Linux Security

Deep dive into Linux system security, user authentication, firewall configuration, intrusion detection, and security hardening techniques


1. Security Overview

Linux security is an important component of system administration, covering system protection, user authentication, access control, data encryption, and more. Effective security measures can prevent unauthorized access, data breaches, and system attacks.

1.1 Types of Security Threats

  • Unauthorized access: Attackers gain system access through password guessing, exploiting vulnerabilities, etc.
  • Denial of Service (DoS) attacks: Attackers make systems unavailable by sending massive requests or exploiting vulnerabilities.
  • Data breaches: Sensitive data is accessed or stolen without authorization.
  • Malware: Systems are infected with viruses, trojans, worms, and other malicious programs.
  • Social engineering attacks: Attackers obtain user information or system access through deceptive means.
  • Internal threats: Malicious actions or mistakes by system insiders.

1.2 Security Protection Strategies

  • Principle of least privilege: Users and programs only get the minimum permissions needed to complete tasks.
  • Defense in depth: Implement multiple security layers, so even if one layer is breached, others still provide protection.
  • Security updates: Timely application of security patches for systems and software.
  • Security auditing: Regular checks of system security status and logs.
  • User education: Improving users' security awareness and skills.
  • Disaster recovery: Developing and testing system recovery plans.

2. User Authentication and Access Control

User authentication and access control are the foundation of Linux security. They are used to verify user identities and restrict user access to system resources.

2.1 User Management

# Create user
sudo useradd -m -s /bin/bash user1

# Set password
sudo passwd user1

# Delete user
sudo userdel -r user1

# View user information
grep user1 /etc/passwd
id user1

# Lock user
sudo passwd -l user1

# Unlock user
sudo passwd -u user1

# View logged in users
w
who
last

2.2 Password Policies

# Edit password-ageing defaults (they apply to accounts created afterwards; existing accounts are changed with chage)
sudo nano /etc/login.defs
# Modify the following configurations
# PASS_MAX_DAYS   99999 → PASS_MAX_DAYS   90
# PASS_MIN_DAYS   0 → PASS_MIN_DAYS   7
# PASS_MIN_LEN    5 → PASS_MIN_LEN    12   # not enforced on PAM-based systems; set minlen in pwquality.conf instead
# PASS_WARN_AGE   7 → PASS_WARN_AGE   14

# Install password quality checking module
sudo apt install libpam-pwquality  # Debian/Ubuntu
sudo yum install libpwquality  # CentOS/RHEL (provides pam_pwquality.so; usually already installed)

# Configure password quality checking
sudo nano /etc/security/pwquality.conf
# Add the following configurations (a negative credit means "at least this many characters of that class")
# minlen = 12
# dcredit = -1   # digits
# ucredit = -1   # uppercase letters
# ocredit = -1   # other characters (symbols)
# lcredit = -1   # lowercase letters
# enforce_for_root   # otherwise root is only warned when setting a weak password for a user

# Force user to change password at next login
sudo chage -d 0 user1

# Apply the ageing policy to an existing account
sudo chage -M 90 -m 7 -W 14 user1

# View user password expiration information
sudo chage -l user1
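
The settings above can be checked without logging in as the user. The script below is an added example, not code from the original tutorial: it reads a login.defs-style file, compares the ageing keys with the thresholds used in this section, and reproduces the negative-credit rule of pwquality.conf for a candidate password so the effect of `dcredit = -1` and the other credits is visible. The sample file contents are constructed; on a real host pass /etc/login.defs.

```shell
#!/usr/bin/env bash
# Added example: audit password-ageing defaults and emulate the pwquality
# credit rules from section 2.2. Runs unprivileged on a constructed sample;
# on a real host call: audit_login_defs /etc/login.defs
set -u

# Effective value of KEY in a login.defs-style file: comments skipped,
# last uncommented occurrence wins (how shadow-utils reads it).
defs_get() {  # defs_get FILE KEY
  awk -v key="$2" '$1 !~ /^#/ && $1 == key { v = $2 } END { print v }' "$1"
}

# Compare KEY against a bound; OP is a test(1) operator such as -le or -ge.
defs_check() {  # defs_check FILE KEY OP BOUND -> prints OK/FAIL, returns 0/1
  local val
  val=$(defs_get "$1" "$2")
  if [ -n "$val" ] && [ "$val" "$3" "$4" ] 2>/dev/null; then
    echo "OK   $2=$val"; return 0
  fi
  echo "FAIL $2=${val:-unset} (want $3 $4)"; return 1
}

# The section's baseline; exit status is the number of failing keys.
audit_login_defs() {  # audit_login_defs FILE
  local f=$1 fails=0
  defs_check "$f" PASS_MAX_DAYS -le 90 || fails=$((fails + 1))
  defs_check "$f" PASS_MIN_DAYS -ge 7  || fails=$((fails + 1))
  defs_check "$f" PASS_WARN_AGE -ge 14 || fails=$((fails + 1))
  return "$fails"
}

# pwquality semantics for "minlen = 12" with all four credits at -1:
# a negative credit is a required minimum count for that class, and no
# class adds length credit, so the raw length itself must reach minlen.
pw_meets_policy() {  # pw_meets_policy PASSWORD [MINLEN] -> 0 if acceptable
  local pw=$1 minlen=${2:-12}
  [ "${#pw}" -ge "$minlen" ] || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'        || return 1  # dcredit=-1
  printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'        || return 1  # ucredit=-1
  printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]'        || return 1  # lcredit=-1
  printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || return 1  # ocredit=-1
}

# Demonstration on a constructed login.defs holding the distribution defaults.
sample=$(mktemp)
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n' > "$sample"
audit_login_defs "$sample" || echo "$? of 3 ageing settings need attention"
pw_meets_policy 'Correct-Horse-9' && echo "password accepted" || echo "password rejected"
rm -f "$sample"
```

Note that `pw_meets_policy` covers only the class rules; the real module also rejects dictionary words, the user name, and passwords too similar to the old one.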

2.3 Sudo Configuration

# Check sudoers syntax (visudo locks the file and validates it before saving)
sudo visudo -c

# Add user to sudo group
sudo usermod -aG sudo user1  # Debian/Ubuntu
sudo usermod -aG wheel user1  # CentOS/RHEL

# Configure sudo permissions (always through visudo: a syntax error in sudoers locks everyone out of sudo)
sudo visudo
# Add the following configurations
# user1 ALL=(ALL) ALL  # User can execute all commands
# user1 ALL=(ALL) NOPASSWD: ALL  # User can execute commands without password (avoid for interactive accounts; anyone at the terminal is root)
# user1 ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/yum  # User can only execute specific commands
# Note: a package manager installs arbitrary software as root, so this still amounts to root access; restrict to specific subcommands (e.g. /usr/bin/apt update) where possible
# Drop-in files are preferred to editing the main sudoers file:
sudo visudo -f /etc/sudoers.d/user1

# View sudo logs
grep sudo /var/log/auth.log  # Debian/Ubuntu
grep sudo /var/log/secure  # CentOS/RHEL

# Test sudo permissions
sudo -l -U user1

2.4 PAM Configuration

# View PAM configuration files
ls /etc/pam.d/

# Configure login lockout. pam_tally2 has been removed from recent releases (RHEL 8+, Ubuntu 22.04+); use pam_faillock there.
# Order matters: the preauth line goes before pam_unix.so, the authfail line after it, and an "account" line is required or the lock is never enforced.
sudo nano /etc/pam.d/login
# Add the following configuration (pam_faillock)
# auth required pam_faillock.so preauth deny=3 unlock_time=600
# auth [default=die] pam_faillock.so authfail deny=3 unlock_time=600
# account required pam_faillock.so
# Older releases (pam_tally2)
# auth required pam_tally2.so deny=3 unlock_time=600
# account required pam_tally2.so
# On Debian/Ubuntu put the lines in /etc/pam.d/common-auth and common-account so every service shares the policy;
# on RHEL 8+ run "sudo authselect enable-feature with-faillock" and set deny/unlock_time in /etc/security/faillock.conf instead of editing pam.d by hand.

# View failed login attempts
sudo faillock  # pam_faillock
sudo pam_tally2  # pam_tally2

# Reset user failed login count
sudo faillock --user user1 --reset  # pam_faillock
sudo pam_tally2 -r -u user1  # pam_tally2

# Configure SSH login restrictions (same module in the sshd stack; even_deny_root also locks root, with its own unlock time)
sudo nano /etc/pam.d/sshd
# Add the following configuration
# auth required pam_faillock.so preauth deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
# auth [default=die] pam_faillock.so authfail deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
# account required pam_faillock.so
# Note: this only affects password and keyboard-interactive logins; public-key authentication does not go through the PAM auth stack. fail2ban (section 6.1) covers the network side.

3. Firewall Configuration

Firewalls are an important component of Linux security. They are used to control network traffic, prevent unauthorized access, and protect against network attacks.

3.1 iptables Configuration

# View iptables rules
sudo iptables -L -n

# View detailed rules
sudo iptables -L -n -v

# Clear all rules (this also removes the ACCEPT rules below; never run it over SSH while the INPUT policy is already DROP)
sudo iptables -F

# Allow local loopback
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established connections (keeps the current SSH session alive once the policy flips; "-m state --state" is the older spelling)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH connections
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP connections
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow HTTPS connections
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow Ping
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Set default policies LAST: switching INPUT to DROP before the ACCEPT rules exist locks remote sessions out
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# These rules are IPv4 only; repeat them with ip6tables or IPv6 stays wide open

# Save rules (a plain "sudo iptables-save > file" fails: the redirect is opened by your unprivileged shell, not by sudo)
sudo apt install iptables-persistent  # Debian/Ubuntu: creates /etc/iptables/rules.v4 and loads it at boot
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null  # Debian/Ubuntu
sudo yum install iptables-services  # CentOS/RHEL: stop and disable firewalld first, the two conflict
sudo service iptables save  # CentOS/RHEL

# Restore rules
sudo iptables-restore /etc/iptables/rules.v4  # Debian/Ubuntu
sudo systemctl restart iptables  # CentOS/RHEL
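
Typing the rules above one at a time over SSH has a familiar failure mode: if `iptables -P INPUT DROP` runs before the ACCEPT rules (or right after a flush), the session is gone. The script below is an added example, not part of the original tutorial. It writes the same ruleset in iptables-restore format so that policies and rules load atomically, adds the pre-flight checks worth running before applying, and wraps the apply step in a rollback timer. The SSH port, service ports, rollback path and 60-second window are assumptions; generation and the checks run unprivileged, `apply_with_rollback` needs root and the iptables tools, and IPv6 needs the same file fed to ip6tables-restore.

```shell
#!/usr/bin/env bash
# Added example: build the section 3.1 ruleset as one iptables-restore file
# (atomic load, policies and rules together) and apply it with a rollback.
# IPv4 only; feed the same output to ip6tables-restore for IPv6.
set -u

# Emit a complete filter table. Policies live in the table header, so there
# is no window in which INPUT is DROP without the ACCEPT rules present.
gen_ruleset() {  # gen_ruleset SSH_PORT [TCP_PORT ...]
  local ssh_port=$1 p
  shift
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
EOF
  for p in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
  # Log (rate-limited) what the policy is about to drop; invaluable when debugging lock-outs.
  printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4'
  printf '%s\n' 'COMMIT'
}

# Pre-flight checks: the management port must be allowed, and the file must
# start the filter table and end with COMMIT or iptables-restore loads nothing.
ruleset_allows_port() {  # ruleset_allows_port FILE PORT
  grep -q -- "--dport $2 " "$1"
}
ruleset_is_complete() {  # ruleset_is_complete FILE
  [ "$(tail -n 1 "$1")" = "COMMIT" ] && grep -q '^\*filter$' "$1"
}

# Load FILE, but schedule the previous ruleset to come back after 60 s.
# If the new rules cut you off, access returns by itself; if you can still
# log in, kill the timer to keep them. Requires root.
apply_with_rollback() {  # apply_with_rollback FILE
  iptables-save > /run/iptables.rollback
  iptables-restore "$1"
  (sleep 60 && iptables-restore /run/iptables.rollback) &
  echo "rules loaded; run 'kill $!' within 60 s to keep them"
}

# Demonstration: SSH moved to 2222, web ports open, written to a temp file.
out=$(mktemp)
gen_ruleset 2222 80 443 > "$out"
{ ruleset_is_complete "$out" && ruleset_allows_port "$out" 2222 && echo "ruleset OK: $out"; } || echo "ruleset check failed"
```

The INVALID drop and the LOG rule are additions beyond the section's list; the first discards packets that belong to no known connection, the second makes a lock-out diagnosable from the kernel log instead of a guess.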

3.2 firewalld Configuration

# Install firewalld
sudo apt install firewalld  # Debian/Ubuntu
sudo yum install firewalld  # CentOS/RHEL

# Start and enable firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld

# View firewalld status
sudo systemctl status firewalld
sudo firewall-cmd --state

# View default zone
sudo firewall-cmd --get-default-zone

# View zone list
sudo firewall-cmd --get-zones

# View current zone rules
sudo firewall-cmd --list-all

# Add services to default zone
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

# Add ports to default zone
sudo firewall-cmd --permanent --add-port=8080/tcp

# Reload configuration
sudo firewall-cmd --reload

# View added services
sudo firewall-cmd --list-services

# View added ports
sudo firewall-cmd --list-ports

# Remove service (removing ssh from the active zone of a remote host blocks your next login; keep one administrative path open)
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

3.3 ufw Configuration

# Install ufw
sudo apt install ufw  # Debian/Ubuntu

# View ufw status (verbose also shows the default policies)
sudo ufw status verbose

# Allow SSH connections BEFORE enabling: ufw defaults to "deny incoming", so enabling it first blocks every new login on a remote host
sudo ufw allow ssh

# Enable ufw
sudo ufw enable

# Disable ufw
sudo ufw disable

# Reset ufw rules (disables ufw and deletes every rule)
sudo ufw reset

# Allow HTTP connections
sudo ufw allow http

# Allow HTTPS connections
sudo ufw allow https

# Allow specific port
sudo ufw allow 8080/tcp

# Allow specific IP access
sudo ufw allow from 192.168.1.100

# Allow specific IP to access specific port
sudo ufw allow from 192.168.1.100 to any port 22

# Deny specific IP
sudo ufw deny from 192.168.1.200

# View ufw rules
sudo ufw status numbered

# Delete rule
sudo ufw delete 1

4. SSH Security Configuration

SSH (Secure Shell) is the primary method for remote login to Linux systems, and its security configuration is crucial for system security.

4.1 Basic SSH Configuration

# Edit the SSH server configuration. sshd uses the FIRST value it reads for a keyword, so change the existing line rather than appending a second one
sudo nano /etc/ssh/sshd_config

# Modify the following configurations
# Port 22 → Port 2222  # Change SSH port (defeats only the laziest scanners; open the new port in the firewall first, and on SELinux hosts run: sudo semanage port -a -t ssh_port_t -p tcp 2222)
# PermitRootLogin yes → PermitRootLogin no  # Disable root remote login
# MaxAuthTries 6 → MaxAuthTries 3  # Limit authentication attempts per connection
# LoginGraceTime 120 → LoginGraceTime 30  # Reduce login timeout
# PermitEmptyPasswords no  # Disable empty password login
# PasswordAuthentication yes → PasswordAuthentication no  # Disable password login, use key authentication (only after a key login has been tested, see 4.2)
# KbdInteractiveAuthentication no  # Also disable keyboard-interactive (ChallengeResponseAuthentication before OpenSSH 8.7), or PAM can still prompt for a password
# On Ubuntu 22.10 and later sshd is socket-activated: the listening port is set in ssh.socket, not in sshd_config

# Check the configuration for syntax errors before restarting (a broken file leaves sshd stopped, and you locked out)
sudo sshd -t

# Restart SSH service (the unit is named ssh on Debian/Ubuntu; sshd is an alias)
sudo systemctl restart sshd

# View SSH service status
sudo systemctl status sshd

4.2 SSH Key Authentication

# Generate SSH key pair (ed25519 is the current default choice; RSA 4096 only for servers that cannot accept it)
ssh-keygen -t ed25519 -C "user@example.com"
ssh-keygen -t rsa -b 4096 -C "user@example.com"  # legacy alternative

# Copy public key to server (this uses password login, so do it before PasswordAuthentication is set to no)
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server_ip

# Test SSH key login from a second terminal; keep the first session open until this works
ssh -i ~/.ssh/id_ed25519 user@server_ip

# Confirm that password login is refused after disabling password authentication (expect "Permission denied (publickey)")
ssh -o PubkeyAuthentication=no user@server_ip

# Configure SSH client (this is your own file, so no sudo; it must not be group or world writable)
nano ~/.ssh/config
# Add the following configuration
# Host server
#     HostName server_ip
#     User user
#     Port 2222
#     IdentityFile ~/.ssh/id_ed25519
chmod 600 ~/.ssh/config

# Test configuration
ssh server

4.3 SSH Access Control

# configuration allowed login users
sudo nano /etc/ssh/sshd_config
# Add the following configurations
# AllowUsers user1 user2  # Only allow specific users to login
# DenyUsers user3 user4  # Deny specific users from logging in
# AllowGroups sshusers  # Only allow users from specific groups to login
# DenyGroups badusers  # Deny users from specific groups from logging in

# Create SSH user group
sudo groupadd sshusers

# Add user to SSH user group
sudo usermod -aG sshusers user1

# Restart SSH service
sudo systemctl restart sshd
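
sshd resolves its configuration differently from most daemons: the first value it reads for a keyword wins, and everything after a Match line applies only to that block, so appending `PasswordAuthentication no` to a file that already says `yes` changes nothing. The checker below is an added example, not code from the original tutorial; it reads sshd_config with those rules and audits the settings from 4.1 and 4.3. The sample config is constructed, the defaults are those documented in sshd_config(5), and on a live host the result should be compared with `sudo sshd -T`, which prints the effective values.

```shell
#!/usr/bin/env bash
# Added example: resolve sshd_config the way sshd does (first value wins,
# directives after a Match line are conditional) and audit the settings from
# sections 4.1 and 4.3. The config is a constructed sample; on a live host
# compare with `sudo sshd -T`.
set -u

# Global value of KEYWORD (case-insensitive): first uncommented occurrence
# before any Match block. Prints nothing if the keyword is not set.
sshd_get() {  # sshd_get FILE KEYWORD
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# Compare a keyword with the wanted value; DEFAULT is what sshd assumes
# when the keyword is absent (from sshd_config(5)).
sshd_check() {  # sshd_check FILE KEYWORD WANT DEFAULT
  local val
  val=$(sshd_get "$1" "$2")
  val=$(printf '%s' "${val:-$4}" | tr '[:upper:]' '[:lower:]')
  if [ "$val" = "$3" ]; then echo "OK   $2 $val"; return 0; fi
  echo "FAIL $2 $val (want $3)"; return 1
}

# Exit status is the number of findings.
audit_sshd_config() {  # audit_sshd_config FILE
  local f=$1 fails=0 tries
  sshd_check "$f" PermitRootLogin        no  prohibit-password || fails=$((fails + 1))
  sshd_check "$f" PasswordAuthentication no  yes               || fails=$((fails + 1))
  sshd_check "$f" PermitEmptyPasswords   no  no                || fails=$((fails + 1))
  sshd_check "$f" PubkeyAuthentication   yes yes               || fails=$((fails + 1))
  tries=$(sshd_get "$f" MaxAuthTries); tries=${tries:-6}
  if [ "$tries" -le 3 ]; then echo "OK   MaxAuthTries $tries"
  else echo "FAIL MaxAuthTries $tries (want <= 3)"; fails=$((fails + 1)); fi
  # Section 4.3 expects an allow list; with neither keyword every account may log in.
  if [ -n "$(sshd_get "$f" AllowUsers)$(sshd_get "$f" AllowGroups)" ]; then echo "OK   AllowUsers/AllowGroups set"
  else echo "FAIL no AllowUsers/AllowGroups (every account may log in)"; fails=$((fails + 1)); fi
  return "$fails"
}

# Demonstration: the classic mistake of appending a second
# PasswordAuthentication line and expecting it to override the first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PasswordAuthentication yes
PermitRootLogin no
AllowGroups sshusers
# appended later, never takes effect:
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? finding(s); effective PasswordAuthentication is '$(sshd_get "$sample" PasswordAuthentication)'"
rm -f "$sample"
```

The parser handles the `Keyword value` form only (sshd also accepts `Keyword=value`) and ignores Include directives, which is why `sshd -T` remains the authority on a real host.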

# Restrict SSH by source network. TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) are no longer a reliable control: OpenSSH upstream dropped libwrap support in 6.7, distributions have since followed, and RHEL 8+ ships no tcp_wrappers at all. Check whether your sshd still honours them:
ldd /usr/sbin/sshd | grep libwrap  # no output means hosts.allow/hosts.deny are ignored by sshd

# Portable alternative 1: per-user source restrictions in sshd_config (USER@HOST patterns, HOST may be CIDR)
sudo nano /etc/ssh/sshd_config
# AllowUsers user1@192.168.1.0/24 user2@10.0.0.0/24

# Portable alternative 2: the firewall (see section 3)
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
sudo ufw allow from 10.0.0.0/24 to any port 22 proto tcp

# Only if the wrappers are still honoured on your host:
sudo nano /etc/hosts.allow
# sshd: 192.168.1.0/24 10.0.0.0/24  # Allow specific networks to access
sudo nano /etc/hosts.deny
# sshd: ALL  # Deny access from all other networks

5. SELinux and AppArmor

SELinux and AppArmor are security enhancement tools for Linux systems. They provide Mandatory Access Control (MAC) mechanisms to restrict process behavior.

5.1 SELinux Configuration

# View SELinux status
sestatus

# View SELinux mode
getenforce

# Temporarily set SELinux mode
sudo setenforce 0  # Set to permissive mode
sudo setenforce 1  # Set to enforcing mode

# Permanently set SELinux mode
sudo nano /etc/selinux/config
# Modify the following configuration
# SELINUX=enforcing → SELINUX=permissive  # Permissive mode: denials are logged but not blocked (for troubleshooting, not as a fix)
# SELINUX=enforcing → SELINUX=disabled  # Disable SELinux; returning to enforcing later requires a full relabel (sudo touch /.autorelabel, then reboot)

# View SELinux contexts
ls -Z
ps -Z

# Modify file SELinux context (chcon is temporary and lost on relabel; record the rule with semanage so restorecon reproduces it)
sudo chcon -t httpd_sys_content_t /var/www/html/file.html
sudo semanage fcontext -a -t httpd_sys_content_t /var/www/html/file.html

# Restore file default SELinux context (as recorded in the policy and the semanage rules)
sudo restorecon -v /var/www/html/file.html

# View SELinux booleans
getsebool -a | grep httpd

# Modify SELinux boolean
sudo setsebool -P httpd_can_network_connect 1

# View SELinux denials (ausearch needs auditd running; sealert comes with the setroubleshoot-server package)
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent
sudo sealert -a /var/log/audit/audit.log

5.2 AppArmor Configuration

# View AppArmor status
sudo apparmor_status

# View AppArmor profiles (usr.sbin.sshd below is an example name; list the directory to see which profiles your distribution actually ships)
sudo ls /etc/apparmor.d/

# View AppArmor profile content
sudo cat /etc/apparmor.d/usr.sbin.sshd

# Enforce AppArmor profile (violations are blocked and logged)
sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd

# Switch AppArmor profile to complain mode (violations are logged but allowed; this is not the same as disabling it)
sudo aa-complain /etc/apparmor.d/usr.sbin.sshd

# Disable AppArmor profile entirely
sudo aa-disable /etc/apparmor.d/usr.sbin.sshd

# Reload AppArmor configuration
sudo systemctl reload apparmor

# View AppArmor logs (denials are kernel audit messages containing apparmor="DENIED"; they appear in the journal, in /var/log/syslog, or in /var/log/audit/audit.log when auditd is running)
sudo journalctl -k | grep -i apparmor
sudo grep apparmor /var/log/syslog

# Generate AppArmor profile
sudo aa-genprof /usr/sbin/sshd

# Edit AppArmor profile
sudo nano /etc/apparmor.d/usr.sbin.sshd

# Restart AppArmor service
sudo systemctl restart apparmor

6. Intrusion Detection

Intrusion Detection Systems (IDS) are used to monitor system and network activities, detecting potential intrusion behaviors and security events.

6.1 fail2ban Configuration

# Install fail2ban
sudo apt install fail2ban  # Debian/Ubuntu
sudo yum install fail2ban  # CentOS/RHEL

# Start and enable fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

# View fail2ban status
sudo systemctl status fail2ban

# Configure fail2ban (do not copy jail.conf wholesale: jail.local should hold only your overrides, so package updates keep refreshing the defaults)
sudo nano /etc/fail2ban/jail.local

# Add the following configuration
#[DEFAULT]
#ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24  # never ban the management network
#findtime = 600  # failures are counted within this window
#maxretry = 3
#bantime = 3600
#
#[sshd]
#enabled = true
#port = ssh
#filter = sshd
#logpath = /var/log/auth.log  # Debian/Ubuntu
#logpath = /var/log/secure  # CentOS/RHEL
#backend = systemd  # hosts without a text auth log: read the journal instead

# Check that the filter actually matches your log format before relying on it
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

# View fail2ban status
sudo fail2ban-client status

# View specific jail status
sudo fail2ban-client status sshd

# Manually unban IP
sudo fail2ban-client set sshd unbanip 192.168.1.100

# Manually ban IP
sudo fail2ban-client set sshd banip 192.168.1.100

# Restart fail2ban service
sudo systemctl restart fail2ban
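
To see what the sshd jail is doing, here is its core detection written out as a stand-alone awk pass over an auth log. This is an added example, not part of fail2ban or of the original tutorial: it counts `Failed password` lines per source address, reports sources at or above maxretry, and prints the matching fail2ban-client commands for review. The log lines are constructed samples in the Debian/Ubuntu auth.log format using RFC 5737 documentation addresses. fail2ban's real filter also applies the findtime window and matches pre-authentication disconnect lines; both are left out here.

```shell
#!/usr/bin/env bash
# Added example: the core of the fail2ban sshd jail as a stand-alone awk pass
# over an auth log. Counts "Failed password" lines per source address and
# reports sources at or above maxretry. No findtime window (fail2ban limits
# the count to that period as well).
set -u

# Print "IP COUNT" for every source with at least MAXRETRY failed SSH logins.
# Covers both "Failed password for USER" and "... for invalid user USER".
find_brute_force() {  # find_brute_force LOGFILE MAXRETRY
  awk -v max="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
  ' "$1" | LC_ALL=C sort
}

# Translate findings into the fail2ban-client commands from this section,
# so the ban list can be reviewed before anything touches the firewall.
ban_commands() {  # ban_commands LOGFILE MAXRETRY JAIL
  find_brute_force "$1" "$2" | while read -r ip n; do
    echo "sudo fail2ban-client set $3 banip $ip   # $n failures"
  done
}

# Demonstration on constructed log lines (RFC 5737 documentation addresses).
# The last line is a pre-auth disconnect that the real filter also counts
# but this simplified pass ignores.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50000 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 50002 ssh2
Mar  3 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 50004 ssh2
Mar  3 10:00:09 host sshd[1207]: Accepted publickey for user1 from 192.0.2.10 port 51000 ssh2
Mar  3 10:01:00 host sshd[1209]: Failed password for user1 from 192.0.2.10 port 51002 ssh2
Mar  3 10:01:30 host sshd[1211]: Connection closed by authenticating user root 198.51.100.4 port 40000 [preauth]
EOF
ban_commands "$sample" 3 sshd
rm -f "$sample"
```

With maxretry 3 only 203.0.113.7 is reported; the single typo from 192.0.2.10 stays below the threshold, which is exactly the behaviour the `maxretry` setting buys you against locking out legitimate users.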

6.2 OSSEC Configuration

# Download OSSEC (verify the checksum or signature published for the release before building)
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz

# Extract OSSEC
tar -xzvf 3.6.0.tar.gz

# Install OSSEC (builds from source: a C toolchain and the libraries listed in the project's README must be installed first; the installer must run as root)
cd ossec-hids-3.6.0
sudo ./install.sh

# Follow the prompts to configure installation ("local" for a single host; "server" and "agent" for a central manager with agents)

# Start OSSEC
sudo /var/ossec/bin/ossec-control start

# Stop OSSEC
sudo /var/ossec/bin/ossec-control stop

# View OSSEC status
sudo /var/ossec/bin/ossec-control status

# View OSSEC logs
sudo tail -f /var/ossec/logs/alerts/alerts.log

# View OSSEC configuration file
sudo nano /var/ossec/etc/ossec.conf

# Restart OSSEC
sudo /var/ossec/bin/ossec-control restart

7. Security Hardening

Security hardening is an important measure to improve system security, including system configuration optimization, service management, file permission settings, and more.

7.1 System Hardening

# Disable unnecessary services (--now also stops the running instance; check "systemctl list-units --type=service" first and confirm nothing depends on them)
sudo systemctl disable --now bluetooth
sudo systemctl disable --now cups
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now rpcbind rpcbind.socket  # rpcbind is socket-activated; disabling the service alone leaves the socket listening

# Enable necessary security services
sudo systemctl enable --now fail2ban
sudo systemctl enable ufw  # or firewalld

# Configure system kernel parameters (the "all" keys affect interfaces that already exist; the matching "default" keys apply to interfaces created later, so set both)
sudo nano /etc/sysctl.conf
# Add the following configurations
# Prevent SYN flood attacks
net.ipv4.tcp_syncookies = 1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Disable ICMP redirects (accepting and sending)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log packets with impossible source addresses
net.ipv4.conf.all.log_martians = 1
# Disable IP forwarding (if not a router; Docker and other container runtimes need it and will switch it back on)
net.ipv4.ip_forward = 0

# Apply kernel parameters (sysctl -p reads /etc/sysctl.conf only; "sysctl --system" also loads /etc/sysctl.d/*.conf, where later files override earlier ones)
sudo sysctl -p
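
`sysctl -p` reports what the file says, not what the kernel is running: a later file in /etc/sysctl.d, cloud-init or a container runtime can change a value afterwards (Docker, for instance, turns ip_forward back on). The added example below, which is not from the original tutorial, reads the live values from /proc/sys and reports drift from the baseline above, including the per-interface default.* keys that newly created interfaces inherit. The tree root is a parameter so the check can be exercised on a constructed directory without root; the baseline values are the ones from this section.

```shell
#!/usr/bin/env bash
# Added example: confirm the sysctl hardening above is live by reading
# /proc/sys instead of trusting /etc/sysctl.conf. ROOT is a parameter so
# the check can run on a constructed tree without root; on a real host
# call check_sysctl_drift with no argument (defaults to /proc/sys).
set -u

# Wanted values, "key value" per line: the section's keys plus the
# per-interface defaults that new interfaces inherit.
SYSCTL_BASELINE='
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.ip_forward 0
'

# Read one parameter from a proc-style tree (dots become directories).
sysctl_read() {  # sysctl_read ROOT KEY -> prints the value, fails if absent
  local path="$1/$(printf '%s' "$2" | tr . /)"
  [ -r "$path" ] && tr -d '[:space:]' < "$path"
}

# Compare every baseline key; prints one line per deviation.
# Exit status is the number of deviations (a MISSING key counts as one).
check_sysctl_drift() {  # check_sysctl_drift [ROOT]
  local root=${1:-/proc/sys} drift=0 key want got
  while read -r key want; do
    [ -n "$key" ] || continue
    got=$(sysctl_read "$root" "$key") || got=""
    if [ -z "$got" ]; then
      echo "MISSING $key (no such parameter under $root)"; drift=$((drift + 1))
    elif [ "$got" != "$want" ]; then
      echo "DRIFT   $key = $got (want $want)"; drift=$((drift + 1))
    fi
  done <<EOF
$SYSCTL_BASELINE
EOF
  return "$drift"
}

# Build a proc-style tree holding the baseline values (demonstration only).
make_sample_tree() {  # make_sample_tree DIR
  local key want path
  while read -r key want; do
    [ -n "$key" ] || continue
    path="$1/$(printf '%s' "$key" | tr . /)"
    mkdir -p "$(dirname "$path")"
    printf '%s\n' "$want" > "$path"
  done <<EOF
$SYSCTL_BASELINE
EOF
}

# Demonstration: a compliant tree, then the same tree with forwarding
# switched on behind our back.
tree=$(mktemp -d)
make_sample_tree "$tree"
check_sysctl_drift "$tree" && echo "baseline: no drift"
printf '1\n' > "$tree/net/ipv4/ip_forward"
check_sysctl_drift "$tree" || echo "$? parameter(s) drifted"
rm -rf "$tree"
```

Run it from cron or a configuration-management check and alert on a non-zero exit; the IPv6 keys from the section can be appended to the baseline on hosts where IPv6 is enabled (on hosts where it is not, they are absent from /proc/sys and would be reported as MISSING).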

# Configure login banner (/etc/motd is shown after login; the pre-login notice belongs in /etc/issue for the console and in /etc/issue.net plus "Banner /etc/issue.net" in sshd_config for SSH)
sudo nano /etc/issue.net
# Add warning message

# Configure shell history (history sizes are not a security control: a user can edit or clear their own history; use auditd or pam_tty_audit for tamper-resistant command logging)
sudo nano /etc/profile
# Add the following configuration
# HISTTIMEFORMAT="%F %T "  # timestamp each entry
# HISTSIZE=1000
# HISTFILESIZE=2000

# Configure automatic logout
sudo nano /etc/profile
# Add the following configuration
# TMOUT=300  # 5 minutes idle automatic logout
# readonly TMOUT  # otherwise the user can simply unset it
# export TMOUT

7.2 File System Security

# View file permissions
ls -la

# Modify file permissions
chmod 644 file.txt
chmod 755 directory

# Modify file owner
chown user1:user1 file.txt

# Modify directory permissions recursively
chmod -R 755 directory
chown -R user1:user1 directory

# Check important file permissions (these are distribution defaults: the point is to make sure they have not been loosened, not to change them. /etc/shadow is 640 root:shadow on Debian/Ubuntu and 000 on CentOS/RHEL; forcing it to 600 breaks the helpers in the shadow group on Debian)
ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow
sudo chmod 644 /etc/passwd
sudo chmod 644 /etc/group

# Find SUID/SGID files (-xdev skips /proc, /sys and other mounts, so repeat per filesystem if /home, /var or /tmp are separate; keep the list and diff it after changes)
sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls

# Find world-writable files, and world-writable directories missing the sticky bit
sudo find / -xdev -type f -perm -0002 -ls
sudo find / -xdev -type d -perm -0002 ! -perm -1000 -ls
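
A one-off listing of setuid files is hard to act on because every host legitimately has dozens of them. The script below is an added example, not from the original tutorial: it records the SUID/SGID list as a baseline and reports only what has been added or removed since, which is how a new setuid binary (a classic persistence and privilege-escalation artefact) becomes a one-line finding. The root directory and the baseline path are parameters, so the functions are exercised on a constructed directory without root; on a real host run them with sudo against `/`.

```shell
#!/usr/bin/env bash
# Added example: turn the SUID/SGID find above into a baseline check.
# ROOT is a parameter so the functions can run on a constructed directory
# without root; on a real host: sudo ... save_suid_baseline / /var/lib/suid.baseline
set -u

# SUID/SGID regular files under ROOT, sorted in the C locale for comm(1).
# -xdev stays on the starting filesystem (skips /proc, /sys, network mounts).
scan_suid() {  # scan_suid ROOT
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# World-writable files, and world-writable directories without the sticky bit.
scan_world_writable() {  # scan_world_writable ROOT
  { find "$1" -xdev -type f -perm -0002 -print
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print; } 2>/dev/null | LC_ALL=C sort
}

# Record the current SUID/SGID list. Keep the file where an attacker who
# gains root on this host cannot quietly edit it (off-box, or signed).
save_suid_baseline() {  # save_suid_baseline ROOT BASELINE_FILE
  scan_suid "$1" > "$2"
}

# Print "+ path" for entries added since the baseline and "- path" for
# entries removed. Exit status 1 when anything was added.
diff_suid_baseline() {  # diff_suid_baseline ROOT BASELINE_FILE
  local now added
  now=$(scan_suid "$1")
  added=$(printf '%s\n' "$now" | LC_ALL=C comm -13 "$2" - | sed '/^$/d')
  printf '%s\n' "$now" | LC_ALL=C comm -23 "$2" - | sed 's/^/- /'
  printf '%s\n' "$added" | sed '/^$/d; s/^/+ /'
  [ -z "$added" ]
}

# Demonstration on a constructed tree: one known setuid file goes into the
# baseline, then a new one appears.
root=$(mktemp -d)
base=$(mktemp)
mkdir -p "$root/usr/bin"
: > "$root/usr/bin/known";   chmod 4755 "$root/usr/bin/known"
: > "$root/usr/bin/regular"; chmod 755  "$root/usr/bin/regular"
save_suid_baseline "$root" "$base"
: > "$root/usr/bin/dropped"; chmod 4755 "$root/usr/bin/dropped"
diff_suid_baseline "$root" "$base" || echo "new setuid binary found"
rm -rf "$root" "$base"
```

Re-save the baseline only after a package update you have reviewed; a removed entry is usually harmless, an added one is a finding until explained.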

# Configure file system mount options. nosuid/noexec/nodev belong on temporary and data file systems only: with nosuid or noexec on / nothing executes and sudo, su and passwd stop working. noexec on /tmp can break package post-install scripts that run from there, so test updates afterwards
sudo nano /etc/fstab
# Add the following options
# /dev/sda2 /home ext4 defaults,nosuid,nodev 0 2   # add noexec only if users never run scripts or builds from their home directory
# /dev/sda3 /tmp ext4 defaults,nosuid,noexec,nodev 0 2
# tmpfs /dev/shm tmpfs defaults,nosuid,noexec,nodev 0 0

# Remount file systems (remount without a device re-reads the options from fstab)
sudo mount -o remount /home
sudo mount -o remount /tmp
sudo mount -o remount /dev/shm

7.3 Network Security

# View listening sockets and the process behind each (ss replaces the deprecated netstat; -p needs root)
sudo ss -tulnp
sudo netstat -tulnp

# View listening TCP ports only (anything bound to 0.0.0.0 or [::] that is not meant to be public should listen on localhost or be firewalled)
sudo ss -tlnp
sudo netstat -tlnp

# View established connections
sudo netstat -ant | grep ESTABLISHED
sudo ss -ant | grep ESTABLISHED

# View network interface configuration (ifconfig is deprecated and often not installed; ip is the replacement)
ip addr show
sudo ifconfig

# Disable IPv6 (if not needed)
sudo nano /etc/sysctl.conf
# Add the following configurations
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1

# Apply kernel parameters
sudo sysctl -p

# TCP Wrappers (/etc/hosts.allow, /etc/hosts.deny) are only consulted by daemons linked against libwrap. OpenSSH dropped that support in 6.7, distributions have since followed, and RHEL 8+ no longer ships the library, so do not rely on these files on a modern host; check with "ldd /usr/sbin/sshd | grep libwrap". The firewall rules in section 3 are the portable replacement. Where the wrappers still apply:
sudo nano /etc/hosts.allow
# Add allowed services and IPs
# sshd: 192.168.1.0/24

sudo nano /etc/hosts.deny
# Add denied services (ALL: ALL also affects every other wrapped daemon on the host)
# ALL: ALL

8. Encryption Techniques

Encryption techniques are important means to protect data security, used to prevent unauthorized access and data breaches.

8.1 Data Encryption

# Install GnuPG
sudo apt install gnupg  # Debian/Ubuntu
sudo yum install gnupg  # CentOS/RHEL

# Generate GPG key pair
gpg --gen-key

# View GPG key list
gpg --list-keys

# Encrypt file
gpg --encrypt --recipient user@example.com file.txt

# Decrypt file
gpg --decrypt file.txt.gpg > file.txt

# Sign file (--sign wraps the file into file.txt.gpg; --detach-sign writes a separate file.txt.sig and leaves the original untouched, which is what you want for distributed files)
gpg --detach-sign file.txt

# Verify signature
gpg --verify file.txt.sig file.txt

# Export public key
gpg --export --armor user@example.com > public.key

# Import public key
gpg --import public.key

# Install openssl
sudo apt install openssl  # Debian/Ubuntu
sudo yum install openssl  # CentOS/RHEL

# Encrypt file using openssl (-pbkdf2 replaces the weak legacy key derivation that current openssl warns about; AES-CBC has no integrity check, so prefer gpg for files that leave the host)
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -in file.txt -out file.txt.enc

# Decrypt file using openssl (the same KDF options are required)
openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -in file.txt.enc -out file.txt

# Generate random password
openssl rand -base64 32

8.2 SSL/TLS Configuration

# Generate private key
openssl genrsa -out server.key 2048

# Generate Certificate Signing Request (CSR); modern clients ignore the CN and require a subjectAltName (-addext needs OpenSSL 1.1.1+)
openssl req -new -key server.key -addext "subjectAltName=DNS:example.com" -out server.csr

# Generate self-signed certificate (x509 -req drops the CSR's extensions unless told to copy them; -copy_extensions needs OpenSSL 3.0+, older versions use -extfile)
openssl x509 -req -days 365 -in server.csr -signkey server.key -copy_extensions copy -out server.crt

# View certificate information
openssl x509 -in server.crt -text -noout

# Verify certificate (a self-signed certificate is only trusted if you name it as the anchor; plain "openssl verify server.crt" fails with "self-signed certificate")
openssl verify -CAfile server.crt server.crt
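
The two points that most often go wrong with self-signed certificates are the missing subjectAltName and the verify step. The script below is an added example, not from the original tutorial: it issues a certificate with a SAN in one step, verifies it with itself as trust anchor, and checks the hostname binding for both a right and a wrong name. example.com is a placeholder, files go to a temporary directory, and OpenSSL 1.1.1 or later is assumed for `-addext`, `-ext` and `-verify_hostname`.

```shell
#!/usr/bin/env bash
# Added example: self-signed certificate with a subjectAltName, verified the
# way a client would (trust anchor named explicitly, hostname checked).
# example.com is a placeholder; requires OpenSSL 1.1.1 or later.
set -u

# Key and certificate for HOST in one step: P-256 EC key, 365 days,
# SAN covering the bare host and its www label.
make_selfsigned() {  # make_selfsigned HOST KEYFILE CRTFILE
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$2" -out "$3" -days 365 -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1,DNS:www.$1" 2>/dev/null
  chmod 600 "$2"   # the private key must not be readable by other users
}

# Verify CRT with itself as anchor and check it is valid for HOST.
# Plain "openssl verify server.crt" fails here with "self-signed certificate".
verify_for_host() {  # verify_for_host CRTFILE HOST
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# The SAN list as "DNS:a,DNS:b", so the check can be read rather than assumed.
cert_sans() {  # cert_sans CRTFILE
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | tr -d ' '
}

# Demonstration: issue for example.com, verify for a right and a wrong name.
dir=$(mktemp -d)
make_selfsigned example.com "$dir/server.key" "$dir/server.crt"
echo "SAN: $(cert_sans "$dir/server.crt")"
verify_for_host "$dir/server.crt" www.example.com && echo "valid for www.example.com"
verify_for_host "$dir/server.crt" other.example   || echo "rejected for other.example (expected)"
rm -rf "$dir"
```

An EC P-256 key is accepted by every current browser and by the Nginx configuration below; for a certificate the public will see, replace the self-signing with a CSR submitted to a CA, keeping the same SAN.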

# Install certificate (the private key must not be world-readable)
sudo cp server.crt /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/
sudo chmod 600 /etc/ssl/private/server.key

# Configure web server to use SSL/TLS
# Nginx configuration example
sudo nano /etc/nginx/sites-available/example.com
# Add the following configuration
# server {
#     listen 443 ssl;
#     server_name example.com;
#     
#     ssl_certificate /etc/ssl/certs/server.crt;
#     ssl_certificate_key /etc/ssl/private/server.key;
#     
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_prefer_server_ciphers on;
#     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
#     
#     root /var/www/example.com;
#     index index.html;
# }

# Test the configuration and reload Nginx (reload keeps serving during the switch; a failed test leaves the running configuration untouched)
sudo nginx -t && sudo systemctl reload nginx

9. Security Auditing

Security auditing is an important means to monitor and evaluate system security status, including log analysis, security scanning, and vulnerability assessment.

9.1 Log Management

# View system logs
sudo tail -f /var/log/syslog  # Debian/Ubuntu
sudo tail -f /var/log/messages  # CentOS/RHEL

# View authentication logs
sudo tail -f /var/log/auth.log  # Debian/Ubuntu
sudo tail -f /var/log/secure  # CentOS/RHEL

# View kernel logs
sudo tail -f /var/log/kern.log  # Debian/Ubuntu
sudo journalctl -k -f  # any systemd host

# View boot logs
sudo tail -f /var/log/boot.log

# View application logs
sudo tail -f /var/log/apache2/error.log  # Apache
sudo tail -f /var/log/nginx/error.log  # Nginx
sudo tail -f /var/log/mysql/error.log  # MySQL

# Configure log rotation
sudo nano /etc/logrotate.conf

# View log rotation configurations
sudo ls /etc/logrotate.d/

# Use journalctl to view systemd logs
sudo journalctl
sudo journalctl -f
sudo journalctl -u sshd
sudo journalctl --since "1 hour ago"
sudo journalctl --until "1 hour ago"

# View log disk usage
sudo journalctl --disk-usage

# Clean logs
sudo journalctl --vacuum-time=1d
sudo journalctl --vacuum-size=100M

9.2 Security Scanning

# Install Nmap
sudo apt install nmap  # Debian/Ubuntu
sudo yum install nmap  # CentOS/RHEL

# Scan open ports (a SYN scan needs root; scan only hosts you are authorised to test, and scan from a different machine to see what the firewall actually exposes)
sudo nmap -sS -sV -p- server_ip

# Scan specific ports
sudo nmap -sS -sV -p 22,80,443 server_ip

# Scan network
sudo nmap -sS -sV 192.168.1.0/24

# Install OpenVAS/Greenbone (packaging differs by distribution: the openvas/gvm packages and the gvm-setup helper come from Kali; on Debian/Ubuntu and CentOS/RHEL follow the Greenbone documentation for the current install route)
sudo apt install openvas  # Debian/Ubuntu
sudo yum install openvas  # CentOS/RHEL

# Start and configure OpenVAS
sudo gvm-setup

# Access OpenVAS web interface
# https://server_ip:9392

# Install Lynis
sudo apt install lynis  # Debian/Ubuntu
sudo yum install lynis  # CentOS/RHEL

# Run security audit
sudo lynis audit system

# View Lynis report
sudo cat /var/log/lynis-report.dat

# Check system updates
sudo apt update && sudo apt list --upgradable  # Debian/Ubuntu
sudo yum check-update  # CentOS/RHEL

# Check system vulnerabilities
sudo apt install debsecan  # Debian/Ubuntu
sudo debsecan

10. Security Practice

10.1 Case Objective

Configure security measures for a Linux server, including user authentication, firewall, SSH security, intrusion detection, and system hardening.

10.2 Implementation Steps

10.2.1 User Authentication Configuration

# Create user and set strong password
sudo useradd -m -s /bin/bash user1
sudo passwd user1

# Configure password policy
sudo nano /etc/login.defs
# Modify the following configurations
# PASS_MAX_DAYS   99999 → PASS_MAX_DAYS   90
# PASS_MIN_DAYS   0 → PASS_MIN_DAYS   7
# PASS_WARN_AGE   7 → PASS_WARN_AGE   14

# Configure password quality checking (minlen here takes the place of PASS_MIN_LEN, which PAM does not enforce)
sudo nano /etc/security/pwquality.conf
# Add the following configurations
# minlen = 12
# dcredit = -1
# ucredit = -1
# ocredit = -1
# lcredit = -1

# Add user to sudo group
sudo usermod -aG sudo user1  # Debian/Ubuntu
sudo usermod -aG wheel user1  # CentOS/RHEL

10.2.2 Firewall Configuration

# Allow the necessary services first, then enable: enabling ufw with its default "deny incoming" policy before the SSH rule exists blocks every new login
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Enable ufw
sudo ufw enable

# View firewall status
sudo ufw status verbose

# ufw is a front end for iptables and rewrites the tables on reload, so do not add raw iptables rules alongside it. If you manage iptables directly instead of ufw, keep the ordering from section 3.1: ACCEPT rules first, policies last
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Save iptables rules (requires the iptables-persistent package; the redirect must be opened by root, hence tee)
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

10.2.3 SSH Security Configuration

# Generate SSH key pair and copy it to the server while password login still works
ssh-keygen -t ed25519 -C "user1@example.com"
ssh-copy-id -i ~/.ssh/id_ed25519.pub user1@server_ip

# Confirm the key works before anything is disabled
ssh -i ~/.ssh/id_ed25519 user1@server_ip

# Open the new port in the firewall before moving sshd to it
sudo ufw allow 2222/tcp
sudo semanage port -a -t ssh_port_t -p tcp 2222  # SELinux hosts only

# Configure SSH (edit the existing lines; a second occurrence of a keyword is ignored by sshd)
sudo nano /etc/ssh/sshd_config
# Modify the following configurations
# Port 22 → Port 2222
# PermitRootLogin yes → PermitRootLogin no
# MaxAuthTries 6 → MaxAuthTries 3
# LoginGraceTime 120 → LoginGraceTime 30
# PasswordAuthentication yes → PasswordAuthentication no

# Check the syntax, then restart the SSH service, keeping the current session open
sudo sshd -t && sudo systemctl restart sshd

# Test SSH login on the new port from a second terminal; only then close the old port
ssh -p 2222 user1@server_ip
sudo ufw delete allow ssh

10.2.4 Intrusion Detection Configuration

# Install fail2ban
sudo apt install fail2ban  # Debian/Ubuntu
sudo yum install fail2ban  # CentOS/RHEL

# Configure fail2ban (overrides only; leave jail.conf untouched)
sudo nano /etc/fail2ban/jail.local
# Add the following configuration
#[DEFAULT]
#ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24  # never ban the management network
#findtime = 600
#maxretry = 3
#bantime = 3600
#
#[sshd]
#enabled = true
#port = 2222  # must match the Port set in sshd_config
#filter = sshd
#logpath = /var/log/auth.log  # Debian/Ubuntu
#logpath = /var/log/secure  # CentOS/RHEL

# Start and enable fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

# View fail2ban status
sudo fail2ban-client status

# Install OSSEC (optional)
# Follow the OSSEC installation steps above for installation and configuration

10.2.5 System Hardening

# Disable unnecessary services (--now also stops the running instance)
sudo systemctl disable --now bluetooth
sudo systemctl disable --now cups
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now rpcbind rpcbind.socket

# Configure system kernel parameters (set both the "all" and the "default" keys so interfaces created later inherit the hardening)
sudo nano /etc/sysctl.conf
# Add the following configurations
# Prevent SYN flood attacks
net.ipv4.tcp_syncookies = 1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Disable ICMP redirects (accepting and sending)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log packets with impossible source addresses
net.ipv4.conf.all.log_martians = 1
# Disable IP forwarding (if not a router; container runtimes need it and will switch it back on)
net.ipv4.ip_forward = 0

# Apply kernel parameters, then confirm the live values rather than trusting the file
sudo sysctl -p
sudo sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter

# Configure file system mount options (nosuid/noexec/nodev on temporary and data file systems only; never on /, which would break every setuid binary and stop anything from executing)
sudo nano /etc/fstab
# Add the following options
# /dev/sda2 /home ext4 defaults,nosuid,nodev 0 2
# /dev/sda3 /tmp ext4 defaults,nosuid,noexec,nodev 0 2
# tmpfs /dev/shm tmpfs defaults,nosuid,noexec,nodev 0 0

# Remount file systems
sudo mount -o remount /home
sudo mount -o remount /tmp
sudo mount -o remount /dev/shm

# Check important file permissions (keep the distribution defaults: /etc/shadow is 640 root:shadow on Debian/Ubuntu and 000 on CentOS/RHEL, and neither should be changed to 600)
ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow
sudo chmod 644 /etc/passwd
sudo chmod 644 /etc/group

# Find and review insecure file permissions (save the SUID/SGID list and diff it on later runs)
sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls
sudo find / -xdev -type f -perm -0002 -ls
sudo find / -xdev -type d -perm -0002 ! -perm -1000 -ls

11. Interactive Exercises

Exercise 1: User Authentication Configuration

Perform the following operations:

  • 1. Create a new user and set a strong password.
  • 2. Configure the password policy so that passwords are at least 12 characters long and contain uppercase and lowercase letters, digits, and special characters.
  • 3. Add the user to the sudo group and configure sudo permissions.
  • 4. Configure PAM (pam_faillock, or pam_tally2 on older releases) to allow 3 login attempts and lock the account for 600 seconds after that.
  • 5. Test user login and sudo permissions.

Exercise 2: Firewall Configuration

Perform the following operations:

  • 1. Enable and configure ufw, allowing SSH, HTTP, and HTTPS (allow SSH before enabling).
  • 2. Configure iptables with the default INPUT policy set to DROP, allowing only the necessary traffic.
  • 3. Save the iptables rules so that they remain in effect after a reboot.
  • 4. Test the firewall rules to confirm that SSH, HTTP, and HTTPS are reachable.
  • 5. Test whether other ports are correctly blocked.

Exercise 3: SSH Security Configuration

Perform the following operations:

  • 1. Modify the SSH configuration to change the default port to 2222 and disable root remote login.
  • 2. Configure SSH to use key authentication and disable password login.
  • 3. Generate an SSH key pair and copy the public key to the server before password login is disabled.
  • 4. Restart the SSH service and test logging in with the key.
  • 5. Restrict SSH access to specific networks with a firewall rule or per-user AllowUsers user@network entries in sshd_config.

Exercise 4: Intrusion Detection Configuration

Perform the following operations:

  • 1. Install and configure fail2ban to monitor SSH login attempts.
  • 2. Configure fail2ban to ban an IP address for 3600 seconds after 3 failed login attempts.
  • 3. Test fail2ban from a second machine by deliberately entering the wrong password 3 times and check that it is banned (make sure your own management network is listed in ignoreip first).
  • 4. Manually unban the banned IP.
  • 5. Install and configure OSSEC for more comprehensive intrusion detection.