Security Lockdown for Linux


Automatic updates

If you’re using Ubuntu you can do this by editing /etc/apt/apt.conf.d/50unattended-upgrades. Running out of date packages with security holes is a good way to get your machine pwnd.

Remove unused software

Every piece of software installed on your system provides one more attack point for malicious users. You should inventory your system and remove anything you don’t need. E.g. to remove Ubuntu One from your system:

sudo apt-get purge ubuntuone*

Secure SSH

Edit /etc/ssh/sshd_config:

PermitRootLogin no
AllowUsers bmccann nx gitolite

You may also disable password authentication and replace it with public key authentication:

PasswordAuthentication no
PubkeyAuthentication yes

Restart the SSH daemon:

sudo service ssh restart


sudo /etc/init.d/ssh restart

This disallows login via password and instead replaces it with login via public/private key pair. To setup your public key encryption run ssh-keygen on the client and put ~/.ssh/ from the client into ~/.ssh/authorized_keys on server.

Sometimes while messing around with SSH settings, you’ll lock yourself out. I this case it’s nice to use the -v option with the ssh client.

You can also setup shortcuts in ~/.ssh/config. E.g. the shortcut below turns ssh gitolite into an alias for ssh -l gitolite -p 77777

Host gitolite
   User gitolite
   Port 77777
   IdentityFile ~/.ssh/id_rsa

Secure NX

If you’d like to setup NX in a secure manner, you can follow these instructions.

Secure MySQL

Run mysql_secure_installation

Install fail2ban

  • Install fail2ban by running sudo apt-get install fail2ban, which will lockout users who repeatedly try to access your system by guessing passwords.
  • Make your own copy of the configuration file: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • Check if fail2ban is running properly: sudo fail2ban-client status

Andrew Ault and CyberCiti wrote good articles as well.
The NSA has a comprehensive guide to securing a Linux system

Be Sociable, Share!