posts

Linux security hardening for server and cloud

figure
Aug 10, 2022
Dmitry Chuyko

For a long time, Linux remained a niche operating system and thus enjoyed peace and quiet in a world filled to the brim with cybercrime. But today, about 80% of servers and 90% of cloud infrastructure run on Linux. The sky-rocketing popularity of this OS couldn’t escape the attention of hackers, and as a result,

Impressive? Frightening. Linux is not the problem — it is as secure by design as any other OS. But it is not enough to download and deploy a Linux distribution, which would be similar to fencing off the territory and leaving the backdoor open. A company should apply additional measures for security hardening. So read on and discover the best practices for strengthening your Linux-based system in server and cloud environments.

  1. Best practices for Linux server security
    1. User authentication and password policy
    2. Only necessary packages
    3. Regular updates
    4. Network protection
    5. SSH hardening
  2. Safety in the cloud
  3. Choosing a secure Linux distribution
    1. Security features
    2. Regular update cycle
    3. SELinux vs AppArmor
    4. Comparative table
  4. New Linux with accent on security
  5. Further Reading

Best practices for Linux server security

User authentication and password policy

If this recommendation seems obvious to you, remember that 81% of data breaches are caused by weak passwords. Enforce the strong password policy at your company: a password should be a mix of at least ten characters, including digits, special characters, and letters in lower and upper cases. In addition, enable password expiration and “faillog” to set the limit of login attempts. To configure user authentication and password verification policies, use Linux PAM (Pluggable Authentication Modules).

Numerous Linux-compatible password managers on the market provide additional password hardening functionalities such as two-factor authentication, vault auditioning, etc. Some are open-source (Bitwarden), and others require a subscription (1Password, Dashlane). The choice depends on your budget, requirements, and distro.

Another good practice is to disable root via SSH and never use it. This prevents attackers from gaining access to the entire system.

Only necessary packages

Software packages tend to accumulate on systems like garbage. But the more utilities you install and preserve, the more vulnerabilities you bring into your system. So keep only the software required for a server, disable unnecessary services, and delete other components and features.

First, get a list of all services and packages. Linux distros have different package managers, so the commands vary slightly:

For RHEL/CentOS, run

yum list installed

In case of Debian/Ubuntu, run

apt list --installed

Alpine Linux uses apk (Alpine Package Keeper) tool, so the command is

apk info

After that, you can analyze the packages, remove unnecessary ones, and update the remaining. Note that instead of unsafe tools such as telnet, rlogin, rsh, etc. you should utilize their more secure alternatives: SSH, sftp, SCP, and so on.

Regular updates

Regular software updates are part of the security hardening procedure. Linux distribution providers, be it a community or a company, release regular security patches to the Linux kernel and other packages. These patches should be integrated as soon as possible after they come out to protect the server from exploits.

It is possible to perform manual or automatic updates. You can update only the kernel, selected packages, or the whole system. For the sake of brevity, let us take yum as an example.

To check whether there are available updates, run

yum check-update

To update all packages, run

sudo yum update

To update only selected packages, run

sudo yum update <packagename>

In addition, yum enables the integration of security updates only without bug fixes:

sudo yum update --security

If you want to update only the kernel, run

sudo yum update kernel

and

sudo reboot

Some companies also offer kernel live patching to avoid system reboot and minimize downtime.

An important step is to check your Linux distribution for end-of-life (EOL) when vendors stop supporting and releasing updates for an outdated OS version. The EOL schedule can be found on the vendor’s website. To minimize security risks, you should plan the migration to a newer version in advance.

Note that your application runtime should also be regularly updated. Java boasts quarterly security releases in the form of Critical Patch Updates (CPU) with CVE fixes and other enhancements. Java updates can also be automated through Liberica Administration Center (LAC), a tool for monitoring and updating Java runtimes in the Windows PC fleet from a single dashboard.

Network protection

Network intrusions are widespread: In the US, they accounted for 32% of cyberattacks in 2022. To protect your network, close unused open TCP and UPD ports. Use the ss or netstat commands to list all open ports, for example:

ss -tulpn | grep LISTEN

or

netstat -tulpn | grep LISTEN

where -t stands for all TCP ports, -u for UPD ports, -l for listening server sockets, -p for the PID, -n for not resolving names. After closing the unwanted ports, use a firewalld or iptables tool to configure the firewall rules. Fail2ban is a valuable tool that prevents brute force attacks by scanning the log files and banning IPs associated with malicious activities.

SSH hardening

Secure Shell (SSH) is a reliable protocol, but should be configured with care. Use the

nano /etc/ssh/sshd_config

command to retrieve the configuration file and adjust several default settings. First thing first, enable the more secure v2 of the protocol by removing # before Protocol 2:

# The default requires explicit activation of protocol 1

Protocol 2

Secondly, disable empty passwords by changing

#PermitEmptyPasswords no

to

PermitEmptyPasswords no

Thirdly, if you have servers with GUI, you might want to disable X11 forwarding that allows tunneling GUI applications to SSH. Change

X11Forwarding yes

to

X11Forwarding no

It is also possible to change the max. authentication attempts, which is set to six by default. Let’s set it to three, for example:

MaxAuthTries 3

These are just a few basic SSH hardening tips. You can find more in the dedicated article. After you are done, save the file and restart SSH by running

systemctl restart sshd   

Safety in the cloud

Linux is the most popular OS for Docker containers, and LXC (Linux Containers) accounted for 33.5 percent market share of the containerized technologies in 2021, followed by Docker. Developers choose Linux for its flexibility and security, but as the recent Linux Thread Report shows, this OS is not invincible. So extra measures should be taken to protect your Linux-based containers.

Firstly, choose a reliable Linux distribution. A more detailed overview of Linux distros by security is presented below, but as far as the cloud is concerned, the most frequently attacked OS (50.8%) is CentOS. The support for this distro was suspended in 2019, so it contains numerous vulnerabilities. Coupled with the fact that it is the most heavyweight Linux in the cloud, we highly recommend migrating to another distribution.

In addition, watch what you put into your containers. It applies both to the OS version and open-source components. According to the report by Snyk, 56% of survey respondents experienced misconfiguration or incidents with known unpatched vulnerabilities in the cloud-native environment. So our advice is: never pull packages from untrusted sources and always check for the latest versions with vulnerability fixes.

In most cases, containers run as root by default. The problem is that the root user in the containers is the same as on the host machine. Therefore, the compromised container enables the attacker to take control of the host easily. To avoid that, switch to rootless containers, which make it possible for an unprivileged user to create and manage containers without being a root. This method minimizes the attack surface and protects the host.

Choosing a secure Linux distribution

The most popular Linux distributions are relatively similar regarding security features integrated into the system. Linux patches are released whenever they become available. The main difference resides in the level of support, additional tooling, and configuration.

Security features

First, a distribution should be as clean as possible, i.e., contain only necessary packages. The rule of thumb is the fewer components there are, the smaller the attack surface. Instead of manually deleting packages as described above, installing an already concise distro would be better. Alpine Linux is the most convenient solution, with a base image size of 2.67MB.

Not all distributions have commercial support and offer only community-based help (Debian, CentOS, Alpine Linux). Although a free distro helps to save money in the short term, for safety reasons, you should work with a vendor that delivers prompt fixes and emergency patches. A security advisory set up by the vendor is a bonus as it helps to stay aware of recently discovered CVEs.

Some vendors also offer convenient tools for integrity checking, which are used to protect the system from unauthorized modifications. For instance, Advanced Intrusion Detection Environment (AIDE) installed as an additional package creates a database consisting of system files and monitors intrusions.

Regular update cycle

2021 witnessed a record number of zero-day attacks that target zero-day vulnerabilities, which have been discovered but not yet patched. The longer a vendor delays patch updates, the higher the risk of exploits for the system. That’s why a Linux vendor shouldn’t delay releasing patches. Some vendors offer automatic updates and kernel live patching that helps to minimize downtime while keeping to security standards.

In addition, LTS releases that receive security updates for an extended period are more beneficial for companies because they can migrate at their own pace.

SELinux vs AppArmor

Linux distributions also vary by the isolation technology — SELinux or AppArmor. Both are Mandatory Access Control (MAC) mechanisms aimed at restricting access of processes to files and isolating them from one another.

SELinux controls access based on labels, whereas AppArmor uses file paths. SELinux provides a wide range of security policies but is very complex and challenging to use. On the other hand, AppArmor is more straightforward to deploy and use.

In addition, SELinux is based on the “deny by default principle,” where all processes are blocked and require explicit permission for performing activities. AppArmor, in turn, enables the administrator to define restrictions from the start.

SELinux is included with RHEL, CentOS, and Fedora, whereas Ubuntu, Debian, and SUSE Linux use AppArmor by default.

Comparative table

Below is a summary of popular Linux distributions according to their security features.

CentOS RHEL Debian Ubuntu Alpine Linux
Commercial support x x x
Security Advisory x
MAC tool SELinux SELinux AppArmor AppArmor AppArmor
Base container image size (compressed) 79.65MB 10.3MB 29.93MB 27.01MB 2.67MB
Comparing Linux distributions by security

New Linux with accent on security

BellSoft’s expertise in delivering the highest level of security to its customers has become the bedrock of its new Linux distribution, characterized by

  • baked-in security features
  • the smallest attack surface
  • LTS versions and timely updates
  • 24/7 support

Subscribe to our newsletter so as not to miss the release date and stay safe!

Further Reading

Are you unsure about whether you need commercial support for Linux? Discover the value of dedicated support for Linux Server and Cloud

Do you want to compare various Linux distros to choose a suitable solution for your business? Read our article about the best Linux distributions for server and cloud

Are you tempted to cut the size of your OS? Find out how Linux can be both minuscule and powerful in our article about Alpine Linux