Security

Securing Linux

Eliminate Command Line Histories with chattr (change attribute)...

If you use bash as the default shell, it keeps a history of commands, accessible via the `history` command, for convenience. This could become a security problem if someone were able to compromise a user's home directory. In some cases, it could expose improperly used passwords or special privileges available to the user, such as sudo.

Consider disabling this by changing the attribute of the file to lock out the ability to update it. As root:

# cat /dev/null > ~user/.bash_history
# chattr +i ~user/.bash_history

The user will still have a command line history, but it will only apply to the current session. When the user logs out, the information will not be saved. To have this apply to all future users, make the changes in the "/etc/skel" directory.

Disallow direct root login to SSH...

Following up on the comment at: secure ssh...

To disallow direct root login via SSH, edit the "/etc/ssh/sshd_config" file with a text editor and find the following line:

#PermitRootLogin yes

Change the yes to no and remove the comment character at the beginning of the line:

PermitRootLogin no

Restart the sshd service.

# service sshd restart

It is also recommended to restrict access to your system by limiting users' root access via the su command.

Add trusted users to the special administrative group called wheel (the -a flag appends wheel to the user's existing supplementary groups instead of replacing them):

# usermod -aG wheel <username>

Next open the PAM configuration file for su, "/etc/pam.d/su" in a text editor and remove the comment [#] from the following line:

auth  required /lib/security/pam_wheel.so use_uid

The root user is part of the wheel group by default, and doing this will permit only members of the administrative group wheel to use su.

Additionally, you can change the permissions on the su binary as follows:

# chgrp wheel /bin/su
# chmod 4750 /bin/su

Limit SSH users with PAM

PAM (Pluggable Authentication Modules) can be used to limit which users have access to a certain service based on a list. For example, you can limit SSH connections via PAM.

In "/etc/pam.d/sshd", add the following line:

auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist

This will allow a user to log in via sshd if they are listed in the "/etc/ssh_allow.pamlist" file. The options specified have the following meanings:
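To verify that the three changes above (PermitRootLogin, the pam_wheel line for su, and the pam_listfile allow-list for sshd) actually took effect, here is an added audit script. It is example code written for this page, not part of the original article; the file paths it is given and the sample files it constructs are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers that read back
# the hardening state described above. Each function takes a file path, so
# it can be pointed at the live files or at copies; the demo at the bottom
# runs only on constructed sample files, never on this host's configuration.

# Effective PermitRootLogin value. sshd honours the FIRST uncommented
# occurrence of a keyword (keywords are case-insensitive), so a later
# duplicate is ignored. Prints "unset" when no active line exists.
# Limitation: a setting inside a "Match" block is treated as global here.
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# 0 only when direct root login over SSH is explicitly disabled.
check_root_login_disabled() {
    [ "$(sshd_permit_root_login "$1")" = "no" ]
}

# 0 when the pam_wheel line in the su PAM file is active (not commented
# out), i.e. su is restricted to members of the wheel group.
check_pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+.*pam_wheel\.so' "$1"
}

# 0 when the sshd PAM file carries an active pam_listfile allow-list.
check_sshd_allowlist_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_listfile\.so.*sense=allow' "$1"
}

# report <label> <check-function> <file>
report() {
    if "$2" "$3"; then echo "$1: hardened"; else echo "$1: NOT hardened"; fi
}

# Demo on constructed files: sshd_config hardened, su still commented out.
demo() {
    d=$(mktemp -d)
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$d/sshd_config"
    printf '#auth  required /lib/security/pam_wheel.so use_uid\n' > "$d/su"
    printf 'auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist\n' > "$d/sshd"
    report sshd_config check_root_login_disabled "$d/sshd_config"
    report pam.d/su check_pam_wheel_enabled "$d/su"
    report pam.d/sshd check_sshd_allowlist_enabled "$d/sshd"
    rm -rf "$d"
}

demo
```

Run it against the real files with, for example, `check_root_login_disabled /etc/ssh/sshd_config` after sourcing the script; a non-zero exit means the setting is not in the hardened state.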

Protection with SmoothWall

SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Linux is the ideal choice for security systems; it is well proven, secure, highly configurable and freely available as open source code. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use.

