Linux Hardenining: tips to protect your distro and make it more secure

Isaac

14 minutes

Hardening Linux two tuxs, one defenseless and one in armor

Many articles have been published on Linux distributions more secure, such as TAILS (which ensures your privacy and anonymity on the web), Whonix (a Linux for security paranoid) and other distros aimed at being safe. But of course, not all users want to use these distributions. That is why in this article we will give a series of recommendations for the «linux hardening«, That is, make your distro (whatever it is) more secure.

Red Hat, SUSE, CentOS, openSUSE, Ubuntu, Debian, Arch Linux, Linux Mint, ... what difference does it make. Any distribution can be safe as the safest if you know it in depth and know how to protect yourself from the dangers that threaten you. And for this you can act on many levels, not only at the software level, but also at the hardware level.

Generic safety rabbits:

Hardware security padlocked circuit

In this section I will give you some very basic and simple tips that do not need computer knowledge to understand them, they are only common sense but that sometimes we do not carry out due to carelessness or carelessness:

  • Do not upload personal or sensitive data to the cloud. The cloud, regardless of whether it is free or not and whether it is more or less secure, is a good tool to dispose of your data wherever you go. But try not to upload data that you don't want to "share" with onlookers. This type of more sensitive data must be carried in a more personal medium, such as an SD card or pendrive.
  • If you use a computer to access the Internet and work with important data, for example, imagine that you have joined the BYOD craze and have taken some business data home. Well, in these kinds of circumstances, don't work online, try to be disconnected (why do you want to be connected to work for example with LibreOffice editing a text?). A disconnected computer is the safest, remember that.
  • Related to the above, don't leave important data on local hard drive when working online. I recommend that you have an external hard drive or another type of memory (memory cards, pen drives, etc.) in which you have this information. Thus we will put a barrier between our connected equipment and that "not connected" memory where the important data is.
  • Make backup copies of the data that you consider interesting or do not want to lose. When they use vulnerabilities to enter your computer and escalate privileges, the attacker will be able to erase or manipulate any data without impediments. That is why it is better to have a backup.
  • Do not leave data about your weak points in forums or comments on the webs. If, for example, you have security problems on your computer and it has open ports that you want to close, do not leave your problem in a forum for help, because it can be used against you. Someone with bad intentions can use that information to search for their perfect victim. It is better that you find a trusted technician to help you solve them. It is also common for companies to put ads on the Internet such as "I am looking for an IT security expert" or "Personnel is needed for the security department." This may indicate a possible weakness in said company and a cybercriminal can use these types of pages to look for easy victims ... It is also not good for you to leave information about the system you use and versions, someone could use exploits to exploit vulnerabilities of that version. In short, the more the attacker is unaware of you, the more difficult it will be for him to attack. Keep in mind that attackers usually carry out a process prior to the attack called “information gathering” and it consists of collecting information about the victim that can be used against them.
  • Keep your equipment updated With the latest updates and patches, remember that on many occasions, these not only improve functionalities, they also correct bugs and vulnerabilities so that they are not exploited.
  • Use strong passwords. Never put names that are in the dictionary or passwords like 12345, since with dictionary attacks they can be removed quickly. Also, do not leave passwords by default, since they are easily detectable. Also do not use dates of birth, names of relatives, pets or about your tastes. Those kinds of passwords can be easily guessed by social engineering. It is best to use a long password with numbers, uppercase and lowercase letters, and symbols. Also, do not use master passwords for everything, that is, if you have an email account and a session of an operating system, do not use the same for both. This is something that in Windows 8 they have screwed up to the bottom, since the password to log in is the same as your Hotmail / Outlook account. A secure password is of the type: "auite3YUQK && w-". By brute force it could be achieved, but the time devoted to it makes it not worth it ...
  • Don't install packages from unknown sources and if possible. Use the source code packages from the official website of the program you want to install. If the packages are questionable, I recommend that you use a sandbox environment like Glimpse. What you will achieve is that all the applications that you install in Glimpse can run normally, but when trying to read or write data, it is only reflected within the sandbox environment, isolating your system from problems.
  • Use system privileges as little as possible. And when you need privileges for a task, it is recommended that you use "sudo" preferably before "su".

Other slightly more technical tips:

Computer Security, padlock on keyboard

In addition to the advice seen in the previous section, it is also highly recommended that you follow the following steps to make your distro even more secure. Keep in mind that your distribution can be as safe as you wantI mean, the more time you spend configuring and securing, the better.

Security suites in Linux and Firewall / UTM:

Use SELinux or AppArmor to fortify your Linux. These systems are somewhat complex, but you can see manuals that will help you a lot. AppArmor can restrict even applications sensitive to exploits and other unwanted process actions. AppArmor has been included in the Linux kernel as of version 2.6.36. Its configuration file is stored in /etc/apparmor.d

Close all ports that you do not use frequently. It would be interesting even if you have a physical firewall, that's the best. Another option is to dedicate an old or unused equipment to implement a UTM or Firewall for your home network (you can use distributions such as IPCop, m0n0wall, ...). You can also configure iptables to filter out what you don't want. To close them you can use "iptables / netfilter" that integrates the Linux kernel itself. I recommend you consult manuals on netfilter and iptables, since they are quite complex and could not be explained in an article. You can see the ports that you have open by typing in the terminal:

netstat -nap

Physical protection of our equipment:

You can also physically protect your computer in case you do not trust someone around you or you have to leave your computer somewhere within the reach of other people. For this you can disable the boot from other means than your hard drive in the BIOS / UEFI and password protect the BIOS / UEFI so they cannot modify it without it. This will prevent someone from taking a bootable USB or external hard drive with an operating system installed and being able to access your data from it, without even having to log into your distro. To protect it, access the BIOS / UEFI, in the Security section you can add the password.

You can do the same with GRUB, password-protecting it:

grub-mkpasswd-pbkdf2

Enter the password for GRUB you want and it will be encoded in SHA512. Then copy the encrypted password (the one that appears in “Your PBKDF2 is”) to use later:

sudo nano /boot/grub/grub.cfg

Create a user at the beginning and put the encrypted password. For example, if the previously copied password was "grub.pbkdf2.sha512.10000.58AA8513IEH723":

set superusers=”isaac”
password_pbkdf2 isaac grub.pbkdf2.sha512.10000.58AA8513IEH723

And save the changes ...

Less software = more security:

Minimize the number of installed packages. Only install the ones you need and if you are going to stop using one, it is best to uninstall it. The less software you have, the fewer vulnerabilities. Remember it. I also advise you with the services or daemons of certain programs that run when the system starts. If you don't use them, put them in "off" mode.

Safely delete information:

When you delete information of a disk, memory card or partition, or simply a file or directory, do it safely. Even if you think you have deleted it, it can be easily recovered. Just as physically it is not useful to throw a document with personal data in the trash, because someone could take it out of the container and see it, so you have to destroy the paper, the same thing happens in computing. For example, you can fill memory with random or null data to overwrite data that you don't want to expose. For this you can use (for it to work you must execute it with privileges and replace / dev / sdax with the device or partition you want to act on in your case ...):

dd if=/dev/zeo of=/dev/sdax bs=1M
dd if=/dev/unrandom of=/dev/sdax bs=1M

If what you want is delete a specific file forever, you can use "shred". For example, imagine that you want to delete a file called passwords.txt where you have system passwords written down. We can use shred and overwrite for example 26 times above to guarantee that it cannot be recovered after deletion:

shred -u -z -n 26 contraseñas.txt

There are tools like HardWipe, Eraser or Secure Delete that you can install to "Wipe" (permanently delete) memories, SWAP partitions, RAM, etc.

User accounts and passwords:

Improve the password system with tools like S / KEY or SecurID to create a dynamic password scheme. Make sure there is no encrypted password in the / etc / passwd directory. We have to better use / etc / shadow. For this you can use "pwconv" and "grpconv" to create new users and groups, but with a hidden password. Another interesting thing is to edit the / etc / default / passwd file to expire your passwords and force you to renew them periodically. So if they get a password, it will not last forever, since you will change it frequently. With the /etc/login.defs file you can also fortify the password system. Edit it, looking for the PASS_MAX_DAYS and PASS_MIN_DAYS entry to specify the minimum and maximum days a password can last before expiration. PASS_WARN_AGE displays a message to let you know that the password will expire in X days soon. I advise you to see a manual about this file, since the entries are very numerous.

All the accounts that are not being used and they are present in / etc / passwd, they have to have the Shell variable / bin / false. If it's another, change it to this one. That way they can't be used to get a shell. It is also interesting to modify the PATH variable in our terminal so that the current directory "." Does not appear. That is, it has to change from “./user/local/sbin/:/usr/local/bin:/usr/bin:/bin” to “/ user / local / sbin /: / usr / local / bin: / usr / bin: / bin ”.

It would be recommended that you use Kerberos as a network authentication method.

PAM (Pluggable Authentication Module) it is something like Microsoft Active Directory. It provides a common, flexible authentication scheme with clear advantages. You can take a look at the /etc/pam.d/ directory and search for information on the web. It is quite extensive to explain here ...

Keep an eye on the privileges of the different directories. For example, / root should belong to the root user and the root group, with "drwx - - - - - -" permissions. You can find information on the web about what permissions each directory in the Linux directory tree should have. A different configuration could be dangerous.

Encrypt your data:

Encrypts the contents of a directory or partition where you have relevant information. For this you can use LUKS or with eCryptFS. For example, imagine we want to encrypt / home of a user named isaac:

sudo apt-get install ecryptfs-utils
ecryptfs-setup-private
ecryptfs-migrate-home -u isaac

After the above, indicate the passphrase or password when asked ...

To create a private directoryFor example called "private" we can also use eCryptFS. In that directory we can put the things that we want to encrypt to remove it from the view of others:

mkdir /home/isaac/privado
chmod 700 /home/isaac/privado
mount -t ecryptfs /home/isaa/privado

It will ask us questions about different parameters. First, it will let us choose between passwords, OpenSSL, ... and we must choose 1, that is, "passphrase". Then we enter the password we want twice to verify. After that, we choose the type of encryption we want (AES, Blowfish, DES3, CAST, ...). I would choose the first one, AES and then we introduce the byte type of the key (16, 32 or 64). And finally we answer the last question with a "yes". Now you can mount and unmount this directory to use it.

If you just want encrypt specific files, you can use scrypt or PGP. For example, a file called passwords.txt, you can use the following commands to encrypt and decrypt respectively (in both cases it will ask you for a password):

scrypt <contraseñas.txt>contraseñas.crypt
scrypt <contraseñas.crypt>contraseñas.txt

Two-step verification with Google Authenticator:

Google AUthenticator in Ubutnu terminal

Add two step verification in your system. Thus, even if your password is stolen, they will not have access to your system. For example, for Ubuntu and its Unity environment we can use LightDM, but the principles can be exported to other distros. You will need a tablet or smartphone for this, in it you must install Google Authenticator from the Play Store. Then on the PC, the first thing is to install Google Authenticator PAM and start it up:

sudo apt-get install libpam-google-authenticator
google-authenticator

When you ask us if the verification keys will be based on time, we answer affirmatively with a and. Now it shows us a QR code to be recognized with Google Authenticator from your smartphone, another option is to enter the secret key directly from the app (it is the one that appeared on the PC as “Your new secret is:”). And it will give us a series of codes in case we do not carry the smartphone with us and that it would be good to have them in mind in case the flies. And we continue to reply with yon according to our preferences.

Now we open (with nano, gedit, or your favorite text editor) the configuration file with:

sudo gedit /etc/pam.d/lightdm

And we add the line:

auth required pam_google_authenticator.so nullok

We save and the next time you log in, it will ask us for the verification key that our mobile will generate for us.

If one day do you want to remove XNUMX-step verification, you just have to delete the line "auth required pam_google_authenticator.so nullok" from the file /etc/pam.d/lightdm
Remember, common sense and caution is the best ally. A GNU / Linux environment is secure, but any computer connected to a network is no longer secure, no matter how good the operating system you use. If you have any questions, problems or suggestions, you can leave your comment. I hope it helps…


Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   Nuria said
    ago 8 years

    Hello good, look I comment; I have installed google-authenticator on a Raspbian without any problem and the mobile application registers well and provides me with the code, but when restarting the raspberry and restarting the system it does not ask me to enter the double authentication code It only appears to me to enter username and password.

    Thank you very much. A greeting.

    Reply to Nuria