Linux Server Security and Hardering

1. Linux Server Security and Hardering
Antonio C. Vélez Báez
24, october 2018

2. ABOUT ME ...
• Antonio C. Vélez Báez
• OSCP, RHCE, RHCSA-RHOS, Linux+
• Vidalinux.com Founder
• OVOX LLC. Co-Founder
• Red Hat Certified Instructor and examiner
• Red Hat Certified Training Center
• First Linux distribution made in Puerto Rico
https://en.wikipedia.org/wiki/VidaLinux
• Email: acvelez@vidalinux.com
• Website: www.vidalinux.com

3. MYTHS ABOUT LINUX SECURITY
• Linux is invulnerable and virus-free.
• Virus writers do not target Linux because it has a low market share.
• Windows malware cannot run on Linux.
• On Linux you install software from software repositories, which
contain only trusted software.
• I don't need a firewall because Linux has no open ports by default.

4. VULNERABILITIES STATS
Linux kernel Vulnerabilities Stats
1999 - present
Vulnerabilities Stats by Vendor
1999 - present
source: https://www.cvedetails.com

5. EXPLOITS STATS

6. TOP VULNERABILITIES
• Dirty Cow: CVE-2016-5195 (Privilege escalation vulnerability)
• Heatbleed: CVE-2014-0160 (OpenSSL library vulnerability)
• Shellshock: CVE-2014-6271 (GNU Bash Remote Code Execution Vulnerability)
• Glibc: CVE-2015-7547 (getaddrinfo stack-based buffer overflow)
• VENOM: CVE-2015-3456 (security vulnerability in the virtual floppy drive code)
• Misconfiguration of Enterprise Services NIS/NFS
• Misconfiguration of Simple Network Management Protocol (SNMP)
• User account weak password
• Application vulnerabilities
• No updates or OS end-of-life

7. SHELLSHOCK
Live demo

8. NFS MISCONFIGURATION
If no_root_squash is used, remote root users are able to change
any file on the shared file system and leave applications infected
by Trojans for other users to inadvertently execute

9. ENTERPRISE LINUX
Red Hat offers subscription services for each major release of Red Hat Enterprise Linux
throughout four life-cycle phases—called Full Support, Maintenance Support 1, Maintenance
Support 2, and an Extended Life Phase.

10. ENTERPRISE LINUX
LTS or ‘Long Term Support’ releases are published every two years in April. LTS releases are the
‘enterprise grade’ releases of Ubuntu, and they are much more heavily used (something like 95%
of all Ubuntu installations are LTS releases).

11. LINUX SEC ADVISORIES
At the OS level, major distro vendors regularly publish details on
security issues with their platform. Examples include:
• https://access.redhat.com/security/
• https://www.suse.com/support/security/
• https://www.ubuntu.com/usn/
• https://security.gentoo.org/glsa
• https://security.archlinux.org/
• https://www.debian.org/security/

12. DISK PARTITIONS
Servers should have separate file systems for /, /boot, /usr, /dev, /var,
/tmp, and /home.

13. POST INSTALLATION
• Install latest updates
• Terminate unauthorized users
• Identify and shut down unused daemons
• Set firewall rules
• Disable USB devices
• Set GRUB boot loader password
• Configure root user timeout

14. ACCOUNTS & PASSWORDS
• Unused Accounts
• Enabling Password Aging
• Stronger Password Enforcement
• Restricting Use of Previous Passwords
• Locking User Accounts After Too Many Login Failures
• Set password expiration

15. FILE PERMISSIONS
• SUID/SGID Files
• World-Writable Files
• Orphaned or Unowned Files

16. SSH SECURITY
• Configure idle timeout interval
• Limit users for ssh access
• Disable password login
• Disable root login
• Disable empty passwords
• Use public/private keys for authentication
• Display login Banner
• Change default port

17. KERNEL SECURITY
• Disable IP Forwarding (also known as Internet routing)
net.ipv4.ip_forward parameter = 0
• Disable the Send Packet Redirects (send routing information to other hosts)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
• Ignore all to ICMP (ping)
net.ipv4.icmp_echo_ignore_all = 1
• Enable Bad Error Message Protection (alert about error messages in network)
net.ipv4.icmp_ignore_bogus_error_responses = 1
• Enable IP spoofing protection (packets which claim to be from another host)
net.ipv4.conf.all.rp_filter = 1
https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/

18. SELINUX
SELinux disable SELinux enable
SELinux, Security-Enhanced Linux, is an additional method to protect your system.
SELinux is a set of security rules that determine which process can access which files,
directories, ports, etc. Every file, process, directory and port has a special security label called
SELinux contexts. A context is simply a name that is used by the SELinux policy to determine
whether or not a process can access a file, directory or port.

19. PHP SECURITY
• disable_functions = exec,system,shell_exec,passthru
• register_globals = Off
• expose_php = Off
• display_errors = Off
• track_errors = Off
• html_errors = Off
• magic_quotes_gpc = Off

20. APACHE INFO LEAKAGE
• ServerTokens Prod
• ServerSignature Off
• TraceEnable Off
• Header unset ETag
• FileETag None
• Header always unset "X-Powered-By"
• Header unset "X-Powered-By"

21. MODSECURITY
ModSecurity is a web application firewall for the Apache web
server. In addition to providing logging capabilities, ModSecurity
can monitor the HTTP traffic in real time in order to detect
attacks. ModSecurity also operates as a web intrusion detection
tool, allowing you to react to suspicious events that take place at
your web systems.

22. MODEVASIVE
Mod Evasive is an evasive maneuvers module for Apache that
provides evasive action in the event of an HTTP DoS attack or
brute force attack. It is also designed to be a detection and
network management tool, and can be easily configured to talk to
ipchains, firewalls, routers, and more. mod_evasive presently
reports abuse via email and syslog facilities.

23. BAN SUSPICIOUS HOSTS
• Fail2ban
• SshGuard
• Denyhosts
• HeatShield
• Portknocking

24. SCANNER AND AUDITING
• Lynis
• Logwatch
• Nmap
• Openscap
• Metasploit
• Nikto
• Nessus
• OpenVAS

25. OPENSCAP
Live demo

26. LYNIS
Live demo

27. ¿QUESTIONS?