book

Mastering Linux Security and Hardening - Third Edition

by Donald A. Tevault

February 2023

Intermediate to advanced

620 pages

15h 45m

English

Packt Publishing

Read now

Unlock full access

Who this book is forWhat this book coversTo get the most out of this bookGet in touch
Getting the most out of this book – get to know your free benefits Looking at the threat landscapeWhy do security breaches happen?Keeping up with security newsDifferences between physical, virtual, and cloud setupsIntroducing VirtualBox and CygwinInstalling a virtual machine in VirtualBoxInstalling the EPEL repository on the CentOS 7 virtual machineInstalling the EPEL repository on the AlmaLinux 8/9 virtual machinesConfiguring a network for VirtualBox virtual machinesCreating a virtual machine snapshot with VirtualBoxUsing Cygwin to connect to your virtual machinesInstalling Cygwin on your Windows hostUsing the Windows 10 SSH client to interface with Linux virtual machinesUsing the Windows 11 SSH client to interface with Linux virtual machinesCygwin versus the Windows shellKeeping the Linux systems updatedUpdating Debian-based systemsConfiguring auto updates for UbuntuUpdating Red Hat 7-based systemsUpdating Red Hat 8/9-based systemsManaging updates in an enterpriseSummaryQuestionsFurther readingAnswers
The dangers of logging in as the root userThe advantages of using sudoSetting up sudo privileges for full administrative usersAdding users to a predefined admin groupCreating an entry in the sudo policy fileSetting up sudo for users with only certain delegated privilegesHands-on lab for assigning limited sudo privilegesAdvanced tips and tricks for using sudoThe sudo timerView your sudo privilegesHands-on lab for disabling the sudo timerPreventing users from having root shell accessPreventing users from using shell escapesPreventing users from using other dangerous programsLimiting the user’s actions with commandsLetting users run as other usersPreventing abuse via a user’s shell scriptsDetecting and deleting default user accountsNew sudo featuresSpecial sudo considerations for SUSE and OpenSUSESummaryQuestionsFurther readingAnswers
Locking down users’ home directories the Red Hat wayLocking down users’ home directories the Debian/Ubuntu wayuseradd on Debian/Ubuntuadduser on Debian/UbuntuHands-on lab for creating an encrypted home directory with adduserEnforcing strong password criteriaInstalling and configuring pwqualityHands-on lab for setting password complexity criteriaSetting and enforcing password and account expirationConfiguring default expiry data for useradd for Red Hat-type systems onlySetting expiry data on a per-account basis with useradd and usermodSetting expiry data on a per-account basis with chageHands-on lab for setting account and password expiry dataPreventing brute-force password attacksConfiguring the pam_tally2 PAM module on CentOS 7Hands-on lab for configuring pam_tally2 on CentOS 7Configuring pam_faillock on AlmaLinux 8/9Hands-on lab for configuring pam_faillock on AlmaLinux 8 or AlmaLinux 9Configuring pam_faillock on Ubuntu 20.04 and Ubuntu 22.04Hands-on lab for configuring pam_faillock on Ubuntu 20.04 and Ubuntu 22.04Locking user accountsUsing usermod to lock a user accountUsing passwd to lock user accountsLocking the root user accountSetting up security bannersUsing the motd fileUsing the issue fileUsing the issue.net fileDetecting compromised passwordsHands-on lab for detecting compromised passwordsUnderstanding centralized user managementMicrosoft Active DirectorySamba on LinuxFreeIPA/Identity Management on RHEL-type distrosSummaryQuestionsFurther readingAnswers
Technical requirementsAn overview of the Linux firewallAn overview of iptablesMastering the basics of iptablesBlocking ICMP with iptablesBlocking everything that isn’t allowed with iptablesHands-on lab for basic iptables usageBlocking invalid packets with iptablesRestoring the deleted rulesHands-on lab for blocking invalid IPv4 packetsProtecting IPv6Hands-on lab for ip6tablesnftables – a more universal type of firewall systemLearning about nftables tables and chainsGetting started with nftablesConfiguring nftables on UbuntuUsing nft commandsHands-on lab for nftables on UbuntuSummaryQuestionsFurther readingAnswers
Technical requirementsThe Uncomplicated Firewall for Ubuntu systemsConfiguring ufwWorking with the ufw configuration filesHands-on lab for basic ufw usagefirewalld for Red Hat systemsVerifying the status of firewalldWorking with firewalld zonesAdding services to a firewalld zoneAdding ports to a firewalld zoneBlocking ICMPUsing panic modeLogging dropped packetsUsing firewalld rich language rulesLooking at iptables rules in RHEL/CentOS 7 firewalldCreating direct rules in RHEL/CentOS 7 firewalldLooking at nftables rules in RHEL/AlmaLinux 8 and 9 firewalldCreating direct rules in RHEL/AlmaLinux firewalldHands-on lab for firewalld commandsSummaryQuestionsFurther readingAnswers
GNU Privacy Guard (GPG)Hands-on lab – creating your GPG keysHands-on lab – symmetrically encrypting your own filesHands-on lab – encrypting files with public keysHands-on lab – signing a file without encryptionEncrypting partitions with Linux Unified Key Setup (LUKS)Disk encryption during operating system installationHands-on lab – adding an encrypted partition with LUKSConfiguring the LUKS partition to mount automaticallyHands-on lab – configuring the LUKS partition to mount automaticallyEncrypting directories with eCryptfsHands-on lab – encrypting a home directory for a new user accountCreating a private directory within an existing home directoryHands-on lab – encrypting other directories with eCryptfsEncrypting the swap partition with eCryptfsUsing VeraCrypt for cross-platform sharing of encrypted containersHands-on lab – getting and installing VeraCryptHands-on lab – creating and mounting a VeraCrypt volume in console modeUsing VeraCrypt in GUI modeOpenSSL and the Public Key InfrastructureCommercial certificate authoritiesCreating keys, certificate signing requests, and certificatesCreating a self-signed certificate with an RSA keyCreating a self-signed certificate with an Elliptic Curve keyCreating an RSA key and a Certificate Signing RequestCreating an EC key and a CSRCreating an on-premises CAHands-on lab – setting up a Dogtag CAAdding a CA to an operating systemHands-on lab – exporting and importing the Dogtag CA certificateImporting the CA into WindowsOpenSSL and the Apache webserverHardening Apache SSL/TLS on UbuntuHardening Apache SSL/TLS on RHEL 9/AlmaLinux 9Setting FIPS mode on RHEL 9/AlmaLinux 9Hardening Apache SSL/TLS on RHEL 7/CentOS 7Setting up mutual authenticationIntroducing quantum-resistant encryption algorithmsSummaryQuestionsFurther readingAnswers
Ensuring that SSH protocol 1 is disabledCreating and managing keys for passwordless loginsCreating a user’s SSH key setTransferring the public key to the remote serverHands-on lab – creating and transferring SSH keysDisabling root user loginDisabling username/password loginsHands-on lab – Disabling root login and password authenticationEnabling two-factor authenticationHands-on lab — Setting up two-factor authentication on Ubuntu 22.04Hands-on lab – Using Google Authenticator with key exchange on UbuntuHands-on lab — Setting up two-factor authentication on AlmaLinux 8Hand-on lab — Using Google Authenticator with key exchange on AlmaLinux 8Configuring Secure Shell with strong encryption algorithmsUnderstanding SSH encryption algorithmsScanning for enabled SSH algorithmsHands-on lab – Scanning with NmapDisabling weak SSH encryption algorithmsHands-on lab – disabling weak SSH encryption algorithms – Ubuntu 22.04Hands-on lab – disabling weak SSH encryption algorithms – CentOS 7Setting system-wide encryption policies on RHEL 8/9 and AlmaLinux 8/9Hands-on lab – setting encryption policies on AlmaLinux 9Configuring more detailed loggingHands-on lab – configuring more verbose SSH loggingConfiguring access control with whitelists and TCP WrappersConfiguring whitelists within sshd_configHands-on lab – configuring whitelists within sshd_configConfiguring whitelists with TCP WrappersConfiguring automatic logouts and security bannersConfiguring automatic logout for both local and remote usersConfiguring automatic logout in sshd_configCreating a pre-login security bannerConfiguring other miscellaneous security settingsDisabling X11 forwardingDisabling SSH tunnelingChanging the default SSH portManaging SSH keysSetting different configurations for different users and groupsCreating different configurations for different hostsSetting up a chroot environment for SFTP usersCreating a group and configuring the sshd_config fileHands-on lab – Setting up a chroot directory for the sftpusers groupSharing a directory with SSHFSHands-on lab – Sharing a directory with SSHFSRemotely connecting from Windows desktopsSummaryQuestionsFurther readingAnswers

Using chown to change ownership of files and directoriesUsing chmod to set permissions on files and directoriesSetting permissions with the symbolic methodSetting permissions with the numerical methodUsing SUID and SGID on regular filesThe security implications of the SUID and SGID permissionsFinding spurious SUID or SGID filesPreventing SUID and SGID usage on a partitionUsing extended file attributes to protect sensitive filesSetting the a attributeSetting the i attributeSecuring system configuration filesSummaryQuestionsFurther readingAnswers
Creating an ACL for either a user or a groupCreating an inherited ACL for a directoryRemoving a specific permission by using an ACL maskUsing the tar --acls option to prevent the loss of ACLs during a backupCreating a user group and adding members to itAdding members as we create their user accountsUsing usermod to add an existing user to a groupAdding users to a group by editing the /etc/group fileCreating a shared directorySetting the SGID bit and the sticky bit on the shared directoryUsing ACLs to access files in the shared directorySetting the permissions and creating the ACLHands-on lab – creating a shared group directorySummaryQuestionsFurther readingAnswers
How SELinux can benefit a systems administratorSetting security contexts for files and directoriesInstalling the SELinux toolsCreating web content files with SELinux enabledFixing an incorrect SELinux contextUsing chconUsing restoreconUsing semanageHands-on lab – SELinux type enforcementTroubleshooting with setroubleshootViewing setroubleshoot messagesUsing the graphical setroubleshoot utilityTroubleshooting in permissive modeWorking with SELinux policiesViewing BooleansConfiguring the BooleansProtecting your web serverProtecting network portsCreating custom policy modulesHands-on lab – SELinux Booleans and portsHow AppArmor can benefit a systems administratorLooking at AppArmor profilesWorking with AppArmor command-line utilitiesTroubleshooting AppArmor problemsTroubleshooting an AppArmor profile – Ubuntu 16.04Troubleshooting an AppArmor profile – Ubuntu 18.04Hands-on lab – Troubleshooting an AppArmor profileTroubleshooting Samba problems in Ubuntu 22.04Exploiting a system with an evil Docker containerHands-on lab – Creating an evil Docker containerSummaryQuestionsFurther readingAnswers
Understanding the /proc filesystemLooking at user-mode processesLooking at kernel informationSetting kernel parameters with sysctlConfiguring the sysctl.conf fileConfiguring sysctl.conf – UbuntuConfiguring sysctl.conf – CentOS and AlmaLinuxSetting additional kernel-hardening parametersHands-on lab – scanning kernel parameters with LynisPreventing users from seeing each others’ processesUnderstanding process isolationUnderstanding Control Groups (cgroups)Understanding namespace isolationUnderstanding kernel capabilitiesHands-on lab – setting a kernel capabilityUnderstanding SECCOMP and system callsUsing process isolation with Docker containersSandboxing with FirejailHands-on lab – using FirejailSandboxing with SnappySandboxing with FlatpakSummaryQuestionsFurther readingAnswers
Installing and updating ClamAV and maldetHands-on lab – installing ClamAV and maldetHands-on lab – configuring maldetUpdating ClamAV and maldetScanning with ClamAV and maldetSELinux considerationsScanning for rootkits with Rootkit HunterHands-on lab – installing and updating Rootkit HunterScanning for rootkitsPerforming a quick malware analysis with strings and VirusTotalAnalyze a file with stringsScanning the malware with VirusTotalUnderstanding the auditd daemonCreating audit rulesAuditing a file for changesAuditing a directoryAuditing system callsUsing ausearch and aureportSearching for file change alertsSearching for directory access rule violationsSearching for system call rule violationsGenerating authentication reportsUsing pre-defined rulesetsHands-on lab – using auditdHands-on lab –Using pre-configured rules with auditdAuditing files and directories with inotifywaitApplying OpenSCAP policies with oscapInstalling OpenSCAPViewing the profile filesGetting the missing profiles for UbuntuScanning the systemRemediating the systemUsing SCAP WorkbenchChoosing an OpenSCAP profileApplying an OpenSCAP profile during system installationSummaryQuestionsFurther readingAnswers
Understanding the Linux system log filesThe system log and the authentication logThe utmp, wtmp, btmp, and lastlog filesUnderstanding rsyslogUnderstanding rsyslog logging rulesUnderstanding journaldMaking things easier with LogwatchHands-on lab – installing LogwatchSetting up a remote log serverHands-on lab – setting up a basic log serverCreating an encrypted connection to the log serverCreating a stunnel connection on AlmaLinux 9 – server sideCreating a stunnel connection on AlmaLinux – client sideCreating a stunnel connection on Ubuntu – server sideCreating a stunnel connection on Ubuntu – client sideSeparating client messages into their own filesMaintaining Logs in Large EnterprisesSummaryQuestionsFurther readingAnswers
Introduction to Snort and Security OnionObtaining and installing SnortHands-on lab – installing Snort via a Docker containerUsing Security OnionIPFire and its built-in Intrusion Prevention System (IPS)Hands-on lab – Creating an IPFire virtual machineScanning and hardening with LynisInstalling Lynis on Red Hat/CentOSInstalling Lynis on UbuntuScanning with LynisFinding vulnerabilities with the Greenbone Security AssistantWeb server scanning with NiktoNikto in Kali LinuxHands-on lab–Installing Nikto from GithubScanning a web server with NiktoSummaryQuestionsFurther readingAnswers
Mount Partitions with the no optionsUnderstanding fapolicydUnderstanding the fapolicyd rulesInstalling fapolicydSummaryFurther readingQuestionsAnswers
Technical requirementsAuditing system servicesAuditing system services with systemctlAuditing network services with netstatHands-on lab – viewing network services with netstatAuditing network services with NmapPort statesScan typesHands-on lab – scanning with NmapPassword-protecting the GRUB2 bootloaderHands-on lab – resetting the password for Red Hat/CentOS/AlmaLinuxHands-on lab – resetting the password for UbuntuPreventing kernel parameter edits on Red Hat/CentOS/AlmaLinuxPreventing kernel parameter edits or recovery mode access on UbuntuDisabling the submenu for UbuntuSecurely configuring BIOS/UEFIUsing a security checklist for system setupSummaryQuestionsFurther readingAnswers

Content preview from Mastering Linux Security and Hardening - Third Edition

14 Vulnerability Scanning and Intrusion Detection

There are lots of threats out there, and some of them might even penetrate your network. You’ll want to know when that happens, so you’ll want to have a good Network Intrusion Detection System (NIDS) or Network Intrusion Prevention System (NIPS) in place. In this chapter, we’ll look at Snort, which is probably the most famous one. Then, I’ll show you a way to cheat so that you can have a good NIDS/NIPS up and running in no time at all. I’ll also show you a quick and easy way to set up an edge firewall appliance, complete with a built-in NIPS.

We’ve already learned how to scan a machine for viruses and rootkits by installing scanning tools on the machines that we want to scan. However, there are ...