Jun 102010
 

From blog.taragana.com

Like every other Operating System Linux not free from security issues. These issues can be anticipated and averted only with suitable preventive steps. However, sticking to the buttoned-down techniques for securing the Linux systems such as locking the network, minimizing risk by locking down the system and restricting the access to only a few people are mere safe play and not the right measures a system administrator should take on to tighten up the security. These steps might be applicable to the average installation to some extent, but not much. We made an attempt to assemble some of the most feasible techniques for ensuring best security for your Linux system. Here’s our list of top 10 Linux security tips for system administrator.

1. Install Security Updates on time
Let us consider Ubuntu, for instance, Ubuntu’s Package Manager provides a regular stream of security and performance updates for Operating System and the Programs that you have installed. Keeping up with the patches is essential for Linux as for any other operating system. Moreover, since Linux is open source the updates can be expected more frequently.
When you receive

Shell Commands

In order to check the updates use

apt-get update && apt-get upgrade
or
yum update

Using the remote access software that works

SSH stands for “Secure Shell” is a network protocol for creating secure communications between two computers. Older protocols for remote access such as telnet, send information such as telnet, send information such as usernames and password in clear text and may have other security loop holes

2. Be alert when using peer-to-peer file sharing application
peer-to-peer (P2P) applications such as Napster, Gnutella, iMesh, Audiogalaxy Satellite and KaZaA offer good means for sharing information. In case you degrade the performance of the University’s network. Without knowing it you can share personal data, inadvertently violate federal copyright law or expose the computer to malicious code or unacceptable use.

For more information on peer-to-peer file sharing applications read here.

3. Enable WPA on router
For quiet some years now standard security for wireless networks has been the WEP, which can now be easily compromised. Modern machines can catch up the keys on wireless network using WEP within a short span only until enough data is transmitted. This might not be the issue for all locations.

The more the number of people within the range of access point, the more it is likely that one of them will try to crack your security. Users can do it with complete anonymity and you might never be able to trace the location.

Even turning off the access point name being broadcast or locking access to MAC addresses, but this might not help you, as a snooper might derive this information from the data. Only way you ensure protection is by switching the encryption methods on your router. In case, the router doesn’t support anything better then WEP you might consider getting a new one.

To overcome this you can look for model that supports WPA or ideally WPA2. Anyone of these might make your connection a lot more secure than WEP.

4. Securing the groups and permissions
Groups and permissions are both useful features in the filesystem adopted from Unix systems. Each of the members can be member of any of the groups. The groups can assemble some of the special kind of users. In most of the Linux distros groups are used to restrict access to specific hardware. Just follow the steps below

Right-click on the file manager
Click on Properties to see its permissions
Change the parameters and restrict access to key files and devices

5. Disable root Login
Try not to login as a root user. Instead use sudo to execute root level commands as and when required. The security of your system can be enhanced using sudo, as you don’t to share root and password with other users and admins. sudo offers a simple auditing and tracking feature too.

6. User Firewall to Protect Your Connection
There are a several reasons to have a firewall on

New software might open network ports without notifying you. It will leave your computer open to attack
With the Firewall on users can control which computer IP addresses can access your computer
Mostly the broadband routers include one by default, while Ubuntu has no Internet-facing services running in a standard installation that renders a firewall unnecessary. It doesn’t take much to change a configuration or install something that is vulnerable.

Linux kernel already has a functionality by default, so the only thing it takes is the graphical front-end by default.

One of the favorite we is the ufw. It’s a command line utility that is installed but not enabled on Ubuntu systems.

First type

sudo ufw enable

To start the firewall type

sudo ufw default deny

It’s easy to make the configuration easier using the Gufw GUI.

7. Encrypted Data Communication
It’s a known fact that all the data transmitted over network is open to monitoring. This makes it imperative to encrypt transmitted data whenever possible with password or using keys/certificates.

For file transfer use scp, ssh, rsync or sftp. You might also mount remote server file system or your own home directory using special sshfs and fuse tools.

GnuPG is another application that allow users to encrypt and sign the data and communicate. It features a versatile key management system as well as access modules for all kind of public key directories.

Fugu provides a graphical frontend to the commandline Secure File Transfer application(SFTP). SFTP is similar to FTP, but unlike FTP the entire session is encrypted meaning no passwords are sent in cleartext form and it is much less vulnerable to third party interception.

FileZilla is a cross platform client that supports FTP, FTP over SSL/TLS(FTPS) and SSH File Transfer Protocol(SFTP).

OpenVPN is a cost-effective, lightweight SSL VPN

Lighttpd SSL (Secure Server Layer) Https – Configuration and installation

Apache SSL (Secure Server Layer) Https (mod_ssl) Configuration and Installation

8. Minimize Software to Minimize Vulnerability
In order to to escape vulnerabilities in software try to avoid installing unnecessary software. Use the RPM package manager such as yum or apt-get and/or dpkg to review all installed set of software packages on a system. Get rid of all the undesired packages.

# yum list installed
# yum list packageName
# yum remove packageName

OR

# dpkg –list
# dpkg –info packageName
# apt-get remove packageName

9. Track no-owner files
Sometimes the files without owners cause security problems. You can find them with the following command that doesn’t belong to a valid user and a valid group

find /dir -xdev \( -nouser -o -nogroup \) -print

10. Tips to ensure maximum protection to account and password
Users can employ the chage command to ensure password changes on a given date of last password change. This information helps to determine when a user needs to change his/her password.

To disable password aging type

chage -M 99999 userName

To get the password expiry date enter

chage -l userName

Restric Use of previous password

In Linux users can use and reuse the same old passwords under Linux. The pam_unix module parameter can be used to configure the number of previous passwords that cannot be reused.

i) Locking Users Accounts after login failures

In Linux you can use the faillog command to display faillog records or set login failure limits. faillog formats the contents of the failure log from /var/log/faillog database / log file. It can also be used for maintains failure counters and limits. In order to see the failed login attempts type

faillog

After a login failure users can unlock an account

faillog -r -u userName

To lock and unlock the accounts you can use

# lock account
passwd -l userName

# unlocak account
passwd -u userName

In order to verify that no accounts have empty passwords type the following command

# awk -F: '($2 == "") {print}' /etc/shadow

To Lock all empty password account

# passwd -l accountName

ii) Ensure No Non-root accounts have UID Set To 0

As you know root account has UID 0 and full permission to access the system. Using the following command you can display all acounts with UID set to 0.

# awk -F: '($3 == "0?) {print}' /etc/passwd

Now you will see just one line as below

root:x:0:0:root:/root:/bin/bash

In case you see more than one line delete them and make sure there are other accounts authorized by you to use UID 0.

 Posted by at 5:18 am