Setting up a secure Linux server

Home Sweet Home

Not all distributions tighten up your home directories by default. Assume my user name is lionel, and I don't want Luis or Neymar to see the files in my home directory. It's easy to keep other users out of my home directory by running the following command as root:

# chmod -R 750 /home/lionel

If you're keen to stop all home directories being accessed by others, simply replace lionel with an asterisk.

Hey, Mr. Postman

The next step is to set up the logwatch tool [1] and configure it to send you a daily digest of any important events found in your system logs. Bear in mind that, when you're finished with these simple steps, you'll also have a fully functional SMTP server. Clearly, I'm zooming through these commands for brevity; I encourage you to take a closer look if you're not sure what you're doing.

Straight out of the box, the Postfix mail server will be fully functioning. Choose Internet Site and add your full hostname (including FQDN) during the configuration process. With a quick shuffle, you can then change the old-school, Sendmail-style /etc/aliases file so that your personal address receives your root user email.

Install Postfix as follows:

# apt-get install postfix

Edit the aliases file and add your external address so you receive the root user's mail:

# pico -w /etc/aliases

Make sure the line starting root: looks similar to the following:

root: chris@binnie.tld

Update the aliases DB file by executing the Postfix newaliases command:

# newaliases

Finally, install the Logwatch package; even as a fresh install it's fabulously functional:

# apt-get install logwatch

The easiest way to execute Logwatch is to set up a cron job that runs at the default cron.daily predefined time, which is 06:25hr on my Jessie 8.1 build. Adjust the time in the /etc/crontab file or move the /etc/cron.daily/00logwatch file somewhere else and execute it specifically at another time from within the /etc/crontab file.

Next up run Logwatch and then check your inbox:

# /etc/cron.daily/00logwatch

The results are mind-blowingly useful. For more on monitoring your logs with logwatch, see the article at the ADMIN Magazine website [2].

Logwatch provides invaluable information about your system (including disk space usage, logins over SSH, new users/groups, service restarts, and unusual log entries). Additionally, you receive a list of the packages that you've installed following the completion of your minimal install.

The packages are also conveniently separated into Installed, Upgraded, and Removed sections. I find these lists are an excellent point for future reference, archived in my email with the subject line "Logwatch for <hostname> (Linux)."

If you ever encounter discrepancies between two servers due to package version or functionality, it is a two-second lookup to scan over how they were built. If you don't want root to directly receive mail via your aliases file, you can add MailTo = followed by an email address in the config file /etc/logwatch/conf/logwatch.conf. You might need to create this file if it doesn't already exist.

I would be remiss not to mention the task of securing of your shiny new SMTP server further. Even if relaying is switched off by default, you still need to take some steps to secure your mail server. The Ask Ubuntu site has a useful post on securing a Postfix mail server [3].

Passwords

If I am expecting a few different (non-sys admin users) to be logging into this box, I should also consider password security. If you have ever stumbled across a list of common passwords, you'll know why admins are very concerned about letting everyday users have access to server systems [4].

The quality of the typical user password is not good news if you haven't locked down access to your server by IP address or some other alternative method.

Without these precautions you are definitely vulnerable to automated dictionary attacks. Thankfully, you can strengthen your password rules on Linux with a sophisticated package called libpam-cracklib.

The following configuration works on my Debian "Wheezy" system. Install libpam-cracklib with:

# apt-get install libpam-cracklib

Then, edit the following file:

# pico -w /etc/pam.d/common-password

Adjust the following command with the necessary settings (comment out the old config line rather than deleting it so you can revert if necessary):

password requisite pam_cracklib.so retry=2 minlen=10 difok=6 dcredit=2 ocredit=2

This hardened configuration means a user is only permitted two password error retries and demands at least 10 characters for a password.

My favorite setting (to annoy colleagues) is difok=6, which means only six characters of the last password can be reused and the last two entries must be a minimum of two numbers and two symbols (or "special characters") present within the password. To activate these settings, on Wheezy at least, you can run the following command:

# pam-auth-update

Try a few tests – carefully, so you can still log back in. For troubleshooting, you might want to check whether UsePAM yes is present in the file /etc/ssh/sshd_config file. Restart the OpenSSH server with systemctl restart ssh if you change the configuration.

Table 1 shows some of the excellent options for enforcing stricter passwords from the pam_cracklib manual, which covers libpam-cracklib. Experiment with these settings to your heart's content.

Table 1

Cracklib Password Enforcement Options

Option

Description

retry=N

Prompt user at most N times before returning with error. The default is 1.

difok=N

This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password.

minlen=N

The minimum acceptable size for the new password (+1 if credits are not disabled as per the default). More detail for this option is available in the manual.

dcredit=N

(N >= 0) The maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be met for a new password.

ucredit=N

(N >= 0) The maximum credit for having upper case letters in the new password. If you have less than or N uppercase letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of uppercase letters that must be met for a new password.

lcredit=N

(N >= 0) The maximum credit for having lowercase letters in the new password. If you have less than or N lowercase letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10 (N < 0) This is the minimum number of lowercase letters that must be met for a new password.

ocredit=N

(N >= 0) The maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be met for a new password.

minclass=N

The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the credit check is that a specific class if of characters is not required. Instead N out of four of the classes are required.

maxrepeat=N

Reject passwords that contain more than N same consecutive characters. The default is 0, which means that this check is disabled.

maxsequence=N

Reject passwords that contain monotonic character sequences longer than N. The default is 0, which means that this check is disabled. Examples of such sequence are "12345" or "fedcb". Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password.

maxclassrepeat=N

Reject passwords that contain more than N consecutive characters of the same class. The default is 0, which means that this check is disabled.

reject_username

Check whether the name of the user in straight or reversed form is contained in the new password. If so, the new password is rejected.

gecoscheck

Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password. If any such word is found, the new password is rejected.

enforce_for_root

An "error" or "failed check" message prevents the root user from changing the password. This option is off by default, which means that the message about the failed check is printed, but root can change the password anyway.

use_authtok

This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module.

If you want to flex your Cracklib muscles, you could also go one step further and introduce your own dictionaries for Cracklib to check against. Look online for an old but nicely-written piece on using Cracklib with Django [5].

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Command Line: More Secure Passwords

    Even with encrypted drives, account passwords remain one of the prime security methods for any Linux system. With a little knowledge of the available commands and their options, you can make your account passwords more secure.

  • Password Tools

    Create secure passwords with the help of a password generator and check for quality at the same time.

  • Five lean tools for monitoring logfiles

    Anyone wanting to monitor logfiles could use one of the big dogs like Nagios or Icinga. However, lightweight alternatives can also sniff out threats and take much less time to set up. We put five of these little guard dogs to the test.

  • Security in Linux

    Linux is a very secure system, but it still pays to be cautious.

  • One-Time Passwords

    A one-time password won't compromise security if it falls in the wrong hands. OPIE and OTPW bring the safety of one-time password security to Linux.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News