Basic security for Linux hosts

By | 2014/05/14

After reading The Cuckoo’s Egg by Clifford Stoll [1] I became a bit unsure whether my Linux server is set up securely enough. Even though the story about the hacker is quite old, it nevertheless highlights the importance of security and of being careful enough when connecting a machine to the net.

Additionally, having some history and experience in security, I decided to have a closer look at my Linux server to double-check its security.

1.) Passwords

First of all – and the cause of many problems – passwords. So let’s create a password which has no relation to the user, the content or the server itself. Passwords should have a certain length, contain numbers, lower- and upper-case characters – and at least one special character. If your brain is unable to generate such a password, you can use the pwgen command under Linux.

root@lvps5-35-244-75:~# pwgen -y 12

Since we have now created a secure password, we should limit our remote access to certain users. In addition we should disable remote access for the privileged root account: if, for whatever reason, somebody were able to log in as root, there would be no limitations or boundaries left to stop them from changing, modifying or destroying our system. Therefore simply edit the following line in /etc/ssh/sshd_config:

PermitRootLogin no

Afterwards, restart sshd to reload the configuration.

/etc/init.d/sshd restart

In addition, since most systems have several accounts, you should ask yourself whether all of them require SSH access.

2.) Automatic Security Updates

To enable automatic security-related updates under Ubuntu, install the unattended-upgrades package:

apt-get install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Further details regarding unattended upgrades and their specifics can be found under [3]. Personal note: as on my installation unattended-upgrades was not doing the upgrades automatically, I simply added the command to my crontab to be fired up each day at 03:00. To change your crontab use:

crontab -e

and add the following line:

0 3 * * * /usr/bin/unattended-upgrade

Related to this topic, I also find the apticron package quite helpful, which should automatically inform you about package updates.

apt-get install apticron
vim /etc/apticron/apticron.conf


3.) Disable external root access

Also one of the basic security to-dos after a server set-up should be disabling remote root SSH login. This can be easily done by changing the following parameter in /etc/ssh/sshd_config:

PermitRootLogin no

Please note that a change to the sshd configuration requires a restart of the service, which can be done via:

/etc/init.d/sshd restart
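Sections 1 and 3 both tell you to set PermitRootLogin to no, but a quick grep of sshd_config is a poor check: the stock file ships a commented "#PermitRootLogin" line, keywords are case-insensitive, and sshd takes the first occurrence of a keyword, so appending a second line below an existing "PermitRootLogin yes" changes nothing. The following script is an added example (not from the original post) that resolves the effective value the way sshd does and reports whether root login is really off; it assumes POSIX sh and awk, and the config path is a parameter, so it runs against the constructed samples below as well as /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: check the effective PermitRootLogin value of an sshd_config.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
# Rules mirrored from sshd: keywords are case-insensitive; a line whose first
# non-blank character is '#' is a comment; "Keyword value" and "Keyword=value"
# are both accepted; the FIRST occurrence of a keyword wins; settings inside a
# Match block are conditional, so scanning stops at the first Match line.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            sub(/^[ \t]+/, "")
            if ($0 == "" || substr($0, 1, 1) == "#") next
            sub(/=/, " "); $0 = $0
            if (tolower($1) == "match") exit
            if (tolower($1) == kw && NF >= 2) { print $2; exit }
        }' "$1"
}

# Succeed (exit 0) only if the file sets PermitRootLogin to "no". An absent
# keyword falls back to the sshd built-in default, which is not "no", so it
# is reported as NOT disabled. Values compare case-insensitively like in sshd.
root_login_disabled() {
    [ "$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ]
}

# Write a constructed sample config: $1 = path, remaining args = lines.
make_sample() {
    f=$1; shift
    : > "$f"
    for line in "$@"; do printf '%s\n' "$line" >> "$f"; done
}

# Stand-alone demo on two constructed (not real) configs.
demo=${TMPDIR:-/tmp}/sshd_demo.$$
make_sample "$demo.good" "#PermitRootLogin prohibit-password" "PermitRootLogin no" "Port 22"
make_sample "$demo.bad"  "PermitRootLogin yes" "PermitRootLogin no"
for f in "$demo.good" "$demo.bad"; do
    if root_login_disabled "$f"; then
        echo "$f: remote root login disabled"
    else
        echo "$f: ROOT LOGIN STILL ALLOWED (effective: $(sshd_effective "$f" PermitRootLogin))"
    fi
done
rm -f "$demo.good" "$demo.bad"
```

Run it as `sh check.sh` for the demo, or call `root_login_disabled /etc/ssh/sshd_config` from your own scripts; remember that after editing the file sshd still has to be restarted before the change takes effect.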

4.) Take a look beyond the walls: Check for additional services

I find it quite helpful to do an external scan of which services are reachable. This can be done quite easily and straightforwardly via nmap. So let’s install it and do a quick scan:

root@abc:~# apt-get install nmap
root@abc:~# nmap -f xyz.com
Starting Nmap 5.00 ( http://nmap.org ) at 2013-11-06 23:16 CET
Interesting ports on jvr.at (5.35.244.75):
Not shown: 985 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
8443/tcp open  https-alt

Of course there are many more security-related tips & tricks, but I thought this might be a starting point. Another starting point which I find quite useful is [2].


[1] Clifford Stoll, The Cuckoo’s Egg

[2] Ravi Saive, 25 Hardening Security Tips for Linux

[3] Ubuntu Help, Automatic Security Updates
