| Policy | Home user | Server |
| --- | --- | --- |
| Disable SSH | ✔ | x |
| Disable SSH root access | x | ✔ |
| Change SSH port | x | ✔ |
| Disable SSH password login | x | ✔ |
| Iptables | ✔ | ✔ |
| IDS (Intrusion Detection System) | x | ✔ |
| BIOS Security | ✔ | ✔ |
| Disk Encryption | ✔ | x/✔ |
| System update | ✔ | ✔ |
| VPN (Virtual Private Network) | ✔ | x |
| Enable SELinux | ✔ | ✔ |
| Common Practices | ✔ | ✔ |
- SSH Access
- Firewall (iptables)
- Intrusion Detection System (IDS)
- BIOS Security
- Hard disk encryption
- System update
- VPN (Virtual Private Network)
- Enable SELinux (Security-Enhanced Linux)
- Common Practices
SSH Access
Home users:
Home users rarely use SSH: dynamic IP addresses and router NAT configurations have made alternatives based on reverse connections, like TeamViewer, more attractive. When a service is unused its port must be closed, both by disabling or removing the service and by applying restrictive firewall rules.
Servers:
Unlike home users, workers who access different servers and network administrators are frequent SSH/SFTP users. If you must keep your SSH service enabled, take the following measures:
- Disable root access through SSH.
- Disable password login.
- Change the SSH port.
Common SSH Configuration Options Ubuntu
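As an added example (not code from the original article), a small POSIX shell audit that checks an sshd_config for the three measures above. It assumes OpenSSH semantics: the first value seen for an option wins, directives inside a Match block are ignored, and the defaults are PermitRootLogin prohibit-password, PasswordAuthentication yes and Port 22; the two sample configs are constructed.

```shell
#!/bin/sh
# Audit an sshd_config for the three measures above: root login, password
# login and the listening port. Assumed OpenSSH semantics: the first value
# seen for an option wins, directives inside a Match block are ignored, and
# defaults are PermitRootLogin prohibit-password, PasswordAuthentication yes, Port 22.

# Print the effective value of option $2 in file $1 (empty if unset).
sshd_opt() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }                # stop at conditional blocks
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one line per weak setting in file $1; prints nothing when hardened.
audit_sshd_config() {
    root="$(sshd_opt "$1" PermitRootLogin)"
    [ "${root:-prohibit-password}" = "no" ] ||
        echo "PermitRootLogin ${root:-prohibit-password}: set 'PermitRootLogin no'"
    pw="$(sshd_opt "$1" PasswordAuthentication)"
    [ "${pw:-yes}" = "no" ] ||
        echo "PasswordAuthentication ${pw:-yes}: set it to no and use keys"
    port="$(sshd_opt "$1" Port)"
    [ "${port:-22}" != "22" ] || echo "Port 22: move sshd to a non-default port"
}

# Constructed sample configs (not from a real host) to exercise the audit.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
# Debian-style defaults: commented lines are not in effect
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

dir="$(mktemp -d)"
write_sample_configs "$dir"
for f in weak hardened; do
    echo "== $f.conf"; audit_sshd_config "$dir/$f.conf"
done
rm -rf "$dir"
```

Run it against /etc/ssh/sshd_config with `audit_sshd_config /etc/ssh/sshd_config` and apply the changes with `sudo systemctl reload ssh` afterwards; keep a second session open until key login is confirmed to work.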
Iptables
Iptables is the interface for managing netfilter, the kernel framework in which firewall rules are defined. Home users may prefer UFW (Uncomplicated Firewall), a frontend for iptables that makes creating firewall rules easy. Whichever interface you use, the point is that the firewall is among the first changes to apply, immediately after setup. Depending on your desktop or server needs, the most recommended approach for security is a restrictive policy that allows only what you need and blocks the rest. Iptables will be used to redirect the SSH port 22 to a different one, block unnecessary ports, filter services and set rules against known attacks.
For more information on iptables check: Iptables for beginners
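As an added example (not from the original article), a script that generates the restrictive ruleset described above in iptables-restore format. The alternate SSH port 2222, the exposed services 80/443 and the rate limit are assumptions; the REDIRECT rule keeps sshd on 22 while clients connect to 2222, and the conntrack `--ctorigdstport` match makes the filter accept only SSH connections that arrived on the public port.

```shell
#!/bin/sh
# Generate a restrictive IPv4 ruleset in iptables-restore format: default DROP
# on INPUT and FORWARD, loopback and established traffic allowed, only the
# listed TCP services exposed, SSH accepted on an alternate public port that
# netfilter redirects to sshd on 22, and new SSH connections rate-limited.
# Added example; the port numbers and service list are assumptions.

SSH_PUBLIC_PORT=${SSH_PUBLIC_PORT:-2222}   # port clients connect to
SSH_LOCAL_PORT=${SSH_LOCAL_PORT:-22}       # port sshd actually listens on

# Print the ruleset; arguments are the TCP service ports to expose (e.g. 80 443).
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# clients use $SSH_PUBLIC_PORT; sshd keeps listening on $SSH_LOCAL_PORT
-A PREROUTING -p tcp --dport $SSH_PUBLIC_PORT -j REDIRECT --to-ports $SSH_LOCAL_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# malformed TCP used by null and xmas scans
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# SSH: only connections whose original destination was the public port, at most 4 new per minute per source
-A INPUT -p tcp --dport $SSH_LOCAL_PORT -m conntrack --ctstate NEW --ctorigdstport $SSH_PUBLIC_PORT -m recent --set --name ssh
-A INPUT -p tcp --dport $SSH_LOCAL_PORT -m conntrack --ctstate NEW --ctorigdstport $SSH_PUBLIC_PORT -m recent --update --seconds 60 --hitcount 5 --name ssh -j DROP
-A INPUT -p tcp --dport $SSH_LOCAL_PORT -m conntrack --ctstate NEW --ctorigdstport $SSH_PUBLIC_PORT -j ACCEPT
EOF
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the ruleset; redirect it to a file and load it as root with:
#   iptables-restore < rules.v4   (IPv6 needs a matching ip6tables ruleset)
gen_ruleset 80 443
```

Load it from a console session or with the current SSH connection already established (the ESTABLISHED rule keeps it alive), and verify with `iptables -S` before saving it persistently.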
Intrusion Detection System (IDS)
Due to the high resources they require, IDS are not used by home users, but they are a must on servers exposed to attacks. An IDS brings security to the next level by analyzing packets. The best-known IDS are Snort and OSSEC, both previously explained at LinuxHint. An IDS analyzes traffic over the network looking for malicious packets or anomalies; it is a network monitoring tool oriented to security incidents. For instructions on installation and configuration of the 2 most popular IDS solutions check:
Configure Snort IDS and Create Rules
Getting started with OSSEC (Intrusion Detection System)
BIOS Security
Rootkits, malware and server BIOS with remote access represent additional vulnerabilities for servers and desktops. The BIOS can be compromised through code executed from the OS or through update channels, to gain unauthorized access or to tamper with information like security backups.
Keep BIOS update mechanisms up to date and enable BIOS Integrity Protection.
Understanding the Boot process — BIOS vs UEFI
Hard disk Encryption
This measure is more relevant to desktop users who may lose their computer or be a theft victim; it is especially useful for laptop users. Today almost every OS supports disk and partition encryption, and distributions like Debian allow encrypting the hard disk during the installation process. For instructions on disk encryption check: How to Encrypt a Drive on Ubuntu 18.04
System update
Both desktop users and sysadmins must keep the system up to date to prevent vulnerable versions from offering unauthorized access or execution. In addition to using the OS-provided package manager to check for available updates, running vulnerability scans may help to detect vulnerable software that wasn't updated in official repositories, or vulnerable code that needs to be rewritten. Below are some tutorials on updates:
- How to Keep Ubuntu 17.10 up to Date
- Linux Mint How to Update System
- How to Update All Packages on elementary OS
VPN (Virtual Private Network)
Internet users must be aware that ISPs monitor all their traffic, and the only way to avoid this is using a VPN service. The ISP is able to monitor the traffic to the VPN server but not from the VPN to the destinations. Due to speed issues paid services are the most recommendable, but there are good free alternatives like https://protonvpn.com/.
Enable SELinux (Security-Enhanced Linux)
SELinux is a set of Linux kernel modifications focused on enforcing security policies by adding MAC (Mandatory Access Control), RBAC (Role-Based Access Control), MLS (Multi-Level Security) and MCS (Multi-Category Security). When SELinux is enabled, an application can only access the resources specified in the security policy for that application. Access to ports, processes, files and directories is controlled through rules defined in SELinux, which allow or deny operations based on the security policies. Ubuntu uses AppArmor as an alternative.
Common Practices
Almost always, security failures are due to user negligence. In addition to all the points enumerated previously, follow these practices:
- Do not use root unless necessary.
- Never use X Windows or browsers as root.
- Use password managers like LastPass.
- Use strong and unique passwords only.
- Try not to install non-free packages or packages unavailable in official repositories.
- Disable unused modules.
- On servers enforce strong passwords and prevent users from using old passwords.
- Uninstall unused software.
- Don't use the same passwords for different accesses.
- Change all default access usernames.
I hope you found this article useful to increase your security. Keep following LinuxHint for more tips and updates on Linux and networking.