{"id":2870,"date":"2022-05-18T02:43:38","date_gmt":"2022-05-18T02:43:38","guid":{"rendered":"https:\/\/dft.wiki\/?p=2870"},"modified":"2022-09-25T10:17:45","modified_gmt":"2022-09-25T14:17:45","slug":"linux-hardening-guide","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=2870","title":{"rendered":"Linux Hardening Guide"},"content":{"rendered":"<p>This guide lists essential considerations to harden a Linux server: reduce the attack surface, limit the impact of human error (or protect the system against it), and manage users and privileges.<\/p>\n<hr \/>\n<p><strong>Preparation<\/strong><\/p>\n<ul>\n<li>Draw and keep up to date the logical and physical diagrams that represent the infrastructure and its systems,<\/li>\n<li>Create a Software Bill of Materials (SBOM) per server and map each component to the ports it listens on,<\/li>\n<li>Represent graphically and document every relationship between applications and services on the network.<\/li>\n<\/ul>\n<hr \/>\n<p><strong>Planning<\/strong><\/p>\n<ul>\n<li>Enumerate the layers of communication to apply Defense-in-Depth,<\/li>\n<li>Define a single entry point for the network and deploy its resources in High Availability to avoid a single point of failure,<\/li>\n<li>Typically the network entry point has:\n<ul>\n<li>A primary firewall between the Internet and the DMZ,<\/li>\n<li>And a second firewall between the DMZ and the private network.<\/li>\n<\/ul>\n<\/li>\n<li>Make the firewall rules as restrictive as possible (default deny, then allow only the required flows),<\/li>\n<li>Use VLANs and ACLs whenever applicable,<\/li>\n<li>On physical infrastructures, consider dedicated data links in the core network,<\/li>\n<li>And Port Security on the transport and access networks when possible,<\/li>\n<li>Strategically define where in the network the IDS\/IPS shall be located and what it will protect (Network-Based Protection),<\/li>\n<li>Endpoints must also have up-to-date anti-virus\/anti-malware and host firewall rules (Host-Based Protection),<\/li>\n<li>Avoid or eliminate legacy services such as Telnet, FTP, RSH and plain HTTP: they all transmit credentials and data unencrypted.\n<ul>\n<li>If one is unavoidable, tunnel its traffic over an encrypted channel (SSH, TLS or a VPN) or over a dedicated link that cannot be sniffed.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>Hardening points to target<\/strong><\/p>\n<ul>\n<li>Hardware\n<ul>\n<li>Restrict physical access to servers and network devices with locks, alarms or cameras as necessary,<\/li>\n<li>Prefer UEFI (GPT partitioning, Secure Boot available) over legacy BIOS (MBR),<\/li>\n<li>Enable TPM 2.0 when possible.<\/li>\n<\/ul>\n<\/li>\n<li>BIOS\n<ul>\n<li>Set a password on the BIOS\/UEFI setup menus and restrict the boot order so that the server cannot be booted from removable media.<\/li>\n<\/ul>\n<\/li>\n<li>Operating System\n<ul>\n<li>Bootloader\n<ul>\n<li>Limit access to the bootloader configuration and to the boot volume (ideally mount \/boot read-only),<\/li>\n<li>Set a GRUB password (superuser and, if needed, per-user entries) so that editing boot entries or selecting another kernel or operating system requires authentication.<\/li>\n<\/ul>\n<\/li>\n<li>Kernel\n<ul>\n<li>Build or configure the kernel so that only the drivers for the hardware actually in use are loaded (blacklist unused modules),<\/li>\n<li>Hide processes from other users by mounting \/proc with the hidepid option (only root should see all processes),<\/li>\n<li>Isolate process resources with Control Groups and Namespaces,<\/li>\n<li>Enable a Mandatory Access Control system (SELinux or AppArmor, one or the other) and keep the kernel exploit mitigations (NX, ASLR; Exec Shield on older Red Hat kernels) enabled,<\/li>\n<\/ul>\n<\/li>\n<li>Always choose the LTS version of the chosen distribution and update it regularly (consider unattended security upgrades),<\/li>\n<li>Remove orphan (unused) packages and disable unused subsystems such as X11, FireWire and, when not used, IPv6,<\/li>\n<li>Consider disabling the Ctrl+Alt+Delete reboot if it is not needed,<\/li>\n<li>Reserve disk space for a swap partition (and encrypt it, since memory pages of sensitive processes may be swapped out),<\/li>\n<li>Encrypt volumes that store sensitive data,<\/li>\n<li>Disable remote root login, or lock the <em>root<\/em> account completely,<\/li>\n<li>Assign granularly what each user can or cannot execute with <em>sudo<\/em> and configure logging and notifications.<\/li>\n<\/ul>\n<\/li>\n<li>Services\n<ul>\n<li>Leverage system-level and application-level containerization (LXD and Docker, respectively),<\/li>\n<li>Periodically list and audit the listening ports,<\/li>\n<li>Apply all best practices to the SSH service:\n<ul>\n<li>Do not allow empty passwords (preferably no password authentication at all) nor root login,<\/li>\n<li>Require SSH keys and a second factor such as an <strong>OTP<\/strong> mobile app [<a href=\"https:\/\/dft.wiki\/?p=2379\">Link<\/a>] or a USB\/NFC <strong>Hardware Key<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=2494\">Link<\/a>],<\/li>\n<li>Only allow specific users or groups (AllowUsers\/AllowGroups), or use Match blocks to apply restrictive rules to connections that fit a specific pattern,<\/li>\n<li>And always use <strong>Fail2Ban<\/strong> in combination with your publicly facing services [<a href=\"https:\/\/dft.wiki\/?p=401\">Link<\/a>].<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Administration\n<ul>\n<li>Centralize the logs on a log server,<\/li>\n<li>Configure Logwatch and Logcheck to monitor the logs and send reports periodically,<\/li>\n<li>Disable and remove unused or unnecessary services,<\/li>\n<li>Allow or deny <em>cron<\/em> usage per user (\/etc\/cron.allow and \/etc\/cron.deny),<\/li>\n<li>Define a reasonable idle timeout for interactive shells (TMOUT),<\/li>\n<li>Find the files with the SUID and SGID bits and remove the bit wherever it is not required,<\/li>\n<li>Use PAM (Pluggable Authentication Modules) to enforce strong passwords (length, complexity, reuse) and password-aging parameters,<\/li>\n<li>Configure Kerberos when possible,<\/li>\n<li>Validate the UIDs periodically (no duplicates, and no UID 0 besides <em>root<\/em>) and identify accounts with empty passwords,<\/li>\n<li>Establish policies to lock inactive accounts.<\/li>\n<\/ul>\n<\/li>\n<li>Users\n<ul>\n<li>Assign privileges to groups instead of users, even if the user is the only member of the group,<\/li>\n<li>Use a directory service, or manage the users with automation tools such as Ansible.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>Desired State<\/strong><\/p>\n<ul>\n<li>Encryption in Transit,<\/li>\n<li>Encryption at Rest,<\/li>\n<li>Read and write access restricted with Least Privilege Access Control,\n<ul>\n<li>Per file,<\/li>\n<li>Per directory,<\/li>\n<li>Per volume.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This guide lists essential considerations to harden a Linux server: reduce the attack [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2870","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2870"}],"version-history":[{"count":6,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2870\/revisions"}],"predecessor-version":[{"id":3116,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2870\/revisions\/3116"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
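The Bootloader and Kernel items in the guide ask for a read-only /boot and for /proc mounted so that users only see their own processes. The following script is an added example, not code from the guide or its author: it checks an fstab-format file for those two mount options. The two fstab samples it writes are constructed (placeholder device names), and the option names are the real ones (`ro`, `hidepid=2`, or its alias `hidepid=invisible` on kernels 5.8 and later).

```shell
#!/bin/sh
# Added example, not part of the original guide: check an fstab for the two
# mount-level measures in the Kernel and Bootloader sections, i.e. /proc
# mounted with hidepid so users only see their own processes, and /boot
# mounted read-only. Constructed sample fstabs are embedded so the script
# runs offline; on a real host run it against /etc/fstab (and cross-check the
# live mounts with findmnt, since fstab only describes the boot-time state).

# Return 0 when the entry for mount point $2 in fstab $1 carries option $3
# (exact match on one comma-separated element, e.g. "ro" or "hidepid=2").
fstab_has_option() {  # $1 = fstab file, $2 = mount point, $3 = option
    awk -v mp="$2" -v opt="$3" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Print one OK/WEAK line per check and, as the last line, the number of weak mounts.
audit_fstab() {  # $1 = fstab file
    findings=0
    if fstab_has_option "$1" /proc hidepid=2 || fstab_has_option "$1" /proc hidepid=invisible; then
        echo "OK    /proc hides other users' processes"
    else
        echo "WEAK  /proc without hidepid: any user can list every process and its arguments"
        findings=$((findings + 1))
    fi
    if fstab_has_option "$1" /boot ro; then
        echo "OK    /boot is mounted read-only"
    else
        echo "WEAK  /boot writable: kernel and bootloader files can be altered at runtime"
        findings=$((findings + 1))
    fi
    echo "$findings"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: distribution-style defaults (device names are placeholders).
cat > "$tmp/fstab.default" <<'EOF'
# <file system> <mount point> <type> <options>         <dump> <pass>
/dev/sda2       /             ext4   errors=remount-ro 0      1
/dev/sda1       /boot         ext4   defaults          0      2
proc            /proc         proc   defaults          0      0
EOF

# Constructed sample: hardened counterpart. gid=proc lets members of a "proc"
# group (monitoring agents) still see all processes; remount /boot rw only
# while installing a kernel.
cat > "$tmp/fstab.hardened" <<'EOF'
/dev/sda2       /             ext4   errors=remount-ro               0 1
/dev/sda1       /boot         ext4   defaults,ro,nodev,nosuid,noexec 0 2
proc            /proc         proc   defaults,hidepid=2,gid=proc     0 0
EOF

echo "== default";  audit_fstab "$tmp/fstab.default"
echo "== hardened"; audit_fstab "$tmp/fstab.hardened"
```

The `gid=` option needs the named group to exist, and anything that legitimately has to see every process (monitoring agents, and systemd-logind on older systemd releases) must run in that group, otherwise hidepid breaks it; test the change with a remount of /proc before committing it to fstab.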
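The SSH items under Services (no empty passwords, no password login, no root login, keys plus a second factor, access scoped with AllowUsers/AllowGroups or Match blocks) can be checked mechanically. The script below is an added example written for this page, not code from the guide or from OpenSSH: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, everything after the first `Match` line is conditional) and reports which of those settings are weak, falling back to the documented OpenSSH defaults when a keyword is absent. The two configurations it audits are constructed samples; the OTP PAM module behind `keyboard-interactive` is assumed to be set up as in the linked posts.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config for the
# weak settings the Services section lists. Two constructed sample configs are
# written to a temp dir so it runs offline; on a real host point audit_sshd at
# /etc/ssh/sshd_config and validate edits with "sshd -t" before restarting.

# Effective global value of a directive. sshd honours the first occurrence of
# a keyword (keywords are case-insensitive) and everything after the first
# "Match" line applies only to matching connections, so the scan stops there.
sshd_global() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Compare one directive against the required value, using the OpenSSH default
# when the keyword is absent. Increments $findings on a miss.
check_directive() {  # $1 = file, $2 = keyword, $3 = required, $4 = OpenSSH default, $5 = reason
    val=$(sshd_global "$1" "$2")
    [ -n "$val" ] || val=$4
    if [ "$val" = "$3" ]; then
        echo "OK    $2 $val"
    else
        echo "WEAK  $2 $val (want $3): $5"
        findings=$((findings + 1))
    fi
}

# Print one line per check and, as the last line, the number of weak settings.
audit_sshd() {  # $1 = config file
    findings=0
    check_directive "$1" PermitEmptyPasswords   no  no                "never accept empty passwords"
    check_directive "$1" PasswordAuthentication no  yes               "passwords can be guessed; require keys"
    check_directive "$1" PermitRootLogin        no  prohibit-password "log in as a user and escalate with sudo"
    check_directive "$1" PubkeyAuthentication   yes yes               "keys are the primary factor"
    check_directive "$1" AuthenticationMethods  publickey,keyboard-interactive any "key plus OTP (PAM) second factor"
    if [ -z "$(sshd_global "$1" AllowUsers)" ] && [ -z "$(sshd_global "$1" AllowGroups)" ]; then
        echo "WEAK  AllowUsers/AllowGroups absent: every local account may attempt to log in"
        findings=$((findings + 1))
    else
        echo "OK    login scoped with AllowUsers/AllowGroups"
    fi
    echo "$findings"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: a typical out-of-the-box configuration.
cat > "$tmp/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
EOF

# Constructed sample: the hardened counterpart. Key + OTP for everyone in the
# sshusers group; connections from the management network need the key only.
cat > "$tmp/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
AllowGroups sshusers
Match Address 10.0.0.0/8
    AuthenticationMethods publickey
EOF

echo "== weak.conf";     audit_sshd "$tmp/weak.conf"
echo "== hardened.conf"; audit_sshd "$tmp/hardened.conf"
```

The audit only reads the global section; a `Match` block that re-enables `PasswordAuthentication` for some address range would not be caught, so review the Match blocks by hand (or with `sshd -T -C user=x,host=y,addr=z`, which prints the effective configuration for a given connection). Pair the hardened configuration with Fail2Ban as the guide recommends, since key-only login still leaves the service open to connection floods.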
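The Administration section asks for periodic checks of UIDs, empty passwords, inactive-account locking and SUID/SGID files. This added example (not code from the guide or its author) implements those checks as shell functions over passwd/shadow-format files and a directory tree. The passwd and shadow files and the binaries it inspects are constructed samples, including a planted second UID-0 account, so that it runs offline and without root; on a real host the inputs are /etc/passwd, /etc/shadow (readable by root only) and /.

```shell
#!/bin/sh
# Added example, not part of the original guide: the periodic account and
# permission checks from the Administration section as functions over
# passwd/shadow-format files and a directory. Constructed sample inputs are
# written to a temp dir; on a real host pass /etc/passwd, /etc/shadow and /.

# Accounts whose shadow password field is empty: anyone can log in as them
# without a password. Locked accounts carry "!" or "*" there and are not listed.
empty_password_accounts() {  # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with UID 0. Only root should appear; any other one is a backdoor.
uid_zero_accounts() {  # $1 = passwd file
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UIDs shared by more than one account, one line per UID: "uid: name name".
duplicate_uids() {  # $1 = passwd file
    awk -F: '{ names[$3] = names[$3] " " $1; count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" | sort
}

# Usable (not locked) accounts whose inactivity field (7th) is empty, i.e. they
# are never disabled after the password expires; set it with "chage -I <days>".
no_inactivity_lock() {  # $1 = shadow file
    awk -F: '$2 !~ /^[!*]/ && $7 == "" { print $1 }' "$1"
}

# Regular files carrying the SUID (4000) or SGID (2000) bit, on one filesystem.
find_suid_sgid() {  # $1 = directory
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample passwd: "toor" is a planted second UID-0 account.
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:planted:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
EOF

# Constructed sample shadow: hashes are placeholders, guest has no password,
# and only alice is disabled (30 days) after her password expires.
cat > "$tmp/shadow" <<'EOF'
root:$6$placeholder$hash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
toor:$6$placeholder$hash:19500:0:99999:7:::
alice:$6$placeholder$hash:19500:0:99999:7:30::
guest::19500:0:99999:7:::
EOF

# Constructed sample tree: one SUID file, one SGID file, one plain file.
mkdir -p "$tmp/bin"
: > "$tmp/bin/setuid-tool"; chmod 4755 "$tmp/bin/setuid-tool"
: > "$tmp/bin/sgid-tool";   chmod 2755 "$tmp/bin/sgid-tool"
: > "$tmp/bin/plain";       chmod 0755 "$tmp/bin/plain"

echo "empty passwords:";    empty_password_accounts "$tmp/shadow"
echo "UID 0 accounts:";     uid_zero_accounts "$tmp/passwd"
echo "duplicate UIDs:";     duplicate_uids "$tmp/passwd"
echo "no inactivity lock:"; no_inactivity_lock "$tmp/shadow"
echo "SUID/SGID files:";    find_suid_sgid "$tmp/bin"
```

Review each reported SUID/SGID file against what the system actually needs before removing the bit with `chmod u-s` or `chmod g-s`; on Debian-based systems record the decision with `dpkg-statoverride` so that a package upgrade does not restore it. Schedule the functions from cron and diff the output against the previous run, so that a newly appearing entry stands out.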