Category Archives: Tutorial
Sometimes Linux, like other operating systems, shows odd behavior, and in some cases the cause of the odd behavior cannot be found even after the log files have been reviewed and the hardware has been checked. I had this problem too often in the past years.
In those cases I often check the system for malicious software. On Linux there are programs available which scan for so-called rootkits. A rootkit is malicious software which grants the attacker administrative access to the system.
Well-known detection software for rootkits includes programs like Rootkit Hunter, Unhide or chkrootkit.
The difference between a rootkit and a virus is that a virus does not necessarily grant administrative access to the system.
If the rootkit scan is done on a system which is already infected, then the rootkit is probably not found, because the rootkit hides itself from the running system. At best there are hints, and those are difficult to distinguish from false positives.
Rootkit scans should therefore be done from a Linux live system. Just follow these steps:
Download the Ubuntu Live ISO file and write it to a USB stick.
Boot the Ubuntu Live system and select “Try Ubuntu”.
apt-get install chkrootkit
On my system the following partitions exist:
- sda1 – swap space
- sda2 – this is the root partition /
- sda3 – this is my home partition /home
- sda4 – this is the home directory of the root user /root
mkdir /mnt/disk – creates the mount point directory
mount /dev/sda2 /mnt/disk – provides access to the filesystem and the files of the system which I want to scan
mount /dev/sda4 /mnt/disk/root – chkrootkit also scans this location, so it is important that it is mounted as well
Do the Scan with the following command:
chkrootkit -r /mnt/disk/
Normally the output should say things like “nothing found” or “not infected”.
If a rootkit is detected, do another scan with Rkhunter; it could still be a false positive.
Rkhunter needs to be installed and updated first.
If a rootkit is installed, you should reinstall the operating system.
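As an added example (not from the original post), the mount-and-scan steps above as a small script, plus a helper that picks the positive hits out of chkrootkit's output. It assumes root on the live system, the partition layout from the post and an installed chkrootkit; unlike the commands above it mounts the partitions read-only so the scan cannot alter the evidence.

```shell
#!/bin/sh
# Added example, not from the original post: offline chkrootkit scan of a
# suspect root filesystem plus a parser for the scan log.
# Assumptions: root on the live system, sda2 = / and sda4 = /root as in the
# post, chkrootkit installed.
MNT=/mnt/disk
LOG=/tmp/chkrootkit.log

# Mount the suspect root and its /root partition read-only (the post mounts
# them read-write), scan with -r, unmount, then print the findings.
scan_offline_root() {  # root_dev home_root_dev
    mkdir -p "$MNT"
    mount -o ro "$1" "$MNT" || return 1
    mount -o ro "$2" "$MNT/root" || { umount "$MNT"; return 1; }
    chkrootkit -r "$MNT" > "$LOG" 2>&1
    umount "$MNT/root"; umount "$MNT"
    chkrootkit_findings "$LOG"
}

# Print only lines that report a positive hit. A plain `grep -i infected`
# would also match the benign "not infected" lines, so drop those first.
chkrootkit_findings() {  # logfile
    grep -v -e 'not infected' -e 'nothing found' -e 'not found' "$1" \
        | grep -E 'INFECTED|Warning|suspicious' || true
}

# Exit status 0 = nothing to report, 1 = something to investigate.
chkrootkit_is_clean() {  # logfile
    [ -z "$(chkrootkit_findings "$1")" ]
}
```

A hit from chkrootkit is still only a hint; as the post says, confirm it with a second scanner before reinstalling.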
Sometimes it is necessary to highly secure a Linux server which keeps sensitive data. I want to provide a list of best-practice tips which are a good starting point if you want to keep your data and server secure.
The steps below, applied to a server in an already secured LAN, will further increase the security of the server and its data.
1. Operating System
CentOS Linux is a good point to start, because CentOS Linux uses a security layer called Security-Enhanced Linux (SELinux). This layer is very restrictive, and a lot of operations, for example on the file system, are denied by default. CentOS is maintained by Red Hat, and the newest variant is “CentOS Stream”, which is a rolling release.
The following steps assume that CentOS is used.
2. Storage Encryption
LUKS storage encryption of the server is another good approach. LUKS version 2 is the current version today. If the server is physically accessible to an unauthorized person, the data would otherwise be easily accessible. With LUKS the data is only accessible with the LUKS passphrase, which needs to be provided when the LUKS encrypted volume is mounted.
Alternatively ZFS with ZFS native encryption could be used for storage encryption. ZFS RAIDZ (comparable to RAID 5) and ZFS mirror (comparable to RAID 1) also protect against data corruption and keep the data's integrity, and they prevent data loss if a single disk fails.
3. Isolate the Server with a Firewall Appliance
Put the server behind a firewall appliance and isolate it even from an already secured LAN. The firewall appliance could be set up with OPNsense, which provides a good traffic analysis feature. Only publish the SSH port to the rest of the LAN; later on, tunnel all other protocols through an encrypted SSH tunnel over that SSH port.
Firewall rules should be applied which allow only connections from the LAN or from other necessary network sources.
4. Google Authenticator or other 2FA for SSH
Nowadays two-factor authentication is best practice, and a sufficiently good provider is Google with the “Google Authenticator”. Whoever wants to connect to the server has to install the “Google Authenticator” app from Google on their mobile phone. The app is set up with a secret shared with the server and provides a time-based one-time code.
After applying 2FA, username, password and the time-based code are all necessary to connect to the SSH port.
5. Updates and strong Passwords
Always install CentOS updates as soon as they are available. It is a must, and it is trivial knowledge. Use very strong passwords; this is also well known in professional circles. Strong passwords can be made mandatory by applying a password policy, and cracklib can be used to enforce strong passwords for users.
yum install cracklib
Install “cracklib” on CentOS and set complex, strong passwords, which could mean: 16 characters, mixing letters, digits and symbols.
6. Harden SSH Daemon
Configure the SSH daemon restrictively. Directives like “PermitEmptyPasswords” (set to “no”), “AllowUsers”, “PermitRootLogin” (set to “no”) and others should be evaluated and adjusted.
Google Authenticator, used for 2FA, also needs an adjustment in the SSH daemon configuration file.
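The directives from sections 4 and 6, in an added example that is not the post's own code: a small POSIX sh audit which reads an sshd_config and reports which of them are missing or weak. The expected values are assumptions for a password-plus-TOTP setup with pam_google_authenticator, which needs UsePAM and ChallengeResponseAuthentication enabled to prompt for the code; the matching PAM line for /etc/pam.d/sshd is noted in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# restrictive directives discussed in sections 4 and 6. Expected values are
# assumptions for a password + TOTP (pam_google_authenticator) setup. The PAM
# side, not checked here, is the line "auth required pam_google_authenticator.so"
# in /etc/pam.d/sshd. Directives inside Match blocks are not distinguished.

# Effective value of a directive: the first uncommented occurrence wins,
# which is also how sshd resolves duplicates. Prints nothing if unset.
sshd_get() {  # file directive
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Compare one directive with its expected value; prints a FINDING on mismatch.
sshd_expect() {  # file directive expected
    val=$(sshd_get "$1" "$2")
    if [ "$val" != "$3" ]; then
        echo "FINDING: $2 is '${val:-unset}', expected '$3'"
        return 1
    fi
}

# Returns 0 when every check passes, 1 otherwise. Findings go to stdout.
audit_sshd_config() {  # file
    rc=0
    sshd_expect "$1" PermitRootLogin no      || rc=1
    sshd_expect "$1" PermitEmptyPasswords no || rc=1
    # PAM must be on, or pam_google_authenticator is never consulted.
    sshd_expect "$1" UsePAM yes              || rc=1
    # Keyboard-interactive auth carries the TOTP prompt; newer OpenSSH spells
    # this directive KbdInteractiveAuthentication, so accept either name.
    kbd=$(sshd_get "$1" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_get "$1" KbdInteractiveAuthentication)
    if [ "$kbd" != yes ]; then
        echo "FINDING: ChallengeResponseAuthentication is '${kbd:-unset}', expected 'yes'"
        rc=1
    fi
    # AllowUsers has no single correct value; only require that it is set.
    if [ -z "$(sshd_get "$1" AllowUsers)" ]; then
        echo "FINDING: AllowUsers is unset; restrict logins to named accounts"
        rc=1
    fi
    return $rc
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after editing and before restarting sshd; keep an existing session open until a fresh login with password and code has been verified.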
7. Harden Host Firewall
CentOS brings its own firewall package with it, called “firewalld”. This command can be used to get a first impression of the active configuration:
sudo firewall-cmd --list-all
Firewall rules could be applied which allow only connections from the LAN, or only allow specific IP addresses to connect to the server.
8. Brute Force Prevention
Password guessing is a problem for IT systems in general, but on Linux and for the SSH daemon it can easily be prevented. Just install and configure the Linux package called “fail2ban”. It can be configured to automatically block a single source IP address for a specific time period if too many failed login attempts came from it.
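An added example, not from the original post, of a fail2ban jail.local that does what the paragraph describes for the SSH daemon. The LAN range in ignoreip and the ban timings are constructed placeholders to adapt to your own network; the firewalld-based ban action is chosen because the post uses firewalld.

```ini
# Added example, not from the original post: /etc/fail2ban/jail.local
# ignoreip: never ban the management LAN itself (constructed range, adjust).
[DEFAULT]
ignoreip  = 127.0.0.1/8 192.168.0.0/24
bantime   = 3600
findtime  = 600
maxretry  = 5
# Bans are inserted into firewalld, which CentOS uses as host firewall.
banaction = firewallcmd-ipset

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```

After `systemctl restart fail2ban`, `fail2ban-client status sshd` shows the currently banned addresses.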
9. Tunnel Services through SSH
Since SSH is now secured with 2FA and fail2ban and hardened, we can use it to connect to other services on the server, for example “https”.
Simply use a command similar to this:
ssh MyUser@192.168.0.1 -L 9000:localhost:443
The server's https port will then be accessible on my notebook with a browser at https://localhost:9000.
Sysadmins swear by SSH public key authentication with a strong passphrase. This is also good to implement and can be integrated into the concept.
The steps above, applied to a server isolated from an already secured LAN, will increase the security of that specific server and its data.
Feel free to comment on this article.