Monday, February 1, 2016

Secure Linux server 2

8:43 PM, posted by Dilli Raj Maharjan. No comments

Secure Linux server 1

Verify which network ports are listening.

Execute the netstat command to find the listening ports. Disable every listening service that is not required.
netstat -tulpn

Execute the lsof command to view more details about the listening ports.

lsof -Pnl +M -i4
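As an added example (not part of the original post), the following shell script filters saved netstat -tulpn output down to the sockets bound to a non-loopback address, i.e. the services reachable from the network that should be reviewed first; the netstat lines inside it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): from saved `netstat -tulpn`
# output, list the listening sockets bound to a non-loopback address, i.e.
# the services reachable from the network that should be reviewed first.
# The sample below is constructed in the format netstat prints on Linux.
LC_ALL=C; export LC_ALL

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1187/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2101/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      2250/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           944/rpcbind
udp        0      0 127.0.0.1:323           0.0.0.0:*                           901/chronyd'

# Write the constructed sample to a temporary file and print its path, so the
# same function can later be pointed at real output:
#   netstat -tulpn > /tmp/listen.txt; exposed_listeners /tmp/listen.txt
sample_netstat_file() {
    f=$(mktemp) && printf '%s\n' "$SAMPLE_NETSTAT" > "$f" && printf '%s\n' "$f"
}

# Print "proto port program" for every listener not bound to 127.0.0.1 or ::1.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
            print $1, port, prog
        }' "$1"
}

f=$(sample_netstat_file)
exposed_listeners "$f"   # sshd, mysqld, httpd and rpcbind are exposed; master and chronyd are local only
rm -f "$f"
```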

SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux has three different modes:
Enforcing: The default mode, in which the SELinux security policy is enabled and enforced on the system, denying access and logging the actions
Permissive: SELinux is enabled but does not enforce the security policy; it only warns and logs the actions. Permissive mode is useful for troubleshooting SELinux issues
Disabled: SELinux is turned off

By default everything is denied, and we then write a policy that gives each element of the system only the access it requires to function.

In the example below SELinux has denied my MySQL process from starting.

To troubleshoot this issue I toggled the SELinux setting to Permissive. After toggling the SELinux mode, the MySQL server starts normally.

getenforce displays the current SELinux mode. We can use setenforce 0 to toggle it to Permissive.
The sealert command is used to view the alert logs.

/usr/sbin/getenforce
setenforce 0
/etc/init.d/mysqld start
sealert -a /var/log/audit/audit.log

We can either disable SELinux or create a policy that allows MySQL the access SELinux is denying. Creating the policy is recommended. Using the command below we created the policy module file mysql.te.

Create the policy module.

cat mysql.te

Manually compile and load the edited custom policy module:

checkmodule -M -m -o mysql.mod mysql.te
semodule_package -o mysql.pp -m mysql.mod
semodule -i mysql.pp

Now we can set SELinux back to Enforcing and start the MySQL process normally, since the policy module we created grants MySQL the access that was being denied.
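The added shell example below (not the post's own code) does the first step of that workflow by hand: it reduces the AVC denial lines of an audit log to distinct source/target/class/permission tuples and renders them as the allow rules a .te module would carry; the audit lines, contexts and paths it uses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): reduce the AVC denials in an
# audit log to distinct "source_type target_type class permission" tuples,
# which is what sealert and audit2allow extract before a policy module is
# written. The log lines below are constructed samples in audit.log format;
# the contexts and paths are illustrative, not taken from a real host.
LC_ALL=C; export LC_ALL

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1454300001.101:201): avc:  denied  { write } for  pid=2101 comm="mysqld" name="mysql" dev=sda1 ino=5123 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1454300001.101:201): arch=c000003e syscall=83 success=no exit=-13 comm="mysqld" exe="/usr/libexec/mysqld"
type=AVC msg=audit(1454300001.205:202): avc:  denied  { create } for  pid=2101 comm="mysqld" name="mysql.sock" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1454300001.205:203): avc:  denied  { write } for  pid=2101 comm="mysqld" name="mysql" dev=sda1 ino=5123 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1454300002.010:204): avc:  denied  { name_connect } for  pid=2250 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Write the sample to a temporary file and print its path; on a real host
# point the functions at /var/log/audit/audit.log instead.
sample_audit_file() {
    f=$(mktemp) && printf '%s\n' "$SAMPLE_AUDIT_LOG" > "$f" && printf '%s\n' "$f"
}

# Usage: summarise_avc <logfile> [comm]   (comm restricts to one process name)
summarise_avc() {
    awk -v want="${2:-}" '
        /^type=AVC / && / denied / {
            comm = perm = st = tt = tc = ""
            if (match($0, /comm="[^"]*"/))   comm = substr($0, RSTART + 6, RLENGTH - 7)
            if (want != "" && comm != want) next
            if (match($0, /[{] [^}]* [}]/))  perm = substr($0, RSTART + 2, RLENGTH - 4)
            if (match($0, /scontext=[^ ]*/)) { split(substr($0, RSTART + 9, RLENGTH - 9), a, ":"); st = a[3] }
            if (match($0, /tcontext=[^ ]*/)) { split(substr($0, RSTART + 9, RLENGTH - 9), b, ":"); tt = b[3] }
            if (match($0, /tclass=[^ ]*/))   tc = substr($0, RSTART + 7, RLENGTH - 7)
            key = st " " tt " " tc " " perm
            if (!(key in seen)) { seen[key] = 1; print key }   # report each denial once
        }' "$1"
}

# Render summary lines as the allow rules a .te module would carry. Each one
# still needs a human decision: a logged denial is not automatically legitimate.
as_allow_rules() {
    awk '{ printf "allow %s %s:%s {", $1, $2, $3; for (i = 4; i <= NF; i++) printf " %s", $i; print " };" }'
}

f=$(sample_audit_file)
summarise_avc "$f" mysqld | as_allow_rules   # the two mysqld denials; the httpd one is left out
rm -f "$f"
```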

User Password

Set password expiration. Check the password expiration of a user: the command below shows the password age of any user. In the example below the password for user dilli never expires.

chage -l dilli

Change the password age of a user with the commands below.

chage -M 60 dilli
chage -M 60 -m 7 -W 7 dilli

-M maximum number of days the password is valid
-m minimum number of days between password changes
-W number of days of warning before the password expires

In the example above the password of user dilli will expire after 60 days. Once the user changes it, he or she has to wait at least 7 days before changing the password again. User dilli gets a warning about password expiration 7 days before it expires, i.e. from the 53rd day the user starts getting a message that his or her password is about to expire.

In addition, we can set the values in the configuration file so that the setting applies to every new user created.

sudo vi /etc/login.defs
PASS_MAX_DAYS   60
PASS_MIN_DAYS   7
PASS_WARN_AGE   7

In the example above we checked the age settings for user oracle. Since user oracle was created before we changed the settings in the login.defs file, the settings do not take effect for that user. Later we created user xyz normally, and the age settings are in effect for user xyz.

Enforcing Stronger Passwords

Weak passwords are the main reason systems get hacked. Dictionary-based and brute-force attacks can be carried out against weak passwords, so it is recommended to enforce strong passwords. A strong password is a combination of upper-case, lower-case, numeric and special characters of a certain length. The PAM module pam_passwdqc.so can be used to enforce password complexity. pam_passwdqc is a simple password strength checking module for PAM.

Comment out the following line in the file /etc/pam.d/system-auth
pam_cracklib.so try_first_pass retry=3 type=

Add the pam_passwdqc setting.
vi /etc/pam.d/system-auth
password required pam_passwdqc.so min=disabled,40,10,8,6 similar=deny enforce=everyone disable_firstupper_lastdigit_check

We have 4 character classes:

  1. Upper-case character class [A-Z]
  2. Lower-case character class [a-z]
  3. Digit character class [0-9]
  4. Other character class [symbols]

min=disabled,40,10,8,6:

disabled as the first value means that a password drawn from a single character class is denied.
For example 123456789, abcdefghij and ABCDEFGHIJ are all invalid passwords.

The value 40 defines that a passphrase should be 40 characters long.

The value 8 defines that a password combining 3 of the 4 character classes is allowed if it is at least 8 characters long.
apPle3all, n!ghTsUit and nep@123l are allowed passwords.

The value 6 defines that a password combining all four character classes is allowed if it is at least 6 characters long.

enforce=everyone
defines that these rules are enforced for all users, including root.

disable_firstupper_lastdigit_check
By default, if the password begins with an upper-case letter and ends with a digit, those two characters are not counted towards the character classes. Disabling this check lets an upper-case letter at the beginning and a digit at the end count.
For example, the following passwords combine all 4 character classes and are 6 characters long, the minimum length required for that combination.
K@tHm0 is not allowed by default.
k@tH0m is allowed.

With the parameter disable_firstupper_lastdigit_check both passwords are allowed.
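As an added example (not from the original post), this POSIX shell script applies the per-class-count length thresholds of min=disabled,40,10,8,6 to a candidate password, including the first-upper/last-digit rule, and runs it over the sample passwords above. In passwdqc's min= tuple the five values are the minimum lengths for one-class, two-class, passphrase, three-class and four-class passwords; the passphrase rule and similar=deny are not modelled.

```shell
#!/bin/sh
# Added example (not from the original post): apply the character-class length
# thresholds of min=disabled,40,10,8,6 the way pam_passwdqc does. In that tuple
# the five values are the minimum lengths for one-class, two-class, passphrase,
# three-class and four-class passwords; the passphrase rule (10) and the
# similar=deny check are not modelled here.
LC_ALL=C; export LC_ALL

MIN_ONE=disabled; MIN_TWO=40; MIN_THREE=8; MIN_FOUR=6   # "disabled" = never accepted

# Count the character classes in $1. As in passwdqc, an upper-case letter in
# first position and a digit in last position do not count, unless $2 is
# "nocheck", which emulates disable_firstupper_lastdigit_check.
count_classes() {
    core=$1
    if [ "${2:-}" != nocheck ]; then
        case $1 in [A-Z]*) core=${core#?} ;; esac
        case $1 in *[0-9]) core=${core%?} ;; esac
    fi
    n=0
    case $core in *[a-z]*) n=$((n + 1)) ;; esac
    case $core in *[A-Z]*) n=$((n + 1)) ;; esac
    case $core in *[0-9]*) n=$((n + 1)) ;; esac
    case $core in *[!A-Za-z0-9]*) n=$((n + 1)) ;; esac   # symbols and other characters
    echo "$n"
}

# Accept (return 0) or reject (return 1) password $1, printing the reason.
check_password() {
    len=${#1}
    classes=$(count_classes "$1" "${2:-}")
    case $classes in
        2) min=$MIN_TWO ;;  3) min=$MIN_THREE ;;  4) min=$MIN_FOUR ;;  *) min=$MIN_ONE ;;
    esac
    if [ "$min" = disabled ]; then
        echo "reject: $classes character class(es), never accepted"; return 1
    elif [ "$len" -lt "$min" ]; then
        echo "reject: $classes classes need at least $min characters, got $len"; return 1
    fi
    echo "accept: $classes classes, length $len"
}

# The post's own samples: apPle3all and k@tH0m pass, 123456789 and K@tHm0 fail,
# and K@tHm0 passes once the first-upper/last-digit check is disabled.
for pw in apPle3all 123456789 'k@tH0m' 'K@tHm0'; do
    printf '%-10s ' "$pw"; check_password "$pw" || :
done
printf '%-10s ' 'K@tHm0'; check_password 'K@tHm0' nocheck
```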

The best part of this module is that it displays proper information while the password is being changed. Reading that message carefully helps a lot.

Checking accounts for an empty password

Any account that has a blank password is open to login. This is a big threat on a Linux system, and one that is easily preventable. A hacker could use it to set up a fake account that has root privileges through sudo; then, whenever they need access to your system, they log on through the fake account and never have to remember a password.

List users with a blank password using the command below.

sudo awk -F: '($2 == "") { print $1 }' /etc/shadow

We can set a password for such users, or delete them if they are not required.

echo "new_password1" | sudo passwd xyz --stdin
echo "new_password1" | sudo passwd user1 --stdin

Verify again that no user with a blank password remains.

sudo awk -F: '($2 == "") { print $1 }' /etc/shadow
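The added shell example below (not the post's own code) runs both checks from this section and from the password-aging section above over a constructed shadow-format sample: it lists accounts with an empty password field, lists accounts whose maximum password age exceeds the 60-day limit set earlier, and prints the matching chage commands; the account names and hashes in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shadow-format file for
# the two conditions discussed above, accounts with an empty password field
# and accounts whose maximum password age exceeds the login.defs/chage limit
# (an empty or 99999 max-days field means the password never expires). The
# lines below are a constructed sample; the hashes are not real.
LC_ALL=C; export LC_ALL

# name:hash:lastchange:min:max:warn:inactive:expire:  (the /etc/shadow layout)
SAMPLE_SHADOW='root:$6$saltsalt$fakehash:16832:0:99999:7:::
dilli:$6$saltsalt$fakehash:16832:7:60:7:::
oracle:$6$saltsalt$fakehash:16500:0:99999:7:::
xyz:!!:16832:7:60:7:::
user1::16832:0:99999:7:::
svc_backup:*:16832::::::'

# Write the sample to a temporary file and print its path; on a real host run
# the functions as root against /etc/shadow itself.
sample_shadow_file() {
    f=$(mktemp) && printf '%s\n' "$SAMPLE_SHADOW" > "$f" && printf '%s\n' "$f"
}

# Accounts whose password field is empty: anyone can log in as them.
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Usage: accounts_exceeding_max_age <shadowfile> <days>
# Accounts with a usable password (not empty, not locked with ! or *) whose
# max-days field is empty or larger than <days>; 99999 is the default "never".
accounts_exceeding_max_age() {
    awk -F: -v lim="$2" '$2 != "" && $2 !~ /^[*!]/ && ($5 == "" || $5 + 0 > lim + 0) { print $1 }' "$1"
}

# Print (do not run) the chage command from the post for each such account,
# since login.defs only affects users created after it was changed.
chage_commands() {
    accounts_exceeding_max_age "$1" "$2" | while read -r user; do
        printf 'chage -M %s -m 7 -W 7 %s\n' "$2" "$user"
    done
}

f=$(sample_shadow_file)
echo "blank password:"; blank_password_accounts "$f"          # user1
echo "max age over 60:"; accounts_exceeding_max_age "$f" 60   # root, oracle
chage_commands "$f" 60
rm -f "$f"
```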
