
Monday, 11 March 2013

Linux Server Hardening


For today’s computing platforms, ease of access and openness are essential for web-based communications and for lean-resourced IT management teams.
This is directly at odds with the increased need for comprehensive security measures in a world full of malware, hacking threats and would-be data thieves.
Most organizations will adopt a layered security strategy, providing as many protective measures for their IT infrastructure as are available – firewalls, sandboxes, IPS and IDS, anti-virus – but the most secure computing environments are those with a ‘ground up’ security posture.
If data doesn’t need to be stored on the public-facing Linux web server, then take it off completely – if the data isn’t there, it can’t be compromised.
If a user doesn’t need access to certain systems or parts of the network, for example where your secure Ubuntu server farm is based, then revoke their privileges to do so – they need access to systems to steal data, so stop them getting anywhere near it in the first place.
Similarly, if your CentOS server doesn’t need FTP or web services then disable or remove them. You reduce the potential vectors for security breaches every time you reduce the means of access.
To put it simply, you need to harden your Linux servers.

Linux Hardening Policy background
The beauty of Linux is that it is so accessible and freely available that it is easy to get up and running with very little training or knowledge. The web-based support community places all the tips and tutorials you’ll ever need to carry out any Linux set-up task or troubleshoot issues you may experience.
Finding and interpreting the right hardening checklist for your Linux hosts may still be a challenge so this guide gives you a concise checklist to work from, encompassing the highest priority hardening measures for a typical Linux server.

And, if you want to make life simpler…
NNT Change Tracker Enterprise provides an automated tool for auditing servers, firewalls, routers and other network devices for compliance with a full range of hardened build checklists. Once a hardened build baseline has been established, any drift from compliance with the required build standard will be reported. To enhance security protection further, Change Tracker also provides system-wide, real-time file integrity monitoring to detect any Trojan, backdoor or other malware infiltrating a secure server. Request a trial or demonstration here: www.newnettechnologies.com/enterprise-change-and-configuration-management.html

Account Policies
  • Enforce password history – 365 days
  • Maximum Password Age - 42 days
  • Minimum password length – 8 characters
  • Password Complexity - Enable
  • Account Lockout Duration - 30 minutes
  • Account Lockout Threshold – 5 attempts
  • Reset Account Lockout Counter - 30 minutes
Edit /etc/pam.d/common-password to define the password policy parameters for your host.

Access Security
  • Ensure SSH version 2 is in use
  • Disable remote root logons
  • Enable AllowGroups to permitted Group names only
  • Allow access to valid devices only
  • Restrict the number of concurrent root sessions to 1 or 2 only
Edit sshd_config to define the SSHD policy parameters for your host, and /etc/hosts.allow and /etc/hosts.deny to control access. Use /etc/securetty to restrict root logins to tty1 only, or to tty1 and tty2.

Secure Boot Only
Remove options to boot from CD or USB devices and password protect the computer to prevent the BIOS options from being edited.
Password protect the /boot/grub/menu.lst file, then remove the rescue-mode boot entry.

Disable All Unnecessary Processes, Services and Daemons
Each system is unique so it is important to review which processes and services are unnecessary for your server to run your applications.
Assess your server by running the ps -ax command to see what is currently running.
Similarly, assess the startup status of all processes by running chkconfig --list.
Disable any unnecessary services with sysv-rc-conf service-name off.

Restrict Permissions on Sensitive Files and Folders to root Only
Ensure the following sensitive files and programs are root executable only
  • /etc/fstab
  • /etc/passwd
  • /bin/ping
  • /usr/bin/who
  • /usr/bin/w
  • /usr/bin/locate
  • /usr/bin/whereis
  • /sbin/ifconfig
  • /bin/nano
  • /usr/bin/vi
  • /usr/bin/which
  • /usr/bin/gcc
  • /usr/bin/make
  • /usr/bin/apt-get
  • /usr/bin/aptitude
Ensure the following folders are root access only
  • /etc
  • /usr/etc
  • /bin
  • /usr/bin
  • /sbin
  • /usr/sbin
  • /tmp
  • /var/tmp
Disable SUID and SGID Binaries
Identify SUID and SGID files on the system: find / \( -perm -4000 -o -perm -2000 \) -print
Render these files safe by removing the SUID or SGID bits using chmod -s filename
You should also restrict access to all compilers on the system by adding them to a new ‘compilers’ group.
  • chgrp compilers *cc*
  • chgrp compilers *++*
  • chgrp compilers ld
  • chgrp compilers as
Once added to the group, restrict permissions using chmod 750 on each compiler binary.
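An added example (not NNT's or the post's own code) that turns three of the checklist items above into repeatable checks: the Access Security sshd_config directives, the "root executable only" file modes, and the SUID/SGID search. It assumes POSIX sh with sed, awk, grep and a find that supports -maxdepth, and builds its own constructed sample files in a temporary directory rather than touching the live system.

```shell
# Added example (not NNT's code). Assumes POSIX sh/sed/awk/grep and find -maxdepth.
# Strip comments, squeeze whitespace and lower-case the directive name, so that
# "PermitRootLogin   no  # comment" becomes "permitrootlogin no".
effective_sshd_config() {
    sed 's/#.*//' "$1" | awk 'NF { $1 = tolower($1); print }'
}
# Print one FAIL line per Access Security item the file violates; return 1 if any.
audit_sshd_config() {
    eff=$(effective_sshd_config "$1"); rc=0
    # OpenSSH 7.0+ speaks only version 2 and ignores Protocol, so only an
    # explicit value other than "2" is reported.
    if printf '%s\n' "$eff" | grep '^protocol ' | grep -qv '^protocol 2$'; then
        echo "FAIL: Protocol must be 2"; rc=1
    fi
    printf '%s\n' "$eff" | grep -q '^permitrootlogin no$' ||
        { echo "FAIL: PermitRootLogin must be no"; rc=1; }
    printf '%s\n' "$eff" | grep -q '^allowgroups [^ ]' ||
        { echo "FAIL: AllowGroups must name the permitted groups"; rc=1; }
    return $rc
}
# Print each given file that group or other can execute; return 1 if any.
audit_root_only() {
    rc=0
    for f in "$@"; do
        if [ -n "$(find "$f" -maxdepth 0 \( -perm -010 -o -perm -001 \))" ]; then
            echo "FAIL: $f is executable by group or other"; rc=1
        fi
    done
    return $rc
}
# The page's SUID/SGID search, scoped to one tree so it can run on a test copy.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}
# Constructed sample tree: a weak and a hardened sshd_config plus two "binaries".
make_samples() {
    d=$(mktemp -d)
    printf 'Protocol 2,1\nPermitRootLogin yes\n' > "$d/weak_sshd_config"
    printf 'Protocol 2\nPermitRootLogin no  # comment\nAllowGroups sshusers admins\n' \
        > "$d/hard_sshd_config"
    printf '#!/bin/sh\n' > "$d/ping"; chmod 4755 "$d/ping"   # SUID, world-executable
    printf '#!/bin/sh\n' > "$d/vi";   chmod 0700 "$d/vi"     # root-only style mode
    echo "$d"
}
d=$(make_samples)
audit_sshd_config "$d/weak_sshd_config" || echo "weak_sshd_config: non-compliant"
audit_sshd_config "$d/hard_sshd_config" && echo "hard_sshd_config: compliant"
audit_root_only "$d/ping" "$d/vi" || true
find_suid_sgid "$d"; rm -rf "$d"
```

Point audit_sshd_config at the real sshd_config and audit_root_only at the file list above to check a live host; both return non-zero on any finding, so they drop straight into a cron job or CI step.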

Implement Regular/Real-Time FIM on Sensitive Folders and Files
File integrity should be monitored for all files and folders to ensure permissions and files do not change without approval.

Configure Auditing on the Linux Server
Ensure key security events are being audited and are forwarded to your syslog or SIEM server. Edit the syslog.conf file accordingly.

General Hardening of Kernel Variables
Edit the /etc/sysctl.conf file to set all kernel variables to secure settings in order to prevent spoofing, SYN flood and DoS attacks.

Friday, 23 July 2010

The Top Ten of Server Change and Configuration Management

The concept of a Server Change and Configuration Management Policy is simple - define what 'good' IT service looks like, then maintain your Server estate in this state.
It is vitally important to keep in check all relevant server configuration settings, performance metrics and application response times that together govern the quality and consistency of the IT service levels delivered to the business.

However, while it is obvious that governing the performance and health of your servers is important, the need to ensure your servers are compliant with security and external corporate governance legislation is now equally necessary.

Corporate governance policies such as Sarbanes-Oxley (SOX), GLBA, NERC, PCI DSS, HIPAA, MiFID, SAS 70 and Basel II have all been introduced to ensure minimum levels of security and integrity are maintained for company financial information and any stored personal details of customers.
Your service desk or help desk system also has a role to play, typically forming an integral part of any ITIL Change and Configuration Management process by providing reconciliation data for any planned change to any configuration item, including servers.

The Top Ten of Server Configuration Management
1. Server Performance Management - Measure and control all parameters affecting IT Service Delivery, including configuration settings, server health and user experience
2. Server Compliance Audits - Take steps to automate the audit of your server estate in order to provide auditors with accurate details of all security and access controls for compliance with all corporate governance legislation, such as PCI DSS, SOX, GLBA, NERC, HIPAA, MiFID, SAS 70, Basel II
3. Virtualization - when virtualising servers in order to facilitate datacentre moves, service continuity provision and to reduce running costs, remember that you are also introducing another layer of configuration management at the VM Host level that must equally be audited to ensure it is compliant with corporate governance policies
4. Compare 'one server to many' and pinpoint all differences between a 'policy compliant' (i.e. 'working') server and those that aren't - all key changes and deviations will be instantly identified and reported
5. Software Inventory Management - A Configuration Management solution should cover Server inventory management, server asset management, server performance management and server configuration management
6. Server Security Management - Best practice is to limit User Accounts to the minimum and restrict access to Administrator accounts with Admin privileges, but you also need to regularly check that Server User Accounts have not been modified, added or changed
7. Server Filesystem Management - a key aspect of PCI DSS and other corporate governance policies is that core filesystem attributes have their integrity maintained; for instance, the Win32 folder should not be changed or modified and it is vital to regularly check this
8. Registry Settings - as the core repository of Server Configuration Settings, any Registry changes must be logged and analysed
9. Running Processes and Services/Service States - build a whitelist and blacklist of authorised/unauthorised processes and services, together with any mandatory 'must run' or illegal 'never run' processes and services
10. Server Application Configuration Management - Together with the Windows Server Operating System, key server applications such as SQL Server, IIS, Exchange, Active Directory and Oracle all have numerous and complex configuration settings which also need to be audited for compliance with your configuration management policy

All the above change and configuration management tasks can be automated using change and configuration management software solutions, the best of which will cover servers together with change and configuration management of your desktop PCs and all network devices such as firewalls, switches and routers.