#readwise
# Linux Fundamentals - Linux Security

## Metadata
- Author: [[Hack The Box]]
- Full Title: Linux Fundamentals - Linux Security
- URL: https://academy.hackthebox.com/module/18/section/98
## Summary
Linux systems are generally more secure than others, but they still need protection measures. Keeping the operating system and packages updated is crucial for security. Tools like SELinux and TCP wrappers help control access and limit vulnerabilities. Regular audits and user management based on the principle of least privilege also enhance security.
## Highlights
If firewall rules are not appropriately set at the network level, we can use the Linux firewall and/or `iptables` to restrict traffic into/out of the host. ([View Highlight](https://read.readwise.io/read/01jn9q327xy0s6w9kn9sw4hbrv))
---
If SSH is open on the server, the configuration should be set up to disallow password login and disallow the root user from logging in via SSH. It is also important to avoid logging into and administering the system as the root user whenever possible and adequately managing access control. Users' access should be determined based on the principle of least privilege. For example, if a user needs to run a command as root, then that command should be specified in the `sudoers` configuration instead of giving them full sudo rights. ([View Highlight](https://read.readwise.io/read/01jn9q45w12j0d4wzdg5r763my)) ^9mu1b5
---
Another common protection mechanism that can be used is `fail2ban`. This tool counts the number of failed login attempts, and if a user has reached the maximum number, the host that tried to connect will be handled as configured. ([View Highlight](https://read.readwise.io/read/01jn9q50a2rr80b9ez44c84fzc))
---
An option for further locking down Linux systems is `Security-Enhanced Linux` (`SELinux`) or `AppArmor`. Both are kernel security modules that enforce access control policies. In SELinux, every process, file, directory, and system object is given a label. Policy rules are created to control access between these labeled processes and objects and are enforced by the kernel. This means that access can be set up to control which users and applications can access which resources. SELinux provides very granular access controls, such as specifying who can append to a file or move it. ([View Highlight](https://read.readwise.io/read/01jn9qyt923p9a55vqyj7g4f1r))
---
There are different applications and services such as [Snort](https://www.snort.org/), [chkrootkit](http://www.chkrootkit.org/), [rkhunter](https://packages.debian.org/sid/rkhunter), [Lynis](https://cisofy.com/lynis/), and others that can contribute to Linux's security. In addition, some security settings should be made, such as:
- Remove or disable all unnecessary services and software
- Remove all services that rely on unencrypted authentication mechanisms
- Ensure NTP is enabled and Syslog is running
- Ensure that each user has their own account
- Enforce the use of strong passwords
- Set up password aging and restrict the use of previous passwords
- Lock user accounts after login failures
- Disable all unwanted SUID/SGID binaries ([View Highlight](https://read.readwise.io/read/01jn9qzw172rbmxdz74dybym9p))
---
TCP wrapper is a security mechanism used in Linux systems that allows the system administrator to control which services are allowed access to the system. It works by restricting access to certain services based on the hostname or IP address of the user requesting access. ... TCP wrappers use the following configuration files:
- `/etc/hosts.allow`
- `/etc/hosts.deny`
In short, the `/etc/hosts.allow` file specifies which services and hosts are allowed access to the system, whereas the `/etc/hosts.deny` file specifies which services and hosts are not allowed access. These files can be configured by adding specific rules to the files.
`/etc/hosts.allow`:
```sh
cat /etc/hosts.allow
```
```
# Allow access to SSH from the local network
sshd : 10.129.14.0/24
# Allow access to FTP from a specific host
ftpd : 10.129.14.10
# Allow access to Telnet from any host in the inlanefreight.local domain
telnetd : .inlanefreight.local
```
`/etc/hosts.deny`:
```sh
cat /etc/hosts.deny
```
```
# Deny access to all services from any host in the inlanefreight.com domain
ALL : .inlanefreight.com
# Deny access to SSH from a specific host
sshd : 10.129.22.22
# Deny access to FTP from hosts with IP addresses in the range of 10.129.22.0 to 10.129.22.255
ftpd : 10.129.22.0/24
```
It is important to remember that the order of the rules in the files is important. The first rule that matches the requested service and host is the one that will be applied. It is also important to note that TCP wrappers are not a replacement for a firewall, as they are limited by the fact that they can only control access to services and not to ports.
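To make the evaluation order concrete, here is an added Python example (not code from the HTB page or from the tcp_wrappers project) that replays the two files above the way `tcpd` does: `hosts.allow` is checked first, then `hosts.deny`, and a pair that matches neither is allowed by default. The rule text is constructed from the two listings; hostname matching for the `.domain` patterns is assumed to come from a reverse DNS lookup, which is passed in explicitly here.

```python
import ipaddress

# Constructed sample rules, copied from the hosts.allow / hosts.deny listings above.
HOSTS_ALLOW = """
sshd : 10.129.14.0/24          # SSH from the local network
ftpd : 10.129.14.10            # FTP from one host
telnetd : .inlanefreight.local # Telnet from one domain
"""
HOSTS_DENY = """
ALL : .inlanefreight.com
sshd : 10.129.22.22
ftpd : 10.129.22.0/24
"""

def parse_rules(text):
    """Return [(daemon, [client patterns])] in file order; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, _, clients = line.partition(":")
        rules.append((daemon.strip(), [c.strip() for c in clients.split(",") if c.strip()]))
    return rules

def client_matches(pattern, addr, hostname=None):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .inlanefreight.com (needs reverse DNS)
        return hostname is not None and hostname.endswith(pattern)
    if "/" in pattern:                   # network/prefix or network/netmask form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or pattern == hostname

def first_match(rules, daemon, addr, hostname=None):
    """First rule whose daemon and client list both match wins; later rules are never consulted."""
    for rule_daemon, clients in rules:
        if rule_daemon in ("ALL", daemon) and any(client_matches(c, addr, hostname) for c in clients):
            return rule_daemon, clients
    return None

def access_allowed(daemon, addr, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a hosts.allow match grants, else a hosts.deny match refuses, else access is granted."""
    if first_match(parse_rules(allow), daemon, addr, hostname):
        return True
    if first_match(parse_rules(deny), daemon, addr, hostname):
        return False
    return True   # no rule matched: tcp_wrappers falls through to allow
```

Note the last branch: a service the deny file never mentions (here `httpd`) stays reachable from anywhere, which is why a closing `ALL : ALL` line in `hosts.deny` is the usual way to turn this into a default-deny setup.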
---