Security Lockdown for Linux
Automatic updates
If you’re using Ubuntu you can do this by editing /etc/apt/apt.conf.d/50unattended-upgrades
. Running out of date packages with security holes is a good way to get your machine pwnd.
Remove unused software
Every piece of software installed on your system provides one more attack point for malicious users. You should inventory your system and remove anything you don’t need. E.g. to remove Ubuntu One from your system:
sudo apt-get purge ubuntuone*
Secure SSH
Edit /etc/ssh/sshd_config
:
PermitRootLogin no
AllowUsers bmccann nx gitolite
You may also disable password authentication and replace it with public key authentication:
PasswordAuthentication no
PubkeyAuthentication yes
Restart the SSH daemon:
sudo service ssh restart
or
sudo /etc/init.d/ssh restart
This disallows login via password and instead replaces it with login via public/private key pair. To setup your public key encryption run ssh-keygen on the client and put ~/.ssh/id_rsa.pub
from the client into ~/.ssh/authorized_keys
on server.
Sometimes while messing around with SSH settings, you’ll lock yourself out. I this case it’s nice to use the -v
option with the ssh client.
You can also setup shortcuts in ~/.ssh/config
. E.g. the shortcut below turns ssh gitolite into an alias for ssh -l gitolite -p 77777 bensdynamicdns.getmyip.com.
Host gitolite
User gitolite
Hostname bensdynamicdns.getmyip.com
Port 77777
IdentityFile ~/.ssh/id_rsa
Secure NX
If you’d like to setup NX in a secure manner, you can follow these instructions.
Secure MySQL
Run mysql_secure_installation
Install fail2ban
- Install fail2ban by running sudo apt-get install fail2ban, which will lockout users who repeatedly try to access your system by guessing passwords.
- Make your own copy of the configuration file: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Check if fail2ban is running properly: sudo fail2ban-client status
More
Andrew Ault and CyberCiti wrote good articles as well.
The NSA has a comprehensive guide to securing a Linux system
Wow thanks for this. I’ve been trying to figure out how to get NX running again after securing SSH, and this post helped a lot.
The only addition I would make is that when you add the line “AllowUsers nx” to the sshd_config, you also need to add the user that you will be logging in as (i.e. AllowUsers nx bmccann). When you set AllowUsers, it will ONLY allow the ones listed there, so your SSH will suddenly stop working unless you also add your username.
I got stuck on that for a long time, and couldn’t figure out what was wrong.