Linux Security

Linux security Best Practices 2018

Security is a false feeling that if we are secure, we have a feeling that we are not secure and if have a feeling that we are secure our system should have flaws. But we can take some precautions to make our Linux systems secure by following some best practices. Here I am discussing some of the practices for Linux security.

Update the applications

Always keep the applications up to date. Normally the application providers give updates to fix the reported vulnerabilities and for adding new features. So always update it to fix the vulnerabilities. If possible make it in an automated way to update it and do a manual check to verify it is updating automatically or not.

Keep the file permissions to default

In linux, the default permission for a web server ( in the case of cPanel control panel ) is 644 for file and 755 for directories. Most of the applications will work fine with this permission. Noticed lots of users set 777 permission to the files or directories to fix some issues without troubleshooting the exact issues. This is a bad practice.

Block unwanted ports

Install a firewall and open the required ports only and block all other ports is a good option. Even if any suspicious process started, they cannot communicate with outside, if the ports are blocked. Another option of adding security is changing the default ports of services like ssh, rdp, ftp etc. to custom ports. ssh and ftp are the most commonly attacked ports.

Common usernames and passwords

Do not use common username and passwords while creating logins for a system. The administrator username for a linux server/system is root and some of the distributions come with preset root password “toor” and if it is not changed it is a vulnerability. Like that most of the web interface for network devices come with a default username “admin” and password “admin”. And if we didn’t change that, anyone can access the device.

Few days before I bought an IP cam and its login details are admin/admin. As a linux admin, I will do the password change as the first measure to configure the device. Another thing I noticed the wordpress admin login, by default all are set username as “admin” and use some dictionary words as passwords. Setting a complex password is good. If we set the username other than admin, it is an additional security. Make sure the password also is complex. Following are some of the most common passwords by users.

123456
qwerty
p@ssw0rd
zxcvbnm

You can google with the string “most commonly used passwords” to get the list of passwords. Always use a combination of alphabets, numbers, and alphanumeric for making a password.

Keeping unused accounts

Keeping unused accounts is a security risk too. In the case of a website, the site application will not uptodate, since we will not take care of the site updates for an unused website. Even though they are not using, the site is up and accessible to the internet. Site application without an update means it is vulnerable to attack. So it is better option to remove the unused accounts from the server. Another thing I noticed as a system admin is creating test accounts ( test mail accounts ) with simple passwords and keep those accounts without deleting after use and they are one of the key access to the hackers or spammers.

Same situation with the unused themes, plugins, and modules in the web applications. Users will not update them since they are not active on the site, but they are accessible from the internet. As I said before an application/site without an update is vulnerable to attack. so remove the unused plugins and themes is a good option to keep the site secure.

Backups

Keeping regular backup for the accounts is a good practice. 100% security is just a myth. We follow some security procedures,  to secure the linux system/server. The accounts will hacked by hacking experts, even if we harden the servers. If we keep a regular backup for the account, we can easily restore the files and databases from the working backup. Scanners are not perfect to find all the vulnerable files, so cleaning the account is not a good option to  keep the account secure. Finding the vulnerability before restoring from the backup and fix it after the restore is the good option to get a clean account.

As a system admin, I use some popular scanner tool to identify the vulnerable files, use log analysis, and recently modified file lists for finding the vulnerable files. The hackers are “system admins”, so they think like we do and make the modifications based on that. So the chances of missing the vulnerable files are there. Keeping the vulnerable files under the account is like giving the room key to the thief itself. So cleaning the account is last resort and always give priority to restore from backups.

About the author

Suhesh K.S.

Suhesh K.S.

Mr. Suhesh KS is Linux System Administrator by profession with 10 Years of work experience in Linux system administration in web hosting, data center and data warehousing industry and have worked with reputed support companies. His wide range of skills include team management, system administration ( Linux ), programming ( bash, perl, php, java ,python), web hosting, data center support, cPanel Plugin development, website optimisation, Social media marketing.

1 Comment

  • In general it’s okay, but there are much more Options to tighten Linux Security.

    1) Browser
    A Browser must always run in an sandboxed Environment. This is easily possible with Tools like Firejail or as Flatpak in Future. There must always be Addons like uBlock, uMatrix and NoScript present, to mitigate many Web based Threats.

    2) Encryption
    Whenever it’s possible, make massive use of Encryption. Also only with trusted Software like GPG and dm-crypt/LUKS, to mitigate Data Theft and Manipulation of your System.

    3) Clever Setup
    With Linux it’s possible to Split the complete System into many separate Volumes. And now each Volume can be much more secured than before. It can be read-only all the Time, or can get more secure with nodev, noexec and nosuid Mountoptions. This Praktice also makes Backups more easily. The Program chattr is also nice, to make specific Files immutable.

    4) Choose the right Desktop
    There are so many Linux-Desktops out there, but only 2-3 (KDE, Sway, GNOME) of them make use of Security-Features like, Wayland or Isolation with Sandboxes for her own Desktop and Programs. Also make use of Flatpak, to isolate many Programs out of the Box. At this Time all Gnome-Programs are available as Flatpak, and this is a huge Step forward for Linux-Desktop Security.

    5) SELinux and AppArmor
    Solutions like these are always a good Addition for Security.

    6) VMs and Containers
    For Security Reasons i suggest a massive use of them, for many different and dangerous Tasks.

    7) Systemd
    With Systemd it’s possible to run System Services much more securely. It’s all explained in the Manpage systemd.exec. This is highly recommended for Services like, SSH, Apache and many more.

    8) Validate Backups
    Many People make Backups, but never test them. And if you can’t restore them, all Backups are completely useless.

    These are my Recommendations. Maybe you can update your Blog if you like them.