Linux Hardening & How It’s Done
When it comes to System Administration, nothing could be easier than installing a fresh new Operating System for yourself or your clients.
After you’ve done it a couple of times it becomes pretty straightforward.
What is hard is maintaining and securing those very same systems.
Or at least doing so in a good and comprehensive way.
Although this topic extends to all sorts of Operating Systems in general, here we will be focusing mainly on Linux.
Since Linux is the OS of choice for many commercial grade production servers, we believe that this is a worthy endeavor, especially because the hardening of such systems has taken a back seat as of late, as Penetration Testers will attest.
In general, hardening your Operating System does not have to be an act performed on commercial grade products only. It can be a very practical procedure for everyday users as well.
Privacy & Security should be an applied concept for everyone.
WHAT IS LINUX HARDENING & WHY DO IT?
Linux Hardening, or any Operating System Hardening for that matter, is the act of enhancing the security of the system by introducing proactive measures.
Linux Systems are made of a large number of components carefully assembled together. This results in the possibility of many loose ends. The more complex a machine gets, the more security threats it introduces.
We call this the attack surface. The bigger the surface, the more places there are to attack.
These components usually have their own way of functioning, their own settings and, more importantly, their own security “allowance” of sorts.
So basically, if one of them is compromised, the attacker can go as deep as that component’s security “allowance” on the system lets them.
That is why we need Linux Hardening: to prevent malicious activity from being carried out on our system through its components, thus making sure Data Security stays on top of its game.
In order to get a good understanding of why this process is needed, let’s see what we get with the average default installation of such an Operating System, especially in custom, commercially purposed instances:
- Default Credentials
- Default Configurations
- Not Updated/Upgraded (Depends on Download Date)
- Not Optimized
- No Proactive Security
Default Configurations would mean that the system is not using best practice settings.
Let’s take a few examples:
All Ciphers Allowed
This could mean that a piece of software which you use to communicate with your best friend is potentially unsafe, since “All Ciphers” includes dangerously outdated ciphers as well.
If someone were to intercept your communication, they might be able to decrypt whatever was being sent.
Generic Port Serving
Some ports on your system simply need to stay closed, or at least not serve publicly. The reasoning behind this is that the services listening on ports sometimes give out more information than they should.
This could count as dangerous information disclosure, giving attackers on the network extra details on what your OS is running and how they could try to find ways to attack it.
Services Without Credentials
Some services on your OS simply do not configure credentials automatically. So if you don’t configure them manually, that same service could be left open for anyone to connect to. The implications of this are numerous.
From the above examples, we can see how simply not paying attention to our default configurations could leave us potentially vulnerable.
Some of these, such as “Not Optimized”, could use a bit more explaining. Normally you would think: how can something not being optimized, for example to run faster, result in a Security Breach?
Imagine this scenario.
An attacker finds out that your server is not well optimized and that the service it offers cannot go above a specific limit.
Basically, it was not optimized well enough to queue a user, or reduce their bandwidth for example, when they try to go beyond that limit. Instead, the service restarts when it gets there.
Thus, the attacker can continuously push your service above its limit, restarting it not only for themselves but for the entire user base as well, rendering the service out of service.
With this, we can see that even not optimizing your service well enough can lead to potential threats.
If Linux Servers like these had been well optimized and configured beforehand, the whole situation above would have been impossible and the server would be a lot more secure.
So Linux Hardening is basically that: making sure that each component on your system is tweaked in order to be ready for many setbacks and potential threats.
Nothing more, nothing less.
The big misconception when someone mentions OS Hardening is that they believe some super secret security software is set in place and from now on that piece of machinery is 100% hack-proof.
Speaking of super secret security software, this is not to say that there aren’t pieces of software that help in proactively monitoring and acting on security threats, but purely to stress that such software is not the only, or even the main, reason for secure Linux Servers.
As an example, some of this proactive software can be pieces of code which alert you to any suspicious changes on your system.
This kind of information is invaluable in most situations.
Knowing in a timely manner that something is amiss can be the difference between a successful breach and a timely response.
And of course, this list wouldn’t be complete without No Updates and Default Credentials in place, or rather, not in place.
Having outdated software is a good recipe for disaster. Older software has usually been around a lot longer: long enough for attackers to have analyzed it and found holes in its design.
As for Default Credentials, the greatest success stories for Penetration Testers (Ethical Hackers) come from accessing their clients’ servers via simple authentication.
Default credentials are usually well known, and coupled with a port that gives out a bit of extra information, such as which version of the software is running, they are a foolproof way for someone to get access without even trying.
Combine solutions for all of the above and you get a good idea of how Linux Hardening works.
WHO SHOULD CONDUCT LINUX HARDENING?
Linux Hardening is usually performed by experienced industry professionals, who have usually undergone a good Recruitment Process.
Basically, the minimum bar for such a task is pretty high, because in order to do it you need to have a thorough understanding of how each component works and what you can do to make it better.
Since all components are pretty much a story of their own, professionals need to practice on all of them, well, individually.
For example, Web Site Software will usually differ from E-Mail software.
The security concepts may be the same, but the configurations are very much different and whoever is going to perform the task needs to know this well.
The titles that these professionals possess vary a lot, but the most commonly seen are:
- Linux Administrators
- Security Engineers
- Incident Responders
Since their jobs usually revolve around OS Administration and Security, they are ideal for this type of task.
Although, even with this type of title, there should still be a good period of training for the OS that they will be hardening. Linux Systems vary a lot as well. Not all of them are the same. Each type of Linux System will have its own way of hardening.
A Debian based System will usually not use the same type of procedure as a RedHat based System.
Recently, more and more courses have appeared that specialize in this type of task.
Usually when starting out, professionals read the documentation on their own in order to find out how it’s done, but having a well laid out course in order to educate oneself is very welcome as well.
WHAT PARTS OF LINUX SHOULD BE HARDENED?
Linux Operating Systems can be quite big and daunting.
There are tons of places to look at, but here we will discuss the most common ones.
Usually when doing this, it’s good to have a checklist in order to go through a machine a bit more thoroughly and stay consistent across all of one’s projects.
The following is a small sample of such a Checklist:
- Kernel Hardening
- Network Hardening
- Software Secure Configuration (Best Practice)
- Disk Encryption
- Custom Partitioning
- Boot Locking
- Block Unneeded Services / Open Ports
- Password Policies
- Ensure Permissions
- Pro-Active Security Software
Some components may seem more important than others, but the thing is, Linux Hardening works best in Layers.
What that means is, the more protective measures you have in place that work together, the better.
Let’s discuss some of the above Linux Components.
Disk Encryption and Boot Locking, for example, are much needed.
The Boot Partition holds very vital information for the system overall, so it is best practice to make it read-only for all users except the admin.
Without this, anyone could modify things in order to either break the system or carry out malicious intent.
Disk Encryption on its own is usually one of the more general security practices.
Doing this helps you prevent anyone from extracting data from your Disk.
If it is encrypted, it will be protected by a strong algorithm and ask for a passphrase before it will release any information.
Without it, anyone with proper access to the disk can extract information from it, no matter what security privileges they possess on the system.
Software Secure Configuration is meant for any type of program/service running on Linux which has a configuration file or any other means of tuning.
A good example would be SSH.
As a default service, it allows many unfavourable preferences, such as direct login with the Root account, or various types of ciphers which may be outdated instead of only the ones that are known to be secure, etc.
By manually modifying these service configuration files, we make sure that we take security into our very own hands and allow only what we believe is right. Depending on default configurations is folly, most of the time.
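As an added example (not code from the original post or from OpenSSH), the following Python helper reads an sshd_config text and flags the two defaults just mentioned, root login and permissive ciphers; the allowlist of cipher names is an assumption and the two sample configs are constructed.

```python
"""Audit an sshd_config for the two weak defaults named above: root login and
cipher selection. Added example, not code from the original post or from OpenSSH."""

# Assumption: an allowlist of modern OpenSSH cipher names; anything else is flagged.
STRONG_CIPHERS = {
    "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
    "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.
    Mirrors sshd: keywords are case-insensitive, the FIRST value for a keyword
    wins, and the global section ends at the first 'Match' block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:  # 'Keyword=value' form
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # keep the first occurrence, as sshd does
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg, findings = parse_sshd_config(text), []
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set; the build default decides root access")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}'; set it to 'no'")
    ciphers = cfg.get("ciphers")
    if ciphers is None:
        findings.append("Ciphers not set; the server offers its built-in default list")
    elif ciphers[0] in "+-^":  # '+', '-', '^' edit the default list rather than replace it
        findings.append("Ciphers only modifies the default list; pin an explicit allowlist")
    else:
        weak = [c for c in ciphers.split(",") if c not in STRONG_CIPHERS]
        if weak:
            findings.append("weak or unknown ciphers offered: " + ", ".join(weak))
    return findings


# Constructed samples: a permissive file and the same file after hardening.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nCiphers aes128-cbc,3des-cbc,aes256-ctr\n"
HARDENED_CONFIG = ("Port 22\nPermitRootLogin no\n"
                   "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr\n")
```

Running `audit_sshd_config(WEAK_CONFIG)` reports the root login and the two CBC ciphers, while the hardened sample returns no findings.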
Pro-Active Security measures usually mean installing third party software to monitor your Linux Server and alert on any type of inconsistency found.
For example, the system itself can have an everyday state, and if something deviates too much from what is expected, alerts go off to the System Administrator and tons of problems can be caught way before anything more drastic happens.
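The "everyday state" idea in this paragraph, and the change-alerting software mentioned earlier in the article, as an added example that is not from the original post or from any named product: a minimal Python baseline-and-compare check over a constructed directory tree, assuming SHA-256 file hashes as the recorded state.

```python
"""Baseline-and-compare integrity check: hash every file under a directory, then
report what deviates from the recorded state. Added example; not code from the
original post or from any named product."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # devices, sockets and symlinks are not hashed
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return state


def compare(baseline, current):
    """Return (kind, path) alerts for files added, removed or modified since the baseline."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            alerts.append(("removed", path))
        elif path not in baseline:
            alerts.append(("added", path))
        elif baseline[path] != current[path]:
            alerts.append(("modified", path))
    return alerts


def _write(root, rel, content):
    """Helper: create rel under root (directories included) with the given text."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)


def demo():
    """Build a constructed tree, baseline it, tamper with it and return the alerts."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        baseline = snapshot(root)  # the recorded 'everyday state'
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")  # weakened setting
        os.remove(os.path.join(root, "etc/hosts"))  # deleted file
        _write(root, "etc/profile.d/extra.sh", "# unexpected addition\n")  # new file
        return compare(baseline, snapshot(root))
```

In practice the baseline would be written to storage the monitored host cannot alter, and `compare` would run on a schedule against a fresh `snapshot`.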
Updating/Upgrading your Linux Operating System, of course, goes without saying, but it is very much needed.
Having the latest equipment, so to say, will provide you with the best experience, for security as well as everything else.
Usually, attackers use vulnerabilities associated with well known, older and more established attack vectors. So the older your software, the bigger the chance that there are officially documented vulnerabilities for it.
Blocking unneeded ports means making sure that only the doors that you need are open and nothing else.
There is no need for something that nobody uses to be open and spread information which could prove valuable for an attacker to develop an attack vector.
By explaining some of the Check Points from above, we get an idea of which parts are in graver danger and which are not, but as previously mentioned, good hardening improves on all points that can be improved on and does not pick favorites.
There are also plenty of online resources for different types of official Checklists; it is usually up to the System Administrators to pick the best one for their case.
WHAT IS BAD LINUX HARDENING & WHY IS COMPLIANCE GOOD?
As with any job, there are ways to botch this one up as well.
As this is a very specific field, specialized knowledge is required in order to make it work. Applying “solutions” from random blogs on your proprietary commercial products is not the way to go.
Common pitfalls are:
- Too Preventive
- Wrong Solutions
- Placebo Security
Yes, too much of anything can be bad for you as well.
If you don’t talk to your clients and don’t really know what they will be using the system for, you could eventually lock out services which were the main purpose for the Linux Server itself.
For example, a client simply tells you to harden their machine without telling you that its main purpose is serving a Web Page, and in return you end up blocking the ports it serves on.
Good communication needs to be established before doing OS Hardening.
While performing the task, some professionals, mostly from lack of knowledge, apply solutions from various unconfirmed sources on the internet.
This can not only botch up the system, but it could also introduce vulnerabilities of its own if it is not examined correctly.
Always making sure that we know exactly what we are applying is the best way to do it. If not sure, the best course of action is to not apply it and talk to someone with more experience in that specific field.
And the worst of all: the Placebo Security Effect. Believing you have a top notch configured Server, when it turns out that something from the above examples has been done and the client does not know.
To avoid such mistakes, there are a couple of rules to follow.
As mentioned above, always do what you know and do it the way your client wants.
This needs to be ensured, especially if you are about to apply for Compliance Audits.
Today it seems the only reason systems are hardened is for compliance.
Compliance, for those that don’t know, is the act of following a strict set of rules for your environment in order to prove that you have some sort of standard in place.
There are various types of Compliance. Depending on what sector your Linux Server operates in, the Compliance will differ.
If you are working in the Health Industry you will need to be HIPAA compliant, while working in the financial industry you will need to be PCI-DSS Compliant.
These acronyms all have their meaning, but in order to clarify, we will be talking about the financial sector and PCI-DSS.
PCI-DSS (Payment Card Industry Data Security Standard) is, as we previously mentioned, a set of rules specific to the Financial Sector.
Some of the rules for Linux Systems in this area include improving your firewall rules, making sure that roles are segregated, and holding vulnerability assessments in order to make sure that all of this works.
The reason for mentioning Compliance types is the following:
Following these guidelines resembles everyday Linux Hardening tasks. Whatever their guidelines want you to do is very similar to what you would usually do anyway if your system is well protected.
Since getting compliant is one of the industry’s ways of proving that you are up to standard, it is very common and almost everyone is trying to obtain it, which in turn makes Linux Hardening even more relevant than it already is.
WHAT ARE THE BEST GUIDELINES FOR HARDENING AND HOW TO DETERMINE ITS VALIDITY?
Although there are many official and very respected guides for performing hardening, there are some that stand out.
The CIS Benchmarking style of Linux Hardening is very good for example.
CIS (Center For Internet Security) has hardening documents for a huge variety of Operating Systems, including Linux.
These documents contain 300+ pages of content; of course, depending on the type of system you are hardening, this can vary.
What you get is an incredibly comprehensive standard of a document that explains everything in detail. It goes from point to point and offers a view on Security that you might have missed if you did it alone.
It becomes a good standard to follow since it can make you consistent on all of your projects.
The question here is, after you’ve performed the audit, how can you make sure that you’ve done a good job? Well, there are a few pretty good Open Source tools out there.
Tools such as Lynis, for example. You can download and run it on your system to do a regular audit. It will go through all of your configurations and check whether you have implemented them correctly. In the end it will provide a score (as a percentage) which gauges your work.
This way, you not only depend on your own intuition, but insert a more methodical and automated approach as well.
The big benefit is that, since these tools are well known, you can use your final report to show to auditors for example in order to prove that you are up to standard when it comes to Security.
The other method for validating everything is called Penetration Testing.
The act of letting someone simulate a real attack on your systems can be the most effective way to prove that you are as secure as you think.
Enter, Ethical Hackers.
These people are employed to think like, well, Hackers.
By using this mindset and their acquired skill set, they can probe your Linux System to see if everything is configured properly. Upon any findings, they try to exploit whatever they can in order to get in.
Either way, in the end, you get a full, comprehensive report on what they succeeded in doing, what you need to fix and how you should fix it.
Their services are invaluable in order to make sure that you are protected.
Of course there is no silver bullet for everything, and this does not mean that you are 100% secure, but what it does mean is that a good part of your system is well established & protected and you can rest assured that you are safe from most attacks.
Linux Hardening is a great way to ensure that your Security does not remain mediocre.
Holding on to default installations has proven time and time again to be ineffective and in some cases extremely dangerous.
For whatever reason you can come up with, Personal, Commercial or Compliance, Linux Hardening is the way forward for you and your company.
| Acronym | Meaning |
| --- | --- |
| HIPAA | Health Insurance Portability & Accountability Act |
| PCI DSS | Payment Card Industry Data Security Standard |
| CIS | Center For Internet Security |