Bangladesh University of Professionals (BUP)
M.Sc. in Cyber Security
Course Code: MCS 1101
Course Name: Cyber Security Fundamentals
Lab Assignment No: 02
Linux OS Security Hardening
Submitted To:
Engr. Md. Mushfiqur Rahman
Guest Faculty, Dept of CE
Bangladesh University of Professionals (BUP)
Dhaka, Bangladesh.

Submitted By:
Sree Pradip Kumer Sarker
ID No: 24525201005
M.Sc. in Cyber Security
BUP, Dhaka, Bangladesh.
Linux OS Security Hardening
Avoid Using FTP, Telnet, And Rlogin / Rsh Services on Linux
Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use OpenSSH (scp/SFTP) or FTPS (FTP over SSL/TLS), which encrypt the whole session. Type the following yum command to delete NIS, rsh and the other outdated services:
# yum erase xinetd ypserv tftp-server telnet-server rsh-server
If you are using a Debian/Ubuntu Linux based server, use the apt-get command/apt command to remove the insecure services:
# sudo apt-get --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server
Minimize Software to Minimize Vulnerability in Linux
Do you really need all sorts of web services installed? Avoid installing unnecessary software: every package you do not run is a vulnerability you do not have to patch. Use the package manager (yum/rpm on Red Hat-based systems, apt-get/dpkg on Debian-based systems) to review the full set of installed packages on a system, and delete all unwanted packages.
# yum list installed
# yum list packageName
# yum remove packageName
OR
# dpkg --list
# dpkg --info packageName
# apt-get remove packageName
Keep Linux Kernel and Software Up to Date
Applying security patches is an important part of maintaining a Linux server. Linux provides all the necessary tools to keep your system updated, and also allows for easy upgrades between versions. All security updates should be reviewed and applied as soon as possible. Again, use the package manager (yum and/or apt-get and/or dpkg) to apply all security updates.
# yum update
OR
# apt-get update && apt-get upgrade
You can configure Red Hat / CentOS / Fedora Linux to send yum package update notifications via email. Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications. It is also possible to configure unattended upgrades for your Debian/Ubuntu Linux server using the apt-get command/apt command:
# sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx
Locking User Accounts After Login Failures
Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log from the /var/log/faillog database / log file. It can also be used to maintain failure counters and limits. (On distributions that use pam_faillock instead, the counters live elsewhere and the faillock command is the equivalent.) To see failed login attempts, enter:
faillog
To unlock an account after login failures, run:
faillog -r -u userName
Note you can use the passwd command to lock and unlock accounts:
# lock Linux account
passwd -l userName
# unlock Linux account
passwd -u userName
How Do I Verify No Accounts Have Empty Passwords?
An empty second field in /etc/shadow means the account can be used without any password. Type the following command to list such accounts:
# awk -F: '($2 == "") {print}' /etc/shadow
Lock all empty password accounts:
# passwd -l accountName
Make Sure No Non-Root Accounts Have UID Set To 0
Only the root account should have UID 0, which grants full permissions on the system; any other account with UID 0 is effectively a second root under a different name. Type the following command to display all accounts with UID set to 0:
# awk -F: '($3 == "0") {print}' /etc/passwd
You should only see one line as follows:
root:x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure the other accounts are authorized by you to use UID 0.
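The two awk checks above combined into one audit function, as an added example (not part of the original assignment): it takes passwd- and shadow-format file paths so it runs here against constructed sample files and, as root, against /etc/passwd and /etc/shadow. The account names and hashes in the samples are made up.

```shell
# Audits a passwd/shadow pair for the two problems described above:
# empty password fields and non-root accounts with UID 0.
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    findings=0
    # shadow field 2 is the password hash; empty means login with no password at all.
    for u in $(awk -F: '($2 == "") {print $1}' "$shadow_file"); do
        echo "EMPTY-PASSWORD: $u  (lock with: passwd -l $u)"
        findings=$((findings + 1))
    done
    # passwd field 3 is the UID; anything other than root at UID 0 is a second root.
    for u in $(awk -F: '($3 == "0" && $1 != "root") {print $1}' "$passwd_file"); do
        echo "NON-ROOT-UID0: $u  (remove it or confirm it is authorized)"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample data (not from a real host): alice has an empty password
# and admin2 is a second UID-0 account.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'admin2:x:0:0:second root:/root:/bin/bash' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' \
    'root:$6$saltsalt$hashhash:19700:0:99999:7:::' \
    'admin2:$6$saltsalt$hashhash:19700:0:99999:7:::' \
    'alice::19700:0:99999:7:::' > "$SAMPLE_DIR/shadow"

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" || echo "audit: problems found"
```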
Disable Unwanted Linux Services
Disable all unnecessary services and daemons (services that run in the background). You need to remove all unwanted services from the system start-up. On SysV init systems, type the following command to list all services which are started at boot time in runlevel 3:
# chkconfig --list | grep '3:on'
To disable a service, enter:
# service serviceName stop
# chkconfig serviceName off
A note about systemd based Linux distros and services
Modern Linux distros with systemd use the systemctl command for the same purpose.
List all service unit files and whether each is enabled at boot, and what a target pulls in:
# systemctl list-unit-files --type=service
# systemctl list-dependencies graphical.target
Turn off a service at boot time:
# systemctl disable service
# systemctl disable httpd.service
Start/stop/restart a service:
# systemctl start service
# systemctl stop service
# systemctl restart httpd.service
Get the status of a service:
# systemctl status service
# systemctl status httpd.service
Viewing log messages (everything, one unit, follow live, kernel messages only):
# journalctl
# journalctl -u network.service
# journalctl -u ssh.service
# journalctl -f
# journalctl -k
Delete X Window System (X11)
The X Window System is not required on a server; there is no reason to run X11 on a dedicated Linux mail or Apache/Nginx web server. You can disable and remove X Windows to improve server security and performance. On SysV init systems edit /etc/inittab and set the default runlevel to 3 (on systemd systems use systemctl set-default multi-user.target instead). Finally, remove the X Window System:
# yum groupremove "X Window System"
On CentOS 7/RHEL 7 server use the following commands:
# yum group remove "GNOME Desktop"
# yum group remove "KDE Plasma Workspaces"
# yum group remove "Server with GUI"
# yum group remove "MATE Desktop"
Linux Kernel /etc/sysctl.conf Hardening
The /etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time; to apply edits immediately without a reboot, run sysctl -p. Sample /etc/sysctl.conf:
# Turn on ExecShield (this key only exists on older Red Hat/CentOS kernels; other kernels reject it)
kernel.exec-shield=1
# Randomize process address space (1 = stack/mmap/VDSO; 2 additionally randomizes the heap)
kernel.randomize_va_space=1
# Enable IP spoofing protection (reverse path filtering)
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore ICMP echo requests sent to broadcast addresses, and bogus ICMP error responses
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed (martian) packets get logged
net.ipv4.conf.all.log_martians=1
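A drift check for the settings above, as an added example (not part of the original assignment): it reads a sysctl.conf-style file and compares each value with what the running kernel exposes under /proc/sys, reporting keys the kernel does not have (such as kernel.exec-shield on non-Red Hat kernels) instead of silently skipping them. The second argument, the fake /proc/sys tree and the file names are assumptions made for offline testing.

```shell
# Prints OK / DRIFT / MISSING per key; returns 1 if any key is not as wanted.
# $1: sysctl.conf-style file; $2: root of the sysctl tree (default /proc/sys).
check_sysctl() {
    conf=$1
    base=${2:-/proc/sys}
    bad=0
    # Drop comments and whitespace so "key = value" and "key=value" both parse.
    for line in $(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$conf" | grep '='); do
        key=${line%%=*}
        want=${line#*=}
        # Dots in the key become path components: net.ipv4.conf.all.rp_filter
        # -> net/ipv4/conf/all/rp_filter (assumes no dots inside a single name).
        path="$base/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            # sysctl -p would stop with an error on such a key; report it instead.
            echo "MISSING $key (not exposed by this kernel)"
            bad=1
        elif [ "$(cat "$path")" = "$want" ]; then
            echo "OK      $key=$want"
        else
            echo "DRIFT   $key: want $want, have $(cat "$path")"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: the settings from the page, checked against a fake
# /proc/sys tree in which two values have drifted and exec-shield is absent.
T=$(mktemp -d)
cat > "$T/hardening.conf" <<'EOF'
kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.log_martians = 1
EOF
mkdir -p "$T/sys/kernel" "$T/sys/net/ipv4/conf/all"
echo 1 > "$T/sys/kernel/randomize_va_space"
echo 1 > "$T/sys/net/ipv4/conf/all/rp_filter"
echo 1 > "$T/sys/net/ipv4/conf/all/accept_source_route"   # drifted, should be 0
echo 1 > "$T/sys/net/ipv4/icmp_echo_ignore_broadcasts"
echo 0 > "$T/sys/net/ipv4/conf/all/log_martians"          # drifted, should be 1
check_sysctl "$T/hardening.conf" "$T/sys" || echo "drift found; apply with: sysctl -p $T/hardening.conf"
```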
Disable Unwanted SUID and SGID Binaries
Any file with the SUID/SGID bit set runs with its owner's (or group's) privileges, so a security bug in such an executable can be misused by any local user, or by a remote user who has obtained a shell. It is a good idea to find all such files and remove the bit from those that do not need it. Use the find command as follows:
# List all setuid files:
find / -perm -4000
# List all setgid files:
find / -perm -2000
# Or combine both in a single command:
find / \( -perm -4000 -o -perm -2000 \) -print
# Same, but skip /proc and show ls -l style details (/6000 = either bit; the older +6000 syntax is no longer accepted by GNU find):
find / -path /proc -prune -o -type f -perm /6000 -ls
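The one-off find above tells you what is set today; as an added example (not part of the original assignment), the functions below record a baseline of setuid/setgid files and diff it against the current state, so a privileged binary that appears later stands out. The sample directory tree and file names are constructed; paths are assumed to contain no whitespace.

```shell
# suid_list: every setuid/setgid regular file under $1, sorted for comm.
suid_list() {
    # -xdev stays on one filesystem (skips /proc, /sys and network mounts);
    # -perm -4000 / -2000 is the portable form of the older "+4000" syntax.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# suid_diff: compare a saved baseline ($1) with a fresh scan of $2.
# Prints "NEW  path" / "GONE path"; returns 1 if any NEW file was found.
suid_diff() {
    baseline=$1
    dir=$2
    current=$(mktemp)
    suid_list "$dir" > "$current"
    # comm needs sorted input; -13 = only in current, -23 = only in baseline.
    new=$(comm -13 "$baseline" "$current")
    gone=$(comm -23 "$baseline" "$current")
    rm -f "$current"
    for f in $new;  do echo "NEW  $f"; done
    for f in $gone; do echo "GONE $f"; done
    [ -z "$new" ]   # a new privileged binary is the finding worth acting on
}

# Constructed sample tree (not a real system): two expected privileged files,
# a baseline is taken, then an unexpected setuid file appears.
T=$(mktemp -d)
mkdir -p "$T/tree/bin" "$T/tree/lib"
: > "$T/tree/bin/passwd"; chmod 4755 "$T/tree/bin/passwd"   # expected setuid
: > "$T/tree/bin/wall";   chmod 2755 "$T/tree/bin/wall"     # expected setgid
: > "$T/tree/bin/ls";     chmod 0755 "$T/tree/bin/ls"       # ordinary binary
suid_list "$T/tree" > "$T/suid-baseline.txt"
: > "$T/tree/lib/helper"; chmod 4755 "$T/tree/lib/helper"   # not in the baseline
suid_diff "$T/suid-baseline.txt" "$T/tree" || echo "review NEW entries; strip bits with: chmod u-s,g-s FILE"
```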
Unowned Files
Files whose owner or group no longer maps to an entry in /etc/passwd or /etc/group (typically left behind after an account was deleted) can pose a security problem, because a newly created account that reuses the old UID or GID silently inherits them. Find them with the following command, which lists files that do not belong to a valid user or a valid group:
find /dir -xdev \( -nouser -o -nogroup \) -print
Disable USB/firewire/thunderbolt devices
Type the following command to disable USB storage devices on a Linux system:
# echo 'install usb-storage /bin/true' >> /etc/modprobe.d/disable-usb-storage.conf
You can use the same method to disable the firewire and thunderbolt modules:
# echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
# echo "blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf
Note that blacklist only stops a module from being loaded automatically by alias; the install ... /bin/true form also blocks an explicit modprobe of the module, so it is the stronger of the two. Once done, users cannot quickly copy sensitive data to USB devices or install malware or a backdoor on your Linux based system.
Disable unused services
You can disable unused services using the service command/systemctl command:
# sudo systemctl stop service
# sudo systemctl disable service
For example, if you are not going to use the Nginx service for some time, disable it:
# sudo systemctl stop nginx
# sudo systemctl disable nginx
Use fail2ban/DenyHosts as an IDS (Install an Intrusion Detection System)
Fail2ban or DenyHosts scans the log files for too many failed login attempts and blocks the IP address that is showing malicious signs. See the DenyHosts documentation for how to install and use it on Linux. Fail2ban can be installed easily:
# sudo apt-get install fail2ban
OR
# sudo yum install fail2ban
Edit the config file as per your needs (keep your own overrides in /etc/fail2ban/jail.local, since jail.conf is replaced on package upgrades):
# sudo vi /etc/fail2ban/jail.conf
Restart the service:
# sudo systemctl restart fail2ban.service
Secure Apache/PHP/Nginx server
Edit the Apache configuration file (httpd.conf on Red Hat-based systems, apache2.conf on Debian/Ubuntu) and add the following; the Header directive requires mod_headers to be enabled:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options -Indexes
Header always unset X-Powered-By
(Apache rejects "Options all -Indexes": either every option carries a +/- prefix or none does.) Restart the httpd/apache2 server on Linux, run:
# sudo systemctl restart apache2.service
OR
# sudo systemctl restart httpd.service
Secure OpenSSH server on a Linux system:
1. Update Your System
Ensure your system and OpenSSH packages are up-to-date:
# sudo apt-get update
# sudo apt-get upgrade
# sudo apt-get install openssh-server
2. Backup the SSH Configuration File
Before making changes, backup the existing SSH configuration file:
# sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
3. SSH Configuration Adjustments
Edit the SSH configuration file:
# sudo nano /etc/ssh/sshd_config
Key Configuration Options:
Protocol Version: Ensure SSH is using Protocol 2 (current OpenSSH releases support only protocol 2 and ignore this line; it matters on older installs).
Protocol 2
Disable Root Login: Prevent root from logging in via SSH.
PermitRootLogin no
Change Default Port: Change the default SSH port (22) to a non-standard port. Open the new port in the firewall (step 5) before restarting sshd, or you will lock yourself out.
Port 2222
Limit User Access: Restrict SSH access to specific users.
AllowUsers user1 user2
Disable Password Authentication: Use key-based authentication instead of password-based. Install your public key (step 4) and confirm a key login works from a second session before turning this on.
PasswordAuthentication no
Disable Empty Passwords: Ensure users cannot log in with empty passwords.
PermitEmptyPasswords no
Use Strong Ciphers and MACs: Configure strong encryption and message authentication codes.
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Limit Login Grace Time: Reduce the login grace time (how long an unauthenticated connection may stay open).
LoginGraceTime 1m
Enable Public Key Authentication:
PubkeyAuthentication yes
Disable X11 Forwarding: Unless needed.
X11Forwarding no
Disable SSH Agent Forwarding: Unless needed.
AllowAgentForwarding no
4. Key-based Authentication
Generate SSH keys for users and distribute them securely:
ssh-keygen -t rsa -b 4096
Copy the public key to the server:
ssh-copy-id user@server
5. Enable and Configure Firewall
Use ufw to manage the firewall:
sudo ufw allow 2222/tcp
sudo ufw enable
6. Install and Configure Fail2Ban
Fail2Ban helps protect against brute-force attacks:
sudo apt-get install fail2ban
Create or edit the local configuration for SSH:
sudo nano /etc/fail2ban/jail.local
Add the following configuration:
[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
maxretry = 3
Restart Fail2Ban:
sudo systemctl restart fail2ban
7. Restart SSH Service
Check the edited file for syntax errors first with sshd -t (a broken sshd_config will stop the daemon from starting), keep your current session open, then apply the configuration changes:
sudo systemctl restart sshd
8. Regular Audits and Monitoring
Regularly review SSH logs (/var/log/auth.log).
Use tools like logwatch or OSSEC for monitoring.
By following these steps, you can significantly improve the security posture of your OpenSSH server.
Linux Hardening: Install & Use Intrusion Detection System
Installing and using an Intrusion Detection System (IDS) is a crucial step in hardening a Linux system. An
IDS can help monitor and analyze network traffic for signs of malicious activities. Below are the steps to
install and configure an IDS, using two popular options: Snort and OSSEC.
1. Snort - Network-based Intrusion Detection System
Step 1: Install Snort
For Debian/Ubuntu-based systems:
sudo apt-get update
sudo apt-get install snort
Step 2: Configure Snort
Edit the Snort configuration file:
sudo nano /etc/snort/snort.conf
Set the network variables to match your network setup:
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET any
Step 3: Update Snort Rules
Snort uses a set of predefined rules to detect malicious activities. Update the rules:
sudo apt-get install pulledpork
sudo pulledpork.pl -c /etc/snort/pulledpork.conf -g
Step 4: Start Snort
Run Snort in intrusion detection mode:
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
Replace eth0 with your network interface.
Step 5: Monitor Snort Logs
Logs are typically stored in /var/log/snort/. Monitor these logs for any alerts:
sudo tail -f /var/log/snort/alert
2. OSSEC - Host-based Intrusion Detection System
Step 1: Install OSSEC
Download and install the latest version of OSSEC:
curl -L -O https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar -xzf 3.6.0.tar.gz
cd ossec-hids-3.6.0
sudo ./install.sh
During the installation, follow the prompts to configure OSSEC. Choose the local installation type for a single host.
Step 2: Configure OSSEC
Edit the main configuration file to set up email notifications and other settings:
sudo nano /var/ossec/etc/ossec.conf
Example email configuration:
<global>
<email_notification>yes</email_notification>
<email_to>admin@example.com</email_to>
<email_from>ossec@example.com</email_from>
<smtp_server>smtp.example.com</smtp_server>
<smtp_port>25</smtp_port>
</global>
Step 3: Start OSSEC
Start the OSSEC services:
sudo /var/ossec/bin/ossec-control start
Step 4: Monitor OSSEC Logs
OSSEC logs and alerts can be found in /var/ossec/logs/alerts/alerts.log. To monitor the logs:
sudo tail -f /var/ossec/logs/alerts/alerts.log
Additional Steps for Both IDS
Regular Updates
Regularly update the IDS rules and software to ensure you are protected against the latest threats.
Tune the IDS Configuration
Tuning the IDS configuration is necessary to reduce false positives and ensure that the alerts are relevant
to your environment.
Integrate with SIEM
For enhanced monitoring and alerting, consider integrating the IDS with a Security Information and Event Management (SIEM) system such as Splunk or the ELK stack.
Automated Responses
Set up automated responses to certain types of alerts, such as blocking an IP address that is attempting a
brute force attack.
By installing and configuring an IDS like Snort or OSSEC, you can significantly enhance the security of your Linux system by detecting and responding to potential threats in real time.