Mastering Linux Security and Hardening

Mastering Linux Security and Hardening

by Donald A. Tevault
Released January 2018
Publisher(s): Packt Publishing
ISBN: 9781788620307

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

A comprehensive guide to mastering the art of preventing your Linux system from getting compromised.

Key Features

  • Leverage this guide to confidently deliver a system that reduces the risk of being hacked
  • Perform a number of advanced Linux security techniques such as network service detection, user authentication, controlling special permissions, encrypting file systems, and much more
  • Master the art of securing a Linux environment with this end-to-end practical guide

Book Description

This book has extensive coverage of techniques that will help prevent attackers from breaching your system, by building a much more secure Linux environment. You will learn various security techniques such as SSH hardening, network service detection, setting up firewalls, encrypting file systems, protecting user accounts, authentication processes, and so on. Moving forward, you will also develop hands-on skills with advanced Linux permissions, access control, special modes, and more. Lastly, this book will also cover best practices and troubleshooting techniques to get your work done efficiently.

By the end of this book, you will be confident in delivering a system that will be much harder to compromise.

What you will learn

  • Use various techniques to prevent intruders from accessing sensitive data
  • Prevent intruders from planting malware, and detect whether malware has been planted
  • Prevent insiders from accessing data that they aren’t authorized to access
  • Do quick checks to see whether a computer is running network services that it doesn’t need to run
  • Learn security techniques that are common to all Linux distros, and some that are distro-specific

Who this book is for

If you are a systems administrator or a network engineer interested in making your Linux environment more secure, then this book is for you. Security consultants wanting to enhance their Linux security skills will also benefit from this book. Prior knowledge of Linux is mandatory.

Publisher resources

View/Submit Errata

Table of contents

  1. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  2. Running Linux in a Virtual Environment
    1. The threat landscape
      1. So, how does this happen?
    2. Keeping up with security news
    3. Introduction to VirtualBox and Cygwin
      1. Installing a virtual machine in VirtualBox
      2. The EPEL repository on the CentOS virtual machine
      3. Configuring a network for VirtualBox virtual machines
      4. Creating a virtual machine snapshot with VirtualBox
    4. Using Cygwin to connect to your virtual machines
      1. Installing Cygwin on your Windows host
    5. Summary
  3. Securing User Accounts
    1. The dangers of logging in as the root user
    2. The advantages of using sudo
    3. Setting up sudo privileges for full administrative users
      1. Method 1 – adding users to a predefined admin group
      2. Method 2 – creating an entry in the sudo policy file
    4. Setting up sudo for users with only certain delegated privileges
      1. Hands-on lab for assigning limited sudo privileges
    5. Advanced tips and tricks for using sudo
      1. The sudo timer
        1. Hands-on lab for disabling the sudo timer
      2. Preventing users from having root shell access
      3. Preventing users from using shell escapes
      4. Preventing users from using other dangerous programs
      5. Limiting the user's actions with commands
      6. Letting users run as other users
    6. Locking down users' home directories the Red Hat or CentOS way
    7. Locking down users' home directories the Debian/Ubuntu way
      1. useradd on Debian/Ubuntu
      2. adduser on Debian/Ubuntu
        1. Hands-on lab for configuring adduser
    8. Enforcing strong password criteria
      1. Installing and configuring pwquality
        1. Hands-on lab for setting password complexity criteria
    9. Setting and enforcing password and account expiration
      1. Configuring default expiry data for useradd – for Red Hat or CentOS only
      2. Setting expiry data on a per-account basis, with useradd and usermod
      3. Setting expiry data on a per-account basis, with chage
        1. Hands-on lab for setting account and password expiry data
    10. Preventing brute-force password attacks
      1. Configuring the pam_tally2 PAM module
        1. Hands-on lab for configuring pam_tally2
    11. Locking user accounts
      1. Using usermod to lock a user account
      2. Using passwd to lock user accounts
      3. Locking the root user account
    12. Setting up security banners
      1. Using the motd file
      2. Using the issue file
      3. Using the issue.net file
    13. Summary
  4. Securing Your Server with a Firewall
    1. An overview of iptables
      1. Basic usage of iptables
        1. Hands-on lab for basic iptables usage
    2. Uncomplicated Firewall for Ubuntu systems
      1. Basic usage of ufw
        1. Hands-on lab for basic ufw usage
    3. firewalld for Red Hat systems
      1. Verifying the status of firewalld
      2. firewalld zones
      3. firewalld services
      4. Adding ports to a firewalld zone
      5. firewalld rich language rules
        1. Hands-on lab for firewalld commands
    4. nftables – a more universal type of firewall system
      1. nftables tables and chains
      2. Getting started with nftables
      3. Using nft commands
        1. Hands-on lab for nftables on Ubuntu
    5. Summary
  5. Encrypting and SSH Hardening
    1. GNU Privacy Guard
      1. Creating your GPG keys
      2. Symmetrically encrypting your own files
        1. Hands-on lab – combining gpg and tar for encrypted backups
      3. Using private and public keys for asymmetric encryption and signing
      4. Signing a file without encryption
    2. Encrypting partitions with Linux Unified Key Setup – LUKS
      1. Disk encryption during operating system installation
      2. Adding an encrypted partition with LUKS
      3. Configuring the LUKS partition to mount automatically
    3. Encrypting directories with eCryptfs
      1. Home directory and disk encryption during Ubuntu installation
      2. Encrypting a home directory for a new user account
      3. Creating a private directory within an existing home directory
      4. Encrypting other directories with eCryptfs
      5. Encrypting the swap partition with eCryptfs
    4. Using VeraCrypt for cross-platform sharing of encrypted containers
      1. Getting and installing VeraCrypt
      2. Creating and mounting a VeraCrypt volume in console mode
      3. Using VeraCrypt in GUI mode
    5. Ensuring that SSH protocol 1 is disabled
    6. Creating and managing keys for password-less logins
      1. Creating a user's SSH key set
      2. Transferring the public key to the remote server
    7. Disabling root user login
    8. Disabling username/password logins
    9. Setting up a chroot environment for SFTP users
      1. Creating a group and configuring the sshd_config file
        1. Hands-on lab – setting up a chroot directory for sftpusers group
    10. Summary
  6. Mastering Discretionary Access Control
    1. Using chown to change ownership of files and directories
    2. Using chmod to set permissions values on files and directories
      1. Setting permissions with the symbolic method
      2. Setting permissions with the numerical method
    3. Using SUID and SGID on regular files
    4. The security implications of the SUID and SGID permissions
      1. Finding spurious SUID or SGID files
        1. Hands-on lab – searching for SUID and SGID files
      2. Preventing SUID and SGID usage on a partition
    5. Using extended file attributes to protect sensitive files
      1. Setting the a attribute
      2. Setting the i attribute
        1. Hands-on lab – setting security-related extended file attributes
    6. Summary
  7. Access Control Lists and Shared Directory Management
    1. Creating an access control list for either a user or a group
    2. Creating an inherited access control list for a directory
    3. Removing a specific permission by using an ACL mask
    4. Using the tar --acls option to prevent the loss of ACLs during a backup
    5. Creating a user group and adding members to it
      1. Adding members as we create their user accounts
      2. Using usermod to add an existing user to a group
      3. Adding users to a group by editing the /etc/group file
    6. Creating a shared directory
    7. Setting the SGID bit and the sticky bit on the shared directory
    8. Using ACLs to access files in the shared directory
      1. Setting the permissions and creating the ACL
      2. Charlie tries to access Vicky's file with an ACL set for Cleopatra
        1. Hands-on lab – creating a shared group directory
    9. Summary
  8. Implementing Mandatory Access Control with SELinux and AppArmor
    1. How SELinux can benefit a systems administrator
    2. Setting security contexts for files and directories
      1. Installing the SELinux tools
      2. Creating web content files with SELinux enabled
      3. Fixing an incorrect SELinux context
        1. Using chcon
        2. Using restorecon
        3. Using semanage
        4. Hands-on lab – SELinux type enforcement
    3. Troubleshooting with setroubleshoot
      1. Viewing setroubleshoot messages
      2. Using the graphical setroubleshoot utility
      3. Troubleshooting in permissive mode
    4. Working with SELinux policies
      1. Viewing the Booleans
      2. Configuring the Booleans
      3. Protecting your web server
      4. Protecting network ports
      5. Creating custom policy modules
        1. Hands-on lab – SELinux Booleans and ports
    5. How AppArmor can benefit a systems administrator
    6. Looking at AppArmor profiles
    7. Working with AppArmor command-line utilities
    8. Troubleshooting AppArmor problems
    9. Summary
  9. Scanning, Auditing, and Hardening
    1. Installing and updating ClamAV and maldet
      1. Installing ClamAV and maldet
      2. Configuring maldet
      3. Updating ClamAV and maldet
    2. Scanning with ClamAV and maldet
    3. SELinux considerations
    4. Scanning for rootkits with Rootkit Hunter
      1. Installing and updating Rootkit Hunter
      2. Scanning for rootkits
    5. Controlling the auditd daemon
    6. Creating audit rules
      1. Auditing a file for changes
      2. Auditing a directory
      3. Auditing system calls
    7. Using ausearch and aureport
      1. Searching for file change alerts
      2. Searching for directory access rule violations
      3. Searching for system call rule violations
      4. Generating authentication reports
      5. Using predefined rules sets
    8. Applying OpenSCAP policies with oscap
      1. Installing OpenSCAP
      2. Viewing the profile files
      3. Scanning the system
      4. Remediating the system
    9. Using SCAP Workbench
    10. More about OpenSCAP profiles
    11. Applying an OpenSCAP profile during system installation
    12. Summary
  10. Vulnerability Scanning and Intrusion Detection
    1. Looking at Snort and Security Onion
      1. Obtaining and installing Snort
      2. Graphical interfaces for Snort
      3. Getting Snort in prebuilt appliances
      4. Using Security Onion
    2. Scanning and hardening with Lynis
      1. Installing Lynis on Red Hat/CentOS
      2. Installing Lynis on Ubuntu
      3. Scanning with Lynis
    3. Finding vulnerabilities with OpenVAS
    4. Web server scanning with Nikto
      1. Nikto in Kali Linux
      2. Installing and updating Nikto on Linux
      3. Scanning a web server with Nikto
    5. Summary
  11. Security Tips and Tricks for the Busy Bee
    1. Auditing system services
      1. Auditing system services with systemctl
      2. Auditing network services with netstat
      3. Auditing network services with Nmap
        1. Port states
        2. Scan types
    2. Password-protecting the GRUB 2 bootloader
      1. Resetting the password for Red Hat/CentOS
      2. Resetting the password for Ubuntu
      3. Preventing kernel parameter edits on Red Hat/CentOS
      4. Preventing kernel parameter edits on Ubuntu
      5. Password-protecting boot options
        1. Disabling the submenu for Ubuntu
        2. Password-protecting boot option steps for both Ubuntu and Red Hat
    3. Securely configuring BIOS/UEFI
    4. Using a security checklist for system setup
    5. Summary
  12. Other Books You May Enjoy
    1. Leave a review – let other readers know what you think

Product information

  • Title: Mastering Linux Security and Hardening
  • Author(s): Donald A. Tevault
  • Release date: January 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781788620307