Secure Your Linux/Unix Server

If you are permitted to access or maintain sensitive institutional data using a server that you manage, please meet the minimum expectations below.

Note that while the general instructions apply to most Unix/Linux systems, these specific configuration instructions are current for Red Hat Enterprise Linux 6.7.

Configuration and Management

Set a system use or logon notification that references SPG 601.07.

Responsible Use of Information Resources (SPG 601.07) is available online.

To set a banner to appear on every attempted ssh connection before a login attempt:

  1. Open a terminal window and enter the command:
    sudo nano /etc/issue.net
  2. Add a notification message. This, for example, would be a good notification text for a server maintained by the university (/etc/issue.net holds only the text itself):

    *******************************************************************************
    * This is <your Dept/Unit> Network at the University of Michigan.
    * You must be authorized to use these resources. Unauthorized or criminal use
    * is prohibited. By your use of these resources, you agree to abide by
    * "Responsible Use of Information Resources (SPG 601.07)," in addition to all
    * relevant state and federal laws.
    * http://spg.umich.edu/policy/601.07
    *******************************************************************************

  3. Edit the ssh configuration with the command:
    sudo nano /etc/ssh/sshd_config
  4. Look for the line containing "Banner", uncomment it, and point it at the file you just created:
    Banner /etc/issue.net
  5. Exit nano with ctrl+x and press y to save, then restart the SSH daemon (sudo service sshd restart) so the change takes effect. Your message will appear on all attempted logins.

Set your screensaver to activate after a period of inactivity and require your password to unlock it.

Usually a period of 15 minutes or less of inactivity is best for triggering the screensaver.

Use the Gnome environment in Red Hat Linux to set a screensaver:

  1. From the menu bar, select System, then Preferences, then Screensaver. This will open a new window from which you can select a screen saver.
  2. Check the box that says to require a password to unlock the screen saver, and set the time to 15 minutes or less.
  3. Next, set a grace period. From the menu bar, select System, then Brightness and Lock.
  4. Adjust the Lock screen after setting to 5.
  5. For Gnome, use the Gnome screensaver. Note: Configuration may vary by version.
  6. To enforce a screensaver in RHEL6, edit /etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml and add the following entries:
    <entry mtime="1463490116" name="logout_delay" type="int" value="15"></entry>
    <entry mtime="1463490116" name="idle_activation_enabled" type="bool" value="true"></entry>
  7. For additional configurations on systems using xscreensaver, install it with this command:
    sudo yum install xscreensaver
  8. For Debian/Ubuntu, use a command like:
    sudo apt-get install xscreensaver
  9. Edit your screensaver settings with xscreensaver and xscreensaver-demo (they are stored in ~/.xscreensaver).
  10. To set a five-second grace period while xscreensaver is active, add this line to ~/.xscreensaver:
    lockTimeout: 0:00:05
  11. Set the lock time (the timeout setting) to 15 minutes or less.

Install and use anti-virus software.

While not required, it is recommended that you use anti-virus software on your systems. Anti-virus is especially important if Windows or Mac clients upload or download files using a web application, email, and/or file services running on your server. Below are steps for using ClamAV, an available open-source anti-virus option. See the Viruses page for more guidance.

Install ClamAV open source antivirus

  1. Open a terminal window.
  2. To download ClamAV on an RHEL server, first enable the EPEL Repository. The way this is done depends on RHEL version and architecture. (For the appropriate command for your version and architecture, see Tecmint's How to Enable EPEL Repository for RHEL/CentOS 7.x/6.x/5.x.) For example, to activate the EPEL Repository on RHEL 6 with a 64 bit architecture, use this command:
    sudo rpm -ivh epel-release-6-8.noarch.rpm
  3. Install ClamAV using this command:
    sudo yum install clamav clamav-db

Run a basic scan with ClamAV

  • Issue these commands to run a basic scan:
    sudo freshclam
    sudo clamscan -r --bell -i /

Configure daily scans with ClamAV

  1. Open the Daily Clam Options file using this command:
    sudo nano /etc/cron.daily/manual_clamscan
  2. Add the following lines to the file:
    #!/bin/bash
    # Directory to scan and the log that collects the results
    SCAN_DIR="/home"
    LOG_FILE="/var/log/clamav/manual_clamscan.log"
    # -i reports only infected files, -r recurses into subdirectories
    /usr/bin/clamscan -i -r "$SCAN_DIR" >> "$LOG_FILE"
  3. Exit nano with ctrl+x and press y to save, then make the script executable so cron will run it:
    sudo chmod +x /etc/cron.daily/manual_clamscan
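A hardened version of that daily job, added here as an example and not part of the original guide: it refreshes signatures before scanning, keeps a dated log, and maps clamscan's exit code to a syslog message so an infection is reported rather than buried in a log file. The scan directory, log path and binary locations are assumptions.

```shell
#!/bin/bash
# Added example (not from the original guide): a hardened version of the
# /etc/cron.daily/manual_clamscan job above. It refreshes signatures, scans
# the chosen tree, keeps a dated log, and turns clamscan's exit code into a
# syslog message so an infection is not just a line in a file nobody reads.
# The scan directory, log path and binary locations are assumptions.

SCAN_DIR="${SCAN_DIR:-/home}"
LOG_FILE="${LOG_FILE:-/var/log/clamav/manual_clamscan.log}"

# clamscan exit codes: 0 = nothing found, 1 = infected file(s) found,
# anything else = scan error (e.g. missing signature database).
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Syslog priority for a given exit code: an infection is an alert, a
# broken scan is an error worth noticing, a clean run is informational.
scan_priority() {
    case "$(scan_status "$1")" in
        clean)    echo daemon.info ;;
        infected) echo auth.alert ;;
        *)        echo daemon.err ;;
    esac
}

run_daily_scan() {
    mkdir -p "$(dirname "$LOG_FILE")"
    {
        printf '=== %s scan of %s ===\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$SCAN_DIR"
        # Refresh signatures first; scanning with a stale database is pointless.
        /usr/bin/freshclam --quiet
        # -i reports infected files only, -r recurses into subdirectories.
        /usr/bin/clamscan -i -r "$SCAN_DIR"
        rc=$?
        printf '=== result: %s (exit %d) ===\n' "$(scan_status "$rc")" "$rc"
    } >> "$LOG_FILE" 2>&1
    logger -p "$(scan_priority "$rc")" -t clamscan \
        "daily scan of $SCAN_DIR finished: $(scan_status "$rc")"
    return "$rc"
}

# cron runs this as root; do nothing when run elsewhere without ClamAV.
if [ "$(id -u)" -eq 0 ] && command -v clamscan >/dev/null 2>&1; then
    run_daily_scan
fi
```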

Configure ntp time synchronization.

It is a good idea to do this because many Internet services rely on the computer's clock being accurate. Accurate time and date stamps in logged activity also aid forensic analysis and system troubleshooting. Install the ntp package and configure ntp.conf to use the university's time servers at ntp.itd.umich.edu.

Update the services and applications within 30 days of an official security patch release by a vendor.

Set up weekly auto updates:

  1. Open a terminal window and issue this command:
    sudo nano /etc/cron.weekly/yumupdate.sh
  2. Add the following lines to the file:
    #!/bin/bash
    # Update yum itself first, then everything else; -y answers yes,
    # -d 0 -e 0 silence debug and error output so cron mail stays quiet
    /usr/bin/yum -y -d 0 -e 0 update yum
    /usr/bin/yum -y -d 0 -e 0 update
  3. Exit nano with ctrl+x and press y to save.
  4. Make the script executable by issuing this command:
    sudo chmod +x /etc/cron.weekly/yumupdate.sh

Back up your data.

The university offers the MiBackup service for server backups. The Sensitive Data Guide entry for MiBackup provides detail about which types of data can or cannot be backed up using the MiBackup service.

Backup Recommendations

  • Determine a backup schedule that works for you based on how frequently the data stored on the system changes.
  • The most recent full backup of the system should be stored off-site in case of disaster.
  • Run one full backup of the system once a week, and differential backups on every other day. Schedule the backups for times when the system is not in use to ensure that all files are captured and performance issues are avoided.
  • Test system restores using the backups on a regular basis.

Assign a Static or reserve a DHCP IP address and register a DNS name for your server.

Using ITS DNS is recommended. In addition, set up reverse DNS for the server and each service hosted on the server. Include email contact information in the DNS record. You can access Proteus through Bluecat to add this information.

Avoid running local versions of services such as DHCP, NTP, and DNS that ITS provides centrally.

The local versions of these services may create vulnerabilities for exploit or attack.

Request an SSL server certificate and enable its use by the web server.

You can order an SSL server certificate from UMWeb. Do not use default certificates in production.

Disable any unused or unnecessary features of the server or the service/application.

If they cannot be turned off, use a firewall to restrict access to services that are installed or enabled alongside the primary service (DNS or NTP, for example) to U-M campus IP space.

Locate servers in an ITS-maintained data center.

ITS provides data center services and can house your servers using a service such as MiDatabase or MiServer.

If you are unable to use an ITS-maintained data center, follow these expectations:

  1. Secure physical server access. Keep your server in a physically locked space. Do not keep your server in a publicly accessible location.
  2. Maintain constant power. For the safety of the server equipment and the data stored on it, use an uninterruptible power source to supply power to the server.

Dispose of safely and securely.

Before decommissioning the server hardware, securely erase the data from the system. See Prepare Devices for Disposal.

Access and Accounts

Require a password for access to the machine and single user boot.

Follow these guidelines for a strong password. Unauthenticated access should not be permitted, whether by unauthenticated web servers, anonymous ftp servers, or open network shares which allow access to the server's file system.

Require Password Authentication

  1. Open a terminal window and make a backup copy of the system authentication file with this command:
    sudo cp /etc/pam.d/system-auth /etc/pam.d/system-auth.ORI
  2. Edit the file by issuing this command:
    sudo nano /etc/pam.d/system-auth
  3. From the line that reads:
    auth sufficient /lib/security/pam_unix.so likeauth nullok
    remove " nullok" so that the line reads as follows:
    auth sufficient /lib/security/pam_unix.so likeauth
  4. Exit nano with ctrl+x and press y to save.
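The same change as a script, added as an example and not part of the original guide: it strips nullok from every pam_unix line (keeping a .ORI backup as above) and then lists the local accounts whose password field is empty, since those are exactly the logins nullok was admitting. File paths are parameters so the functions can be tried on copies first.

```shell
#!/bin/sh
# Added example (not from the original guide): remove the nullok option from
# every pam_unix line of a PAM configuration file (a backup is kept with the
# .ORI suffix the guide uses), and list the local accounts whose password
# field is empty, since those are exactly the accounts nullok was admitting.
# File paths are parameters so the functions can be tried on copies first.

set -u

# strip_nullok FILE: drop "nullok" from pam_unix.so lines only; other
# modules and the rest of each line are left untouched.
strip_nullok() {
    sed -i.ORI -E '/pam_unix\.so/ s/[[:space:]]+nullok([[:space:]]|$)/\1/g' "$1"
}

# count_nullok FILE: how many pam_unix.so lines still carry nullok
# (0 after a successful strip_nullok).
count_nullok() {
    grep -Ec 'pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' "$1" || true
}

# empty_password_accounts SHADOWFILE: print account names whose password
# field is empty. "!" or "*" mean locked, which is different and fine.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Apply to the live system only when asked, and show what nullok was hiding.
if [ "${1:-}" = "--apply" ]; then
    strip_nullok /etc/pam.d/system-auth
    echo "pam_unix lines still allowing empty passwords: $(count_nullok /etc/pam.d/system-auth)"
    echo "local accounts with an empty password field:"
    empty_password_accounts /etc/shadow
fi
```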

Change default or vendor-supplied passwords to secure and unique passwords.

Require first-time users to change their default password.

  • When you provide a user with access to a machine, it is important that they set their own account password rather than sticking with the default. Set this requirement for each user.
    • Open a terminal window and issue the following command (this only applies to local accounts):
      sudo chage -d 0 {username}

Disable or remove guest and default accounts.

Best practice is to not allow guest, default or shared accounts access to the machine. Verify that there are no suspicious accounts in the /etc/passwd file.

Disable root login / su - and implement sudo.

Implementation of sudo will allow privileged access as required and will log all such activity and link specific actions to specific individuals. It also avoids shared root accounts, which can make it more difficult to securely deprovision access for an individual or contain security incidents involving compromised credentials.

Note: Many Linux distributions already implement the no root login feature and force the use of sudo. If the distribution you are using does not already support sudo, install the sudo package and configure it appropriately (ensure "su -" does not switch user to root. Consider bash, vi, and other apps that can shell out to root).

Prevent Remote Root Logins via the SSH Protocol

  1. Open a terminal window and edit the SSH daemon's configuration file (/etc/ssh/sshd_config) using this command:
    sudo nano /etc/ssh/sshd_config
  2. Find the line that reads:
    PermitRootLogin yes
    and change it to this:
    PermitRootLogin no
  3. Exit nano with ctrl+x and press y to save.
  4. Stop and restart the SSH Daemon using these commands:
    service sshd stop
    service sshd start
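A script that applies both sshd_config changes this guide asks for (the Banner line from the logon notification section and PermitRootLogin no from this one), added here as an example and not the guide's own code. It uncomments an existing directive rather than appending a duplicate, and validates the file with sshd -t before restarting so a typo cannot lock out remote administration; the target file is a parameter so it can be exercised on a copy.

```shell
#!/bin/sh
# Added example (not part of the original guide): idempotently set a directive
# in sshd_config, uncommenting an existing line where present, then validate
# the result with "sshd -t" before the daemon is restarted. Assumes the RHEL 6
# layout; the target file is a parameter so it can be tried on a copy first.
# Caveat: directives inside "Match" blocks are rewritten too; review those.

set -u

# set_sshd_option FILE KEY VALUE
# Replaces every active or commented "KEY ..." line with "KEY VALUE";
# appends the directive if the file has no such line. Keeps a .bak copy.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the effective (uncommented) value, if any.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2 }' "$1" | tail -n 1
}

# harden_sshd FILE: apply the two settings this guide asks for.
harden_sshd() {
    set_sshd_option "$1" Banner /etc/issue.net
    set_sshd_option "$1" PermitRootLogin no
}

# Touch the live file only when explicitly asked, and syntax-check it
# before restarting so a mistake cannot lock out remote administration.
if [ "${1:-}" = "--apply" ]; then
    harden_sshd /etc/ssh/sshd_config
    sshd -t && service sshd restart
fi
```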

Restrict server and application access whenever possible.

  1. Restrict access to the application through groups or sudo. Create an account exclusively for the daemon with specific, limited rights.
  2. Avoid using administrative or root level accounts to run the daemon or services.
  3. Accounts that access or administer the server should have the minimum permissions necessary to conduct the appropriate functions (e.g., specify who may and who may not run cron jobs).

Require centralized authentication.

Avoid using local accounts for authentication into any service or application hosted on your server or the server daemon itself. Instead, use directory-based accounts, such as U-M Kerberos accounts. Do not allow authentication with shared accounts.

Implement account lifecycle management procedures to remove access of employees and collaborators that no longer require access to the server or applications.

Remove ctrl-alt-del option to restart server.

  1. Open a terminal window.
  2. Issue this command:
    sudo cp -v /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.override
  3. Followed by this:
    sudo nano /etc/init/control-alt-delete.override
  4. Change the line that says exec /sbin/shutdown -r now "Control-Alt-Delete pressed" to say:
    exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored"
    Note that this will not prevent ctrl+alt+del in a GUI environment.
  5. Exit nano with ctrl+x and press y to save.

Force session timeouts.

Regularly disconnect sessions idle more than two hours using a scheduled task or other methods.

The autologout file below will implement a 120-minute idle timeout for the default /bin/bash shell. Note that TMOUT can be set to 300 to implement a 5-minute idle timeout and so on.

  1. Open a terminal window.
  2. Create a file called /etc/profile.d/autologout.sh by issuing this command:
    sudo touch /etc/profile.d/autologout.sh
  3. Edit the file using this command:
    sudo nano /etc/profile.d/autologout.sh
  4. Append the following:
    TMOUT=7200
    readonly TMOUT
    export TMOUT
  5. Exit nano with ctrl+x and press y to save
  6. Set permissions with this command:
    sudo chmod +x /etc/profile.d/autologout.sh

The autologout file below will implement a 120-minute idle timeout for the C shell.

  1. Open a terminal window.
  2. Create a file called /etc/profile.d/autologout.csh by issuing this command:
    sudo touch /etc/profile.d/autologout.csh
  3. Edit the file using this command:
    sudo nano /etc/profile.d/autologout.csh
  4. Append the following:
    # Log out after 2 hours, as recommended by
    # https://safecomputing.umich.edu/hardening
    set -r autologout=120
  5. Exit nano with ctrl+x and press y to save
  6. Set permissions with this command:
    sudo chmod +x /etc/profile.d/autologout.csh

If you need to leave your session open, you can run "screen" or "top," to prevent the session from being idle and logging you out. This should be done only when necessary to prevent autologout from interfering with your work.

Enable two-factor authentication, especially if the system will be storing sensitive data.

To implement two-factor authentication with Shibboleth, see Configuring Your Service Provider for Two-Factor Authentication (S4396).

Monitoring

Configure the logging for unique services, and syslog for the server system itself.

If using remote logging, then ensure the data is encrypted in transit.

Configure Service Audit Log

  1. If you have not done so, install the syslog package with this command:
    sudo yum -y install rsyslog
  2. Edit syslog configurations with this command:
    sudo nano /etc/rsyslog.conf
  3. To enable listening on the UDP and TCP ports (needed only if this machine will receive logs from other systems), remove the comment symbol # before each $ModLoad statement and each ServerRun statement to get this:
    $ModLoad imudp
    $UDPServerRun 514
    ......
    $ModLoad imtcp
    $InputTCPServerRun 514
  4. Exit nano with ctrl+x and press y to save.
  5. Restart the syslog service to make the changes take effect with this command:
    sudo service rsyslog restart
  6. Configure the machine to send logs to a central server by opening syslog configurations with this command:
    sudo nano /etc/rsyslog.conf
  7. At the end of the file, append the following line to point the client message log to the server:
    *.info;mail.none;authpriv.none;cron.none @192.168.0.105
  8. Exit nano with ctrl+x and press y to save.

Note that you can specify either a hostname or an IP address. A single @ forwards over UDP; @@ forwards over TCP, which is reliable but still unencrypted unless rsyslog's TLS driver is configured. All message logs will be sent to the central server as well as being copied locally.
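To meet the "encrypted in transit" requirement above, the forwarding line needs rsyslog's TLS (gtls) stream driver rather than the plain @ form. The script below, added as an example and not part of the original guide, writes such a drop-in; the server name, port, CA path and drop-in location are assumptions, and it assumes the rsyslog-gnutls package is installed and that rsyslog.conf includes /etc/rsyslog.d/*.conf and sets $WorkDirectory, as the RHEL 6 default does.

```shell
#!/bin/sh
# Added example (not from the original guide): write an rsyslog drop-in that
# forwards logs to a central server over TCP with TLS, using rsyslog's gtls
# network stream driver, so the data is encrypted in transit as required.
# Server name, port, CA path and drop-in location are assumptions; the
# rsyslog-gnutls package must be installed.

set -u

# valid_port N: true if N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# remote_log_conf SERVER PORT CAFILE: print the drop-in text. The selector
# deliberately keeps authpriv (the guide's example excludes it with
# authpriv.none), because SSH and sudo events are the ones worth centralizing.
remote_log_conf() {
    valid_port "$2" || { echo "remote_log_conf: bad port '$2'" >&2; return 1; }
    cat <<EOF
# Forward logs to $1 over TLS (generated by remote_log_conf)
\$DefaultNetstreamDriver gtls
\$DefaultNetstreamDriverCAFile $3
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer $1
# Spool to disk (under \$WorkDirectory) so an outage of the log server
# does not lose events; retry forever instead of discarding
\$ActionQueueType LinkedList
\$ActionQueueFileName remote-fwd
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.info;mail.none;cron.none @@$1:$2
EOF
}

# Apply only when asked: write the drop-in, then have rsyslogd validate the
# complete configuration before the service is restarted.
if [ "${1:-}" = "--apply" ]; then
    remote_log_conf "${2:?server}" "${3:-6514}" /etc/pki/rsyslog/ca.pem \
        > /etc/rsyslog.d/50-remote.conf
    rsyslogd -N1 && service rsyslog restart
fi
```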

Log authentications for services or applications housed on the server using a centralized logging system. Enable login auditing of failed and successful login attempts.

Enable Enforcing SELinux, or Permissive SELinux if restrictions prevent use of enforcing mode.

Increase audit log size to accommodate the increased activity occurring on a server.

Configure logs to start a new log file each day, and retain at least the last 30 days of log files.

Configure notifications to alert the system owner or administrator when the system stops or restarts.

Monitor file system modifications for unauthorized changes using a binary file integrity check service such as tripwire or aide.

Monitor File System Details with Tripwire

  1. Install the tripwire package by issuing this command:
    sudo yum install tripwire -y
  2. Begin the setup with the command:
    sudo tripwire-setup-keyfiles
  3. Create both a site passphrase and a local passphrase. Keep these passwords handy as they will be used repeatedly in the subsequent steps. (See ITS guidelines on choosing strong passwords.)
  4. Initialize tripwire with this command:
    sudo tripwire --init
    (Note that it is normal to see errors when initializing, because tripwire hasn't mapped the files of your system yet.)
  5. Configure tripwire with this command:
    sudo nano /etc/tripwire/twpol.txt
    Tripwire includes a preexisting example file, but you should be sure to comment out services you will not need.
  6. Exit nano with ctrl+x and press y to save.
  7. Update tripwire's policy with this command:
    sudo tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
  8. Exit with ctrl+x and press y to save.
  9. Run a base test with this command:
    sudo tripwire --check --interactive
    This should return no results.
  10. For an additional test, log in as root and add a file with this command:
    touch test.txt
  11. Once again, run this command:
    sudo tripwire --check --interactive
    You should see that user root has added one new file.

Detect and monitor brute force attempts by using a service such as DenyHosts or Fail2ban to monitor your logs for failed remote attempts and prevent brute force password attacks.

Monitor Using DenyHosts

  1. Open a terminal window.
  2. Enter the following command to install DenyHosts:
    sudo yum -y install denyhosts
  3. Edit the hosts.allow file so you don't block yourself, with this command:
    sudo nano /etc/hosts.allow
  4. Add the following (substituting the addresses you administer from for the two example addresses):
    sshd: 202.54.1.2 203.51.2.3
  5. Exit nano with ctrl+x and press y to save.
  6. Type the following two commands to enable DenyHosts:
    sudo chkconfig denyhosts on
    sudo service denyhosts start

See denyhosts.sourceforge.net for a more complete guide.

Monitor Using Fail2ban

  1. Open a terminal window.
  2. If you have not already installed Fail2ban, install it with this command:
    sudo yum install fail2ban
  3. Copy the configuration file for editing (jail.conf may be overwritten on upgrade; jail.local is not):
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  4. Modify the configuration file using this command:
    sudo nano /etc/fail2ban/jail.local
    The defaults should be sufficient for most servers, but you can adjust features such as ban time, attempts before ban, and which addresses are always blocked. Detailed instructions for how to do so are included in /etc/fail2ban/jail.conf.
  5. Exit nano with ctrl+x and press y to save.

Report security incidents.

If your server or associated devices are compromised, stolen, or otherwise accessed in an unauthorized manner, report it as a security incident.

Connections

Enable your local firewall, if it is not on by default.

Current versions of Linux use the iptables firewall. Use a default deny policy and only allow necessary ports to be accessible by authorized systems and users. Consult the documentation for your system to learn how to adjust the firewall rules to ensure that only the services you require are accessible.

Configure Local Firewall (iptables)

  1. Open a terminal window.
  2. To modify iptables first stop it with this command:
    service iptables stop
  3. Now you can add exceptions with this command:
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    where -p specifies the protocol, --dport the destination port, and -j says what to do with matching traffic. In the example here, it is set to accept on that port. Specify REJECT (or DROP) to refuse it instead.
  4. Likewise, use the following to list all existing rules:
    iptables -L
  5. Then delete a specific rule with this command:
    iptables -D INPUT 5
  6. Save your iptables rules to the file that is loaded by the iptables service:
    iptables-save > /etc/sysconfig/iptables
  7. Start iptables with this command:
    service iptables start

A list of U-M subnets can be found at UMnet.

Disable unused optional network connections such as Wi-Fi or Bluetooth.

Disable Wireless

  1. Open a terminal window.
  2. Use the following command to list all network interfaces, including wireless ones:
    ifconfig -a
  3. Go through the list and disable each one that is unused. Modify /etc/sysconfig/network-scripts/ifcfg-$DEVICENAME (where $DEVICENAME is the device to disable) to permanently disable wireless on a device. You may need to disable multiple devices, depending on your particular system.

Disable Bluetooth

  1. Open a terminal window.
  2. Use the following two commands:
    /etc/init.d/bluetooth stop
    chkconfig bluetooth off

Other services you might want to disable:

  • cupsd or lpd (if not running a printer)
  • xinetd

Connect securely to the server.

Do not use insecure or clear text protocols to authenticate to the server. If insecure methods must be used, restrict server access to specific IP addresses or the U-M campus network using iptables. Use an SSH tunnel or another encryption method to protect the data in transit.

Cleartext Services/Protocols to Avoid

Avoid using these cleartext services/protocols to connect to your Linux server:

  • FTP
  • Telnet
  • etc.

Should you have a business case for using one of these services/protocols, you should restrict access to specific networks and IP addresses.

Copy Files Between Systems Securely

  • To securely copy files between systems it is highly recommended that you use the scp command. This command is used in the form:
    scp your_username@remotehost.edu:foobar.txt /some/local/directory
    where your_username@remotehost.edu is the account and host you are copying from, foobar.txt is the file you are transferring, and /some/local/directory is the destination directory on the local system.

Limit network access to the service to LAN or U-M campus networks only, by using the local or a gateway-style firewall. Run a port scan of the system to confirm that ports are properly protected.

Require VPN connections.

Configure the firewall (iptables) to allow access from the U-M virtual private network (VPN) and appropriate campus networks.

Configure Firewall to Allow VPN Access

  1. Open a terminal window.
  2. First flush old rules with this command:
    iptables -F
  3. Block everything except the rules you're about to make with the following three commands:
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
  4. Allow loopback access using these two commands:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
  5. Accept the U-M VPN with this command:
    iptables -A INPUT -s 141.213.168.0/21 -j ACCEPT
  6. Finally, make sure that all incoming and outgoing traffic is using the VPN with these commands:
    iptables -A INPUT -j ACCEPT -p udp -s Y.Y.Y.Y --sport 1194
    iptables -A OUTPUT -j ACCEPT -p udp -d Y.Y.Y.Y --dport 1194
  7. Save your iptables rules to the file that is loaded by the iptables service:
    iptables-save > /etc/sysconfig/iptables
  8. Start iptables with this command:
    service iptables start
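A complete default-deny ruleset in iptables-restore format, added as an example and not part of the original guide, covering both the local firewall steps and the VPN steps above. It keeps the DROP policies and the VPN source rule but adds the connection-tracking rules without which a DROP policy on OUTPUT also drops the replies to the very SSH sessions the VPN rule admits. The VPN subnet is the guide's; the SSH port, any extra service ports, and the outbound allowances are assumptions passed in or editable.

```shell
#!/bin/sh
# Added example (not from the original guide): build a complete default-deny
# ruleset in iptables-restore format for /etc/sysconfig/iptables. It keeps the
# DROP policies and VPN source rule from the steps above but adds the
# connection-tracking rules without which a DROP policy on OUTPUT also drops
# the replies to the SSH sessions the VPN rule admits. The VPN subnet is the
# guide's; the SSH port and any extra service ports are parameters.

set -u

VPN_NET="${VPN_NET:-141.213.168.0/21}"

# firewall_rules SSH_PORT [TCP_PORT ...]: print the ruleset. Every listed
# port is opened to the VPN subnet only, never to the world.
firewall_rules() {
    ssh_port=$1; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies and related packets of connections already admitted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify are never worth accepting
-A INPUT -m state --state INVALID -j DROP
# administrative SSH from the VPN only
-A INPUT -s $VPN_NET -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -s $VPN_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# outbound: DNS, NTP and package updates; tighten to campus servers as needed
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# log (rate-limited) what the INPUT policy is about to drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# new_connection_rules RULESET: count the ACCEPT rules for new connections,
# a quick sanity check that no unexpected port slipped in.
new_connection_rules() {
    printf '%s\n' "$1" | grep -c -- '--state NEW -j ACCEPT' || true
}

# Install only when explicitly asked; the iptables service loads the file.
if [ "${1:-}" = "--apply" ]; then
    shift
    firewall_rules "$@" > /etc/sysconfig/iptables && service iptables restart
fi
```

Invoke as `sh firewall.sh --apply 22 443` to allow SSH and HTTPS from the VPN subnet; run `firewall_rules 22 443` alone first to review the generated file.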

Additional information about U-M subnets can be found at UMnet.

Restrict access to remote access management cards (such as IPMI interfaces used by system administrators for out-of-band management) to U-M campus networks and require use of the U-M VPN for off-campus access.

Other Things to Consider

If using Network File System (NFS), use NFS version 4 or later and restrict direct NFS mounts to specific campus IPs.

NFS exports squash root by default (the root_squash option): verify that it is still set and that no export uses no_root_squash.

If using an older version of Linux or Unix, limit user processes to prevent fork bombs.

Enable encryption.

You can encrypt the hard drive (full disk encryption), partitions on the hard drive, or files and file directories. Hard drive encryption can be set up during the installation of the operating system.

Partition hard drive.

Isolate sensitive data on separate hard drive partition/s. Isolate boot and critical OS files on separate partitions, and ensure the boot partition is set to read-only to reduce the risk of unauthorized modifications to boot files.

Restrict boot source in BIOS.

Configure BIOS to disable boot from CD/DVD, external devices (USB), or from a floppy drive if the physical security of the server could be compromised. Additionally, consider setting a BIOS password to further restrict access to the system.

Regularly scan the server for vulnerabilities.

Check the Sensitive Data Guide to confirm that your server is eligible to access or maintain the type(s) of sensitive data it is storing or processing.

Checking the Sensitive Data Guide is especially important if your server is a virtual machine.

If you are accessing or maintaining Credit Card or Payment Card Information (PCI) or Protected Health Information (PHI) on your server, you should consult with IIA to determine if your server is approved.

Centrally manage anti-virus and update utilities.

This is especially important if the server network is large or distributed. Send anti-virus logs to a centralized logging system such as Splunk.

Use appropriate settings or controls to ensure that sensitive data accessed or maintained by your server cannot be cached to client systems connecting to your server.

Disable Interactive Key Startup at Boot

This is done to prevent an attacker with physical access to the machine from disabling the firewall and other security services.

  1. Open a terminal window.
  2. Edit the configurations file with this command:
    sudo nano /etc/sysconfig/init
  3. Modify the setting as follows:
    PROMPT=no
  4. Exit nano with ctrl+x and press y to save.

Keep root_squash on NFS Exports

root_squash maps requests arriving from a client's root user to the anonymous user, so root on a client cannot act as root on the exported file system. It is the default; check /etc/exports and make sure no export option list contains no_root_squash. An export with it set explicitly looks like this (the path and client subnet are placeholders):
/srv/export <client-subnet>(rw,sync,root_squash)

Require Authentication for Single User Recovery Boot

This is done to prevent an attacker with physical access to the machine from booting into recovery mode as a means to bypass security protocols.

  1. Open a terminal window.
  2. Edit the configurations file with this command:
    sudo nano /etc/sysconfig/init
  3. Add the following line to the file:
    SINGLE=/sbin/sulogin
  4. Exit nano with ctrl+x and press y to save.