Linux Hardening
Hardening In Theory
Defense in Depth
Firewalls protect the entry points
Network Intrusion Detection and protection system monitor transactions and find malicious activity based on behavior or indicator of compromise (IOC)
Deep packet inspection looks at the contents of individual packets for anything suspicious
Firewalls, Anti-Virus, and Anti-Malware services run on hosts as well
Reducing the Attack Surface
Attack surface as the entire network and software environment that is exposed to remote or local attacks.
services include
patching all software
Disabling or Uninstalling unused services
disabling unused user accounts
setting requirements for stronger passwords
Layers of Defense that you must harden to achieve defense in Depth:
Hardware/BIOS
Bootloader
Operating System
Services
Administration
Users
Role of CIS (Center of Internet Security)
Leading the global community to secure our ever-changing connected world.
CIS provides best practices from multiple operating systems.
The CIS Benchmarks and controls are best based on best practices for securing IT systems
The benchmarks provide "prescriptive guidance for establishing a secure configuration posture" for the various OS including Ubuntu 20.04 LTS (CIS Ubuntu 20.04 LTS benchmark, 2021 p13)
Advantage of Hardening at the Hardware Level
Hardening the BIOS means security measures are in effect before the operating system starts
These changes cannot be modified by remote attacks
These changes cannot be undone at the OS level
Hardening the Bootloader
The bootloader manages the loading of the OS and it is where an administrator can configure options
Hardening the bootloader will prevent
Modifying boot configurations
The loading of a malicious kernel
Hardening the Kernel
The Kernel manages the resources for the OS
Access to system resources (e.g. the CPU, Input/Output Devices, etc.)
Shares resources between multiple requests
Allocates and deallocates memory for running processes
Allocates devices based on requests for them
Hardening the Kernel protects the OS by
Preventing the misallocation of system resources
Preventing the misallocation of memory
Hardening Storage Devices
Data-at-Rest is
Files on a logical or physical storage device
Records in a database
NOT files in use (e.g. documents open in an editor)
NOT files in transit (e.g. html file moving from server to browser)
A solution for protecting data-at-rest is encryption
The individual file
The directory
The volume
Access Control Lists
Read/Write?execute are basic settings for any file and these are defined for the owning user, owning group, and everyone
Does not offer any more granularity than a single user, single group, and everyone
Access control Lists allow more granularity
ACLs allow for the assignment of multiple individual users and multiple groups
Danger of World-writable file
Data in a world-writable file can be modified by any user
if the world-writable file is a script, anyone can modify it to do something malicious
World-writable configuration files make the scripts and services that use them vulnerable
Layers of defense
Firewalls and IPS/IDS as Endpoint Security
Role of Firewalls
Originally the term firewsll referred to a fire-resistent wall between structures
It was designed to stop the spread of fire from one structure to another
The technological firewalls follow the same concept
Except a technological firewall can be configured to selectively allow traffic through
Network firewalls c an block or allow inbound and outbound traffic
Host based firewalls work in the same manner (looking into the data directly related to that host)
Intrusion Detection and Intrusion Prevention System
IDS Monitors and IPS intiates control
Reasons behind host-based protection in addition to network-based protection
At a basic level, host based firewalls and intrusion systems are defence in depth measures
A host firewall can protect the host and prevent a hacker from using it to his benefit
Blocaking unwanted inbounnd traffic can stop certain types of attacks
Blocking outbound traffic means computer cannot become a pivot point during an attack
Host based IDS and IPS (HIDS and HIPS) focuses on the individual machine
Rule based on behavior are more likely to detect unusual activity to and from the machine
Managing Services
Why to avoid legacy services and how to disable them and xinetd services
Legacy Services
It is older services that emoloy less secure means of interaction
FTP, TFTP, and TFTPD are 3 unencypted means of transferring files
Telnet is an unencrypted means of connecting to a remote server
RSH is another service for connecting to the remote server
HTTP is also unencrypted but there are ways allowing for the redirection of traffic over HTTPS
The risk of Legacy Services
Competent hackers can leverage unencrypted transactions for account credentials
unscrupulous individuaks and government can eavesdrop on private communications
Hacker can insert malicious cookies or code into the stream
Hackers can copy the content of those streams as well
What is xinetd?
is a "Super server" running on many Unix-like system including Linux
it monitors all standard internet ports for traffic
when it receives a request for a particular services (i.e. http) it will start the appropriate service (apache or nginx) and direct the requests
Risk of xinetd?
The xinetd has vulnerabilities dating back to 2000
exposes all servives and allows attackers to bypass intended access restrictions
hackers can exploit it and use it in a Denial of Service attack against the server
It doesnot enforce user and group directives and causes service to be run by the root user
One exploited the adversary has access to the computer with elevated permissions
Why to disable or uninstall unused services
The fewer ports listening the better
Running services can be exploited to gain access to the server
if there is no reason to use the service, remove the service
Disabling a service stops it from listening, but someone can always start it again
Lifecycle Management
How to prepare workstations and servers for lifecycle retirement?
As resource demands rise it becomes necessary to replace hardware in order to keep up with the demand
Also it may be more fiscally resposible to replace a ccomputer vs. upgrading components to ensure complience
Replacing equipment periodically also address compliance with OS requirements (i.e. TPM 2.0)
Life cycle consideration
Data backups
Information is money
Lost datacan have a significant impact on the bisiness
Therefore, it is important to make a good backup of data or copy files to a network drive
Wiping storage and Degaussing drives
Once data on the computer has been saved it is important to wipe the internal drive clean
if the data on the machine is highly sensitive more drastic steps may be required
Deleting the contents off the drive
Overwriting the drive
Degaussing the drive
Destroying the drive
Destroying RAM and CPUs
When the sensitivity of the information is so severe that its release could cause grave harm to the business or nation, it may be necessary to go a step further
in these cases, the orgranizatoion's policy or national regulations may require the destruction of the CPI and the RAM
Recommendation for Integraring Hardening Measures
Test Hardened Environment
Before implementing a plan on your network
Build the hardened OS in a VM
test the VM thoroughly
Get ready to roll out incrementally
The Phased Approach to Roll-out
Other considerations for rollout...
Leave the user's old computer in place during the rollout in case the user experiences issues with the new computer
identify one or two senior executives for phase 4 updates
Roll out to the majority of senior executives should take place in Phase 5
System Hardening in Practice
Hardening the hardware
What to protect in the BIOS/UEFI
There are several things we can protect at the BIOS or UEFI level
Secure BIOS or UEFI with a password
Disable booting from any drive but the computer's hard drive
Protecting the BIOS or UEFI is defence-in-depth
Protecting the BIOS and UEFI with a password prevents users from making changes
is redundancy for a similar change in the OS
Functionality configured in the BIOS or UEFI cannot be overridden by the OS
Hardening the Bootloader
Role of the Bootloader
The bootloader is responsible for putting the OS into memory
It is the place where an administrator can configure different options for the OS
It is where the user can choose which configuration he need to run
Dual-booting is made possible because of the bootloader
Different hardening steps
Securing the bootloader focuses on password protecting each of the boot options
It can be further secured by limiting access to each boot option based on the user accessing it
Password protect the bootloader
Prevent a random individual from starting the OS
Prevent a thief from even getting to a login prompt on a laptop
Password protecting each boot option
This allows any group of users to access the version of the OS they need to use
This allows for the configuration of services for each boot option
Limit user Permissions
Block users from modifying the bootloader configuration
Stops users from getting around the security control the security in place on the computer
How to configure the Bootloader
Starts with the
/etc/default/grubfile and the scripts in/etc/grub.d/make changes across the various files to build the bootloader that fulfills your requirements
Once your edits are complete run
sudo update-grubThere are other bootloaders (i.e. Linux LOader) but GRUB2 is the default bootloader for Ubuntu Linux
Password Protecting the Bootloader
Generate separate passwords for the superuser an deach user grub-mkpasswd-pbkdf2
Edit /etc/grub.d/00_header using your editor of choice
Note: You will have to start the editor using sudo
At end of the file add following
cat << EOF
set superusers="admin"
password_pbkdf2 admin HASH1
password_pbkdf2 user1 HASH2
password_pbkdf2 user2 HASH3
EOF
With the passwords stored it is time to configure the bootloader
You do not need to specify the superuser because the superuser can boot all images
On subsequent reboots, grub will give you the option to choose whicch OS to run and ask for the username and associated password
Edit
/boot/grub/grub.cfgFor each menuentry block specify which user can use that option with the
--usersparameter
Securing the Kernel
What the kernel is and to keep it up to date
Refer section 2
What kernel parameters are and how to configure them
sysctl enable an administrator to set kernel parameters until the next reboot of the machine. This is useful as a means of testing how a change in settings will impact the usability of the server.
Editing Settings in the sysctl.conf file (found in /etc/ directory) will remain persistent even after reboot
It is better to create a file in the /etc/sysctl.d directoty rather than editing sysctl.conf directly
These are also persistent changes
It is the better method becaise a future update can reset the
sysctl.conffileIf this setting does not have the desired effect check to see if there is a conflicting setting elsewhere (systemcontrol.com or one of the files in /etc/system.d directory)
Hiding process from other Users
By default, a user can see all processes running on the server
It can reveal too much information to a hacker
A User should only be able to see the processes his account owns
To change this behavior, edit the /etc/fstab file
Open the file in your own favorite editor
Add the
hidepid=2parameter so the line readsproc /proc proc hidepid=2 0 0Remount the
/procvolumesudo mount -o remount proc
It is important to protect the system from internal and external threats
Control Groups
Relatively new (2010) to Linux, control Groups (aka cgroups) allow processes to run in their own kernel and memory spaces.
Administrators can configure how many resources to give to each service independently
This also reduces the risk that the failure of one process impacts another
The customization is configured through the systemctl command
sudo systemctl set-property httpd.service CPUQuota=40% MemoryLimit=500MThis command appends these change to existing files in the
/etc/systemd/system.control/directory or create new filesThis command can also be used to place resource limits on user accounts
Namespace Isolation
Namespaces were introduced back in 2002
Namespaces are used to assign resources to a process and other processes cannot see those resources
Seven of better known namespaces:
Mount (mnt) - where the process has its own root filesystem
Process ID (pid) - PID namespace provides processes with an independent set of process IDs
UTS - processes have its own unique hostname and domain
Network (net) - Allows for the creation of a virtual network
Interprocess Communications (ipc) - prevent data leakage
Control Group (cgroup)
User- Allows users to have different level of permissions on different processes
Role of Exec Shield, AppArmour and Security Enhanced Linux (SELinux)
Exex Shield, originally designed by RedHat, is designed to protect the system against multiple overflows:
Buffer
Stack
Function Pointer
AppArmor is a Linux kernel security module that allows the system administrator to restrict programs capabilities with per-program profiles
Security Enhanced Linux (SELinux) provides a mechanism for supporting access control security policies, including mandatory access control
These features are enabled by default in many Linux distributions including Ubuntu.
How to disable the key combination "Ctrl-Alt-Delete"
Users logged in at the server can use this well known key combination
Unlike the
initcommand, this option does not require root permissionTherefore, disabling
ctrl-alt-deleteprevents an unauthorized reboot of the serverthe command to disable is as follows:
sudo systemctl mask ctrl-alt-del.target && sudo systemctl daemon-reload
The Second command enables the change without a reboot
if you find you have to undo this change the command is
sudo systemctl unmask ctrl-alt-del.target && sudo systemctl daemon-reload
Securing Storage Devices
How to partition disks, and encrypt volumes
Historically, it was a best practice to create multiple volumes for many of the key components of Linux uses to store files
Root (
/) - where the bulk of the OS resides/boot- contains the kernel images and other files for starting the OSOnce the OS is loaded and running the volume is no longer used. However, there is the threat of a malicious individual compromising the computer by modifying the content of the directory
The simplest solution is to mount the /boot volume read-only
CAVEAT: Mounting the /boot volume read-only prevents automated updates to update the kernel.
During installation the boot volume is easy
It is more complicated when creating one in a machine that is operational
If there is no unallocated storage one has to shrink one volume with
fdiskandresize2fsThe boot volume requires between 512MB and 1GB
Warning: Before manipulating volumes take the time to determine if the benefit outweighs the cost if there are issues
Recommendation: Perform a complete backup of the computer before manipulating volumes
/var- logs, databases, and websites are stored here by default/home- users' directoriesswap- disk storage used for memory swapping
Today the default for the Ubuntu install creates only two partitions
Root (
/)swap
Steps to create /Boot Volume in free space
Determine the device lebel of the target drive with
sudo fdisk -lCreate a new volume with
sudo fdisk /dev/sdbat the prompt type, n to create a new partition
Select the drive with unallocated space
Please enter to choose the starting block (Default to first free block)
Specify the size with +1G
at the prompt type w to write changes to the disk
Run
partprobeto detect the volume and reboot only if the volume isn't detectedFormat the volume with
sudo mke2fs -j /dev/sdb#Mount the volume temporarily
sudo mount /dev/sdb# /mount/temp/pathMigrate the files
sudo mv /boot/. /mount/temp/pathMount the volume at its permanent mount point
sudo mount /dev/sdb /bootAdd the new volume to
/etc/fstabso it mounts after every reboot/dev/sdb# /mnt/example ext4 defaults 0 2
Shrinking an existing Partition
Run
sudo fdisk /dev/sdbAt the prompt type p for the list of partitions
After existing run
sudo resize2fs -P /dev/sdb#to determine the minimum size neededIf you cannot free up 1GB of space STOP
If you can proceed unmount the volume with
sudo unmount /dev/sdb#Resize the volume by running
resize2fs -p /dev/sdb# new_sizewhere new_size is 1GB less than the current size
At this point follow the steps for using Free Space
Encrypting a Volume
Encrypting a Volume
Encrypting volumes during the installation process is less complicated than encrypting volumes afterwards
There is also no risk to data because there is none on the system
Encrypting a volume with data comes with the risk that a power outage or other disruption could mean the loss of the data
Recommendation: Add a new drive to the computer and create a new encrypted volume
Any time you are altering an existing partition is highly recommended to back it up
Steps
Determine the volume's partition with
fdisk -l(i.e/dev/sdc1)Follow the previously covered instructions for creating a new volume
install the tools for encrypting the partition with
sudo apt install -y cryptsetup-binEncrypt the volume with
sudo cryptsetup luks /dev/sdcMount the encrypted volume
cryptsetup open /dev/sdb encryptedFormat disk with
mkfs.ext4 /dev/mapper/encryptedUnlock the volume
cryptsetup --type luks open /dev/sdb encryptedMount the new volume under /mnt/newmount with
sudo mount -t ext4 /dev/mapper/encrypted /mnt/encryptedCopy contents from old volume to new volume
sudo cp -R /path/to/oldmount/. /mnt encrypted/complete unmounted the old volume and mount the new volume where the old one was
Get and ste file permissions through Access Control Lists
Basic way to get Permissions
the first way most people learn to determine a file's permissions is with the ls -la command
ls -la lists all of the files in a directory and shows their associated permissions
r-- means a file can be read
-w- means a file can be written
--x means a file can be executed
Basic way to set Permissions
The first way most people learn to set permissions with the chmod command
Each permission has a numerical value
4 equals to read permission
2 equals to the write permissions
1 equals to the execute permissions
Add the appropriate number together to find the numerical value you need to set (5-for read-execute, 6 for read-write, 7 for all three)
The chmod syntax is chmod ### file where the first # is the owner's permission, the 2nd groups, and 3rd everyone
Better way to get and Set Permissions
Instead of using ls -la we use getfacl to see all the users and groups with permissions and a file's mask
To set a new user's permission we use
setfacl -m u:bob:rw fileto revoke certain permissions for a user we use
setfacl -x u:alice:wx fileTo copy the ACL from one file to another
get file1 | setfacl -set-file=- file2
Disable SUID and SGID permissions
SUID and SGID are special permissions for executable files
SUID allows the file to be executed with the owner's permissions
SGID allows the file to be executed with the group's permissions
It doesn't matter if the user executing the script is the owner or in the group
Unlike sudo any user can run these scripts as root
If the root user owns the file then the script would run as if root executed it
How to set SUID and SGID
As with standard read, write, execute permissions we use chmod to set SUID and SGID permissions by adding a prefix:
2 for SGID
4 for SUID
6 for both SGID and SUID
therefore the syntax would be
chmod 4775 script_nameto allow any user to run the script with the owner's permissions
Find and Remove SUID and SGID settings
To find files with the SUID and SGID bits are set run:
find / -perm /6000to find files with just SUID bit is set run:
find / -perm /4000To find files with just SGID bit is set run:
find / -perm /2000if you want to filter the search to just find scripts owned by root add the -user parameter
find / -user root -perm /6000Searching for and removing the SUID and GUID bits is as easy as:
find / -perm /6000 -o -perm /4000 -o -perm /2000 chmod u-s, g-s file_name
How to make the boot partition read-only
Blocking Unwanted activities and Traffic
Install and configure IPTables, and Intrusion Detection Systems (IDS)
Installing the firewall
Today, a fresh install of Linux includes the iptables firewall
if not installed, install the firewall with
sudo apt install iptables -yensure it is installed with
sudo systemctl status iptablesIf it is not running,
sudo systemctl start iptablesEnsure it will start on reboot with
sudo systemctl enable iptables
Understanding firewall Rules
Rules consist of several parameters sources, destination and port, and protocol (TCP, or UDP)
A series of rules is called a chain
Each packet is processed through the appropriate chain to determine how it is handled
The default chains are
INPUT for incoming traffic
FORWARD for incoming traffic that needs to be routed somewhere else
OUTPUT for outgoing traffic
Understanding Firewall Actions
for each rule there are three possible actions:
ACCEPT for allowing the packet
DROP which rejects the packet
RETURN stops a packet from traversing the current chain and returns it to the previous chain ( in this case malicious senders know that packet reached the machine but rejected)
Approach to Rule Chains
Chains should start with the most permissive rules and transition down to the most restrictive
The final rule should be an explicit rule to block all unresolved packets
Blocking outbound traffic is just as important as blocking inbound traffic
You do not want hackers to use your server or workstation as a pivot point to attack other notes
New rules are just stored in memory
They are made permanent with the command
sudo /sbin/iptables-saveAll rules can be deleted with the -F flag
An individual rule can be deleted with:
sudo iptables -D <chain_name> <rule_number>
Take steps for preventing Denial of Service attacks
Snort
Installing
Snort is an industry-recognized IDS
Make sure ubuntu is fully updated by running
sudo apt update && suod apt dist-upgrade -yDownload the package with wget (or curl):
wget http://mirrors.kernel.org/ubuntu/pool/universe/s/snort/snort_2.9.7.0-5build1_amd64.debTo install Snort run
sudo apt install ./snort_2.9.7.0-5build1_amd64 -yDuring the install you will be asked to provide the servers network interface and the ip address or range if addresses to monitor
Check snort's status by running:
sudo systemctl status snort
Updating Snort's Configuration, and Rulesets
The snort configuration is located in /etc/snort
the local rules are located i /etc/snort/rules
Download the latest rulesets from snort.org:
wget https://www.snort.org/downloads/community/community-rules.tar.gzExpand the tarball and then copy the new rules files to the /etc/snort/rules directory and the .conf configuration file to /etc/snort
Restart snort with the command
sudo systemctl restart snort.service
Detecting and stopping Denial of service attcks
First us ss (netstat is deprecated) to see what devices have connections with your server
ss -pltunBlocking these connections is as simple as adding rules to your firewall
sudo iptables -A INPUT -s ADDRESS/SUBNET -j DROP(use IP address/CIDR)
Minimizing the OS attack surface
How to ensure regular patching of software
Regular patching
Keeping a server or workstation up to date helps to keep it secure
By default, Ubuntu's Banner message tells user if there are packages that need updating and how many are security related
NOTE: Consider editing the default banner to hide patching information
To see which packages have pending updates run
sudo apt list --upgradableConsider automating updates by installing ubuntu's
unattended-updatestoolInstall it
sudo apt install unattended-upgrades apt-listchanges bsd-mailxTo automate security updates run
sudo dpkg-reconfigure -plow unattended-upgradesTo configure unattended updates run
sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
Add your administrator's email account to this line
Unattended-Upgrades : :Mail "email@address.com";To have the kernel load after an update set this parameter to true
Unattended-Upgrade::Automatic-Reboot "true";Lastly, edit the
/etc/apt/listchanges.confand set email IDemail_address=email@address.comTest your setup with
sudo unattended-upgrades --dry-run
How and why to unistall unused packages
Identifying unused packages
Uninstalling unused packages, particularly services, should be removed
Save disk space
Uninstalling an unused service means there is one less open port to be exploited
Deborphan is a command line utility that can be used to find and remove unused or orphaned packages
Install Deborphaned with
sudo apt install deborphanAfter installation run
deborphanRun
orphanerto uninstall the orphaned packagesIt is a good practice to also run
sudo apt autoremove && sudo apt autocleanNote: Be very judicious about removing packages you do not have enough information for
How and Why to disable firewire ports
There is a known attack through Direct Memory Access (dma) through firewire ports
Therefore, if you have but don't use these ports it is a good reason to disable them
This is done by editing the
blacklist-firewire.conffile in/etc/modproble.dJust uncomment the two lines containing the firewire drivers
How and why to disable or uninstall the X11 Desktop Environment
Consider removing X11 from servers
X11 is the foundation of Linux's graphical user interface (GUI)
GNOME, KDE, and other desktop interfaces sit on top of X11
X11 functions as the middleware between the underlying server functionality and the desktop functionality
There are some non-security benefits to the removal of X11
The server's performance will benefit from uninstalling X11
It will free up storage space
If users are not using X11 then removing it should not impact usability
if the users only use ssh to interact with the servers, X11 is unnecessary
If users are using unencrypted means of connecting to X11 they expose the server to compromise
Threat actors with access to the server can collect screenshots of activities within X11
Threat actors can exploit X11's remote desktop protocol (Xrdp) and in combination with netcat can establish a reverse shell
If root is logged in the actor can create a user account with sudo rights for future exploits
Disable X11 at startup
As a pre-cursor to uninstalling X11 you can disable X11
Change the runlevel from multi-user with the graphical interface to multi-user with the terminal
this means switching run level from 5 to 3
the command
sudo init 3will reboot the computer into the preferred modeEditing the
/etc/inittabfile ensures the system will always boot at the proper runlevel
After configuring the server not to start X11 st startup you can remove X11 with these two commands:
sudo apt purge 'x11-*'sudo apt autoremove
You should also remove the desktop environment and as an example here is how you remove gnome
sudo apt remove ubuntu-gnome-desktopsudo apt remove gnome-shellsudo apt purge ubuntu-gnome-desktopsudo apt autoremove
Other desktop environments can be removed in a similar manner
If X11 is a Must and an absolute requirement, consider the following measures:
Disable xrdp and drop all traffic received on that port
Enable X11 forwarding through SSH
Reject X11 forwarding from all sources except for those who actually need it
Restrict X11 Forwarding to only those users who actually need it
Network Hardening at the Host
How to turn off IPv6 if not in use
If your company's network does not use IPv6 the best practice is to disable IPv6
Leaving IPv6 active particularly if services on the server is listening for IPv6 traffic would allow a rogue computer to communicate with the server
If network monitoring is not configured to alert administrators or activate controls at the detection of IPv6 communication it could continue with no one knowing
The following command will temporarily disable IPv6
Permanently disable IPv6
in order to make the changes permanent edit /etc/sysctl.conf and add the following lines to the bottom of the file:
when the changes are complete, restart the networking services
How to employ NIC Bonding and how it improves resiliency
Network Interface Card (NIC) Bonding is a method of bundling multiple network connections so they function as a single logical connection
There are several bonding methods
Generic Bonding or bonding-alb
Effective bonding methods that do not require any configuration on the switch
It does require the NIC interfaces support changing of its MAC address on the fly
Tricks the other end (switch or host) to send data across all links
Channel Bonding Modes
balance-rr: frames transferred in a round robin fashion
balance-xor: traffic is hashed and balanced according to receiver
802.3ad: the official standard for link aggregation and it is configurable
High Availability
Each bonded NIC is connected to two different switches
In the event of the failure of a single switch data can still flow
Enabling NIC Bonding
To temporarily set up bond0
Load the driver with
madprobe bondingSetup
bond0with an IP address by runningifconfig bond0 10.10.10.2 netmask 255.255.0.0ORip addr add 192.168.1.1/24 dev bond0
Configure mac address for each NICs in the bond
sudo ifconfig eth0 down && sudo ifconfig eth# hw either 00:11:22:33:44:55 && sudo ifconfig eth0 upsudo ip link set eth# down && ip link set eth0 address 02:01:02:03:04:08 && sudo ip link eth# up
Enslave (bind them to bond0) two interfaces with the command
ifenslave bond0 eth0 eth2
Verify bond0 with
ifconfig bond0View Bonding info with the command
more /proc/net/bonding/bond0
System Administration Hardening
Why and How to disable the root account's remote access
When threat actors seek to infiltrate a network they do so by obtaining elevated permissions
Root is the Holy Grail of elevated permissions
As a superuser, root has unlimited rights
Being able to connect remotely as root then there is no need to obtain other accounts
Disabling remote root access is done by modifying ssh's configuration file with sudo vi /etc/ssh/sshd_config
find the line that reads PerimitRootLogin and change the value to no
The role of sudo command and how to configure it
Sudo is short for superuser do
It allows users to execute commands as the superuser
Before the command is executed users must supply their own password
Not all users have permission to use
sudonot should they
Dangers of sudo's default configuration: The default configuration for sudo is not completely secure
Assuming a user has permission to use sudo, he can run
sudo su - rootenter a password and login as rootOnce the user is logged in as root it will be difficult to say with 100% certainty who was at the keyboard
By default, any user given permission to use sudo can run any command as sudo
Securing Sudo
There are some basic concepts to consider when securing sudo
You can edit
sudo's configuration file with the commandsudo visudoDo not allow users unlimited access for running commands
Limiting the commands a user can run with
sudosupports the concept of least privilege%security ALL=(ALL) PASSWD: /sbin/iptables, /usr/sbin/update-grub2, /bin/systemctlNOTE: When specifying only a directory (i.e. /sbin/) you must include the trailing slash (/)
Require a user to enter their password each time they use sudo
This is achieved by setting the timeout (in minutes) to zero
defaults timestamp_timeout=0
Grant permissions to groups instead of users
Specify groups with a leading percent (%)
%security ALL =(ALL) PASSWD: /sbin/iptables, /usr/sbin/update-grub2, /bin/systemctl
Limit where executables or scripts can be located in order to use
sudoDefaults secure_path- "/usr/local/sbin:/user/local/bin:/local/bin:/local/sbin"
Log activity in sudo's own log file
Default logfile=/var/log/sudo
Explicitly block a command from being run with a preceding exclamation point (!)
%group ALL=/usr/bin/, !/usr/bin/passwd
Run a command as a user other than root
%docker ALL=(docker:docker) /usr/bin/docker
Email notification for suspicious (or all) uses of the command
there are several options
for all the settings below check for the mailto parameter in the configuration file:
mailto "admin@yourcompany.com"
mail_always - email sent on each use of sudo
mail_badpass - Email sent when user enters a bad password
mail_no_host - Email sent when user is not allowed to run commands on the host
mail_no_perms - Email sent when the command is explicitly denied
mail_no_user - email sent if the user is not in the sudoers configuration file
Testing, Monitoring, and Reviewing
Manage Logs and investigate them
As with any OS, logs are a primary means for analyzing and troubleshooting issues
The challenge with analyzing is the volume of information contained within the logs
However, Linux provides tools like
logwatchandauditdto summarize and audit the logsIn addition to processing logs, it is important to archieve logs on a centralized server
Setting Up logwatch
Logwatch analyzes the last day's log and provides a summary report
Install the application
apt update && apt install -y logwatchEdit the logwatch configuration file
sudo vi /usr/share/logwatch/default.conf/logwatch.confConfigure email address to send the report to
MailTo=email@address.comConfigure who sends the email (can be a real fake address)
MailFrom=email@host.address.comConfigure detail of report as low, medium, or high
Detail=HighIdentify which services to summarize
Service=sshd2Service=sudo
Setting up auditd
auditd is a service (aka daemon) with the job of collecting and writing audit logs to the disk
auditd comes with multiple utilities for the configuration and evaluation of the audit logs
Install the application
sudo apt update && sudo apt install -y auditd auditspd-pluginsEnable and start the service
sudo systemctl enable auditd && systemctl start auditdExamples
Configure auditd to monitor /etc/shadow
sudo auditctl -w /etc/shadow -k shadow-key -p rwxaGenerate a report of the audit logs with aureport
sudo aureport -k shadow-keySearch the audit logs with ausearch
sudo ausearch -m USER_LOGIN
Log Rotation
Given the important role logs can play either for troubleshooting problems or forensic investigations
Install the
logrotateon the serverapt update && apt install logrotateOpen /etc/logrotate.conf
Confirm the following line is present and not commented out
include /etc/logrotate.d
Once it is installed change to the /etc/logrotate.d directory
Find the preconfigured .conf file for the service lig you want to rotate
Edit if needed
Centralized Log Storage
Logging to a remote centralized server allows for more holistic analysis of events on the network
It also ensures the integrity of the logs in the event a threat actor attempts to cover his tracks by deleting his activities in the local logs
The connection between local and centralized server should be encrypted
An encrypted connection protects against eavesdropping by hacker
Leaves the perpetrator unaware a record of his presence exists
Access to the log should be as restrictive as possible
This will reduce the attack surface of the logs
Best practices for backups
The following recommendation are simple to implement
Don't just scan the backup report
There are details in the reports that you can easily overlook if you don't dig into the report
Perform manual restorations regularly
This assures the backups are working and will be able to perform their role when needed
Have a rotation and pull out an archive
Perform fill backups at a regular interval and incremental and partial backups in-between take 1 full backup out of rotation at a set interval (i.e. once a month) and move that backup to an off-site source location
Perform a full disaster recovery
Testing portion of the backups is one thing but a full disaster restoration will test backups and the team for a possible future event
Incorporate diskless and cloud backups
Different backups allow for overlap and increase the probability of a full recovery of any lost data
How restricting CoreDumps is important for security
When a memory error occurs the system generates a core dump
The system saves the Core Dump to /var/crash
It contains details about what triggered the crash and any error messages
Anyone analyzing this information can gain insights about applications that were running in memory
Information in the Core Dumps could also be useful to someone wanting to exploit the server
Restrict access to the core dumps and the directory they are stored in
Move the core dumps to another server or workstation that is more secure
use and encrypted connection to move the files
Verify that security actions work as expected
Trust but Verify
Developing response plans is critical for the company's resiliency
Incidents, manmade or natural, trigger these response plans
More complex plans include human intervention and automated processes
Assuming these plans will function is asking for trouble
The plans must be tested and trained regularly
This will ensure the plan and its components function as expected
It ensures individuals know eir role and will be able to act with efficiency when the plan is put into action for a real incident
The plan should be reviewed regularly as well
Reviews give stakeholders the opportunity to update the plan as circumstances change
Reviews also give the stakeholders the opportunity to identify and address gaps within the plan
Log Management
Service Hardening in Practice
General handling of services
Disable and remove services
Reducing the attack surface of a system includes the disabling and uninstalling of services
to temporary disable a service
sudo systemctl stop network.service
In a circumstance where you need to restart the computer but do not want the service to start
To prevent a service from starting on a reboot
sudo systemctl disable nginx.service
When you no longer need a service installed on a server
To remove a service
sudo apt remove nginx -yto remove a service and its dependencies if they are not needed by other applications
sudo apt purge nginx
Services to consider disabling
Whenever you configure a new server or audit an existing one, it is a good practice to evaluate the services running on it and disable and/or remove services that are not needed
DNS - In an environment whre you have dedicated DNS servers you can uninstall DNS
SSHD - if users are not connecting to the server via SSH or using SFTP and SCP then consider disabling this service
SMB - If the server is not sharing directories via SMB this service can be disabled
All Legacy Services - Sevices like telnet, and rsync use plaintext and there are more secure options
Security Benefits of splitting the network services
Containerizing Services
Containerizing services provide several security benefits:
Transparency - an administrator can easily look inside a container to see what runs inside it
Modularity - It is easier to isolate vulnerabilities without disrupting other elements
Smaller Attack Surface - unlike a virtual server scenario where you have to harden two OS you have the host's OS, the Docker daemon, and the containerized application
Easy Updates - Updating container is as easy as pulling the latest image for it
Environment Parity - No matter what OS the host runs the container will run on it and runs the same way on all hosts
Securing CRON jobs
CRON jobs are time-triggered scripts for automation
it can serve many different functions
Rotate or offload logs to another server
Restart Services, manage backups ...
These scripts are run as the user who added them to the cron process
You can allow or deny users access to cron by editing /etc/cron.allow and /etc/cron.deny and adding the user's name to the respective file
Employ best practices for timeout setting for interactive shell sessions
It is good practice to set a timeout for terminal sessions
This can be done in each user's profile (/home/user/.bashrc)
the default value can be set in the /etc/.bashrc or /etc/profile
the key=value pair is TMOUT=VALUE (in seconds)
Setting TMOUT to 0 overrides the timeout
This timeout affects users logged in at the terminal
There are conflicting requirements to consider
A short timeout may lead to orphaned processes
A long timeout could be present an opportunity if someone forgets to logout and a malicious person hijacks the session
The usefulness of Login Banners
Login Banners are there to present information to a user upon login
This message of the day (motd) is fully configurable
The default message in ubuntu provides notification about the patch status of the host
While useful to the administrators and engineers, it is information most users don't need
It can be dangerous in the hands of a malicious or inexperienced individual
Changing the message to that of warning is a good practice
While it will deter the malicious individual it may deter the less experienced
It is simply a passive measure
By changing the motd, particulars that could be useful to a threat actor are kept from him
The motd file is stored in the /etc/ directory
Hardening of public-facing services
Redirect plaintext communications to encrypted channels or how to require encrypted communications for public-facing services
There are risks with unencrypted communications
It allow the adversary to gain information by monitoring the plaintext traffic
It also allows adversaries to gain credentials
In order to harden web-based applications traffic to and from the webserver should be encrypted
This can be done natively by the webserver
make sure the connections use stronger encryption and disable older standards
This approach applies the same logic we use for legacy services
It can also be done through firewall forwarding rules
Consider enforcing encrypted communication for back end communications as well
require an encrypted connection between the webserver and database server
Use the same approach with the tools developers use to work on the web application
Explain the importance of closing unused ports
Finding and closing open ports start with discovery
NOTE: netscan is a deprecated program
ss is the replacement for netscan
The syntax for ss is as follows
sudo ss -tulpn | grep LISTEN
t Show only TCP sockets on Linux
u Display only UDP sockets on Linux
l Show listening sockets
p list process name that opened sockets
n don't resolve service names
You can match service to a port by refrencing /etc/services
Start by adding a firewall rule to drop any traffic to the port
This is not the end of it, however
if this port is not open as part of your network plan then further research needs to be done
once you find which service runs on the port in question stop and disable the service
Hardening of SSH services
Steps to limit user access to SSH
If users do not require SSH access you should restrict their access
Edit the ssh_config file
sudo vi /etc/ssh/sshd_configFind the
PermitRootLoginparameterChange the value from yes to no
Restrict other users and groups that do not need access
DenyUsers user1 user2 user3DenyGroups group1 group2 group3
While SSH cannot block networks natively, you can configure iptables to block unwanted traffic
Limiting SSH functionality
SSH is a robust communications service but most users do not need this functionality
Just as we apply the least privileges to what permissions a user has, an administrator should consider restricting functionality the user does not use
Some functionality to consider disabling
Port forwarding - this allows a user to connect to one computer and then tunneling another service through SSH
X11 forwarding - unless users are tunnelling X11 through SSH this should be blocked
Agent forwarding
How to disable password-based login and employ asymmetric encryption for authentication
An alternative to logging in with a password is using a private key identification (PKI) to authenticate users
Once established then only those with the PKI can actually authenticate themselves with the server
Keys can be created with a passphrase creating a 2FA scenario
It is a good practice to configure the server to allow PKI authentication and ensure it works before disabling password authentication
The following steps will enable PKI authentication
Open the ssh configuration file with an editor of your choice
sudo vi /etc/ssh/sshd_configSearch for PubKeyAuthentication and change the value to yes
Restart ssh with
sudo systemctl restart ssh
Once everyone has their private key edit sshd_config to disable password logins
change PasswordAuthentication value to no
After saving the change restart ssh with
sudo systemctl restart ssh
Generating Certificates
With PKI Authentication enabled the next step is to generate a user's keypair
Start by executing ssh-keygen or ssh-kaygen -N <passphrase>
When prompted provide the path for saving the key (
/home/<user_name>/.ssh/id_rsa)copy the public key into the authorized_keys
cat /home/<user_name>/.ssh/id_rsa.pub >> .authorized_keysProvide the user with his private key (id_rsa) and the passphrase so he can use it to log in
How to block connections from a specific network
While SSH cannot reject connections from networks natively, you can configure iptables to do the job for SSH
The best option to achieve this is to accept packets from those who are allowed to access the server iptables -A INPUT -p tcp --dport 22 --source 192.168.0.0/24 -j ACCEPT
Before blocking everyone else iptables -A INPUT -p tcp --dport 22 -j DROP
Employ DenyHosts to block brute force attacks against SSH
There are two separate changes to ssh regarding hosts
Use DenyHost to block requests from an individual host
DenyHost <ip_address>A defense-in-depth approach should include a Firewall rule on the host dropping packets
Explain how and why to block host-based authentication and obsolete rsh functionality
Another host based change to make is to disable host based authentication
Host-based authentication is dangerous because anyone can be at the client machine's keyboard
Host-based authentication was the standar for conenctivity for rsh
Disabling it is as easy as adding the following two lines to the sshd_config file
Host *HostbasedAuthentication no
Account Hardening in Practice
User Password Authentication Requirements
Enhance password security with Pluggable Authentication Modules
Pluggable Authentication Modules (PAM) is a service for implementing modular authentication modules
It is loaded and executed when a program needs to authenticate a user
Configurations for PAM are located in several places including the
/etc/pam.ddirectory
What services does PAM provide
Password Quality
Password Attempts before lockout
Password History
Stronger hashing by replacing md5 with SHA512
provides the means to prevent brute force attack
Install PAM with sudo apt install libpam-pwquality libpam-modules
Settings can be configured in /etc/pam.d/common-auth
the line to configure PAM starts with auth required
pam_tally2.soOptions include
onerr=fail
audit
silent
deny=n (maximum consecutive failures)
unlock_time=n (n is the number of minutes to lock the account)
To unlock an account locked by failed consecutive attempts
/sbin/pam_tally2 -u <username> --reset
Enumerate the benefits of strong passwords, two-factor authentication, and password management
PAM gives you the capability to configure strong password requirements
The parameters are set in /etc/security/pwquality.conf
The fol parameters are ones you can set in pwquality.conf
Minimum Length (minlen = 14)
password complexity
minclass = 4 or
dcredit = -1 (1 digit)
ucredit = -1 (1 uppercase character)
lcredit = -1 (1 lowercase character)
ocredit = -1 (1 symbol)
You must also ensure two settings are inclided in
/etc/pam.d/common-accountaccount requisitite pam_deny.soaccount required pam_tally2.so
Restrict users from using old passwords
Password reuse limitations prevent users from constantly reusing the same 2 or 3 passwords
users will go so far as to change their passwords multiple times in a single session in order to get back to their original password
Edit
/etc/pam.d/common-passwordfile to set how many passwords the machine should rememberThe syntax is
password required pam_pwhistory.so remember=nwhere n is the number of previous password to remember
Another setting outside of PAM, defines how frequently a user can change his password
This addresses those who would rapidly change their password to get back to the one they want to keep
Edit
/etc/login.defschange
PASS_MIN_DAYS nwhere n is the number of days that must pass before the user can change his password againNOTE: CIS recommends no less than 1 day between password changes
Manage password expiration and maintain user accounts and password policies
Another setting like PASS_MIN_DAYS, defines how long a user can keep same password before being required to change it
Edit
/etc/login/.defsChange
PASS_MAX_DAYS nwhere n is the number of days a user can keep using a password before having to change itPassword longevity should be greater than days between password changes and less than or equal to 365
A related setting is PASS_WARN_AGE is the setting for an alert the user receives n days before his password is set to expire
Another password management tool allows for locking accounts after they have been inactive for n days
CIS recommends 30 days
This parameter is set using the following command
useradd -D -f -nwhere n is number of daysSetting it to -1 disables this setting and is the default setting
Multifactor Authentication
Multi-factor Authentication is a method of using 2 or more means of authenticating the user is who he claims to be
These means of authentication are
something I know - his password or pin
Something I have - a phone or access card
Something I am - fingerprints, hand geometry, facial geometry
Something I do - Typing DNA, handwriting
Somewhere I am - geofencing, GPS
Each factor falls into its unique category
BAD: a password and a pin are both something I know
GOOD - Fingerprint and a phone
Describe the function of Kerberos and how to utilize it
Kerberos is a security protocol implemented by numerous OS including Linux
A trusted third party for authentication client-server applications and verifying users' identities
It uses secret-key cryptography
An open-source protocol and the go-to protocol for Single-Sign-On (SSO)
First developed at MIT
The use of key pairs and the instances where they can be employed
Asymmetric key pairs
Also known as public-key cryptography
consists of two keys (1 public and 1 private)
the public key can be used by anyone to encrypt something for you but only you can decrypt it
The private key can be used to sign something and everyone can confirm it was signed by you and no one else
It is used in many funtions
HTTPS (both SSL and TLS)
Digital signature
Login AUthentication
Account Management Requirements
Validate the User IDs of non-root Users
The root account is often referred to as a Super User
The root user doesnot need to be call Root
The super User is the user with a user id of Zero (0)
Each user should have a unique user id
when we validate the user id we ensure each user has a unique id
The ID number is what the system uses when it evaluates permissions
If someone manipulates the /etc/passwd file:
changes their user id to match another user theu will effectively have the same permissions of the other user based on the User ID
This Kind of manipulation can be dangerous.
Lock and unlock account manually
There are scenarios where you will find it necessary to lock a user's account
User is on extended leave
Prior to user termination
Locking the account in Ubuntu is as easy as:
usermod -L usernamepasswd -l username
Unlocking the account in Ubuntu is as easy as:
usermode -U usernamepasswd -u username
Checking accounts for empty passwords
Password complexity requirements should be prevented the use of empty passwords but it is better to safe than sorry
passwords are stored in /etc/shadow and each line represents a single user
The field in each line is separated by a colon : and the second field contains the hash of the password
An account with an empty password will have two colons following the username
A faster way to find these is to use the following command on the command- line
passwd -S -a
or
passwd --status -a
Reviewing accounts
The concept of least privileges
The principle that users and programs should only have the necessary privileges to complete their tasks
Use groups for assigning permissions to users
There are several reasons why we assign privileges to groups and not individual users
simplifies account management
Simplifies audits and reviews
Reduces the risk of error
Assigning users to groups
In order to assign users the permission they need assign them to the appropriate group
This holds true for temporary assignments and/or projects
Ensures least privileges as long as groups are properly maintained
Audit user permissions and group associations and monitor user activity
Periodic auditing and monitoring of activity on a server is important for security
Reviews and Audits
Log Monitoring
Last updated