Ready to Start Your Career?

Linux Hardening: 10 Effective Ways

By: Divya Bora

November 19, 2021

Linux Hardening header

WHAT IS LINUX HARDENING?

Linux Hardening is defined as intensifying the security of the operating system by implementing some dynamic security measures. It falls in the category of the operating systems under system hardening types. To understand Linux hardening better, we must first know its core principles and learn more about it.

System hardening is a collection of tools, techniques, and best practices to reduce vulnerabilities in technology applications, systems, firmware, and infrastructure. Its primary goal is to reduce the security risk to eradicate potential attack vectors and decrease the system's attack surface. The various types are:

Network
Server
Operating System
Database
Application

WHY IS IT IMPORTANT?

System hardening is significant as it provides the following benefits:

a) Simplified compliance and auditing There will be fewer programs and user accounts with a less complex environment, resulting in more transparent and effortless auditing.

b) Enhanced system functionality It reduces functionality, resulting in slighter chances of risks like incompatibilities, operational issues, misconfigurations, or compromise.

c) Significantly improved security Attack surface results in lowered risks of system hacking, data breaches, malware, or unauthorized access. It will also significantly reduce the number of access points that an attacker can leverage for their gain.

d) Financial benefits The organization will save money that would be utilized for system patches and updates or virus infections. Lesser bloatware means more memory space hence a huge dave on additional storage money.

CHECKLIST FOR LINUX HARDENING

Checklist

Mentioned below are some of the most effective measures that can be used for Linux hardening:

1. Check for open ports While using Kali Linux, it is critical to identify all the open connections to the internet. To spot any hidden ports, we will use the following commands:

sudo apt-get install unhide unhide proc unhide sys

2. System update When we boot a system, the first thing recommended doing is to update the system. For example, to update Kali Linux, we can use the following commands:

sudo apt update sudo apt full-upgrade -y

3. Lock up the boot directory In Linux, the boot directory consists of essential kernel files, so it should be given read-only permissions to harden the operating system. Execute the following command on the terminal and add the "password" line towards the end:

cat /etc/grub.conf default=0 timeout=15 password GrbPwd4SysAd$ (the line that needs to be added)

Once the password line is added to the grub.conf file, nobody can edit or modify the grub commands.

4. Hard Disk Encryption Disk Encryption plays an essential role in securing the device if it's stolen as the person won't be able to read the data by connecting the hard disk to their computer. Usually, most of the Linux distributions allow disk encryption. We will use dm-crypt, the Linux kernel's device-mapper crypto target, and provide transparent disk encryption in the Linux kernel using the kernel crypto API. Cryptsetup is a command-line tool used to interact with dm-crypt to access, create, and manage encrypted devices. We will use the Linux Unified Key Setup(LUKS) extension in Cryptsetup. Now we will use the following command:

df -h (displays the amount of disk space available for each disk)

Now the following commands will enable disk encryption:

sudo umount -l /dev/nvm0n1 (unmount file system on disk)

sudo dd if=/dev/urandom of=/home/opc/key0.key bs=1 (generate key for luks format)

*sudo /usr/sbin/cryptsetup -q -s 512* (Set initial key for LUKS partition) luksFormat /dev/nvme0n1 /home/opc/key0.key

*sudo /usr/sbin/cryptsetup --allow-discards* (Opening LUKS partition to setup mapping name) luksOpen -d /home/opc/key0.key /dev/nvm0n1 dm-nvme0n1

sudo /sbin/mkfs.ext4 /dev/mapper/dm-nvme0n1 (Creation of ext4 file system on disk)

sudo /usr/sbin/tune2fs -e remount-ro /dev/mapper/dm-nvme0n1 (Setting parameters for ext4 file system)

sudo mount /dev/mapper/dm-nvme0n1 /ons/nvme0n1 (Mount file to specified directory)

The following commands will disable disk encryption:

sudo umount -l /ons/nvme0n1 (unmount file system from disk)

sudo /usr/sbin/cryptsetup luksClose /dev/mapper/dm-nvme0n1 (removing LUKS mapping)

sudo /sbin/mkfs.ext4 /dev/nvme0n1 (Creation of ext4 file system on disk)

sudo mount /dev/nvme0n1 /ons/nvme0n1 (Mount file system on specified directory)

5. Documenting host information While one performs Linux hardening, they are required to document all the Linux host information so they can strike it off their checklist like:

IP Address
Machine's Name
Name of the expert performing hardening
Date
Asset number

6. Checking the installed packages The unnecessary packages should be removed from the Linux os by listing all the packages installed. We will use the "dpkg" package to list the packages. Open a terminal and type in the following commands:

sudo apt-get install dpkg (install dpkg if not present in Linux) dpkg -l (lists all the installed packages with their details)

Removing and disabling unnecessary services will reduce the attack surface and assist in hardening the system.

7. Disable USB usage We should disable USB usage. We can do it by:

Navigate to "blacklist.conf" using a text editor, type the following command on the terminal:

nano /etc/modprobe.d/blacklist.conf

Add the following line at the end and save the file:

blacklist usb_storage

Open the "rc.local" file using the following command:

nano /etc/rc.local

Write these two lines:

modprobe -r usb_storage exit 0

8. BIOS Protection We protect the host's BIOS with a password such that the end-user cannot modify or override any security settings that are part of the BIOS. Most computer manufacturers have different key combinations to enter it so, once the user finds the appropriate key combination, they can set up an administrative password. The next step is to disable the booting from external media devices to prevent an attacker from using a USB to access the data through a bootable OS. Some of the latest motherboards allow remote access through internal web servers. Finally, the default password of the admin page must be changed or disabled if there is a possibility.

9. Disk Protection Backups are useful when the system is damaged or the OS update consists of some bugs, but they must be maintained. Systems that contain critical information or data must be separated into different partitions for the /, /boot, /usr, /opt, /tmp, /var and /home directories. Partitioning disks will ensure efficient performance and security in case of any system error.

Let's briefly discuss the type of partitions:

a) Primary It is responsible for holding operating system files, and only four can be created.

b) Extended This is a particular type in which more than four can be created.

c) Logical It is created inside an extended one.

There are two ways to perform disk partitions:

Using parted command

*sudo parted -l *(list all the partitions and storage devices information) sudo parted /dev/sdb (open the storage disk "/dev/sdb")

NOTE: The first storage disk, "/dev/sda" or "/dev/vda" consists of the operating system, so if we create a partition on that disk, it will result in the Linux system being unbootable. Hence, partitions should be created only on secondary disks like "dev/s", "dev/vdc", "dev/sdb", or "dev/vdb".

select /dev/sdb (select the disk) mklabel [partition_table_type] (create a table) mklabel test (creates “test” partition table, type in “yes”) print (review the table and display storage device information) mkpart primary ext4 1MB 1855MB (make new partition) print quit (changes are saved)

Using fdisk command

sudo fdisk -l (list all existing partitions and storage device information) sudo fdisk /dev/sdb (selecting the disk) n (create a new one) 2 (choose a number) 3622912 (starting and ending sector of the hard drive, so this is a default number to enter) +2GB (size of the partition) w (writes changes of the disk) sudo fdisk -l (check if the disk is listed here)

10. Secure SSH Despite SSH being a secure service, we need to harden it. We have two ways of doing so, either disable the service or change its default configurations. You can follow the steps given below:

a) Open the terminal and navigate to the "etc/ssh" file to open "sshd_config" on the text editor. b) Now change the default port number from 22 to something like 2222. c) The following changes can be made to the "sshd_config" file to harden the SSH service:

PermitRootLogin no (root is not able to remotely login through SSH) AllowUsers [username] (only specified users are allowed ) IgnoreRhosts to yes HostbasedAuthentication no PermitEmptyPasswords no X11Forwarding no MaxAuthTries 5

d) Type the following commands to ensure the "sshd_config" file's content can be modified only by root users:

chown root:root /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_config

Linux Hardening is a course designed for beginners to understand what it is. If you are a beginner with minimal knowledge about Kali, the Kali Linux Fundamentals course would be great. Finally, Linux Fundamentals for Security Practitioners is a course designed for people who are thorough with Linux and are interested in some hands-on training about the topic.

REFERENCES