LINUX-46 SECURITY & HARDENING (BASICS) - P1
IN LINUX (RHEL6 & RHEL7), WHAT IS SECURITY?
As I know, security is protecting something from unwanted or unauthorized access. Whatever is unauthorized is illegal, because it is done without my consent.
It's a generalized statement, but it holds true in every aspect of securing our belongings from harm/damage.
The same applies here in the case of our systems.
Areas of concern:
USER/LOGIN SECURITY
NETWORK SECURITY
FILE / OPERATING SYSTEM SECURITY
PHYSICAL SECURITY
LOG EVERYTHING
LOG FILE SECURITY
Let's start with USER SECURITY.
USER SECURITY:
1. Securing the root account/Disabling root login
2. Finding account with uid 0
3. Finding account with empty password
4. Prevent brute force attack
5. Allow only particular groups for ssh
6. Idle/Inactive session logout
7. Limit the number of parallel client sessions
8. chroot
9. Force sudo
10. Password policy
11. Kill/Terminate unwanted user
1. Securing the root account/Disabling root login
Being root is great, but great things come with great responsibility. It is quite possible that an accidental action as root causes severe damage to the system, so it is better to avoid root access.
[root@rhel7-server ~]# grep "PermitRootLogin" /etc/ssh/sshd_config
#PermitRootLogin yes
We get the above value; we need to change it from yes to no and uncomment it.
[root@rhel7-server ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
[root@rhel7-server ~]# systemctl restart sshd
After that, root login is disabled:
login as: root
root@192.168.135.134's password:
Access denied
root@192.168.135.134's password:
2. Finding account with uid 0
Good, now root login is disabled. Next is to find any ID with UID 0.
# awk -F':' '{ if ( $3 == "0" ) print $1 }' /etc/passwd
root
admin1
Or we can check manually with "cat /etc/passwd".
Either disable/expire the account, or change the UID/GID manually, or change the shell to false/nologin.
[root@rhel7-server ~]# chage -E 2017-01-01 admin1
[root@rhel7-server ~]# usermod -L -e 1 admin1
[root@rhel7-server ~]# usermod -s /bin/false admin1
Its UID is 0, so if we want to change the UID with the "usermod" command, we can't. We can't even delete this account directly via the command, because UID 0 is in use by running processes.
[root@rhel7-server ~]# userdel admin1
userdel: user admin1 is currently used by process 1
[root@rhel7-server ~]# usermod -u 1500 admin1
usermod: user admin1 is currently used by process 1
Though we can change the primary GID, provided the GID is available.
[root@rhel7-server ~]# groupadd -g 1500 admin1
[root@rhel7-server ~]# usermod -g 1500 admin1
[root@rhel7-server ~]# grep admin1 /etc/passwd
admin1:x:0:1500::/home/admin1:/bin/bash
[root@rhel7-server ~]# vi /etc/passwd
[root@rhel7-server ~]# grep admin1 /etc/passwd
admin1:x:1500:1500::/home/admin1:/bin/bash
Still, the owner of the home directory is root, so we need to change it.
[root@rhel7-server ~]# chown -R admin1:admin1 /home/admin1
Now all set.
3. Finding account with empty password
[root@rhel7-server ~]# getent shadow | grep '^[^:]*::' | cut -d: -f1
admin1
OR,
[root@rhel7-server ~]# getent shadow | grep -Po '^[^:]*(?=::)'
admin1
OR,
# awk -F':' '{ if ( $2 == "" ) print $1 }' /etc/shadow
admin1
Though it makes no sense to have an account with an empty password, just disable it anyway.
[root@rhel7-server ~]# grep admin1 /etc/shadow
admin1::17796:0:5:1::18262:
[root@rhel7-server ~]# usermod -s /bin/false -L -e 1 admin1
[root@rhel7-server ~]# grep admin1 /etc/shadow
admin1:!:17796:0:5:1::1:
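The three checks in sections 1 to 3 are worth running together, and repeatedly, rather than typing them by hand. The script below is an added example, not code from the original post: it audits constructed copies of passwd, shadow and sshd_config for a permitted root login, extra UID 0 accounts and empty password fields. The file paths, the sample accounts and the function names (uid0_accounts, empty_password_accounts, permit_root_login, audit_report) are my own; on a real host pass /etc/passwd, /etc/shadow and /etc/ssh/sshd_config as root.

```shell
#!/bin/sh
# Added example, not from the original post: audit the three findings of
# sections 1-3 (root login over SSH, extra UID 0 accounts, empty passwords).
# The paths are parameters so the checks run here on constructed sample
# files; on a real host pass /etc/passwd, /etc/shadow and
# /etc/ssh/sshd_config (reading /etc/shadow needs root).

# Accounts whose UID (field 3) is 0, other than root itself.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field (field 2) is empty. Locked fields
# ("!" or "*") and hashes are fine; only an empty field permits a login
# without any password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Effective PermitRootLogin value: sshd takes the first uncommented
# occurrence, and the compiled-in default on RHEL6/7 is "yes".
permit_root_login() {
    value=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${value:-yes}"
}

# One-line summary per check; "none" when a check finds nothing.
audit_report() {   # $1 passwd, $2 shadow, $3 sshd_config
    uid0=$(uid0_accounts "$1" | paste -s -d ' ' -)
    empty=$(empty_password_accounts "$2" | paste -s -d ' ' -)
    printf 'PermitRootLogin: %s\n' "$(permit_root_login "$3")"
    printf 'UID 0 accounts besides root: %s\n' "${uid0:-none}"
    printf 'Accounts with empty password: %s\n' "${empty:-none}"
}

# --- constructed sample data (not a real system) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin1:x:0:1500::/home/admin1:/bin/bash
anurag:x:1000:1000::/home/anurag:/bin/bash
EOF

cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructed$notarealhash:17796:0:99999:7:::
bin:*:17796:0:99999:7:::
admin1::17796:0:5:1::18262:
anurag:!:17796:0:99999:7:::
EOF

# The commented directive is ignored; the first live directive wins.
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
EOF

audit_report "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/sshd_config"
```

When the audit does turn up an account to fix, prefer vipw over editing /etc/passwd with vi as in section 2: vipw locks the file so that a concurrent useradd or passwd run cannot corrupt it.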
4. Prevent brute force attack
By locking the user after three failed login attempts.
[root@rhel6-server ~]# vi /etc/pam.d/system-auth
auth required pam_tally2.so deny=3
account required pam_tally2.so
Insert the above at the appropriate place.
[root@rhel6-server ~]# vi /etc/pam.d/password-auth
auth required pam_tally2.so deny=3
account required pam_tally2.so
Insert the above at the appropriate place.
[root@rhel6-server ~]# pam_tally2
Login Failures Latest failure From
admin1 16 09/22/18 18:47:55 192.168.135.1
It's locked; let's unlock it.
[root@rhel6-server ~]# pam_tally2 --user=admin1 -r
Login Failures Latest failure From
admin1 16 09/22/18 18:47:55 192.168.135.1
5. Allow only particular groups for ssh
I don't want all groups to be allowed to use ssh. Let's take control over it by limiting the access to a particular group.
Add a group "sshtest":
[root@rhel6-server ~]# groupadd sshtest
[root@rhel6-server ~]# grep sshtest /etc/group
sshtest:x:5011:
Join users to the group (-a appends, so the users keep their other supplementary groups):
[root@rhel6-server ~]# usermod -aG sshtest anurag
[root@rhel6-server ~]# usermod -aG sshtest test1
[root@rhel6-server ~]# usermod -aG sshtest test2
Check the configuration:
[root@rhel6-server anurag]# grep sshtest /etc/group
sshtest:x:5011:anurag,test1,test2
Now allow that group in sshd_config:
[root@rhel6-server ~]# vi /etc/ssh/sshd_config
AllowGroups sshtest
(RHEL6/CENTOS6)
[root@rhel6-server ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
(RHEL7/CENTOS7)
[root@rhel7-server ~]# systemctl restart sshd.service
Check the config to see whether it is working or not:
[root@rhel6-server ~]# tail -f /var/log/secure
Sep 23 14:29:48 rhel6-server sshd[33691]: User root from 192.168.135.1 not allowed because none of user's groups are listed in AllowGroups
Sep 23 14:29:48 rhel6-server sshd[33692]: input_userauth_request: invalid user root
Sep 23 14:30:01 rhel6-server sshd[33693]: Accepted password for anurag from 192.168.135.1 port 3322 ssh2
Sep 23 14:30:01 rhel6-server sshd[33693]: pam_unix(sshd:session): session opened for user anurag by (uid=0)
Sep 23 14:33:50 rhel6-server sshd[33806]: User test3 from 192.168.135.1 not allowed because none of user's groups are listed in AllowGroups
Sep 23 14:33:50 rhel6-server sshd[33807]: input_userauth_request: invalid user test3
Sep 23 14:33:53 rhel6-server unix_chkpwd[33808]: password check failed for user (test3)
Sep 23 14:34:11 rhel6-server sshd[33809]: Accepted password for test1 from 192.168.135.1 port 3330 ssh2
Sep 23 14:34:11 rhel6-server sshd[33809]: pam_unix(sshd:session): session opened for user test1 by (uid=0)
Sep 23 14:34:21 rhel6-server sshd[33855]: User test4 from 192.168.135.1 not allowed because none of user's groups are listed in AllowGroups
Sep 23 14:34:21 rhel6-server sshd[33856]: input_userauth_request: invalid user test4
Sep 23 14:36:00 rhel6-server sshd[33872]: User raman from 192.168.135.1 not allowed because none of user's groups are listed in AllowGroups
Sep 23 14:36:00 rhel6-server sshd[33873]: input_userauth_request: invalid user raman
Sep 23 14:41:41 rhel6-server sshd[33908]: Accepted password for test2 from 192.168.135.1 port 3377 ssh2
Similarly, we can restrict ssh login based on user names also.
[root@rhel6-server ~]# vi /etc/ssh/sshd_config
AllowUsers anurag raman
(RHEL6/CENTOS6)
[root@rhel6-server ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
(RHEL7/CENTOS7)
[root@rhel7-server ~]# systemctl restart sshd.service
[root@rhel6-server ~]# tail -f /var/log/secure
Sep 23 14:51:52 rhel6-server sshd[34020]: User test1 from 192.168.135.1 not allowed because not listed in AllowUsers
Sep 23 14:52:14 rhel6-server sshd[34024]: Accepted password for raman from 192.168.135.1 port 3459 ssh2
Sep 23 14:52:21 rhel6-server sshd[34072]: User test2 from 192.168.135.1 not allowed because not listed in AllowUsers
Similarly, we can deny users and groups also.
DenyGroups sshtest
DenyUsers test1 test2 raman
And restart the ssh service.
It's always better to go with "ALLOW", because it allows the trusted and blocks the rest.
6. Idle/Inactive session logout
Here, something to understand: we can do it in two ways.
[root@rhel7-server ~]# vi /etc/ssh/sshd_config
ClientAliveInterval 2m
ClientAliveCountMax 0
Here the session will be logged out after 2m of inactivity, and the client will not get any client-alive message.
[root@rhel7-server ~]# vi /etc/ssh/sshd_config
ClientAliveInterval 3m
ClientAliveCountMax 2
In the 2nd method, 3m is multiplied by 2 and the timeout will be 6m. In this case the client will get 2 client-alive messages, each after a 3m interval.
[root@rhel7-server ~]# systemctl restart sshd
[root@rhel7-server anurag]# w
15:11:58 up 1 day, 22:08, 8 users, load average: 0.00, 0.01, 0.05
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
test2 pts/5 15:11 10.00s 0.04s 0.00s
[root@rhel7-server anurag]# w
15:11:58 up 1 day, 22:08, 8 users, load average: 0.00, 0.01, 0.05
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
test2 pts/5 15:11 1:36 0.04s 0.00s
[root@rhel7-server anurag]# w
15:11:58 up 1 day, 22:08, 8 users, load average: 0.00, 0.01, 0.05
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
test2 pts/5 15:11 1:59 0.04s 0.00s
[root@rhel7-server anurag]# w
15:11:58 up 1 day, 22:08, 8 users, load average: 0.00, 0.01, 0.05
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
Now it's gone.
[root@rhel7-server anurag]# grep test2 /var/log/secure
Sep 23 15:11:48 rhel7-server sshd[39656]: pam_unix(sshd:session): session opened for user test2 by (uid=0)
Sep 23 15:13:49 rhel7-server sshd[39656]: pam_unix(sshd:session): session closed for user test2
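The interval-times-count arithmetic above is easy to get wrong once the values use sshd's time suffixes, so here is an added example (not code from the original post) that reads ClientAliveInterval and ClientAliveCountMax from constructed sshd_config fragments and reports the effective idle timeout in seconds. The to_seconds, sshd_option and idle_timeout functions and the sample files are my own. The suffix rules follow sshd_config(5), and the handling of ClientAliveCountMax 0 follows the OpenSSH 7.x behaviour that RHEL7 ships, where the session is dropped at the first missed probe; OpenSSH 8.2 and later instead treat a count of 0 as "never disconnect", so check the installed version before relying on method 1.

```shell
#!/bin/sh
# Added example, not from the original post: compute the effective SSH idle
# timeout from ClientAliveInterval and ClientAliveCountMax.
# Assumptions: sshd_config(5) time suffixes (s, m, h, d, w; a bare number is
# seconds) and OpenSSH 7.x semantics, where ClientAliveCountMax 0 drops the
# session at the first missed probe. OpenSSH 8.2+ never disconnects for 0.

# Convert an sshd time value (2m, 90, 1h30m) to seconds; -1 if malformed.
to_seconds() {
    printf '%s\n' "$1" | awk '{
        s = tolower($0); total = 0; num = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) { num = num c; continue }
            if      (c == "s") mult = 1
            else if (c == "m") mult = 60
            else if (c == "h") mult = 3600
            else if (c == "d") mult = 86400
            else if (c == "w") mult = 604800
            else mult = -1
            if (mult < 0 || num == "") { total = -1; break }
            total += num * mult; num = ""
        }
        if (total >= 0 && num != "") total += num   # trailing bare seconds
        print total
    }'
}

# First uncommented occurrence of a directive wins in sshd_config;
# fall back to the supplied default when the directive is absent.
sshd_option() {   # $1 config file, $2 directive, $3 default
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    value=$(awk -v key="$key" 'tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${value:-$3}"
}

# Effective idle timeout in seconds, "never" when probes are disabled,
# "invalid" when the interval does not parse.
# sshd defaults: ClientAliveInterval 0, ClientAliveCountMax 3.
idle_timeout() {
    interval=$(to_seconds "$(sshd_option "$1" ClientAliveInterval 0)")
    count=$(sshd_option "$1" ClientAliveCountMax 3)
    if [ "$interval" -lt 0 ]; then
        echo invalid
    elif [ "$interval" -eq 0 ]; then
        echo never
    elif [ "$count" -eq 0 ]; then
        echo "$interval"        # OpenSSH 7.x: killed at the first missed probe
    else
        echo $((interval * count))
    fi
}

# --- constructed sshd_config fragments (not real files) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'ClientAliveInterval 2m\nClientAliveCountMax 0\n'  > "$SAMPLE_DIR/method1"
printf 'ClientAliveInterval 3m\nClientAliveCountMax 2\n'  > "$SAMPLE_DIR/method2"
printf '#ClientAliveInterval 15\nClientAliveCountMax 2\n' > "$SAMPLE_DIR/commented"
printf 'ClientAliveInterval 15\n'                         > "$SAMPLE_DIR/default_count"

for f in method1 method2 commented default_count; do
    printf '%-14s idle timeout: %s\n' "$f" "$(idle_timeout "$SAMPLE_DIR/$f")"
done
```

The "commented" fragment shows the failure mode that bites most often: a directive left commented out means the default (ClientAliveInterval 0) applies and idle sessions are never cut, however large the count is.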
7. Limit the number of parallel client sessions
Limiting one session for one user:
[root@rhel7-server ~]# grep UsePAM /etc/ssh/sshd_config
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
#UsePAM no
UsePAM yes
The UsePAM value should be yes.
[root@rhel7-server ~]# cp /etc/pam.d/sshd /etc/pam.d/sshd.22SEP18
[root@rhel7-server ~]# vi /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_limits.so
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
Insert the "session required pam_limits.so" line at the appropriate place, as shown above.
# cp /etc/security/limits.conf /etc/security/limits.conf.23SEP18
[root@rhel7-server ~]# vi /etc/security/limits.conf
* hard maxlogins 1
Insert the above line at the end of the file.
Now one user will be allowed only one session at a time (this is not applicable for the root user).
[root@rhel7-server anurag]# tail -f /var/log/secure
## first try by user "test2"
Sep 23 16:41:29 rhel7-server sshd[42724]: Accepted password for test2 from 192.168.135.1 port 4603 ssh2
Sep 23 16:41:29 rhel7-server systemd-logind: New session 411 of user test2.
Sep 23 16:41:29 rhel7-server sshd[42724]: pam_unix(sshd:session): session opened for user test2 by (uid=0)
Sep 23 16:41:29 rhel7-server sshd[42724]: pam_tty_audit(sshd:session): changed status from 0 to 1
## second try by user "test2"
Sep 23 16:41:56 rhel7-server sshd[42775]: Accepted password for test2 from 192.168.135.1 port 4604 ssh2
Sep 23 16:41:56 rhel7-server sshd[42775]: pam_limits(sshd:session): Too many logins (max 1) for test2
Sep 23 16:41:56 rhel7-server sshd[42775]: pam_limits(sshd:session): Too many logins (max 1) for test2
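Sections 5 and 7 both verify the policy by watching /var/log/secure. The script below is an added example, not code from the original post, that turns that check into something repeatable: it counts AllowGroups/AllowUsers rejections per user, source address and directive, lists users that hit the pam_limits maxlogins ceiling, and flags source addresses that have collected more rejections than a threshold. The log lines are a constructed sample in the same format as the ones shown above (one entry comes from a made-up second address), and the function names ssh_policy_rejections, too_many_logins and noisy_sources are my own; on a real host point it at /var/log/secure.

```shell
#!/bin/sh
# Added example, not from the original post: summarise sshd policy
# rejections and pam_limits "Too many logins" events from /var/log/secure.
# The sample log is constructed here; pass /var/log/secure on a real host.

# Rejections by AllowGroups/AllowUsers: prints "user source directive count".
ssh_policy_rejections() {
    awk '/sshd\[[0-9]+\]: User [^ ]+ from [^ ]+ not allowed because/ {
        for (i = 1; i <= NF; i++)
            if ($i == "User") { user = $(i + 1); src = $(i + 3) }
        counts[user " " src " " $NF]++      # $NF is the directive name
    }
    END { for (k in counts) print k, counts[k] }' "$1" | sort
}

# Users refused a session by pam_limits maxlogins (the module may log the
# same refusal twice, as in the listing above), deduplicated.
too_many_logins() {
    awk '/pam_limits\(sshd:session\): Too many logins/ { print $NF }' "$1" | sort -u
}

# Source addresses with at least $2 policy rejections: a cheap indicator
# of one address trying account after account against the allow list.
noisy_sources() {   # $1 log file, $2 threshold
    awk -v threshold="$2" '
    /sshd\[[0-9]+\]: User [^ ]+ from [^ ]+ not allowed because/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
    }
    END { for (a in hits) if (hits[a] >= threshold) print a, hits[a] }' "$1" | sort
}

# --- constructed sample log in /var/log/secure format (not a real capture) ---
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Sep 23 14:29:48 rhel6-server sshd[33691]: User root from 192.168.135.1 not allowed because none of user's groups are listed in AllowGroups
Sep 23 14:29:48 rhel6-server sshd[33692]: input_userauth_request: invalid user root
Sep 23 14:30:01 rhel6-server sshd[33693]: Accepted password for anurag from 192.168.135.1 port 3322 ssh2
Sep 23 14:33:50 rhel6-server sshd[33806]: User test3 from 192.168.135.1 not allowed because none of user's groups are listed in AllowGroups
Sep 23 14:34:21 rhel6-server sshd[33855]: User test3 from 10.0.0.7 not allowed because none of user's groups are listed in AllowGroups
Sep 23 14:51:52 rhel6-server sshd[34020]: User test1 from 192.168.135.1 not allowed because not listed in AllowUsers
Sep 23 16:41:56 rhel7-server sshd[42775]: pam_limits(sshd:session): Too many logins (max 1) for test2
Sep 23 16:41:56 rhel7-server sshd[42775]: pam_limits(sshd:session): Too many logins (max 1) for test2
EOF

echo "== policy rejections (user source directive count)"
ssh_policy_rejections "$LOG"
echo "== users over maxlogins"
too_many_logins "$LOG"
echo "== sources with 2 or more rejections"
noisy_sources "$LOG" 2
```

Note that sshd logs the allow-list rejection before any password is checked, so these entries are a clean signal of who is knocking on accounts that the policy excludes; a "password check failed" line from unix_chkpwd, like the one in section 5, only appears for users the allow list let through to authentication.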
8. chroot
It is used to restrict users to their login directory. Once a user has logged in and landed in a particular place, it is like a jail for them; they can't go anywhere outside that directory.
I already explained chroot in great detail, please refer to the following link.
9. Force sudo
It's a way to limit access or to provide access. Sometimes we need a user to perform a particular task, and for that he has to run a particular command; or a user can run all commands but should not have access to administrative commands.
All of the above can be achieved by applying sudo.
I already explained SUDO & SU in detail, please refer to the following link.
10. Password policy
Password policy plays a very crucial role in user security.
Following are a few implementations which enforce users to adhere to the password policy.
Minimum password length would be 8 characters.
Password expiry duration would be 90 days.
Password change warning should be flashed to users 14 days before expiry.
Users must change the password at their first login.
Password contains at least one number.
Password contains at least one upper case letter.
Password contains at least one lower case letter.
Password contains at least one special character.
Lock account after five failed login attempts.
Auto unlock account after N number of minutes.
Lock even root user after five failed login attempts.
Auto logout users after 30 minutes of idle/inactive session.
Enforce password history up to the last three passwords.
I already explained Password Policy in great detail, please refer to the following link.
11. Kill/Terminate unwanted user
[root@rhel7-server anurag]# who
(unknown) :0 2018-08-18 18:06 (:0)
anurag pts/0 2018-09-23 14:05 (192.168.135.1)
anurag pts/1 2018-09-23 14:05
test1 pts/2 2018-09-23 15:41 (192.168.135.1)
test1 pts/3 2018-09-23 15:41
[root@rhel7-server anurag]# ps -ef | grep pts/2
test1 40345 40340 0 15:41 ? 00:00:00 sshd: test1@pts/2
test1 40346 40345 0 15:41 pts/2 00:00:00 -bash
test1 40395 40346 0 15:41 pts/2 00:00:00 script -q /var/log/logging/rhel7-server.test1.092318154143
test1 40397 40395 0 15:41 pts/2 00:00:00 script -q /var/log/logging/rhel7-server.test1.092318154143
root 40431 38336 0 15:42 pts/1 00:00:00 grep --color=auto pts/2
[root@rhel7-server anurag]# ps -dN | grep pts/2
40346 pts/2 00:00:00 bash
Kill the login shell of that session (PID 40346):
[root@rhel7-server anurag]# kill -9 40346
OR, terminate every process of the user at once:
[root@rhel7-server ~]# pkill -KILL -u test3