Security Information and Review

Collection of security information and review

Hardening Linux Server part 2 : Advanced Linux Security

Author : Admin

The previous discussion, Hardening Linux Server part 1: Physical Access Security, covered how to improve physical access security on a Linux server. This discussion goes into more detail on the Linux system itself.

 

The "root" account has no security restrictions. For this reason we must know what we are doing, and never log in as this user unless the task absolutely requires root access. The first thing to do to improve the security of a Linux server is to configure the user profiles, especially that of the superuser "root". It happens sometimes, even often, that we delete a file by accident while logged in as "root". So we need to modify the "rm" command, as shown in the following script.

	#vi .bashrc

	alias rm='rm -i'

With this change, the "rm" command asks for confirmation before it executes.

 

Another security improvement is to not use the "r" utilities such as rsh, rlogin and rexec, and to not create .rhosts files. So we must delete all existing .rhosts files on the Linux system.

 

It is recommended to specify the TTY and VC devices on which "root" is allowed to log in to the Linux system. To do this, edit the /etc/securetty file and disable any TTY or VC devices that we don't need by commenting them out or removing them. See the sample /etc/securetty file below.

	#vi /etc/securetty
 
	tty1
	#tty2	this console is disabled
	#tty3  this console is disabled
	tty4
	…

For security reasons, some Linux distros such as Ubuntu disable the superuser "root" by default, and it is recommended to use "sudo" to run commands that require root privileges. sudo has one main configuration file, /etc/sudoers, which is readable by root only. It is recommended to edit /etc/sudoers with visudo, a special configuration editor for /etc/sudoers. See the sample /etc/sudoers file in the following script.

#visudo /etc/sudoers
 
# User alias specifications
#
User_Alias WEBMASTERS = indra
 
# Command alias specifications
#
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias WEBINIT = /etc/rc.d/init.d/httpd
 
# User specifications
#
# root and users in group wheel can run anything as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
 
# webmasters can restart apache as well as run any command as user
# apache (which owns the web pages) or simply su to user apache
WEBMASTERS ALL = WEBINIT, (apache) ALL, (root) /usr/bin/su apache
 
# indra can also shutdown the machine
indra ALL = SHUTDOWN

An excellent practice for hardening a Linux server is to configure the user profile: limit the number of old commands kept in the history, set an automatic timeout, and limit the size of the history file.

	#vi /etc/profile

	# Log out automatically after 720 seconds of idle time
	TMOUT=720
	# Set the number of old commands to keep
	HISTSIZE=10

	# Set the size of the history file
	HISTFILESIZE=0

With this configuration, the .bash_history file in each user's home directory can store 10 old commands and no more. With HISTFILESIZE=0, each time a user logs out, their .bash_history file is deleted. TMOUT=720 means that users are automatically logged out after 720 seconds of inactivity; it applies to all users on the system.

 

To complete the discussion, it is very important to tighten the /etc/inittab file. This file defines the boot behavior of the SysV init process. If we don't have the best physical security for the Linux system, it is important to disable the possibility of rebooting the system with the Ctrl + Alt + Del key combination. We must also configure this file to require the root password when entering single user mode.

	#vi /etc/inittab

	# comment out this entry to disable the CTRL + ALT + DEL trap that restarts the system.
	#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

	id:3:initdefault:
	~~:S:wait:/sbin/sulogin
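
To check that a server actually carries the settings from this discussion, the following audit script can be used. It is an added example, not part of the original post. The function names and the root-prefix argument are assumptions made for illustration, and the limits (TMOUT up to 720, HISTSIZE up to 10, HISTFILESIZE of 0) are taken from the sample values above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the settings covered here.
# Assumption: $1 is a root prefix ("" = live system) so a copy can be checked.

has_rm_alias() {        # root's .bashrc aliases rm to 'rm -i'
    grep -Eq "^[[:space:]]*alias[[:space:]]+rm=['\"]rm[[:space:]]+-i['\"]" \
        "$1/root/.bashrc" 2>/dev/null
}
find_rhosts() {         # .rhosts files in root's and users' home directories
    find "$1/root" "$1/home" -maxdepth 2 -type f -name .rhosts 2>/dev/null
}
root_ttys() {           # devices left uncommented in /etc/securetty
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1/etc/securetty" 2>/dev/null
}
profile_value() {       # last value assigned to variable $2 in /etc/profile
    sed -n "s/^[[:space:]]*\(export[[:space:]][[:space:]]*\)*$2=\([^[:space:]#;]*\).*/\2/p" \
        "$1/etc/profile" 2>/dev/null | tail -n 1
}
ctrlaltdel_active() {   # an uncommented ctrlaltdel entry remains in inittab
    grep -Eq '^[^#]*:ctrlaltdel:' "$1/etc/inittab" 2>/dev/null
}
sulogin_required() {    # single-user mode runs sulogin (asks for root password)
    grep -Eq '^[^#]*:S:wait:.*sulogin' "$1/etc/inittab" 2>/dev/null
}
fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

audit() {               # prints findings; exit status is the number of findings
    root=${1:-}; findings=0
    has_rm_alias "$root" || fail "root's .bashrc has no alias rm='rm -i'"
    r=$(find_rhosts "$root"); [ -z "$r" ] || fail ".rhosts file(s) present: $r"
    echo "INFO: root may log in on: $(root_ttys "$root" | tr '\n' ' ')"
    v=$(profile_value "$root" TMOUT)
    { [ "$v" -gt 0 ] && [ "$v" -le 720 ]; } 2>/dev/null || fail "TMOUT='$v', expected 1..720"
    v=$(profile_value "$root" HISTSIZE)
    [ "$v" -le 10 ] 2>/dev/null || fail "HISTSIZE='$v', expected at most 10"
    v=$(profile_value "$root" HISTFILESIZE)
    [ "$v" = 0 ] || fail "HISTFILESIZE='$v', expected 0"
    ctrlaltdel_active "$root" && fail "Ctrl+Alt+Del reboot entry is active in inittab"
    sulogin_required "$root" || fail "single-user mode does not run sulogin"
    return "$findings"
}

# Runs only when a root prefix is given, e.g. "/" for the live system.
if [ "$#" -gt 0 ]; then audit "${1%/}"; fi
```

The INFO line lists the devices on which root may log in so they can be reviewed by hand, since which consoles are needed depends on the server.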

Look forward to further discussion on how to improve security in the Linux system. We hope this discussion can provide benefits for all. Amiin.

 

 

 

 

Mohamad Widodo

Categories: Linux
18 November 09 at 22:11