Linux Security: OS & Service Level Security in Linux Part-1

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMFmQISinvMM4jFGdzoHmTpjTD5mRx9mkdFwcsN2S_exRJPyb0Hu0AScpp3Tb1_U09_rrfxIRpEHDCfku8qtn7p1MTwo2nmWM4fR2h7_x2qn2iplTsgo_gause0mIapCDV1UxnaMMzjJsk/s1600/Linux-security-part11-700x454.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMFmQISinvMM4jFGdzoHmTpjTD5mRx9mkdFwcsN2S_exRJPyb0Hu0AScpp3Tb1_U09_rrfxIRpEHDCfku8qtn7p1MTwo2nmWM4fR2h7_x2qn2iplTsgo_gause0mIapCDV1UxnaMMzjJsk/s1600/Linux-security-part11-700x454.jpg" /></a></div> <br /> <h1 class="entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: 'Roboto Condensed', sans-serif; font-size: 34px; font-weight: normal; line-height: 40px; margin: 17px 0px 7px; text-rendering: optimizeLegibility; word-wrap: break-word;"> <div class="wpb_row row-fluid" style="color: #262626; font-family: 'PT Sans', sans-serif; font-size: 15px; line-height: 23px; width: 699.96875px;"> <div class="span12 wpb_column column_container" style="box-sizing: border-box; float: left; margin-left: 0px; min-height: 31px; position: relative; width: 699.96875px;"> <div class="wpb_wrapper"> <div class="wpb_text_column wpb_content_element "> <div class="wpb_wrapper"> <div style="margin-bottom: 23px;"> <strong>Linux Security > OS & Service Level Security in Linux > sshd  server</strong></div> </div> </div> </div> </div> </div> </h1> <h4 class="block-title" style="border-bottom-color: rgb(77, 178, 236); border-bottom-style: solid; border-bottom-width: 2px; color: #222222; font-family: 'PT Sans', sans-serif; font-size: 28px; line-height: 34px; margin: 25px 0px 27px; position: relative; text-rendering: optimizeLegibility;"> <span style="background-color: #4db2ec; color: white; font-family: 'Roboto Condensed', sans-serif; padding: 3px 10px; z-index: 1;">SSH Server security</span></h4> <h6 style="color: #222222; font-family: 'PT Sans', sans-serif; font-size: 22px; line-height: 28px; margin: 25px 0px 27px; text-rendering: optimizeLegibility;"> <strong>About SSH Server:</strong></h6> <h1 class="entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: 'Roboto Condensed', sans-serif; font-size: 34px; font-weight: normal; line-height: 40px; margin: 17px 0px 7px; text-rendering: optimizeLegibility; word-wrap: break-word;"> <div class="wpb_row row-fluid" style="color: #262626; font-family: 'PT Sans', sans-serif; font-size: 15px; line-height: 23px; width: 699.96875px;"> <div class="span12 wpb_column column_container" style="box-sizing: border-box; float: left; margin-left: 0px; min-height: 31px; position: relative; width: 699.96875px;"> <div class="wpb_wrapper"> <div class="td_block_wrap td_text_with_title" style="padding-bottom: 20px !important; position: relative;"> <div class="td_mod_wrap" style="margin-bottom: 15px;"> <div style="margin-bottom: 23px; position: relative; top: -9px;"> </div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> An SSH server is a software program which uses the secure shell protocol to accept connections from remote computers. SFTP/SCP file transfers and remote terminal connections are popular use cases for an SSH server. This article compares a selection of popular servers.<br /> Embedded Security With SSH</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>Service</strong>: sshd<br /> <strong>Port</strong> : 80<br /> <strong>Config File:</strong> /etc/sshd/sshd-config</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> ———————————————————————-<br /> <strong>Changing default port</strong><br /> Everybody knows that ssh works on port no 22 and root  user is able to login by default. We can change port no  for that, go to config file</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> # vi /etc/ssh/sshd_config<br /> #Port 22 <span style="color: red;"><– change port</span><br /> <strong>Port 6987</strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>Listen Port  192.168.1.254:6987</strong> <span style="color: red;"> <— it allows port 6987 for ssh on IP 192.168.1.254</span></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <br /></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>Disable root login</strong><br /> By enabling this feature , root can not login , we have to access ssh through another user, then switch user to root , for that search</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>PermitRootLogin</strong><br /> In the config file and modify<br /> #PermitRootLogin yes<br /> <strong>PermitRootLogin no</strong>  <span style="color: red;"> <— modify here and allow only some user to login through ssh</span></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>AllowUsers vikas prabhat</strong>  <span style="color: red;"> < —  add this lines</span></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>UsePAM  yes </strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> Banner  “warning ….”    <span style="color: red;"><– always user ssh banner to warn users from unsolicited works</span></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>#LoginGraceTime 2m</strong>   <span style="color: red;"><— login grace time is 2 min by default, we can reduce it</span></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>#MaxAuthTries 6 </strong>  <span style="color: red;"><–maximum password retries, 3 is idle ..here 6 is default</span></div> </div> </div> </div> </div> </div> </h1> <h4 class="block-title" style="border-bottom-color: rgb(77, 178, 236); border-bottom-style: solid; border-bottom-width: 2px; color: #222222; font-family: 'PT Sans', sans-serif; font-size: 28px; line-height: 34px; margin: 25px 0px 27px; position: relative; text-rendering: optimizeLegibility;"> <span style="background-color: #4db2ec; color: white; font-family: 'Roboto Condensed', sans-serif; padding: 3px 10px; z-index: 1;">/etc/nologin</span></h4> <h1 class="entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: 'Roboto Condensed', sans-serif; font-size: 34px; font-weight: normal; line-height: 40px; margin: 17px 0px 7px; text-rendering: optimizeLegibility; word-wrap: break-word;"> <div class="wpb_row row-fluid" style="color: #262626; font-family: 'PT Sans', sans-serif; font-size: 15px; line-height: 23px; width: 699.96875px;"> <div class="span12 wpb_column column_container" style="box-sizing: border-box; float: left; margin-left: 0px; min-height: 31px; position: relative; width: 699.96875px;"> <div class="wpb_wrapper"> <div class="td_block_wrap td_text_with_title" style="padding-bottom: 20px !important; position: relative;"> <div class="td_mod_wrap" style="margin-bottom: 15px;"> <strong>/etc/nologin</strong><br /> <div style="margin-bottom: 23px; position: relative; top: -9px;"> </div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> Create this file to disallow user logins and notify users when a system will be unavailable for an extended period of time because of a system shutdown or routine maintenance.</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> If a user attempts to log in to a system where this file exists, the contents of the nologin file is displayed, and the user login is terminated. Superuser logins are not affected</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> This file is not there by default, we have to create it, this is a blank file only, protect all non root users to login. This option does not effect on existing non root users ,who are already logged in.</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> </div> </div> </div> </div> </div> </div> </h1> <h4 class="block-title" style="border-bottom-color: rgb(77, 178, 236); border-bottom-style: solid; border-bottom-width: 2px; color: #222222; font-family: 'PT Sans', sans-serif; font-size: 28px; line-height: 34px; margin: 25px 0px 27px; position: relative; text-rendering: optimizeLegibility;"> <span style="background-color: #4db2ec; color: white; font-family: 'Roboto Condensed', sans-serif; padding: 3px 10px; z-index: 1;">Secure terminal in Linux : /etc/securetty</span></h4> <h1 class="entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: 'Roboto Condensed', sans-serif; font-size: 34px; font-weight: normal; line-height: 40px; margin: 17px 0px 7px; text-rendering: optimizeLegibility; word-wrap: break-word;"> <div class="wpb_row row-fluid" style="color: #262626; font-family: 'PT Sans', sans-serif; font-size: 15px; line-height: 23px; width: 699.96875px;"> <div class="span12 wpb_column column_container" style="box-sizing: border-box; float: left; margin-left: 0px; min-height: 31px; position: relative; width: 699.96875px;"> <div class="wpb_wrapper"> <div class="td_block_wrap td_text_with_title" style="padding-bottom: 20px !important; position: relative;"> <div class="td_mod_wrap" style="margin-bottom: 15px;"> # vi /etc/securetty<br /> console<br /> vc/1<br /> vc/2<br /> vc/3<br /> vc/4<br /> vc/5<br /> vc/6<br /> vc/7<br /> vc/8<br /> vc/9<br /> vc/10<br /> vc/11<br /> tty1<br /> tty2<br /> tty3<br /> tty4<br /> <strong>#tty5</strong>   <span style="color: red;"><—-modified  line </span><br /> tty6<br /> tty7<br /> tty8<br /> tty9<br /> tty10<br /> tty11<br /> <div style="margin-bottom: 23px; position: relative; top: -9px;"> </div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> root can login in every terminal by default, if we modify this file <strong>/etc/securetty</strong> ,  <strong>#tty5</strong>  for example, root cannot login  in this terminal.</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> Note: <strong>/etc/securetty</strong> and <strong>/etc/nologin</strong> is controlled by  pam.d , If<strong> /etc/nologin</strong> file is created, then pam modules <strong>pan_nologin</strong> deny to all non-root users to login locally. As you can see in third line of<strong>/ete/pam.d/login</strong> file, <strong>pam_securetty</strong> modules checks the <strong>/etc/securetty</strong> file, which terminal are available to root. If terminal is not available in this file then<strong> pam_securetty module</strong> deny to login on unavailable terminal to root user.</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong># vi /ete/pam.d/login</strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> #%PAM-1.0<br /> auth [user_unknown=ignore success=ok ignore=ignore default=bad] <span style="color: red;">pam_securetty.so</span><br /> auth include system-auth<br /> <span style="color: red;">account required pam_nologin.so</span><br /> account include system-auth<br /> password include system-auth<br /> # pam_selinux.so close should be the first session rule<br /> session required pam_selinux.so close<br /> session required pam_loginuid.so<br /> session optional pam_console.so<br /> # pam_selinux.so open should only be followed by sessions to be executed in the user context<br /> session required pam_selinux.so open<br /> session required pam_namespace.so<br /> session optional pam_keyinit.so force revoke<br /> session include system-auth<br /> session optional pam_ck_connector.so</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> </div> </div> </div> </div> </div> </div> </h1> <h4 class="block-title" style="border-bottom-color: rgb(77, 178, 236); border-bottom-style: solid; border-bottom-width: 2px; color: #222222; font-family: 'PT Sans', sans-serif; font-size: 28px; line-height: 34px; margin: 25px 0px 27px; position: relative; text-rendering: optimizeLegibility;"> <span style="background-color: #4db2ec; color: white; font-family: 'Roboto Condensed', sans-serif; padding: 3px 10px; z-index: 1;">VSFTPD Server Security</span></h4> <h1 class="entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: 'Roboto Condensed', sans-serif; font-size: 34px; font-weight: normal; line-height: 40px; margin: 17px 0px 7px; text-rendering: optimizeLegibility; word-wrap: break-word;"> <div class="wpb_row row-fluid" style="color: #262626; font-family: 'PT Sans', sans-serif; font-size: 15px; line-height: 23px; width: 699.96875px;"> <div class="span12 wpb_column column_container" style="box-sizing: border-box; float: left; margin-left: 0px; min-height: 31px; position: relative; width: 699.96875px;"> <div class="wpb_wrapper"> <div class="td_block_wrap td_text_with_title" style="padding-bottom: 20px !important; position: relative;"> <div class="td_mod_wrap" style="margin-bottom: 15px;"> <strong>About vsftpd server:</strong><br /> <div style="margin-bottom: 23px; position: relative; top: -9px;"> </div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> vsftpd, (or very secure FTP daemon), is an FTP server for Unix-like systems, including Linux.</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> Service:  vsftpd<br /> Port: 20/21<br /> Config File: /etc/vsftpd/vsftpd.conf</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> ————————————————–<br /> <strong>Embeded Security with vsftpd server</strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> security options are already given in config file</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>pam_service_name=vsftpd</strong><br /> <strong>userlist_enable=YES <span style="color: red;"><– control by /etc/vsftpd/userlist</span></strong><br /> <strong>tcp_wrappers=YES</strong>  <strong><span style="color: red;"><–control by /etc/host.allow and /etc/host.deny</span></strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> go to /etc/vsftpd</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> # <strong>vi /etc/vsftpd/userlist</strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> # vsftpd userlist<br /> # If<span style="color: red;"> userlist_deny=NO</span>, only allow users in this file<br /> # If <span style="color: red;">userlist_deny=YES</span> (default), never allow users in this file, and<br /> # do not even prompt for a password.<br /> # <span style="color: red;">Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers</span><br /> # for users that are denied.<br /> root<br /> bin<br /> daemon<br /> adm<br /> lp<br /> sync<br /> shutdown<br /> halt<br /> mail<br /> news<br /> uucp<br /> operator<br /> games<br /> nobody</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> ———————————————————-</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> modify /etc/vsftpd/vsftpd.conf  at the bottom of the file</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> pam_service_name=vsftpd<br /> userlist_enable=YES<br /> <strong>userlist_deny=NO</strong>  <—place this file here<br /> tcp_wrappers=YES</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>Note: userlist_deny=NO</strong>  here means only allow users mentioned in the file /etc/vsftpd/userlist, if we modify like this</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> # vi /etc/vsftpd/userlist</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> # vsftpd userlist<br /> # If userlist_deny=NO, only allow users in this file<br /> # If userlist_deny=YES (default), never allow users in this file, and<br /> # do not even prompt for a password.<br /> # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers<br /> # for users that are denied.<br /> #root<br /> #bin<br /> #daemon<br /> #adm<br /> #lp<br /> #sync<br /> #shutdown<br /> #halt<br /> #mail<br /> #news<br /> #uucp<br /> #operator<br /> #games<br /> #nobody<br /> <strong><span style="color: black;">vikas</span> </strong>   <span style="color: red;"><—–comment all and placed this two line</span>s<br /> <strong><span style="color: black;">prabhat</span></strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> this means, user prabhat and vikas can only use ftp service now, other users are denied. ( all users are allowed by default except root)</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> Other Securities</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>anonymous_enable=YES</strong><br /> <strong>local_enable=YES</strong><br /> <strong>anon_mkdir_write_enable=YES</strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> we can control ftp by using this lines, enable disable anonymous ftp ( ftpd without username and password )<br /> ——————————————————————————-</div> </div> </div> </div> </div> </div> </h1> <h5 style="color: #222222; font-family: 'PT Sans', sans-serif; font-size: 25px; line-height: 32px; margin: 25px 0px 27px; text-rendering: optimizeLegibility;"> Disable Linux FTP User Account</h5> <h1 class="entry-title" itemprop="name" style="background-color: white; color: #222222; font-family: 'Roboto Condensed', sans-serif; font-size: 34px; font-weight: normal; line-height: 40px; margin: 17px 0px 7px; text-rendering: optimizeLegibility; word-wrap: break-word;"> <div class="wpb_row row-fluid" style="color: #262626; font-family: 'PT Sans', sans-serif; font-size: 15px; line-height: 23px; width: 699.96875px;"> <div class="span12 wpb_column column_container" style="box-sizing: border-box; float: left; margin-left: 0px; min-height: 31px; position: relative; width: 699.96875px;"> <div class="wpb_wrapper"> <div class="td_block_wrap td_text_with_title" style="padding-bottom: 20px !important; position: relative;"> <div class="td_mod_wrap" style="margin-bottom: 15px;"> <div style="margin-bottom: 23px; position: relative; top: -9px;"> If you have vsftp server  add user to /etc/vsftpd/ftpusers (VSFTPD) file</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>#/etc/vsftpd/ftpusers</strong><br /> gopal<br /> shahzad</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> this will protect user gopal and shahzad to use ftp service<br /> ————————————————————————–</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>Deny uploading files to ftp share</strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> deny_file={*.mp3,*.wma,*.rpm,*.private,*.text}</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> —————————————————————————</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>Allow interface IP to listen FTP request</strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> listen_address=192.168.0.254 192.168.0.251<br /> —————————————————————————–</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <span style="color: black;"><strong>Change default Port ( 20,21 ) to specific Port like 2121</strong></span><strong><u> </u></strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> listen_port=2121<br /> ——————————————————————————-</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>Place the FTP Directory on its Own Partition</strong></div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> Separation of the operating system files from FTP users files may result into a better and secure system. Restricting the growth of certain file systems is possible using various techniques. For example, use /ftp partition to store all ftp home directories and mount ftp with nosuid, nodev and noexec options. A sample<strong>/etc/fstab</strong> entry:</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> /dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> —————————————————————————</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> <strong>To lock down users to their home directories:</strong><br /> chroot_local_user=NO</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> ——————————————————————</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> You can create warning banners for all FTP users, by defining the path:</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> banner_file=/etc/vsftpd/banner</div> <div style="margin-bottom: 23px; position: relative; top: -9px;"> create your own banner</div> </div> </div> </div> </div> </div> </h1> </div>

Linux Security: OS & Service Level Security in Linux Part-1

Linux Security > OS & Service Level Security in Linux > sshd  server SSH Server security About SSH Server: ...

Read more »