@r0x000000000033
- Password Bootloader GRUB
- Disable reboot using Ctrl-Alt-Del Keys
- DNSCrypt
- Sandboxing
- Lockdown Cronjobs
- HidePID
- MAC (Mandatory Access Control)
- Security SSH
- Pam_Tally2
- Port Knocking
- Rootkits and Malware Analysis
- FireWall
- Full Disk Encryption
- Security Server Apache
- Security FTP
- Listening Ports
- Security Auditing Tools Open Source
Hardening is the process of mapping threats, mitigating risks and carrying out corrective actions on the infrastructure, with the main objective of preparing it to withstand attack attempts. This documentation presents a series of tips and recommendations to improve the security of any Linux distribution.
- Using grub2-setpassword (RHEL8/CentOS8):
# Set password:
grub2-setpassword
# File containing the password hash:
cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.[...]
# Remove --unrestricted from the main CLASS= declaration in the /etc/grub.d/10_linux file:
sed -i "/^CLASS=/s/ --unrestricted//" /etc/grub.d/10_linux
# Recreate the grub config with grub2-mkconfig and reboot:
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
- Using grub2-mkpasswd-pbkdf2:
# Set password and copy the encrypted password hash:
# RHEL8/CentOS8
grub2-mkpasswd-pbkdf2
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.[...]
# Debian-based:
grub-mkpasswd-pbkdf2
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.[...]
# It is not recommended to edit the grub.cfg file directly (/boot/grub2/grub.cfg).
# We can configure GRUB2 Bootloader by modifying the files in the /etc/grub.d/ directory without having to modify the main file.
# Edit the file /etc/grub.d/40_custom and add:
set superusers="root"
password_pbkdf2 root <password-hash>
# Recreate the grub config with grub2-mkconfig and reboot:
# RHEL8/CentOS8:
grub2-mkconfig -o /boot/grub2/grub.cfg
# Debian-based:
grub-mkconfig -o /boot/grub/grub.cfg
reboot
Remove GRUB password:
# RHEL8/CentOS8 (password set with grub2-setpassword):
rm -f /boot/grub2/user.cfg
# Any distribution (password set in /etc/grub.d/40_custom): remove the
# 'set superusers' and 'password_pbkdf2' lines from that file, then regenerate the config.
# RHEL8/CentOS8:
grub2-mkconfig -o /boot/grub2/grub.cfg
# Debian-based:
grub-mkconfig -o /boot/grub/grub.cfg
Masking is a systemd feature that prevents a unit from ever being activated. Mask the ctrl-alt-del target so the key combination no longer reboots the machine (same steps on RHEL8/CentOS8 and Debian-based):
systemctl mask ctrl-alt-del.target
# or create the mask symlink by hand (systemctl mask creates it in /etc/systemd/system, not /usr/lib):
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
# Check if it's masked:
systemctl list-unit-files --type target | grep ctrl
# Remove the mask:
systemctl unmask ctrl-alt-del.target
- Installation OS-specific: https://github.com/jedisct1/dnscrypt-proxy/wiki/installation
Protocol created by OpenBSD that authenticates communications between a client and a DNS resolver. It encapsulates DNS traffic in a secure channel to prevent DNS spoofing, using cryptographic signatures to verify that responses originate from the chosen DNS resolver and have not been tampered with.
apt install dnscrypt-proxy
Choose your preferred DNS server from the list of supported resolvers.
Another way to see the available resolvers is the local copy of the list:
Local: /var/cache/dnscrypt-proxy/public-resolvers.md
Edit dnscrypt-proxy.toml and add the server of your choice:
# Edit the file /etc/dnscrypt-proxy/dnscrypt-proxy.toml:
server_names = ['cloudflare']
For dnscrypt-proxy to work, the system resolver must point at the local listener: 127.0.0.1, or 127.0.2.1 on Debian/Ubuntu.
To know which one to use, check which address the systemd socket listens on:
cat /lib/systemd/system/dnscrypt-proxy.socket | grep ListenDatagram
Then add localhost:
# Edit the file /etc/resolv.conf:
nameserver 127.0.2.1
Start dnscrypt-proxy:
systemctl start dnscrypt-proxy.service
Check that the service is listening on the DNS port:
ss -lp 'sport = :domain'
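A check for the two settings above, written here as an added shell example (not from the original page): it reads the ListenDatagram address out of the dnscrypt-proxy socket unit and confirms that the first nameserver in resolv.conf points at it. The unit file and resolv.conf contents are constructed samples; on a real host pass the contents of the real files.

```shell
# Constructed sample of /lib/systemd/system/dnscrypt-proxy.socket (Debian layout).
SAMPLE_SOCKET_UNIT='[Unit]
Description=dnscrypt-proxy listening socket

[Socket]
ListenStream=127.0.2.1:53
ListenDatagram=127.0.2.1:53
NoDelay=true

[Install]
WantedBy=sockets.target'

# Constructed sample of /etc/resolv.conf after the edit described above.
SAMPLE_RESOLV='# Constructed sample
nameserver 127.0.2.1
options edns0'

# Print the IP address the socket unit binds for UDP (the ListenDatagram line).
# $1: contents of the socket unit.
socket_listen_ip() {
  printf '%s\n' "$1" | sed -n 's/^ListenDatagram=\([^:]*\):.*/\1/p' | head -n 1
}

# Print every nameserver entry from resolv.conf contents, in order.
# $1: contents of resolv.conf.
resolv_nameservers() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Return 0 when the first nameserver is the dnscrypt-proxy listen address,
# 1 otherwise (queries would bypass the encrypted resolver).
# $1: socket unit contents; $2: resolv.conf contents.
resolv_points_to_dnscrypt() {
  listen=$(socket_listen_ip "$1")
  first_ns=$(resolv_nameservers "$2" | head -n 1)
  if [ -n "$listen" ] && [ "$listen" = "$first_ns" ]; then
    return 0
  fi
  echo "resolv.conf nameserver '$first_ns' does not match dnscrypt-proxy listener '$listen'" >&2
  return 1
}
```

On a live system: `resolv_points_to_dnscrypt "$(cat /lib/systemd/system/dnscrypt-proxy.socket)" "$(cat /etc/resolv.conf)"`.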
Security mechanism that isolates running programs by confining them to a highly controlled and restricted environment, so a compromised program cannot reach the rest of the system.
Examples of implementations:
# Block all users:
echo ALL >> /etc/cron.deny
# Release specific users to access cron:
echo "<user>" >> /etc/cron.allow
By default, every local user can see other users' PIDs and process information under /proc. The hidepid mount option changes this:
- hidepid=0: process directories are visible and readable by all users (default)
- hidepid=1: process directories remain visible, but their contents are not accessible to other users
- hidepid=2: other users' process directories are hidden entirely
# Add in /etc/fstab:
proc /proc proc defaults,hidepid=2 0 0
# Checking:
ls -ld /proc/[0-9]*
ps aux
top
MAC is based on a hierarchical model built on security levels. Every user is assigned a security (clearance) level and every object is assigned a security label. Users can only access resources whose security level is equal to or lower than their own in the hierarchy.
In a MAC model, access is controlled strictly by the administrator, who sets all permissions. Users cannot set their own permissions, even on objects they own. Because of this centralized administration, MAC systems are considered very secure: the administrator controls who has access to what and does not have to worry about someone else setting permissions improperly. Because of this high level of security, MAC access models are often used in government systems.
By default, SSH listens on port 22; moving it to a high, non-standard port makes it harder to discover with a port scanner. The maximum value given to a port is 65536.
# Edit the file /etc/ssh/sshd_config:
[...]
Port 2222
[...]
# Edit the file /etc/ssh/sshd_config:
[...]
# Authentication:
PermitRootLogin no
[...]
# Edit the file /etc/ssh/sshd_config:
[...]
AllowUsers <user>
[...]
RSA (Rivest-Shamir-Adleman) is a public-key algorithm used for key-based authentication in SSH protocol version 2.
# generating the key
ssh-keygen -t rsa
# Copy the public key to the remote host:
ssh-copy-id <user>@<host>
# Enable key authentication. Edit the file /etc/ssh/sshd_config:
[...]
PubkeyAuthentication yes
[...]
By default, TCP Wrappers first consult the /etc/hosts.deny file to see which hosts are denied access to which service, and then consult the /etc/hosts.allow file to see whether any rule allows specific hosts to connect to specific services.
# Edit the file /etc/hosts.deny and add:
sshd: ALL
# This means that, by default, all hosts are prohibited from accessing the SSH service.
# Create a rule to authorize only specific hosts:
# Edit the file /etc/hosts.allow and add:
sshd: 192.168.1.2
pam_tally2: blocks a user after N incorrect login attempts. Options:
- deny: block after N failed retries
- unlock_time: blocking time in seconds
- even_deny_root: the policy also applies to the root user
- file: path of the failure log
- RHEL8/CentOS8
# Edit the file /etc/pam.d/system-auth
[...]
auth required pam_tally2.so deny=2 unlock_time=60
[...]
account required pam_tally2.so
- Debian-based
# Edit the file /etc/pam.d/common-auth.
# Add the following line before the start of the configuration block to make it the first configuration item:
auth required pam_tally2.so file=/var/log/tallylog even_deny_root deny=2 unlock_time=900
Check if SSH daemon is using PAM module:
sshd -T | grep -E "(challenge|pam)"
usepam yes
challengeresponseauthentication no
Restart the SSH service:
systemctl restart sshd
View the count of login attempts:
pam_tally2 --user <user>
Login Failures Latest failure From
<user> 6 yy/xx/ww 00:00:00 <IP-Address>
Unblock user:
pam_tally2 --reset --user <user>
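An audit of the sshd settings recommended in the SSH section together with the UsePAM check from this section, written as an added shell example (not from the original page). It parses the effective configuration that `sshd -T` prints; the two configurations below are constructed samples, a hardened one and a default-like one.

```shell
# Constructed sample of `sshd -T` output after applying the recommendations above.
SAMPLE_SSHD_T='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
usepam yes
challengeresponseauthentication no
allowusers admin'

# Constructed sample of a default-like configuration that should fail the audit.
WEAK_SSHD_T='port 22
permitrootlogin yes
pubkeyauthentication yes
usepam yes'

# Print the value of one keyword from sshd -T output (keywords are lowercase there).
# $1: sshd -T output; $2: keyword.
sshd_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Check the settings this page recommends. Prints one FAIL line per finding and
# returns the number of findings, so 0 means every check passed.
# $1: sshd -T output.
audit_sshd() {
  cfg=$1
  findings=0
  [ "$(sshd_value "$cfg" port)" != "22" ] \
    || { echo "FAIL: sshd still listens on the default port 22"; findings=$((findings + 1)); }
  [ "$(sshd_value "$cfg" permitrootlogin)" = "no" ] \
    || { echo "FAIL: PermitRootLogin is not 'no'"; findings=$((findings + 1)); }
  [ "$(sshd_value "$cfg" pubkeyauthentication)" = "yes" ] \
    || { echo "FAIL: PubkeyAuthentication is not enabled"; findings=$((findings + 1)); }
  [ -n "$(sshd_value "$cfg" allowusers)" ] \
    || { echo "FAIL: no AllowUsers restriction is set"; findings=$((findings + 1)); }
  [ "$(sshd_value "$cfg" usepam)" = "yes" ] \
    || { echo "FAIL: UsePAM is off, so the pam_tally2 lockout does not apply to sshd"; findings=$((findings + 1)); }
  return "$findings"
}
```

On a live system run `audit_sshd "$(sshd -T)"` as root.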
- FWKnop (FireWall KNock OPerator): implements SPA (Single Packet Authorization)
- Knockd
- CHKRootKit
- Rkhunter
- Lynis
- ClamAV
- LMD (Linux Malware Detect)
- Cryptsetup: LUKS (Linux Unified Key Setup) + dm-crypt (back-end)
# Benchmark the available ciphers before choosing one:
cryptsetup benchmark
Minimize your Apache web server's attack surface by disabling unnecessary modules.
- RHEL8/CentOS8
# List all modules:
httpd -t -D DUMP_MODULES
apachectl -M
# Directory of all modules:
ls /etc/httpd/modules
ls /usr/lib64/httpd/modules
Enable/Disable Modules:
# Comment out the 'LoadModule' lines in /etc/httpd/conf.modules.d/00-base.conf:
[...]
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule watchdog_module modules/mod_watchdog.so
[...]
# Checking:
apachectl restart
apachectl -M | grep <module>
- Debian-based
# List all modules:
apachectl -M
apachectl -t -D DUMP_MODULES
a2query -m
# Directories of available and enabled modules:
/etc/apache2/mods-available/
/etc/apache2/mods-enabled/
Enable/Disable Modules:
# Enable:
a2enmod <module>
# Disable:
a2dismod <module>
# Check modules status:
a2query -m rewrite
Directory listing enabled on a website can expose important files to the public. With search-engine dorks it is possible to find sites that have this setting enabled in Apache.
:.com.br "index of"
:.gov.br "index of"
Disable:
# Remove 'Indexes' from the Options line to disable directory listing.
# RHEL8/CentOS8
# Edit the file /etc/httpd/conf/httpd.conf:
# Debian-based:
# Edit the file /etc/apache2/apache2.conf:
[...]
<Directory "/var/www/html">
Options FollowSymLinks
</Directory>
[...]
Cross-Site Tracing (XST) attacks can steal sensitive header and cookie information from any domain whose web server supports the HTTP TRACE method.
Test the TRACE Method on the web server:
curl -i -X TRACE http://<IP>/
Disable:
# RHEL8/CentOS8
# Edit the file /etc/httpd/conf/httpd.conf
# Debian-based:
# Edit the file /etc/apache2/conf-enabled/security.conf:
TraceEnable off
- RHEL8/CentOS8
Config: /etc/httpd/conf.d/mod_security.conf
Debug Log: /var/log/httpd/modsec_debug.log
Audit log: /var/log/httpd/modsec_audit.log
Rules: /etc/httpd/modsecurity.d/activated_rules
mod_security_crs: provides the basic rule set for mod_security
dnf install httpd mod_security mod_security_crs
- Debian-based:
apt install libapache2-mod-security2 -y
Configure ModSecurity:
cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
# Edit the file /etc/modsecurity/modsecurity.conf:
SecRuleEngine On
OWASP ModSecurity Core Rule Set (CRS):
git clone https://github.com/coreruleset/coreruleset
cd coreruleset/
mv rules/ /etc/modsecurity/
Restart service apache:
# RHEL8/CentOS8
systemctl restart httpd
# Debian-based:
systemctl restart apache2
Check that the ModSecurity module was loaded in Apache:
# Verify that the web application firewall is working:
# RHEL8/CentOS8
tail /var/log/httpd/error.log | grep ModSecurity
# Debian-based:
tail /var/log/apache2/error.log | grep ModSecurity
[:notice] [pid 1601] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[:notice] [pid 1601] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
[:notice] [pid 1601] ModSecurity: LUA compiled version="Lua 5.1"
[:notice] [pid 1601] ModSecurity: LIBXML compiled version="2.9.1"
[:notice] [pid 1601] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
# RHEL8/CentOS8
dnf install -y openssl
# Debian-based
apt install -y openssl
Generate a self-signed certificate (the original used a 1024-bit key, which is too weak today; 2048 bits is the minimum, and -days sets the validity, which otherwise defaults to 30 days):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
# Edit the file /etc/sysconfig/proftpd to enable TLS:
PROFTPD_OPTIONS="-DTLS"
# Edit the file /etc/shells and add:
/bin/false
# Create user:
useradd <user> -s /bin/false
passwd <user>
- AllowUser: permit the named user
- DenyAll: deny everyone else
# Edit the file /etc/proftpd.conf:
<Limit LOGIN>
AllowUser <user>
DenyAll
</Limit>
It is important to check for open ports in order to spot intruders that open a listener for a backdoor or malware, or to receive commands from outside.
Checking with netstat:
netstat -tulpn
netstat -anp | grep <ip>
Checking with ss:
ss -tulpn
Checking with nmap:
nmap -sT -O localhost
Identify which service a port number is registered for:
grep <port> /etc/services
Information about a port with lsof:
lsof -i | grep <port>
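A way to turn the `ss -tulpn` check above into a repeatable audit, written as an added shell example (not from the original page): it lists every socket bound to a non-loopback address and flags those not on an allowlist of expected "proto:port" pairs. The `ss` output below is a constructed sample; on a live system feed it the real output.

```shell
# Constructed sample of `ss -tulpn` output. It includes an unexpected listener on 4444.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.2.1:53        0.0.0.0:*         users:(("dnscrypt-proxy",pid=412,fd=7))
tcp   LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*         users:(("sshd",pid=820,fd=3))
tcp   LISTEN 0      511    *:80                *:*               users:(("apache2",pid=901,fd=4))
tcp   LISTEN 0      5      0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=1337,fd=3))
tcp   LISTEN 0      128    [::]:2222           [::]:*            users:(("sshd",pid=820,fd=4))'

# Print "proto port process" for every socket bound to a non-loopback address.
# $1: ss -tulpn output. Loopback-only listeners (127.x, ::1) are skipped.
exposed_listeners() {
  printf '%s\n' "$1" | awk 'NR > 1 {
    n = split($5, a, ":"); port = a[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    if (addr ~ /^(127\.|\[::1\]|::1)/) next
    proc = "-"
    if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
    print $1, port, proc
  }'
}

# Compare exposed listeners against an allowlist. Prints each unexpected listener
# and returns their count (0 means nothing unexpected is listening).
# $1: ss -tulpn output; $2: space-separated allowlist such as "tcp:2222 tcp:80".
unexpected_listeners() {
  count=0
  for entry in $(exposed_listeners "$1" | awk '{ print $1 ":" $2 ":" $3 }'); do
    key=${entry%:*}          # strip the process name, keep proto:port
    case " $2 " in
      *" $key "*) ;;
      *) echo "UNEXPECTED: $entry"; count=$((count + 1)) ;;
    esac
  done
  return "$count"
}
```

On a live system: `unexpected_listeners "$(ss -tulpn)" "tcp:2222 tcp:80"`.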