Mastering Linux Security and Hardening E-Book

Mastering Linux Security and Hardening

Third Edition

A practical guide to protecting your Linux system from cyber attacks

Donald A. Tevault

BIRMINGHAM—MUMBAI

Mastering Linux Security and Hardening

Third Edition Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Senior Publishing Product Manager: Aaron Tanna

Acquisition Editor – Peer Reviews: Gaurav Gavas

Project Editor: Rianna Rodrigues

Content Development Editor: Liam Draper

Copy Editor: Safis Editing

Technical Editor: Karan Sonawane

Proofreader: Safis Editing

Indexer: Manju Arasan

Presentation Designer: Ganesh Bhadwalkar

Developer Relations Marketing Executive: Meghal Patel

First published: January 2018

Second edition: February 2020

Third edition: February 2023

Production reference: 1210223

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-83763-051-6

www.packt.com

Contributors

About the author

Donald A. Tevault – you can call him Donnie – got involved with Linux way back in 2006 and has been working with it ever since. He holds the Linux Professional Institute Level 3 Security certification and the GIAC Incident Handler certification. Donnie is a professional Linux trainer, and thanks to the magic of the Internet, has taught Linux classes all over the world from the comfort of his living room. He has also been a Linux security researcher for an IoT security company.

I’d like to thank the good folk at Packt Publishing for making the publishing of this book such a smooth process. I’d also like to thank my cats for graciously allowing me to use their names in the demos, and Mike, my intrepid technical reviewer, for his suggestions that made the book better than it would have been.

About the reviewer

Michael Ernstoff is a Unix and Linux infrastructure and security specialist with over 25 years of experience. An independent consultant for over 20 years, Michael has worked for many well-known blue-chip companies, mainly in the banking and finance industries.

With extensive knowledge of host-based security, security hardening, and identity and access management. Michael has developed and implemented solutions for Security and Regulatory Compliance.

He is a keen amateur musician and has four children.

Join our book community

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/CyberSec

Preface

Who this book is for

This book is aimed at Linux administrators in general, whether or not they specialize in Linux security. The techniques that we present can be used on either Linux servers or on Linux workstations.

We assume that our target audience has had some hands-on experience with the Linux command line and has basic knowledge of the Linux essentials.

What this book covers

Chapter 1, Running Linux in a Virtual Environment, gives an overview of the IT security landscape, and will inform the reader why learning Linux security would be a good career move. We’ll also show how to set up a virtual lab environment for the hands-on labs.

Chapter 2, Securing Administrative User Accounts, covers the dangers of always using the root user account, and introduces the benefits of using sudo instead.

Chapter 3, Securing Normal User Accounts, covers how to lock down normal user accounts, and ensure that the users use good-quality passwords.

Chapter 4, Securing Your Server with a Firewall – Part 1, involves working with the various types of firewall utilities.

Chapter 5, Securing Your Server with a Firewall – Part 2, continues the discussion about working with the various types of firewall utilities.

Chapter 6, Encryption Technologies, makes sure that important information—both at rest and in transit—are safeguarded with proper encryption.

Chapter 7, SSH Hardening, covers how to safeguard data in transit. The default Secure Shell configuration is anything but secure, and could lead to a security breach if left as is. This chapter shows how to fix that.

Chapter 8, Mastering Discretionary Access Control, covers how to set ownership and permissions on files and directories. We’ll also cover what SUID and SGID can do for us, and the security implications of using them. We’ll wrap things up by covering extended file attributes.

Chapter 9, Access Control Lists and Shared Directory Management, explains that normal Linux file and directory permissions settings aren’t very granular. With Access Control Lists, we can allow only a certain person to access a file, or we can allow multiple people to access a file with different permissions for each person. We’re also going to put what we’ve learned together in order to manage a shared directory for a group.

Chapter 10, Implementing Mandatory Access Control with SELinux and AppArmor, talks about SELinux, which is a Mandatory Access Control technology that is included with Red Hat-type Linux distributions. We’ll give a brief introduction here on how to use SELinux to prevent intruders from compromising a system. We’ll also give a brief introduction to AppArmor, which is another Mandatory Access Control technology that is included with Ubuntu and SUSE-type Linux distributions.

Chapter 11, Kernel Hardening and Process Isolation, covers how to tweak the Linux kernel to make it even more secure against certain types of attacks. It also covers some process isolation techniques to help prevent attackers from exploiting a Linux system.

Chapter 12, Scanning, Auditing, and Hardening, talks about how viruses that are a big problem for Windows users aren’t yet a huge problem for Linux users. If your organization has Windows clients that access Linux file servers, then this section is for you. You can use auditd to audit accesses to files, directories, or system calls on a Linux system. It won’t prevent security breaches, but it will let you know if some unauthorized person is trying to access a sensitive resource. SCAP, the Security Content Application Protocol, is a compliance framework that’s promulgated by the National Institute of Standards and Technology. OpenSCAP, the open source implementation, can be used to apply a hardening policy to a Linux computer.

Chapter 13, Logging and Log Security, gives you the basics about ryslog and journald, the two most prevalent logging systems that come with Linux-based operating systems. We’ll show you a cool way to make log reviews easier, and how to set up a secure central log server. We’ll do all of this just with the packages that come in your normal Linux distribution’s repositories.

Chapter 14, Vulnerability Scanning and Intrusion Detection, explains how to scan our systems to see if we’ve missed anything in our security configurations. We’ll also take a quick look at an intrusion detection system.

Chapter 15, Prevent Unwanted Programs from Running, explains how to use fapolicyd and partition mounting options to prevent untrusted programs from running on your system.

Chapter 16, Security Tips and Tricks for the Busy Bee, explains that since you’re dealing with security, we know that you’re a busy bee. This chapter introduces you to some quick tips and tricks to help make the job easier.

To get the most out of this book

For hardware, you don’t need anything fancy. All you need is a machine that’s capable of running 64-bit virtual machines. So, you can use any host machine that runs with almost any modern CPU from either Intel or AMD. (There are a couple of exceptions, though. First, some Intel Core i3 and Core i5 CPUs lack the required hardware acceleration to run virtual machines. Also, AlmaLinux 9, which we’ll be using, won’t run on the first generation of x86_64 CPUs. So, if you have an x86_64 machine that was made prior to 2010, AlmaLinux 9 won’t run on it.) For memory, I’d recommend using a host machine with at least 8 GB.

You can run any of the three major desktop operating systems on your machine, because the virtualization software that we’ll be using comes in flavors for Windows, macOS, and Linux.

Download the example code files

The code bundle for the book is hosted on GitHub at https://github.com/PacktPublishing/Mastering-Linux-Security-and-Hardening-3E. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://packt.link/wcaG3

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. For example: “open Firefox and navigate to https://localhost:9392"

A block of code is set as follows:

Any command-line input or output is written as follows:

Bold: Indicates a new term, an important word, or words that you see on the screen. For instance, words in menus or dialog boxes appear in the text like this. For example: “Set one to Bridged mode and leave the other in NAT mode.”

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book’s title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you reported this to us. Please visit http://www.packtpub.com/submit-errata, click Submit Errata, and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit http://authors.packtpub.com.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

https://packt.link/free-ebook/9781837630516

Share your thoughts

Once you’ve read Mastering Linux Security and Hardening, Third Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Section 1

Setting up a Secure Linux System

In this section, we will set up a practice lab with Ubuntu, CentOS, and AlmaLinux virtual machines. Windows users will learn how to remotely access Linux machines from Windows.

This section contains the following chapters:

1

Running Linux in a Virtual Environment

So, you may be asking yourself: Why do I need to study Linux security? Isn’t Linux already secure? After all, it’s not Windows. But the fact is, there are many reasons.

It’s true that Linux has certain advantages over Windows when it comes to security. These include the following:

But even with those advantages, Linux is just like everything else that’s been created by mankind. That is, it isn’t perfect.

Here are the topics that we’ll cover in this chapter:

Let’s begin by talking about threats.

Looking at the threat landscape

If you’ve kept up with IT technology news over the past few years, you’ll likely have seen at least a few articles about how attackers have compromised Linux servers. For example, while it’s true that Linux isn’t really susceptible to virus infections, there have been several cases where attackers have planted other types of malware on Linux servers. Here are some examples:

And, of course, there have been plenty of breaches that don’t involve malware, such as where attackers have found a way to steal user credentials, credit card data, or other sensitive information.

Now, let’s talk a bit more about security breaches.

Why do security breaches happen?

Regardless of whether you’re running Linux, Windows, or whatever else, the reasons for security breaches are usually the same. They could be security bugs in the operating system or security bugs in an application that’s running on that operating system. Often, a bug-related security breach could have been prevented had the administrators applied security updates in a timely manner.

Another big issue is poorly configured servers. A standard, out-of-the-box configuration of a Linux server is actually quite insecure and can cause a whole ton of problems. One cause of poorly configured servers is simply the lack of properly trained personnel to securely administer Linux servers. (Of course, that’s great news for the readers of this book, because—trust me—there’s no lack of well-paying IT security jobs.)

And now, in addition to Linux on servers and desktops, we have Linux on devices that are part of the Internet of Things (IoT). There have been many security problems with these devices, in large part because people just don’t know how to configure them securely.

As we journey through this book, we’ll see how to do business the right way, to make our servers as secure as possible. One thing we can do is to keep up with security-related news.

Keeping up with security news

If you’re in the IT business, even if you’re not a security administrator, you’ll want to keep up with the latest security news. In the age of the Internet, that’s easy to do.

First, there are quite a few websites that specialize in network security news. Examples include Packet Storm Security and The Hacker News. Regular tech news sites and Linux news websites, such as Ars Technica, Fudzilla, The Register, ZDNet, and LXer, also carry reports about network security breaches. And, if you’d rather watch videos than read, you’ll find plenty of good YouTube channels, such as BeginLinux Guru.

Finally, regardless of which Linux distro you’re using, be sure to keep up with the news and current documentation for your Linux distro. Distro maintainers should have a way of letting you know if a security problem crops up in their products.

Here are some links to some good security-related websites:

Here are some links to more generalized tech websites:

You can check out some general Linux learning resources as well as Linux news sites:

(Full disclosure: I am the world-famous BeginLinux Guru.)

One thing to always remember as you go through this book is that the only operating system you’ll ever see that’s totally 100% secure will be installed on a computer that never gets turned on.

Differences between physical, virtual, and cloud setups

So you can do the hands-on labs, I’ll introduce you to the concept of virtual machines. This is just a way of running one operating system within another operating system. So, it doesn’t matter whether you’re running Windows, macOS, or Linux on your host machine. In any case, you can run a Linux virtual machine that you can use for practice, and that you won’t have to worry about if it gets trashed.

Oracle’s VirtualBox, which is what we’ll be using, is great for what we’ll be doing. In an enterprise setting, you’ll find other forms of virtualization software that are better suited for use in data centers. In the past, server hardware could only handle doing one thing at a time, which meant that you had to have one server running DNS, another running DHCP, and so on. Nowadays, we have servers with gobs of memory, gobs of drive space, and CPUs with as many as 96 cores each. So, it’s now cheaper and more convenient to install multiple virtual machines on each server, with each virtual machine doing its own specific job. This also means that you not only have to worry about security on the physical server that hosts these virtual machines but you also need to worry about the security of each virtual machine. An added problem is that you need to ensure that the virtual machines remain properly isolated from each other, especially ones that contain sensitive data.

And then, there’s the cloud. Many different outfits provide cloud services, where a person or a company can spin up an instance of either Windows or their choice of a Linux distro. When setting up a Linux distro on a cloud service, there are things that you’ll have to do right away to enhance security. (That’s something that we’ll cover in Chapter 7, SSH Hardening.) And realize that when you set up a server on a cloud service, you’ll always have more concerns about proper security, because it will have an interface that connects to the wild and woolly Internet. (Your on-premises servers, except for ones that are meant to serve the public, are usually isolated from the Internet.)

With our introductory material out of the way, let’s get to the real meat of the matter, starting with an introduction to our virtualization software.

Introducing VirtualBox and Cygwin

Whenever I write or teach, I try very hard not to provide students with a cure for insomnia. Throughout this book, you’ll see a bit of theory whenever it’s necessary, but I mainly like to provide good, practical information. There will also be plenty of step-by-step hands-on labs and an occasional bit of humor.

The best way to do the labs is to use Linux virtual machines. Most of what we’ll do can apply to any Linux distro, but we will also do some things that are specific to either Red Hat Enterprise Linux (RHEL) or Ubuntu Linux. (RHEL is the most popular for enterprise use, while Ubuntu is the most popular for cloud deployments.) SUSE is the third big enterprise Linux distro. We won’t be doing too much with SUSE, but on occasion, I’ll point out some of its little quirks.

Since Red Hat is a fee-based product, we’ll substitute CentOS 7, AlmaLinux8, and AlmaLinux9, which are built from Red Hat source code and are free of charge. (We’re using all three of these distros because there are some differences between them, and all of them will be supported for quite some time to come.) CentOS and AlmaLinux offer various download images. You’ll want to download the DVD images, because they contain necessary things that are missing from the minimal images. Specifically, download these image files:

For Ubuntu, we’ll concentrate on version 22.04, since it’s the newest Long Term Support (LTS) version. (We’ll also take an occasional look at Ubuntu 20.04, since it’s still supported and there are a few differences between it and 22.04.) A new LTS version of Ubuntu comes out in April of every even-numbered year, and non-LTS versions come out in April of every odd-numbered year and every October. For production use, you’ll mainly want to stick with the LTS versions, because the non-LTS versions can sometimes be a bit problematic.

There are several different virtualization platforms that you can use, but my own preferred choice is VirtualBox.

VirtualBox is available for Windows, Linux, and Mac hosts, and is free of charge for all of them. (It’s also available for Solaris hosts, but I doubt that many of you will be running that.) It has features that you have to pay for on other platforms, such as the ability to create snapshots of virtual machines.

Some of the labs that we’ll be doing will require you to simulate creating a connection from your host machine to a remote Linux server. If your host machine is either a Linux or a Mac machine, you’ll just be able to open the terminal and use the built-in Secure Shell (SSH) tools. If your host machine is running Windows, you’ll need to install some sort of Bash shell, such as Cygwin, or just use the Bash shell that’s built into Windows 10/11 Pro.

Installing a virtual machine in VirtualBox

For those of you who’ve never used VirtualBox, here’s a quick guide to get you going:

Figure 1.1:Create the virtual drive

Figure 1.2: Choose the .iso file

Figure 1.3: Installing Ubuntu

The user account creation screen of the AlmaLinux 9 installer—which looks the same as the one on CentOS 7 and AlmaLinux 8—is shown here:

Figure 1.4: User creation for AlmaLinux

For Ubuntu 22.04, you’ll see just one self-explanatory screen to set up your real name, a username, and a password. The Ubuntu installer will automatically add your user account to the sudo group, which will give you full administrator privileges.

Here’s the user account creation screen for Ubuntu 22.04:

Figure 1.5: Ubuntu user creation

Now, let’s change gears and move on to CentOS 7.

Installing the EPEL repository on the CentOS 7 virtual machine

While the Ubuntu package repositories have pretty much everything that you need for this course, the CentOS and AlmaLinux package repositories are—shall we say—lacking. To have the packages that you’ll need for the CentOS and AlmaLinux hands-on labs, you’ll need to install the EPELrepository. (The EPEL project is run by the Fedora team.) When you install third-party repositories on Red Hat 7 and CentOS 7 systems, you’ll also need to install a priorities package and edit the .repo files to set the proper priorities for each repository. This will prevent packages from the third-party repository from overwriting official Red Hat and CentOS packages if they just happen to have the same name. The following steps will help you install the required packages and edit the .repo files:

Now, let’s move on to AlmaLinux.

Installing the EPEL repository on the AlmaLinux 8/9 virtual machines

To install the EPEL repository on AlmaLinux, all you have to do is run this command:

There’s no priorities package as there is on CentOS 7 and earlier, so we won’t have to worry about configuring the repository priorities.

When the package installation is complete, update the system and create a list of available software packages with these two commands:

Next, let’s configure our network.

Configuring a network for VirtualBox virtual machines

Some of our training scenarios will require you to simulate creating a connection to a remote server. You would do this by using your host machine to connect to a virtual machine. When you first create a virtual machine on VirtualBox, the networking is set to NAT mode. In order to connect to the virtual machine from the host, you’ll need to set the virtual machine’s network adapter to Bridged Adapter mode. Here’s how you can do this:

Figure 1.6: Configuring the network

Creating a virtual machine snapshot with VirtualBox

One of the beautiful things about working with virtual machines is that you can create a snapshot and roll back to it if you mess something up. With VirtualBox, that’s easy to do, by following these steps:

Figure 1.7: Taking a snapshot

After you’ve made changes to the virtual machine, you can roll back to the snapshot by shutting down the virtual machine, then highlighting the snapshot name, and clicking on the Restore button.

Using Cygwin to connect to your virtual machines

If your host machine is either a Linux or Mac machine, you’ll simply open the host’s terminal and use the tools that are already there to connect to the virtual machine. Windows 10 and Windows 11, even in the base Home Edition, now come with a Secure Shell client that’s built into both the normal Command Prompt and PowerShell, and you can use that if you desire. But if you’d prefer to use something that comes closer to the actual Linux experience, you might consider Cygwin.

Cygwin, a project of the Red Hat company, is a free open source Bash shell that’s built for Windows. It’s free of charge and easy to install.

Installing Cygwin on your Windows host

Here’s a quick how-to to get you going with Cygwin:

Figure 1.8: Installing Cygwin packages

Figure 1.9: Select the OpenSSH package

Figure 1.10: After selecting the OpenSSH package

Next, we’ll look at the Windows 10/11 Bash shell.

Using the Windows 10 SSH client to interface with Linux virtual machines

If you’re using Windows 10, you already have an SSH client built into your operating system.

So, let’s see how to do this:

Figure 1.11: Windows 10 Command Prompt

Figure 1.12: SSH remote from Windows Command Prompt

Figure 1.13: PowerShell command prompt

Figure 1.14: Remote login from PowerShell

If you have the choice, go with PowerShell instead of Command Prompt. PowerShell is a bit closer to the Linux Bash shell experience, and you’ll be much happier with it.

Using the Windows 11 SSH client to interface with Linux virtual machines

You’ll work with Windows 11 the same way, except that the menu entries for the Command Prompt and PowerShell are in different places. The Command Prompt now has its own Terminal item on the main menu, and PowerShell is now under the Windows Tools submenu. Windows 11 also has a third option, which is a built-in Ubuntu virtual machine. You’ll see an icon for that in the bottom taskbar.

Cygwin versus the Windows shell

Both Cygwin and the SSH client that’s built into Windows 10/11 have their pros and cons. In favor of Cygwin, you can install a variety of packages to customize it pretty much any way you want. Also, Cygwin stores the SSH known_hosts and keys files in the .ssh directory of the user’s home directory, which is where you’d expect to find them if you’re used to working with Linux. If you use the SSH client that’s built into Windows, you’ll have to search for these files in other locations.

In favor of the Windows 10/11 built-in SSH client, there’s the fact that it’s already there. Also, it’s much easier to use if you need to access your normal Windows folders because Cygwin traps you in its own sandboxed directory structure.

Keeping the Linux systems updated

Spend some time perusing the Common Vulnerabilities and Exposures database, and you’ll soon see why it’s so important to keep your systems updated. Yes, indeed, you’ll even find that there have been security flaws with our beloved Linux, as you can see here:

Figure 1.15: Common Vulnerabilities and Exposures

Updating a Linux system only requires one or two simple commands, and it’s generally faster and less painful than updating a Windows system.

Next, let’s look at updating the Debian-based systems, which include Ubuntu.

Updating Debian-based systems

Let’s take a look at how to update Debian-based systems:

Next, we will configure auto updates for Ubuntu.

Configuring auto updates for Ubuntu

When you first install Ubuntu 22.04, automatic updates are turned on by default. To verify that, you’ll first check the status of the unattended-upgrades service, like so:

Then, look in the /etc/apt/apt.conf.d/20auto-upgrades file. If auto-updating is enabled, you’ll see this:

I must confess, though, that I have mixed feelings about this. I mean, it’s nice that the security updates get installed without me having to do anything, but a lot of those updates require that the system be rebooted before they can take effect. By default, Ubuntu systems don’t automatically reboot after an update is installed. If you keep it that way, you’ll see a message about it when you log into the system. But if you prefer, you can set Ubuntu to automatically reboot after it automatically updates itself. Here’s how to do it:

You can also use the apt command to install only the security updates, but it would require piping the apt output into a convoluted set of text filters in order to mask the non-security updates. Using the unattended-upgrade command is much easier.