of variables. This is a major vulnerability that could allow malicious SACK requests from intruders that leads to denial of service. To resolve such an attack, you could use the following commands to firewall your network,

 Image Original Source

2. Memory Corruption – CVE-2017-18017

It is caused due to the failure of Linux Kernels to handle exceptions. This is posing the threat of denial of service, in which hackers would execute the attack remotely. The following code snippet can be used to mitigate such vulnerabilities.

Image Original Source

3. SegmentSmack – CVE-2018-5390

This occurs when Kernel handles the crafted TCP packets differently. Hackers would use this flaw remotely to trigger costly calls by sending modified packets through the active TCP sessions. This will lead to a CPU saturation and insufficient bandwidth to support the incoming traffic which therefore again turns to denial of service. The following commands can be used to mitigate such attacks.

Image Original Source

That’s about the quick fixes on most common vulnerabilities. Now we shall investigate the list of tips and tricks you can follow while performing Linux security hardening.

Checklist for Hardening your Linux Systems

1. Audit system services with systemctl and network services with netstat

Linux systems with systemd have systemctl command that helps you with controlling all your services and it also lets you know the status of each service that is up and running.

sudo systemctl -t service –state=active 

And netstat helps you keep track of all the network services that are running across your system.

netstat -lp -A inet 

This way you would know the real time status of all your system and network services.

2. All data communication across the Linux Servers must be encrypted

Whatever data you are exchanging with other devices, do always encrypt them. Tools such as GnuPG, OpenVPN, allow you to encrypt all your data and communication in transit.

3. Restrict the usage of FTP, Telnet, and Rlogin/Rsh services

You can implement OpenSSH, SFTP, or FTPS to add an extra layer of encryption on FTP.

4. Utilize Linux Security Extensions

Use security patches that come alongside the Linux kernel to keep the systems updated. This will rule out any misconfigured programs or compromised programs.

5. Utilize Mandatory Access Control (MAC) such as SELinux

This mandatory access control guards the system against malicious applications that could cause damage to the system. Here you can find the user guide install SELINUX.

6. Enable Strict password protection with GRUB2(Grand Unified Boot Loader) configuration

When your laptop is stolen and you don’t encrypt your hardware, there are chances the thief might boot the laptop in emergency mode to retrieve its stored data. In Linux, the GRUB feature restricts people from editing Kernel and allows only permitted users to access the booting functionalities.

7. Do not allow root login

Always use sudo command to allow other users to login into the system. It has an additional tracking and auditing functionality that protects the system from malicious activities. Never allow root login facility.

8. Enable physical hardware security across the server

You need to configure the BIOS or UEFI chips for booting instruction once the system is powered on. Do not allow booting from external hard drives such as DVDs and CDs as this increases the chances of vulnerabilities. BIOS/UEFI is the most secure way of booting your system and all the production box configurations must be locked in respective Internet Data Centers (IDC).

9. Remove unwanted Linux services

Disable all the unwanted services and unnecessary services that are running in the background (daemon). Use the following command to stop services at boot time,

# systemctl disable service
# systemctl disable httpd.service 

10. Enable listen function on all open ports

$ ss –tulpn, executing this command will list all the open ports and associate programs in your network.

11. Do configure firewalls based on Iptables and TCPWrappers

You can avoid a lot of denial of services (DoS) attacks by just configuring Iptables and TCPWrapper firewalls. These help in filtering a lot of unwanted traffic across your network.

12. Enable Disk Quotas

Always segregate and organize the operating system files from the user files. This may sound simple but, in many cases, this helps in a better way of securing the systems. Create separate partitions for FTP and Apache server roots and add noexec, nodev, nosuid configuration options. And assign disk storage quotas for every user and enable the disk quota policy.

13. Go for a centralized authentication service like OpenLDAP

To avoid forgotten accounts and expired credentials always use a centralized authentication system for client-server configuration. This will help in synchronizing the data between servers and clients. Instead of NIS service, you can implement OpenLDAP to execute the user auth.

14. Kerberos

It is effective in blocking unwanted user activities such as gathering passwords. This is a trusted third-party authentication service that uses cryptographic methods to secure the data in transit. This helps in authenticating every user associated with the network.

15. Use Logwatch/Log checks to monitor suspicious activities

You need to monitor all your network activities by enabling logwatch/logcheck. This will indicate any suspicious activity around your network. This will also send you a detailed report about the hacker attempt if any.

16. Utilize auditd for system accounting

Auditd is designed to record every system activity across the disk. It helps in knowing the details of the event like who has performed this activity, when, and whether it is successful or failed. Learn more about installing and enabling auditd.

17. Utilize Network Intrusion Detection System

Before setting up the system in a live production environment, do always install a network intrusion detection system (NIDS) like AIDE or rkhunter rootkit to enable network monitoring for any malicious activity.

18. Disable USB/Firewire/ThunderBolt devices

You need to disable the open ports as they are more vulnerable to attacks even remotely.

19. Use external storage such as opensource NAS servers for data backup

Always back up data and we have many open-source network-attached storage facilities to make a copy of your sensitive data.

20. Abiding with Security Standards such as HIPAA

Last but not least, always adhere to security standards. This will help you to stay on top of cybersecurity measures.

Wrap Up

We hope this quick explainer gives you a better understanding of how to approach Linux system security hardening and the practical ways you can follow to mitigate the risk associated with the common Linux vulnerabilities.