Hey,
Just thought it was worth writing a thread covering Linux security and hardening tips (was bored earlier); maybe it could be stickied, as the other stuff is 6 years old?
Malware / Viruses / Rootkits
Currently this is of no concern in the Linux world. If you are storing Windows files then Sophos offers a very good enterprise AV package, and there is also ClamAV.
There is more concern over rootkits, but generally they are still rarely seen. RKHunter and chkrootkit are the tools of choice to track them down, but if you find or suspect a rootkit you need to reinstall the OS, as it is fully compromised.
Secure File Deletion
You can securely delete a file from disk using the shred command; the -n switch specifies the number of overwrite passes, with the default being 3. Example: shred -u -n 10 myfile.txt (-u deletes the file after overwriting it). Note this isn't 100% forensically sound on journalling file systems, but it's pretty much there.
You can securely erase an entire disk using DBAN, or dd will also do a perfectly good job: dd if=/dev/urandom of=/dev/sdX
Integrity Checking a File
If you want to find out whether a file is corrupt or has been tampered with (a good idea for important files), you can use a hashing algorithm to produce a checksum. Every Linux distro under the sun (maybe?) includes common hash programs like md5sum, sha256sum and sha512sum. Just run one of these with a file as an argument and you will get a 128-bit-or-longer checksum out.
A single bit flip in a file drastically changes the checksum you get, so they are very reliable. You will also see that a lot of Linux source code, tools etc. are distributed with checksums alongside them so you can verify they are not corrupt or malicious.
Code:
[jack@tcore]$ md5sum test.txt
ce373bb83c8cf5c1c1fbb32c139698b4 test.txt
[jack@tcore]$ md5sum test_cpy.txt
ce373bb83c8cf5c1c1fbb32c139698b4 test_cpy.txt
The above are identical bit for bit, now append a character and see the hash change:
[jack@tcore]$ echo 1 >> test_cpy.txt
[jack@tcore]$ md5sum test_cpy.txt
3ca7d4757240491ed72db6ee1edc1bfe test_cpy.txt
Simple but very useful!
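Checking a download against a published checksum list, the way the post describes, as an added shell example (not from the original post): it builds a constructed sample file plus a SHA256SUMS list, verifies it with sha256sum -c, then appends one byte and shows the check fail. The file name and contents are invented for the demo. One caveat a practitioner will want: a matching checksum only proves the file is what the publisher listed, so the list itself has to come from a trusted place (a signed release page rather than the same mirror as the file), and SHA-256 is preferable to MD5, for which collisions are practical.

```shell
#!/bin/sh
# Added example, not from the original post: verify a file against a published
# checksum list (the SHA256SUMS file projects ship next to releases) and show
# how a single appended byte makes the check fail.

# make_fixture DIR: writes a constructed sample "release" and its checksum list.
# Computing the list here only keeps the demo self-contained; in real use the
# list comes from the project's (ideally signed) release page, not the mirror.
make_fixture() {
    printf 'sample release payload\n' > "$1/release.tar"
    # sha256sum prints "<hex>  <name>"; run inside DIR so the name is relative.
    ( cd "$1" && sha256sum release.tar > SHA256SUMS )
}

# verify_checksums DIR SUMFILE: exit 0 if every listed file matches, 1 if any
# file differs or is missing. --strict also fails on malformed lines, so a
# truncated or edited list is never reported as OK.
verify_checksums() {
    ( cd "$1" && sha256sum -c --quiet --strict "$2" >/dev/null 2>&1 )
}

# hash_of FILE: the hex digest alone, to show how much one byte changes it.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Demo: verify, tamper with one byte, verify again.
demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    echo "original: $(hash_of "$work/release.tar")"
    verify_checksums "$work" SHA256SUMS && echo "release.tar: OK"
    printf '1' >> "$work/release.tar"       # append a single byte
    echo "tampered: $(hash_of "$work/release.tar")"
    verify_checksums "$work" SHA256SUMS || echo "release.tar: FAILED"
    rm -rf "$work"
}

demo
```

On a real download you would keep the SHA256SUMS file as published and run verify_checksums against the directory it sits in; the function exits non-zero on any mismatch, so it drops straight into a script's error handling.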
Encrypting Individual Files
I do this with backups before uploading them to DropBox, very quick and easy to do. GnuPG is the native GNU Linux crypto tool; it should be in your distro's repositories if not already installed.
Encrypt a file with a password: gpg --symmetric --cipher-algo AES256 myfile.zip
Decrypt with: gpg myfile.zip.gpg
With a strong password that will be unbreakable. Another option is TrueCrypt, which is also cross-compatible with Windows.
GPG also supports key-based encryption/decryption using public/private key pairs; if interested in this, read here: http://www.madboa.com/geek/gpg-quickstart/
Encrypting Whole Disks (Pen Drives/HDDs/External HDDs etc):
On modern hardware you won't really notice a visible slowdown when using full disk encryption, so it's worth going for.
LUKS/dm-crypt is the current best choice for full disk encryption on Linux/Unix. It supports the new AES-NI CPU instruction sets and is very well made. In essence it generates a very strong random key for the partition you are protecting and then encrypts that key with your disk password; you can have multiple passwords for decrypting the same volume.
Brief example of how to create an encrypted partition inside your current OS, good for USB keys:
Code:
modprobe aes_x86_64 # (or just 'aes' for x86 boxes) - load the AES cipher module
modprobe dm_crypt # load the device-mapper crypto target
cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/sdaX # write the LUKS header to the partition (destroys existing data, asks for the passphrase)
cryptsetup luksOpen /dev/sdaX mydrive # unlock it as /dev/mapper/mydrive
mkfs -t ext3 /dev/mapper/mydrive # create a filesystem on the mapped device
mount /dev/mapper/mydrive /mnt/mymountpoint # mount it like any other volume
To encrypt your whole OS you need an unencrypted boot partition (about 200 MB), and then you can encrypt everything else (including swap). You can use unique, very strong keys for each partition, store them in the root volume and reference them in /etc/crypttab, and then just remember the one password for the root drive. The Arch wiki explains this in very good detail: https://wiki.archlinux.org/index.php/LUKS
Server Protection / Hardening
If you want to secure a box (or exposed server) there are a lot of very neat tools available to help. Here is a brief summary, as you could write pages on each one:
- GRSecurity - Tutorial - A set of very well made patches for the Linux kernel that will make it like Fort Knox, seriously.
- John The Ripper - Tutorial - A password cracker - it's a good tool to audit password strength on your box. Run it for a few days against the password file to see if any of your users suck.
- RSyslog - Tutorial - Send system log files to a remote box, so they can't be directly altered by an attacker.
- Tripwire - Tutorial - Stores a checksum database of specified directories. This is a very good tool, it can monitor your whole system volume and alert you whenever a file is altered.
- Snort - Tutorial - Intrusion Detection
- IPTables - Tutorial - The standard Linux firewall, very powerful.
- AppArmor - Tutorial - Allows you to assign security profiles to applications outlining what they can and can't do.
- SELinux - Tutorial - An alternative to AppArmor, they basically do the same thing but SELinux is much harder to configure (a nightmare).
- PaX - A kernel patch that protects memory pages, very useful for preventing stack-based exploits. This is included in the GRSecurity patch set.
- Wireshark - Tutorial - You can audit your network traffic at a very low level to see what's coming in and out of the network, this does require experience on knowing what to look for though.
- TCP Wrappers - Tutorial - A common host-based network access control system.
- Port Knocking - Tutorial - Port knocking is a cool technique for opening ports remotely. You can for example define rules that say when a SYN|ACK TCP packet is received open Port 22 for 10 seconds while you connect then close it.
- Read about Fork Bombs and put prevention measures in place - they are often forgotten but more often than not will bring down a box with ease!
- Read about how Linux file permissions work and how to set/change them.
- Scan the box for world writeable files and fix them: find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
- Scan the box for files owned by no user/group and fix them: find / -xdev \( -nouser -o -nogroup \) -print
- Read about chroot jails for locking remote users into a directory jail.
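The two find one-liners above, turned into a small audit-and-fix script as an added example (not from the original post). It scans a constructed fixture tree instead of /, reports world-writable directories that lack the sticky bit plus, going one step beyond the post's command, world-writable regular files, and strips the other-write bit from whatever it finds. Directory and file names in the fixture are invented for the demo; the -nouser/-nogroup check is left out because creating such files needs root.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory tree for
# world-writable locations and remove the "other" write bit. It runs against a
# constructed fixture tree rather than /, so it is safe to try anywhere.

# find_world_writable ROOT: prints offending paths, one per line.
#   directories: writable by everyone and without the sticky bit (a sticky
#                directory such as /tmp is expected and skipped)
#   regular files: writable by everyone (a step beyond the post's command)
# -xdev stays on one filesystem, as in the original find command.
find_world_writable() {
    find "$1" -xdev \( -type d -perm -0002 ! -perm -1000 \) -o \
                    \( -type f -perm -0002 \)
}

# fix_world_writable ROOT: strips o+w from everything find_world_writable
# reports. The sticky directories it skips are left alone.
fix_world_writable() {
    find_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# make_fixture DIR: constructed tree with two findings and two non-findings.
make_fixture() {
    mkdir -p "$1/open_dir" "$1/tmp_like" "$1/etc"
    chmod 0777 "$1/open_dir"                 # finding: world-writable, no sticky bit
    chmod 1777 "$1/tmp_like"                 # fine: sticky bit set, like /tmp
    chmod 0755 "$1/etc"
    : > "$1/etc/world.conf";   chmod 0666 "$1/etc/world.conf"    # finding
    : > "$1/etc/private.conf"; chmod 0644 "$1/etc/private.conf"  # fine
}

demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    echo "before fix:"; find_world_writable "$work"
    fix_world_writable "$work"
    echo "after fix:";  find_world_writable "$work"   # prints nothing
    rm -rf "$work"
}

demo
```

On a real box, run find_world_writable / first and read the list before fixing anything: a few paths are world-writable on purpose, and chmod o-w on the wrong one breaks a service rather than hardening it.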
VPNs
A VPN allows you to join multiple networks together over an insecure channel (the internet). So, for example, if you run a company and want people to be able to connect to the corporate network from their laptops over the internet, a VPN is perfect. OpenVPN is a well regarded standard Linux server/client; good tutorial here: http://www.hackadmin.com/2010/02/17/openvpn-tutorial/
SSH & SFTP
SSH is the most popular tool for remote administration of Linux boxes and it offers the SFTP/SCP subsystem for securely transferring files. OpenSSH is the standard widespread server/client SSH software for Linux.
Your distro will provide docs for getting a server running, but usually you just install openssh-server and connect to it with ssh user@host for a remote shell.
There is a lot you can do to harden SSH:
- Run on a non standard port number > 1024 which will hide you from automated port scans.
- Edit /etc/ssh/sshd_config and disable remote root login (PermitRootLogin no).
- If you will only be connecting from a few IPs, make them a whitelist of the only allowed SSH connections. This can be done with DenyHosts or IPTables.
- Use public/private key pairs instead of password authentication. This is a very secure method of connecting to SSH. I suggest using 2048-bit or larger RSA/DSA/ECDSA keys; there's a good guide here: http://www.petefreitag.com/item/532.cfm
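A checker for the sshd_config items above, as an added example (not from the original post): it reads the effective value of each option the way sshd does (first match wins, keys are case-insensitive, '#' starts a comment) and reports where PermitRootLogin, PasswordAuthentication or Port are still at their weak or default values. The two sample config files are constructed for the demo: weak.conf is a typical untouched install, hard.conf has the post's settings applied. Remember to restart sshd after changing the real file, and keep an existing session open until you have confirmed a fresh login works.

```shell
#!/bin/sh
# Added example, not from the original post: check an sshd_config for the
# hardening items listed above. Two sample configs are constructed below;
# on a real box you would run: audit_sshd_config /etc/ssh/sshd_config

# get_opt FILE KEY: the effective value of KEY, lower-cased, or empty if unset.
# Mirrors how sshd reads the file: keys are case-insensitive, '#' starts a
# comment, and the first occurrence wins.
get_opt() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        $1 !~ /^#/ && tolower($1) == key { print tolower($2); exit }' "$1"
}

# audit_sshd_config FILE: one line per finding, nothing when all checks pass.
audit_sshd_config() {
    v=$(get_opt "$1" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}', want 'no'"
    v=$(get_opt "$1" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset}', want 'no' (keys only)"
    v=$(get_opt "$1" Port)
    case "${v:-22}" in
        22) echo "Port is the default 22; the post suggests a port above 1024" ;;
    esac
}

# write_samples DIR: constructed sshd_config files (not real host configs).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# typical untouched install: commented-out lines mean sshd defaults apply
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Subsystem sftp internal-sftp
EOF
    cat > "$1/hard.conf" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
EOF
}

demo() {
    work=$(mktemp -d)
    write_samples "$work"
    for f in weak hard; do
        echo "== $f.conf"
        audit_sshd_config "$work/$f.conf"
    done
    rm -rf "$work"
}

demo
```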
SFTP is usually enabled by default and should always be used instead of FTP, so if you have an SSH server you should just be able to SFTP to it using something like sftp user@host and transfer files. FileZilla is a good GUI client for SFTP, and PuTTY provides a Windows tool.
The most recent version of SSH supports elliptic curve crypto, which is very cool and much faster than RSA/DSA; for example, a 256-bit EC key is equivalent to a 1024-bit DSA key and much faster and more secure to work with.
You can also tunnel ports over SSH. And if you want graphics look at tunneling VNC over SSH.
Password & Key Storage
- Use strong passwords (>= 12 characters) you can't remember and whack them in a tool like KeePassX, which is very good and cross-compatible with other operating systems. I keep my database stored on DropBox and sync it with Windows & Android phone.
- Use a tool like this to understand password strength.
Open Port Auditing
It's a good idea to audit what open ports you have on your box, here's a few different ways:
- Run netstat -tulp on the local box to see what TCP ports are listening.
- Use nmap to run a remote port scan against the box: nmap -sT 192.168.1.X
- Use an online port scanner like this: http://www.t1shopper.com/tools/port-scan/
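An added example (not from the original post) for the local check: netstat -tulp is the classic command (-t and -u together list TCP and UDP listeners), and ss -tulpn from iproute2 prints the same table on current distros. The function below parses that table (a constructed sample is embedded so it runs without root or ss) and separates sockets bound to every interface (0.0.0.0, [::], *) from ones bound to loopback only, which is the distinction that decides what a remote nmap scan will see.

```shell
#!/bin/sh
# Added example, not from the original post: split a listener table into
# sockets exposed on every interface and sockets bound to loopback only.
# Input is the output of "ss -tuln" (modern equivalent of netstat -tuln);
# a constructed sample is embedded so the script runs without root or ss.

# sample_ss_output: constructed listener table in ss -tuln format.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
EOF
}

# classify_listeners MODE: reads ss -tuln output on stdin and prints
# "proto address port" for every socket that is
#   MODE=exposed  bound to a wildcard address (0.0.0.0, [::] or *), i.e.
#                 reachable from the network and what a remote scan will see
#   MODE=local    bound to a specific address such as 127.0.0.1
classify_listeners() {
    awk -v mode="$1" 'NR > 1 {
        addr = $5; port = $5
        sub(/:[^:]*$/, "", addr)   # drop ":port" (IPv6 addresses contain colons too)
        sub(/^.*:/, "", port)      # keep only the port
        sub(/%.*$/, "", addr)      # drop a scope id such as %lo
        wild = (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
        if ((mode == "exposed" && wild) || (mode == "local" && !wild))
            print $1, addr, port
    }'
}

# Demo on the constructed table. On a live box: ss -tuln | classify_listeners exposed
echo "exposed on all interfaces:"; sample_ss_output | classify_listeners exposed
echo "loopback only:";             sample_ss_output | classify_listeners local
```

Anything in the "exposed" list that is not meant to serve the network (a database, a cache, a dev server) should be rebound to 127.0.0.1 in its own config or blocked in IPTables; the "local" list is what stays invisible to the remote nmap check.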
Common Sense / Good Practice
- Keep everything patched
- Don't run services as root where possible, this is usually done for you these days but keep in mind things like Apache don't need to run as root.
- If you use su consider switching to sudo
- Only run daemons/services that you actually need and are going to use
- Use strong passwords and physically protect boxes
- If you are running a web server, look into running hardened versions of things like PHP and keep web applications patched up
- Read log files (/var/log/*) otherwise they are useless - There are some nice web apps to read logfiles like PHP syslog viewer.
- Don't use ancient tools that aren't safe, e.g: telnet, ftp, rlogin.