Linux Security 101: General Principles & Guidelines
If you didn't catch the previous article, click here
We will now go over some security principles & guidelines. We won't get very specific in this post, but it will help you get a few things straight in your head.
These can be used when you don't know what to do, security-wise. Ask yourself questions based on the principles/guidelines below, and do what you think is best! Don't be afraid to search around the web and ask!
I've already mentioned some of them in the introduction post, but it will be great to have almost everything gathered here!
Keep installed & running software to a bare minimum!
If you don't need a piece of software, do not install it. If you installed it, used it once but you won't use it again, remove it.
Some packages include what we refer to as a "service" or a "daemon": a process that runs in the background, either waiting for input (web servers & mail servers are a great example) or doing things when it needs to (cron jobs).
The more services you run and packages you install, the more security holes you may be introducing!
Different services on different systems
If you are running various services that are critical for you, make sure to run them on different systems. Either use different servers, or learn about virtualisation and put each service in a different container. The most popular virtualisation systems are OpenVZ, KVM and Xen. Do some research and find which one is better suited for your case. If, for example, you run a web server with your blog and a VPN to securely access some other parts of your server, and your web server gets compromised, chances are that the attacker will access your VPN as well.
Data transmission encryption
Using secure protocols to do your job (HTTPS, rsync, SSH, SFTP) minimises the chances of being compromised. Insecure protocols (such as HTTP, Telnet, FTP), on the other hand, leave you exposed to eavesdropping and man-in-the-middle attacks.
Avoid shared accounts
If there are multiple people accessing a server, each one should have their own account. The same goes for services. Go the extra mile and give Apache2 its own user instead of running it under the same account as any other software.
Otherwise, accountability is thrown out of the window. As an administrator, if you hold user A accountable because he overlooked a detail, and the account is not shared, he will not do it again. But if the account is shared, he will think twice before overlooking something.
Root access
Do not use the root account directly! This is a no-brainer. Create a standard user account and give yourself root access some other way (note: creating an administrator account for yourself is the same thing as using the root account).
ALWAYS log in as a standard user.
Also, be sure not to give root access to any daemons, or to people who may not know what they are doing.
Account maintenance
This is a usually overlooked area.
Disable remote logins for service accounts. You don't have to log in as "www-data" on your server; log in with your own account and then switch to "www-data".
Disable and/or remove accounts that people no longer use. It will take you a few seconds to recreate or re-enable an account if it's needed again.
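A quick way to find service accounts that can still be logged into is to audit the passwd file for system accounts whose login shell is interactive. The script below is an added example, not code from the original post; it works on a constructed passwd sample, assumes the Debian convention that UIDs below 1000 belong to service accounts, and only prints the commands a root user would run to lock such accounts down rather than running them.

```shell
#!/usr/bin/env bash
# Audit a passwd(5)-style file for service accounts that still have an
# interactive shell, and print the commands that would lock them down.

# Constructed sample (not from a real system): a mix of service and human accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
postgres:x:115:120:PostgreSQL:/var/lib/postgresql:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
dimitris:x:1000:1000:Dimitris:/home/dimitris:/bin/bash'

# Print the names of service accounts (UID below uid_min, excluding root)
# whose shell is neither nologin nor /bin/false. Assumption: uid_min=1000
# (Debian/Ubuntu); pass a second argument for distros that use 500.
service_accounts_with_shell() {
  uid_min="${2:-1000}"
  printf '%s\n' "$1" | awk -F: -v min="$uid_min" '
    $3 != 0 && $3 < min && $7 !~ /nologin$/ && $7 !~ /\/bin\/false$/ { print $1 }'
}

# Command that removes the interactive shell from a service account (run as root).
lockdown_command() {
  printf 'usermod -s /usr/sbin/nologin %s\n' "$1"
}

# Commands that disable a human account nobody uses anymore without deleting
# it: lock the password and expire the account so SSH keys stop working too.
disable_account_commands() {
  printf 'usermod -L %s\nchage -E 0 %s\n' "$1" "$1"
}

# Stand-alone run: show what would be done for the sample file.
service_accounts_with_shell "$SAMPLE_PASSWD" | while read -r acct; do
  lockdown_command "$acct"
done
```

On a real host feed it `"$(cat /etc/passwd)"` instead of the sample. Once `www-data` has `nologin` as its shell, `sudo -u www-data -s` no longer works, which is the point; switch to it with `sudo -u www-data /bin/sh` when you actually need to run something as that user.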
Passwords
Using multi-factor auth can greatly increase the security of your server/computer.
Add OTPs (one-time passwords), either generated and sent to the user via email or SMS, or generated by an app such as Google Authenticator or Authy.
Enforce strong passwords! The password "IamDimitrisAndIloveSteemit" may seem secure, but there are various brute-forcing methods with which a hacker could generate that password almost immediately. Replacing letters with numbers and adding special characters can and will make a difference: for example, "1amD1mi7ri54nd1l0v3St33m17$" is not so easily guessed. Using longer passwords also adds to security.
Another option is to disable password logins for SSH altogether and use key-based auth instead.
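The two SSH-related points above (no direct root login, key-based auth instead of passwords) are both settings in sshd_config, and a commented-out line silently falls back to the OpenSSH default, which for password logins is "yes". The checker below is an added example, not from the original post: it reads a constructed sshd_config, resolves each option the way sshd does (first uncommented occurrence wins, default otherwise; the defaults assumed are those documented for OpenSSH 7 and later) and reports the weak settings.

```shell
#!/usr/bin/env bash
# Report sshd_config settings that still allow root or password logins.

# Constructed sample (hypothetical, not from any real server). Note that
# PasswordAuthentication is commented out, so sshd's default ("yes") applies.
SAMPLE_SSHD_CONFIG='# sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# The fragment this section recommends; drop it into /etc/ssh/sshd_config.
HARDENED_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

# Effective value of an option: first non-comment match wins (as in sshd),
# otherwise the supplied default. Match blocks are not handled (see note).
sshd_option() {
  cfg="$1"; key="$2"; default="$3"
  val=$(printf '%s\n' "$cfg" | awk -v k="$key" '
    $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(k) { print $2; exit }')
  printf '%s\n' "${val:-$default}"
}

# One line per weak setting; empty output means the checked items are fine.
# Defaults in the second argument follow sshd_config(5).
sshd_weak_settings() {
  cfg="$1"
  [ "$(sshd_option "$cfg" PermitRootLogin prohibit-password)" = "yes" ] &&
    echo "PermitRootLogin yes: root can log in directly"
  [ "$(sshd_option "$cfg" PasswordAuthentication yes)" = "yes" ] &&
    echo "PasswordAuthentication yes: brute-forceable password logins allowed"
  [ "$(sshd_option "$cfg" ChallengeResponseAuthentication yes)" = "yes" ] &&
    echo "ChallengeResponseAuthentication yes: keyboard-interactive password prompts still allowed"
  [ "$(sshd_option "$cfg" PubkeyAuthentication yes)" = "no" ] &&
    echo "PubkeyAuthentication no: key-based login disabled"
  return 0
}

# Stand-alone run against the sample.
sshd_weak_settings "$SAMPLE_SSHD_CONFIG"
```

On a real host run `sshd_weak_settings "$(cat /etc/ssh/sshd_config)"`. After editing the file, validate it with `sshd -t` before reloading the service, and keep your current session open until a second key-based login succeeds, because a mistake here locks you out. The checker ignores `Match` blocks, so an option inside one that re-enables passwords for a user or address range will not be reported; `sshd -T` prints the fully resolved configuration if you need that.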
Principle of Least Privilege/Authority
The principle means giving a user account only those privileges which are essential to perform its intended function. For example, a user account for the sole purpose of creating backups does not need to install software: hence, it has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle also applies to a personal computer user who usually works in a normal user account, and opens a privileged, password-protected account (that is, a superuser) only when the situation absolutely demands it.
Some examples:
Give the bare-minimum privileges needed for someone to do their job.
Escalate to root with sudo when needed, instead of logging in as root.
Avoid running services as the root user.
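The backup-account example above maps directly onto a sudoers rule: the account may run exactly one root-owned script, with no arguments, and nothing else. The snippet below is an added example rather than code from the post; the user name "backup" and the script path /usr/local/sbin/run-backup are hypothetical, and the install step needs root.

```shell
#!/usr/bin/env bash
# Least privilege with sudo: one account, one command, nothing else.

# Build the sudoers line. The command is an exact path followed by "" (an
# empty argument list), so the user cannot pass extra arguments; wildcards
# or an editor in this position are classic ways such a rule turns into
# full root. Defaults are the hypothetical names from the lead-in.
backup_sudoers_rule() {
  user="${1:-backup}"; script="${2:-/usr/local/sbin/run-backup}"
  printf '%s ALL=(root) NOPASSWD: %s ""\n' "$user" "$script"
}

# Install the rule as its own file under /etc/sudoers.d (run as root).
# visudo -c parses the file first: a syntax error in sudoers can lock every
# administrator out of sudo, so never skip the check.
install_sudoers_rule() {
  user="${1:-backup}"
  target="/etc/sudoers.d/$user"
  tmp=$(mktemp)
  backup_sudoers_rule "$@" > "$tmp"
  if visudo -cf "$tmp"; then
    install -m 0440 -o root -g root "$tmp" "$target"
  else
    echo "refusing to install $target: sudoers syntax check failed" >&2
  fi
  rm -f "$tmp"
}

# Stand-alone run: show the rule that would be installed.
backup_sudoers_rule
```

The script itself must be owned by root and not writable by the backup user (for example `chmod 0755` with root ownership), otherwise the user simply edits the script and the rule grants root anyway. Test the result as the restricted user with `sudo -l`, which lists exactly what that account may run.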
Monitor System Activity
Review your log files regularly. If you find nothing wrong, clean them up (logrotate will do the job).
If possible, keep a copy of the old logs in a remote location.
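Reviewing logs is easier with a small script that does the counting for you. The one below is an added example, not from the original post: it summarises failed SSH password attempts per source address from auth-log lines in the standard syslog/sshd format, using a few constructed lines as input, and flags addresses above a threshold so you know what to look at first.

```shell
#!/usr/bin/env bash
# Summarise failed SSH logins per source address from auth log lines.

# Constructed sample lines (not from a real host); addresses are from the
# documentation ranges and the key fingerprint is a placeholder.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51230 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51231 ssh2
Mar  3 10:01:19 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:40 web1 sshd[2110]: Accepted publickey for dimitris from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Mar  3 10:05:02 web1 sshd[2120]: Failed password for dimitris from 198.51.100.20 port 40030 ssh2
Mar  3 10:07:55 web1 CRON[2130]: (root) CMD (run-parts /etc/cron.hourly)'

# Count "Failed password" events per source IP, most frequent first.
# Output: one "<count> <ip>" line per address. Only sshd lines are
# considered, so cron and other daemons' lines are ignored.
failed_logins_by_ip() {
  printf '%s\n' "$1" | awk '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses with at least <threshold> failures (default 3): the ones worth
# a firewall rule or a fail2ban-style response rather than a shrug.
suspicious_sources() {
  failed_logins_by_ip "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# Stand-alone run against the sample.
failed_logins_by_ip "$SAMPLE_AUTH_LOG"
```

On Debian/Ubuntu the input is /var/log/auth.log (or `journalctl -u ssh --no-pager` on systemd hosts), so `suspicious_sources "$(cat /var/log/auth.log)"` gives the daily list. For the remote copy the section recommends, the simplest route consistent with the earlier advice on secure protocols is `rsync -a /var/log/ user@loghost:/srv/logs/web1/` over SSH from a cron job, or rsyslog forwarding with a line such as `*.* @@loghost:514` so the copy exists before an attacker can edit the local file.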
Use a firewall
Using a firewall to block incoming connections to services that you don't want exposed is a great way to increase security.
Linux already comes with a powerful firewall, iptables. It's not very easy to master, but it can do wonders! You can always use a frontend, such as ufw.
Allow incoming connections only from trusted sources. If you have a static IP at home, you can restrict connections to your server to that IP address only.
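Here is what "default deny, allow only what you need, and SSH only from your own address" looks like as an iptables ruleset. This is an added example, not configuration from the original post; the trusted address 203.0.113.10 is a hypothetical documentation address, and applying the rules needs root.

```shell
#!/usr/bin/env bash
# Generate and apply an iptables-restore ruleset: drop all inbound traffic
# except SSH from one trusted address and HTTP/HTTPS from anywhere.

# Write the ruleset for trusted address $1 to file $2.
write_ruleset() {
  trusted="$1"; out="$2"
  cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the trusted address; any other source hits the DROP policy
-A INPUT -p tcp --dport 22 -s $trusted -m conntrack --ctstate NEW -j ACCEPT
# public web services
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# ping, so monitoring keeps working
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Apply atomically (run as root). --test parses the file without loading
# it, so a typo leaves the running rules untouched instead of half-applied.
apply_ruleset() {
  iptables-restore --test "$1" && iptables-restore "$1"
}

# Stand-alone run: generate the ruleset and show it.
RULES_FILE=$(mktemp)
write_ruleset 203.0.113.10 "$RULES_FILE"
cat "$RULES_FILE"
```

Two caveats before applying it on a real server: this covers IPv4 only (ip6tables needs its own ruleset, or the host is wide open over IPv6), and rules loaded this way are gone after a reboot unless you persist them, for example with the iptables-persistent package on Debian/Ubuntu. The same policy in ufw terms is `ufw default deny incoming`, `ufw allow from 203.0.113.10 to any port 22 proto tcp` and `ufw allow 80,443/tcp`; keep your current SSH session open until you have confirmed a new login still works.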
Encrypt your sensitive (and non-sensitive) data
Encryption protects your data at rest, that is, when it is not being processed. Linux distros let you encrypt your home directory so that it can only be accessed with your key. Take advantage of that!
Thanks for reading Security 101: Principles & Guidelines. Upvote and resteem if you liked my post.
Part 3 - Physical Security is now available!
Craving more? Until the next part is available, have a look at my Server 101 series:
- Intro and getting into your server - Single Article
- Basic Server Security - 3 Parts
- Setting up a Web Server - 4 Parts
- Managing Your Server - 4 Parts
- caddy - Lightweight Web Server - 1 Part
- Emailify your server! - 6 Parts
- Setting up a Password-Protected proxy server with Squid - 1 Part
- OpenVPN in less than 2 minutes
- Piwik - Your personal Google Analytics alternative
- Email notifications for SSH Logins
- Keeping your server up to date
Very good principles to go by. But the hardest part is to make it a recurring process.
It's very common to lose track of accounts and services that aren't used anymore, especially on servers used by multiple teams and/or projects.
That's when the trouble starts: nobody has the balls to disable those unknown accounts/services because it might break things.
Hey man, thanks for the great post. Thinking about setting up a computer with Linux if I decide to put more money into crypto.
Also, I'd like to nominate it in a curation group I'm in.
This gem of a post was discovered by the OCD Team!
Reply to this comment if you accept, and are willing to let us share your gem of a post! By accepting this, you have a chance to receive extra rewards and one of your photos in this article may be used in our compilation post!
You can follow @ocd – learn more about the project and see other Gems! We strive for transparency.
Sure, feel free to share :)
Thanks a lot!
Good post, it really encourages me to find like-minded people around here. I will also do same-topic posts here as part of my overall blog approach; you may find me on my first post.
I am now your follower!!!
Very helpful, as all your Linux videos are. Keep them coming :)