Securing your environment starts during the ordering process when you are deploying server resources. Sometimes you want to deploy a quick server without putting it behind an extra hardware firewall layer or deploying it with an APF (Advanced Policy Firewall). Here are a couple of security hardening tips I have set on my Linux template to give me a solid base level of security whenever I deploy a Linux system.
Note: The following instructions assume that you are using CentOS or Red Hat Enterprise Linux.
- Set the root password with passwd. Make sure it's strong.
- Don't plan on using root for day-to-day work. Create a regular user and set its password with passwd <username> (make sure this is a strong password that's different from your root password).
- Enforce password aging: chage -M 60 -m 7 -W 7 <username>
- -M: Maximum number of days the password is valid
- -m: Minimum number of days required between password changes
- -W: The number of days before expiration that the user is warned
- When you need super-user permissions, use sudo. sudo is more secure than using su: when a user runs root-level commands through sudo, every command is logged by default in /var/log/secure. Furthermore, users have to authenticate themselves to run sudo commands, and that authentication only stays valid for a short period of time.
Telnet doesn't encrypt anything; everything goes over the wire as plain text. I recommend using the SSH protocol for remote logins and file transfers, since SSH encrypts the communication with your server. SSH is still open to many different types of attacks, though, so I suggest the following to lock it down a little bit more:
- Remove the ability to SSH as root: in /etc/ssh/sshd_config, find the line #PermitRootLogin yes and change it to PermitRootLogin no, then apply the change with service sshd restart.
- Change the default SSH port (22). You can also use RSA keys instead of passwords for extra protection.
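The following audit script is an added example and not part of the original post. It checks the two SSH items above against an sshd_config file, assuming (as OpenSSH does) that the first uncommented occurrence of a directive wins and that a commented-out line only shows the compiled-in default; the sample config it runs on is constructed inline.

```bash
#!/bin/bash
# Audit helper for the SSH hardening items above: reports the effective value
# of sshd_config directives and flags root login and the default port 22.
# Assumption: sshd takes the first uncommented occurrence of a directive;
# a line such as "#PermitRootLogin yes" is only a comment showing the default.

# Effective value of a directive: first non-comment match wins, otherwise the
# caller-supplied default (what sshd uses when nothing is set explicitly).
sshd_value() {
    # $1 = config file, $2 = directive name (case-insensitive), $3 = default
    local found
    found=$(awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    printf '%s\n' "${found:-$3}"
}

# Returns 0 when the file passes both checks, 1 otherwise; findings on stdout.
audit_sshd() {
    local cfg="$1" rc=0 root port
    root=$(sshd_value "$cfg" PermitRootLogin yes)
    port=$(sshd_value "$cfg" Port 22)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$root' (want no)"; rc=1
    else
        echo "OK:   PermitRootLogin no"
    fi
    if [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22"; rc=1
    else
        echo "OK:   Port $port"
    fi
    return $rc
}

# Constructed sample: the stock lines are still commented out, so the defaults
# (root login allowed, port 22) are what sshd would actually use.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
audit_sshd "$SAMPLE_CFG" || echo "sample config still needs hardening"
rm -f "$SAMPLE_CFG"
```

Run it against /etc/ssh/sshd_config after editing to confirm the change actually took effect rather than just uncommenting the default.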
Use sudo with yum to get updates in Red Hat or CentOS (sudo yum update). Also keep an eye on what is installed:
- List what is installed: yum list installed
- Look up a specific package: yum list <package-name>
- Remove a package you don't need: yum remove <package-name>
- I recommend
- System boot log:
- Authentication log:
- Login records file: /var/log/utmp or /var/log/wtmp
- Where whole system logs or current activity are available:
- Authentication logs:
- Kernel logs:
- Crond logs (cron job):
- Mail server logs:
You can even ship these logs to a separate bare metal server so that intruders cannot easily modify them.
This is just the tip of the iceberg when it comes to securing your Linux server. It is not the most secure configuration, but it gives you breathing room when you have to deploy quick servers for short-duration tests and the like. You can build more security into a server later if it becomes a longer-lived, more permanent system.
- Darrel Haswell
Darrel Haswell is an advisory SoftLayer Business Partner Solution Architect.