Securing Linux (for a newbie)
Linux Kernel
At a minimum, we should be updating and upgrading Linux as often as is tolerable (both for the users and for the sysadmin). Keeping things up to date closes discovered vulnerabilities and sometimes improves the performance and/or experience of the system. I won't be naive and believe there are never any bad patches, but as we say in SecOps: layer your security. So even if there is a bad patch, hopefully by segmenting the system, having a firewall, a reverse proxy and/or other controls, you can mitigate your risk and exposure.
How you update depends on the distribution you have installed. I used CentOS for years, but in the past 2 years I have started using Ubuntu. In Ubuntu, we can use the unattended-upgrades package and run it on a schedule to take care of the security patches and updates. If it's not installed, you can install it by issuing:
sudo apt install unattended-upgrades
We can then schedule the system to fetch the upgrades by using:
sudo dpkg-reconfigure --priority=low unattended-upgrades
Hit enter. This will install 2 configuration files to the /etc/apt/apt.conf.d/ directory:
- 20auto-upgrades
  - This makes the automatic updates script run on a schedule
- 50unattended-upgrades
  - This is the default configuration file where you can set up an email for notifications about the packages, schedule a reboot, etc.
To test that the configuration is correct, you can run a 'dry run', where nothing is actually installed but the application validates that it would run:
sudo unattended-upgrade --dry-run --debug
If you get no errors, you can manually run the unattended upgrade, or let the application run for you.
Using SSH Keys (instead of passwords) to log into Server
Create a user or use an existing user to generate keys. In this example, we will create a user to manage Docker. It is best to give someone least-privilege access: let them do what they need, but nothing else. To create a new user, use:
sudo useradd -m -s /bin/bash -c "docker admin" uname
sudo usermod -aG sudo,adm,docker uname
sudo passwd uname
<type password twice>
Once the user is created, you can now set up SSH keys for this user. On a computer with OpenSSH, issue the commands:
ssh-keygen -t rsa -b 4096 -C "some comment here, like email"   # -t rsa so the files are named id_rsa as below; newer OpenSSH defaults to ed25519
By default the keys are stored in the user's home directory, /home/uname, under .ssh/ as the files id_rsa and id_rsa.pub, or you can type a new location when prompted.
Set up a strong passphrase if you do not have a way to store the keys in an encrypted or protected area! The keygen will create a public and a private key:
- id_rsa
  - private key (do not share with anyone!!!)
- id_rsa.pub
  - you can install this key onto any server you want to log into. This can also be shared.
Make sure the destination server has the same user account and home directory created, then copy the public key into that user's home directory as .ssh/authorized_keys:
sudo mkdir -p /home/uname/.ssh    # on the destination server
scp id_rsa.pub root@<servername or ip>:/home/uname/.ssh/authorized_keys    # from the machine holding the keys
Change ownership of the folder to the user and tighten the permissions (sshd refuses keys in files that others can write to):
sudo chown -R uname:uname /home/uname/.ssh
sudo chmod 700 /home/uname/.ssh
sudo chmod 600 /home/uname/.ssh/authorized_keys
See if it works by using ssh to log into the remote server:
ssh uname@<servername or ip>
Now disable username/password login so that only the private/public key pair is accepted:
sudo vi /etc/ssh/sshd_config
Change PermitRootLogin to 'no' and PasswordAuthentication to 'no':
PermitRootLogin no
PasswordAuthentication no
Reboot the server, then confirm that key login still works from a new session before closing the one you are in.
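The two sshd_config settings above are easy to get wrong on Ubuntu, because sshd uses the first value it reads for a keyword and the stock sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there (cloud images ship one that sets PasswordAuthentication yes) can silently override your edit. The helper below is an added example, not part of the original post: it reports the effective value the way sshd resolves it, and the file names and values it is run against are constructed; sudo sshd -T remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original post): report the value sshd will really use.
# sshd keeps the FIRST value it reads for a keyword, and Ubuntu's sshd_config begins
# with "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in can override your edit.
# Limits: Match blocks are not evaluated (scanning stops at the first one);
# "sudo sshd -T" remains the authoritative answer.

# effective_sshd_value <Keyword> <file>...  (files in the order sshd reads them)
effective_sshd_value() {
    kw=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk -v kw="$kw" '
            $1 ~ /^#/ || NF == 0          { next }          # comments, blank lines
            tolower($1) == "match"        { exit }          # global section ends here
            tolower($1) == tolower(kw)    { print $2; exit } # first value wins
        ' "$f")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# check_ssh_hardening [config dir]: prints keyword=value for the two settings the
# post changes and returns 1 if either is not "no". Defaults to /etc/ssh; pass a
# directory holding constructed files to try it without touching the real host.
check_ssh_hardening() {
    dir=${1:-/etc/ssh}
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        # drop-ins first, then the main file: the order Ubuntu's Include line gives
        v=$(effective_sshd_value "$kw" "$dir"/sshd_config.d/*.conf "$dir"/sshd_config) \
            || v="(default)"
        printf '%s=%s\n' "$kw" "$v"
        [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "no" ] || rc=1
    done
    return $rc
}
```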
Network Security
View what ports are listening, and which programs own them, with the command 'ss -ltpn', then shut down or disable the applications/services you don't need. You can look at the application's config under /etc/<application_config> and set it not to start or not to listen on a port. To go further, use Ubuntu's built-in firewall front end, UFW.
The first rule should allow port 22, so that enabling the firewall does not cut off your own SSH session and you can still connect to the server in the future:
sudo ufw allow 22
Now you can enable the firewall by using:
sudo ufw enable
To view the firewall state and the allowed ports on the system, you can use:
sudo ufw status
Now go through the services and allow only the necessary ones (again, least privilege, more or less). For example:
sudo ufw allow 443
Note that UFW rules do not apply to ports published by containers (i.e. Docker), because Docker inserts its own iptables rules ahead of UFW's, so the UFW status output can be a little deceiving.
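To see the Docker gap for yourself, compare the UFW rules with what is actually listening. The script below is an added example, not from the original post: it parses ss -ltnp output and lists every TCP port bound to a non-loopback address with the owning process, so a docker-proxy entry stands out even though ufw status shows no rule for it. The sample ss output is constructed; on a real host pipe ss -ltnp into exposed_listeners.

```shell
#!/bin/sh
# Added example (not from the original post): list TCP listeners that are reachable
# from outside the box, with their owning process, from `ss -ltnp` output.
# Ports published by Docker appear as "docker-proxy" and are reachable regardless
# of UFW, because Docker manages its own iptables chains. Publishing a port on
# 127.0.0.1 instead (e.g. "-p 127.0.0.1:8080:80") keeps it off this list.

# Constructed sample of `ss -ltnp` output so the script can run offline.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=901,fd=3))
LISTEN 0      4096   0.0.0.0:8080       0.0.0.0:*         users:(("docker-proxy",pid=2310,fd=4))
LISTEN 0      511    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1450,fd=21))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=901,fd=4))
LISTEN 0      4096   *:443              *:*               users:(("nginx",pid=1700,fd=6))'

# exposed_listeners: reads ss -ltnp output on stdin and prints "port process" for
# every listener not bound to a loopback address, one line per port, sorted by port.
exposed_listeners() {
    awk 'NR > 1 && NF >= 4 {
        n = split($4, a, ":"); port = a[n]                  # last field after ":"
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next        # loopback only: skip
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, proc
    }' | sort -k1,1n -k2,2 -u
}

# docker_published: only the ports Docker is proxying, i.e. the ones UFW will not block.
docker_published() {
    exposed_listeners | awk '$2 == "docker-proxy" { print $1 }'
}
```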
Intrusion Prevention System
A popular, lightweight and simple IPS for Linux (not the most robust, but it gets the job done for the most part) is Fail2Ban. It watches the logs for the typical brute-force attempts and puts the offending IP in 'jail' (a temporary ban). Install it, start it, and view the status by using:
sudo apt install fail2ban
sudo systemctl enable fail2ban --now
sudo systemctl status fail2ban
This will show you whether the service is running and whether there have been any blocks. If there is a block, you will see a number next to the service, and you can get more info by using this command with the name of the jail (service) that is being attacked:
sudo fail2ban-client status                       # lists the active jails
sudo fail2ban-client status <jail, e.g. sshd>     # banned addresses for that jail
Another way Ubuntu protects you (to a degree) is AppArmor, which confines applications, including containers, using built-in profiles. If an application has no profile loaded, it runs unconfined, which is probably sub-optimal. You can check the status by using:
sudo apparmor_status