Setting up a secure Linux server
Home Sweet Home
Not all distributions tighten up your home directories by default. Assume my user name is lionel, and I don't want Luis or Neymar to see the files in my home directory. It's easy to keep other users out of my home directory by running the following command as root:
# chmod -R 750 /home/lionel
If you're keen to stop all home directories being accessed by others, simply replace lionel with an asterisk.
Hey, Mr. Postman
The next step is to set up the logwatch tool [1] and configure it to send you a daily digest of any important events found in your system logs. Bear in mind that, when you're finished with these simple steps, you'll also have a fully functional SMTP server. Clearly, I'm zooming through these commands for brevity; I encourage you to take a closer look if you're not sure what you're doing.
Straight out of the box, the Postfix mail server will be fully functioning. Choose Internet Site and add your full hostname (including FQDN) during the configuration process. With a quick shuffle, you can then change the old-school, Sendmail-style /etc/aliases file so that your personal address receives your root user email.
Install Postfix as follows:
# apt-get install postfix
Edit the aliases file and add your external address so you receive the root user's mail:
# pico -w /etc/aliases
Make sure the line starting root: looks similar to the following:
root: chris@binnie.tld
Update the aliases DB file by executing the Postfix newaliases command:
# newaliases
Finally, install the Logwatch package; even as a fresh install it's fabulously functional:
# apt-get install logwatch
The easiest way to execute Logwatch is to set up a cron job that runs at the default cron.daily predefined time, which is 06:25hr on my Jessie 8.1 build. Adjust the time in the /etc/crontab file or move the /etc/cron.daily/00logwatch file somewhere else and execute it specifically at another time from within the /etc/crontab file.
Next up run Logwatch and then check your inbox:
# /etc/cron.daily/00logwatch
The results are mind-blowingly useful. For more on monitoring your logs with logwatch, see the article at the ADMIN Magazine website [2].
Logwatch provides invaluable information about your system (including disk space usage, logins over SSH, new users/groups, service restarts, and unusual log entries). Additionally, you receive a list of the packages that you've installed following the completion of your minimal install.
The packages are also conveniently separated into Installed, Upgraded, and Removed sections. I find these lists are an excellent point for future reference, archived in my email with the subject line "Logwatch for <hostname> (Linux)."
If you ever encounter discrepancies between two servers due to package version or functionality, it is a two-second lookup to scan over how they were built. If you don't want root to directly receive mail via your aliases file, you can add MailTo = followed by an email address in the config file /etc/logwatch/conf/logwatch.conf. You might need to create this file if it doesn't already exist.
I would be remiss not to mention the task of securing of your shiny new SMTP server further. Even if relaying is switched off by default, you still need to take some steps to secure your mail server. The Ask Ubuntu site has a useful post on securing a Postfix mail server [3].
Passwords
If I am expecting a few different (non-sys admin users) to be logging into this box, I should also consider password security. If you have ever stumbled across a list of common passwords, you'll know why admins are very concerned about letting everyday users have access to server systems [4].
The quality of the typical user password is not good news if you haven't locked down access to your server by IP address or some other alternative method.
Without these precautions you are definitely vulnerable to automated dictionary attacks. Thankfully, you can strengthen your password rules on Linux with a sophisticated package called libpam-cracklib.
The following configuration works on my Debian "Wheezy" system. Install libpam-cracklib with:
# apt-get install libpam-cracklib
Then, edit the following file:
# pico -w /etc/pam.d/common-password
Adjust the following command with the necessary settings (comment out the old config line rather than deleting it so you can revert if necessary):
password requisite pam_cracklib.so retry=2 minlen=10 difok=6 dcredit=2 ocredit=2
This hardened configuration means a user is only permitted two password error retries and demands at least 10 characters for a password.
My favorite setting (to annoy colleagues) is difok=6, which means only six characters of the last password can be reused and the last two entries must be a minimum of two numbers and two symbols (or "special characters") present within the password. To activate these settings, on Wheezy at least, you can run the following command:
# pam-auth-update
Try a few tests – carefully, so you can still log back in. For troubleshooting, you might want to check whether UsePAM yes is present in the file /etc/ssh/sshd_config file. Restart the OpenSSH server with systemctl restart ssh if you change the configuration.
Table 1 shows some of the excellent options for enforcing stricter passwords from the pam_cracklib manual, which covers libpam-cracklib. Experiment with these settings to your heart's content.
Table 1
Cracklib Password Enforcement Options
| Option | Description |
|---|---|
| retry=N |
Prompt user at most N times before returning with error. The default is 1. |
| difok=N |
This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password. |
| minlen=N |
The minimum acceptable size for the new password (+1 if credits are not disabled as per the default). More detail for this option is available in the manual. |
| dcredit=N |
(N >= 0) The maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be met for a new password. |
| ucredit=N |
(N >= 0) The maximum credit for having upper case letters in the new password. If you have less than or N uppercase letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of uppercase letters that must be met for a new password. |
| lcredit=N |
(N >= 0) The maximum credit for having lowercase letters in the new password. If you have less than or N lowercase letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10 (N < 0) This is the minimum number of lowercase letters that must be met for a new password. |
| ocredit=N |
(N >= 0) The maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be met for a new password. |
| minclass=N |
The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the credit check is that a specific class if of characters is not required. Instead N out of four of the classes are required. |
| maxrepeat=N |
Reject passwords that contain more than N same consecutive characters. The default is 0, which means that this check is disabled. |
| maxsequence=N |
Reject passwords that contain monotonic character sequences longer than N. The default is 0, which means that this check is disabled. Examples of such sequence are "12345" or "fedcb". Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password. |
| maxclassrepeat=N |
Reject passwords that contain more than N consecutive characters of the same class. The default is 0, which means that this check is disabled. |
| reject_username |
Check whether the name of the user in straight or reversed form is contained in the new password. If so, the new password is rejected. |
| gecoscheck |
Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password. If any such word is found, the new password is rejected. |
| enforce_for_root |
An "error" or "failed check" message prevents the root user from changing the password. This option is off by default, which means that the message about the failed check is printed, but root can change the password anyway. |
| use_authtok |
This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module. |
If you want to flex your Cracklib muscles, you could also go one step further and introduce your own dictionaries for Cracklib to check against. Look online for an old but nicely-written piece on using Cracklib with Django [5].
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
Kubuntu Focus Announces XE Gen 2 Linux Laptop
Another Kubuntu-based laptop has arrived to be your next ultra-portable powerhouse with a Linux heart.
-
MNT Seeks Financial Backing for New Seven-Inch Linux Laptop
MNT Pocket Reform is a tiny laptop that is modular, upgradable, recyclable, reusable, and ships with Debian Linux.
-
Ubuntu Flatpak Remix Adds Flatpak Support Preinstalled
If you're looking for a version of Ubuntu that includes Flatpak support out of the box, there's one clear option.
-
Gnome 44 Release Candidate Now Available
The Gnome 44 release candidate has officially arrived and adds a few changes into the mix.
-
Flathub Vying to Become the Standard Linux App Store
If the Flathub team has any say in the matter, their product will become the default tool for installing Linux apps in 2023.
-
Debian 12 to Ship with KDE Plasma 5.27
The Debian development team has shifted to the latest version of KDE for their testing branch.
-
Planet Computers Launches ARM-based Linux Desktop PCs
The firm that originally released a line of mobile keyboards has taken a different direction and has developed a new line of out-of-the-box mini Linux desktop computers.
-
Ubuntu No Longer Shipping with Flatpak
In a move that probably won’t come as a shock to many, Ubuntu and all of its official spins will no longer ship with Flatpak installed.
-
openSUSE Leap 15.5 Beta Now Available
The final version of the Leap 15 series of openSUSE is available for beta testing and offers only new software versions.
-
Linux Kernel 6.2 Released with New Hardware Support
Find out what's new in the most recent release from Linus Torvalds and the Linux kernel team.