Hardening Your System with Tools and Services.

What is system hardening:

System hardening aims to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface. By removing superfluous programs, accounts functions, applications, ports, permissions, access, etc. attackers and malware have fewer opportunities to gain a foothold within your IT ecosystem.

In this article, I try to cover some of the most common services and tools that need to be protected to increase the Linux server's security.

1. Desktop security:

• Password security: Creating and forcing strong passwords, configuring password aging. The pam_pwquality module in Linux OS is used to check a password’s strength against a set of rules.
• Account locking: Configure pam_faillock PAM module, which allows system administrators to lock out user accounts after a specified number of failed attempts.
• Session locking: Alleviate these risks by using session locking features that prevent access to the system until a correct password is entered.
• Enforcing read-only mounting of removable media: To enforce read-only mounting of removable media (such as USB flash disks), the administrator can use a udev rule to detect removable media and configure them to be mounted read-only using the blockdev utility

2. Controlling root access:

• Root access: Controlling, disallowing, and limiting the root access for the users
• Enable automatic logouts:
• Securing the boot loader:
  i) Preventing Access to Single User Mode
  ii) Preventing Access to the GRUB 2 Console.
  iii) Preventing Access to Insecure Operating Systems
  iv) Disabling interactive setup
• Protecting hard and soft symbolic links: This protection is turned on by default. It is controlled by the following options in the /usr/lib/sysctl.d/50-default.conf file:

3. Securing services:

• Risk to services can lead to attacks like DOS, DDOS, Script vulnerability attack, and Buffer overflow attack
• Avoid using and configuring insecure services on the server.
• Securing rpcbind and rpc.mountd.
• Following all the necessary security steps while configuring servers such as NIS, NFS, HTTP, FTP, Postfix, SSH, PostgreSQL, and Docker.

4. Securing Network Access:

• Securing services with the TCP wrappers and connection banners: Displaying a suitable banner when users connect to a service is a good way to let potential attackers know that the system administrator is being vigilant. You can also control what information about the system is presented to users.
• Verifying which port is listening using the netcat utility and close the unnecessary ports.
• Disabling source routing: An Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, tells a router the path the packet must take. There is also an option to record the hops as the route is traversed. The list of hops taken, the “route record”, provides the destination with a return path to the source. This allows the source (the sending host) to specify the route, loosely or strictly, ignoring the routing tables of some or all of the routers. It can allow a user to redirect network traffic for malicious purposes. Therefore, source-based routing should be disabled.

5. Secure DNS traffic by configuring DNSSEC.

6. Secure Virtual private network using the tool Libreswan.

7. Use OpenSSL in creating and managing encryption keys and generating certificates.

8. Disable ping replies on the server so no one from the outside world can ping by editing the file /etc/sysctl.conf

9. Using USBguard: It is a software framework that provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes.

10. Installing and updating the software patches regularly to keep them up to date.

11. Configure the firewall, IDS, and IPS on a server by applying and making rich set rules and policies according to the organizational structure.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

“Even the bravest cyber defense will experience defeat when weaknesses are neglected.”

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -