Securing Linux

How To Lock Down Your Linux Box

by Garrett Hyde / @GarrettHyde

About Me

  • Linux System Administrator
  • CS Degree from BYU
  • Open Source advocate

If you have any questions, don't hesitate to ask

Assumptions

  1. You are new to Linux
  2. You are new to computer security
  3. You have some level of common sense

SELinux

What Is SELinux?

“Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).”

SELinux Modes

  1. enforcing - SELinux security policy is enforced
  2. permissive - SELinux prints warnings instead of enforcing
  3. disabled - No SELinux policy is loaded

Change Settings

If at first you don't succeed, put SELinux in permissive mode.

$ sudo setenforce [ Enforcing | Permissive | 1 | 0 ]

$ getenforce

Persistent setting (survives reboot): /etc/selinux/config

When Should I Use SELinux?

Always!

SSH

Why Is SSH A Vulnerability?

  • SSH is enabled by default
  • Bots scan networks looking for port 22
  • Vector for online brute-force attacks

Do Not Make The Following Changes Remotely!

Change Port

$ sudo vi /etc/ssh/sshd_config

Port 2222

$ sudo systemctl restart sshd

Generate SSH Keys

$ ssh-keygen -b 4096 -t rsa -f ~/.ssh/id_rsa -C "My first SSH key"

$ ssh-copy-id -i ~/.ssh/id_rsa.pub username@linux-host.local

Disable Password Logins

$ sudo vi /etc/ssh/sshd_config

ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no

$ sudo systemctl restart sshd
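The three SSH steps above, as one script. This is an added example, not part of the original slides: it applies the sshd_config changes idempotently, keeps a backup, and refuses to restart sshd unless the edited file passes `sshd -t`. The config path, port and backup naming are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original slides: apply the sshd_config changes
# from the SSH section in one pass, keep a backup, and only restart sshd when
# the new file passes `sshd -t`. Path, port and backup name are assumptions.

# set_directive FILE KEY VALUE: set a global sshd directive exactly once.
# The first existing line for KEY (commented out or not) is replaced, later
# duplicates are dropped (sshd honours the first occurrence anyway), and a
# missing directive is inserted before any Match block, because a global
# setting placed after "Match" would silently apply only to that block.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        /^[ \t]*Match[ \t]/ { if (!done) { print k " " v; done = 1 }; inmatch = 1 }
        inmatch { print; next }
        $0 ~ ("^[# \t]*" k "[ \t]") { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_sshd_config [FILE] [PORT]: the four settings from the slides.
harden_sshd_config() {
    file=${1:-/etc/ssh/sshd_config} port=${2:-2222}
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1   # rollback copy
    set_directive "$file" Port "$port" &&
    set_directive "$file" ChallengeResponseAuthentication no &&
    set_directive "$file" PasswordAuthentication no &&
    set_directive "$file" PermitRootLogin no
}

# validate_and_restart [FILE]: never restart on a config sshd will not load;
# a broken file means no new logins and no way back in over the network.
validate_and_restart() {
    file=${1:-/etc/ssh/sshd_config}
    if ! sshd -t -f "$file"; then
        echo "sshd rejected $file; not restarting (restore the .bak copy)" >&2
        return 1
    fi
    systemctl restart sshd
}

# Usage, from a local console as the slides say, and only after
# `ssh -o PasswordAuthentication=no user@host true` proves the key works:
#   harden_sshd_config && validate_and_restart
```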

Firewall

Dilbert - Firewall

When Should I Use A Firewall?

  • You're not behind a firewall (e.g., home router)
  • You don't trust your firewall (e.g., home router)
  • You don't trust others (e.g., hacky roommate)

Do Not Make The Following Changes Remotely!

Enabling/Disabling firewalld

$ sudo systemctl [ start | stop ] firewalld

$ sudo systemctl [ enable | disable ] firewalld

Adjust Open Ports

$ sudo firewall-cmd --zone=public --add-port=2222/tcp --permanent

$ sudo firewall-cmd --zone=public --remove-port=22/tcp --permanent

Note

  • firewalld does not affect localhost
  • Even if you know what you're doing,
    you will lock yourself out

Other Considerations

  • Use strong passwords, especially for root
  • “Passwords are like underwear; you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.” -- Chris Pirillo
  • Don't log in as root. Use sudo
  • There are viruses for Linux
  • Encrypt your hard drive

Always use SELinux!

Resources