Get back

How to strengthen Linux


How to strengthen Linux security

1. Configure UEFI:
• Boot in UEFI mode instead of legacy BIOS
• Set a password for changing UEFI settings
• Activate SecureBoot mode
• Set an UEFI password for system boot
2. Choose appropriate distro
• Typically popular distros (Arch, Ubuntu, Debian) have better support and patched faster
• Pick a distro with digitally signed packages
• With UEFI and SecureBoot support
• Supporting disk encryption out-of-the-box
• Consider an entire system encryption with LUKS
• Swap should be encrypted as well
• Set strong password for root access
• Don’t grant administrative permissions for normal user
• User password should be different from superuser password
3. Update regularly
• Update regularly and check for unnecessary packages
• Subscribe to security alerts
• Configure available update notification using yum or apticron
• Configure unattended upgrade
4. Use Intrusion Detection System (NIDS)
• AIDE is included in Debian/Ubuntu, Gentoo, RedHat, CentOS, Fedora and OpenSUSE. This tool is used to check system integrity and report malicious changes
• Fail2Ban protects system from brute-force attacks
• psad to detect and block port-scan attacks in real time
5. Check open ports
• netstat -tunlp will show open ports and associated services
• To disable unwanted services use chkconfig nameofservice off
6. Disable services that are not in use
• Avoid using FTP, Telnet and rsh services
• Get encrypted services (sftp, ftps and ssh) instead
7. Backup important files
• Set up encrypted backups to external storage, like NAS or remote cloud computing service
8. Use RSA-keys for SSH connection
• Password-less authentication is more secure against brute-force attack, than traditional login
• 2FA can significantly improve security
9. Configure firewall
• Enable iptables to filter incoming, outgoing and forwarding packets
• Allow only necessary traffic
• For less complicated configuring opt for UFW or Firewalld
10. Monitor user activity and review logs regularly
• Check list of users with cat /etc/passwd
• Use psacct and acct tools to monitor processes on your system
• Logs are stored in /var/log
11. Setup your system to use Security Enhanced Linux
• SELinux provides a strong Mandatory Access Control
• Set of sample configuration files is included to meet common security goals
• Alternatively, AppArmor can be used, as less complex tool for average user
12. Ensure your system is physically secured
• Even if your system is invulnerable to network attacks, it could be stolen or damaged physically. Consider about good locks, high fences and 24/7 watch guard
• Consider about visible, invisible and trackable tags