Security Lockdown for Linux

02/11/2011

Automatic updates

If you’re using Ubuntu you can do this by editing /etc/apt/apt.conf.d/50unattended-upgrades. Running out of date packages with security holes is a good way to get your machine pwnd.

Remove unused software

Every piece of software installed on your system provides one more attack point for malicious users. You should inventory your system and remove anything you don’t need. E.g. to remove Ubuntu One from your system:

sudo apt-get purge ubuntuone*

Secure SSH

Edit /etc/ssh/sshd_config:

PermitRootLogin no
AllowUsers bmccann nx gitolite

You may also disable password authentication and replace it with public key authentication:

PasswordAuthentication no
PubkeyAuthentication yes

Restart the SSH daemon:

sudo service ssh restart

sudo /etc/init.d/ssh restart

This disallows login via password and instead replaces it with login via public/private key pair. To setup your public key encryption run ssh-keygen on the client and put ~/.ssh/id_rsa.pub from the client into ~/.ssh/authorized_keys on server.

Sometimes while messing around with SSH settings, you’ll lock yourself out. I this case it’s nice to use the -v option with the ssh client.

You can also setup shortcuts in ~/.ssh/config. E.g. the shortcut below turns ssh gitolite into an alias for ssh -l gitolite -p 77777 bensdynamicdns.getmyip.com.

Host gitolite
   User gitolite
   Hostname bensdynamicdns.getmyip.com
   Port 77777
   IdentityFile ~/.ssh/id_rsa

Secure NX

If you’d like to setup NX in a secure manner, you can follow these instructions.

Secure MySQL

Run mysql_secure_installation

Install fail2ban

Install fail2ban by running sudo apt-get install fail2ban, which will lockout users who repeatedly try to access your system by guessing passwords.
Make your own copy of the configuration file: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Check if fail2ban is running properly: sudo fail2ban-client status

More
Andrew Ault and CyberCiti wrote good articles as well.
The NSA has a comprehensive guide to securing a Linux system

Be Sociable, Share!

1 Comment

Sean
11/01/2011 - 2:16 am

Wow thanks for this. I’ve been trying to figure out how to get NX running again after securing SSH, and this post helped a lot.

The only addition I would make is that when you add the line “AllowUsers nx” to the sshd_config, you also need to add the user that you will be logging in as (i.e. AllowUsers nx bmccann). When you set AllowUsers, it will ONLY allow the ones listed there, so your SSH will suddenly stop working unless you also add your username.

I got stuck on that for a long time, and couldn’t figure out what was wrong.

Popular Posts

Recent Posts

Ben McCann

Co-founder of Connectifier.
Investor at C3 Ventures.
Google and CMU alum.

Security Lockdown for Linux

1 Comment

Leave a Reply