Linux Security: Best Practices for a Secure System
Linux, being an open-source operating system, is considered one of the most secure platforms available today. However, no system is impervious to security threats. This article explores best practices that Linux users should follow to maintain a secure system, covering a range of topics from user management to file permissions.
One of the most critical aspects of maintaining a secure system is keeping the software up-to-date. Regularly updating the Linux distribution, kernel, and installed packages ensures that known vulnerabilities are patched and new features are introduced.
To update your Linux system, use the package manager specific to your distribution, such as apt for Debian-based systems or yum for Red Hat-based systems. Schedule automatic updates using cron jobs or utilize automated tools like unattended-upgrades for apt.
- Creating separate user accounts: Avoid using the root account for everyday tasks. Create separate user accounts with limited privileges and use the sudo command when administrative tasks are required.
- Strong password policies: Enforce the use of complex passwords that are at least 12 characters long, containing a mix of upper and lowercase letters, numbers, and special characters.
- Regularly reviewing user accounts: Periodically review user accounts to ensure they are still necessary and disable or delete any unused or obsolete accounts.
Configuring File Permissions
- Use umask: Set the umask value to restrict default file permissionsor newly created files and directories. A umask value of 027, for example, would grant the owner read and write permissions, while denying write permissions for the group and all other users.
- Review and modify permissions: Periodically review file and directory permissions to ensure they are appropriate. Use the chmod command to modify permissions when necessary.
- Secure sensitive files: Secure important system files such as /etc/passwd, /etc/shadow, and /etc/group by setting proper permissions, ensuring that unauthorized users do not have access to them.
- A properly configured firewall is crucial for securing a Linux system. Linux distributions usually come with a built-in firewall called iptables or nftables. Utilize these tools to:
- Set default policies: Configure the default policy for INPUT, FORWARD, and OUTPUT chains to DROP or REJECT, allowing only specific traffic through the firewall.
- Allow necessary services: Allow only essential services and ports, such as SSH (port 22) and HTTP (port 80), while denying all other connections.
- Limit access to specific IP addresses: Restrict access to sensitive services like SSH only to trusted IP addresses.
- Secure Shell (SSH) is a widely used method for remote access to Linux systems. To secure your SSH server, consider the following best practices:
- Use key-based authentication: Disable password-based authentication and use SSH keys instead, as they provide stronger security.
- Change the default SSH port: Change the default SSH port (22) to a non-standard port to reduce the risk of automated attacks.
- Limit user access: Restrict SSH access only to specific users or groups, and avoid allowing root login.
- System Auditing and Monitoring
Regular system auditing and monitoring help identify potential security issues and breaches. To implement
effective system auditing and monitoring:
- Use system logs: Review system logs regularly using tools like logwatch, syslog-ng, or rsyslog. Check for suspicious activity, failed login attempts, and unauthorized access attempts.
- Monitor user activity: Monitor user activity with tools like auditd or snoopy to keep track of user commands, file access, and system changes.
- Configure intrusion detection systems (IDS): Implement intrusion detection systems like AIDE (Advanced Intrusion Detection Environment) or OSSEC to monitor and detect unauthorized system changes or access attempts.
Antivirus and Anti-malware
- Even though Linux is less prone to viruses and malware compared to other operating systems, it’s essential to use antivirus and anti-malware tools to protect your system. Popular antivirus software for Linux includes ClamAV and Sophos. Schedule regular scans and keep the virus definitions up-to-date to ensure maximum protection.
- When running network services such as web servers, databases, or file servers, follow these guidelines:
- Keep services up-to-date: Regularly update network services to patch vulnerabilities and benefit from new features.
- Disable unnecessary services: Disable any services that are not required to reduce the attack surface.
- Use secure configurations: Follow best practices for configuring network services securely. For instance, use HTTPS instead of HTTP for web servers, and configure databases to listen only on localhost when possible.
Backup and Disaster Recovery
- Regular backups are essential to protect your system and data in case of hardware failure, data corruption, or security breachesImplement a robust backup strategy that includes:
- Regular backups: Schedule frequent backups of critical data, system configuration files, and databases.
- Offsite storage: Store backup copies in a separate location, such as an offsite server or cloud storage provider, to protect against local disasters.
- Encryption: Encrypt backups to ensure data privacy and prevent unauthorized access.
- Test backups: Periodically test backup restoration procedures to ensure that backups are functional and can be successfully restored in case of an emergency.
Security Training and Awareness
- A secure Linux system also depends on the users’ knowledge and awareness of security best practices. Provide regular training and updates on security measures, including:
- Safe browsing habits: Educate users on recognizing and avoiding phishing attacks, downloading files from trusted sources, and using strong, unique passwords.
- Software installation: Instruct users to install software only from trusted repositories and to avoid installing unnecessary or unverified software.
- Incident reporting: Encourage users to report any suspicious activity or security incidents to the appropriate personnel.
Maintaining a secure Linux system involves following best practices across multiple aspects, including regular updates, user management, file permissions, firewalls, SSH, system auditing, antivirus, network services, backups, and security training. Implementing these measures will help ensure the continued security of your Linux system and protect it against potential threats.
Best security practices in Linux
What security best-practices would you strongly recommend in maintaining a Linux server?
(i.e. bring up a firewall, disable unnecessary services, beware of suid executables, and so on.) Also: is there a definitive reference on Selinux? EDIT: Yes, I’m planning to put the machine on the Internet, with at least openvpn, ssh and apache (at the moment, without dynamic content), and to provide shell access to some people.
8 Answers 8
For SELinux I’ve found SELinux By Example to be really useful. It goes quite in-depth into keeping a sever as secure as possible and is pretty well written for such a wide topic.
- Disable anything you don’t need. The wider the attack domain, the more likely you’ll have a breach.
- Use an intrusion detection system (IDS) layer in front of any meaningful servers.
- Keep servers in a different security zone from your internal network.
- Deploy updates as fast as possible.
- Keep up to date on 0-day attacks for your remotely-accessible apps.
The short answer is, it depends. It depends on what you’re using it for, which in turn influences how much effort you should put into securing the thing.
There are some handy hints in the answers to this question: Securing a linux webserver for public access
If you’re not throwing the box up onto the internet, some of those answers won’t be relevant. if you’re throwing it up onto the internet and hosting something even vaguely interesting on it, those answers are far too laissez-faire for you.
There’s an NSA document «NSA Security Guide for RHEL5» available at:
which is pretty helpful and at least systematic.
- Limit the software to the only ones you really use
- Limit the rights of the users, through sudo, ACLs, kernel capabilities and SELinux/AppArmor/PaX policies
- Enforce use of hard passwords (no human understandable words, no birthday dates, etc.)
- Make LXC countainers, chroot or vserver jails for the «dangerous» applications
- Install some IDS, e.g. Snort for the network traffic and OSSEC for the log analysis
- Monitor the server
- Encrypt your sensible datas (truecrypt is a gift of the gods)
- Patch your kernel with GRSecurity : this add a really nice level of paranoïa
That’s more or less what I would do.
Edit : I added some ideas that I previously forgot to name .
1.) Enabling only necessary and relevant ports.
2.) Regular scan of the network data in — out
3.) Regular Scan of ip addresses accessing the server and verify if any unusual data activity associated with those ip address as found from logs/traces
4.) If some some critical and confidential data and code, needs to be present on the server , may be it can be encrypted
Goals: The hardest part is always defining your security goals. Everything else is relatively easy at that point.
Probing/research: Consider the same approach that attackers would take, ie network reconnaissance (namp is pretty helpful for that).
More information: SELinux by example is a helpful book, finding a good centralized source for SELinux information is still hard. I have a small list of helpful links that I find useful time to time http://delicious.com/reverand_13/selinux
Helpful solution/tools: As with what most people will say less is more. For an out of the box stripped down box with SELinux I would suggest clip (http://oss.tresys.com/projects/clip). A friend of mine used it in an academic simulation in which the box was under direct attack from other participants. I recall the story concluded very favorably for said box.
You will want to become familiar with writing SELinux policy. Modular policy can also become helpful. such tools as SLIDE and seedit (have not tried) may help you.