Monday, June 3, 2013

Securing Linux servers

One of the first things to do on a newly built server, before deploying the applications and moving the data, is to secure the server. The following are the steps I have been taking to harden our production servers, which are mostly RedHat Linux.

This is by no means a comprehensive list. I plan to update it with more stuff as we go on.

Remove unnecessary packages

Since our servers are deployed by the data center, we don't get the option to customize the packages installed. So we remove all packages that are unnecessary to us, like X Windows, CUPS, FTP etc. We host a web-based application and don't need GUI or printer support on our servers. We use SFTP/SCP instead of FTP and I would suggest the same as they are more secure.

We can remove the X Window System and its related dependencies using the following command.

yum groupremove "X Window System"

You can get the list of all the installed RPMs written to a file using the following. Go through the list and remove what is not required.

rpm -qa >/tmp/rpms-installed.txt

rpm -e <package to be removed>

Password policy and Account lockout for shell users

We can then set the password policy for the shell users. Password ageing and length are set in /etc/login.defs.

PASS_MAX_DAYS 90   - Password expires in 90 days.
PASS_MIN_DAYS 1    - Minimum days required between password changes.
PASS_MIN_LEN 8     - Minimum password length set to 8.
PASS_WARN_AGE 7    - Password expiration warnings are issued 7 days before.

Another step in securing shell accounts is configuring pam_cracklib and pam_tally.
pam_cracklib - Ensures that the passwords are reasonably strong.
pam_tally - For account lockout.

We can append pam_cracklib settings to /etc/pam.d/system-auth file as given below.

password required pam_cracklib.so retry=3 minlen=8 difok=3

This ensures the following:
  • 3 retries are allowed for a password change.
  • Minimum length of the password should be 8.
  • Number of characters that must be different from the previous password should be 3.
http://linux.die.net/man/8/pam_tally

Add the following to the auth section of the /etc/pam.d/system-auth file.

auth    required        pam_tally.so onerr=fail per_user deny=3 unlock_time=600

This ensures that the account is locked out after 3 wrong password attempts and unlocks only after 10 minutes.
You can view the failed password attempts of all users using the following command.

faillog

To unlock a particular user use the following command.

faillog -r -u <username>

http://linux.die.net/man/8/pam_cracklib

Securing SSH

1. Disable root login
Open /etc/ssh/sshd_config and look for PermitRootLogin. Set it as follows.

PermitRootLogin no

2. Allow access only to the required shell users.

AllowUsers max payne

This ensures that only max and payne have SSH access to the server.

3. Chroot the directory of SFTP users.
If not chrooted, users with SFTP access can view other directories like /etc and download files from them.
We will first disable shell access for the SFTP user.

usermod -d /sftphome/sftp_user -s /sbin/nologin sftp_user

We will then edit the SSHD config file /etc/ssh/sshd_config. Look for the line "Subsystem      sftp    /usr/libexec/openssh/sftp-server", comment it out and add "Subsystem       sftp    internal-sftp". The SSHD config should then look as below.

#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

Now add the following.

Match User sftp_user
        ChrootDirectory /sftphome/%u
        ForceCommand internal-sftp

After all the changes are made in sshd_config, restart the SSH service.
http://linux.die.net/man/5/sshd_config

Make sure that /sftphome/sftp_user is owned by the root user with permissions 755. The folders within /sftphome/sftp_user should be owned by sftp_user.
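As an added example (not part of the original post), here is a small POSIX shell audit that reads the login.defs directives from the password policy section and the sshd_config directives from this section back out of the files and reports any that drift from the values set above. The sample sshd_config and login.defs it writes to a temp directory are constructed for the demo, not copied from a real server, and get_directive, check_directive and audit_file are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: audit sshd_config and login.defs
# for the hardening directives described above and report drift.

# get_directive FILE KEY: print the value of the first uncommented KEY line.
# Reading stops at the first "Match" block: sshd uses the first value it sees,
# and settings inside Match blocks are conditional, not global.
get_directive() {
    awk -v k="$2" '
        $1 == "Match" { exit }
        $1 == k && !found { found = 1; $1 = ""; sub(/^ +/, ""); print }
    ' "$1"
}
# check_directive FILE KEY EXPECTED: exit status 0 when the value matches.
check_directive() {
    [ "$(get_directive "$1" "$2")" = "$3" ]
}
# audit_file FILE KEY=VALUE...: print each mismatch, return the mismatch count.
audit_file() {
    file=$1; shift; failures=0
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        if ! check_directive "$file" "$key" "$want"; then
            echo "DRIFT $file: $key expected '$want', found '$(get_directive "$file" "$key")'"
            failures=$((failures + 1))
        fi
    done
    return $failures
}
# Constructed sample files (not from any real server) so this runs offline;
# the login.defs sample deliberately leaves PASS_MAX_DAYS at a distro default.
TMP=$(mktemp -d)
cat > "$TMP/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
AllowUsers max payne
Subsystem       sftp    internal-sftp
Match User sftp_user
        ChrootDirectory /sftphome/%u
        ForceCommand internal-sftp
EOF
cat > "$TMP/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   7
EOF
audit_file "$TMP/sshd_config" PermitRootLogin=no "AllowUsers=max payne" "Subsystem=sftp internal-sftp"
audit_file "$TMP/login.defs" PASS_MAX_DAYS=90 PASS_MIN_DAYS=1 PASS_MIN_LEN=8 PASS_WARN_AGE=7
```

Run against the real files by replacing the two paths with /etc/ssh/sshd_config and /etc/login.defs; a non-zero exit status from audit_file is the number of directives that drifted.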

TCP_WRAPPERS

TCP Wrappers are another useful security feature. We can restrict the services to be accessible only from our required IP ranges. One of the services we can protect is SSH, since only a few people from our office network will need to access it. We also add our VPN address along with the office IP address for access from outside the office.

The configuration files are /etc/hosts.allow and /etc/hosts.deny.
Edit /etc/hosts.deny and add a line in the following format.

sshd : ALL

Then add the IP addresses for which you need the service available to /etc/hosts.allow.

sshd: 192.168.1.5 10.

This will make SSHD available only to 192.168.1.5 and the whole 10. range of IPs.

IPTABLES

I am not going into IPTABLES rules here. It's recommended to set the default policy for all the chains to DROP and open only the services that need to be exposed.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP