Click here to close now.

Welcome!

Linux Authors: Elizabeth White, Carmen Gonzalez, Pat Romanski, Louis Evans, Jason Bloomberg

Related Topics: Linux, Security

Linux: Blog Feed Post

Linux: Secure as a Brick

Best practices I’ve learned over the years

People who are familiar with me know that there are two things I’m not forgiving about. The first is backups, the second is security.

If backups interest you, perhaps we can discuss it some other time. This time we’re going to discuss security.

I’m going to outline in the following article some of the best practices I’ve learned along the years and help you “almost brick up, but not just yet” or “harden” your Linux server.

While reading this article, however, I suggest also reading this article as well. As we both try to tackle the same issues. I believe both articles eventually represent the same views in a different guise.

All of the ideas I’m coming up with are already implemented in shk. I suggest downloading shk, reviewing the code and using it.

Security
Do you know what is secure? – a brick.

Yes, but a brick is not functional.

When I’m trying to build a secure system, I’m using the same concepts as if I’d like to secure my house.

Yes, a house is functional.

Where Is Your Front Door?
Is the front door of your house in a conventional place? – if it is it does make it easier not only for you, but also for everybody else to enter.

Imagine the door to your house would be placed 30 meters away from the house and you’d have to remove leaves and branches over a floor door, unlock it, open it, crawl 30 meters to your house, open  and unlock the house’s main door, and only then you’ll be at home.

I bet such an entrance would surprise any potential burglar.

So what’s your door for accessing your machine?

Yes, it’s usually SSH. If it’s telnet, rsh, or any other unencrypted protocol, you live in the 1970s, please update yourself, together with your haircut.

SSH on port 22 would usually get knocked quite a lot, be it bots, or kiddies, trying to see what’s in.

Don’t believe me? – run:

 # lastb 

It’ll list all the incorrect login attempts which would usually be via SSH attempts.

How do we dig the trench away from the house and install the neat floor door? – simply move SSH to a different port. It’ll fend off most of the scanning attempts.

Port knocking can add some extra security here, but I believe that port knocking also requires you to walk around with a crowbar on a daily basis – as port knocking more or less means you keep the floor door jammed – and only the correct crowbar would open it.

Since I’m not Gordon Freeman – I’m not wandering around with a crowbar and do not use port knocking.

Who Has the Key?
With SSH moved to a different port, you should ask yourself if your door is really secure.

Is your root password strong? Honestly?

And other users on the system? Do they have a secure password? Does it matter?

After you’ve reset the root password to something which is really strong, it’s time to enforce SSH to allow only the root user.

This more or less means that even if you gave your neighbor the key to your house – in order to feed the cat – she wouldn’t be able to do it. Yes, your cat might get a bit hungry, but your house will stay in tact and the and cats usually tent to find a solution when it comes to food…

And the Windows?
You’ve just installed a super-secure door, but what about your windows? Have you left any of these unbarred? Redundant?

A redundant window might be a NFS service which runs for no reason at all on your server.

On the other hand, an unbarred window might be a HTTP service which is supposed to be exposed only internally.

It is highly recommended to instantly remove services and packages you don’t use and brick these windows up.

You can use:

 # netstat -pan | grep “\bLISTEN\b” 

This will list the services that are waiting for connections.

Install bars on the unbarred windows, in other words – use a firewall. If your HTTP service is supposed to be used only internally – seal it with a firewall.

Generally speaking, it should be easy for you – the SysAdmin – to easily know which ports of a system should be exposed externally. The rest of the ports you should lock down.

And When Someone Got In?
If someone got into your house, even if it’s dark – he can always use a headlamp and pick up whatever he wants to. If someone hacked into your system and got regular user privileges – usually it’ll be super easy for him to gain root access.

Hence, it doesn’t matter if you login as a regular user and than ‘su -’ or ‘sudo’ to root, it’s all the same. I prefer to just login as root and no other user. It’ll also make you treat things more seriously.

I also don’t bother to remove useful utilities for day-to-day use. I want my systems to be comfortable for me to maintain. I can’t be bothered if comfortability for me means comfortability also for potential attackers. Once they got in they’ll be as comfortable whether there is a sofa in the living room or not.

And I do want the sofa in the living room.

Bring It On!
Lock your house – then let your friends hack in.

Security audits are invaluable and should be carried out quite often. Whether by automatic tools such as Monitis or by colleagues.

Monitis Monitoring Platform

If you never try to hack in – you’ll never know how hard it is for an attacker.

When a system is properly secure – it’s hard also for you to hack in. And if it’s hard for you – an attacker would usually find it at least twice as hard, even if he is experienced.. A random attacker has much less information and knowledge as to how your system is built, comparing to you.

A Crack in a Wall
Cracks in a wall can cause the whole wall to collapse, rendering your defenses useless.

A crack in the wall can come in the shape of an outdated apache server – with a recent exploit on the wild.

Another crack in the wall could be a 3rd party piece of software you can’t audit – but must expose to the outside world. Be extra cautious with these.

Sending your root password in plain text emails is highly discouraged just as well for the same reasons.

Aftermath
Got hacked?

In real life we will not burn a house that was broken into, but if you did get hacked, assess the situation. In 99% of the cases I would suggest to reinstall the machine freshly. The reason for that is that an attacker could install numerous back doors and it might take you ages to find them.

Reinstalling is a big headache if your system is not setup properly, or if you don’t have proper backups.

But do trust me – in the long run, it is highly recommended to avoid future problems.

Unbreakable?
If you have a house, people can break into it. Period.

Do trust me though, that usually, if you’ve decided to place your door in a non-trivial place, the casual attacker/burglar will just decide to bother the next server/house.

Carry out the rest of the defenses that are outlined here and you are more than good to go.

It sounds very simplistic, I know. But if there’s something ironic I’ve seen in life is an uber-extra-comprehensive  firewall setup on an extremely secure system, and a login of admin/123456 that caused everything to collapse.

shk
shk
will help you do the tasks I’ve outlined through this article. Tasks such as:

  • Firewall configuration
  • Altering SSH configuration
  • Setting sysctl parameters
  • Disabling services
  • Removing packages

shk is written purely in Bash and is supposed to work on most Redhat and Debian systems.

The default configuration is a bit forgiving, feel free to play with it as much as you need.

shk is free – I’d be more than happy to receive contributions and suggestions for improvement.

Read the original blog entry...

More Stories By Hovhannes Avoyan

Hovhannes Avoyan is the CEO of Monitis, Inc., a provider of on-demand systems management and monitoring software to 50,000 users spanning small businesses and Fortune 500 companies.

Prior to Monitis, he served as General Manager and Director of Development at prominent web portal Lycos Europe, where he grew the Lycos Armenia group from 30 people to over 200, making it the company's largest development center. Prior to Lycos, Avoyan was VP of Technology at Brience, Inc. (based in San Francisco and acquired by Syniverse), which delivered mobile internet content solutions to companies like Cisco, Ingram Micro, Washington Mutual, Wyndham Hotels , T-Mobile , and CNN. Prior to that, he served as the founder and CEO of CEDIT ltd., which was acquired by Brience. A 24 year veteran of the software industry, he also runs Sourcio cjsc, an IT consulting company and startup incubator specializing in web 2.0 products and open-source technologies.

Hovhannes is a senior lecturer at the American Univeristy of Armenia and has been a visiting lecturer at San Francisco State University. He is a graduate of Bertelsmann University.

@ThingsExpo Stories
SYS-CON Events announced today that ActiveState, the leading independent Cloud Foundry and Docker-based PaaS provider, has been named “Silver Sponsor” of SYS-CON's DevOps Summit New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. ActiveState believes that enterprises gain a competitive advantage when they are able to quickly create, deploy and efficiently manage software solutions that immediately create business value, but they face many challenges that prevent them from doing so. The Company is uniquely positioned to help address these challenges thro...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
SYS-CON Events announced today that Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® and DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo® and DevOps Summit 2015 Silicon Valley, which will take place November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that kintone has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. kintone promotes cloud-based workgroup productivity, transparency and profitability with a seamless collaboration space, build your own business application (BYOA) platform, and workflow automation system.
SYS-CON Events announced today that Akana, formerly SOA Software, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Akana’s comprehensive suite of API Management, API Security, Integrated SOA Governance, and Cloud Integration solutions helps businesses accelerate digital transformation by securely extending their reach across multiple channels – mobile, cloud and Internet of Things. Akana enables enterprises to share data as APIs, connect and integrate applications, drive part...
SYS-CON Events announced today that CommVault has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. A singular vision – a belief in a better way to address current and future data management needs – guides CommVault in the development of Singular Information Management® solutions for high-performance data protection, universal availability and sim...
SYS-CON Events announced today that SafeLogic has been named “Bag Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SafeLogic provides security products for applications in mobile and server/appliance environments. SafeLogic’s flagship product CryptoComply is a FIPS 140-2 validated cryptographic engine designed to secure data on servers, workstations, appliances, mobile devices, and in the Cloud.
SYS-CON Events announced today that StorPool Storage will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. StorPool is distributed storage software that allows service providers, enterprises and other cloud builders to run data storage on standard x86 servers, instead of using expensive and inefficient storage arrays (SAN).
SYS-CON Events announced today that Site24x7, the cloud infrastructure monitoring service, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Site24x7 is a cloud infrastructure monitoring service that helps monitor the uptime and performance of websites, online applications, servers, mobile websites and custom APIs. The monitoring is done from 50+ locations across the world and from various wireless carriers, thus providing a global perspective of the end-user experience. Site24x7 supports monitoring H...
SYS-CON Events announced today that B2Cloud, a provider of enterprise resource planning software, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. B2cloud develops the software you need. They have the ideal tools to help you work with your clients. B2Cloud’s main solutions include AGIS – ERP, CLOHC, AGIS – Invoice, and IZUM
SYS-CON Events announced today that Intelligent Systems Services will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Established in 1994, Intelligent Systems Services Inc. is located near Washington, DC, with representatives and partners nationwide. ISS’s well-established track record is based on the continuous pursuit of excellence in designing, implementing and supporting nationwide clients’ mission-critical systems. ISS has completed many successful projects in Healthcare, Commercial, Manufacturing, ...
SYS-CON Events announced today that Vicom Computer Services, Inc., a provider of technology and service solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. They are located at booth #427. Vicom Computer Services, Inc. is a progressive leader in the technology industry for over 30 years. Headquartered in the NY Metropolitan area. Vicom provides products and services based on today’s requirements around Unified Networks, Cloud Computing strategies, Virtualization around Software defined Data Ce...
SYS-CON Events announced today that Optimal Design, an Internet of Things solution provider, will exhibit at SYS-CON's Internet of @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Optimal Design is an award winning product development firm offering industrial design and engineering services to the consumer, medical, and defense markets.
SYS-CON Events announced today that Tufin, the market-leading provider of Security Policy Orchestration Solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. As the market leader of Security Policy Orchestration, Tufin automates and accelerates network configuration changes while maintaining security and compliance. Tufin's award-winning Orchestration Suite™ gives IT organizations the power and agility to enforce security policy across complex, multi-vendor enterprise networks. With more than 1...
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY., and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides private all-in-one social intranets allowing workers to securely collaborate from anywhere in the world and from any device. Social, mobile, and easy to use. MangoApps has been named a "Market Leader" by Ovum Research and a "Cool Vendor" by Gartner...
SYS-CON Events announced today that Cloudian, Inc., the leading provider of hybrid cloud storage solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cloudian, Inc., is a Foster City, California - based software company specializing in cloud storage software. The main product is Cloudian, an Amazon S3-compliant cloud object storage platform, the bedrock of cloud computing systems, that enables cloud service providers and enterprises to build reliable, affordable and scalable cloud storage solu...
SYS-CON Events announced today that Gridstore™, the leader in hyper-converged infrastructure purpose-built to optimize Microsoft workloads, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Gridstore™ is the leader in hyper-converged infrastructure purpose-built for Microsoft workloads and designed to accelerate applications in virtualized environments. Gridstore’s hyper-converged infrastructure is the industry’s first all flash version of HyperConverged Appliances that include both compute and storag...
SYS-CON Events announced today that Creative Business Solutions will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Creative Business Solutions is the top stocking authorized HP Renew Distributor in the U.S. Based out of Long Island, NY, Creative Business Solutions offers a one-stop shop for a diverse range of products including Proliant, Blade and Industry Standard Servers, Networking, Server Options and Care Packs. As a trusted supplier, CBS guarantees quality controlled stock levels thanks to an Auto...
How is unified communications transforming the way businesses operate? In his session at WebRTC Summit, Arvind Rangarajan, Director of Product Marketing at BroadSoft, will discuss how to extend unified communications experience outside the enterprise through WebRTC. He will also review use cases across different industry verticals. Arvind Rangarajan is Director, Product Marketing at BroadSoft. He has over 19 years of experience in the telecommunications industry in various roles such as Software Development, Product Management and Product Marketing, applied across Wireless, Unified Communic...
SYS-CON Events announced today that IDenticard will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. IDenticard™ is the security division of Brady Corp (NYSE: BRC), a $1.5 billion manufacturer of identification products. We have small-company values with the strength and stability of a major corporation. IDenticard offers local sales, support and service to our customers across the United States and Canada. Our partner network encompasses some 300 of the world's leading systems integrators and security s...