Hardening Linux: The Basics
This document describes basic hardening of a GNU/Linux machine. It's only the start, security takes a lot more than just this. All items mentioned should already be on the mind of every systems administrator.
Remove Unused Users
Extra user accounts can be considered dangerous, remove unused ones and then prevent login for the daemon accounts like postgres or apache. The Creo section has a helper script that will identify unused user accounts. The listed accounts can be restricted, disabled or removed.
# Restrict: Comment, set home and shell usermod -c Daemon [user] usermod -d /dev/null [user] usermod -s /bin/false [user] # Disable Lock account, comment, home and shell passwd -l [user] usermod -c Disabled [user] usermod -d /dev/null [user] usermod -s /bin/false [user] # Remove userdel -r [user]
Completely unused accounts should be removed entirely. The used daemon accounts should have their shell and home directories adjusted accordingly. Test by disabling the account before removing it entirely.
Secure Root Account
Restrict the users who can then become root by making su only executable by root and one group. Users who can su must be added to that group.
# Now make su only available to one group (wheel in the example) # and make su setuid root only runnable by that group (and root) chgrp wheel /bin/su chmod 4710 /bin/su # Add the necessary users to wheel usermod -G wheel johndoe
Disable Network Services
netstat -anptu to see all TCP and UDP services running, with process names.
One should know what should and should not be present, take steps to remove all unnecessary processes.
If the host has multiple IP addresses care should be taken to ensure listening only on the expected address or addresses.
Remote shell services should be only run over encrypted connections, this means SSH. Use a recent version of SSH, force use of protocol 2 and use keys for authentication. The sample of sshd_config below sets the above reccomendations. There are also a number of forwarding options for sshd, read the man page and set accordingly. If forwarding will never be used for any reason then disable the forwarding options.
# Set /etc/ssh/sshd_config like so Protocol 2 LoginGraceTime 5s PermitRootLogin no PasswordAuthentication no PermitEmptyPasswords no PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
The IP stack on the machine can be tuned for higher performance and to resist network attacks, even still a firewill is reccomended. Below the IP stack is tuned and then and a simple firewall is defined.
sysctl -w net.ipv4.conf.all.accept_redirects=0 sysctl -w net.ipv4.conf.all.accept_source_route=0 sysctl -w net.ipv4.conf.all.forwarding=0 sysctl -w net.ipv4.conf.all.mc_forwarding=0 sysctl -w net.ipv4.conf.all.rp_filter=1 sysctl -w net.ipv4.conf.all.send_redirects=0 sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 sysctl -w net.ipv4.tcp_max_syn_backlog=1280 sysctl -w net.ipv4.tcp_syncookies=1
This firewall is very basic, search the internet for more information.
iptables -F iptables -Z iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT