
Hardening the Linux server - Part 1

An introduction to GNU/Linux server security

Summary: Servers—whether used for testing or production—are primary targets for attackers. By taking the proper steps, you can turn a vulnerable box into a hardened server and help thwart outside attackers. Learn how to secure SSH sessions, configure firewall rules, and set up intrusion detection to alert you to any possible attacks on your GNU/Linux® server. Once you've gained a solid foundation in the basics of securing your server, you can build on this knowledge to further harden your systems.

Objectives
In this tutorial, you learn about basic concepts in security administration, including how to secure Secure Shell (SSH) remote logins, create firewall rules, and watch logs for possible attacks.

System requirements
To run the examples in this tutorial, you need to install Ubuntu Server Edition on a computer or a virtual machine, such as Sun VirtualBox. You also need an Internet connection to download specific software packages used in the tutorial.


Introduction
To understand the basics of hardening a server running GNU/Linux as the operating system, you need to be aware that although many core concepts of security apply to both the desktop operating system and the server operating system, the ways they're secured are completely different.

The Principle of Least Privilege

A truly secure network makes sure that the Principle of Least Privilege is applied across the enterprise, not just to the servers. The roles taken on by servers and desktops also mandate how the operating system, and the computer itself, should be secured. The desktop may be an attractive target for a script kiddie whose attacks are often thwarted by updated software and malware scanners, but a data center hosting user accounts or credit-card information is a much more attractive target for the skilled attacker who can exploit weaknesses without detection in an environment that hasn't been hardened.



Securing a server is much different than securing a desktop computer for a variety of reasons. By default, a desktop operating system is installed to provide the user with an environment that can be run out of the box. Desktop operating systems are sold on the premise that they require minimal configuration and come loaded with as many applications as possible to get the user up and running. Conversely, a server's operating system should abide by the Principle of Least Privilege, which states that it should have only the services, software, and permissions necessary to perform the tasks it's responsible for.
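One practical way to apply the Principle of Least Privilege to a server is to compare what is actually listening on the network against the short list of services the server is responsible for. The following script is an added example, not part of the original tutorial; it parses output in the layout of `ss -Hltnp` (a constructed sample is embedded so it runs offline) and reports every listener not on an assumed allow-list of SSH and HTTPS.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit listening TCP services on a
# server against an allow-list. Anything listening that is not on the list
# needs a justification or should be disabled.

# Assumed allow-list for a hypothetical web server: SSH (22) and HTTPS (443).
ALLOWED_PORTS="22 443"

# Constructed sample in the layout of `ss -Hltnp` (no header, TCP listeners
# only). On a real host replace this with the live output of: ss -Hltnp
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1204,fd=6))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1340,fd=21))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=601,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

# Return 0 if port $1 is on the allow-list, 1 otherwise.
port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read ss-style lines on stdin; print "port process" for every listener that
# is not allowed. Loopback-only listeners are reported too: a service nobody
# needs should not be running at all, whatever address it binds to.
unexpected_listeners() {
    while read -r state recvq sendq local peer proc; do
        [ -z "$local" ] && continue
        port=${local##*:}      # strip the address part, keep the port
        name=$(printf '%s' "$proc" | sed 's/.*(("\([^"]*\)".*/\1/')
        if ! port_allowed "$port"; then
            printf '%s %s\n' "$port" "$name"
        fi
    done | sort -u
}

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners
}

audit_sample
```

On the sample data the audit flags rpcbind on port 111 and mysqld on port 3306; each is either justified and added to the allow-list or stopped and disabled.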


Revisiting the immutable laws of security
In November 2000, Scott Culp of Microsoft drafted what he called the 10 Immutable Laws of Security. There are two versions of these laws: one for users and one for system administrators. Over the years, these laws have been both revised and despised by people in the security industry. Despite some criticism, the 10 laws for administrators can serve as an excellent foundation for hardening any system if applied correctly.
First, the following law applies to general security practices: Security only works if the secure way also happens to be the easy way. This is the most important law for any system administrator. If a security policy is so tight that people can't perform their job tasks, they're going to find ways to circumvent the security put in place, sometimes creating a greater vulnerability than the policy was put in place to prevent. The best example relates to passwords. Strong passwords should be part of any security policy, but sometimes policies go too far. Requiring users to remember a password that is 15 characters long and that consists of uppercase letters, lowercase letters, numbers, and symbols is asking for a high percentage of users to write their password on a post-it note and attach it to their monitor.
Four of Culp's laws apply directly to the material covered in this tutorial:
  • If you don't keep up with security fixes, your network won't be yours for long. Attackers find vulnerabilities every day. As a system administrator, you need to make sure your system is updated. But this brings you to a difference between hardening a desktop and hardening a server. Generally, updates to the GNU/Linux desktop should be installed when they're published. When you're dealing with the server, you should test the update in a research or development server environment before applying the fix to your production server, to make sure the patch doesn't interfere with the operations of the server or the users.
  • Eternal vigilance is the price of security. In an effort to make sure your GNU/Linux server is secured, you must constantly check logs, apply security patches, and follow up on alerts. Vigilance is what keeps your system secure.
  • Security isn't about risk avoidance; it's about risk management. Things happen. There may be a malware outbreak, or your Web site may be attacked. It may be something completely out of your control, such as a natural disaster. At one time or another, the security of your system will be tested. Make sure you've done everything you can to protect your system, and deal with the threat in a way that keeps your server and its resources available to the users who count on it.
  • Technology isn't a panacea. If there is one law that everyone who deals with technology should know, it's this one. Simply throwing more technology at the security problem won't solve it. Vigilance on the part of the system administrator, buy-in on the part of management, and acceptance on the part of users must all be in place for a security policy to work effectively.
