
13 March, 2015

Centos Hardening Security Tips for Linux Servers

Securing a production system against hackers and crackers is a challenging task for a system administrator. This is our first article in the “How to Secure a Linux Box” / “Hardening a Linux Box” series. In this post we explain 25 useful tips and tricks to secure your Linux system, and we hope they help you secure your system to some extent.

  1. Keep System updated

    Always keep the system updated with the latest release patches, security fixes and kernel as soon as they are available. ‘yum update‘ installs pending updates; ‘yum check-update‘ only lists them without installing anything.
    # yum update
    # yum check-update
  2. Minimize Packages to Minimize Vulnerability

    Do you really need every service that is installed? Avoid installing packages you do not use: every extra package is extra attack surface, and keeping the set small reduces the risk that the compromise of one service leads to the compromise of others. Find and remove or disable unwanted services on the server. Use the ‘chkconfig‘ command to list the services that start in runlevel 3.
    # /sbin/chkconfig --list |grep '3:on'
    Once you have found unwanted services running, disable them with the following command.
    # chkconfig serviceName off
    Use the package manager (“yum” on RPM-based systems, “apt-get” on Debian-based ones) to list the installed packages, and remove the ones you do not need with the following commands.
    # yum -y remove package-name
    # sudo apt-get remove package-name
  3. Check Listening Network Ports

    With the ‘netstat‘ command you can view all listening ports and the programs bound to them (-t TCP, -u UDP, -l listening sockets, -p owning process, -n numeric addresses). As noted above, use ‘chkconfig‘ to disable any network service you do not need.
    # netstat -tulpn
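    An added example (not from the original article) that turns this check into a repeatable audit: it parses ‘netstat -tulpn‘ output against an allowlist of expected proto:port pairs and prints every network-reachable listener that is not on it. Both the sample netstat output and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): compare the listeners in
# `netstat -tulpn` output against an allowlist of expected services and
# print every network-reachable listener that is not on it.

# Constructed sample of `netstat -tulpn` output so the script runs offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1200/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      980/rpcbind
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1310/xinetd
tcp6       0      0 :::22                   :::*                    LISTEN      1021/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient
udp        0      0 0.0.0.0:111             0.0.0.0:*                           980/rpcbind'

# Expected services on this host as "proto:port" pairs (assumed policy).
ALLOWED_LISTENERS="tcp:22 tcp:25 udp:68"

# unexpected_listeners  (netstat output on stdin)
# Prints "proto port program" for each listener not in the allowlist.
# Loopback-only listeners are skipped: they are not reachable from the
# network, which is what this review is about.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_LISTENERS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = substr($1, 1, 3)                   # tcp6 -> tcp
        if ($4 ~ /^(127\.|::1:)/) next             # loopback only
        np = split($4, addr, ":"); port = addr[np] # text after the last ":"
        prog = $NF; sub(/^[0-9]+\//, "", prog)     # "1021/sshd" -> "sshd"
        if (!((proto ":" port) in ok)) print proto, port, prog
    }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

    On a live host, replace the sample with ‘netstat -tulpn | unexpected_listeners‘ and treat every printed line as a service to justify or disable.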
  4. Use Secure Shell(SSH)

    Telnet and rlogin send everything, including passwords, in plain text, which is a security risk. SSH is a secure protocol that encrypts the whole session with the server. Never log in directly as root unless necessary; use “sudo” to execute privileged commands. sudo privileges are specified in the /etc/sudoers file, which should be edited with the “visudo” utility (it opens the file in the vi editor and checks the syntax before saving).
    It is also recommended to change the default SSH port 22 to some other, non-default port number. Open the main SSH configuration file and set the following parameters to restrict which users may log in.
    # vi /etc/ssh/sshd_config
    Disable root Login
    PermitRootLogin no
    Only allow Specific Users
    AllowUsers username
    Use SSH Protocol 2 Version
    Protocol 2
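    An added example (not part of the original article) that audits an sshd_config for the three settings above. It reads the file the way sshd does (the first uncommented value of a keyword wins and keyword names are case-insensitive), which a plain grep for the last matching line gets wrong; the sample config it runs against is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for
# the settings recommended above. sshd applies the FIRST uncommented value
# of each keyword and matches keyword names case-insensitively, so this
# reads the file the same way rather than grepping for the last line.

# sshd_option KEY FILE -> prints the effective value of KEY (empty if the
# keyword is absent, meaning sshd's compiled-in default applies).
sshd_option() {
    awk -v key="$1" '
    BEGIN { key = tolower(key) }
    /^[[:space:]]*(#|$)/ { next }                  # comments, blank lines
    tolower($1) == key {
        sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # keep value only
        print; exit                                # first match wins
    }' "$2"
}

# audit_sshd FILE -> one "FAIL: ..." line per finding; exit status 1 if any.
audit_sshd() {
    f=$1; rc=0
    v=$(sshd_option PermitRootLogin "$f" | tr 'A-Z' 'a-z')
    [ "$v" = "no" ] \
        || { echo "FAIL: PermitRootLogin is '${v:-unset}', want no"; rc=1; }
    v=$(sshd_option Protocol "$f")
    [ "$v" = "2" ] \
        || { echo "FAIL: Protocol is '${v:-unset}', want exactly 2 (not 2,1)"; rc=1; }
    v=$(sshd_option AllowUsers "$f")
    [ -n "$v" ] \
        || { echo "FAIL: AllowUsers is not set; every account may log in"; rc=1; }
    return $rc
}

# Constructed config for a stand-alone run. Only the first PermitRootLogin
# line counts, so the later 'no' does not rescue it.
TMP=$(mktemp)
cat >"$TMP" <<'EOF'
Port 2222
permitrootlogin yes
Protocol 2,1
PermitRootLogin no
EOF
audit_sshd "$TMP" || echo "sshd_config needs attention"
rm -f "$TMP"
```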
  5. Lockdown Cronjobs

    Cron has a built-in feature for specifying who may and who may not run jobs, controlled by the files /etc/cron.allow and /etc/cron.deny. To block a user from using cron, add the username to cron.deny; to allow a user to run cron jobs, add the username to cron.allow. If you would like to stop all users from using cron, add the line ‘ALL‘ to cron.deny. Note that if cron.allow exists, only the users listed in it may use cron and cron.deny is not consulted.

    # echo ALL >>/etc/cron.deny
  6. Turn on SELinux

    Security-Enhanced Linux (SELinux) is a mandatory access control mechanism provided by the kernel. Disabling SELinux removes a security layer from the system. Think carefully before doing so, and think again if your system is connected to the internet and accessed by the public.
    SELinux provides three basic modes of operation:
    • Enforcing: The default mode, in which the SELinux security policy is enabled and enforced on the machine.
    • Permissive: SELinux does not enforce the security policy; it only warns and logs the actions it would have denied. This mode is very useful for troubleshooting SELinux-related issues.
    • Disabled: SELinux is turned off.

    You can view the current SELinux mode from the command line with the ‘system-config-selinux‘, ‘getenforce‘ or ‘sestatus‘ commands, and switch it at runtime with ‘setenforce‘.
    # sestatus
    # setenforce enforcing
    setenforce only changes the mode until the next reboot; the persistent setting is the SELINUX= line in the ‘/etc/selinux/config‘ file, where you can enable or disable it.
  7. Turn Off IPv6

    If you are not using the IPv6 protocol, disable it: most applications and policies do not require IPv6, and it is currently not needed on the server. Open the network configuration file and add the following lines to disable it.
    # vi /etc/sysconfig/network
    NETWORKING_IPV6=no
    IPV6INIT=no
  8. Restrict Users to Use Old Passwords

    This is useful when you want to prevent users from reusing their old passwords. The old password hashes are kept in /etc/security/opasswd, and the history check is enforced by the PAM pam_unix module.
    Open ‘/etc/pam.d/system-auth‘ file under RHEL / CentOS / Fedora.
    # vi /etc/pam.d/system-auth
    Open ‘/etc/pam.d/common-password‘ file under Ubuntu/Debian/Linux Mint.
    # vi /etc/pam.d/common-password
    Add the following line to the ‘auth‘ section.
    auth        sufficient    pam_unix.so likeauth nullok
    Add the following line to the ‘password‘ section to prevent a user from re-using any of their last 5 passwords.
    password   sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5
    Only the last 5 passwords are remembered by the server. If you try to reuse any of them, you get an error like the following. Note that ‘md5‘ is a legacy hashing option; if your existing line already uses ‘sha512‘, keep that and only add ‘remember=5‘.
    Password has been already used. Choose another.
  9. Enable Iptables (Firewall)

    It is highly recommended to enable the Linux firewall to block unauthorised access to your servers. Apply iptables rules to filter incoming, outgoing and forwarded packets; you can specify source and destination addresses to allow or deny on specific TCP/UDP port numbers.

    See also: Basic Guide on IPTables (Linux Firewall) Command

  10. Monitor User Activities

    If you are dealing with many users, it is important to collect information about each user's activities and the processes they run, so that it can be analysed later or when a performance or security issue arises. But how can we monitor and collect this information?
    Two useful tools, ‘psacct‘ and ‘acct‘, monitor user activity and processes on a system. They run in the background and continuously track each user's activity and the resources consumed by services such as Apache, MySQL, SSH, FTP, etc. For more information about installation, configuration and usage, visit the below url.
  11. Review Logs Regularly

    Move logs to a dedicated log server; this makes it harder for an intruder to alter the local logs after a compromise. Below are the common default Linux log files and their usage:

    • /var/log/messages – General system and current activity logs.
    • /var/log/auth.log – Authentication logs (Debian/Ubuntu).
    • /var/log/kern.log – Kernel logs.
    • /var/log/cron.log – Crond logs (cron jobs).
    • /var/log/maillog – Mail server logs.
    • /var/log/boot.log – System boot log.
    • /var/log/mysqld.log – MySQL database server log file.
    • /var/log/secure – Authentication log (RHEL/CentOS).
    • /var/log/utmp or /var/log/wtmp – Login records.
    • /var/log/yum.log – Yum log file.
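    An added example (not from the original article) of the kind of regular review this section calls for: it summarises failed SSH password attempts per source address from /var/log/secure-style lines and flags every source that reaches a threshold. The log lines it runs against are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): summarise failed SSH
# logins per source address from /var/log/secure-style lines and flag
# sources that reach a threshold. The log lines below are constructed.

SAMPLE_SECURE='Mar 13 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar 13 10:01:04 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar 13 10:01:05 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Mar 13 10:01:09 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.20 port 40100 ssh2
Mar 13 10:02:11 web1 sshd[2120]: Failed password for deploy from 198.51.100.20 port 40102 ssh2
Mar 13 10:02:30 web1 sshd[2130]: Accepted password for deploy from 198.51.100.20 port 40103 ssh2
Mar 13 10:03:00 web1 sshd[2140]: Failed password for invalid user oracle from 203.0.113.5 port 51040 ssh2'

# failed_logins_by_source [THRESHOLD]   (log lines on stdin)
# Prints "count address users" for every source with >= THRESHOLD failures,
# most failures first. Failures for valid and invalid users both count.
failed_logins_by_source() {
    threshold=${1:-3}
    awk -v min="$threshold" '
    /sshd\[[0-9]+\]: Failed password for / {
        # "for root from IP" and "for invalid user X from IP" differ in
        # field count, so locate "from" and read the neighbours instead.
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); user = $(i-1) }
        n[ip]++
        if (!index(users[ip], " " user " ")) users[ip] = users[ip] " " user " "
    }
    END {
        for (ip in n) if (n[ip] >= min) {
            gsub(/  +/, " ", users[ip]); sub(/^ /, "", users[ip]); sub(/ $/, "", users[ip])
            printf "%d %s %s\n", n[ip], ip, users[ip]
        }
    }' | sort -rn
}

printf '%s\n' "$SAMPLE_SECURE" | failed_logins_by_source 3
```

    On a real host run it as ‘failed_logins_by_source 10 < /var/log/secure‘ (or auth.log on Debian) and feed the flagged addresses into your firewall review.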
  12. Ignore ICMP or Broadcast Request

    Add the following lines to the “/etc/sysctl.conf” file to ignore ping (ICMP echo) or broadcast requests.
    Ignore ICMP requests:
    net.ipv4.icmp_echo_ignore_all = 1

    Ignore broadcast requests:
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    Load the new settings by running the following command.
    # sysctl -p
    If we have missed an important security or hardening tip in the list above, or you have another tip that should be included, please drop a comment in our comment box. TecMint is always interested in receiving comments and suggestions, as well as discussion aimed at improvement.
