6 Good security practices every Linux admin must follow

Posted November 23, 2006 · 13 comments · Last updated November 25, 2006


Here is my own list of good security practices for keeping a Linux system safe.

(1) Keep the system up to date at all times. Apply all patches, especially security updates. Use up2date, yum, or apt-get to apply them (on Debian-based systems that is apt-get update followed by apt-get upgrade; apt-get update on its own only refreshes the package lists).

(2) The default firewall policy should be deny by default: close every door and open only the windows you need. Run iptables (or ipf on platforms that ship it) with a DROP policy so that unwanted traffic, hostile IPs, and unused ports are blocked, and explicitly allow only the ports your services listen on.
</gml_replace>
<gr_replace lines="13" cat="clarify" orig="(3) Never ever login">
(3) Never log in as root; always use sudo from an unprivileged account. Disable direct root logins over SSH (PermitRootLogin no in sshd_config) and FTP (root is usually already listed in /etc/ftpusers by default).

(3) Never ever login as root, always use sudo. Disable root access for ssh and ftp session (default).

(4) Do not run any Perl or other downloaded executable code on a production system as root. Always test downloaded software locally first, and verify it against a checksum or signature obtained from a trusted channel. Prefer a SHA-256 checksum or the vendor's GPG signature over MD5, since MD5 collisions can be produced and an attacker who can replace the file may be able to match the published MD5.

(5) Take advantage of SELinux (Security-Enhanced Linux), which adds mandatory access control on top of the normal Unix permissions, so a compromised service is confined to the files and ports its policy allows. On mail servers it is also recommended to run an anti-virus/anti-spam scanner such as ClamAV (or a commercial AV/anti-spam product).

(6) Finally, run all important services in a chrooted jail. Note that a chroot only confines a process that is not running as root; a root process can escape it, so run the jailed service as an unprivileged user and put only the binaries and libraries it needs inside the jail.

Update (see the comments below): suggestions from other readers

(7) Remove or disable unnecessary services you don't use.

(8) Conduct some (penetration) tests to make sure you have not misconfigured your setup.

(9) Remove compilers and network scanning tools such as nmap from servers. Why make the attacker's job easier? This only raises the bar a little, since an attacker with shell access can usually upload a prebuilt binary or use an interpreter such as Perl that is already installed, so treat it as defence in depth rather than a control on its own.
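As an added example (this is not code from the original post), the following shell script covers items (2) through (4): it prints a default-deny iptables ruleset for review, audits an sshd_config for the settings that item (3) and the comments below discuss (root login, password authentication, SSH protocol 1), and verifies a download against a SHA-256 instead of the MD5 suggested above. It changes nothing on the host by itself; the ports, file paths and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for items (2)-(4).
# Nothing here changes the system by itself: firewall_rules only prints the
# iptables commands for review, audit_sshd only reads a config file, and
# verify_checksum only compares hashes. Ports and paths are assumptions.

# Print an iptables ruleset for a default-deny host firewall. The ACCEPT rules
# are emitted before the DROP policy so that applying the output line by line
# over an SSH session does not cut that session off.
# Usage: firewall_rules 22 80 443   (TCP ports to leave open)
firewall_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "firewall_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
}

# Print the effective value of one sshd_config keyword, or a default when the
# keyword is absent. sshd uses the FIRST uncommented occurrence, keywords and
# values are case-insensitive, and reading stops at the first Match block
# because values inside it are conditional. Only "Keyword value" is handled.
# Usage: sshd_value /etc/ssh/sshd_config PermitRootLogin yes
sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def; seen = 0 }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 && !seen && tolower($1) == key { val = tolower($2); seen = 1 }
        END { print val }
    ' "$1"
}

# Report sshd settings that weaken item (3). Prints one finding per line and
# returns 0 when clean, 1 when anything was found. The defaults passed to
# sshd_value are the upstream OpenSSH defaults of the time (root login and
# password authentication both enabled when the keyword is missing).
audit_sshd() {
    conf="$1"
    count=0
    if [ "$(sshd_value "$conf" PermitRootLogin yes)" = "yes" ]; then
        echo "PermitRootLogin yes: root can log in remotely with a password; set no or without-password"
        count=$((count + 1))
    fi
    if [ "$(sshd_value "$conf" PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication yes: accounts can be brute-forced; use keys and set it to no"
        count=$((count + 1))
    fi
    case "$(sshd_value "$conf" Protocol 2)" in
        *1*) echo "Protocol 1 enabled: SSH-1 is broken; set Protocol 2"; count=$((count + 1)) ;;
    esac
    [ "$count" -eq 0 ]
}

# SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Verify a download against a SHA-256 obtained out of band (the vendor's signed
# announcement, not the same page the file came from). Returns 0 on match.
verify_checksum() {
    actual=$(file_sha256 "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "MISMATCH: $1 expected $2 got $actual" >&2
    return 1
}

# Stand-alone use: `sh harden-check.sh 22 80 443` prints the ruleset for review.
if [ "$#" -gt 0 ]; then
    firewall_rules "$@"
fi
```

Review the printed rules before running them: setting the INPUT policy to DROP before the ESTABLISHED,RELATED rule exists would lock you out of a remote session, which is why the script emits the policy last. Persist the result with your distribution's iptables-save mechanism, and rerun audit_sshd after any package upgrade that may have rewritten sshd_config.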

Remember that you can make an attacker's life hard, but you cannot make anything 100% secure. Continuous monitoring and a tight security policy will keep the service running for a long time without any sort of intrusion :)



1 Luke November 23, 2006 at 7:16 pm

Good tips. One note btw – the apt-get update command on Debian-based systems simply fetches the list of currently available packages in the repositories. Upgrading the system is a two-step process:

First fetch new package list:

apt-get update

Then run an update:

apt-get upgrade or apt-get dist-upgrade


2 nixCraft November 23, 2006 at 8:15 pm

Thanks for pointing that out:

apt-get update; apt-get upgrade


3 aussiebear November 23, 2006 at 10:33 pm

Some others…

(7) Remove or disable unnecessary services you don’t use.

(8) Conduct some (penetration) tests to ensure you didn’t misconfig your setup.

Misconfiguration is often a cause of system compromise!… It's right up there with not staying up to date with patches!


4 nixCraft November 24, 2006 at 10:40 am

aussiebear,

Yup, disabling unwanted services is also important.

Appreciate your post.


5 Duane Wills November 25, 2006 at 5:13 am

Exactly… WHY is SSH stuff included in a desktop-oriented distribution?? Even so, don’t enable it by default, please! It doesn’t matter if you can’t login as root remotely. How many desktop users SSH into their own machines? I’ll admit I do it on occasion, but only to pull music, and very rarely. If I need it, I’ll start it before I go.


6 nixCraft November 25, 2006 at 8:39 am

Just a quick note: this post is targeted towards Linux servers and not Linux desktop systems. However I do agree with you – an ssh server is rarely needed on a desktop system.

Appreciate your post.


7 Jeff Schroeder November 25, 2006 at 3:03 pm

You missed a really important one…

7.) Remove all compilers and network scanning tools such as nmap from servers. Why make the attacker’s job easier?


8 nixCraft November 25, 2006 at 4:45 pm

Jeff,

Good point!

If you are running a web server or other services in a chrooted jail you can safely run gcc and other compilers. I know one admin who, once his server is up, backs up and removes the gcc, rpm and up2date commands… I don’t like his solution at all. It is better to remove gcc, IMPO

Appreciate your post.


9 B!n@ry December 16, 2006 at 6:51 pm

Thanx for the points. I’d like to add:

(9) If running a web hosting server, use the mod_sec module for Apache.

(10) If running a server in a production environment, run an IDS like snort.

(11) The first level of security always starts with physical security.

(12) Always keep your kernel up to date; if you are a good kernel hacker then patch it yourself.

Thanx nixcraft


10 anonymous May 14, 2007 at 10:45 am

what about :indirect: attacks ;)


11 lbdog May 14, 2007 at 4:44 pm

thanks a lot, this page is bookmarked


12 Martin von Wittich August 15, 2007 at 10:37 pm

Rule #3 is nonsense, IMO. Why should disabling root logins make the machine more secure? Just set “PermitRootLogin without-password”, make sure it works and be happy. I often use scp to copy data between servers, and I’d become rather unhappy if I couldn’t do this because I use non-privileged accounts that may do su or sudo, but not access the required files directly.

Disabling root logins but enabling password auth is much less safe. An attacker could brute-force your password and then would just put a su alias into your bashrc, and the next moment you’re using it you’ll be mailing him the root password without even noticing.


13 Martin von Wittich August 15, 2007 at 10:52 pm

Oh, I forgot… @Jeff Schroeder:

Why remove GCC and nmap? [btw: I wouldn’t dare remove gcc on my Gentoo server :>]
If the attacker is on your server, maybe even as root, then nmap won’t really make it worse. If he’s root and needs it, he will simply install it; if he’s a non-privileged user, he could try e.g. wget/GET to download a suitable executable. And things that you can do in C/C++ (->gcc) are much easier to do in script languages like shell script, Perl, PHP, Python. As especially Perl will be installed on many servers, removing GCC seems rather pointless to me.

Better chroot as much server software as possible and give each chroot really only the tools needed. If an attacker gains control of one of the server softwares, he will be locked into the chroot (unless the server software is running as root) and there he will most probably not even find simple tools like mail, cp or mv.

