
Linux Server Hardening

The Linux Paradigm

The beauty of Linux is that it is so accessible and freely available that it is easy to get up and running with very little training or knowledge. The web-based support community provides all the tips and tutorials you will ever need to carry out any Linux set-up task or troubleshoot issues you may experience.

Finding and interpreting the right hardening checklist for your Linux hosts may still be a challenge, so this guide gives you a concise checklist to work from, covering the highest-priority hardening measures for a typical Linux server. Where a setting is listed under its Windows-style policy name, the Linux file or PAM module that implements it is named alongside.

NNT Change Tracker Enterprise has been certified by CIS to audit RHEL, CentOS, Ubuntu, SUSE and other Linux distributions against the CIS Benchmarks, identifying where vulnerable configuration settings are present and explaining in plain English how to mitigate them.

Account Policies

  • Enforce password history – remember previous passwords so they cannot be reused (pam_pwhistory or pam_unix remember=N; N is a count of passwords, not a number of days)
  • Maximum password age – 42 days (PASS_MAX_DAYS in /etc/login.defs; chage -M 42 for accounts that already exist)
  • Minimum password length – 8 characters (minlen in /etc/security/pwquality.conf)
  • Password complexity – enable (pam_pwquality credit and class settings in the same file)
  • Account lockout duration – 30 minutes (pam_faillock unlock_time=1800)
  • Account lockout threshold – 5 attempts (pam_faillock deny=5)
  • Reset account lockout counter – 30 minutes (pam_faillock fail_interval=1800)

Password quality is enforced through the PAM password stack: /etc/pam.d/common-password on Debian and Ubuntu, /etc/pam.d/system-auth and password-auth on RHEL and its derivatives (managed by authselect or authconfig on recent releases, so change them through that tool rather than by hand). Ageing comes from /etc/login.defs and applies only to accounts created afterwards, so run chage on existing ones. Lockout belongs to the auth stack (common-auth or system-auth) and is provided by pam_faillock, which on recent PAM releases reads /etc/security/faillock.conf; older Debian and Ubuntu releases use pam_tally2 with the equivalent deny= and unlock_time= options.
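The following audit helper is an added example, not code from the original page or from NNT: it reads the three files that carry the settings above and reports which ones miss the thresholds listed. The file paths are parameters so it can run against copies of the files; the default paths in the live-run stanza are the Debian/Ubuntu ones (on RHEL substitute /etc/pam.d/system-auth, or /etc/security/faillock.conf on recent PAM).

```shell
#!/bin/sh
# Added audit helper (not from the original page): checks password ageing,
# length and pam_faillock lockout settings against the thresholds listed above.
# Keys for lockout are pam_faillock's: deny, unlock_time, fail_interval.

# Last value of KEY in a "KEY value" file such as login.defs (last occurrence
# wins, which is how shadow-utils reads it).
defs_value() {  # $1=file $2=key
  awk -v k="$2" '!/^[[:space:]]*#/ && $1==k {v=$2} END {print v}' "$1"
}

# Last value of key=value tokens, as written on pam module lines or in
# pwquality.conf / faillock.conf ("minlen = 8" and "deny=5" both parse).
kv_value() {  # $1=file $2=key
  sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/g' "$1" \
    | tr ' \t' '\n\n' | awk -F= -v k="$2" '$1==k {v=$2} END {print v}'
}

# Report every setting that misses the target; return value is the miss count.
audit_password_policy() {  # $1=login.defs $2=pwquality.conf $3=pam file (or faillock.conf)
  fails=0
  max=$(defs_value "$1" PASS_MAX_DAYS)
  [ -n "$max" ] && [ "$max" -le 42 ] \
    || { echo "FAIL PASS_MAX_DAYS=${max:-unset} (want <= 42)"; fails=$((fails+1)); }
  minlen=$(kv_value "$2" minlen)
  [ -n "$minlen" ] && [ "$minlen" -ge 8 ] \
    || { echo "FAIL minlen=${minlen:-unset} (want >= 8)"; fails=$((fails+1)); }
  deny=$(kv_value "$3" deny)
  [ -n "$deny" ] && [ "$deny" -ge 1 ] && [ "$deny" -le 5 ] \
    || { echo "FAIL deny=${deny:-unset} (want 1..5 attempts)"; fails=$((fails+1)); }
  unlock=$(kv_value "$3" unlock_time)
  [ -n "$unlock" ] && [ "$unlock" -ge 1800 ] \
    || { echo "FAIL unlock_time=${unlock:-unset} (want >= 1800 s)"; fails=$((fails+1)); }
  interval=$(kv_value "$3" fail_interval)
  [ -n "$interval" ] && [ "$interval" -ge 1800 ] \
    || { echo "FAIL fail_interval=${interval:-unset} (want >= 1800 s)"; fails=$((fails+1)); }
  return "$fails"
}

# Live run on a Debian/Ubuntu host: AUDIT_LIVE=1 sh thisfile.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
  audit_password_policy /etc/login.defs /etc/security/pwquality.conf /etc/pam.d/common-auth \
    || echo "$? setting(s) need attention"
fi
```

Note that PASS_MAX_DAYS only covers accounts created after the change; check existing accounts with chage -l, which this helper does not do.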

Access Security

  • Ensure only SSH protocol 2 is in use (current OpenSSH servers no longer support protocol 1; on older builds set Protocol 2)
  • Disable remote root logons (PermitRootLogin no; the default prohibit-password still admits root with a key)
  • Use AllowGroups to admit permitted group names only
  • Allow access from known hosts and networks only
  • Restrict root console logons to one or two physical consoles only

Edit /etc/ssh/sshd_config, or a drop-in under /etc/ssh/sshd_config.d/ on OpenSSH 8.2 and later, to define the sshd policy for your host; check the result with sshd -t before reloading the service, and remember that sshd takes the first value it sees for a keyword, so a drop-in included at the top of the file wins over a later line. /etc/hosts.allow and /etc/hosts.deny (TCP Wrappers) control which hosts may connect, but upstream OpenSSH dropped TCP Wrappers support in 6.7 and only some distributions still patch it back in, so treat the host firewall (nftables, iptables or firewalld) as the reliable control and the wrapper files as a supplement. /etc/securetty, read by pam_securetty, lists the consoles on which root may log in; keep it to tty1, or tty1 and tty2. It governs console and serial logons only, not SSH.
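The block below is an added example and not configuration from the original page: it writes an sshd drop-in for the items above, a deny-by-default TCP Wrappers pair, and a check that reads an sshd_config back and flags the weak values. The group name sshusers and the 10.0.0.0/8 management network are assumptions. The parser is deliberately simple (no Match blocks); on a live host `sshd -T` prints the effective configuration and is the authoritative source.

```shell
#!/bin/sh
# Added example (not from the original page): sshd hardening drop-in, TCP
# Wrappers files and a reader that audits an sshd_config for the weak values.

# First effective value of a keyword: sshd keeps the first occurrence it reads,
# and keywords are case-insensitive.
sshd_value() {  # $1=config file $2=keyword
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    '!/^[[:space:]]*#/ && tolower($1)==k && !seen {print $2; seen=1}' "$1"
}

write_sshd_dropin() {  # $1=destination, e.g. /etc/ssh/sshd_config.d/50-hardening.conf
  cat > "$1" <<'EOF'
# OpenSSH 8.2+ reads sshd_config.d/*.conf through Include; on older releases put
# these lines at the top of sshd_config so they take precedence (first match wins).
Protocol 2
PermitRootLogin no
AllowGroups sshusers
EOF
}

# Deny everything, then allow sshd from the management network (assumed 10/8).
# Only effective where the distribution still builds sshd with libwrap.
write_tcpwrappers() {  # $1=hosts.allow path $2=hosts.deny path
  printf 'sshd: 10.0.0.0/255.0.0.0\n' > "$1"
  printf 'ALL: ALL\n' > "$2"
}

# Report weak settings in an sshd_config; return value is their count.
audit_sshd_config() {  # $1=sshd_config
  f="$1"; fails=0
  case "$(sshd_value "$f" Protocol)" in
    *1*) echo "FAIL Protocol allows SSH1"; fails=$((fails+1)) ;;
  esac
  [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] \
    || { echo "FAIL PermitRootLogin is not 'no' (prohibit-password still admits root by key)"; fails=$((fails+1)); }
  [ -n "$(sshd_value "$f" AllowGroups)" ] \
    || { echo "FAIL AllowGroups unset: any account with a shell may log in"; fails=$((fails+1)); }
  return "$fails"
}

# /etc/securetty lists the consoles on which root may log in (pam_securetty);
# it has no effect on SSH. Reports any entry beyond tty1 and tty2.
audit_securetty() {  # $1=securetty file; returns 1 if extra consoles are listed
  extra=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -vxE 'tty[12]' || true)
  [ -z "$extra" ] && return 0
  printf 'FAIL extra root consoles in %s:\n%s\n' "$1" "$extra"
  return 1
}
```

Run `sshd -t` after installing the drop-in and reload sshd from a second, already-open session so a mistake does not lock you out.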

Secure Boot Only

Disable booting from CD/DVD and USB devices in the firmware (BIOS/UEFI) setup and set a firmware administrator password so the boot order cannot be changed. Without this, a boot-loader password is bypassed simply by booting other media.

Password protect the boot loader, then remove the rescue-mode entry. /boot/grub/menu.lst belongs to GRUB Legacy, where a password --md5 line protects the menu; on GRUB 2 generate a hash with grub-mkpasswd-pbkdf2, add set superusers and password_pbkdf2 lines to /etc/grub.d/40_custom, set GRUB_DISABLE_RECOVERY="true" in /etc/default/grub, and regenerate grub.cfg (update-grub on Debian and Ubuntu, grub2-mkconfig -o /boot/grub2/grub.cfg on RHEL). Once superusers is set, editing an entry at the GRUB prompt requires the password, and so does booting any entry not marked --unrestricted, so test the change from a console before relying on it.
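As an added example (not from the original page), the GRUB 2 counterpart of the menu.lst step: a small generator for the 40_custom lines that refuses anything other than a grub-mkpasswd-pbkdf2 hash, so a plaintext password can never end up in grub.cfg. The user name grubadmin is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): emit the GRUB 2 superuser entry.

# Print the two lines for /etc/grub.d/40_custom. $2 must be the output of
# grub-mkpasswd-pbkdf2 (prefix grub.pbkdf2.sha512.); anything else is rejected.
grub_superuser_entry() {  # $1=user $2=hash
  case "$2" in
    grub.pbkdf2.sha512.*) ;;
    *) echo "refusing: '$2' is not a grub-mkpasswd-pbkdf2 hash" >&2; return 1 ;;
  esac
  printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# Typical use on the host (not run here):
#   HASH=$(grub-mkpasswd-pbkdf2 | sed -n 's/.*is //p')
#   grub_superuser_entry grubadmin "$HASH" >> /etc/grub.d/40_custom
#   sed -i 's/^#\?GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY="true"/' /etc/default/grub
#   update-grub          # Debian/Ubuntu; grub2-mkconfig -o /boot/grub2/grub.cfg on RHEL
```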

Disable All Unnecessary Processes, Services, and Daemons

Each system is unique, so review which processes and services are unnecessary for the applications your server runs.

Assess the server by running ps -ax (or ps -eo pid,user,comm) to see what is running now, and ss -tulpn to see which of those processes are listening on the network.

Similarly, assess the start-up status of all services: systemctl list-unit-files --type=service --state=enabled on systemd hosts, or chkconfig --list on SysV-init hosts (RHEL 6 and earlier).

Disable any unnecessary service with systemctl disable --now service-name, or on SysV hosts chkconfig service-name off (sysv-rc-conf service-name off on Debian). Where the package is not needed at all, remove it, so that a later update cannot re-enable the service.
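Reviewing enabled services is easier as a comparison against an approved baseline than as a read-through. The helper below is an added example, not from the original page: it reads the output of `systemctl list-unit-files --type=service --state=enabled --no-legend` on stdin and prints what is enabled but not approved, and what is approved but missing. BASELINE is an assumed list for a minimal SSH plus web host; derive yours from a freshly built reference system.

```shell
#!/bin/sh
# Added example (not from the original page): diff enabled services against
# a baseline. Input is systemctl's "UNIT FILE  STATE  ..." lines on stdin.

BASELINE="sshd.service rsyslog.service auditd.service chronyd.service cron.service nginx.service"

# Enabled units that are not in the baseline: candidates for disable --now.
unexpected_enabled() {
  while read -r unit state _; do
    [ -n "$unit" ] || continue
    case " $BASELINE " in
      *" $unit "*) ;;
      *) printf '%s\n' "$unit" ;;
    esac
  done
}

# Baseline units that are not enabled: a logging or audit daemon that is
# silently off is as much a finding as an extra service.
missing_from_baseline() {
  enabled=$(cat)
  for u in $BASELINE; do
    printf '%s\n' "$enabled" | awk -v u="$u" '$1==u {f=1} END {exit !f}' \
      || printf '%s\n' "$u"
  done
}

# On a systemd host (not run here):
#   systemctl list-unit-files --type=service --state=enabled --no-legend | unexpected_enabled
#   systemctl list-unit-files --type=service --state=enabled --no-legend | missing_from_baseline
#   systemctl disable --now <unit>      # for each unexpected unit, after review
#   ss -tulpn                            # confirm nothing unexpected still listens
```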

Restrict Permissions on Sensitive Files and Folders to root Only

Ensure the following sensitive files are owned by root and writable by root only. They are data files rather than programs: /etc/passwd and /etc/fstab must stay world-readable (mode 0644) because unprivileged name lookups and user mounts depend on them, and it is /etc/shadow and /etc/gshadow that must be unreadable to ordinary users (mode 0000, or 0640 with group shadow on Debian-based systems).

  • /etc/fstab
  • /etc/passwd

Restrict execution of the following programs to root, or to an administrative group, where ordinary users have no need of them (mode 0750). Note that /bin/ping needs the setuid bit or the cap_net_raw capability to work for non-root users, so restricting it simply takes ping away from them, and that on distributions with a merged /usr these paths resolve under /usr/bin. Record the change with dpkg-statoverride on Debian-based systems, otherwise the next package upgrade restores the default modes; on RHEL, rpm -V will report the changed mode, which is expected.

  • /bin/ping
  • /usr/bin/who
  • /usr/bin/w
  • /usr/bin/locate
  • /usr/bin/whereis
  • /sbin/ifconfig
  • /bin/nano
  • /usr/bin/vi
  • /usr/bin/which
  • /usr/bin/gcc
  • /usr/bin/make
  • /usr/bin/apt-get
  • /usr/bin/aptitude

Ensure the following directories are owned by root and writable by root only. Unprivileged users still need read and search access to the system directories (mode 0755), so "root only" here means root-only write, not root-only access:

  • /etc
  • /usr/etc
  • /bin
  • /usr/bin
  • /sbin
  • /usr/sbin

/tmp and /var/tmp are world-writable by design; keep the sticky bit set (mode 1777) so users can delete only their own files, and mount them nodev,nosuid and, where the applications tolerate it, noexec:

  • /tmp
  • /var/tmp

Disable SUID and SGID Binaries

Identify SUID and SGID files on the system: find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print (repeat for each mounted filesystem, since -xdev stops at mount points). Compare the list with what the packages installed: rpm -V on RHEL, or dpkg-statoverride --list and the package defaults on Debian. A setuid binary the package manager does not know about is a finding in its own right.

Remove the bits only from the binaries that do not need them, with chmod u-s,g-s filename. su, sudo, passwd, newgrp, chsh, mount and umount must keep theirs or they stop working; stripping every SUID/SGID bit on the system breaks logins and privilege management.

You should also restrict access to all compilers on the system by creating a 'compilers' group, adding the administrators who genuinely need a toolchain, and changing the group ownership of the compiler binaries in /usr/bin:

  • chgrp compilers /usr/bin/*cc*
  • chgrp compilers /usr/bin/*++*
  • chgrp compilers /usr/bin/ld
  • chgrp compilers /usr/bin/as

Once they belong to the group, drop world access with chmod 750 on each of those binaries (for example chmod 750 /usr/bin/gcc). Record the override with dpkg-statoverride on Debian-based systems so upgrades do not undo it, and on a production server consider not installing a compiler at all.
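The helper below is an added example (not from the original page) covering the SUID/SGID review and the world-writable checks of the two sections above. It takes a root directory so it can be exercised on a scratch tree; on a real host run it against / (each mounted filesystem separately, because of -xdev). SUID_ALLOW is an assumption listing binaries a typical distribution ships setuid; reconcile it with `rpm -V` or `dpkg-statoverride --list` before trusting it, and note that it strips bits only from files outside that list, never from su, sudo or passwd.

```shell
#!/bin/sh
# Added example (not from the original page): SUID/SGID and world-writable
# audit over a directory tree, with remediation limited to unexpected files.

# Assumed allow-list of binaries that legitimately carry the setuid bit.
SUID_ALLOW="/usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/mount /usr/bin/umount /usr/bin/chage"

# Every regular file with the SUID or SGID bit under the tree.
list_setid() {  # $1=root
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# SUID/SGID files not on the allow-list. Paths are made relative to the root
# argument so the list matches on a test tree as well as on /.
unexpected_setid() {  # $1=root
  root="$1"
  list_setid "$root" | while IFS= read -r f; do
    if [ "$root" = "/" ]; then rel="$f"; else rel="${f#"$root"}"; fi
    case " $SUID_ALLOW " in
      *" $rel "*) ;;
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# Remove the bits from the unexpected files only; allow-listed binaries keep
# theirs, otherwise su, sudo and passwd stop working.
strip_unexpected_setid() {  # $1=root
  unexpected_setid "$1" | while IFS= read -r f; do chmod u-s,g-s "$f"; done
}

# World-writable files, and world-writable directories that lack the sticky
# bit (/tmp and /var/tmp at 1777 are therefore not reported).
world_writable() {  # $1=root
  find "$1" -xdev \( -type f -perm -0002 \) -o \( -type d -perm -0002 ! -perm -1000 \) 2>/dev/null
}
```

Review the output of unexpected_setid before calling strip_unexpected_setid on a real host; a binary that is missing from the allow-list because your distribution names it differently (su under /bin on an unmerged /usr, for instance) would otherwise lose its bit.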

Implement Regular/Real-Time FIM on Sensitive Folders and Files

File integrity should be monitored on the sensitive files and directories above so that neither permissions nor content change without approval.

Standard guidance is to implement AIDE on Linux: initialise the database with aide --init, move the new database into the location named in aide.conf, keep a copy off the host, and run aide --check on a schedule (daily via cron or a systemd timer), investigating every reported difference and re-initialising only after an approved change. A commercial Linux FIM solution like NNT Change Tracker can add real-time FIM with Intelligent Change Control to reduce unwanted 'change noise' from approved changes.
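To show what the baseline-and-check cycle above actually does, here is an added example (not from the original page, and not AIDE) built on coreutils alone: it records a SHA-256 per regular file and diffs a fresh scan against the stored baseline. AIDE additionally tracks mode, owner, inode, mtime and more, so treat this as an illustration of the mechanism rather than a replacement, and keep the baseline off the host or on read-only media, otherwise an intruder simply re-baselines after tampering.

```shell
#!/bin/sh
# Added example (not from the original page): minimal file-integrity baseline
# and check using sha256sum and diff.

# Write "hash  path" for every regular file under $1 to baseline $2, in a
# stable order so the baselines are diff-able.
baseline_tree() {  # $1=dir $2=baseline file
  find "$1" -xdev -type f | LC_ALL=C sort | while IFS= read -r f; do
    sha256sum "$f"
  done > "$2"
}

# Recompute and diff against the baseline. Lines starting with < are the
# baseline's (removed or changed files), > the current tree's (added or changed).
# Returns 0 when nothing changed, 1 otherwise.
check_tree() {  # $1=dir $2=baseline file
  now=$(mktemp)
  baseline_tree "$1" "$now"
  if diff "$2" "$now"; then rc=0; else rc=1; fi
  rm -f "$now"
  return "$rc"
}

# On a host (not run here):
#   baseline_tree /etc /root/etc.baseline      # after the build is approved
#   check_tree /etc /root/etc.baseline         # from cron; alert on non-zero
```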

Configure Auditing on the Linux Server

Ensure key security events (logons and failed logons, sudo use, changes to identity and privilege files, changes to the audit and SSH configuration) are recorded by auditd and that the logs are forwarded to your syslog or SIEM server. Configure forwarding in /etc/rsyslog.conf or a file under /etc/rsyslog.d/ (syslog.conf on older syslogd installations), prefer TCP or TLS over UDP so events are not silently dropped, and confirm the audit rules are loaded with auditctl -l.
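The block below is an added example, not from the original page: the auditd watch rules behind the events just named, a one-line rsyslog forwarding rule, and a structural check of a rules file. The collector name siem.example.com and the rule keys are assumptions. Load the rules with augenrules --load (or auditctl -R), confirm with auditctl -l, restart rsyslog, and send a test message with logger to verify the collector receives it.

```shell
#!/bin/sh
# Added example (not from the original page): audit rules, rsyslog forwarding
# and a sanity check on the rules file.

write_audit_rules() {  # $1=destination, e.g. /etc/audit/rules.d/50-hardening.rules
  cat > "$1" <<'EOF'
## Identity and privilege files: any write or attribute change
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
## Logon records and the configuration this page asks you to protect
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/sysctl.conf -p wa -k sysctl
## Make the audit configuration immutable until reboot (must be the last rule)
-e 2
EOF
}

# Forward everything to the collector over TCP (@@); a single @ would be UDP.
write_rsyslog_forward() {  # $1=destination, e.g. /etc/rsyslog.d/90-forward.conf  $2=collector
  printf '*.* @@%s:514\n' "$2" > "$1"
}

# Structural check: every non-comment line is a watch, syscall rule or control
# directive, and -e 2, if present, is the last rule (anything after it is ignored).
check_audit_rules() {  # $1=rules file; returns 1 on a problem
  bad=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -vE '^(-w |-a |-e |-D|-b |-f )' || true)
  [ -z "$bad" ] || { printf 'malformed: %s\n' "$bad"; return 1; }
  last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1)
  if grep -q '^-e 2' "$1" && [ "$last" != "-e 2" ]; then
    echo "-e 2 must be the last rule"; return 1
  fi
}
```

With -e 2 in place, changing the rules requires a reboot, which is the point: an attacker with root cannot quietly switch auditing off.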

General Hardening of Kernel Variables

Edit /etc/sysctl.conf, or a file under /etc/sysctl.d/, to set the kernel's network parameters to secure values: reverse-path filtering and martian logging against address spoofing, SYN cookies against SYN floods, and refusal of ICMP redirects, source-routed packets and broadcast echo requests against route hijacking and amplification-style denial of service. Apply the file with sysctl --system and confirm the running values with sysctl -a, since an unknown key only produces a warning and the rest of the file still applies.
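As an added example (not from the original page), the parameters behind that advice as a sysctl.d fragment, with a reader that audits a sysctl file and a variant that compares against the running kernel. The values are the usual CIS ones; the IPv6 keys are absent when IPv6 is disabled and can then be skipped.

```shell
#!/bin/sh
# Added example (not from the original page): hardened sysctl values, a writer
# for /etc/sysctl.d, and audits against a file or the live kernel.

# key=value pairs; the comment on each line says what the setting blocks.
HARDENED="
net.ipv4.ip_forward=0                         # not a router
net.ipv4.conf.all.rp_filter=1                 # reverse-path check: drop spoofed sources
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.log_martians=1              # log packets with impossible addresses
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_syncookies=1                     # survive SYN floods
net.ipv4.icmp_echo_ignore_broadcasts=1        # no smurf amplification
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.accept_source_route=0       # refuse source-routed packets
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0          # ignore ICMP redirects (route hijack)
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0            # do not emit redirects either
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_ra=0                 # no rogue router advertisements
net.ipv6.conf.default.accept_ra=0
kernel.randomize_va_space=2                   # full ASLR
"

# The pairs above, one per line, comments and whitespace stripped.
hardened_pairs() {
  printf '%s\n' "$HARDENED" | sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep .
}

write_sysctl_hardening() {  # $1=destination, e.g. /etc/sysctl.d/99-hardening.conf
  hardened_pairs > "$1"
}

# Last assignment of a key in a sysctl.conf-style file (later lines override).
sysctl_file_value() {  # $1=file $2=key
  sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | awk -F= -v k="$2" '$1==k {v=$2} END {print v}'
}

# Report each key whose value in the file differs; return value is the count.
audit_sysctl_file() {  # $1=file
  fails=0
  for kv in $(hardened_pairs); do
    k=${kv%%=*}; want=${kv#*=}
    have=$(sysctl_file_value "$1" "$k")
    [ "$have" = "$want" ] || { echo "FAIL $k=${have:-unset} (want $want)"; fails=$((fails+1)); }
  done
  return "$fails"
}

# Same check against the running kernel (needs sysctl; not run here).
audit_sysctl_live() {
  fails=0
  for kv in $(hardened_pairs); do
    k=${kv%%=*}; want=${kv#*=}
    have=$(sysctl -n "$k" 2>/dev/null)
    [ "$have" = "$want" ] || { echo "FAIL $k=${have:-absent} (want $want)"; fails=$((fails+1)); }
  done
  return "$fails"
}
```

A file audit only proves intent; the live audit proves effect, because a later file in /etc/sysctl.d or a network daemon can override a value after boot.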


 

 

Copyright 2017, New Net Technologies Ltd. All rights reserved. 