dcsimg

Five Easy Ways to Secure Your Linux System

When it comes to system security, there's no single correct solution. But with vigilance and these techniques, you will be five steps closer.

On the heels of last week’s entry on using DenyHosts, and Nikto the week before that; I thought it appropriate to continue in the security vein with five more simple techniques that you can use to protect your systems. These include using account locking, limiting cron use, using DENY access to services, refusing root SSH logins and changing SSHD’s default port.

There’s no excuse to run insecure systems on your network. Your data’s integrity (and your job) depend on your ability to keep those systems running correctly and securely for your co-workers and customers. Shown here are five simple techniques to make your systems less vulnerable to compromise.

Account Locking

Account locking for multiple failed tries puts extra burden on the system administrators but it also puts some responsibility on the user to remember his passwords. Additionally, locking allows the administrator to track the accounts that have potential hack attempts against them and to notify those users to use very strong passwords.

Typically, a system will drop your connection after three unsuccessful attempts to login but you may reconnect and try again. By allowing an infinite number of failed attempts, you’re compromising your system’s security. Smart system administrators can take the following measure to stop this threat: Account lockout after a set number of attempts. My preference is to set that limit to three.

Add the following lines to your system’s /etc/pam.d/system-auth file.

auth    required   /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required   /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset

Your distribution might not include the system-auth file but instead uses the /etc/pam.d/login file for these entries.

Cron Restriction

On multiuser systems, you should restrict cron and at to root only. If other users must have access to scheduling, add them individually to the /etc/cron.allow and /etc/at.allow files. If you choose to create these files and add user accounts into them, you also need to create /etc/cron.deny and /etc/at.deny files. You can leave them empty but they need to exist. Don’t create an empty /etc/cron.deny unless you add entries to the /etc/cron.allow because doing so allows global access to cron. Same goes for at.

To use the allow files, create them in the /etc directory and add one user per line to the file. The root user should have an entry in both allow files. Doing this restricts cron to the root user only.

As the system administrator, you can allow or deny cron and at usage based upon the user’s knowledge and responsibility levels.

Deny, Deny, Deny

“Deny everything” sounds eerily Presidential doesn’t it? But for system security and certain political indiscretions, it’s the right answer. System security experts recommend denying all services for all hosts using an all encompassing deny rule in the /etc/hosts.deny file. The following simple entry (ALL: ALL) gives you the security blanket you need.

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

ALL: ALL

Edit the /etc/hosts.allow file and insert your network addresses (192.168.1., for example) where you and your users connect from before you logout or you’ll have to login via the console to correct the problem. Insert entries similar to the following to allow access for an entire network, single host or domain. You can add as many exceptions as you need. The /etc/hosts.allow file takes precedence over the /etc/hosts.deny to process your exceptions.

Deny SSH by Root

Removing the root user’s ability to SSH provides indirect system security. Logging in as root to a system removes your ability to see who ran privileged commands on your systems. All users should SSH to a system using their standard user accounts and then issue su or sudo commands for proper tracking via system logs.

Open the /etc/ssh/sshd_config file with your favorite editor and change PermitRootLogin yes to PermitRootLogin no and restart the ssh service to accept the change.

Change the Default Port

While changing the default SSH port (22) will have limited effectiveness in a full port sweep, it will thwart those who focus on specific or traditional service ports. Some sources suggest changing the default port to a number greater than 1024, for example: 2022, 9922 or something more random, such as 2345. If you’re going to use this method as one of your strategies, I suggest that you use a port that doesn’t include the number 22.

Edit your /etc/ssh/sshd_config and change the “Port” parameter to your preferred port number. Uncomment the Port line too. Restart the sshd service when you’re finished and inform your users of the change. Update any applicable firewall rules to reflect the change too.

System security is important and is a constant battle. You have to maintain patch levels, updates and constantly plug newly discovered security holes in system services. As long as there are black hat wearing malcontents lurking the Net looking for victims, you’ll have a job keeping those wannabe perpetrators at bay.

Comments on "Five Easy Ways to Secure Your Linux System"

grdetil

\”On multiuser systems, you should restrict cron and at to root only.\” You don\’t elaborate on the reason for this, as though the security risk in allowing non-root users access to cron or at is common knowledge. This is news to me. Could you provide more info or a relevant reference?

Reply
dragonwisard

I think he\’s going for the \”disabled by default\” approach. Although cron and at are relatively mundane to make such a fuss about. If a user even knows they exist, they probably meet the criteria for \”based upon the user’s knowledge and responsibility levels.\”

If you allow long-running background process (screen) they can achieve the same results with some trivial shell coding.

Reply
sandholm

I don\’t agree with the root ssh lockout suggestion. During a crisis situation you need to be able to get into a system as root very quickly. Support can\’t fumble around with su & looking up passwords for the root account. We manage a medium sized data center (approx 150 to 200 systems), and have exchanged root public keys from the bastion to all the remote systems. To improve security and reduce risk, we use the /etc/security/access.conf file and limit root ssh login to just a couple of machines; only systems the support staff have access to (the bastion). Our current monitoring scripts rely on remote root access, and by locking out root ssh, that would break all our monitoring. It\’s not perfect, but to manage a few hundred systems in batch, it\’s necessary.

Reply
jpforte

Ha Ha, three strike. I had a junior admin who tried that once. We just kept trying to login to his account until it locked for days. Then he decided that 99 was a better number. A DOS attack on a system could be done by just attempting logins a few times.

Reply
khess

If you work in a large environment, like I do (thousands of servers), account lockout after 6 tries and no root SSH is the norm. So is disabled CRON and AT for normal users.

Reply
ffej01

I left my ssh port open for just a few days, to see what traffic I would get…what a mistake !!! 84 pages of security log in violations recorded. Most were from China, Brazil, and Hungary….Oh and a middle school in Japan. It was amazing to see the user names that they tried.

I use Denyhost since then, and think that my server is bored now. hehehehe.

Reply
jobst

Saying \”don\’t login as root\” is silly and useless paranoid. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You\’d get your password spoofed but not root\’s pw. Gimme a break …. this is 2010 – We have ssh 4.8, used properly it\’s secure. Used improperly NONE of the OTHER security settings of the machine will make a damn bit of difference.
Use \”Protocol 2\”, \”AllowUsers root blah1 blah2\”, \”ClientAliveInterval 300\”, \”IgnoreRhosts yes\”, \”HostbasedAuthentication no\”, use TCPWRAPPERS, use Public Key Based Authentication ONLY, \”PermitEmptyPasswords no\”, limit access from a small range of IP addresses ONLY and a few more things and ssh is secure and you can enjoy simple access to other machines and do your job, simply.
I do not want to create another \”windows X\” environment where it is difficult to do things quickly … using ssh properly I can even be ssh\’ed into a machine, do a \”yum update sshd\”, then initiate a delayed \”sshd restart\”, logout, wait a bit and login again and run the latest ssh version on a machine that is 2000km away!

Reply
wrdieter

On blocking out users after three bad login attempts, I have to agree with jpforte that it is a great way for someone to launch a denial of service attack. DenyHosts is a better alternative because only the attacking IP is blocked. There are definitely people out there probing. At last count my /etc/hosts.deny had 883 hosts, all put there by DenyHosts.

On root logins, I prefer to disallow root ssh logins if only for audit purposes when more than one person needs to have root privileges. If someone logs in directly as root you have no idea who it was. If someone logs in as a regular user then does su or sudo, you know who it was (or at least whose remote account has been compromised). The audit is not always because you suspect someone of being malicious. It can help recover from mistakes, too.

Reply

Good riddance to Flash. wood chipper I am sick and tired to google web sites that tell, me how to install Flash Player on my Distribution X or Y.

Reply

Hi there, I found your blog by the use of Google even as looking for a comparable topic, your website came up, it appears great. I have bookmarked it in my google bookmarks.

Reply

Appreciating the persistence you put into your site and detailed information you provide.

It’s awesome to come across a blog every once in a while that isn’t the same
unwanted rehashed material. Excellent read! I’ve bookmarked your site and I’m including your RSS feeds to my
Google account.

Reply

Truly when someone doesn’t understand afterward its up to other users that they will help, so here it occurs.

Reply

JOBST – Saying \”don\’t login as root\” is silly and useless paranoid.
Hm, I guess you don’t have to contend with Price Waterhouse at your Fortune 100 company.

Reply

Thank you for the good writeup. It in reality used to be a entertainment account it. Glance complex to more delivered agreeable from you! However, how could we keep up a correspondence?

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>