Security tips on GNU / Linux systems

Well, I had been preparing this post for my blog for some time, since they suggested it to me at DesdeLinux, and for lack of time I had not been able (or willing) to finish it. Yes, I am somewhat lazy 😀. But now, as we say in Cuba, here it is...

This is a compilation of basic security rules for system administrators, in this case for those who, like me, manage networks / systems based on GNU / Linux... There may be more, and in fact there are more; this is just a sample from my wanderings around the Linux world...

0- Keep our systems updated with the latest security updates.

0.1 Subscribe to the critical-updates mailing lists [Slackware Security Advisories, Debian Security Advisories, in my case]

1- Zero physical access to the servers by unauthorized personnel.

1.1 Set a password on the BIOS of our servers

1.2 No booting from CD / DVD

1.3 Password in GRUB / Lilo

2- Good password policy, alphanumeric characters and others.

2.1 Password aging with the "chage" command: maximum password age, minimum number of days between changes, and the date of the last change.

2.2 Avoid using previous passwords:

in /etc/pam.d/common-password:

password sufficient pam_unix.so use_authtok sha512 shadow remember=10

With remember=10, pam_unix keeps the hashes of each user's last 10 passwords in /etc/security/opasswd and rejects a new password that matches any of them. Two caveats: md5 (as written in older copies of this line) is a weak hashing scheme, so use sha512 (or yescrypt where your libc and PAM support it); and use_authtok makes pam_unix take the new password from a module that ran before it (pam_cracklib or pam_pwquality), so leave it out if pam_unix is the first module in the password stack.

3- Good management / segmentation policy for our network [routers, switches, vlans] and firewall, as well as filtering rules INPUT, OUTPUT, FORWARD [NAT, SNAT, DNAT]

4- Restrict the shells users may log in with [/etc/shells]. Users who do not have to log into the system get /bin/false or /usr/sbin/nologin as their shell.

5- Block users when login fails [faillog], as well as control the system user account.

passwd -l pepe -> lock user pepe
passwd -u pepe -> unlock user pepe
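Rules 2, 4 and 5 above boil down to questions you can ask /etc/shadow and /etc/passwd on every host: who still has an unlimited password age, which accounts have a shell that is not even in /etc/shells, and who can actually log in. This script is an added example (not part of the original post) and audits constructed sample copies of those files; point the functions at the real files (as root) to audit a host. The 90-day limit is a policy assumption; chage -M 90 -m 1 -W 14 pepe sets it for one user and chage -l pepe shows what is in force.

```shell
#!/bin/sh
# Added example: audit password aging and login shells from shadow/passwd-format
# files. All sample data below is constructed for the demo, not taken from a host.

TMP=$(mktemp -d)

# Shadow format: name:hash:lastchange:min:max:warn:inactive:expire:
cat > "$TMP/shadow" <<'EOF'
root:$6$salt$hash1:19000:0:99999:7:::
pepe:$6$salt$hash2:19100:1:90:14:::
ana:$6$salt$hash3:19120:0::7:::
www-data:*:18000:0:99999:7:::
backup:!:18000:0:99999:7:::
EOF

# passwd format: name:x:uid:gid:gecos:home:shell
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pepe:x:1000:1000::/home/pepe:/bin/bash
ana:x:1001:1001::/home/ana:/bin/zsh
www-data:x:33:33::/var/www:/usr/sbin/nologin
backup:x:34:34::/var/backups:/bin/false
legacy:x:1003:1003::/home/legacy:/bin/ksh
EOF

cat > "$TMP/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/zsh
EOF

# Accounts with a real password hash whose maximum age (field 5) is unset or
# above LIMIT days. An empty hash means "no password required" and is reported
# on its own. Locked ("!") and passwordless ("*") system entries are skipped:
# chage policy does not apply to them.
audit_password_aging() {   # $1 = shadow file, $2 = max days (default 90)
    awk -F: -v limit="${2:-90}" '
        $2 == "" { print $1 " (empty password)"; next }
        $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > limit + 0) { print $1 }
    ' "$1"
}

# Accounts whose shell is neither listed in /etc/shells nor one of the
# non-login shells: usually a leftover from a removed package or an old image.
audit_login_shells() {     # $1 = passwd file, $2 = shells file
    awk -F: '
        FNR == NR { if ($0 !~ /^#/ && $0 != "") valid[$0] = 1; next }
        {
            shell = $NF
            if (shell == "/bin/false" || shell ~ /nologin$/) next
            if (!(shell in valid)) print $1 ": " shell
        }
    ' "$2" "$1"
}

# Accounts that can actually log in: the list to review against who really
# needs an interactive shell (rule 4).
interactive_accounts() {   # $1 = passwd file
    awk -F: '$NF != "/bin/false" && $NF !~ /nologin$/ { print $1 }' "$1"
}

echo "Password age unset or > 90 days:"; audit_password_aging "$TMP/shadow" 90
echo "Shells not in /etc/shells:";       audit_login_shells "$TMP/passwd" "$TMP/shells"
echo "Accounts with a login shell:";     interactive_accounts "$TMP/passwd"
```

On the sample data root (99999 days) and ana (no maximum at all) are flagged, legacy is flagged for /bin/ksh, and four accounts turn out to be able to log in; the real question for rule 4 is whether all four need to.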

6- Enable the use of "sudo" and NEVER log in as root over ssh, "NEVER". In fact you must edit the ssh configuration to enforce this (PermitRootLogin no in /etc/ssh/sshd_config). Use public / private keys on your servers, together with sudo.

7- Apply the "Principle of least privilege" in our systems.

8- Check our services from time to time [netstat -lptun, or ss -lptun on current systems], on each of our servers. Add monitoring tools that can help us with this task [Nagios, Cacti, Munin, Monit, Ntop, Zabbix].
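Looking at netstat or ss by hand works until the list gets long; what you actually want is "what is listening that was not listening last time". This added example (not part of the original post) parses saved ss -lptun output, keeps only sockets bound to something other than loopback, and reports those missing from a baseline of expected proto/port pairs. The ss output is constructed for the demo but follows the real column layout; on a host, run ss -lptun as root so the Process column is filled in, save it, and feed the file to the functions.

```shell
#!/bin/sh
# Added example: compare a host's listening sockets against a baseline.
# The ss output below is constructed for the demo (same columns as `ss -lptun`).

TMP=$(mktemp -d)

cat > "$TMP/ss.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=920,fd=6))
tcp   LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1033,fd=21))
tcp   LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1100,fd=6))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=801,fd=4))
EOF

# Prints "proto/port process" for every socket reachable from outside the host,
# i.e. not bound to 127.0.0.0/8 or ::1. The IPv4 and IPv6 sockets of one
# service are printed once.
exposed_listeners() {      # $1 = saved output of `ss -lptun`
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]               # port is after the last colon
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next       # loopback only: not exposed
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/))                # users:(("name",pid=...
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        key = $1 "/" port
        if (!seen[key]++) print key, proc
    }' "$1"
}

# Exposed sockets that are not in the space-separated baseline of expected
# proto/port pairs, e.g. "tcp/22 tcp/80".
unexpected_listeners() {   # $1 = ss output, $2 = baseline
    exposed_listeners "$1" | awk -v base="$2" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        !($1 in ok)'
}

echo "Exposed listeners:"; exposed_listeners "$TMP/ss.txt"
echo "Not in baseline:";   unexpected_listeners "$TMP/ss.txt" "tcp/22 tcp/80"
```

With a baseline of ssh and http, the sample shows mysqld answering on 0.0.0.0:3306, which is exactly the kind of thing that should either be in the baseline on purpose or bound to localhost; redis on 127.0.0.1 is correctly ignored.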

9- Install IDSs: Snort / AcidBase, Snorby, Barnyard, OSSEC.

10 Nmap is your friend, use it to check your subnet / subnets.

11 Good security practices in OpenSSH, Apache2, Nginx, MySQL, PostgreSQL, Postfix, Squid, Samba, LDAP [the ones that most use] and some other service that you need in your network.

12 Encrypt all communication wherever possible in our systems: SSL/TLS, GnuTLS, STARTTLS, digest authentication, etc... And if you handle sensitive information, encrypt your hard drive!!!

13 Keep our mail servers updated with the latest security, blacklist and antispam rules.

14 Activity logging in our systems with logwatch and logcheck.

15 Knowledge and use of tools such as top, sar, vmstat, free, among others.

sar -> system activity report
vmstat -> processes, memory, system, I/O, CPU activity, etc.
iostat -> CPU and I/O statistics
mpstat -> multiprocessor status and usage
pmap -> memory usage per process
free -> memory usage
iptraf -> real-time traffic on our network
ethstatus -> console-based Ethernet statistics monitor
etherape -> graphical network monitor
ss -> socket status [TCP, UDP, raw and DCCP socket info]
tcpdump -> detailed traffic analysis
vnstat -> network traffic monitor for selected interfaces
mtr -> network diagnostic and congestion analysis tool
ethtool -> statistics about network cards

For now it is all. I know that there are a thousand and one more security suggestions in this type of environment, but these are the ones that have struck me the most closely, or that at some point I have had to apply / exercise in an environment that I have administered.

A hug and hopefully it will serve you 😀



  1.   koratsuki said

    I invite you in the comments to tell us about some other rules that have been implemented apart from those already mentioned, to increase the knowledge of our readers 😀

    1.    yukiteru said

      Well I would add:

      1.- Apply sysctl rules to prevent dmesg, /proc and SysRQ access, assign PID1 to the core, enable protections for hard and soft symlinks, protections for the TCP/IP stacks for both IPv4 and IPv6, activate full VDSO for maximum randomization of pointers and memory space allocations and improve the strength against buffer overflows.

      2.- Create firewalls of the SPI type (Stateful Package Inspect) to prevent connections not created or previously allowed from having access to the system.

      3.- If you do not have services that warrant connections with elevated privileges from a remote location, simply revoke access to them using access.conf, or, failing that, enable access to only a specific user or group.

      4.- Use hard limits to prevent access to certain groups or users from destabilizing your system. Very useful in environments where there is a real multi-user active at all times.

      5.- TCPWrappers is your friend, if you are on a system with support for it, using it would not hurt, so you can deny access from any host unless it is previously configured in the system.

      6.- Create SSH RSA keys of at least 2048 bits or better of 4096 bits with alphanumeric keys of more than 16 characters.

      7.- How world-writable are you? Checking the read-write permissions of your directories is not bad at all and is the best way to avoid unauthorized access in multi-user environments, not to mention that it makes it more difficult for certain unauthorized accesses to reach information that you do not want anyone else to see.

      8.- Mount any external partition that does not deserve it, with the options noexec, nosuid, nodev.

      9.- Use tools such as rkhunter and chkrootkit to periodically check that the system does not have a rootkit or malware installed. A prudent measure if you are one of those who install things from non-secure repositories, from PPAs or simply live compiling code from untrusted sites.

      1.    koratsuki said

        Uhmmm, delicious… Good comment, add guys… 😀

    2.    William Moreno-Reyes said

      Apply a Mandatory Access Control with SElinux?

  2.   ArmandoF said

    very good article

    1.    koratsuki said

      Thanks friend 😀

  3.   joaco said

    Hello and if I am a normal user, should I use su or sudo?
    I use su because I don't like sudo, because anyone who has my user password can change whatever they want on the system, instead with su no.

    1.    koratsuki said

      On your PC it does no harm to use su, you can use it without problems; on servers it is highly recommended to disable the use of su and use sudo, many say that it is because of auditing who executed which command, and sudo does that task... Personally, on my PC I use su, just like you...

      1.    joaco said

        Sure, I don't really know how it works on the servers. Although, it seems to me that sudo had the advantage that you can give privileges to the user of another computer, if I'm not mistaken.

    2.    andrew said

      Interesting article. I encrypt some files with gnu-gpg; as for least privilege, in case you want to run, for example, a binary of unknown origin lost in the immense seas of information on the disk, how do I remove access to certain functions?

      1.    koratsuki said

        I owe you that part, although I think you should only run as sudo / root programs that are reliable, that is, that come from your repo...

      2.    yukiteru said

        I remember reading that there is a way to enable root capabilities in a manual on GNU / Linux and UNIX, if I find it I will put it 😀

      3.    clown said

        and chroot jails to run unknown binaries?

    3.    yukiteru said

      Using sudo at all times is much better.

    4.    elav said

      Or you can use sudo, but limiting the time the password is remembered.

  4.   Kevin Rodriguez said

    Similar tools I use to monitor pc, "iotop" as a substitute for "iostat", "htop" excellent "task manager", "iftop" bandwidth monitoring.

  5.   monitolinux said

    many will think that is exaggerated, but I have already seen attacks to enlist a server in a botnet.

    https://twitter.com/monitolinux/status/594235592260636672/photo/1

    ps: Chinese beggars and their attempts to hack my server.

  6.   clown said

    something that is also convenient is to use chroot jails for the services, so if for some reason they are attacked they would not compromise the system.

  7.   devil said

    Using the ps command is also excellent for monitoring and could be part of the actions to check for security flaws. Running ps -ef lists all processes; it is similar to top, although it shows some differences. Installing iptraf is another tool that may work.

  8.   Claudio J. Concepcion Certainty said

    Good contribution.

    I would add: SELinux or Apparmor, depending on the distro, always enabled.

    From my own experience I realized that it is bad practice to disable those components. We almost always do it when we are going to install or configure a service, with the excuse that it runs without problems, when really what we should do is learn to handle them to allow that service.

    A greeting.

  9.   GnuLinux ?? said

    1.How to encrypt the entire file system? worth it??
    2.Does it have to be decrypted every time the system is going to be updated?
    3. Is encrypting the entire file system of the machine the same as encrypting any other file?

    1.    yukiteru said

      How do you show that you know what you are talking about?

  10.   NauTiluS said

    Also, you can cage programs and even multiple users. Although doing this is more work, but if something happened, and you had a previous copy of that folder, it's just hitting and singing.

  11.   toño said

    The best and most convenient security policy is not to be paranoid.
    Try it, it is infallible.

  12.   angelbenites said

    I am using csf and when unlocking a client who misplaced his password in some access, this delays in the process but it does. It is normal?

    I am looking for the command to unblock from ssh ... any suggestion