
Here are a few tips for hardening your Debian/Ubuntu server.

SSH key based authentication

Only allow logins using public SSH keys. This prevents brute-force attacks on passwords. Create the private and public keys using the ssh-keygen command, then copy the public key from your PC to the server using:

$ ssh-copy-id -i .ssh/id_rsa.pub user@host

Test whether you can log in with your key. The public key is stored in .ssh/authorized_keys on the server, so when you add a new user, ask them for their public key and copy it into authorized_keys.

Change /etc/ssh/sshd_config to disable password-based logins:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
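
A plain grep for these three lines can report success while password logins still work, because sshd uses the first value it reads for each keyword and matches keywords case-insensitively. The shell check below is an added example, not part of the original post; the function names and the sample config are constructed for illustration, and it treats a missing keyword as a failure instead of assuming a default.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the three settings above.

# Print the first active value of keyword $2 in file $1 (global section only).
sshd_first_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                  # ignore comments
        tolower($1) == "match" { exit }     # Match blocks are conditional: stop
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if all three keywords are explicitly set to "no".
audit_sshd() {
    file=$1
    rc=0
    for key in ChallengeResponseAuthentication PasswordAuthentication UsePAM; do
        val=$(sshd_first_value "$file" "$key")
        if [ "$val" = "no" ]; then
            echo "ok    $key no"
        else
            echo "FAIL  $key ${val:-<not set>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config: the final "no" is ignored, the first value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server config
passwordauthentication yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "password logins are still enabled"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration, including any Include files, and is the authoritative check.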

Filesystem permissions

The default umask is 022, which gives other/world users access as well. With umask 007 the owner and group have rw access, and other/world has no access.

Change the default umask from 022 to 007 in:

/etc/profile
/etc/login.defs

Mounted volumes must have proper permissions

Add the nosuid and nodev mount options in /etc/fstab for partitions that have no suid programs and no device nodes.

Example:

/dev/sda5       /tmp            ext3    defaults,nosuid,nodev        0       2
/dev/sda6       /var            ext3    defaults,nosuid,nodev        0       2
/dev/sda7       /data2          ext3    defaults,nosuid,nodev        0       2

Dedicated group for su

Only allow users in the adm group to become root, using pam_wheel.

In /etc/pam.d/su, uncomment this line and add the group part:

auth       required   pam_wheel.so group=adm

Separate temp directories for users

With the pam_tmpdir module each user gets a separate tmp dir. Instead of using /tmp, each user gets /tmp/user/USERID, so a user cannot see the temp files of other users.

Install the tmpdir pam module:

apt-get install libpam-tmpdir

Add the following line to /etc/pam.d/common-session:

session    optional     pam_tmpdir.so

Do a security audit for the system

Lynis is an excellent auditing tool that tests and gathers (security) information for *nix based systems. Download the latest tarball, decompress it and run it.
