Securing Linux
How To Lock Down Your Linux Box
by Garrett Hyde / @GarrettHyde
About Me
- Linux System Administrator
- CS Degree from BYU
- Open Source advocate
If you have any questions, don't hesitate to ask
Assumptions
- You are new to Linux
- You are new to computer security
- You have some level of common sense
SELinux
What Is SELinux?
“Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).”
SELinux Modes
- enforcing - SELinux security policy is enforced
- permissive - SELinux prints warnings instead of enforcing
- disabled - No SELinux policy is loaded
Change Settings
If at first you don't succeed, put SELinux in permissive mode.
$ sudo setenforce [ Enforcing | Permissive | 1 | 0 ]
$ getenforce
/etc/selinux/config
When Should I Use SELinux?
Always!
SSH
Why Is SSH A Vulnerability?
- SSH is enabled by default
- Bots scan networks looking for port 22
- Vector for online brute-force attacks
Do Not Make The Following Changes Remotely!
Change Port
$ sudo vi /etc/ssh/sshd_config
Port 2222
$ sudo systemctl restart sshd
Generate SSH Keys
$ ssh-keygen -b 4096 -t rsa -f ~/.ssh/id_rsa -C "My first SSH key"
$ ssh-copy-id -i ~/.ssh/id_rsa.pub username@linux-host.local
Disable Password Logins
$ sudo vi /etc/ssh/sshd_config
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no
$ sudo systemctl restart sshd
Firewall
When Should I Use A Firewall?
- You're not behind a firewall (e.g., home router)
- You don't trust your firewall (e.g., home router)
- You don't trust others (e.g., hacky roommate)
Do Not Make The Following Changes Remotely!
Enabling/Disabling firewalld
$ sudo systemctl [ start | stop ] firewalld
$ sudo systemctl [ enable | disable ] firewalld
Adjust Open Ports
$ sudo firewall-cmd --zone=public --add-port=2222/tcp --permanent
$ sudo firewall-cmd --zone=public --remove-port=22/tcp --permanent
Note
- firewalld does not affect localhost
- Even if you know what you're doing,
you will lock yourself out
Other Considerations
- Use strong passwords, especially for root
- Don't login as root. Use sudo
- There are viruses for Linux
- Encrypt your hard drive
“Passwords are like underwear; you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.” -- Chris Pirillo
Always use SELinux!
Resources
- Linux Distro's Documentation
- Super User, Server Fault
- ghyde.github.io/slides/securing_linux.html