Setting up a secure Linux server
Home Sweet Home
Not all distributions tighten up your home directories by default. Assume my user name is lionel, and I don't want Luis or Neymar to see the files in my home directory. It's easy to keep other users out of my home directory by running the following command as root:
# chmod -R 750 /home/lionel
If you're keen to stop all home directories being accessed by others, simply replace lionel with an asterisk.
Hey, Mr. Postman
The next step is to set up the logwatch tool [1] and configure it to send you a daily digest of any important events found in your system logs. Bear in mind that, when you're finished with these simple steps, you'll also have a fully functional SMTP server. Clearly, I'm zooming through these commands for brevity; I encourage you to take a closer look if you're not sure what you're doing.
Straight out of the box, the Postfix mail server will be fully functioning. Choose Internet Site and add your full hostname (including FQDN) during the configuration process. With a quick shuffle, you can then change the old-school, Sendmail-style /etc/aliases file so that your personal address receives your root user email.
Install Postfix as follows:
# apt-get install postfix
Edit the aliases file and add your external address so you receive the root user's mail:
# pico -w /etc/aliases
Make sure the line starting root: looks similar to the following:
root: chris@binnie.tld
Update the aliases DB file by executing the Postfix newaliases command:
# newaliases
Finally, install the Logwatch package; even as a fresh install it's fabulously functional:
# apt-get install logwatch
The easiest way to execute Logwatch is to set up a cron job that runs at the default cron.daily predefined time, which is 06:25hr on my Jessie 8.1 build. Adjust the time in the /etc/crontab file or move the /etc/cron.daily/00logwatch file somewhere else and execute it specifically at another time from within the /etc/crontab file.
Next up run Logwatch and then check your inbox:
# /etc/cron.daily/00logwatch
The results are mind-blowingly useful. For more on monitoring your logs with logwatch, see the article at the ADMIN Magazine website [2].
Logwatch provides invaluable information about your system (including disk space usage, logins over SSH, new users/groups, service restarts, and unusual log entries). Additionally, you receive a list of the packages that you've installed following the completion of your minimal install.
The packages are also conveniently separated into Installed, Upgraded, and Removed sections. I find these lists are an excellent point for future reference, archived in my email with the subject line "Logwatch for <hostname> (Linux)."
If you ever encounter discrepancies between two servers due to package version or functionality, it is a two-second lookup to scan over how they were built. If you don't want root to directly receive mail via your aliases file, you can add MailTo = followed by an email address in the config file /etc/logwatch/conf/logwatch.conf. You might need to create this file if it doesn't already exist.
I would be remiss not to mention the task of securing of your shiny new SMTP server further. Even if relaying is switched off by default, you still need to take some steps to secure your mail server. The Ask Ubuntu site has a useful post on securing a Postfix mail server [3].
Passwords
If I am expecting a few different (non-sys admin users) to be logging into this box, I should also consider password security. If you have ever stumbled across a list of common passwords, you'll know why admins are very concerned about letting everyday users have access to server systems [4].
The quality of the typical user password is not good news if you haven't locked down access to your server by IP address or some other alternative method.
Without these precautions you are definitely vulnerable to automated dictionary attacks. Thankfully, you can strengthen your password rules on Linux with a sophisticated package called libpam-cracklib.
The following configuration works on my Debian "Wheezy" system. Install libpam-cracklib with:
# apt-get install libpam-cracklib
Then, edit the following file:
# pico -w /etc/pam.d/common-password
Adjust the following command with the necessary settings (comment out the old config line rather than deleting it so you can revert if necessary):
password requisite pam_cracklib.so retry=2 minlen=10 difok=6 dcredit=2 ocredit=2
This hardened configuration means a user is only permitted two password error retries and demands at least 10 characters for a password.
My favorite setting (to annoy colleagues) is difok=6, which means only six characters of the last password can be reused and the last two entries must be a minimum of two numbers and two symbols (or "special characters") present within the password. To activate these settings, on Wheezy at least, you can run the following command:
# pam-auth-update
Try a few tests – carefully, so you can still log back in. For troubleshooting, you might want to check whether UsePAM yes is present in the file /etc/ssh/sshd_config file. Restart the OpenSSH server with systemctl restart ssh if you change the configuration.
Table 1 shows some of the excellent options for enforcing stricter passwords from the pam_cracklib manual, which covers libpam-cracklib. Experiment with these settings to your heart's content.
Table 1
Cracklib Password Enforcement Options
| Option | Description |
|---|---|
| retry=N |
Prompt user at most N times before returning with error. The default is 1. |
| difok=N |
This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password. |
| minlen=N |
The minimum acceptable size for the new password (+1 if credits are not disabled as per the default). More detail for this option is available in the manual. |
| dcredit=N |
(N >= 0) The maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be met for a new password. |
| ucredit=N |
(N >= 0) The maximum credit for having upper case letters in the new password. If you have less than or N uppercase letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of uppercase letters that must be met for a new password. |
| lcredit=N |
(N >= 0) The maximum credit for having lowercase letters in the new password. If you have less than or N lowercase letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10 (N < 0) This is the minimum number of lowercase letters that must be met for a new password. |
| ocredit=N |
(N >= 0) The maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be met for a new password. |
| minclass=N |
The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the credit check is that a specific class if of characters is not required. Instead N out of four of the classes are required. |
| maxrepeat=N |
Reject passwords that contain more than N same consecutive characters. The default is 0, which means that this check is disabled. |
| maxsequence=N |
Reject passwords that contain monotonic character sequences longer than N. The default is 0, which means that this check is disabled. Examples of such sequence are "12345" or "fedcb". Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password. |
| maxclassrepeat=N |
Reject passwords that contain more than N consecutive characters of the same class. The default is 0, which means that this check is disabled. |
| reject_username |
Check whether the name of the user in straight or reversed form is contained in the new password. If so, the new password is rejected. |
| gecoscheck |
Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password. If any such word is found, the new password is rejected. |
| enforce_for_root |
An "error" or "failed check" message prevents the root user from changing the password. This option is off by default, which means that the message about the failed check is printed, but root can change the password anyway. |
| use_authtok |
This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module. |
If you want to flex your Cracklib muscles, you could also go one step further and introduce your own dictionaries for Cracklib to check against. Look online for an old but nicely-written piece on using Cracklib with Django [5].
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
elementary OS 7.1 Now Available for Download
The team behind elementary OS has released the latest version of its operating system with a focus on personalization, inclusivity, accessibility, and privacy.
-
The GNU Project Celebrates Its 40th Birthday
September 27 marks the 40th anniversary of the GNU Project, and it was celebrated with a hacker meeting in Biel/Bienne, Switzerland.
-
Linux Kernel Reducing Long-Term Support
LTS support for the Linux kernel is about to undergo some serious changes that will have a considerable impact on the future.
-
Fedora 39 Beta Now Available for Testing
For fans and users of Fedora Linux, the first beta of release 39 is now available, which is a minor upgrade but does include GNOME 45.
-
Fedora Linux 40 to Drop X11 for KDE Plasma
When Fedora 40 arrives in 2024, there will be a few big changes coming, especially for the KDE Plasma option.
-
Real-Time Ubuntu Available in AWS Marketplace
Anyone looking for a Linux distribution for real-time processing could do a whole lot worse than Real-Time Ubuntu.
-
KSMBD Finally Reaches a Stable State
For those who've been looking forward to the first release of KSMBD, after two years it's no longer considered experimental.
-
Nitrux 3.0.0 Has Been Released
The latest version of Nitrux brings plenty of innovation and fresh apps to the table.
-
Linux From Scratch 12.0 Now Available
If you're looking to roll your own Linux distribution, the latest version of Linux From Scratch is now available with plenty of updates.
-
Linux Kernel 6.5 Has Been Released
The newest Linux kernel, version 6.5, now includes initial support for two very exciting features.