What is Linux hardening?

Linux is considered one of the more secure operating systems. It is secure by default because of its built-in security model. However, you need to configure it for your own needs, which makes it even more secure.


Linux hardening is the process of increasing the level of security of a Linux machine. In general, hardening an operating system (regardless of which one) means securing it against attacks. Hardening usually involves a series of steps that secure a system by reducing its attack surface. The larger the vulnerable surface of a system, the more prone it is to attack. Below are some useful tips to harden your Linux security:

1. Physical System Security

Ø  Disable booting from Floppy Drive, CD/DVD, and USB drives

Ø  Enable BIOS password

Ø  Assign a password to GRUB (GRand Unified Bootloader) to avoid

2. Disk Partitions

Ø  Disk partitioning is one of the best methods to provide higher data security in the event of a disaster.

Ø  By creating different partitions, data can be separated and grouped. When an unexpected accident occurs, only the data on that partition will be damaged

Ø  Make sure that you store third-party applications under the file system /opt

3. Minimize Packages to Minimize Vulnerability

Ø  Install only the required packages

Ø  Disable or remove any unwanted packages

Ø  Vulnerabilities in unused packages may become an entry point for an attacker

Commands:

    List all the installed packages

    Remove package
        # yum -y remove package-name
        # sudo apt-get remove package-name

4. Check Listening Network Ports

Ø  Monitor the ports

Ø  Close the unused ports

Ø  Make use of the ‘netstat’ command to view all the ports and associated services

Ø  Disable unwanted services using the commands below:

    To find services running on runlevel 3
        # /sbin/chkconfig --list | grep '3:on'

    Disable service
        # chkconfig serviceName off
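
The port review described in this section can be scripted. The following is an added example, not part of the original article: it reads output in the format of 'netstat -tln' and prints every non-loopback listening port that is not on an allowlist. The sample output and the allowlist of ports 22 and 80 are constructed for illustration.

```bash
# Added example: flag listening TCP ports that are not on an allowlist.
# SAMPLE_NETSTAT is constructed output in the format of `netstat -tln`;
# on a real host, pipe the live command into the function instead.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::23                   :::*                    LISTEN'

# unexpected_ports "<space-separated allowed ports>"
# Reads netstat -tln output on stdin and prints one "port address" line
# for every LISTEN socket whose port is not allowed. Loopback-only
# listeners are skipped because they are not reachable from the network.
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)  # text before the port
            if (host == "127.0.0.1" || host == "::1") next
            if (!(port in ok)) print port, addr
        }' | sort -n
}

# Example policy (assumption): only SSH (22) and HTTP (80) should be reachable.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "22 80"
```

Each port it reports is a candidate for the 'chkconfig serviceName off' step above, once the owning service has been identified.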

5. Use Secure Shell (SSH)

Ø  Do not use the Telnet or rlogin protocols when communicating with the server

Ø  Use the SSH protocol when communicating with the server

Ø  SSH makes use of encryption technology during communication

Ø  Change the default port number of SSH from 22 to some other higher port number

6. Keep System Updated

Ø  Regularly update the system with the latest kernel

Ø  Regularly update the security patches

Ø  Regularly update the applications

7. Lockdown Cronjobs

Ø  Cron is a daemon that runs scheduled tasks automatically in the background without human intervention

Ø  We specify who can and who cannot run these processes

Ø  To block a user from using cron, simply add the user name to cron.deny

Ø  To allow a user to run cron, add the user name to the cron.allow file

 

8. Disable USB Stick Detection

Ø  We should restrict others from copying data using a pen drive (USB stick)

Ø  Disable detection of USB sticks

Ø  Create a file “/etc/modprobe.d/no-usb” and add the line below to avoid detecting USB storage

§  install usb-storage /bin/true

 

 

9. Turn on SELinux

Ø  Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel.

Ø  Disabling this service will allow an attacker to enter the system

Ø  Always keep SELinux ON

Ø  It provides 3 different modes of operation:

Enforcing – this mode enables the SELinux security policy

Permissive – this mode does not enforce the security policy but logs and warns

Disabled – SELinux is disabled

Ø  To view the current status: # sestatus

Ø  To enable SELinux: # setenforce enforcing

 

10. Remove KDE/GNOME Desktops

Ø  On a LAMP server, you don’t need to run KDE or GNOME

Ø  Disable or remove them to increase security

Ø  To disable: open the ‘/etc/inittab’ file and set the run level to 3

Ø  To remove them: # yum groupremove "X Window System"

 

               

11. Turn Off IPv6

Ø  Turn off IPv6 if you are not using it

Ø  Only a very few applications make use of it

Ø  Not all servers will make use of it

Ø  To disable:

        # vi /etc/sysconfig/network

        NETWORKING_IPV6=no
        IPV6INIT=no

 

 

 

12. Restrict Users from Using Old Passwords

§  Reusing the same password should be avoided

§  On a Linux machine we can see the last 5 passwords of anyone.

§  Old passwords are stored in /etc/security/opasswd

§  Open the file:

        # vi /etc/pam.d/system-auth (in CentOS/Fedora)
        # vi /etc/pam.d/common-password (in Ubuntu/Debian)

§  Add the following to the ‘auth’ section:

        auth sufficient pam_unix.so likeauth nullok

§  Add the following to the ‘password’ section to prevent a user from reusing the last 5 passwords:

        password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5

13. How to Check Password Expiration of User

Ø  Users should change their passwords regularly

Ø  Users should change their password before it expires

Ø  In Linux, the passwords are stored in the ‘/etc/shadow’ file in encrypted form

Ø  Use the ‘chage’ command to view password expiration details along with the last password change date.

Ø  To view aging information like expiry date and time: # chage -l username

Ø  To change password aging: # chage -M 60 username

        # chage -M 60 -m 7 -W 7 userName

        where:
        -M  Set maximum number of days
        -m  Set minimum number of days
        -W  Set the number of days of warning

 

14. Lock and Unlock Account Manually

Ø  Lock the user for some time instead of removing the account

Ø  To lock a user: # passwd -l accountName

Ø  When we lock any user, the encrypted password is replaced by (!) string

Ø  To unlock a locked user: # passwd -u accountName
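
The aging and locking rules from sections 13 and 14 can be checked across all accounts at once. The following is an added example, not part of the original article: it reads records in the /etc/shadow format and reports accounts that are locked, have no maximum password age, or exceed a given maximum. The sample records and their placeholder hashes are constructed for illustration.

```bash
# Added example: audit shadow-format records against the aging policy
# used above (chage -M 60) and report locked accounts.
# SAMPLE_SHADOW is constructed; the hashes are placeholders, not real ones.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved

SAMPLE_SHADOW='root:$6$PLACEHOLDER$hash:19000:0:99999:7:::
alice:$6$PLACEHOLDER$hash:19700:7:60:7:::
bob:!$6$PLACEHOLDER$hash:19650:7:60:7:::
carol:$6$PLACEHOLDER$hash:19500:0:90:7:::
daemon:*:18000:0:99999:7:::
dave:$6$PLACEHOLDER$hash:19710:7::7:::'

# audit_shadow MAX_DAYS   (shadow records on stdin)
# Prints one "user finding" line per account that needs attention:
#   locked   password field starts with "!" (the marker passwd -l adds)
#   no-max   maximum age field is empty, so the password never expires
#   max=N    maximum age N is larger than MAX_DAYS
# Accounts whose password field is "*" cannot log in with a password
# and are skipped.
audit_shadow() {
    awk -F: -v max="$1" '
        $2 == "*"        { next }
        $2 ~ /^!/        { print $1, "locked"; next }
        $5 == ""         { print $1, "no-max"; next }
        $5 + 0 > max + 0 { print $1, "max=" $5 }
    '
}

# On a real host, run as root with /etc/shadow on stdin instead.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 60
```

Accounts reported with max=N or no-max are the ones to bring into line with 'chage -M 60 username'.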
