Hardening the Linux server
23 January 2014
(First published 17 December 2008)
Servers whether used for testing or production are primary targets for attackers. By taking
the proper steps, you can turn a vulnerable box into a hardened server and help thwart outside
attackers. Learn how to tighten Secure Shell (SSH) sessions, configure firewall rules, and set
up intrusion detection to alert you to possible attacks on your GNU/Linux server.
Linux already claims a large share of the server market, and forecasts show that this share
will increase because of the demands of cloud computing. Enterprise IT shops concerned with
security need to take a look at the vulnerabilities these servers pose to the network and how these
machines can be secured. This article demonstrates how to tighten Secure Shell (SSH) sessions,
configure a firewall, and set up intrusion detection.
The first step in hardening a GNU/Linux server is determining the server's function, which
determines the services that need to be installed on it. For example, if the server in question is
used as a web server, you should install Linux, Apache, MySQL, and Perl/PHP/Python (LAMP)
services. If the server is used for directory services, the only applications and services that should
be permitted to run on it are those required for the task it's meant to perform. Nothing extra should
be installed for two reasons:
Installing extra software or running extra services creates unnecessary vulnerabilities. For
example, if you run Lightweight Directory Access Protocol (LDAP) on a server for directory
services, both the operating system and LDAP must be up-to-date with security fixes and
patches. If LAMP (or any other software) were installed on this server, it also would require
updates and attention, even if it weren't used. Its mere existence on the server gives an
attacker another avenue into your system.
Copyright IBM Corporation 2008, 2014
Installing extra software on a server means that someone will be tempted to use that server
for something other than its intended use. Using the server for tasks other than its main task
diverts resources from its primary job and exposes it to potential threats.
GUI login
Some people who rely on a GUI such as GNOME or KDE might be inclined to install a
graphical login such as the GNOME Display Manager. This isn't necessary, because you can
log in from the command-line interface just as easily as you can through a GUI-based login
screen. The only difference is that you have to use the sudo startx command if you need
to administer your server through a GUI.
You need to decide if you want to install a graphical user interface (GUI). GNU/Linux admins
have long held a certain pride in administering their networks and servers from a command-line interface. But some systems administrators have begun administering their GNU/Linux
servers through a GUI. A GUI can tax a system's resources and, because it's an extra service
that isn't necessary, create vulnerabilities. However, the GUI process can be killed when it's no
longer in use, and it makes certain tasks, such as working with a database, much easier for the
administrator.
If you decide you want to install a GUI, the following instructions show you how to install GNOME
as a desktop GUI:
1. Log in to your system. To install the GNOME core, type the following at the command prompt
and press Enter:
sudo aptitude install x-window-system-core gnome-core
4. Press Enter and follow the process until GNOME is installed on your system.
5. When either package is finished installing, you're still at the command prompt. To open
GNOME, type sudo startx.
Security by obscurity
One of the most common methods for hardening SSH is to change the port number used to
access it. The theory is that an attacker using the default port, TCP 22, to establish a connection
will be denied access because the service is listening on a nonstandard port. However, changing the
port number won't prevent an attacker with a port scanner from finding the SSH port if he takes
the time to scan all of the ports on your server. For this reason, many systems administrators don't
bother changing the port. But this approach does prevent script kiddies from attacking SSH with
automated tools dedicated to finding open TCP 22 ports, and impatient attackers may grow weary
of scanning your server if they don't find SSH running in the first range of ports they scan.
To change the SSH port, first install SSH on your server. Type the following command,
and then press Enter:
sudo aptitude install openssh-server
Type your password. This command installs OpenSSH for remote logins to your server.
Before you edit the SSH configuration file, copy it in case something goes wrong during
configuration; you can always revert to the original. Then:
1. At the command line, type the following command, then press Enter:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.back
2. Now you can use a text editor such as Emacs or vi to change the file (the file is owned by root, so
run the editor with sudo):
sudo emacs /etc/ssh/sshd_config
If you prefer Emacs and it isn't installed yet, use sudo aptitude install emacs. Now, locate the
portion of the file where you set the port number. When you've found it (the default is port 22),
you can change it to an arbitrary number. More than 65,000 ports are available: Choose something
at the upper end of the scale, but a number you'll remember. Remember, skilled attackers know
how people think. Changing the port number to 22222 or 22022 is a common mistake, so
choose a number that isn't easily guessed.
Whitelist users
Another step you can take to harden SSH on your server is to allow only certain people to use this
service. This process is known as whitelisting. To create a whitelist, you first need the user names
of the people who will be allowed to use SSH to access the server remotely. Then, perform these
steps:
1. Add this line to your sshd_config file:
# Allow only certain users
AllowUsers username username username
Substitute user names from your list in place of the word username. Alternately, you can allow
groups access to SSH logins by using:
# Allow only certain groups
AllowGroups group group
Again, substitute your user groups for the word group in the example.
2. Save your configuration file, and exit your editor.
3. Restart SSH for the changes to take effect. You don't need to shut down your computer; just
type sudo service ssh restart.
4. Press Enter and provide your password.
The service restarts and tells you [OK].
You can secure SSH in other ways, although those are for more advanced users. When you've
had more experience working with GNU/Linux and SSH, consider taking those steps.
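As an added example (not part of the original article), the following POSIX shell function audits an sshd_config for the two settings discussed above: a non-default Port and an AllowUsers or AllowGroups whitelist. It assumes a plain file with no Include or Match directives, which keeps the parser short.

```sh
#!/bin/sh
# Added example: audit an sshd_config file for the hardening steps
# described above. Usage: audit_sshd_config /etc/ssh/sshd_config
# Assumption: the file has no Include or Match directives.

# Print the value of directive $2 in file $1. sshd honours the first
# uncommented occurrence of a directive, so stop at the first match.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Returns 0 when the port was changed and a whitelist exists, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    rc=0
    port=$(sshd_get "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port is unset or still the default 22"
        rc=1
    elif [ "$port" = "22222" ] || [ "$port" = "22022" ]; then
        # The article calls these out as common, easily guessed choices.
        echo "WARN: Port $port is a commonly guessed alternative"
    else
        echo "OK:   Port $port"
    fi
    users=$(sshd_get "$cfg" AllowUsers)
    groups=$(sshd_get "$cfg" AllowGroups)
    if [ -z "$users" ] && [ -z "$groups" ]; then
        echo "FAIL: no AllowUsers or AllowGroups whitelist"
        rc=1
    else
        echo "OK:   whitelist: AllowUsers='$users' AllowGroups='$groups'"
    fi
    return $rc
}

# Run against the file given on the command line, if any.
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```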
Press Enter. The output you see should look similar to that of Listing 1:
Listing 1. Code output
youruser@yourcomputer:~$ sudo ufw status verbose
[sudo] password for youruser:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
youruser@yourcomputer:~$
Notice that by default, all incoming traffic is denied. You can change this to allow all incoming
traffic, but that would defeat the purpose of the firewall. Instead, you can create rules that specify
which traffic you'll allow by:
- Port and protocol
- IP address
- Service
You also have the option of specifying which protocol is allowed. If no protocol is specified, then
both TCP and User Datagram Protocol (UDP) are covered under the rule. However, to allow only
TCP traffic on port 80, the command is:
sudo ufw allow 80/tcp
To allow incoming traffic on port 80 for UDP only, the same syntax applies:
sudo ufw allow 80/udp
To block an entire subnet, you enter the whole range of addresses. For example, for this
class C network, you would type:
sudo ufw deny from 192.168.1.0/24
The same syntax applies should you need to allow traffic from only one IP address or subnet:
just use allow in place of deny.
To stop the firewall altogether, you have the option of disabling it using:
sudo ufw disable
Disabling a firewall that runs essential services or houses sensitive data is inadvisable. Even
taking down this protection for a moment could open the server and its resources to threats.
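The policy summary in Listing 1 is easy to check from a script. The function below is an added example, not from the article: it reads the text of ufw status verbose on standard input and succeeds only when the firewall is active and denies incoming traffic by default; given an optional port/protocol argument, it also requires an ALLOW IN rule for it, which is worth confirming for a changed SSH port before you rely on the firewall. The sample status text is constructed; the rule line follows the column layout ufw prints.

```sh
#!/bin/sh
# Added example: verify the policy summary printed by "ufw status verbose".
# Usage: sudo ufw status verbose | ufw_policy_ok [port/proto]

# Constructed sample of the command's output (compare Listing 1), with one
# rule line added in the format ufw prints for an allowed port.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
64022/tcp                  ALLOW IN    Anywhere'

# Reads ufw status text on stdin. Returns 0 when the firewall is active,
# the default incoming policy is deny or reject, and (if $1 is given) an
# ALLOW IN rule exists for that port; prints the reason otherwise.
ufw_policy_ok() {
    want=$1
    text=$(cat)
    status=$(printf '%s\n' "$text" | awk -F': ' '$1 == "Status" { print $2 }')
    if [ "$status" != "active" ]; then
        echo "FAIL: firewall status is '${status:-unknown}'"
        return 1
    fi
    incoming=$(printf '%s\n' "$text" |
        sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p')
    case $incoming in
        deny|reject) ;;
        *) echo "FAIL: default incoming policy is '${incoming:-unset}'"
           return 1 ;;
    esac
    if [ -n "$want" ]; then
        # Rule lines look like "64022/tcp  ALLOW IN  Anywhere".
        if ! printf '%s\n' "$text" |
             awk -v p="$want" '$1 == p && $2 == "ALLOW" && $3 == "IN" { f = 1 }
                               END { exit !f }'; then
            echo "FAIL: no ALLOW IN rule for $want"
            return 1
        fi
    fi
    echo "OK: active, incoming denied by default${want:+, $want allowed}"
    return 0
}
```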
Tripwire
Tripwire sets up a baseline of normal system binaries for your computer. It then reports any
anomalies against this baseline through an email alert or through a log. Essentially, if the system
binaries have changed, you'll know about it. If a legitimate installation causes such a change, no
problem. But if the binaries are altered as a result of a Trojan horse-type installation, you have a
starting point from which to research the attack and fix the problems.
1. To install and configure Tripwire through the command line, type the following command and
then press Enter:
sudo aptitude install tripwire
4. Open your text editor to make the configurations shown in Listing 2, substituting your server
name for hostname (you'll be using Emacs here):
Listing 2. Tripwire configurations
hostname ~ # emerge tripwire
hostname ~ # cd /etc/tripwire
hostname ~ # emacs -nw /etc/tripwire/twpol.txt
hostname ~ # emacs -nw /etc/tripwire/twcfg.txt
5. Enter the following command to create keys and sign the policy:
hostname ~ # cd /etc/tripwire ; sh ./twinstall.sh
6. Initialize everything, and create the database using the next command (you should be asked
to supply your passphrase here):
hostname ~ # tripwire --init
When this process is complete, Tripwire has created a snapshot of your system. This baseline will
be used to check whether any critical files have been changed. If they have, you'll be alerted to it.
You can run reports from Tripwire, as well. At the terminal, type this command:
sudo twprint --print-report -r \
The trailing backslash continues the command on the next line, so your prompt changes to a single
caret (>). At this new prompt, type:
/var/lib/tripwire/report/[hostname]-YYYYMMDD-HHMMSS.twr | less
If you don't know the exact time you ran your report, list the directory /var/lib/tripwire/report
to see the complete file name.
To fine-tune the capabilities of Tripwire, you can look to twadmin. You can also set a cron job
to email you a copy of this report each day or configure Tripwire to email you if an anomaly is
reported.
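To show what the baseline-and-compare step does, here is an added example (not Tripwire's own code and not from the article) that records a SHA-256 hash of every file under a directory and later reports what changed, was added or was removed. It assumes GNU coreutils (sha256sum). Tripwire signs its database with the keys created by twinstall.sh; this script does not, so keep its baseline file somewhere an intruder on the host cannot rewrite it.

```sh
#!/bin/sh
# Added example: a minimal file-integrity baseline in the spirit of Tripwire.
# Assumes GNU coreutils (sha256sum) and a find that supports -exec ... +.
# Usage: baseline_create /usr/bin /root/bin.sha256
#        baseline_check  /usr/bin /root/bin.sha256

# Write one "hash  ./relative/path" line per regular file under $1 into $2,
# sorted by path so two runs are directly comparable.
baseline_create() {
    dir=$1
    out=$2
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$out"
}

# Compare directory $1 against baseline file $2. Prints CHANGED, ADDED or
# REMOVED lines and returns 1 if anything differs, 0 if the tree matches.
baseline_check() {
    dir=$1
    base=$2
    rc=0
    now=$(mktemp)
    baseline_create "$dir" "$now"
    # Field 1 is the hash, field 2 the path (paths containing spaces are not
    # handled, to keep the example short).
    diff_out=$(awk '
        NR == FNR { old[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in old))        print "ADDED   " $2
            else if (old[$2] != $1)  print "CHANGED " $2
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$now")
    rm -f "$now"
    if [ -n "$diff_out" ]; then
        printf '%s\n' "$diff_out"
        rc=1
    fi
    return $rc
}
```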
Logwatch
Logwatch helps you monitor your system's log files. This program requires a working mail server
on your network to email the logs to you. If you want to change the .conf file, you need to open
/usr/share/logwatch/default.conf/logwatch.conf and look for the line that reads MailTo. Change
user.name.domain.tld to your email address.
You can install Logwatch with this command:
sudo aptitude install logwatch
Pressing Enter sends a copy of the report to the email address specified. If you aren't running a
mail server on your network but would still like to see a Logwatch report, the following command
provides it on your screen:
logwatch --range All --archives --detail Med
The output spans several screens; press Shift-Page Up to move to the beginning of the report.
File permissions. Read (r), write (w), and execute (x). Each of these permissions is also
given a number: read = 4, write = 2, and execute = 1.
Directory-level permissions. Enter, which gives permission to enter the directory; Show,
which gives permission to see the contents of the directory; and Write, which gives permission
to create a new file or subdirectory.
How permissions are assigned. Permissions are assigned in three ways: by user level,
group level, and other level. The user level defines the user who created the file or directory;
the group level defines the group the user is in; and the other level is for any user outside of
the user's group.
The user permissions are granted first: For example, r/w/x means the user can read, write, and
execute the file or files in the folder. You can apply the number value to each permission. Thus, if
a user can read, write, and execute, you add the corresponding numbers 4, 2, and 1 for a total of
7. Next come the group permissions. For instance, the other members of the user's group may be
able to read and execute but not write. Adding up the corresponding values gives you 5. Those in
the others category can only read the files, so their numerical value is 4. Thus, the permissions for
the file or folder are 754.
When permissions are set to 777, everyone is given the ability to read, write, and execute. The
chmod command changes permissions for files and directories. To change the owner of a file or
directory, use the chown command. To change group ownership of a file or directory, use the chgrp
command.
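As an added example (not from the article), the first function below turns the nine-character symbolic permissions that ls -l prints into the octal number worked out above (754 for rwxr-xr--), and the second lists files under a directory that are writable by others, the 777-style setting the text warns about.

```sh
#!/bin/sh
# Added example: permission arithmetic and a world-writable file scan.
# Usage: mode_to_octal rwxr-xr--      -> 754
#        find_world_writable /srv/www

# Convert a 9-character symbolic mode (user, group, other triplets) to its
# octal value using the weights from the text: r=4, w=2, x=1 per triplet.
# Returns 1 if the input is not exactly nine characters.
mode_to_octal() {
    sym=$1
    [ "${#sym}" -eq 9 ] || return 1
    out=""
    for i in 0 3 6; do
        triplet=$(printf '%s' "$sym" | cut -c "$((i + 1))-$((i + 3))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        # s and t (setuid/setgid/sticky shown by ls) also imply execute.
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# List files and directories under $1 whose "other" bits allow writing
# (-perm -002), skipping symlinks; on a server this usually signals a
# misconfiguration such as a blanket chmod 777.
find_world_writable() {
    find "$1" -perm -002 ! -type l -print 2>/dev/null | LC_ALL=C sort
}
```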
Encryption
Encryption is the process of scrambling data stored on a computer in a manner that makes it
unreadable to anyone who doesn't possess the key to re-create the data in its original form. Data
that has been encrypted can be stored on the local computer, stored on a network share, or
transmitted to other users and computers.
You can encrypt an entire hard disk or the partitions of the disk. This should be done at installation.
You can also secure data through encryption by creating a directory and encrypting it. For
example, if you've set up a file server, you may want to encrypt a directory that holds sensitive
information.
Before you go forward with protecting your data, you need to install eCryptfs from the Ubuntu
repositories by typing:
sudo aptitude install ecryptfs-utils
When installed, set up a private directory where you can store your encrypted files and folders. To
do so, type this command in the terminal:
ecryptfs-setup-private
You'll be asked to enter your login password and then to create a mount passphrase (or have one
generated for you). Write down this passphrase: You'll need it to recover data manually. Log out of
your computer, and then log back in. When you are logged in, any folders or files you write in
~/Private will be encrypted.
Recovering data
In an emergency, you may need to recover your encrypted data. You can do so automatically by
making sure that your hard drive is mounted, and then opening the terminal. At the prompt, run:
sudo ecryptfs-recover-private
Follow the prompts, and you'll be able to access your data after it has been decrypted. Make sure
you save it in another location so you can access it again.
Updates
Never install updates and patches on a production server until they've been tested on a test, or
development, server. Because a GUI may not be installed on your server, you have to download
any updates and patches through the terminal. When you're ready to install updates, enter the
command sudo apt-get update, and then sudo apt-get dist-upgrade. In some cases, you need
to restart your server.
Malware
Although viruses don't pose much of a threat to the GNU/Linux server, if you run Samba to share
Windows files, make sure an antivirus scanner like ClamAV is installed so infected files don't
spread throughout your system. In addition to viruses, worms, Trojans, and the like, there is also
the danger of a hacker installing a rootkit on your system and gaining root-level permissions to
capture passwords, intercept traffic, and create other vulnerabilities. To combat this threat, install
tools such as Rootkit Hunter (rkhunter) and chkrootkit on the server (see Resources for a
link to "Hardening the Linux desktop," which contains instructions).
Passwords
As the systems administrator, you're required to set passwords for your server's root account
and possibly other sensitive accounts in your organization, such as MySQL databases or FTP
connections. You can't force strong passwords for your users with Ubuntu Server, but you can be
sure you train users on how to create a strong password.
Passwords should be at least eight characters long and contain at least three of the following: an
uppercase letter, a lowercase letter, a number, or a symbol. One way to teach users to use strong
passwords but keep them from writing down complex passwords on sticky notes is to have them
use passphrases. Something like Myf@voritecolorisBlue! is much easier to remember than
M$iuR78$, and both meet minimal complexity standards.
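An added example (not from the article) that checks a candidate password against the rule stated above, at least eight characters and at least three of the four character classes; the two sample passwords from the text are the ones it is tested with, and both pass.

```sh
#!/bin/sh
# Added example: check a password against the article's rule: at least
# eight characters and at least three of the four character classes.
# Usage: password_meets_policy 'candidate' && echo acceptable

# Count how many of the four classes (upper, lower, digit, symbol)
# appear in $1; prints 0 to 4. LC_ALL=C keeps the ranges ASCII-only.
count_classes() {
    pw=$1
    n=0
    for pat in '[A-Z]' '[a-z]' '[0-9]' '[^A-Za-z0-9]'; do
        if printf '%s' "$pw" | LC_ALL=C grep -q "$pat"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Returns 0 when $1 meets the policy, 1 otherwise.
password_meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    [ "$(count_classes "$pw")" -ge 3 ]
}
```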
Conclusion
The tasks outlined in this article and "Hardening the Linux desktop" should give you a solid
knowledge base on the topic of system security. Keep in mind that these articles are aimed at
beginners to provide a foundation for learning more about GNU/Linux security.
Resources
Learn
"Hardening the Linux desktop" (Jeff Orloff, developerWorks, 2013): Read this step-by-step
guide to securing a GNU/Linux desktop computer.
"10 Immutable Laws of Security" (Scott Culp, Microsoft, 2010): Find out more about security
for users; Culp's follow-on article, 10 Immutable Laws of Security Administration, gives similar
guidance for administrators.
"Secure Linux containers cookbook" (Serge E. Hallyn, developerWorks, 2009): Learn how to
strengthen lightweight containers with SELinux and Smack.
"Secure Linux: Part 1" (Evgeny Ivashko, developerWorks, 2012): Learn about the basic
milestones in the development, architecture, and operating principles of Security-Enhanced
Linux.
"Anatomy of Security-Enhanced Linux (SELinux)" (M. Tim Jones, developerWorks, 2012):
Learn more about the architecture and implementation of SELinux.
Get products and technologies
Download Ubuntu Server Edition to follow along with the lessons in this article.
Download VirtualBox to create a virtual machine so that you can practice with the lessons in
this article.
Learn more about Samba, which offers file and print services to Windows computers.
Learn more about GNOME, a Linux graphical desktop.
Learn more about GNOME Desktop Manager, which provides you with a graphical login.
Learn more about KDE, an alternative graphical desktop to GNOME.
Learn more about UFW from the Ubuntu wiki.
Learn more about the Tripwire open source project.
Learn more about Logwatch.
Learn more about eCryptfs for securing files and folders.
Learn more about ClamAV to help protect your server from malware.
Learn more about how Rootkit Hunter can help secure your servers.
Learn more about chkrootkit, which assists in finding rootkits that have been installed on
your server.
Learn more about iptables from the Ubuntu wiki.