Mastering Linux Security and Hardening - Second Edition

Book description

A comprehensive guide to securing your Linux system against cyberattacks and intruders

Key Features

  • Deliver a system that reduces the risk of being hacked
  • Explore a variety of advanced Linux security techniques with the help of hands-on labs
  • Master the art of securing a Linux environment with this end-to-end practical guide

Book Description

From creating networks and servers to automating the entire working environment, Linux has been extremely popular with system administrators for the last couple of decades. However, security has always been a major concern. With limited resources available in the Linux security domain, this book will be an invaluable guide in helping you get your Linux systems properly secured.

Complete with in-depth explanations of essential concepts, practical examples, and self-assessment questions, this book begins by helping you set up a practice lab environment and takes you through the core functionalities of securing Linux. You'll practice various Linux hardening techniques and advance to setting up a locked-down Linux server. As you progress, you will also learn how to create user accounts with appropriate privilege levels, protect sensitive data by setting permissions and encryption, and configure a firewall. The book will help you set up mandatory access control, system auditing, security profiles, and kernel hardening, and finally cover best practices and troubleshooting techniques to secure your Linux environment efficiently.

By the end of this Linux security book, you will be able to confidently set up a Linux server that will be much harder for malicious actors to compromise.

What you will learn

  • Create locked-down user accounts with strong passwords
  • Configure firewalls with iptables, UFW, nftables, and firewalld
  • Protect your data with different encryption technologies
  • Harden the secure shell service to prevent security break-ins
  • Use mandatory access control to protect against system exploits
  • Harden kernel parameters and set up a kernel-level auditing system
  • Apply OpenSCAP security profiles and set up intrusion detection
  • Configure securely the GRUB 2 bootloader and BIOS/UEFI

Who this book is for

This book is for Linux administrators, system administrators, and network engineers interested in securing moderate to complex Linux environments. Security consultants looking to enhance their Linux security skills will also find this book useful. Working experience with the Linux command line and package management is necessary to understand the concepts covered in this book.

Publisher resources

Download Example Code

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Mastering Linux Security and Hardening Second Edition
  3. About Packt
    1. Why subscribe?
  4. Contributors
    1. About the author
    2. About the reviewers
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
  6. Section 1: Setting up a Secure Linux System
  7. Running Linux in a Virtual Environment
    1. Looking at the threat landscape
    2. Why do security breaches happen?
    3. Keeping up with security news
    4. Differences between physical, virtual, and cloud setups
    5. Introducing VirtualBox and Cygwin
      1. Installing a virtual machine in VirtualBox
      2. Installing the EPEL repository on the CentOS 7 virtual machine
      3. Installing the EPEL repository on the CentOS 8 virtual machine
      4. Configuring a network for VirtualBox virtual machines
      5. Creating a virtual machine snapshot with VirtualBox
      6. Using Cygwin to connect to your virtual machines
        1. Installing Cygwin on your Windows host
      7. Using Windows 10 Pro Bash shell to interface with Linux virtual machines
        1. Cygwin versus Windows Bash shell
    6. Keeping the Linux systems updated
      1. Updating Debian-based systems
        1. Configuring auto updates for Ubuntu
      2. Updating Red Hat 7-based systems
      3. Updating Red Hat 8-based systems
      4. Managing updates in an enterprise
    7. Summary
    8. Questions
    9. Further reading
  8. Securing User Accounts
    1. The dangers of logging in as the root user
    2. The advantages of using sudo
    3. Setting up sudo privileges for full administrative users
      1. Adding users to a predefined admin group
      2. Creating an entry in the sudo policy file
    4. Setting up sudo for users with only certain delegated privileges
      1. Hands-on lab for assigning limited sudo privileges
    5. Advanced tips and tricks for using sudo
      1. The sudo timer
      2. View your sudo privileges
        1. Hands-on lab for disabling the sudo timer
      3. Preventing users from having root shell access
      4. Preventing users from using shell escapes
      5. Preventing users from using other dangerous programs
      6. Limiting the user's actions with commands
      7. Letting users run as other users
      8. Preventing abuse via user's shell scripts
      9. Detecting and deleting default user accounts
    6. Locking down users' home directories the Red Hat or CentOS way
    7. Locking down users' home directories the Debian/Ubuntu way
      1. useradd on Debian/Ubuntu
      2. adduser on Debian/Ubuntu
        1. Hands-on lab for configuring adduser
    8. Enforcing strong password criteria
      1. Installing and configuring pwquality
        1. Hands-on lab for setting password complexity criteria
    9. Setting and enforcing password and account expiration
    10. Configuring default expiry data for useradd for Red Hat or CentOS only
    11. Setting expiry data on a per-account basis with useradd and usermod
    12. Setting expiry data on a per-account basis with chage
      1. Hands-on lab for setting account and password expiry data
    13. Preventing brute-force password attacks
      1. Configuring the pam_tally2 PAM 
        1. Hands-on lab for configuring pam_tally2
    14. Locking user accounts
      1. Using usermod to lock a user account
      2. Using passwd to lock user accounts
    15. Locking the root user account
    16. Setting up security banners
      1. Using the motd file
      2. Using the issue file
      3. Using the issue.net file
    17. Detecting compromised passwords
      1. Hands-on lab for detecting compromised passwords
    18. Understanding centralized user management
      1. Microsoft Active Directory
      2. Samba on Linux
      3. FreeIPA/Identity Management on RHEL/CentOS
    19. Summary
    20. Questions
    21. Further reading
  9. Securing Your Server with a Firewall - Part 1
    1. Technical requirements
    2. An overview of firewalld
    3. An overview of iptables
      1. Mastering the basics of iptables
      2. Blocking ICMP with iptables
      3. Blocking everything that isn't allowed with iptables
      4. Hands-on lab for basic iptables usage
      5. Blocking invalid packets with iptables
        1. Restoring the deleted rules
        2. Hands-on lab for blocking invalid IPv4 packets
      6. Protecting IPv6
        1. Hands-on lab for ip6tables
    4. Uncomplicated firewall for Ubuntu systems
      1. Configuring ufw
      2. Working with the ufw configuration files
        1. Hands-on lab for basic ufw usage
    5. Summary
    6. Questions
    7. Further reading
  10. Securing Your Server with a Firewall - Part 2
    1. Technical requirements
    2. nftables – a more universal type of firewall system
      1. Learning about nftables tables and chains
      2. Getting started with nftables
        1. Configuring nftables on Ubuntu 16.04
        2. Configuring nftables on Ubuntu 18.04
      3. Using nft commands
      4. Hands-on lab for nftables on Ubuntu
    3. firewalld for Red Hat systems
      1. Verifying the status of firewalld
      2. Working with firewalld zones
      3. Adding services to a firewalld zone
      4. Adding ports to a firewalld zone
      5. Blocking ICMP
      6. Using panic mode
      7. Logging dropped packets
      8. Using firewalld rich language rules
      9. Looking at iptables rules in RHEL/CentOS 7 firewalld
      10. Creating direct rules in RHEL/CentOS 7 firewalld
      11. Looking at nftables rules in RHEL/CentOS 8 firewalld
      12. Creating direct rules in RHEL/CentOS 8 firewalld
      13. Hands-on lab for firewalld commands
    4. Summary
    5. Questions
    6. Further reading
  11. Encryption Technologies
    1. GNU Privacy Guard (GPG)
      1. Hands-on lab – creating your GPG keys
      2. Hands-on lab – symmetrically encrypting your own files
      3. Hands-on lab – encrypting files with public keys
      4. Hands-on lab – signing a file without encryption
    2. Encrypting partitions with Linux Unified Key Setup (LUKS)
      1. Disk encryption during operating system installation
      2. Hands-on lab – adding an encrypted partition with LUKS
      3. Configuring the LUKS partition to mount automatically
        1. Hands-on lab – configuring the LUKS partition to mount automatically
    3. Encrypting directories with eCryptfs
      1. Home directory and disk encryption during Ubuntu installation
      2. Hands-on lab – encrypting a home directory for a new user account
      3. Creating a private directory within an existing home directory
      4. Hands-on lab – encrypting other directories with eCryptfs
      5. Encrypting the swap partition with eCryptfs
    4. Using VeraCrypt for cross-platform sharing of encrypted containers
      1. Hands-on lab – getting and installing VeraCrypt
      2. Hands-on lab – creating and mounting a VeraCrypt volume in console mode
      3. Using VeraCrypt in GUI mode
    5. OpenSSL and the public key infrastructure
      1. Commercial certificate authorities
      2. Creating keys, certificate signing requests, and certificates
        1. Creating a self-signed certificate with an RSA key
        2. Creating a self-signed certificate with an Elliptic Curve key
        3. Creating an RSA key and a Certificate Signing Request
        4. Creating an EC key and a CSR
      3. Creating an on-premises CA
        1. Hands-on lab – setting up a Dogtag CA
      4. Adding a CA to an operating system
        1. Hands-on lab – exporting and importing the Dogtag CA certificate
        2. Importing the CA into Windows
      5. OpenSSL and the Apache web server
        1. Hardening Apache SSL/TLS on Ubuntu
        2. Hardening Apache SSL/TLS on RHEL 8/CentOS 8
        3. Hardening Apache SSL/TLS on RHEL 7/CentOS 7
      6. Setting up mutual authentication
    6. Summary
    7. Questions
    8. Further reading
  12. SSH Hardening
    1. Ensuring that SSH protocol 1 is disabled
    2. Creating and managing keys for passwordless logins
      1. Creating a user's SSH key set
      2. Transferring the public key to the remote server
        1. Hands-on lab – creating and transferring SSH keys
    3. Disabling root user login
    4. Disabling username/password logins
      1. Hands-on lab – disabling root login and password authentication
    5. Configuring Secure Shell with strong encryption algorithms
      1. Understanding SSH encryption algorithms
      2. Scanning for enabled SSH algorithms
        1. Hands-on lab – installing and using ssh_scan
      3. Disabling weak SSH encryption algorithms
        1. Hands-on lab – disabling weak SSH encryption algorithms – Ubuntu 18.04
        2. Hands-on lab – disabling weak SSH encryption algorithms – CentOS 7
    6. Setting system-wide encryption policies on RHEL 8/CentOS 8
      1. Hands-on lab – setting encryption policies on CentOS 8
    7. Configuring more detailed logging
      1. Hands-on lab – configuring more verbose SSH logging
    8. Configuring access control with whitelists and TCP Wrappers
      1. Configuring whitelists within sshd_config
        1. Hands-on lab – configuring whitelists within sshd_config
      2. Configuring whitelists with TCP Wrappers
    9. Configuring automatic logouts and security banners
      1. Configuring automatic logout for both local and remote users
      2. Configuring automatic logout in sshd_config
      3. Creating a pre-login security banner
    10. Configuring other miscellaneous security settings
      1. Disabling X11 forwarding
      2. Disabling SSH tunneling
      3. Changing the default SSH port
      4. Managing SSH keys
      5. Setting different configurations for different users and groups
      6. Creating different configurations for different hosts
    11. Setting up a chroot environment for SFTP users
      1. Creating a group and configuring the sshd_config file
        1. Hands-on lab – setting up a chroot directory for the sftpusers group
    12. Sharing a directory with SSHFS
      1. Hands-on lab – sharing a directory with SSHFS
    13. Remotely connecting from Windows desktops
    14. Summary
    15. Questions
    16. Further reading
  13. Section 2: Mastering File and Directory Access Control (DAC)
  14. Mastering Discretionary Access Control
    1. Using chown to change ownership of files and directories
    2. Using chmod to set permissions on files and directories
      1. Setting permissions with the symbolic method
      2. Setting permissions with the numerical method
    3. Using SUID and SGID on regular files
    4. The security implications of the SUID and SGID permissions
      1. Finding spurious SUID or SGID files
        1. Hands-on lab – searching for SUID and SGID files
      2. Preventing SUID and SGID usage on a partition
    5. Using extended file attributes to protect sensitive files
      1. Setting the a attribute
      2. Setting the i attribute
        1. Hands-on lab – setting security-related extended file attributes
    6. Securing system configuration files
    7. Summary
    8. Questions
    9. Further reading
  15. Access Control Lists and Shared Directory Management
    1. Creating an ACL for either a user or a group
    2. Creating an inherited ACL for a directory
    3. Removing a specific permission by using an ACL mask
    4. Using the tar --acls option to prevent the loss of ACLs during a backup
    5. Creating a user group and adding members to it
      1. Adding members as we create their user accounts
      2. Using usermod to add an existing user to a group
      3. Adding users to a group by editing the /etc/group file
    6. Creating a shared directory
    7. Setting the SGID bit and the sticky bit on the shared directory
    8. Using ACLs to access files in the shared directory
      1. Setting the permissions and creating the ACL
        1. Hands-on lab – creating a shared group directory
    9. Summary
    10. Questions
    11. Further reading
  16. Section 3: Advanced System Hardening Techniques
  17. Implementing Mandatory Access Control with SELinux and AppArmor
    1. How SELinux can benefit a systems administrator
    2. Setting security contexts for files and directories
      1. Installing the SELinux tools
      2. Creating web content files with SELinux enabled
      3. Fixing an incorrect SELinux context
        1. Using chcon
        2. Using restorecon
        3. Using semanage
        4. Hands-on lab – SELinux type enforcement
    3. Troubleshooting with setroubleshoot
      1. Viewing setroubleshoot messages
      2. Using the graphical setroubleshoot utility
      3. Troubleshooting in permissive mode
    4. Working with SELinux policies
      1. Viewing Booleans
      2. Configuring the Booleans
      3. Protecting your web server
      4. Protecting network ports
      5. Creating custom policy modules
        1. Hands-on lab – SELinux Booleans and ports
    5. How AppArmor can benefit a systems administrator
    6. Looking at AppArmor profiles
    7. Working with AppArmor command-line utilities
    8. Troubleshooting AppArmor problems
      1. Troubleshooting an AppArmor profile – Ubuntu 16.04
      2. Troubleshooting an AppArmor profile – Ubuntu 18.04
        1. Hands-on lab – Troubleshooting an AppArmor profile
    9. Exploiting a system with an evil Docker container
      1. Hands-on lab – Creating an evil Docker container
    10. Summary
    11. Questions
    12. Further reading
  18. Kernel Hardening and Process Isolation
    1. Understanding the /proc filesystem
      1. Looking at user-mode processes
      2. Looking at kernel information
    2. Setting kernel parameters with sysctl
    3. Configuring the sysctl.conf file
      1. Configuring sysctl.conf – Ubuntu
      2. Configuring sysctl.conf – CentOS
      3. Setting additional kernel-hardening parameters
        1. Hands-on lab – scanning kernel parameters with Lynis
      4. Preventing users from seeing each others' processes
    4. Understanding process isolation
      1. Understanding Control Groups (cgroups)
      2. Understanding namespace isolation
      3. Understanding kernel capabilities
        1. Hands-on lab – setting a kernel capability
      4. Understanding SECCOMP and system calls
      5. Using process isolation with Docker containers
      6. Sandboxing with Firejail
        1. Hands-on lab – using Firejail
      7. Sandboxing with Snappy
      8. Sandboxing with Flatpak
    5. Summary
    6. Questions
    7. Answers
    8. Further reading
  19. Scanning, Auditing, and Hardening
    1. Technical requirements
    2. Installing and updating ClamAV and maldet
      1. Hands-on lab – installing ClamAV and maldet
      2. Hands-on lab – configuring maldet
      3. Updating ClamAV and maldet
    3. Scanning with ClamAV and maldet
      1. SELinux considerations
    4. Scanning for rootkits with Rootkit Hunter
      1. Hands-on lab – installing and updating Rootkit Hunter
      2. Scanning for rootkits
    5. Performing a quick malware analysis with strings and VirusTotal
      1. Analyze a file with strings
      2. Scanning the malware with VirusTotal
    6. Understanding the auditd daemon
      1. Creating audit rules
      2. Auditing a file for changes
      3. Auditing a directory
      4. Auditing system calls
    7. Using ausearch and aureport
      1. Searching for file change alerts
      2. Searching for directory access rule violations
      3. Searching for system call rule violations
      4. Generating authentication reports
      5. Using predefined rulesets
      6. Hands-on lab – using auditd
    8. Applying OpenSCAP policies with oscap
      1. Installing OpenSCAP
      2. Viewing the profile files
      3. Getting the missing profiles for Ubuntu 18.04 and CentOS 8
      4. Scanning the system
      5. Remediating the system
      6. Using SCAP Workbench
      7. Using the OpenSCAP daemon on Ubuntu 18.04
      8. Choosing an OpenSCAP profile
      9. Applying an OpenSCAP profile during system installation
    9. Summary
    10. Questions
    11. Further reading
  20. Logging and Log Security
    1. Understanding the Linux system log files
      1. The system log and the authentication log
      2. The utmp, wtmp, btmp, and lastlog files
    2. Understanding rsyslog
      1. Understanding rsyslog logging rules
    3. Understanding journald
    4. Making things easier with Logwatch
      1. Hands-on lab – installing Logwatch
    5. Setting up a remote log server
      1. Hands-on lab – setting up a basic log server
      2. Creating an encrypted connection to the log server
        1. Creating a stunnel connection on CentOS 8 – server side 
        2. Creating an stunnel connection on CentOS 8 – client side
        3. Creating a stunnel connection on Ubuntu – server side
        4. Creating a stunnel connection on Ubuntu – client side
      3. Separating client messages into their own files
    6. Summary
    7. Questions
    8. Further reading
  21. Vulnerability Scanning and Intrusion Detection
    1. Introduction to Snort and Security Onion
      1. Obtaining and installing Snort
        1. Hands-on lab – installing Snort on CentOS 7
      2. Graphical interfaces for Snort
      3. Using Security Onion
        1. Hands-on lab – installing Security Onion
    2. IPFire and its built-in Intrusion Prevention System (IPS)
      1. Hands-on lab – creating an IPFire virtual machine
    3. Scanning and hardening with Lynis
      1. Installing Lynis on Red Hat/CentOS
      2. Installing Lynis on Ubuntu
      3. Scanning with Lynis
    4. Finding vulnerabilities with OpenVAS
    5. Web server scanning with Nikto
      1. Nikto in Kali Linux
      2. Installing and updating Nikto on Linux
      3. Scanning a web server with Nikto
    6. Summary
    7. Questions
    8. Further reading
  22. Security Tips and Tricks for the Busy Bee
    1. Technical requirements
    2. Auditing system services
      1. Auditing system services with systemctl
      2. Auditing network services with netstat
        1. Hands-on lab – viewing network services with netstat
      3. Auditing network services with Nmap
        1. Port states
        2. Scan types
        3. Hands-on lab – scanning with Nmap
    3. Password protecting the GRUB 2 bootloader
      1. Hands-on lab – resetting the password for Red Hat/CentOS
      2. Hands-on lab – resetting the password for Ubuntu
      3. Preventing kernel parameter edits on Red Hat/CentOS
      4. Preventing kernel parameter edits on Ubuntu
      5. Password protecting boot options
        1. Disabling the submenu for Ubuntu
        2. Password protecting boot option steps for both Ubuntu and Red Hat
    4. Securely configuring BIOS/UEFI
    5. Using a security checklist for system setup
    6. Summary
    7. Questions
    8. Further reading
  23. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
  24. Other Books You May Enjoy
    1. Leave a review – let other readers know what you think

Product information

  • Title: Mastering Linux Security and Hardening - Second Edition
  • Author(s): Donald A. Tevault
  • Release date: February 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781838981778