Security Lockdown for Linux
Automatic updates
If you’re using Ubuntu you can do this by editing /etc/apt/apt.conf.d/50unattended-upgrades. Running out of date packages with security holes is a good way to get your machine pwnd.
Remove unused software
Every piece of software installed on your system provides one more attack point for malicious users. You should inventory your system and remove anything you don’t need. E.g. to remove Ubuntu One from your system:
sudo apt-get purge ubuntuone*Secure SSH
Edit /etc/ssh/sshd_config:
PermitRootLogin no
AllowUsers bmccann nx gitoliteYou may also disable password authentication and replace it with public key authentication:
PasswordAuthentication no
PubkeyAuthentication yesRestart the SSH daemon:
sudo service ssh restartor
sudo /etc/init.d/ssh restartThis disallows login via password and instead replaces it with login via public/private key pair. To setup your public key encryption run ssh-keygen on the client and put ~/.ssh/id_rsa.pub from the client into ~/.ssh/authorized_keys on server.
Sometimes while messing around with SSH settings, you’ll lock yourself out. I this case it’s nice to use the -v option with the ssh client.
You can also setup shortcuts in ~/.ssh/config. E.g. the shortcut below turns ssh gitolite into an alias for ssh -l gitolite -p 77777 bensdynamicdns.getmyip.com.
Host gitolite
User gitolite
Hostname bensdynamicdns.getmyip.com
Port 77777
IdentityFile ~/.ssh/id_rsaSecure NX
If you’d like to setup NX with this configuration it takes a couple extra steps than a normal NX installation. Note that every additional service you run on the machine provides one more attack point for hackers, so you’re more secure not running NX at all. However, if you choose to run NX for the benefits that it provides then here are some steps to help keep you safe:
- Download and install the client, node, and server in that order
- In /etc/ssh/sshd_config add the nx user by setting
AllowUsers nxand restart the ssh daemon sudo /etc/init.d/ssh restart. - NX uses a deprecated location for the ssh authorized_keys file, so you must fix that or you will get a public key authentication failed error. Open /usr/NX/etc/server.cfg and change
#SSHAuthorizedKeys = "authorized_keys2"toSSHAuthorizedKeys = "authorized_keys". Now run sudo mv /usr/NX/home/nx/.ssh/authorized_keys2 /usr/NX/home/nx/.ssh/authorized_keys if there’s an authorized_key2 file present. - Run sudo /usr/NX/scripts/setup/nxserver –install
- If you’ve disabled SSH passwords then you’ll also need to set
EnableUserDB = "1"andEnablePasswordDB = "1"in /usr/NX/etc/server.cfg and then run sudo /usr/NX/bin/nxserver –useradd $USER since we’ve disabled passwords when we locked down SSH. - Change the default NX key. Run sudo /usr/NX/bin/nxserver –keygen. In your NX client, open “Configure…” > “General” tab > “Key …” and copy the contents of “/usr/NX/share/keys/default.id_dsa.key” into the key window and save it.
- Optional for connecting to multiple servers at once: Change DisplayBase in /usr/NX/etc/server.cfg.
- Restart the NX server to pickup your changes: sudo /etc/init.d/nxserver restart
Secure MySQL
Run mysql_secure_installation
Install fail2ban
- Install fail2ban by running sudo apt-get install fail2ban, which will lockout users who repeatedly try to access your system by guessing passwords.
- Make your own copy of the configuration file: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Check if fail2ban is running properly: sudo fail2ban-client status
More
Andrew Ault and CyberCiti wrote good articles as well.
The NSA has a comprehensive guide to securing a Linux system