CentOS 8.x Securing a Linux machine
This article is written assuming a CentOS 8.x OS. However, the general principles of hardening apply to any other system; only the commands need to change based on the flavor / distribution of Linux being hardened.
This article is work in progress
Securing a Linux system is a must for any system that is publicly accessible or sits in a potentially hostile environment. General tips for securing a Linux machine have two parts:
- Initial security hardening of the system
- Regular tasks to monitor and ensure system is safe
Initial security hardening of system
Update system
It makes sense to keep the system fully updated with the latest patches and security updates. This is easier on enterprise distributions such as CentOS, which are purpose-built for servers and hence typically ship older versions of software than desktop editions (e.g. Fedora), which tend to come with the latest versions. Using a slightly older version of software that has been tested for more than a year is safer for servers.
To update the system fully use:
dnf update -y
Setup firewalld
It is important for the system to have a host-based firewall set up. To set up firewalld, refer to:
- Basic setup: CentOS 7.x Basic firewalld configuration
- Advanced details about firewalld: CentOS 8.x firewalld
Setup fail2ban
Any system which is exposed to the public Internet starts getting attacked immediately. If we leave the SSH port open, we can see thousands of bad login attempts per day on any system. To ensure that such attackers get only a limited number of chances (bad password attempts) to attack the system, we can set up fail2ban. Fail2ban bans an IP for some duration (default 900 seconds) if it makes more than a fixed number of bad login attempts. The number of attempts allowed for the root user is typically smaller than the number allowed for other users. Allowing only a few (9-10) attempts every 900 seconds (15 minutes) is more than enough to ensure that the system cannot be exploited using dictionary-based / brute-force attacks.
To set up fail2ban, refer to:
Note that fail2ban supports many other applications, such as dovecot and postfix, apart from sshd. Hence we should try to protect as many applications via fail2ban as possible.
Earlier versions of the OS used Denyhosts, which is now deprecated; we should use fail2ban instead.
Use key-based authentication for SSH; at the very least, disable password-based SSH for the root user
Ideally we should disable password-based SSH for all users using:
- Edit /etc/ssh/sshd_config and set
PasswordAuthentication no
- Restart the sshd service
systemctl restart sshd
However, if the above is not practical, then at least disable password-based SSH for the root user by setting the following in '/etc/ssh/sshd_config':
PermitRootLogin without-password
and reload the sshd service.
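The following is an added example, not part of the original page: a small POSIX shell audit of an sshd configuration file for the two directives discussed above. It assumes no Match blocks are in use, and that the file is either /etc/ssh/sshd_config or the effective configuration saved from `sshd -T`.

```shell
#!/bin/sh
# Added example (not from the original page): check an sshd configuration file
# for PasswordAuthentication and PermitRootLogin. Returns 0 when both are
# hardened, 1 otherwise. Assumption: no Match blocks (they are not parsed).
audit_sshd_config() {
    cfg="$1"
    rc=0
    # sshd uses the FIRST occurrence of a keyword; keywords are case-insensitive.
    # Lines whose first field starts with "#" are comments and are skipped.
    pw=$(awk '$1 !~ /^#/ && tolower($1)=="passwordauthentication" && !seen {print tolower($2); seen=1}' "$cfg")
    root=$(awk '$1 !~ /^#/ && tolower($1)=="permitrootlogin" && !seen {print tolower($2); seen=1}' "$cfg")

    # Upstream default for PasswordAuthentication is "yes", so unset means weak.
    case "${pw:-yes}" in
        no) echo "OK   PasswordAuthentication no" ;;
        *)  echo "WEAK PasswordAuthentication ${pw:-unset, defaults to yes}"; rc=1 ;;
    esac

    # "without-password" is the older spelling of "prohibit-password", the
    # upstream default since OpenSSH 7.0; both permit only key-based root login.
    case "${root:-prohibit-password}" in
        no|prohibit-password|without-password)
            echo "OK   PermitRootLogin ${root:-unset, defaults to prohibit-password}" ;;
        *)  echo "WEAK PermitRootLogin $root"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone usage: audit the file given on the command line.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run `sshd -t` after editing the file and before reloading; sshd refuses to start on a syntax error, which would lock you out of a remote host.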
Setup logwatch and outgoing alert emails
Any Linux system generates many useful logs that go to various log files. It is not possible for human administrators to go through many log files on many systems looking for issues and anomalies. Hence, it makes sense to configure Logwatch to go through the various log files and send one email per day covering the events / logs seen on that system in the past 24 hours.
Since logwatch delivers its report by email, first enable outgoing email from the system (refer to: CentOS 8.x postfix send email through relay or smarthost with smtp authentication, if required).
To install logwatch use:
dnf -y install logwatch
After the default setup, consider:
- Increasing Logwatch detail: Increasing detail of logwatch output
- Configuring From and To addresses for logwatch: CentOS 7.x Zimbra command line for sending logwatch email
- Disabling excessive kernel logs when log detail is high: Disable too much logs from kernel when log Detail is high
- Creating custom logwatch services or scripts: Creating new logwatch service or scripts
TODO
- Setup anti-virus scan via clamav
- OSSEC
- Disable IPv6 Connectivity, if not required
- Install file integrity monitor (AIDE)
- Change SSH port from default 22
- Protect SSH port access via firewall
- Allow SSH only for required users
- SFTP chroot
- Secure other services eg (Web, proxy, DNS, MySQL etc.) setup on that server.
- OWASP for web applications
- Configure backups
- Configure longer history retention with date/time
- Configure audit daemon
- SSL certificate (Let's Encrypt)
- Containers or virtualization for isolation (lxc, kvm)
- Configure two factor authentication for applications including SSH (Google authenticator)
- Remove unwanted packages
  - Many people suggest removing X11 or graphical packages, if they are not required
  - Removing cc, gcc, etc. should make it more difficult for an attacker to compile programs
- File and folder encryption
- Monitor User Activities (psacct, acct)?
- Record system CPU, Memory, Disk usage statistics?
- Zabbix monitoring?
- DRL hardening script?
- SELinux ??
- CIS Linux benchmark??
- Strong password policy including aging
- LDAP instead of local logins when there are many systems (Data-center)
- Physical security
  - BIOS boot passwords
  - Prevent accidental / intentional shutdown / reboot / network disconnection
  - Grub single mode root access
  - Boot from live CD/DVD/USB
  - Take files / account information without any logs / traces
  - Take the hard disk and put it in another system
- Network firewall managed by someone else / Microsegmentation
- Honeypots?
- Central logging / remote logging for incident analysis purposes
- Reformat compromised system
- Avoid using FTP, Telnet, and rlogin / rsh services (use SSH, SFTP, ownCloud, etc.)
Regular tasks to monitor and ensure system is safe
TODO
- Do VA/PT of your system using tools
- Go through logwatch report (Daily)
- Additional updates (dnf -y update) -- Automatic updates??
- Installed packages list (dnf history)
- List of open ports (ss -alnp). Avoid non-encrypted (non-SSL/non-TLS) services
- Validate list of users (getent passwd)
- Validate the UID of Non-Root Users
- Validate shell of non-human users
- Validate sudo access
- Validate SSH authorized keys
- Validate firewall rules including people who have SSH access
- Validate cron files and crontab entries
- Validate atd entries or disable at daemon
- Validate kernel modules (Honeypots, keyloggers, etc.)
- Validate backups are happening properly (Including application / DB backups)
- If possible restore backup (Note steps)
- Validate fail2ban status and no. of machines blocked
- Disable unwanted services
- Review SUID and SGID permissions
- Review world-writable files
- Look for files modified using chattr (lsattr)
- Look at relevant application logs (/var/log/httpd, /var/log/maillog, etc.) and OS logs (/var/log/messages)
- Look at audit logs
- Try to crack existing passwords
- Look for rootkits using chkrootkit and rkhunter
Refer:
- https://www.ubuntupit.com/best-linux-hardening-security-tips-a-comprehensive-checklist/
- https://www.tecmint.com/linux-server-hardening-security-tips/
- https://www.cyberciti.biz/tips/linux-security.html
- https://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/
- https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/overview-of-security-hardening-security-hardening