Book Image

Mastering Linux Security and Hardening - Second Edition

By : Donald A. Tevault
Book Image

Mastering Linux Security and Hardening - Second Edition

By: Donald A. Tevault

Overview of this book

From creating networks and servers to automating the entire working environment, Linux has been extremely popular with system administrators for the last couple of decades. However, security has always been a major concern. With limited resources available in the Linux security domain, this book will be an invaluable guide in helping you get your Linux systems properly secured. Complete with in-depth explanations of essential concepts, practical examples, and self-assessment questions, this book begins by helping you set up a practice lab environment and takes you through the core functionalities of securing Linux. You'll practice various Linux hardening techniques and advance to setting up a locked-down Linux server. As you progress, you will also learn how to create user accounts with appropriate privilege levels, protect sensitive data by setting permissions and encryption, and configure a firewall. The book will help you set up mandatory access control, system auditing, security profiles, and kernel hardening, and finally cover best practices and troubleshooting techniques to secure your Linux environment efficiently. By the end of this Linux security book, you will be able to confidently set up a Linux server that will be much harder for malicious actors to compromise.

Related Content you might be interested in

Current Title:

Small book image
Mastering Linux Security and Hardening - Second Edition
Donald A. Tevault
Feb, 2020 | 666 pages
Small book image
Linux Service Management Made Easy with systemd
Donald A Tevault
Feb, 2022 | 420 pages
Small book image
Practical Linux Security Cookbook
Tajinder Kalsi
Aug, 2018 | 482 pages
Small book image
Linux Administration Cookbook
Adam K Dean
Dec, 2018 | 826 pages
Table of Contents (20 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
1
Section 1: Setting up a Secure Linux System
Section 1: Setting up a Secure Linux System
Free Chapter
2
Running Linux in a Virtual Environment
Running Linux in a Virtual Environment
Looking at the threat landscape
Why do security breaches happen?
Keeping up with security news
Differences between physical, virtual, and cloud setups
Introducing VirtualBox and Cygwin
Keeping the Linux systems updated
Summary
Questions
Further reading
3
Securing User Accounts
Securing User Accounts
The dangers of logging in as the root user
The advantages of using sudo
Setting up sudo privileges for full administrative users
Setting up sudo for users with only certain delegated privileges
Advanced tips and tricks for using sudo
Locking down users' home directories the Red Hat or CentOS way
Locking down users' home directories the Debian/Ubuntu way
Enforcing strong password criteria
Setting and enforcing password and account expiration
Configuring default expiry data for useradd for Red Hat or CentOS only
Setting expiry data on a per-account basis with useradd and usermod
Setting expiry data on a per-account basis with chage
Preventing brute-force password attacks
Locking user accounts
Locking the root user account
Setting up security banners
Detecting compromised passwords
Understanding centralized user management
Summary
Questions
Further reading
4
Securing Your Server with a Firewall - Part 1
Securing Your Server with a Firewall - Part 1
Technical requirements
An overview of firewalld
An overview of iptables
Uncomplicated firewall for Ubuntu systems
Summary
Questions
Further reading
5
Securing Your Server with a Firewall - Part 2
Securing Your Server with a Firewall - Part 2
Technical requirements
nftables – a more universal type of firewall system
firewalld for Red Hat systems
Summary
Questions
Further reading
6
Encryption Technologies
Encryption Technologies
GNU Privacy Guard (GPG)
Encrypting partitions with Linux Unified Key Setup (LUKS)
Encrypting directories with eCryptfs
Using VeraCrypt for cross-platform sharing of encrypted containers
OpenSSL and the public key infrastructure
Summary
Questions
Further reading
7
SSH Hardening
SSH Hardening
Ensuring that SSH protocol 1 is disabled
Creating and managing keys for passwordless logins
Disabling root user login
Disabling username/password logins
Configuring Secure Shell with strong encryption algorithms
Setting system-wide encryption policies on RHEL 8/CentOS 8
Configuring more detailed logging
Configuring access control with whitelists and TCP Wrappers
Configuring automatic logouts and security banners
Configuring other miscellaneous security settings
Setting up a chroot environment for SFTP users
Sharing a directory with SSHFS
Remotely connecting from Windows desktops
Summary
Questions
Further reading
8
Section 2: Mastering File and Directory Access Control (DAC)
Section 2: Mastering File and Directory Access Control (DAC)
9
Mastering Discretionary Access Control
Mastering Discretionary Access Control
Using chown to change ownership of files and directories
Using chmod to set permissions on files and directories
Using SUID and SGID on regular files
The security implications of the SUID and SGID permissions
Using extended file attributes to protect sensitive files
Securing system configuration files
Summary
Questions
Further reading
10
Access Control Lists and Shared Directory Management
Access Control Lists and Shared Directory Management
Creating an ACL for either a user or a group
Creating an inherited ACL for a directory
Removing a specific permission by using an ACL mask
Using the tar --acls option to prevent the loss of ACLs during a backup
Creating a user group and adding members to it
Creating a shared directory
Setting the SGID bit and the sticky bit on the shared directory
Using ACLs to access files in the shared directory
Summary
Questions
Further reading
11
Section 3: Advanced System Hardening Techniques
Section 3: Advanced System Hardening Techniques
12
Implementing Mandatory Access Control with SELinux and AppArmor
Implementing Mandatory Access Control with SELinux and AppArmor
How SELinux can benefit a systems administrator
Setting security contexts for files and directories
Troubleshooting with setroubleshoot
Working with SELinux policies
How AppArmor can benefit a systems administrator
Looking at AppArmor profiles
Working with AppArmor command-line utilities
Troubleshooting AppArmor problems
Exploiting a system with an evil Docker container
Summary
Questions
Further reading
13
Kernel Hardening and Process Isolation
Kernel Hardening and Process Isolation
Understanding the /proc filesystem
Setting kernel parameters with sysctl
Configuring the sysctl.conf file
Understanding process isolation
Summary
Questions
Answers
Further reading
14
Scanning, Auditing, and Hardening
Scanning, Auditing, and Hardening
Technical requirements
Installing and updating ClamAV and maldet
Scanning with ClamAV and maldet
Scanning for rootkits with Rootkit Hunter
Performing a quick malware analysis with strings and VirusTotal
Understanding the auditd daemon
Using ausearch and aureport
Applying OpenSCAP policies with oscap
Summary
Questions
Further reading
15
Logging and Log Security
Logging and Log Security
Understanding the Linux system log files
Understanding rsyslog
Understanding journald
Making things easier with Logwatch
Setting up a remote log server
Summary
Questions
Further reading
16
Vulnerability Scanning and Intrusion Detection
Vulnerability Scanning and Intrusion Detection
Introduction to Snort and Security Onion
IPFire and its built-in Intrusion Prevention System (IPS)
Scanning and hardening with Lynis
Finding vulnerabilities with OpenVAS
Web server scanning with Nikto
Summary
Questions
Further reading
17
Security Tips and Tricks for the Busy Bee
Security Tips and Tricks for the Busy Bee
Technical requirements
Auditing system services
Password protecting the GRUB 2 bootloader
Securely configuring BIOS/UEFI
Using a security checklist for system setup
Summary
Questions
Further reading
18
Assessments
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
19
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review – let other readers know what you think

To get the most out of this book

To get the most out of this book, you don't need much. However, the following things would be quite helpful:

  • A working knowledge of basic Linux commands and how to navigate through the Linux filesystem
  • A basic knowledge about tools such as less and grep
  • Familiarity with command-line editing tools, such as vim or nano
  • A basic knowledge of how to control systemd services with systemctl commands

For hardware, you don't need anything fancy. All you need is a machine that's capable of running 64-bit virtual machines. So, you can use any host machine that runs with almost any modern CPU from either Intel or AMD. (The exception to this rule is with Intel Core i3 and Core i5 CPUs. Even though they're 64-bit CPUs, they lack the hardware acceleration that's needed to run 64-bit virtual machines. Ironically, Intel Core 2 CPUs and AMD Opteron CPUs that are much older work just fine.) For memory, I'd recommend at least 8 GB.

You can run any of the three major operating systems on your host machine, because the virtualization software that we'll be using comes in flavors for Windows, macOS, and Linux.

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at www.packt.com.
  2. Select the Support tab.
  3. Click on Code Downloads.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Mastering-Linux-Security-and-Hardening-Second-Edition. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Download the installation .iso files for Ubuntu Server 18.04, CentOS 7, and CentOS 8."

A block of code is set as follows:

//Unattended-Upgrade::Automatic-Reboot "false";
  Unattended-Upgrade::Automatic-Reboot "true";

Any command-line input or output is written as follows:

sudo apt update
sudo apt dist-upgrade

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Spend some time perusing the Common Vulnerabilities and Exposures database, and you'll soon see why it's so important to keep your systems updated."

Warnings or important notes appear like this.
Tips and tricks appear like this.
Previous Section
Next Section