To enhance the security of your servers, list all packages and software installed on your servers using your package managers (apt, yum, dpkg). Kerberos builds on symmetric-key cryptography and requires a key distribution center. You can make remote login, remote copy, secure linux hardening and security lessons inter-system file copying and other high-risk tasks safer and more controllable using Kerberos. So, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted.
- Go to network configuration file and add followings lines to disable it.
- Most people assume that Linux is already secure, but imagine that your laptop is stolen (or yours) without first being hardened.
- These tools runs in a system background and continuously tracks each user activity on a system and resources consumed by services such as Apache, MySQL, SSH, FTP, etc.
- Ghassan has successfully delivered software products and developed solutions for companies all over Quebec/Canada.
- The lock and unlock features are very useful, instead of removing an account from the system, you can lock it for an week or a month.
Any findings are showed on the screen and also stored in a data file for further analysis. With an extensive log file, it allows to use all available data and plan next actions for further system hardening. This principle aims to remove something that is not strictly needed for the system to work. It looks like the principle of least privilege, yet focuses on preventing something in the first place. Similar for unneeded user accounts or sensitive data that is no longer being used.
Embedded Linux Hardening
For more details regarding the configuration, have a look at our more in-depth article about unattended-upgrades. After you have your system installed, it is time to configure the system. This is also the phase in which your security defenses can easily be weakened. So each time you perform activities on your servers, consider what it does for your overall security level of the server. Enable encrypted LVM volumes during the installation of your Ubuntu desktop or server system. It is a great measure to hardening the system and data in particular.
To check password expiration of user’s, you need to use ‘chage‘ command. It displays information of password expiration details along with last password change date. These details are used by system to decide when a user must change his/her password. There is no need to run X Window desktops like KDE or GNOME on your dedicated LAMP server. You can remove or disable them to increase security of server and performance.
Secure OpenSSH Server
Auditd will write audit records to disk for review when needed. Two different utilities, ausearch and aureport can be used for viewing audit logs, and the auditctl utility can be used for audit configuration. In computing, hardening is the term that we use for describing the securing of a system. This process generally doesn’t involve completely securing a system. Brute force attacks are shockingly common with Linux servers.
SELinux modifies the Linux kernel to enforce mandatory access controls, restricting how Linux processes can access files and programs. This additional layer of restriction provides a fundamental protection mechanism against root kit malware. AppArmor provides an equivalent level of MAC for Debian distributions.
Linux Security Expert
Changing the default SSH port should add an additional security layer because the number of attacks (coming to port 22) may reduce. After the initial updates have been run, the system should continually be kept up-to-date. Most distributions can be set up to automatically run updates, or notify system administrators via e-mail when system updates when available. Many of these updates address security vulnerabilities found by the Linux community, so keeping systems as up-to-date as possible is essential. The end goal of this process is balancing security with effectivity and accessibility. A completely open system may be the easiest to use – but is a security risk and may not be usable for long.
- Still, every system is different and serves its own purpose.
- As an additional security measure, you should lock the grub bootloader and the BIOS.
- SSH is used for all Linux and Unix access, so the following guidelines apply for Unix hardening, too.
- The reason why is because most critical infrastructure apps and websites are running on this operating system.
To get rid of the constant brute force attacks, you can opt for only key-based SSH login. SSH (Secure Shell) is a pretty secure protocol by design but this doesn’t mean you should leave it at default configuration. While securing your Linux system is important, it’s not difficult. Time invested going through steps like the ones laid out will return dividends in the future.