Linux Security, checklist, Debian 8
Please ignore quotation marks around the commands and most periods at the end of sentences. I used this article in 2018 and it worked fine. This version uses GRUB2 on Debian, Fedora, and Ubuntu. Please check Google for newer versions. Use vim, nano, or vi to modify config files.
With hackers using vulnerabilities to get into your network, it's time to batten down the hatches.
The PDF is not for beginners but for intermediate admins. I had to add SELinux to this version of Debian to make it more secure.
I used the Debian distro, but this works for Fedora and Ubuntu: most distros have the features below, and you can replace “apt-get” commands with “yum” on other distros. For any command in quotes, exclude the quotes. Most of these commands are run as root. This is not a tutorial for beginners but for intermediate to advanced administrators.
Use Debian or Ubuntu 14.04 with GRUB2; this is the latest in security safety. Debian can place directories such as /var, /home and /tmp on separate partitions at install time, which is a requirement for making it difficult for an attacker to move between partitions. Because hard links cannot cross filesystems, this layout prevents hard-link breaches or escalations.
• Add a BIOS password to the server so attackers cannot modify the BIOS. Boot the server to the BIOS setup prompt and set a password. Also, move removable devices down the boot order.
• Update your distro before proceeding with “yum update” or “apt-get update && apt-get upgrade”; this pulls in the current fixes, updates and patches that are needed.
• Sync your clock with NTP: install the time service with “apt-get install ntp” or “yum install ntp”, then start the service with “service ntpd start” (the service is named “ntp” on Debian and “ntpd” on Fedora) or check its status with “service ntpd status”.
• Password security: set expiry dates. Edit “/etc/default/useradd” (with vi, vim or nano) and set the expiry days to your company's policy. (The maximum password age for new accounts is PASS_MAX_DAYS in /etc/login.defs.)
• Set passwords as non-reusable: edit the PAM password configuration (“vi /etc/pam.d/common-password” on Debian, “/etc/pam.d/system-auth” on Fedora), find the “password” line that loads pam_unix.so, add “remember=8” at the end of that line and save. 8 is the number of previous passwords that cannot be reused. If the line is not there, add “password sufficient pam_unix.so use_authtok md5 shadow remember=8” (prefer sha512 over md5 for the hash on current systems).
• To check for the SUID bit, which lets a program run with the privileges of its owner (root, for root-owned binaries): find / -perm -04000
• Check that no user other than root has UID zero; only root should have UID 0. “grep ‘x:0:’ /etc/passwd” or “getent passwd 0”
• To use ssh to connect to other servers, run “ssh-keygen -t rsa”; this creates both the private and public keys.
• To export your public key, use “scp .ssh/id_rsa.pub x.x.x.x:.ssh/authorized_keys2” (replace x.x.x.x with an IP or hostname). This overwrites any keys already in that file; “ssh-copy-id x.x.x.x” appends instead.
• Put a padlock on the server if possible.
• Lock down cron as root only. Check the file listing the users allowed to open crontab, or create it: “vi /etc/cron.allow” and add the name “root” if it is empty. This step only allows root to modify cron jobs.
• Lock down USB stick installs: “vi /etc/modprobe.d/no-usb.conf” (modprobe only reads files in this directory that end in .conf). Add the line “install usb-storage /bin/true”, reboot and test a USB stick; it should not install anything.
• Remove the FTP service if installed with “yum remove -y ftp” or “apt-get remove ftp”.
• Use sftp instead; it encrypts your password and the data in transit.
• Check which ports are open with “netstat -lnptu” and stop the services listening on ports that are not needed.
• Install SELinux if you know how to run with it: “aptitude install selinux-basics selinux-policy-default”
• Turn on SELinux if it is off: check with “getenforce” and turn it on with “setenforce enforcing”; enforcing mode blocks users who try to run commands the policy does not permit. The config file is /etc/selinux/config; check that it is set to “SELINUX=enforcing”.
• Shut down all graphical interfaces (X Windows, GNOME) if installed, or you're all done.
• Set the system to runlevel 3: “cat /etc/inittab”, look for a symbolic link (ln -s) that points to runlevel5 and remove it.
• Remove the path to runlevel5; my command looks like this: “rm /etc/systemd/system/default.target”. runlevel5 is the GNOME or KDE level.
• Set to runlevel3; mine looks like this: “ln -s /lib/systemd/system/runlevel3.target /etc/systemd/system/default.target”
• Now check for and remove all GNOME and KDE packages; locate them with “yum grouplist | egrep 'GNOME|KDE'”
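Several of the items above (no extra UID-0 accounts, the PAM remember= setting, the usb-storage block in modprobe.d, a root-only cron.allow, and a text-mode default.target) can be verified with a small audit script. The following is an added example, not part of the original checklist; it assumes the Debian file paths shown above, with /etc/pam.d/common-password as the PAM password file.

```shell
#!/bin/sh
# Added audit helper (not from the original checklist). Each check takes the
# path of the file or directory it inspects, so it runs against the live
# system or against constructed sample files.
# No account other than root may have UID 0; prints any offending login names.
uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Password history: the pam_unix "password" line must carry remember=N.
pam_remember_set() {
    grep -Eq '^password[[:space:]].*pam_unix\.so.*remember=[0-9]+' "$1"
}

# usb-storage must be neutralised in a *.conf file under modprobe.d;
# modprobe ignores files in that directory without the .conf suffix.
usb_storage_disabled() {
    grep -Eqs '^install[[:space:]]+usb-storage[[:space:]]+/bin/(true|false)' "$1"/*.conf
}

# cron.allow must exist and list root and nobody else.
cron_allow_root_only() {
    [ -f "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "root" ]
}

# default.target must point at the text console (runlevel3/multi-user).
default_target_is_text() {
    case "$(readlink "$1" 2>/dev/null)" in
        */runlevel3.target|*/multi-user.target) return 0 ;;
        *) return 1 ;;
    esac
}

# report NAME CMD...: run one check and print PASS or FAIL.
report() {
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fi
}

# Audit a root prefix (default: the live system; e.g. /mnt for a mounted image).
audit_system() {
    r=${1:-}
    report no-extra-uid0   test -z "$(uid0_users "$r/etc/passwd")"
    report pam-remember    pam_remember_set "$r/etc/pam.d/common-password"
    report usb-storage-off usb_storage_disabled "$r/etc/modprobe.d"
    report cron-root-only  cron_allow_root_only "$r/etc/cron.allow"
    report text-target     default_target_is_text "$r/etc/systemd/system/default.target"
}

if [ "${1:-}" = "--run" ]; then audit_system "${2:-}"; fi
```

Run it as “sh audit.sh --run” on the host, or “sh audit.sh --run /mnt” against a mounted image.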