Hardening Linux: The Basics

This document describes basic hardening of a GNU/Linux machine. It is only a start; security takes a lot more than this. Every item mentioned should already be on the mind of every systems administrator.

Remove Unused Users

Extra user accounts are a risk: remove unused ones and prevent login for daemon accounts such as postgres or apache. The Creo section has a helper script that identifies unused user accounts. The accounts it lists can be restricted, disabled or removed.

# Restrict: Comment, set home and shell
usermod -c Daemon [user]
usermod -d /dev/null [user]
usermod -s /bin/false [user]

# Disable: lock the account, then set comment, home and shell
passwd -l [user]
usermod -c Disabled [user]
usermod -d /dev/null [user]
usermod -s /bin/false [user]

# Remove
userdel -r [user]

Completely unused accounts should be removed entirely. Daemon accounts that are still in use should have their shell and home directory adjusted as shown above. Test by disabling an account before removing it entirely.

Secure Root Account

Restrict which users can become root by making su executable only by root and one group. Users who need su must be added to that group. Package upgrades can restore the default permissions on su, so re-check them after updating.

# Now make su only available to one group (wheel in the example)
#  and make su setuid root only runnable by that group (and root)
chgrp wheel /bin/su
chmod 4710 /bin/su

# Add the necessary users to wheel (-a appends; -G alone would drop
#  the user's other supplementary groups)
usermod -aG wheel johndoe

Disable Network Services

Run netstat -anptu to see all TCP and UDP sockets together with the owning process names. Know what should and should not be present, and remove every unnecessary process. If the host has multiple IP addresses, make sure each service listens only on the expected address or addresses.

Remote shell services should only run over encrypted connections, which means SSH. Use a recent version of SSH, force protocol 2 and use keys for authentication. The sample sshd_config below applies these recommendations. sshd also has a number of forwarding options; read the man page and set them accordingly. If forwarding will never be used for any reason, disable the forwarding options.

# Set /etc/ssh/sshd_config like so
Protocol 2
LoginGraceTime 5s
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

Tighten Networking

The IP stack on the machine can be tuned for higher performance and to resist network attacks; even so, a firewall is still recommended. Below, the IP stack is tuned and then a simple firewall is defined. Values set with sysctl -w are lost at reboot, so put them in /etc/sysctl.conf as well.

sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv4.conf.all.mc_forwarding=0
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.tcp_max_syn_backlog=1280
sysctl -w net.ipv4.tcp_syncookies=1

This firewall is very basic: it accepts loopback traffic, replies to connections the host itself opened, and new connections to SSH, HTTP and HTTPS on eth0, and drops everything else inbound. Without the default DROP policy the ACCEPT rules alone would block nothing. Search the internet for more information.

iptables -F
iptables -Z
# Allow loopback and replies to connections this host initiated
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
# Everything not matched above is dropped
iptables -P INPUT DROP
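
As an added check (example code, not part of the original guide), the POSIX sh script below audits an sshd_config and a sysctl dump against the values recommended in the SSH and networking sections above and reports each deviation. The function names, the --run flag and the use of a copied dump file are this example's own; the directive and sysctl values are the ones from this document.

```shell
#!/bin/sh
# Added audit helper (not part of the original guide): compare an sshd_config and a
# sysctl dump ("key = value" lines, as produced by `sysctl -a`) with the values this
# document recommends. Each check returns the number of deviations (0 = compliant).

# check_sshd_config FILE: sshd honours the first uncommented occurrence of a
# directive, so that is the value compared; a missing directive is reported too.
check_sshd_config() {
    cfg="$1"; bad=0
    for want in "Protocol 2" "PermitRootLogin no" "PasswordAuthentication no" \
                "PermitEmptyPasswords no" "PubkeyAuthentication yes"; do
        key="${want%% *}"; val="${want#* }"
        actual=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ "$actual" != "$val" ]; then
            echo "sshd_config: $key is '${actual:-unset}', want '$val'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# check_sysctl FILE: compare the nine kernel parameters set in the guide.
check_sysctl() {
    dump="$1"; bad=0
    for want in net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.accept_source_route=0 \
                net.ipv4.conf.all.forwarding=0 net.ipv4.conf.all.mc_forwarding=0 \
                net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.send_redirects=0 \
                net.ipv4.icmp_echo_ignore_broadcasts=1 net.ipv4.tcp_max_syn_backlog=1280 \
                net.ipv4.tcp_syncookies=1; do
        key="${want%%=*}"; val="${want#*=}"
        actual=$(awk -F'[ =]+' -v k="$key" '$1 == k { print $2; exit }' "$dump")
        if [ "$actual" != "$val" ]; then
            echo "sysctl: $key is '${actual:-unset}', want $val"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# audit_host: run both checks against the live system (root needed for sysctl -a).
audit_host() {
    dump=$(mktemp); sysctl -a 2>/dev/null > "$dump"
    rc=0
    check_sshd_config /etc/ssh/sshd_config || rc=$?
    check_sysctl "$dump" || rc=$((rc + $?))
    rm -f "$dump"
    return "$rc"
}
# Only touch the live system when explicitly asked: ./audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_host; fi
```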

See Also