Skip to main content

Hardening the Linux server - Part 5


Hardening the Linux server - Part 5

Encryption
Encryption is the process of taking data stored on a computer and scrambling it in a manner that makes it unreadable to anyone who doesn't possess the key to re-create the data in its original form. Data that has been encrypted can be stored on the local computer, stored on a network share, or transmitted to other users and computers.
It's possible to encrypt an entire hard disk or the partitions of the disk. This should be done at installation. You can also secure data through encryption by creating a directory and encrypting it. For example, if you've set up a file server, you may want to encrypt a directory that holds sensitive information.
Before you go forward with protecting your data, you need to install eCryptfs from the Ubuntu repositories by typing

# sudo aptitude install ecryptfs-utils

Press Enter, and type your root password.

Encrypt a directory

The next step is to create a directory to encrypt. The example uses a directory called secure, but you can name it anything you wish. Follow these steps:
  1. Enter the following command:
    1. # mkdir ~/secure
  1. Just to keep others from snooping around, change the permissions to 700:
    1. # chmod 700 ~/secure
  1.  Mount the new directory with the eCryptfs file system:
    1. # sudo mount -t ecryptfs  ~/secure ~/secure
  1. You're asked a series of questions. Be sure you remember the answers, because you'll need them when you remount. The first question asks which type of key you'd like to use. Make your selection by typing the number that corresponds to your choice. Next, select the cipher you wish to use and the size of the key.
  2. Once you've answered all the questions, your directory is ready to add files and other subdirectories to. When you're ready to secure your directory, unmount it with 
    1. # sudo unmount ~/secure


Additional security steps
Now that you've created a solid foundation for hardening your server, you should take a few steps to further enhance the security measures you've put into place. These last few tips introduce some of the extra points to keep in mind when hardening your GNU/Linux server.



Updates
A production server should never have updates and patches installed unless they were first tested on a test, or development, server. Because a GUI may not be installed on your server, you have to download any updates and patches through the terminal. When you're ready to install updates, enter the command sudo apt-get update and then sudo apt-get dist-upgrade. In some cases, you need to restart your server.



Malware
Many system administrators find installing antivirus software on a server running GNU/Linux to be a waste of resources because no viruses in the wild can attack the GNU/Linux operating system. But any GNU/Linux administrator who is running SAMBA to share Windows files should definitely make sure an antivirus scanner like ClamAV is installed to make sure infected files don't spread throughout your system.
Although viruses don't pose as much of a threat to the GNU/Linux server, rootkits can cause you a headache. Rootkits are tools that attackers use to gain root-level permissions to a system, capture passwords, intercept traffic, and create other vulnerabilities. To combat this threat, you should install tools such as RKHunter and chkrootkit on the server.



Backup and recovery
Servers that house gigabytes of information, corporate Web sites, or catalogs for directory services need to have a backup and recovery strategy in place. Most corporate networks can afford redundancy through multiple servers, and smaller networks can find peace of mind through virtualization and back-up and recovery software.
If you're planning to run backup and recovery software from the Ubuntu repositories, Sbackup is an excellent choice because it can be run from either the command line or a GUI. When backing up server data on a corporate network, it's important that your backup files be stored outside the server. Portable storage devices provide large amounts of storage space at extremely reasonable prices, and they're excellent options for storing backed-up files and directories.



Passwords
As the system administrator, you're required to set passwords for your server's root account and possibly other sensitive accounts in your organization such as MySQL databases or FTP connections. You can't force strong passwords for your users with Ubuntu Server, but you can be sure you train users on how to create a strong password.

Network password policy

If you're running directory services like OpenLDAP, you have the option to enforce strong passwords across your network with some of the configuration options available.



Make sure your users' passwords contain at least three of the following: an uppercase letter, a lowercase letter, a number, or a symbol. To further strengthen the password, make it a policy that all passwords are at least eight characters long.
One way to teach users to use strong passwords but keep them from writing down complex passwords on sticky notes is to have them use passphrases. Something like Myf@voritecolorisBlue! is much easier to remember than M$iuR78$, and both meet minimal complexity standards.

Comments

Popular posts from this blog

Virtual Box and Alt/Tab Keys

I use virtual box for all my testing activities. It comes too often that I have a virtual box VM window open & I want to switch to my host machine to see some stuff like tutorials etc.. If you press the alt+tab combination it just works inside the VM & doesn't switches to host machine. In these scenarios you can press the host key once ( not hold it ) & then whatever you press goes to host machine. So in general where host key is the default Right Ctrl, just press Right Ctrl once & now press the alt+tab & it will switch you out to host machine. This is really helpful when you have the VM windows open or you're working on seamless mode. Hope it help others too.

CentOS / Redhat : Configure CentOS as a Software Router with two interfaces

Linux can be easily configured to share an internet connection using iptables. All you need to have is, two network interface cards as follows: a) Your internal (LAN) network connected via eth0 with static ip address 192.168.0.1 b) Your external WAN) network is connected via eth1 with static ip address 10.10.10.1  ( public IP provided by ISP ) Please note that interface eth1 may have public IP address or IP assigned by ISP. eth1 may be connected to a dedicated DSL / ADSL / WAN / Cable router: Step # 1: Enable Packet Forwarding Login as the root user. Open /etc/sysctl.conf file # vi /etc/sysctl.conf Add the following line to enable packet forwarding for IPv4: net.ipv4.conf.default.forwarding=1 Save and close the file. Restart networking: # service network restart Step # 2: Enable IP masquerading In Linux networking, Network Address Translation (NAT) or Network Masquerading (IP Masquerading) is a technique of transce...

AMD Radeon™ HD 7670M on Ubuntu 12.04

Update:   Recently I install kubuntu 13.10 and there is no problem with graphics. It just works  fine out of the box. I've seen many blog posts on how to make AMD HD7670M work on Ubuntu 12.04, specially when its in switchable graphics board like Dell Inspiron 15R 5520. I tried many things to make it work so that I could use the cinnamon desktop on ubuntu & other things too.. But to my surprise even the drivers from AMD site didn't work. Then I tried a combination of those blog posts I read & somehow I became successful in running the full graphics including compiz settings inside My Ubuntu Machine. Following are the steps I followed & it worked... 1. Create a backup of your xorg configuration file: sudo cp /etc/X11/xorg.conf /etc/X11/xorg.conf.BAK 2. Remove/purge current fglrx and fglrx-amdcccle : sudo apt-get remove --purge fglrx* 3. Install the driver: sudo apt-get install fglrx fglrx-amdcccle 4. Install additiona...