Basic Steps to make Linux machine secure
  • Basic Steps to make Linux machine secure

    Securing a Linux server is important to protect your data, intellectual property, and time from the hands of crackers (hackers). Following these guidelines will help reduce your chance of compromise.

    1: Pick a good, supported operating system

    2: Physical System Security

    Configure the BIOS to disable booting from CD/DVD, external devices and the floppy drive. Enable a BIOS password and also protect GRUB with a password to restrict physical access to our system.

    3: Disk Partitions

    Make sure you have the following separate partitions, and make sure that third-party applications are installed on a separate file system under /opt.

    /
    /boot
    /usr
    /var
    /home
    /tmp
    /opt


    4: Avoid Using FTP, Telnet, And Rlogin / Rsh Services

    Use OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP.

    5: Minimize Software to Minimize Vulnerability

    Use the RPM package manager such as yum, or apt-get and/or dpkg, to review the full set of software packages installed on a system. Delete all unwanted packages.

    6: Check Listening Network Ports

    The 'netstat' networking command can show all open ports and the associated programs. Use the 'chkconfig' command to disable all unwanted network services on the system.

    7: Use Secure Shell(SSH)

    SSH is a secure protocol that uses encryption during communication with the server.
    Change the default SSH port number, 22, to some other higher port number.

    8: Keep Linux Kernel and Software Up to Date

    All security updates should be reviewed and applied. Use the RPM package manager such as yum and/or apt-get and/or dpkg to apply all security updates.

    9: Disable USB Stick Detection

    We want to restrict users from using USB sticks in our systems to protect data from being stolen. Create a file '/etc/modprobe.d/no-usb' and add the line below, so that USB storage is not detected:

    install usb-storage /bin/true

    10: Turn on SELinux

    Security-Enhanced Linux (SELinux) is a compulsory access control security mechanism provided in the kernel.

    SELinux provides three basic modes of operation:

    Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.

    Permissive: In this mode, SELinux will not enforce the security policy on the system; it only warns and logs actions. This mode is very useful for troubleshooting SELinux-related issues.

    Disabled: SELinux is turned off.

    11: User Accounts and Strong Password Policy

    Use the useradd / usermod commands to create and maintain user accounts. Also have a good, strong password policy (at least 12 characters long, with a mixture of letters, numbers, special characters, and upper- and lower-case letters, etc.).


    12: Enable Iptables (Firewall)

    Enable the Linux firewall to secure our servers against unauthorised access. Apply rules in iptables to filter incoming, outgoing and forwarded packets.

    13: Review Logs Regularly

    Common default Linux log file names and their usage:
    /var/log/message – Where whole system logs or current activity logs are available.
    /var/log/auth.log – Authentication logs.
    /var/log/kern.log – Kernel logs.
    /var/log/cron.log – Crond logs (cron job).
    /var/log/maillog – Mail server logs.
    /var/log/boot.log – System boot log.
    /var/log/mysqld.log – MySQL database server log file.
    /var/log/secure – Authentication log.
    /var/log/utmp or /var/log/wtmp – Login records.
    /var/log/yum.log – Yum log file.

    14: Important file Backup

    It is necessary to back up important files and keep them in a safe vault, at a remote site or offsite, for disaster recovery.

    15: Keep /boot as read-only

    The Linux kernel and its related files are in the /boot directory, which is read-write by default. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open the "/etc/fstab" file.
    Last edited by Pratheesh; 1st December 2014, 05:51 AM.
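The following script is an added example and is not part of the original post. It audits several of the settings listed above (steps 6, 7, 9, 10 and 15) without changing anything. Each check takes the path of the file or directory it reads, so it can be run against copies of real configs or against constructed samples; the live-system paths in audit_system are the usual defaults and are an assumption. Two caveats the post does not mention: current modprobe only reads files ending in .conf under /etc/modprobe.d, so a file named "no-usb" with no extension is silently ignored (the check below deliberately looks at *.conf only), and sshd keeps the first value it reads for a keyword, so a "Port" line that appears after an earlier one, or inside a Match block, is not the effective port.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline audit of several of
# the settings listed in steps 6, 7, 9, 10 and 15. Every check takes the path
# of the file or directory it reads, so it can be run against copies of real
# configs or against constructed samples. POSIX sh, awk and grep only.

# Step 15: how does fstab mount /boot? Prints "ro", "rw" or "absent".
# Assumes the usual fstab layout: device mountpoint fstype options dump pass.
boot_mount_mode() {
    opts=$(awk '$1 !~ /^#/ && $2 == "/boot" { print $4; exit }' "$1")
    if [ -z "$opts" ]; then
        echo absent
    elif echo ",$opts," | grep -q ',ro,'; then
        echo ro
    else
        echo rw
    fi
}

# Step 9: is usb-storage neutralised? modprobe only reads files ending in
# .conf under /etc/modprobe.d, so a file named "no-usb" (no extension) is
# silently ignored; this check deliberately looks at *.conf only.
# Prints "blocked" or "allowed".
usb_storage_state() {
    if grep -Eqs '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)' "$1"/*.conf; then
        echo blocked
    else
        echo allowed
    fi
}

# Step 7: effective value of an sshd_config keyword. sshd keeps the FIRST
# value it reads for a keyword, and lines inside a Match block apply only to
# matching connections, so stop at the first Match. Prints nothing if the
# keyword is not set (the compiled-in default then applies).
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# Step 10: current SELinux mode, or a note if the tools are missing.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce
    else echo 'getenforce not installed (SELinux userspace absent)'
    fi
}

# Step 6: listening TCP sockets with owning process. ss is the current tool;
# netstat is kept as the fallback the post mentions. Process names for other
# users' sockets are only shown when run as root.
listening_tcp() {
    if command -v ss >/dev/null 2>&1; then ss -tlnp
    elif command -v netstat >/dev/null 2>&1; then netstat -tlnp
    else echo 'neither ss nor netstat found'
    fi
}

# Run all checks against the live system (paths are the usual defaults).
audit_system() {
    port=$(sshd_effective /etc/ssh/sshd_config Port)
    prl=$(sshd_effective /etc/ssh/sshd_config PermitRootLogin)
    printf '/boot in fstab:   %s\n' "$(boot_mount_mode /etc/fstab)"
    printf 'usb-storage:      %s\n' "$(usb_storage_state /etc/modprobe.d)"
    printf 'sshd Port:        %s\n' "${port:-22 (default)}"
    printf 'PermitRootLogin:  %s\n' "${prl:-not set (OpenSSH 7.0+ default: prohibit-password)}"
    printf 'SELinux mode:     %s\n' "$(selinux_mode)"
    echo 'Listening TCP sockets:'
    listening_tcp
}

# Only touch the live system when asked, e.g.:  sh audit.sh --system
case "${1:-}" in
    --system) audit_system ;;
esac
```

Run it as root with `sh audit.sh --system` to see process names for every socket. For the SSH settings, `sshd -T` (run as root) prints the configuration sshd actually uses, including compiled-in defaults, and is the authoritative cross-check for what sshd_effective reports. Note that the uas module also drives USB mass storage (USB Attached SCSI) on newer hardware; blocking only usb-storage leaves that path open.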

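For step 12, the following is an added example, not the post's own configuration: a generator for an iptables-restore ruleset that drops inbound traffic by default and admits only loopback, replies to connections the host opened, ICMP echo and the TCP ports given as arguments. It assumes IPv4 only (ip6tables needs its own equivalent ruleset, or IPv6 stays wide open) and a kernel with the conntrack match, which any current kernel has.

```shell
#!/bin/sh
# Added example, not part of the original post: generate an iptables-restore
# ruleset for step 12. Inbound traffic is dropped by default; only loopback,
# replies to connections this host opened, ICMP echo and the TCP ports given
# as arguments get through. Assumptions: IPv4 only (ip6tables needs its own
# equivalent ruleset, or IPv6 stays wide open), and the conntrack match is
# available, which it is on any current kernel.
firewall_rules() {
    # Validate every port before printing anything, so a typo cannot
    # produce a half-written ruleset.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "firewall_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "firewall_rules: port out of range '$port'" >&2; return 1
        fi
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what is about to hit the INPUT DROP policy.
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Usage: firewall_rules 2222 443 > rules.v4 && iptables-restore < rules.v4
```

Apply it from the console, or keep a way back: `iptables-save > /root/rules.backup` first, then `(sleep 120; iptables-restore < /root/rules.backup) &` before loading the new rules, and kill the timer once a fresh SSH login on the new port works. To make the rules survive a reboot, write them to /etc/sysconfig/iptables on RHEL/CentOS 6 or to /etc/iptables/rules.v4 with the iptables-persistent package on Debian/Ubuntu.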
  • #2
    >>Configure the BIOS to disable booting from CD/DVD, External Devices, Floppy Drive in BIOS. Enable BIOS password & also protect GRUB with password to restrict physical access of our system.

    As we all know, we can get into GRUB mode when the server boots by pressing the F12 button, or by pressing SHIFT, the space bar or the arrow keys (it may vary between platforms). Can you describe how we can configure the BIOS to disable booting from CD/DVD and external devices, and also how we can enable a BIOS password and protect GRUB with a password?



    • #3
      Upon checking I found that we can use the 'grub-md5-crypt' command to create the encrypted password for locking GRUB, and add the encrypted password to the /boot/grub/grub.conf file to make it active. I am afraid that making changes in grub.conf may lead to some harm while rebooting the server.

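The following helpers are an added example and are not from any post in this thread. The grub-md5-crypt / /boot/grub/grub.conf workflow in #3 is GRUB Legacy (CentOS 5 and 6 era); GRUB 2, which current distributions ship, uses a different mechanism, shown second. Neither function writes to /boot: each emits the configuration text so it can be reviewed, diffed against a backup of the live file and only then copied into place, which is the answer to the worry in #3. The hash values used in the test data are constructed placeholders, not real hashes; the real ones come from grub-md5-crypt and grub-mkpasswd-pbkdf2 respectively.

```shell
#!/bin/sh
# Added example, not part of the original thread: helpers for the GRUB password
# discussed in #3. The grub-md5-crypt / /boot/grub/grub.conf workflow is
# GRUB Legacy; GRUB 2 uses a different mechanism, shown second. Neither
# function writes to /boot: each emits configuration text to stdout so it can
# be reviewed and then copied into place. Hash values in comments and tests
# are constructed placeholders, not real hashes.

# GRUB Legacy. grub-md5-crypt asks for a password interactively and prints an
# MD5-crypt hash ($1$salt$...). The "password --md5 HASH" line belongs in the
# global section, i.e. before the first "title"; on its own it only locks the
# GRUB command line and menu-entry editing. Add "lock" under an entry to also
# require the password to boot that entry. Reads grub.conf from $1, takes the
# hash as $2, writes the updated copy to stdout, replacing any existing global
# password line rather than adding a second one.
grub_legacy_add_password() {
    awk -v h="$2" '
        /^[[:space:]]*password[[:space:]]/ {
            if (!done) { print "password --md5 " h; done = 1 }
            next
        }
        !done && /^[[:space:]]*title/ { print "password --md5 " h; done = 1 }
        { print }
        END { if (!done) print "password --md5 " h }
    ' "$1"
}

# Returns 0 if the grub.conf given as $1 already has a global MD5 password line.
grub_legacy_has_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$1"
}

# GRUB 2 (RHEL/CentOS 7+, Debian/Ubuntu). grub-mkpasswd-pbkdf2
# (grub2-mkpasswd-pbkdf2 on RHEL) prints a "grub.pbkdf2.sha512.10000...." hash.
# This emits the fragment to append to /etc/grub.d/40_custom for user $1 and
# hash $2; afterwards regenerate grub.cfg (grub2-mkconfig -o /boot/grub2/grub.cfg
# on RHEL, update-grub on Debian). Caution: once "superusers" is set, every
# menu entry without --unrestricted needs the password to boot, so check the
# generated grub.cfg before rebooting an unattended server.
grub2_custom_fragment() {
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}
```

Typical use on a GRUB Legacy host: `cp /boot/grub/grub.conf /root/grub.conf.bak`, then `grub_legacy_add_password /boot/grub/grub.conf "$HASH" > /root/grub.conf.new`, inspect the diff against the backup, and copy the new file over the original. With a BIOS password and boot-device lock in place as step 2 describes, the GRUB password closes the remaining gap of editing the kernel line (for example to append `init=/bin/sh`) at the console.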