Sunday, January 31, 2016

Secure Linux server 1

9:36 PM Posted by Dilli Raj Maharjan, 4 comments
The Linux operating system is less prone to viruses than other major operating systems, but it still has a lot of security issues. The following are a few tasks that can be done to make a Linux system more secure.

Protect GRUB with password

Anyone who has physical access to the machine can easily boot the Linux system into single user mode and change the root password and settings.
This is a great convenience when we forget the root password, but the same ability can become a serious security flaw through which our system may get hacked.
So we need to protect the GRUB settings with a password to prevent unauthorised people from modifying them.

Generate a hashed password with grub-md5-crypt. It prompts for the password and prints it as an MD5 hash.

grub-md5-crypt








Modify the grub.conf file and add the line password --md5, followed by the generated hash, between the timeout and splash settings.

vi /boot/grub/grub.conf
password --md5 $1$vDBXc$stkC6hxrdEcK691qwarft1













Whenever you try to edit the GRUB entries, you cannot do so until you enter the correct password. Press P to type the password and unlock GRUB. Unless you type the correct password, you are not allowed to enter GRUB and modify anything.





























After entering the correct password we can enter the GRUB settings and modify them.











Protect cron

By default, all Linux users are allowed to run cron jobs. This should be controlled. We can use the following two files to control it.
/etc/cron.allow lists the users who are allowed to use cron.
/etc/cron.deny lists the users who are denied the use of cron.

Cron has its own built-in feature for specifying who may and who may not run jobs. This is controlled by the files /etc/cron.allow and /etc/cron.deny. To lock a user out of cron, simply add the user name to cron.deny; to allow a user to run cron, add the name to the cron.allow file. If you would like to disable all users from using cron, add the ALL line to cron.deny file.
The example below shows that user dilli is allowed to use cron whereas all others are denied.
# echo "dilli" >> /etc/cron.allow
# echo "ALL" >>/etc/cron.deny






We edited the crontab as user dilli and the job gets executed.


crontab -e
*/5 * * * * echo "hello"









Whenever we try to modify the crontab as user oracle we get the message below.

You (oracle) are not allowed to use this program (crontab)
See crontab(1) for more information
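
The decision crontab makes for the two users above, written out as an added example (it is not code from the original post). It assumes the precedence documented in crontab(1) as shipped with cronie; the function name may_use_crontab and the temporary file paths are hypothetical.

```sh
#!/bin/sh
# Added example: the allow/deny decision crontab makes for a user.
# Assumption: precedence as documented in crontab(1) shipped with cronie.

# may_use_crontab USER ALLOW_FILE DENY_FILE: return 0 if permitted, 1 if not.
may_use_crontab() {
    user=$1; allow=$2; deny=$3
    if [ "$user" = root ]; then
        return 0                          # root is always permitted
    elif [ -f "$allow" ]; then
        grep -qxF -- "$user" "$allow"     # allow list exists: it alone decides
    elif [ -f "$deny" ]; then
        ! grep -qxF -- "$user" "$deny"    # deny list only: listed users refused
    else
        return 1                          # neither file: only root may use cron
    fi
}

# Constructed copies of the two files, so nothing under /etc is touched.
crondir=$(mktemp -d); trap 'rm -rf "$crondir"' EXIT
echo "dilli" >> "$crondir/cron.allow"
echo "ALL"   >> "$crondir/cron.deny"

report() {
    if may_use_crontab "$1" "$crondir/cron.allow" "$crondir/cron.deny"; then
        echo "$1: allowed"
    else
        echo "$1: You ($1) are not allowed to use this program (crontab)"
    fi
}
report dilli
report oracle
```

For auditing a real host, pass /etc/cron.allow and /etc/cron.deny as the second and third arguments.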







Disable Ctrl+Alt+Delete in Inittab

Pressing Ctrl+Alt+Delete is the worst nightmare for system admins because it reboots the Linux machine. Those who use Windows machines may press Ctrl+Alt+Delete accidentally on a Linux machine, so it is wise to disable this feature.
Create a file control-alt-delete.override under the /etc/init directory to disable it.
$ vi /etc/init/control-alt-delete.override
start on control-alt-delete

exec /usr/bin/logger -p authpriv.notice -t init "Control-Alt-Delete disabled"









Whenever we press Ctrl+Alt+Delete, nothing happens. Instead of rebooting, the system logs the message "Control-Alt-Delete disabled".

We can verify this in the log.

tail -f /var/log/secure
Jan 20 22:00:51 mylinux init: Control-Alt-Delete disabled
Jan 20 22:00:56 mylinux init: Control-Alt-Delete disabled
Jan 20 22:01:18 mylinux init: Control-Alt-Delete disabled






Configure SSH Banner for Login

Paste the banner content into /etc/ssh/banner.txt
cat <<EOF > /etc/ssh/banner.txt
WARNING: This system is for the use of authorized clients only.
            Individuals using the computer network system without
            authorization, or in excess of their authorization, are
            subject to having all their activity on this computer
            network system monitored and recorded by system
            personnel.  To protect the computer network system from
            unauthorised use and to ensure the computer network systems
            is functioning properly, system administrators monitor this
            system.  Anyone using this computer network system
            expressly consents to such monitoring and is advised that
            if such monitoring reveals possible conduct of criminal
            activity, system personnel may provide the evidence of
            such activity to law enforcement officers.

            Access is restricted to authorized users only.
            Unauthorized access is a violation of state and federal,
            civil and criminal laws.
EOF




















Modify /etc/ssh/sshd_config and uncomment the Banner setting, giving it the banner file name.

Banner /etc/ssh/banner.txt






Disable SSH root login

Modify /etc/ssh/sshd_config and uncomment the PermitRootLogin setting with the value no.
PermitRootLogin no






Disable X11 forwarding.

Modify /etc/ssh/sshd_config: uncomment #X11Forwarding no and comment out X11Forwarding yes.
X11Forwarding no
#X11Forwarding yes





Restart the sshd service for the new changes to take effect.

/etc/init.d/sshd restart
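
A check for the three sshd_config settings changed above, as an added example that is not part of the original post. It reads the file the way sshd does (the first active value of a keyword wins, keywords are case-insensitive, commented lines are ignored); the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the three settings changed above.
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and commented-out lines have no effect.

# effective_sshd_value FILE KEYWORD: print the first active global value.
# Assumes "Keyword value" syntax; Include files are not followed.
effective_sshd_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/          { next }   # comments and blank lines
        tolower($1) == "match"  { exit }   # settings after Match are conditional
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: report each setting; return 0 only if all three match.
audit_sshd() {
    file=$1; rc=0
    for pair in "PermitRootLogin no" "X11Forwarding no" \
                "Banner /etc/ssh/banner.txt"; do
        key=${pair%% *}; expected=${pair#* }
        actual=$(effective_sshd_value "$file" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $key $actual"
        else
            echo "FAIL $key is '${actual:-unset}', expected '$expected'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not taken from a real host).
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
weak=$tmpdir/weak; good=$tmpdir/good
cat > "$weak" <<'EOF'
#PermitRootLogin no
permitrootlogin yes
X11Forwarding yes
X11Forwarding no
#Banner /etc/ssh/banner.txt
Match User backup
    PermitRootLogin no
EOF
printf '%s\n' 'Banner /etc/ssh/banner.txt' 'PermitRootLogin no' \
    'X11Forwarding no' '#X11Forwarding yes' > "$good"

audit_sshd "$weak" || echo "weak sample: fix before restarting sshd"
audit_sshd "$good"
```

On a real host, run audit_sshd /etc/ssh/sshd_config, and run sshd -t before the restart so a syntax error does not leave the service unable to start.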








Turn Off IPv6









Add the following configuration settings to the kernel configuration file /etc/sysctl.conf. In my case I have 3 interfaces, so I am adding 3 different settings for eth0, eth1 and bond0.

vi /etc/sysctl.conf
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.bond0.disable_ipv6 = 1

or 

net.ipv6.conf.all.disable_ipv6 = 1









Execute the following command to put the kernel configuration into effect.

sysctl -p









We can verify with the ifconfig command that IPv6 has been disabled.

















4 comments:

  1. Something that is simple yet very important.

    1. Sujit, thank you very much for the comment. Secure Linux server 2 and Secure Linux server 3 are on the way to publish; hope they will be useful too.
