How to secure and harden Linux | 7 topics to take care while hardening unix

March 31st, 2009 by Giridhar | Posted under Linux.


Once a Linux installation is complete and you are planning to move it to a production environment, the following are quick checks you may need to perform to harden and secure your Linux boxes. This article is written for newbies and also to remind experienced administrators of the simple steps that may go unnoticed.

Always take care of physical security

Even if a server has the latest patches and every possible hardening tip applied, if physical security is not taken care of then security as a whole is under threat. Periodically run a mock drill to verify and confirm physical security; for example, if the servers are kept at a data center, make sure no one has access to them without security identification, even if he is very familiar to the security staff.

Remove unnecessary Packages

It is a usual practice among newbies to install many software packages, thinking they may be needed later on or because a name resembles something needed for security. It is very important that servers have only the packages that are absolutely necessary, and the versions matter too: always stick to the latest stable version. Never hang around with beta versions, since they may be vulnerable.

Files/ Kernel and Filesystem security

Always avoid world write/execute permissions, and put a mechanism in place to check for them periodically.

Always use SUID and SGID very carefully.

Umask can help avoid granting world write permission by mistake. umask 002 and 022 would give newly created files the permissions rw-rw-r-- and rw-r--r-- respectively.
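The three points above (world-writable files, SUID/SGID files, and umask) can be checked with a short script. The following is an added example, not code from the original article; it verifies the umask behaviour described, scans a directory tree for world-writable and SUID/SGID entries, and runs a self-check on a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not from the original article: a small filesystem audit
# covering umask behaviour, world-writable files and SUID/SGID binaries.

# Create an empty file under the given umask and return its permission string,
# e.g. "rw-rw-r--" for umask 002 or "rw-r--r--" for umask 022.
perms_under_umask() {
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/probe" )        # umask applies to files created in the subshell
    mode=$(ls -l "$dir/probe" | cut -c2-10)  # columns 2-10 of "-rw-rw-r--"
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# World-writable regular files and directories under a path. Sticky-bit
# directories such as /tmp (mode 1777) are expected and therefore skipped.
# -xdev keeps the scan on one filesystem; drop it to cross mount points.
find_world_writable() {
    find "$1" -xdev \( -type f -o \( -type d ! -perm -1000 \) \) -perm -0002 -print 2>/dev/null
}

# SUID or SGID files under a path. Save the output as a baseline and diff it
# on a schedule; a new entry is something to explain, not ignore.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Self-check on a constructed directory tree (sample data, not a real system):
# one world-writable file, one sticky directory, one SGID file, one normal file.
# Returns "<world-writable count> <suid/sgid count>", expected "1 1".
demo_audit() {
    d=$(mktemp -d)
    mkdir "$d/sticky" && chmod 1777 "$d/sticky"
    : > "$d/open.txt" && chmod 666 "$d/open.txt"
    : > "$d/safe.txt" && chmod 644 "$d/safe.txt"
    : > "$d/sgid.bin" && chmod 2755 "$d/sgid.bin"
    ww=$(find_world_writable "$d" | wc -l | tr -d ' ')
    su=$(find_setuid "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    printf '%s %s\n' "$ww" "$su"
}

# Typical use on a live host (run as root so every directory is readable):
#   find_world_writable /      and      find_setuid /
printf 'umask 002 -> %s\n' "$(perms_under_umask 002)"
printf 'umask 022 -> %s\n' "$(perms_under_umask 022)"
printf 'self-check (world-writable suid/sgid): %s\n' "$(demo_audit)"
```

Run the two find functions against / from a cron job and diff the output against the previous run; that is the periodic check the text asks for, and any new world-writable or SUID entry shows up as a one-line change to investigate.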

The kernel should be compiled with only the necessary options and should always be updated to the latest stable version.

Password security and User Policy

Administer strong user creation and management policies; a few of them are listed below:
- Enforce stronger passwords
- Enable password aging
- Discourage password sharing
- Check for disabled and unused accounts
- Restrict SU to specific users
- Use shadow passwords
- Use Pluggable Authentication Modules (PAM)
- Enforce Quota and Limits
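Several of the items in this list (password aging, disabled and unused accounts, shadow passwords) can be audited directly from the shadow file. The script below is an added example, not part of the original article; it runs over a constructed /etc/shadow-format sample with placeholder hashes and reports accounts with an empty password, accounts whose password never expires, and locked accounts.

```shell
#!/bin/sh
# Added example, not from the original article: audit an /etc/shadow-format
# file for the password-policy problems listed above (empty passwords, no
# password aging, locked accounts). Fields are
# name:hash:lastchange:min:max:warn:inactive:expire:reserved

# Constructed sample data; the hashes are placeholders, not real hashes.
SAMPLE_SHADOW='root:$6$PLACEHOLDER:17000:0:99999:7:::
alice:$6$PLACEHOLDER:17800:1:90:7:::
bob::17000:0:99999:7:::
svc_backup:!:17000:0:99999:7:::
carol:*:17000:0:99999:7:::
dave:$6$PLACEHOLDER:16000:0:99999:7:::'

# Write the sample to a temporary file and print its path.
write_sample_shadow() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SHADOW" > "$f"
    printf '%s\n' "$f"
}

# Accounts with an empty password field: they can be used without any password.
empty_passwords() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Enabled accounts (a real hash, not ! or *) whose maximum password age is
# unset or the 99999-day default, i.e. password aging is not enforced.
never_expiring() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# Locked accounts (hash begins with ! or *). Expected for service accounts;
# anything else here may be an unused account that should be removed.
locked_accounts() { awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"; }

# Run all three checks against a file (default: /etc/shadow, readable only by root).
audit_shadow() {
    f="${1:-/etc/shadow}"
    printf 'Empty passwords:     %s\n' "$(echo $(empty_passwords "$f"))"
    printf 'No password aging:   %s\n' "$(echo $(never_expiring "$f"))"
    printf 'Locked accounts:     %s\n' "$(echo $(locked_accounts "$f"))"
}

sample=$(write_sample_shadow)
audit_shadow "$sample"
rm -f "$sample"
```

On the sample, bob has an empty password, root and dave have no password aging, and svc_backup and carol are locked. On a real host, `chage -M 90 <user>` sets a maximum password age and `passwd -l <user>` locks an account that is no longer needed.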

Network Security

Make it a regular practice to monitor your network ports. Understand exactly what each port is used for and block the suspicious ones; nmap, lsof and netstat can be used to identify the ports.
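To make "understand what each port is used for" a routine check rather than a one-off, the listening ports can be compared against an allowlist. The following is an added example, not code from the original article; it parses constructed `netstat -tln` output (the column layout of `ss` and `lsof` differs), keeps only ports bound to every interface, and reports those not on the allowlist.

```shell
#!/bin/sh
# Added example, not from the original article: find listening ports that are
# reachable from the network and flag any not on an allowlist. Input is the
# output of "netstat -tln" (the column layout of ss/lsof differs).

# Constructed sample of "netstat -tln" output, not from a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# Write the sample to a temporary file and print its path.
write_sample_netstat() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_NETSTAT" > "$f"
    printf '%s\n' "$f"
}

# Ports in LISTEN state bound to every interface (0.0.0.0, :: or *). Ports bound
# only to 127.0.0.1 are reachable from the host itself and are not reported.
exposed_ports() {
    awk '$NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*") print port
    }' "$1" | sort -n | uniq
}

# Exposed ports that are not in the space-separated allowlist, e.g. "22 443".
# Each one should be explained, then closed or firewalled. Port 6000 is the
# default X server listening port, exactly the kind of service the article
# says should not be running on a production box.
unexpected_ports() {
    file="$1"
    allow=" $2 "
    for p in $(exposed_ports "$file"); do
        case "$allow" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# On a live host: netstat -tln > /tmp/ports.txt; unexpected_ports /tmp/ports.txt "22 443"
sample=$(write_sample_netstat)
printf 'exposed:    %s\n' "$(echo $(exposed_ports "$sample"))"
printf 'unexpected: %s\n' "$(echo $(unexpected_ports "$sample" "22"))"
rm -f "$sample"
```

With the allowlist "22", the sample reports 111 (portmapper) and 6000 (X server) as unexpected; the SMTP listener on 127.0.0.1:25 is not reported because it is not reachable from the network.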

Disable X Windows; believe me, you can do all administrative activities from the command line.

Use SSH instead of telnet

Use SFTP instead of FTP

Secure your mail servers and patch them regularly. Many admins are lazy or unwilling to do this, perhaps because of the risk of working on production servers. ("Why should I patch it if it is working fine?" This is the mindset we need to change. Read the release notes for each patch, understand them, and act on them.)

Write your firewall rules, read them, rewrite them.

http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html
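One way to follow "write, read, rewrite" is to generate the ruleset to a file in iptables-restore format and review it before applying anything. The script below is an added example, not from the original article or the linked HOWTO; it emits a minimal default-deny INPUT policy that allows loopback, established connections, rate-limited ping, and a list of TCP ports you pass in, and logs what the DROP policy discards.

```shell
#!/bin/sh
# Added example, not from the original article: generate a minimal default-deny
# iptables ruleset in iptables-restore format. Generating it to a file first
# lets you read it and rewrite it before anything is applied.

# Print a ruleset that drops everything inbound except loopback, replies to
# connections this host opened, rate-limited ping, and the TCP ports given as
# a space-separated list (e.g. "22 443").
gen_ruleset() {
    printf '%s\n' '# generated ruleset: review before applying with iptables-restore'
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for port in $1; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what falls through to the DROP policy, rate-limited so the log cannot be flooded.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# Number of explicit port openings in a generated ruleset, so a review can
# confirm the count matches what was intended.
count_open_ports() { gen_ruleset "$1" | grep -c -- '--dport'; }

# Usage: gen_ruleset "22 443" > firewall.rules ; read the file ; then
#        iptables-restore < firewall.rules
# Keep a console session open while applying, in case a mistake locks out SSH.
gen_ruleset "22 443"
```

Every line in the output is something you can read and justify, which is the point of the "read it, rewrite it" advice; a port that nobody can justify is removed from the list and the file is regenerated.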

Be ready for a disaster

- Always be ready with a full BACKUP
- Review your backup policy frequently
- Run your disaster recovery test once every 6 months.

Reference
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html
http://www.ibm.com/developerworks/linux/library/l-seclnx3/
http://www.userlocal.com/security/securitytips.php
http://www.securityfocus.com/infocus/1419
