{"id":4980,"date":"2011-08-19T00:00:00","date_gmt":"2011-08-19T00:00:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/2011\/08\/19\/linux-hardening-quick-wins\/"},"modified":"2021-01-28T16:20:21","modified_gmt":"2021-01-28T16:20:21","slug":"linux-hardening-quick-wins","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/products\/linux-hardening-quick-wins\/","title":{"rendered":"Linux Hardening – Quick Wins"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
\n<\/p>\n

<\/span><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

<\/div>\n<\/p><\/div>\n

The best way to ensure that your Linux server is secure is to build it from scratch with a minimum amount of code that can be exploited by a hacker — a custom compiled kernel and the bare minimum of packages needed for the server to do its intended job.<\/p>\n

\u00a0<\/p>\n

But what if you already have Linux servers running in your business? If that’s the case then here are some simple steps you can take to improve security that take just a few minutes to implement:<\/p>\n

Remove unnecessary software to minimize your attack surface <\/strong>– The more code your server is running, the more likely it is that a hacker will be able to find a vulnerability to exploit. Go through all the packages installed on your system and remove any that aren’t necessary.<\/p>\n

To list all installed packages: yum list installed or dpkg \u2013l<\/p>\n

To remove a package: yum remove somepackage or apt-get remove somepackage<\/p>\n

Apply the latest security patches <\/strong>– Once a vulnerability in any software you’re running has been discovered, your system is in danger until the vulnerability is patched.<\/p>\n

To update your system with all patches that are available: yum update or apt-get update apt-get upgrade<\/p>\n

You can automate this process to update daily or weekly using the cron scheduler by placing a suitable script in \/etc\/cron.daily\/ or \/etc\/cron.weekly\/<\/p>\n

Avoid logging in as root <\/strong>– Use the sudo command instead to execute (and log) commands as root when necessary. Make sure that the accounts that need sudo privileges are listed in \/etc\/sudoers, which you can edit with visudo. You can give contractors and other users that may need it accounts with sudo privileges for certain commands, and delete the accounts or remove them from \/etc\/sudoers when they no longer need them.<\/p>\n

You can disable root SSH login by opening the sshd_config file: vi \/etc\/ssh\/sshd_config and then edit it by uncommenting or adding a line: PermitRootLogin no<\/p>\n

It’s also sensible to add, edit or uncomment a Protocol line: Protocol 2 to force the use of SSH protocol 2, rather than the less secure Protocol 1.<\/p>\n

Restart the sshd service for this to take effect: \/etc\/init.d\/sshd restart<\/p>\n

Lock any user accounts which have no passwords <\/strong>-Accounts with no passwords are an unnecessary security risk. To find any accounts which have no password use the passwd command and look for any with the status NP (no password): passwd -Sa | grep NP<\/p>\n

You can lock any accounts you find using passwd -l: passwd -l someuser<\/p>\n

To unlock an account use: passwd -u<\/p>\n

Lock user accounts after three failed login attempts <\/strong>-Restricting the number of login attempts before an account is disabled makes it hard for a hacker to guess a password successfully. You need to strike a balance between security and convenience, but genuine users are unlikely to mistype their password three times in a row.<\/p>\n

To lock the account of user someuser after three attempts use the faillog command: faillog -m 3 -u someuser<\/p>\n

You can use this command for all users using -a instead of -u someuser. However make sure that the root account can’t be locked (using -m 0) to prevent being locked out of the root account by a deliberate denial of service attack on the root account.<\/p>\n

Disable any services that you don’t need to run <\/strong>– To discover what services are configured to start automatically, use the chkconfig command: chkconfig -list<\/p>\n

Disable the following services if you don’ specifically need them:<\/p>\n

\u00a0<\/p>\n