332.1 Host Hardening (weight: 5)

Tech Tutorial: 332.1 Host Hardening (weight: 5) #

Introduction #

Host hardening refers to the processes and practices of securing a computer system to reduce its attack surface and vulnerability. This involves configuring system settings and policies to mitigate risks and protect against threats. The objective of this tutorial is to provide a detailed guide on how to harden a Linux host effectively, focusing on practical, hands-on examples.

Key Knowledge Areas: #

  • Understanding of security policies and standards
  • Filesystem permissions and attributes
  • User and password policies
  • Securing services
  • Network configuration and firewalls

Utilities: #

  • chmod, chown, umask
  • usermod, chage
  • systemctl, sshd_config
  • iptables, firewalld

Step-by-Step Guide #

This guide will take you through the essential steps of hardening a Linux host, with detailed code examples for each step.

1. Filesystem Permissions and Attributes #

Setting File Permissions #

Permissions on critical system files should be restricted to prevent unauthorized access:

# Set permissions on /etc/shadow to allow only root read access
chmod 600 /etc/shadow

# Set permissions on /etc/gshadow
chmod 600 /etc/gshadow

# Set permissions on /etc/passwd to be readable by others but writable only by root
chmod 644 /etc/passwd

Changing File Ownership #

Ownership of system files should be properly set to the root or respective system users:

# Change ownership of /var/log to root
chown root:root /var/log

# Ensure the Apache config directory is owned by root
chown -R root:root /etc/apache2

Setting Default Permissions with umask #

The umask command sets the default permissions for newly created files and directories:

# Set default umask in /etc/profile or /etc/bashrc
echo "umask 027" >> /etc/profile

2. User and Password Policies #

Modifying User Policies #

Ensure strict password and account policies:

# Lock a user account
usermod -L username

# Set password expiry for a user
chage -M 90 username  # Set maximum days between password change to 90 days

Setting Password Aging Policies #

Password aging policies force regular updates and can disable accounts after certain criteria:

# Set password aging information
chage -m 7 -M 90 -W 7 username

3. Securing Services #

Disabling Unnecessary Services #

Disable services that are not required to minimize the attack surface:

# Stop and disable Telnet
systemctl stop telnet.service
systemctl disable telnet.service

Securing SSH #

Secure SSH by modifying /etc/ssh/sshd_config:

# Disable root login via SSH
echo "PermitRootLogin no" >> /etc/ssh/sshd_config

# Disable empty passwords
echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config

# Use only secure SSH protocol 2
echo "Protocol 2" >> /etc/ssh/sshd_config

# Restart SSH service to apply changes
systemctl restart sshd

4. Network Configuration and Firewalls #

Setting Up a Basic Firewall #

Using iptables or firewalld to set up basic firewall rules:

# Using iptables to block all incoming connections except SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

# Using firewalld to accomplish the same
firewalld-cmd --zone=public --add-service=ssh
firewalld-cmd --zone=public --set-target=DROP

Conclusion #

Host hardening is a critical aspect of system administration and security management. By following the steps outlined in this tutorial and applying the code examples provided, you can significantly enhance the security of your Linux host. Regularly review and update your configurations to adapt to new vulnerabilities and threats. Always test changes in a safe environment before applying them to production systems.