Setting up a secure Linux server
Home Sweet Home
Not all distributions tighten up your home directories by default. Assume my user name is lionel, and I don't want Luis or Neymar to see the files in my home directory. It's easy to keep other users out of my home directory by running the following command as root:
# chmod -R 750 /home/lionel
If you're keen to stop all home directories being accessed by others, simply replace lionel with an asterisk.
Hey, Mr. Postman
The next step is to set up the logwatch tool [1] and configure it to send you a daily digest of any important events found in your system logs. Bear in mind that, when you're finished with these simple steps, you'll also have a fully functional SMTP server. Clearly, I'm zooming through these commands for brevity; I encourage you to take a closer look if you're not sure what you're doing.
Straight out of the box, the Postfix mail server will be fully functioning. Choose Internet Site and add your full hostname (including FQDN) during the configuration process. With a quick shuffle, you can then change the old-school, Sendmail-style /etc/aliases file so that your personal address receives your root user email.
Install Postfix as follows:
# apt-get install postfix
Edit the aliases file and add your external address so you receive the root user's mail:
# pico -w /etc/aliases
Make sure the line starting root: looks similar to the following:
root: chris@binnie.tld
Update the aliases DB file by executing the Postfix newaliases command:
# newaliases
Finally, install the Logwatch package; even as a fresh install it's fabulously functional:
# apt-get install logwatch
The easiest way to execute Logwatch is to set up a cron job that runs at the default cron.daily predefined time, which is 06:25hr on my Jessie 8.1 build. Adjust the time in the /etc/crontab file or move the /etc/cron.daily/00logwatch file somewhere else and execute it specifically at another time from within the /etc/crontab file.
Next up run Logwatch and then check your inbox:
# /etc/cron.daily/00logwatch
The results are mind-blowingly useful. For more on monitoring your logs with logwatch, see the article at the ADMIN Magazine website [2].
Logwatch provides invaluable information about your system (including disk space usage, logins over SSH, new users/groups, service restarts, and unusual log entries). Additionally, you receive a list of the packages that you've installed following the completion of your minimal install.
The packages are also conveniently separated into Installed, Upgraded, and Removed sections. I find these lists are an excellent point for future reference, archived in my email with the subject line "Logwatch for <hostname> (Linux)."
If you ever encounter discrepancies between two servers due to package version or functionality, it is a two-second lookup to scan over how they were built. If you don't want root to directly receive mail via your aliases file, you can add MailTo = followed by an email address in the config file /etc/logwatch/conf/logwatch.conf. You might need to create this file if it doesn't already exist.
I would be remiss not to mention the task of securing of your shiny new SMTP server further. Even if relaying is switched off by default, you still need to take some steps to secure your mail server. The Ask Ubuntu site has a useful post on securing a Postfix mail server [3].
Passwords
If I am expecting a few different (non-sys admin users) to be logging into this box, I should also consider password security. If you have ever stumbled across a list of common passwords, you'll know why admins are very concerned about letting everyday users have access to server systems [4].
The quality of the typical user password is not good news if you haven't locked down access to your server by IP address or some other alternative method.
Without these precautions you are definitely vulnerable to automated dictionary attacks. Thankfully, you can strengthen your password rules on Linux with a sophisticated package called libpam-cracklib.
The following configuration works on my Debian "Wheezy" system. Install libpam-cracklib with:
# apt-get install libpam-cracklib
Then, edit the following file:
# pico -w /etc/pam.d/common-password
Adjust the following command with the necessary settings (comment out the old config line rather than deleting it so you can revert if necessary):
password requisite pam_cracklib.so retry=2 minlen=10 difok=6 dcredit=2 ocredit=2
This hardened configuration means a user is only permitted two password error retries and demands at least 10 characters for a password.
My favorite setting (to annoy colleagues) is difok=6, which means only six characters of the last password can be reused and the last two entries must be a minimum of two numbers and two symbols (or "special characters") present within the password. To activate these settings, on Wheezy at least, you can run the following command:
# pam-auth-update
Try a few tests – carefully, so you can still log back in. For troubleshooting, you might want to check whether UsePAM yes is present in the file /etc/ssh/sshd_config file. Restart the OpenSSH server with systemctl restart ssh if you change the configuration.
Table 1 shows some of the excellent options for enforcing stricter passwords from the pam_cracklib manual, which covers libpam-cracklib. Experiment with these settings to your heart's content.
Table 1
Cracklib Password Enforcement Options
| Option | Description |
|---|---|
| retry=N |
Prompt user at most N times before returning with error. The default is 1. |
| difok=N |
This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password. |
| minlen=N |
The minimum acceptable size for the new password (+1 if credits are not disabled as per the default). More detail for this option is available in the manual. |
| dcredit=N |
(N >= 0) The maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be met for a new password. |
| ucredit=N |
(N >= 0) The maximum credit for having upper case letters in the new password. If you have less than or N uppercase letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of uppercase letters that must be met for a new password. |
| lcredit=N |
(N >= 0) The maximum credit for having lowercase letters in the new password. If you have less than or N lowercase letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10 (N < 0) This is the minimum number of lowercase letters that must be met for a new password. |
| ocredit=N |
(N >= 0) The maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be met for a new password. |
| minclass=N |
The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the credit check is that a specific class if of characters is not required. Instead N out of four of the classes are required. |
| maxrepeat=N |
Reject passwords that contain more than N same consecutive characters. The default is 0, which means that this check is disabled. |
| maxsequence=N |
Reject passwords that contain monotonic character sequences longer than N. The default is 0, which means that this check is disabled. Examples of such sequence are "12345" or "fedcb". Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password. |
| maxclassrepeat=N |
Reject passwords that contain more than N consecutive characters of the same class. The default is 0, which means that this check is disabled. |
| reject_username |
Check whether the name of the user in straight or reversed form is contained in the new password. If so, the new password is rejected. |
| gecoscheck |
Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password. If any such word is found, the new password is rejected. |
| enforce_for_root |
An "error" or "failed check" message prevents the root user from changing the password. This option is off by default, which means that the message about the failed check is printed, but root can change the password anyway. |
| use_authtok |
This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module. |
If you want to flex your Cracklib muscles, you could also go one step further and introduce your own dictionaries for Cracklib to check against. Look online for an old but nicely-written piece on using Cracklib with Django [5].
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
Zorin OS 17 Beta Available for Testing
The upcoming version of Zorin OS includes plenty of improvements to take your PC to a whole new level of user-friendliness.
-
Red Hat Migrates RHEL from Xorg to Wayland
If you've been wondering when Xorg will finally be a thing of the past, wonder no more, as Red Hat has made it clear.
-
PipeWire 1.0 Officially Released
PipeWire was created to take the place of the oft-troubled PulseAudio and has finally reached the 1.0 status as a major update with plenty of improvements and the usual bug fixes.
-
Rocky Linux 9.3 Available for Download
The latest version of the RHEL alternative is now available and brings back cloud and container images for ppc64le along with plenty of new features and fixes.
-
Ubuntu Budgie Shifts How to Tackle Wayland
Ubuntu Budgie has yet to make the switch to Wayland but with a change in approaches, they're finally on track to making it happen.
-
TUXEDO's New Ultraportable Linux Workstation Released
The TUXEDO Pulse 14 blends portability with power, thanks to the AMD Ryzen 7 7840HS CPU.
-
AlmaLinux Will No Longer Be "Just Another RHEL Clone"
With the release of AlmaLinux 9.3, the distribution will be built entirely from upstream sources.
-
elementary OS 8 Has a Big Surprise in Store
When elementary OS 8 finally arrives, it will not only be based on Ubuntu 24.04 but it will also default to Wayland for better performance and security.
-
OpenELA Releases Enterprise Linux Source Code
With Red Hat restricting the source for RHEL, it was only a matter of time before those who depended on that source struck out on their own.
-
StripedFly Malware Hiding in Plain Sight as a Cryptocurrency Miner
A rather deceptive piece of malware has infected 1 million Windows and Linux hosts since 2017.