
Five Easy Ways to Secure Your Linux System

When it comes to system security, there's no single correct solution. But with vigilance and these techniques, you will be five steps closer.

On the heels of last week’s entry on using DenyHosts, and Nikto the week before that, I thought it appropriate to continue in the security vein with five more simple techniques that you can use to protect your systems. These include using account locking, limiting cron use, using DENY access to services, refusing root SSH logins and changing SSHD’s default port.

There’s no excuse to run insecure systems on your network. Your data’s integrity (and your job) depend on your ability to keep those systems running correctly and securely for your co-workers and customers. Shown here are five simple techniques to make your systems less vulnerable to compromise.

Account Locking

Account locking after multiple failed tries puts an extra burden on the system administrators, but it also puts some responsibility on the user to remember his passwords. Additionally, locking allows the administrator to track the accounts that have potential hack attempts against them and to notify those users to use very strong passwords.

Typically, a system will drop your connection after three unsuccessful attempts to log in, but you may reconnect and try again. By allowing an infinite number of failed attempts, you’re compromising your system’s security. Smart system administrators can take the following measure to stop this threat: lock the account after a set number of attempts. My preference is to set that limit to three.

Add the following lines to your system’s /etc/pam.d/system-auth file.

auth    required   /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required   /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset

Your distribution might not include the system-auth file and may instead use the /etc/pam.d/login file for these entries.

Cron Restriction

On multiuser systems, you should restrict cron and at to root only. If other users must have access to scheduling, add them individually to the /etc/cron.allow and /etc/at.allow files. If you choose to create these files and add user accounts into them, you also need to create /etc/cron.deny and /etc/at.deny files. You can leave them empty but they need to exist. Don’t create an empty /etc/cron.deny unless you add entries to the /etc/cron.allow because doing so allows global access to cron. Same goes for at.

To use the allow files, create them in the /etc directory and add one user per line to the file. The root user should have an entry in both allow files. Doing this restricts cron to the root user only.

As the system administrator, you can allow or deny cron and at usage based upon the user’s knowledge and responsibility levels.
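
The allow/deny decision described in this section, written out as a check you can run against a scratch copy of the files. This is an added example, not code from the original article; the `cron_access` function and its ROOT parameter are hypothetical names, and root is treated like any other user, in line with the advice above to list root explicitly.

```sh
#!/bin/sh
# Added example, not from the article. ROOT is a hypothetical parameter that
# points the check at a scratch tree instead of the live /etc.
cron_access() {                   # cron_access ROOT USER
    allow="$1/etc/cron.allow"
    deny="$1/etc/cron.deny"
    if [ -f "$allow" ]; then
        # cron.allow exists: only users listed in it may schedule jobs.
        if grep -qxF -- "$2" "$allow"; then echo allowed; else echo denied; fi
    elif [ -f "$deny" ]; then
        # Only cron.deny exists: every user not listed in it may schedule jobs.
        if grep -qxF -- "$2" "$deny"; then echo denied; else echo allowed; fi
    else
        # Neither file exists: the result depends on the cron implementation.
        echo site-default
    fi
}

# Constructed sample tree: root and alice are the only users allowed to schedule.
demo=$(mktemp -d) && mkdir -p "$demo/etc"
printf 'root\nalice\n' > "$demo/etc/cron.allow"
: > "$demo/etc/cron.deny"
cron_access "$demo" alice
cron_access "$demo" bob
# The failure mode the article warns about: an empty cron.deny with no
# cron.allow beside it leaves cron open to every account.
rm "$demo/etc/cron.allow"
cron_access "$demo" bob
rm -rf "$demo"
```

The same logic applies to at with /etc/at.allow and /etc/at.deny.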

Deny, Deny, Deny

“Deny everything” sounds eerily Presidential, doesn’t it? But for system security and certain political indiscretions, it’s the right answer. System security experts recommend denying all services for all hosts using an all-encompassing deny rule in the /etc/hosts.deny file. The following simple entry (ALL: ALL) gives you the security blanket you need.

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

ALL: ALL

Edit the /etc/hosts.allow file and insert the network addresses (192.168.1., for example) that you and your users connect from before you log out, or you’ll have to log in via the console to correct the problem. Insert entries similar to the following to allow access for an entire network, single host or domain. You can add as many exceptions as you need. The /etc/hosts.allow file takes precedence over the /etc/hosts.deny to process your exceptions.
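
To test a hosts.allow before logging out, the following added example (not part of the original article) models the lookup order in simplified form: hosts.allow first, then hosts.deny, otherwise access is granted. The function names, addresses and example.com are placeholders, and only ALL, network prefixes, domain suffixes and exact hosts are handled.

```sh
#!/bin/sh
# Added example, not from the article: simplified model of the tcpd lookup.
# Real tcpd supports more pattern types than the four handled here.
rule_hits() {                     # rule_hits FILE DAEMON CLIENT
    [ -f "$1" ] || return 1
    while IFS=: read -r daemons clients rest; do
        case $daemons in ''|'#'*) continue ;; esac
        hit=no
        for d in $daemons; do
            case $d in ALL|"$2") hit=yes ;; esac
        done
        [ "$hit" = yes ] || continue
        for c in $clients; do
            case $c in
                ALL) return 0 ;;
                *.)  case $3 in "$c"*) return 0 ;; esac ;;   # entire network
                .*)  case $3 in *"$c") return 0 ;; esac ;;   # domain
                *)   if [ "$c" = "$3" ]; then return 0; fi ;; # single host
            esac
        done
    done < "$1"
    return 1
}

wrappers_decision() {             # wrappers_decision ROOT DAEMON CLIENT
    if rule_hits "$1/etc/hosts.allow" "$2" "$3"; then echo allow
    elif rule_hits "$1/etc/hosts.deny" "$2" "$3"; then echo deny
    else echo allow               # no rule matched in either file
    fi
}

# Constructed sample files in a scratch directory standing in for /etc.
demo=$(mktemp -d) && mkdir -p "$demo/etc"
echo 'ALL: ALL' > "$demo/etc/hosts.deny"
cat > "$demo/etc/hosts.allow" <<'EOF'
# entire network, single host, domain (all values are placeholders)
sshd: 192.168.1.
ALL: 10.0.0.5
sshd: .example.com
EOF
wrappers_decision "$demo" sshd 192.168.1.20
wrappers_decision "$demo" sshd 203.0.113.9
rm -rf "$demo"
```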

Deny SSH by Root

Removing the root user’s ability to SSH provides indirect system security. Logging in as root to a system removes your ability to see who ran privileged commands on your systems. All users should SSH to a system using their standard user accounts and then issue su or sudo commands for proper tracking via system logs.

Open the /etc/ssh/sshd_config file with your favorite editor and change PermitRootLogin yes to PermitRootLogin no and restart the ssh service to accept the change.

Change the Default Port

While changing the default SSH port (22) will have limited effectiveness in a full port sweep, it will thwart those who focus on specific or traditional service ports. Some sources suggest changing the default port to a number greater than 1024, for example: 2022, 9922 or something more random, such as 2345. If you’re going to use this method as one of your strategies, I suggest that you use a port that doesn’t include the number 22.

Edit your /etc/ssh/sshd_config and change the “Port” parameter to your preferred port number. Uncomment the Port line too. Restart the sshd service when you’re finished and inform your users of the change. Update any applicable firewall rules to reflect the change too.
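
A check for both sshd_config changes from the last two sections, including the case where the Port line was edited but left commented out. This is an added example, not code from the original article; `sshd_values` and `audit_sshd` are hypothetical names, and the fallback value `yes` for PermitRootLogin is an assumption that matches older OpenSSH releases.

```sh
#!/bin/sh
# Added example, not from the article. Prints every uncommented value of
# KEYWORD that appears before the first Match block, or DEFAULT if none.
sshd_values() {                   # sshd_values FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/                  { next }   # "#Port 2345" has no effect
        tolower($1) == "match"      { exit }   # conditional blocks are out of scope
        tolower($1) == tolower(key) { print $2; n++ }
        END { if (!n) print def }
    ' "$1"
}

audit_sshd() {                    # audit_sshd FILE -> one finding per line
    # sshd uses the first value it reads for PermitRootLogin.
    # The fallback "yes" is an assumption (older OpenSSH default).
    root=$(sshd_values "$1" PermitRootLogin yes | head -n 1)
    [ "$root" = no ] || echo "PermitRootLogin is $root, expected no"
    # Port may be given more than once; sshd listens on every listed port.
    for port in $(sshd_values "$1" Port 22); do
        case $port in
            22)   echo "Port 22 (default) is in use" ;;
            *22*) echo "Port $port contains 22" ;;
        esac
    done
}

# Constructed sample: the Port line was changed but never uncommented.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 2345
PermitRootLogin yes
EOF
audit_sshd "$demo"
rm -f "$demo"
```

On a live system, `sshd -T` prints the effective configuration after defaults are applied, which is the authoritative answer.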

System security is important and is a constant battle. You have to maintain patch levels, apply updates and constantly plug newly discovered security holes in system services. As long as there are black-hat-wearing malcontents lurking on the Net looking for victims, you’ll have a job keeping those wannabe perpetrators at bay.
