Shulou(Shulou.com)06/02 Report--

What are the common methods to protect the Linux server, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

In the actual production environment, developers and testers try their best to ensure security to avoid some important information leakage or even theft. Many enterprises or organizations still have relatively perfect threat modeling, but even so, security problems emerge one after another. Some enterprises expect to help them to complete the security construction of the enterprise together through the white hat or black hat on the network. But as an enterprise, you need to understand that not all white or black hats are willing to share their safety advice with them. For security, it's not just about using 2FA and password manager, installing updates and not clicking on suspicious links.

In fact, I have spoken twice at some security meetings, and here I have made some changes and hope to share them with you again, mainly for those who have just learned or learned about Linux security. In this article, I will not actually discuss the security of Web applications. If you want to know and learn about this, you can refer to OWASP Top 10, which can teach developers and testers about SQL injection, CSRF,XSS, session management and so on. If you are worried about more advanced attackers and need to prevent possible malicious code or authorization scripts from being executed, you will learn what you want to know in this article. A remote intruder or even a humble internal threat may already be lurking in your system.

Below I will mention some basic concepts and include related tools. In the meantime, here you need to ask yourself:

ACL (access control list)

Is your infrastructure divided into different systems with different levels of role-based access, or do users have exactly the same privileges?

Acl: getfacl+setfacl

System audit

Have you been thoughtful about users who log in to a machine?

View: auditd, go-audit

Static analysis and fuzzing

You may be running Candlestick +. Memory security issues occupy most of the loopholes. Have you done any auditing, static analysis, or fuzzing testing of the code to ensure its security? Have you ever considered developing in Rust?

View: afl, Radamsa, Sulley, boofuzz, Coverity Scan, Valgrind, sanitizers

Network segmentation

Have you correctly separated your back end from your front end and load balancer? Did you take the time to set up the company VPN and give your machine a private internal address?

View: iptables, ufw

Isolation

Do your employees use their work computers for personal activities, such as games or applications that have nothing to do with their work? Or do they use things like virtual machines or containers for messaging, browsing, development?

View: Qubes, VirtualBox

File permissions and umask

Anyone with a basic understanding of Unix will be familiar with file permissions. If you do not strictly control the read and write permissions of certain files, then I strongly recommend that you implement access control according to the strictest specifications.

More content

Container

Containerization is of great help to safety in theory. But I want to know who is allowed to set up and put the image into the production environment, and do they also sign and verify, and monitor security updates and CVE?

View: Docker, LXC

Use threat intelligence

Malicious IP streams are initiated from the IPv4 address space, botnets preparing for DDoS attacks, and automated utilization scans are under way. You can collect information about such activities yourself, or you can subscribe to feed or blacklist lists of related products. But has your endpoint / firewall responded to this and merged this information?

Viewing: list of threat intelligence resourc

Firewalls and packet filtering

How often do you review your iptables rules or do you know what your router / firewall performs, and do you run verification tests on them? Have you correctly configured packet filtering rules to ensure that the machine can only communicate with the data you need?

View: pfSense, OPNsense

DNS and domain name registrars

How much effort have you locked in for this? How much effort have you put into locking it? Do you receive an alert when your domain name server or DNS zone file is changed without authorization? In addition, have you enabled DNSSEC?

Personally, I recommend using Namecheap as a registered service provider and using Cloudflare for high-performance DNS.

Physical access

If I am a court law enforcement officer, a data center staff or your hosting service provider, can I freely read the contents of your server (except full encryption)? When your disk is retired or replaced, will its contents be erased? If someone plugs USB into a 1U rack server, will you receive an alarm?

Viewing: LUKS/cryptsetup

Do you have a deterministic build?

When developers push build code into a production environment, can you verify the true intent of the code and ensure that the dependencies of the source code or static links are not maliciously modified?

Viewing: Gitian

Verify digital signature

There is no doubt that you may obtain or download some code and software from some unofficial sites. So did you compare the checksum / hash or verify the signature of the download before the team members continued to build or install?

Viewing: making and verifying signatures using GnuPG

Sandboxie environment

Does it have AppArmor profiles, seccomp filters, or RBAC policies that specify its functions in terms of system calls and access rights?

View: seccomp, AppArmor

TLS and encryption configuration

Have you completely abandoned those insecure cipher suites and algorithms (such as MD5,SHA1,RC4)? And choose the best encryption method, HMAC and key exchange algorithm in terms of compatibility and user expectations. If available, the RSA encryption algorithm is preferred. This applies to OpenSSH,GnuPG,OpenVPN and so on. Using Let's Encrypt.t, you can easily get a free certificate from ssl.

View: apply password hardening, SSL and TLS, server-side TLS

Public key management

If each of your employees has their own key, consider synchronizing it across the domain and moving the key out of version control.

View: GPGSync, sops, Vault

HTTP head security

For HTTP header security, here is a list for your reference: X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, X-Download-Options, X-Permitted-Cross-Domain-Policies, Content-Security-Policy, Referrer-Policy, Strict-Transport-Security, Public-Key-Pins. The correct configuration of these response heads is also critical to security.

View: securityheaders.io, Mozilla web Security Guide

File integrity monitoring

Do you regularly check important documents to ensure that they have not been modified and generate alerts that have been changed?

View: Tripwire, OSSEC

Intrusion detection

You may have deployed many types of intrusion detection tools, but do you just run it according to the default rule configuration and do not take the time to learn the relevant technical knowledge? and configure the appropriate rule set according to your own application?

View: compare host-based intrusion detection systems, Snort

Vulnerability management

By subscribing to email, we can get new vulnerability reports and fix them. So, do you remember the last time you checked the CVE activity?

View: Nessus, CoreOS clair

Security of the basic system

Do you really trust Debian/Ubuntu,RHEL or any company's third-party software repository to always provide you with non-malicious software packages? Here's an idea: you can host your own repository, pin it to a specific version, and upgrade only after testing.

Alternatively, you can run a minimal operating system based on Alpine or LinuxKit, which minimizes your attack surface.

LSM (Linux Security Module)

AppArmor or SELINUX, have they done anything for you recently?

Linux kernel hardening

Here I suggest you check out the PaX and grsecurity patches directly. The Spectre and Meltdown vulnerabilities exposed not long ago have also sounded the alarm for our kernel security problems.

Check out: grsecurity.net,Linux kernel security guard, kernel self-protection project

Remove unnecessary equipment

If you don't use Thunderbolt,Firewire, wireless network cards, or any modules with DMA (Direct memory access) mode, then you have no reason to load these kernel modules.

View: blacklist of kernel modules

Log filtering

Maybe you're still checking log files manually, so you should learn to write Logstash filtering and grok pattern. Grok is the most important plug-in for Logstash. You can predefine a named regular expression in grok and reference it later (in the grok parameter or other regular expressions). It works well with syslog logs,apache and some other webserver logs, as well as mysql logs. Grok has a lot of well-defined pattern, and of course you can define it yourself.

View: Filebeat, rsyslog, Logstash

How do you monitor the use of resources?

RAM,CPU load, free disk space. Although these may seem insignificant, these places are key locations for abnormal activities, so they are worth mentioning.

View: Metricbeat, Prometheus node_exporter, Nagios, Osquery

Infrastructure testing

People are familiar with all aspects of software testing, but not with infrastructure testing. How do you ensure that the state of your system always meets your expectations?

View: Serverspec, Testinfra

Platform and firmware security

Your BIOS and other low-level interfaces are affected by errors. Intel ®AMT and Supervisor engine, as well as Computrace should be disabled. The following link provides a very useful framework for analyzing the security of system firmware and hardware components.

Viewing: CHIPSEC

Secure remote shell

General sshd guidelines: disable root login, use keys instead of passwords, and set burst protection. A better solution is to place it behind the VPN, hide the service through authenticated Tor, or require port probing to dynamically open specific ports to connect to the host.

View: fail2ban, denyhosts, sshguard, Secure Secure Shell

Webserver best practices

If you do not want to divulge the version information of your currently running server, you can do this by setting the parameter server_tokens to off for nginx, or set ServerSignature to off for Apache.

When running complex applications that rely on dynamic scripting languages, consider running WAF (Web Application Firewall) like ModSecurity. Cloudflare is offering this service to its customers on a large scale.

Secondary factor

I highly recommend using YubiKey, which has many useful features. It can be configured to output static passwords (ideal for PAM user login or mount volume encryption), HOTP or universal two-factor (U2F) authentication, or you can use an OpenPGP smart card. These devices are indispensable to any system administrator. To this end, I have released a detailed installation guide for YubiKey GPG+SSH.

DNS parsing

Is your / etc/resolv.conf file configured correctly? Quad9 is an alternative to Google's public DNS or OpenDNS that prevents clients from accessing malicious domain names, similar to the way Chrome browsers protect users through secure browsing. So setting your domain name server to 9.9.9.9 will better ensure your security.

Audit trusting party

In addition to keeping the system's trusted root certificate store up to date, you should check the package manager at regular intervals to see which third parties are trusted, whether their repository signing keys are strong enough (many still use 1024-bit DSA), and delete those that have expired.

Try: apt-key list, rpm-qa gpg-pubkey

Signing git submission and tagging

Currently, almost everyone is using git for version control. When you release a new version, is it based on the GPG signature git tag? If you like, you can also sign and submit.

View: use GPG signature tags, Git signatures, Git tools   to sign your work

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.