Problem scenario
You need to make a Linux server very secure. How do you harden a Linux server?
Answer
- You may need to reformat the server. Back up the data first. When you reinstall Linux, use full disk encryption. Make the boot partition read-only.
- Enforce complex passwords that must be changed every 30 to 90 days. Use John the Ripper (www.openwall.com/john) to ensure your passwords are strong.
- sshd_config should not permit root login (set "PermitRootLogin" to "no").
- Don't start Docker containers with sudo. Look into this one: could you remove root from the "docker" group? Or could you do some configuration to prevent "sudo" or the root user from starting Docker containers?
- Use a microservices architecture to the extent possible. If a single-purpose container or single-purpose VM is compromised, you retain the integrity of the other services and data. From a pragmatic perspective, the data may not be useful to the hacker of a single container or VM. If you are using Docker, see this posting.
- Keep the Linux kernel up-to-date.
- Use AppArmor or SELinux.
- Have backups. Security involves the Confidentiality, Integrity and Availability triad. Therefore, having backups that you have tested by restoring from them is essential to hardening a Linux server.
- Use a host-based IDS (Intrusion Detection System).
- Have a network-based IDS (Intrusion Detection System).
- Have a firewall on the OS.
- Discover no-owner files from time to time:
Noowner Files
https://www.cyberciti.biz/tips/linux-security.html (#26)
Files not owned by any user or group can pose a security problem. Just find them with the following command, which lists files that do not belong to a valid user and a valid group:
find /dir -xdev \( -nouser -o -nogroup \) -print
You need to investigate each reported file and either assign it to an appropriate user and group or remove it.
13. Use TCPWrappers
"… TCPWrappers a host-based networking ACL system to filter network access to Internet." (This excerpt was taken from https://www.cyberciti.biz/tips/linux-security.html.)
TCP Wrappers is probably not necessary on a modern version of RHEL, but on Ubuntu it still seems to be used, according to this site.
14. Check the configuration of /etc/sysctl.conf. This important file sets kernel parameters. To ensure it is secure, see this website https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/.
15. Restrict the core dumps via their governing configurations. (This was influenced by #15 of this external page.) To do this, see these postings:
- https://community.perforce.com/s/article/2979
- https://linux-audit.com/understand-and-configure-core-dumps-work-on-linux/
16. Change the permissions settings of cronjob-related files. To do this, see #14 of this external page.
17. Install a file-shredding utility. Deleting sensitive files with it helps ensure confidentiality.
18. You may want to look into a Lojack-type recovery mechanism for the server.
19. You may want to read Bruce Schneier's blog.
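Several of the items above (the PermitRootLogin setting, the no-owner file search, the sysctl.conf review and restricting core dumps) can be checked from a copy of the relevant files. The script below is an added example written for this page, not code from the original post or from cyberciti; the sysctl baseline it compares against is an assumed set of commonly recommended values, so adjust it to your own policy.

```shell
#!/bin/sh
# Added audit helpers, not from the original post. Each function takes a file
# or directory path so it can be run against configs copied from a server.
# Requires only POSIX sh, awk and find.

# Effective PermitRootLogin: sshd uses the FIRST occurrence of a keyword, keyword
# names are case-insensitive, "key value" and "key=value" are both accepted, and
# anything after a "Match" line is conditional, so the scan stops there.
# OpenSSH 7.0+ defaults to "prohibit-password" when the keyword is absent.
sshd_permit_root_login() {
    awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }' "$1"
}

# Value of KEY in a sysctl.conf-style file: the LAST assignment wins and lines
# starting with # or ; are comments. (Keys written with "/" are not normalised.)
sysctl_value() {
    awk -v key="$2" -F '=' '
        /^[ \t]*[#;]/ || !/=/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { val = v; found = 1 }
        END { if (found) print val }' "$1"
}

# Compare a sysctl file against a small baseline (assumed values; adjust to your
# policy). fs.suid_dumpable=0 stops set-uid programs from writing core dumps.
# Prints one line per deviation and returns the number of deviations found.
sysctl_audit() {
    n=0
    for pair in fs.suid_dumpable=0 kernel.randomize_va_space=2 \
                net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.rp_filter=1; do
        k=${pair%=*}; want=${pair#*=}; got=$(sysctl_value "$1" "$k")
        [ "$got" = "$want" ] || { echo "$k: want $want, got ${got:-unset}"; n=$((n+1)); }
    done
    return "$n"
}

# Files under DIR (same filesystem only) that have no valid owner or group.
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# Typical use on a live host (needs read access to the files):
# sshd_permit_root_login /etc/ssh/sshd_config; sysctl_audit /etc/sysctl.conf; unowned_files /
```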