The Linux operating system has already been proven to be very reliable and secure. It is often the most popular operating system found on web servers largely accredited to its track record in security, but can it be improved?
1. Use SELinux
Security Enhanced Linux was originally developed for The National Security Agency and is now merged with the 2.6 kernel to provide some additional security measures to the Linux operating system. Enabling SELinux is probably one of the most important things you can do if you care about creating a ridiculously secure operating system.
“While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.” SELinux
Although SELinux is one of the best things you can do in regards to security, it may not be right for everyone. The main criticism to SELinux is the difficulty in setting up and maintaining the system.
Fedora comes with SELinux enabled by default.
2. Subscribe to a Vulnerability Alert Service
Often times it is not the operating system itself that is vulnerable. Vulnerabilities are usually found in the applications and additional services that are installed on the system itself. One of the best ways to stay secure is to make sure you have the latest version of the application and that there are no known vulnerabilities for the version you have.
Here are some of my favorite alert services:
If you find your email/rss reader is filling up with too many vulnerabilities that down effect the applications you are using, check out OSVDB and subscribe to vulnerability alerts for only the applications that you use.
3. Disable Unused Services and Applications
We know that applications are almost always the cause of vulnerabilities and for this reason it is best to disable anything that you don’t use. OpenBSD is touted as one of the most secure distributions in existence. According to OpenBSD and their philosophy
All non-essential services are disabled. OpenBSD claims, “Only two remote holes in the default install, in a heck of a long time!“. Disabling unneeded services and applications is a huge contributor to OpenBSD’s security record.
Learn from one of the most secure operating system and disable services that you are not using.
4. Check System Logs
If you are subscribed to NixTutor you should have a pretty good grasp on how to monitor logs and search through them. Checking system logs will often be the first way to check if a system has been compromised or malicious activity is afoot.
Here is a recent example where someone was trying to login to an FTP service with an automated script.
Tue May 19 18:01:49 2009 [pid 2277] CONNECT: Client “22.214.171.124″
Tue May 19 18:01:52 2009 [pid 2276] [Administrator] FAIL LOGIN: Client “126.96.36.199″
Tue May 19 18:01:55 2009 [pid 2276] [Administrator] FAIL LOGIN: Client “188.8.131.52″
How do we stop this kind of automated attack? Well, one solution would be port knocking.
5. Consider Port Knocking
In a nutshell port knocking is a way of opening pre-defined ports on a system remotely using a secret “knock”. The knock consists of sending a special packet to a specific port in a secret sequence. Once the special sequence of packets have been sent the server will then open a port for your IP address.
If you have open ports consider adding another level of protection with port knocking. I wrote about setting up port knocking in Linux and FreeBSD in the past. Port knocking is a really cool solution to prevent automated attacks against known applications. It virtually stops automated scripts and port scanners completely.
The only problem with port knocking is that it isn’t really suited for public access. For example if you are going to run the Apache webserver it wouldn’t make sense to make the client go through a port knock just to visit the site; however, if your intention is to hide the fact that you have a remote access server like SSH running port knocking is wonderful.
6. Use Iptables
Iptables is a packet inspection framework that is included in the Linux kernel that will allow you to build a state of the art firewall in Linux. Many of modern day routers are simply embedded Linux machines with iptables, like the Linksys WRT54G.
Learning how to write good firewall rules has a fairly steep learning curve but it is worth learning. Of course if you don’t have the time but still want to take advantage of the security iptables can bring check out, FirewallBuilder.
FirewallBuilder is basically a GUI for iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists.
7. Deny All by Default
There are two schools of thought when it comes to creating firewall rules. One way is to allow everything by default and then restrict access to certain ports and applications. This is almost always the way firewalls are setup as it is the easiest to setup and maintain. Allowing all by default is nice for system admins because everything just works, and there are no user complaints to deal with.
The other method of setting up firewalls is to deny all incoming and outgoing traffic by default, only allowing approved traffic through by creating exceptions. This is a much better way but requires a lot of thought and planning of which types of traffic you are going to allow.
If you care about security, take the extra time it takes to develop a deny by default plan.
A default deny would look something like this:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
8. Use an Intrusion Detection System
An Intrusion Detection System or IDS is a great way to monitor malicious hacking attempts on your machine. The idea of an IDS is to log traffic and look for certain patterns that are known to be used for malicious purposes. When the IDS detects malicious traffic it will log and notify you. This allows you to tweak your firewall to block that type of access or adjust your policies to deal with the attack.
An IDS is not usually setup to block attacks but rather log them and keep tabs on what attackers are doing. It is up you, the administrator, to refine your firewall rules to block uninvited access. Using a deny by default policy will make refining rules much eas
Snort is a great IDS for Linux machines and claims to be the de facto standard for intrusion detection/prevention.
9. Use Full Drive Encryption
According to the 2006 Security Breaches Matrix, a large number of the data leaks were caused due to stolen/missing laptops. If the data was encrypted these data leaks could have been prevented.
If you have a mobile device or paranoid about security full drive encryption provides peace of mind that your data is yours and only yours.
10. Your Favorite Security Tip
Number 10 is left to you. What is your favorite way to make Linux more secure? Leave your tip in the comments below!