Monday, September 9, 2013

Keep Your Linux Server Secure With 15 Easy Ways


There are important things to know when it comes to Linux. Read on.

Monday, September 09, 2013

Security is of prime importance in any situation. EFYTimes brings you 15 steps you can follow to ensure better security of your Linux server.

1. Encrypt Data Communication: Use password protection (encryption) for all data transmitted over the network. Use scp, ssh, rsync or sftp for file transfer; you can also mount a remote server's file system over SSH with the sshfs and FUSE tools. Another tool is GnuPG, which lets you encrypt and sign data and communication and has a versatile key management system. Avoid FTP, Telnet and rlogin / rsh, which send everything, passwords included, in the clear. The common solution is to use OpenSSH, SFTP or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. Type the following command to delete NIS, rsh and other outdated services:

# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server

2. Minimise Software to Minimise Vulnerability: Do not install every web service you can think of; every unnecessary package is extra attack surface. Use your package manager (yum on RPM-based systems, apt-get and dpkg on Debian-based systems) to review the full set of installed packages on the system, and delete all unwanted packages.

# yum list installed

# yum list packageName

# yum remove packageName

OR

# dpkg --list

# dpkg --info packageName

# apt-get remove packageName

3. One Network Service Per System or VM Instance: Run different network services on separate servers or VM instances, so that a compromise of one service exposes as few other services as possible.

4. Keep Linux Kernel and Software Up to Date: Make sure you apply all security patches. While Linux provides all necessary tools to keep your system updated, all security updates should be reviewed and applied as soon as possible.

5. Use Linux Security Extensions: If possible, use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for the Linux kernel.

6. User Accounts and Strong Password Policy: Use useradd / usermod to create and maintain user accounts, and make sure a good password policy is in place. Most importantly, pick a password you can remember. The chage command changes the number of days between password changes and the date of the last password change; the system uses this information to determine when a user must change his or her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite, including password aging. To disable password aging, enter:

chage -M 99999 userName

To get password expiration information, enter:

chage -l userName

Finally, you can also edit the following fields in the /etc/shadow file directly:

{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
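The following is an added example, not part of the EFYTimes article, that audits records in the /etc/shadow field layout shown above: it flags accounts with an empty password field and accounts whose maximum password age is unset or 99999 (aging disabled). The input is a constructed sample, not a real shadow file, and the hash strings are placeholders.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-format records for weak password-aging settings.
# Fields: name:password:lastchange:min_days:max_days:warn:inactive:expire
# Constructed sample input; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW='root:$6$placeholder$placeholderhash:15950:0:90:7:::
alice:$6$placeholder$placeholderhash:15950:0:99999:7:::
bob::15950:0:90:7:::
svc:!:15950:0:90:7:::
carol:$6$placeholder$placeholderhash:15950:0:90:7:::'

# audit_shadow [FILE]: reads shadow records from FILE or stdin and prints one
# "user:finding" line per problem found.
audit_shadow() {
    awk -F: '
        NF < 2 { next }                        # skip blank or malformed lines
        {
            user = $1; pw = $2; maxdays = $5
            if (pw == "") {                    # login possible without any password
                print user ":empty-password"; next
            }
            if (pw ~ /^[!*]/) next             # locked/disabled: no password login possible
            # an empty max field or 99999 means the password never has to be changed
            if (maxdays == "" || maxdays + 0 >= 99999) print user ":no-password-aging"
        }' "$@"
}

# Demonstration on the constructed sample (on a real host: audit_shadow /etc/shadow, as root).
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```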

7. Disable root Login: Never log in as the root user. Use sudo to execute root-level commands as and when required.

8. Physical Server Security: Protecting physical console access to Linux servers is of paramount importance. Configure the BIOS to disable booting from external devices such as DVDs / CDs / USB sticks, and set BIOS and GRUB boot loader passwords to protect these settings.

9. Disable Unwanted Services: Disable all unnecessary services and daemons (services that run in the background), and remove all unwanted services from the system start-up. Type the following command to list all services that are started at boot time in run level 3:

# chkconfig --list | grep '3:on'

To disable service, enter:

# service serviceName stop

# chkconfig serviceName off

10. Delete X Windows: X Windows is not a requirement on a server; there is no reason to run it on a dedicated mail or Apache web server. Disable it, or remove it altogether, to improve server security and performance. Edit /etc/inittab and set the run level to 3. Finally, to remove the X Window System, enter:

# yum groupremove "X Window System"

11. Configure Iptables and TCPWrappers: Iptables is a user-space program that lets you configure the firewall (Netfilter) provided by the Linux kernel. Use the firewall to filter traffic and allow only what is necessary. Also use TCP Wrappers, a host-based networking ACL system, to filter network access to services. Iptables can also help prevent many denial-of-service attacks.

12. Linux Kernel /etc/sysctl.conf Hardening: The /etc/sysctl.conf file is used to configure kernel parameters at runtime; Linux reads and applies its settings at boot time. Sample /etc/sysctl.conf:

# Turn on execshield

kernel.exec-shield=1

kernel.randomize_va_space=1

# Enable IP spoofing protection

net.ipv4.conf.all.rp_filter=1

# Disable IP source routing

net.ipv4.conf.all.accept_source_route=0

# Ignoring broadcasts request

net.ipv4.icmp_echo_ignore_broadcasts=1

net.ipv4.icmp_ignore_bogus_error_messages=1

# Make sure spoofed packets get logged

net.ipv4.conf.all.log_martians=1
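As an added example (not part of the article), here is a small POSIX shell check that compares a sysctl.conf-style file against the settings listed above and reports keys that are missing or set to a different value. It runs against a constructed sample file with one weakened value and one missing key; point it at the real /etc/sysctl.conf to audit a host.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file against expected hardening values.
# Expected settings, taken from the sample /etc/sysctl.conf above.
EXPECTED_SYSCTL='kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians=1'

# check_sysctl_conf FILE: print "key:missing" or "key:expected=X got=Y" for every
# expected key that FILE does not set correctly. Comments and blank lines are
# ignored and whitespace around "=" is tolerated, as sysctl itself allows.
check_sysctl_conf() {
    printf '%s\n' "$EXPECTED_SYSCTL" | awk -F= '
        NR == FNR { want[$1] = $2; keys[++n] = $1; next }   # first input: expected list
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                 # second input: skip comments
        NF >= 2 {
            k = $1; v = $2
            sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            have[k] = v
        }
        END {
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if (!(k in have)) print k ":missing"
                else if (have[k] != want[k]) print k ":expected=" want[k] " got=" have[k]
            }
        }' - "$1"
}

# Constructed sample config (not a real host): rp_filter weakened, log_martians absent.
SAMPLE_SYSCTL_FILE="$(mktemp)"
trap 'rm -f "$SAMPLE_SYSCTL_FILE"' EXIT
cat > "$SAMPLE_SYSCTL_FILE" <<'EOF'
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space = 1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages=1
EOF

check_sysctl_conf "$SAMPLE_SYSCTL_FILE"
```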

13. Separate Disk Partitions: Separating operating system files from user files gives a more robust and secure system. Make sure the following filesystems are mounted on separate partitions:

/usr
/home
/var and /var/tmp
/tmp

14. Turn Off IPv6: IPv6 is a new Internet-layer protocol in the TCP/IP suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. However, there are currently no good tools that can check a system over the network for IPv6 security issues, so turn it off unless your network configuration requires it.

15. Disable Unwanted SUID and SGID Binaries: Any file with the SUID or SGID bit set can be misused if the executable has a security problem or bug, and any local or remote user can run such a file. It is a good idea to find all such files. Use the find command as follows:

# See all set-user-id files

find / -perm /4000

# See all set-group-id files

find / -perm /2000

# Or combine both in a single command

find / \( -perm -4000 -o -perm -2000 \) -print

# Skip the /proc pseudo-filesystem and list matching regular files in ls format

find / -path /proc -prune -o -type f -perm /6000 -ls
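An added example (not from the article) that builds on the find commands above: record a baseline of SUID/SGID files and later report any set-id file that was not in the baseline, which is how an unexpected privileged binary surfaces in a routine check. It runs on a constructed directory tree under mktemp rather than on /; on a real host the baseline should be stored off the scanned tree (or off the host).

```shell
#!/bin/sh
# Added example: baseline-and-diff check for set-user-id / set-group-id files.

# list_setid_files DIR: sorted list of regular files under DIR with SUID or SGID set.
# POSIX "-perm -MODE" matches when all bits of MODE are set, so the two tests are ORed.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# new_setid_files BASELINE DIR: set-id files present now but absent from BASELINE
# (BASELINE must be in the same sorted order, which list_setid_files guarantees).
new_setid_files() {
    list_setid_files "$2" | LC_ALL=C comm -13 "$1" -
}

# Constructed demo tree (not a real system): two expected set-id files and one plain file.
DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
printf '#!/bin/sh\n' > "$DEMO_DIR/ping-like"; chmod 4755 "$DEMO_DIR/ping-like"   # SUID
printf '#!/bin/sh\n' > "$DEMO_DIR/wall-like"; chmod 2755 "$DEMO_DIR/wall-like"   # SGID
printf '#!/bin/sh\n' > "$DEMO_DIR/plain";     chmod 0755 "$DEMO_DIR/plain"

# Record the baseline (normally kept off the scanned tree; the file itself is not set-id).
BASELINE="$DEMO_DIR/baseline.txt"
list_setid_files "$DEMO_DIR" > "$BASELINE"

# Later a new SUID file appears that the baseline does not know about.
printf '#!/bin/sh\n' > "$DEMO_DIR/unexpected"; chmod 4755 "$DEMO_DIR/unexpected"

# Routine check: prints only the unexpected file.
new_setid_files "$BASELINE" "$DEMO_DIR"
```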



Source: Keep Your Linux Server Secure With 15 Easy Ways
