Linux Hardening (SEC 300) - Chromosom3/TechNotes GitHub Wiki
Linux Hardening
Sudo
Note: To edit the sudoers file you must use visudo, which locks the file and checks its syntax before saving.
Mail Badpass:
mail_badpass sends an email when an incorrect sudo password is entered. Whether you enable it depends on your risk tolerance; a failed sudo password is logged either way.
Secure Path
secure_path restricts where sudo looks for the commands it runs. If a directory is not in secure_path, the user cannot run a command located there.
Insults:
insults is a joke option for sudo. If a user enters an incorrect password, sudo prints whatever insult message you specify.
Host Alias:
Host_Alias groups the hosts in the organization (by FQDN, IP, or subnet) on which a sudo rule applies. You can use it to maintain one sudoers file and push it to all systems on the network.
User Alias:
User_Alias groups users for sudo permissions. You can assign multiple users to one alias, somewhat like a group. This is useful in organizations with dozens of users, where you want to identify the specific users who may perform specific commands on the system.
Command Alias:
Cmnd_Alias lists the commands that may be run, stored under one name. Format: VAR = COMMAND, OTHER COMMAND, !COMMAND_NOT_ALLOWED
Assigning Permissions to Users and Groups:
%GROUP HOST_ALIAS = (RUNAS_USER:RUNAS_GROUP) COMMAND
%sudo ALL=(ALL:ALL) ALL
USER_ALIAS HOST_ALIAS = NOPASSWD: CMND_ALIAS
WEBADMIN OTHER = NOPASSWD: APACHE
WEBADMIN SYSTEM = PASSCHANGE
Example Config:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
User_Alias MAILADMIN = joe, linda
User_Alias MAILADMIN2 = linda
User_Alias WEBADMIN = joe
User_Alias POWERUSER = tracy
# Cmnd alias specification
Cmnd_Alias MANAGEMAIL = /bin/systemctl restart postfix
Cmnd_Alias MANAGEMAIL2 = /bin/systemctl stop postfix, /bin/systemctl start postfix
Cmnd_Alias MANAGEWEB = /bin/systemctl restart apache2, /bin/systemctl stop apache2, /bin/systemctl start apache2
Cmnd_Alias WEBSOCKETS = /usr/bin/lsof -i -n, /bin/netstat -pan
Cmnd_Alias PASSCHANGE = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
Cmnd_Alias MODIFYUSERS = /usr/bin/chage, /usr/sbin/useradd
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
MAILADMIN ALL = MANAGEMAIL
MAILADMIN2 ALL = MANAGEMAIL2
WEBADMIN ALL = MANAGEWEB
POWERUSER ALL = PASSCHANGE, MODIFYUSERS
#includedir /etc/sudoers.d
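As an added example (not from the wiki), the WEBADMIN/MANAGEWEB rule from the config above placed in its own file under /etc/sudoers.d, the directory the "#includedir" line pulls in, and syntax-checked with visudo before it is installed. The file name 10-webadmin and the staging path are assumptions.

```shell
#!/bin/bash
# Added example (not from the wiki): install one sudoers fragment safely.
# A syntax error in any sudoers file makes sudo refuse to run at all, so the
# fragment is checked with visudo -c before it reaches /etc/sudoers.d.
set -eu

# The fragment text. Files in sudoers.d must not contain '.' or '~' in their
# name or sudo silently skips them.
webadmin_fragment() {
    cat <<'EOF'
# Web administrators may only restart, stop or start apache2
User_Alias WEBADMIN = joe
Cmnd_Alias MANAGEWEB = /bin/systemctl restart apache2, /bin/systemctl stop apache2, /bin/systemctl start apache2
WEBADMIN ALL = MANAGEWEB
EOF
}

# Write the fragment with the 0440 mode sudo requires for sudoers files.
write_fragment() {                      # $1 = destination path
    webadmin_fragment > "$1"
    chmod 0440 "$1"
}

# visudo -c parses the file given with -f without editing it; a non-zero exit
# means a syntax error.
check_fragment() {                      # $1 = path to check
    visudo -cf "$1"
}

# Stage, check, then install atomically with root ownership. Run as root.
install_fragment() {
    staging=$(mktemp)
    write_fragment "$staging"
    check_fragment "$staging"          # set -e aborts here on a bad fragment
    install -o root -g root -m 0440 "$staging" /etc/sudoers.d/10-webadmin
    rm -f "$staging"
}
```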
Firewall
Uncomplicated Firewall
These notes are based on ufw (Uncomplicated Firewall). To install ufw simply run sudo apt install ufw -y. ufw helps you manage iptables rules; iptables is the default firewall on Linux systems.
Commands:
ufw status
- Checks the status of ufw.
ufw default deny incoming
- Sets the default rule to deny all incoming traffic.
ufw default allow outgoing
- Sets the default rule to allow all outgoing traffic.
ufw allow 22
- Allows SSH.
ufw enable
- Starts firewall and enables on system startup.
ufw deny from IP
- Blocks certain IP from connecting.
Fail2Ban
Fail2ban bans IP addresses that repeatedly fail to authenticate to SSH. It can be installed with sudo apt install fail2ban -y.
Configuration:
The Fail2ban configuration file is located at /etc/fail2ban/jail.conf. However, you should not edit that file! Put your customizations in a jail.local file or in jail.d/customisation.local; settings there override jail.conf. On Debian systems you can also edit /etc/fail2ban/jail.d/defaults-debian.conf. The default file already contains a lot of configuration.
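As an added example (not from the wiki), a jail.local override that turns on the sshd jail with explicit thresholds while leaving jail.conf untouched. The thresholds and the 10.0.0.0/24 management subnet are assumed values.

```shell
#!/bin/bash
# Added example (not from the wiki): write the sshd jail override.
# jail.local is read after jail.conf, so only the keys set here change;
# everything else keeps the distribution defaults.
set -eu

sshd_jail_local() {
    cat <<'EOF'
[DEFAULT]
# Never ban localhost or the (assumed) management network.
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/24
# 5 failed logins within 10 minutes bans the source for 1 hour.
findtime = 10m
maxretry = 5
bantime  = 1h

[sshd]
enabled = true
port    = ssh
EOF
}

# Write the override to the given path (normally /etc/fail2ban/jail.local).
write_sshd_jail() {                     # $1 = destination path
    sshd_jail_local > "$1"
}

# fail2ban-client -t parses the whole configuration without starting the
# service; run it as root after writing, before "systemctl reload fail2ban".
check_fail2ban_config() {
    fail2ban-client -t
}
```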
Checking The System:
The following command searches the /etc/shadow file for any user that does not have a password set. The /etc/shadow file contains all users and their password hashes; only root can read and edit it, so run the command as root. It should return no results. Any user it returns has no password and can log on without one, which may mean your system has been compromised.
awk -F: '( $2 == "" ) { print }' /etc/shadow
The following command searches the /etc/passwd file for any user with a user ID of 0. The third field of /etc/passwd is the UID, and UID 0 is root. Only root should be returned! If anything other than root is returned it may mean your system has been compromised.
awk -F: '( $3 == "0" ) { print }' /etc/passwd
The following command lists the enabled services on the machine. It is for Debian-based systems as it uses systemctl. For Red Hat/CentOS use the chkconfig command. You should review these services and disable anything that should not be running. (Filtering with --state=enabled rather than grep avoids matching the "enabled" vendor-preset column of units that are actually disabled.)
systemctl list-unit-files --type=service --state=enabled
The following command lists listening sockets. Some programs may hide themselves from netstat and similar tools; ss queries the kernel at a lower level and can find these programs.
ss -tulpn
The following shows the open ports, files, and devices associated with a process. Useful for a forensic analyst.
lsof -i -n
or specify pid
lsof -p PID -n
Example Security Check file (run as root so /etc/shadow is readable):
#!/bin/bash
echo "Checking for users with no password, should return nothing."
awk -F: '( $2 == "" ) { print }' /etc/shadow
echo "Checking for users with uid of 0, should only return root."
awk -F: '( $3 == "0" ) { print }' /etc/passwd
echo "Checking enabled services."
systemctl list-unit-files --type=service --state=enabled
echo "Open Network Sockets:"
ss -tulpn
echo "Listing files opened by processes."
lsof -i -n
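As an added example (not part of the wiki), the two account checks above rewritten as functions that return a non-zero status when they find something, so the script can run unattended from cron. The passwd and shadow lines are constructed sample data; on a real host pass /etc/passwd and /etc/shadow as root.

```shell
#!/bin/bash
# Added example (not from the wiki): account audit with an exit status.
set -u

# Accounts whose password field is empty: anyone can log in without a password.
# "!" and "*" in that field mean the account is locked, which is fine.
nopass_users() {                       # $1 = shadow-format file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with UID 0 other than root: every one of these is a second root.
extra_uid0_users() {                   # $1 = passwd-format file
    awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$1"
}

# Run both checks; return 1 if either produced a finding.
audit_accounts() {                     # $1 = passwd file, $2 = shadow file
    rc=0
    found=$(extra_uid0_users "$1")
    if [ -n "$found" ]; then echo "UID 0 accounts besides root: $found"; rc=1; fi
    found=$(nopass_users "$2")
    if [ -n "$found" ]; then echo "accounts with empty password: $found"; rc=1; fi
    return $rc
}

# Constructed sample data (not from a real system) so the functions can be
# tried offline: "backdoor" has UID 0 and "guest" has an empty password.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
joe:x:1000:1000:joe:/home/joe:/bin/bash
backdoor:x:0:0::/root:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructedhash:19000:0:99999:7:::
joe:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

# Reports both findings and exits 1; swap in /etc/passwd and /etc/shadow on a host.
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "audit status: $?"
```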
Logwatch:
Logwatch monitors the system log files and emails the administrator a breakdown of them. Logwatch can be configured to send reports on a set schedule and with a chosen level of detail. To configure Logwatch, edit /usr/share/logwatch/default.conf/logwatch.conf.
Install Process:
First run the command: sudo apt install logwatch -y
Keep the default Postfix settings except for selecting Satellite system, then specify the address dime.champlain.edu.
If you mess up, run sudo apt purge logwatch postfix and start again.