Top 5 Linux Security Best Practices Every Admin Must Know

This tutorial covers essential Linux security best practices, including securing remote access, keeping systems updated, configuring firewalls, implementing access controls, and monitoring logs.

Grant Knoetze, Contributor

February 27, 2025

ITPro Today

This tutorial by Grant Knoetze highlights essential Linux security best practices that every administrator should follow. Knoetze emphasizes proactive security measures, such as securing remote access, keeping software up to date, and enforcing strict access controls to minimize risk. Additionally, he underscores the importance of firewalls and continuous monitoring through logging and auditing tools. By implementing these best practices, admins can strengthen their system's resilience against cyberattacks.


The following transcript has been edited for length and clarity.

Transcript:

Grant Knoetze: Today's video covers the top five Linux security best practices every admin should know.

1. Secure Remote Access

Secure Shell, or SSH, is the lifeline for Linux admins, but attackers also commonly target it. Here are a few steps to harden it.

Use SSH key pairs instead of password authentication

One of the best ways to secure SSH access is using SSH key pairs instead of password-based authentication, which can be vulnerable to threats such as brute-force attacks.

To generate SSH key pairs, open your terminal and run:

ssh-keygen

This command generates a public/private RSA key pair. You will be prompted to choose a file location to save the key and can specify any additional parameters, such as algorithm type.


Once the keypair is generated, copy the public key to your server using this command:

ssh-copy-id

This command will display its available options if you run it without any parameters.

Disable root login

You can also turn off root login with SSH by editing the sshd_config file (located in /etc/ssh/). Follow these steps:

1. Open a terminal and navigate to the SSH configuration directory:

cd /etc/ssh/

2. Enter the ls command to list the files so you can confirm the configuration file is present. You should see sshd_config.

3. Open the file using your preferred text editor (mine is Nano):

sudo nano sshd_config

4. The SSH daemon configuration file will open, and we can modify our SSH configurations directly from within this file.

Change the default SSH port

The default port for SSH is 22. Changing it to a non-default port adds an extra layer of security by reducing exposure to common attacks.

First, open the SSH configuration file in a text editor. Find the line that says #Port 22. Uncomment the line by removing the #, then change 22 to a different, high-numbered port (e.g., 8900). Save the file and exit.

Add multifactor authentication

You can add multifactor authentication to your Secure Shell using Google Authenticator and other third-party tools. I have another video and articles on this.
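As an added example (not part of the video or the article), a POSIX shell script that audits an sshd_config file for the three daemon settings covered above: PermitRootLogin, PasswordAuthentication, and Port. The directive names are the standard OpenSSH ones; the sample configs in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the video): audit an sshd_config file for the
# three settings this section covers. Directive names are the real
# OpenSSH ones; the demo configs at the bottom are constructed.

# effective_value FILE DIRECTIVE
# Echo the value of the first uncommented DIRECTIVE line. Like sshd,
# match the keyword case-insensitively and take the first occurrence;
# Match blocks are not handled here.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# audit_sshd_config FILE
# Print one OK/WARN line per check; return 0 only if all three pass.
audit_sshd_config() {
    cfg="$1"; rc=0
    root=$(effective_value "$cfg" PermitRootLogin)
    pw=$(effective_value "$cfg" PasswordAuthentication)
    port=$(effective_value "$cfg" Port)

    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "WARN PermitRootLogin is '${root:-unset}', expected no"; rc=1; fi

    # Key-pair-only access means password logins must be off.
    if [ "$pw" = "no" ]; then echo "OK   PasswordAuthentication no"
    else echo "WARN PasswordAuthentication is '${pw:-unset}', expected no"; rc=1; fi

    # An unset Port means the default 22.
    if [ -n "$port" ] && [ "$port" != "22" ]; then echo "OK   Port $port"
    else echo "WARN Port is '${port:-22}', the default"; rc=1; fi
    return "$rc"
}

# Demo on a constructed, still-default config (all three checks warn),
# then on a hardened one. To audit a live host, pass /etc/ssh/sshd_config.
demo_sshd_audit() {
    tmp=$(mktemp)
    printf '#Port 22\n#PermitRootLogin prohibit-password\n' > "$tmp"
    audit_sshd_config "$tmp" || echo "-> default config fails the audit"
    printf 'Port 8900\nPermitRootLogin no\nPasswordAuthentication no\n' > "$tmp"
    audit_sshd_config "$tmp" && echo "-> hardened config passes"
    rm -f "$tmp"
}
demo_sshd_audit
```

Restart sshd only after confirming the new port is allowed through the firewall and a key-based login works from a second session.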


2. Keep Your System Updated

Stay up to date. Vulnerabilities in outdated software are a black-hat hacker's playground.

Manual updates

To keep your system secure, update the package lists and software regularly. On Debian-based systems, use:

sudo apt update && sudo apt upgrade -y
  • apt update refreshes the list of available packages.

  • apt upgrade installs the latest security packages and software updates.

Automate updates

You can automate updates to avoid falling behind. To schedule regular updates, create a cron job. A great tool for automating updates is unattended upgrades.

To install unattended-upgrades on Debian-based systems, type the following:

sudo apt install unattended-upgrades

The manual pages will give you all the information that you need. You can also type in unattended-upgrades --help or refer to the online documentation about using unattended-upgrades to automate system upgrades.

3. Configure Firewalls

A properly configured firewall blocks unauthorized access before it even reaches your server.

I've previously done an in-depth video on using the uncomplicated firewall (UFW), iptables, and nftables, but here's how to get started.

UFW is a free tool. On Debian-based systems, you can use UFW directly from the command line. For example, you can allow specific traffic with commands like this:


sudo ufw allow ssh

To check the status of the uncomplicated firewall, type:

sudo ufw status

If the status is inactive, you can enable UFW by typing:

sudo ufw enable

You should see: "Firewall is active and enabled on system startup."

For more control, you can configure iptables or nftables. They are both powerful but have a steeper learning curve. Choose what suits your expertise.

4. Implement Access Controls

You should always follow the principle of least privilege to limit what users and processes can do.

As a best practice, assign permissions using role-based access control. Also, consider using privileged access workstations.

You can use sudo in Linux natively to assign administrative privileges sparingly. To grant specific commands to users, you'll have to edit the sudoers file (found in the /etc/ directory).

In the /etc/ directory, I can use a text editor (we're using Nano here) to open the file by typing the following:

sudo nano sudoers

With the sudoers file open, you can modify it in the text editor.

Beyond user-based access, leverage tools like SELinux or AppArmor for mandatory access control. I've covered AppArmor in a previous video and written extensively on SELinux. These tools help you enforce strict policies on what processes can access.

5. Monitor and Audit Logs

Linux systems use Syslog, a standard for logging events, which stores logs in the /var/log directory. Inside /var/log, you can use the ls command to see the logs. For example, auth.log records authentication attempts (successful and failed), and kern.log logs kernel operations.

Your log files may differ slightly based on the distribution you use, but they will all use the Syslog standard.

Check authentication logs

To check authentication logs, look at /var/log/auth.log (or /var/log/secure on some systems). To view the logs:

cat /var/log/auth.log

If you would like to save the log to a text file, use this command:

sudo cat auth.log > auth.txt

If you encounter "Permission denied", switch to the root user:

sudo su

Once you're root, rerun the command. To exit the root user session, enter exit.

Using tools for log analysis

You can use tools like Logwatch or GoAccess to simplify log analysis and help spot anomalies.

For more complex setups, consider using centralized log management tools like Graylog, ELK Stack (Elasticsearch, Logstash, Kibana), or SIEM or SOAR tools for more extensive infrastructures.

Set up alerts

Also, set up alerts for critical events (such as failed login attempts). This will help you catch issues early and respond faster.
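As an added example (not from the video), a POSIX shell script that counts failed SSH logins per source address in auth.log-style lines and raises an alert at or above a threshold, the kind of alert this section recommends. The log lines are constructed, the threshold value is an assumption, and the line format parsed is sshd's "Failed password for ... from <ip>" message.

```shell
#!/bin/sh
# Added example (not from the video): flag source addresses with repeated
# failed SSH logins in auth.log-style lines. The log lines below are
# constructed; addresses come from the RFC 5737 documentation ranges.

# Constructed sample in the format sshd writes to /var/log/auth.log.
sample_auth_log() {
cat <<'EOF'
Feb 27 10:15:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 27 10:15:03 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Feb 27 10:15:05 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Feb 27 10:16:10 web1 sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Feb 27 10:17:42 web1 sshd[1215]: Failed password for bob from 192.0.2.10 port 50002 ssh2
EOF
}

# failed_logins_by_ip < LOG
# Count "Failed password" events per source address; output "COUNT IP",
# highest first. Only sshd lines are considered, so other daemons that
# log "from <ip>" do not skew the count.
failed_logins_by_ip() {
    awk '/ sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# alert_brute_force THRESHOLD < LOG
# Emit one ALERT line per address at or above THRESHOLD failures.
alert_brute_force() {
    failed_logins_by_ip |
        awk -v t="$1" '$1 >= t { printf "ALERT %s: %d failed SSH logins\n", $2, $1 }'
}

# Demo with a threshold of 3 (an assumption; tune it to your environment).
# On a live system replace sample_auth_log with: sudo cat /var/log/auth.log
sample_auth_log | alert_brute_force 3
```

Run it from cron or pipe the output into your notification tool; a single address crossing the threshold is the signal the text describes, while a handful of isolated failures is normal noise.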

I hope you've enjoyed this video. I look forward to seeing you on the next one. Goodbye for now.

About the Author


Grant Knoetze is a cybersecurity analyst with a special interest in DFIR, programming languages, incident response, red-teaming, and malware analysis. His full-time job includes teaching and instructing in various topics from basic Linux all the way through to malware incident response, and other advanced topics. He is also a speaker at various conferences worldwide.

www.grantknoetze.com

https://github.com/Grant-Knoetze

www.thedewolffgroup.com

https://www.linkedin.com/in/grant-knoetze-563b0b1b6/
