Mastering Linux Security and Hardening Secure your Linux server and protect it from intruders, malware attacks, and other external threats Donald A. Tevault BIRMINGHAM - MUMBAI Mastering Linux Security and Hardening Copyright © 2018 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. Commissioning Editor: Vijin Boricha Acquisition Editor: Rohit Rajkumar Content Development Editor: Devika Battike Technical Editor: Mohd Riyan Khan Copy Editors: Safis Editing, Dipti Mankame Project Coordinator: Judie Jose Proofreader: Safis Editing Indexer: Pratik Shirodkar Graphics: Tania Dutta Production Coordinator: Deepika Naik First published: January 2018 Production reference: 1090118 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78862-030-7 www.packtpub.com mapt.io Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website. Why subscribe? Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals Improve your learning with Skill Plans built especially for you Get a free eBook or video every month Mapt is fully searchable Copy and paste, print, and bookmark content PacktPub.com Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details. At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. Contributors About the author Donald A. Tevault—but you can call him Donnie—got involved with Linux way back in 2006, and has been working with it ever since. He holds the Linux Professional Institute Level 3—Security certification, and the GIAC Incident Handler certification. Donnie is a professional Linux trainer, and thanks to the magic of the internet, teaches Linux classes literally the world over from the comfort of his living room. First, I'd like to thank the good folk at Packt, who were most delightful to work with on this project. I'd also like to thank my cats, who so graciously allowed me to use their names in the demos. About the reviewer Salman Aftab has 10+ years of experience in Linux and 7+ years of experience in networks and security. He authored the book Linux Security and Unified Threat Management System. Salman is an owner of the Linux Zero To Hero project, where he teaches Linux from very basic to advanced level free of cost. He is skilled in Linux, AWS, Networks and Security, and VOIP. He is RHCE trained and holds NCLA, SCNS, CEH, 3 X CCNA, CCNA Security, CCNA Voice, CCNP Security, CCNP, and OSCP is in progress. Packt is searching for authors like you If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea. Table of Contents Preface 1 Chapter 1: Running Linux in a Virtual Environment 6 The threat landscape 7 So, how does this happen? 8 Keeping up with security news 8 Introduction to VirtualBox and Cygwin 9 Installing a virtual machine in VirtualBox 10 The EPEL repository on the CentOS virtual machine 14 Configuring a network for VirtualBox virtual machines 15 Creating a virtual machine snapshot with VirtualBox 16 Using Cygwin to connect to your virtual machines 18 Installing Cygwin on your Windows host 18 Summary 20 Chapter 2: Securing User Accounts 21 The dangers of logging in as the root user 22 The advantages of using sudo 23 Setting up sudo privileges for full administrative users 24 Method 1 – adding users to a predefined admin group 24 Method 2 – creating an entry in the sudo policy file 26 Setting up sudo for users with only certain delegated privileges 27 Hands-on lab for assigning limited sudo privileges 31 Advanced tips and tricks for using sudo 33 The sudo timer 33 Hands-on lab for disabling the sudo timer 34 Preventing users from having root shell access 35 Preventing users from using shell escapes 35 Preventing users from using other dangerous programs 36 Limiting the user's actions with commands 37 Letting users run as other users 38 Locking down users' home directories the Red Hat or CentOS way 38 Locking down users' home directories the Debian/Ubuntu way 39 useradd on Debian/Ubuntu 40 adduser on Debian/Ubuntu 41 Hands-on lab for configuring adduser 42 Table of Contents Enforcing strong password criteria 43 Installing and configuring pwquality 45 Hands-on lab for setting password complexity criteria 48 Setting and enforcing password and account expiration 49 Configuring default expiry data for useradd – for Red Hat or CentOS only 50 Setting expiry data on a per-account basis, with useradd and usermod 52 Setting expiry data on a per-account basis, with chage 54 Hands-on lab for setting account and password expiry data 55 Preventing brute-force password attacks 56 Configuring the pam_tally2 PAM module 57 Hands-on lab for configuring pam_tally2 58 Locking user accounts 59 Using usermod to lock a user account 60 Using passwd to lock user accounts 61 Locking the root user account 62 Setting up security banners 63 Using the motd file 63 Using the issue file 64 Using the issue.net file 65 Summary 65 Chapter 3: Securing Your Server with a Firewall 66 An overview of iptables 67 Basic usage of iptables 67 Hands-on lab for basic iptables usage 73 Uncomplicated Firewall for Ubuntu systems 75 Basic usage of ufw 75 Hands-on lab for basic ufw usage 76 firewalld for Red Hat systems 77 Verifying the status of firewalld 78 firewalld zones 79 firewalld services 83 Adding ports to a firewalld zone 87 firewalld rich language rules 88 Hands-on lab for firewalld commands 90 nftables – a more universal type of firewall system 91 nftables tables and chains 92 Getting started with nftables 92 Using nft commands 95 Hands-on lab for nftables on Ubuntu 100 Summary 101 [ ii ] Table of Contents Chapter 4: Encrypting and SSH Hardening 102 GNU Privacy Guard 103 Creating your GPG keys 104 Symmetrically encrypting your own files 106 Hands-on lab – combining gpg and tar for encrypted backups 109 Using private and public keys for asymmetric encryption and signing 110 Signing a file without encryption 115 Encrypting partitions with Linux Unified Key Setup – LUKS 116 Disk encryption during operating system installation 117 Adding an encrypted partition with LUKS 119 Configuring the LUKS partition to mount automatically 124 Encrypting directories with eCryptfs 126 Home directory and disk encryption during Ubuntu installation 126 Encrypting a home directory for a new user account 128 Creating a private directory within an existing home directory 129 Encrypting other directories with eCryptfs 131 Encrypting the swap partition with eCryptfs 133 Using VeraCrypt for cross-platform sharing of encrypted containers 134 Getting and installing VeraCrypt 134 Creating and mounting a VeraCrypt volume in console mode 135 Using VeraCrypt in GUI mode 138 Ensuring that SSH protocol 1 is disabled 139 Creating and managing keys for password-less logins 140 Creating a user's SSH key set 141 Transferring the public key to the remote server 142 Disabling root user login 143 Disabling username/password logins 144 Setting up a chroot environment for SFTP users 145 Creating a group and configuring the sshd_config file 145 Hands-on lab – setting up a chroot directory for sftpusers group 147 Summary 148 Chapter 5: Mastering Discretionary Access Control 149 Using chown to change ownership of files and directories 150 Using chmod to set permissions values on files and directories 152 Setting permissions with the symbolic method 153 Setting permissions with the numerical method 153 Using SUID and SGID on regular files 155 The security implications of the SUID and SGID permissions 156 [ iii ] Table of Contents Finding spurious SUID or SGID files 157 Hands-on lab – searching for SUID and SGID files 158 Preventing SUID and SGID usage on a partition 159 Using extended file attributes to protect sensitive files 160 Setting the a attribute 161 Setting the i attribute 162 Hands-on lab – setting security-related extended file attributes 163 Summary 164 Chapter 6: Access Control Lists and Shared Directory Management 165 Creating an access control list for either a user or a group 166 Creating an inherited access control list for a directory 169 Removing a specific permission by using an ACL mask 170 Using the tar --acls option to prevent the loss of ACLs during a backup 172 Creating a user group and adding members to it 174 Adding members as we create their user accounts 175 Using usermod to add an existing user to a group 175 Adding users to a group by editing the /etc/group file 176 Creating a shared directory 177 Setting the SGID bit and the sticky bit on the shared directory 178 Using ACLs to access files in the shared directory 181 Setting the permissions and creating the ACL 181 Charlie tries to access Vicky's file with an ACL set for Cleopatra 182 Hands-on lab – creating a shared group directory 183 Summary 184 Chapter 7: Implementing Mandatory Access Control with SELinux and AppArmor 185 How SELinux can benefit a systems administrator 186 Setting security contexts for files and directories 187 Installing the SELinux tools 189 Creating web content files with SELinux enabled 189 Fixing an incorrect SELinux context 193 Using chcon 193 Using restorecon 194 Using semanage 195 Hands-on lab – SELinux type enforcement 197 Troubleshooting with setroubleshoot 198 Viewing setroubleshoot messages 199 Using the graphical setroubleshoot utility 200 Troubleshooting in permissive mode 202 [ iv ]