Mastering Linux Security and Hardening - Third Edition

Book description

Gain a firm practical understanding of how to secure your Linux system from intruders, malware attacks, and other cyber threats. Purchase of the print or Kindle book includes a free eBook in PDF format.

Key Features

  • Discover security techniques to prevent malware from infecting a Linux system, and detect it
  • Prevent unauthorized people from breaking into a Linux system
  • Protect important and sensitive data from being revealed to unauthorized persons

Book Description

The third edition of Mastering Linux Security and Hardening is an updated, comprehensive introduction to implementing the latest Linux security measures, using the latest versions of Ubuntu and AlmaLinux.

In this new edition, you will learn how to set up a practice lab, create user accounts with appropriate privilege levels, protect sensitive data with permissions settings and encryption, and configure a firewall with the newest firewall technologies. You’ll also explore how to use sudo to set up administrative accounts with only the privileges required to do a specific job, and you’ll get a peek at the new sudo features that have been added over the past couple of years. You’ll also see updated information on how to set up a local certificate authority for both Ubuntu and AlmaLinux, as well as how to automate system auditing. Other important skills that you’ll learn include how to automatically harden systems with OpenSCAP, audit systems with auditd, harden the Linux kernel configuration, protect your systems from malware, and perform vulnerability scans of your systems. As a bonus, you’ll see how to use Security Onion to set up an Intrusion Detection System.

By the end of this new edition, you will confidently be able to set up a Linux server that will be secure and harder for malicious actors to compromise.

What you will learn

  • Prevent malicious actors from compromising a production Linux system
  • Leverage additional features and capabilities of Linux in this new version
  • Use locked-down home directories and strong passwords to create user accounts
  • Prevent unauthorized people from breaking into a Linux system
  • Configure file and directory permissions to protect sensitive data
  • Harden the Secure Shell service in order to prevent break-ins and data loss
  • Apply security templates and set up auditing

Who this book is for

This book is for Linux administrators, system administrators, and network engineers interested in securing moderate to complex Linux environments. Security consultants looking to enhance their Linux security skills will also find this book useful. Working experience with the Linux command line and package management is necessary to understand the concepts covered in this book.

Table of contents

  1. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Get in touch
  2. Section 1: Setting up a Secure Linux System
  3. Running Linux in a Virtual Environment
    1. Looking at the threat landscape
    2. Why do security breaches happen?
    3. Keeping up with security news
    4. Differences between physical, virtual, and cloud setups
    5. Introducing VirtualBox and Cygwin
      1. Installing a virtual machine in VirtualBox
      2. Installing the EPEL repository on the CentOS 7 virtual machine
      3. Installing the EPEL repository on the AlmaLinux 8/9 virtual machines
      4. Configuring a network for VirtualBox virtual machines
      5. Creating a virtual machine snapshot with VirtualBox
      6. Using Cygwin to connect to your virtual machines
        1. Installing Cygwin on your Windows host
      7. Using the Windows 10 SSH client to interface with Linux virtual machines
      8. Using the Windows 11 SSH client to interface with Linux virtual machines
        1. Cygwin versus the Windows shell
    6. Keeping the Linux systems updated
      1. Updating Debian-based systems
      2. Configuring auto updates for Ubuntu
      3. Updating Red Hat 7-based systems
      4. Updating Red Hat 8/9-based systems
      5. Managing updates in an enterprise
    7. Summary
    8. Questions
    9. Further reading
    10. Answers
  4. Securing Administrative User Accounts
    1. The dangers of logging in as the root user
    2. The advantages of using sudo
    3. Setting up sudo privileges for full administrative users
      1. Adding users to a predefined admin group
      2. Creating an entry in the sudo policy file
    4. Setting up sudo for users with only certain delegated privileges
      1. Hands-on lab for assigning limited sudo privileges
    5. Advanced tips and tricks for using sudo
      1. The sudo timer
      2. View your sudo privileges
        1. Hands-on lab for disabling the sudo timer
      3. Preventing users from having root shell access
      4. Preventing users from using shell escapes
      5. Preventing users from using other dangerous programs
      6. Limiting the user’s actions with commands
      7. Letting users run as other users
      8. Preventing abuse via a user’s shell scripts
      9. Detecting and deleting default user accounts
    6. New sudo features
    7. Special sudo considerations for SUSE and OpenSUSE
    8. Summary
    9. Questions
    10. Further reading
    11. Answers
  5. Securing Normal User Accounts
    1. Locking down users’ home directories the Red Hat way
    2. Locking down users’ home directories the Debian/Ubuntu way
      1. useradd on Debian/Ubuntu
      2. adduser on Debian/Ubuntu
        1. Hands-on lab for creating an encrypted home directory with adduser
    3. Enforcing strong password criteria
      1. Installing and configuring pwquality
        1. Hands-on lab for setting password complexity criteria
    4. Setting and enforcing password and account expiration
    5. Configuring default expiry data for useradd for Red Hat-type systems only
    6. Setting expiry data on a per-account basis with useradd and usermod
    7. Setting expiry data on a per-account basis with chage
      1. Hands-on lab for setting account and password expiry data
    8. Preventing brute-force password attacks
      1. Configuring the pam_tally2 PAM module on CentOS 7
        1. Hands-on lab for configuring pam_tally2 on CentOS 7
      2. Configuring pam_faillock on AlmaLinux 8/9
        1. Hands-on lab for configuring pam_faillock on AlmaLinux 8 or AlmaLinux 9
      3. Configuring pam_faillock on Ubuntu 20.04 and Ubuntu 22.04
        1. Hands-on lab for configuring pam_faillock on Ubuntu 20.04 and Ubuntu 22.04
    9. Locking user accounts
      1. Using usermod to lock a user account
      2. Using passwd to lock user accounts
    10. Locking the root user account
    11. Setting up security banners
      1. Using the motd file
      2. Using the issue file
      3. Using the issue.net file
    12. Detecting compromised passwords
      1. Hands-on lab for detecting compromised passwords
    13. Understanding centralized user management
      1. Microsoft Active Directory
    14. Samba on Linux
      1. FreeIPA/Identity Management on RHEL-type distros
    15. Summary
    16. Questions
    17. Further reading
    18. Answers
  6. Securing Your Server with a Firewall – Part 1
    1. Technical requirements
    2. An overview of the Linux firewall
    3. An overview of iptables
      1. Mastering the basics of iptables
      2. Blocking ICMP with iptables
      3. Blocking everything that isn’t allowed with iptables
        1. Hands-on lab for basic iptables usage
      4. Blocking invalid packets with iptables
      5. Restoring the deleted rules
        1. Hands-on lab for blocking invalid IPv4 packets
      6. Protecting IPv6
        1. Hands-on lab for ip6tables
    4. nftables – a more universal type of firewall system
      1. Learning about nftables tables and chains
        1. Getting started with nftables
      2. Configuring nftables on Ubuntu
      3. Using nft commands
        1. Hands-on lab for nftables on Ubuntu
    5. Summary
    6. Questions
    7. Further reading
    8. Answers
  7. Securing Your Server with a Firewall – Part 2
    1. Technical requirements
    2. The Uncomplicated Firewall for Ubuntu systems
      1. Configuring ufw
      2. Working with the ufw configuration files
        1. Hands-on lab for basic ufw usage
    3. firewalld for Red Hat systems
      1. Verifying the status of firewalld
      2. Working with firewalld zones
      3. Adding services to a firewalld zone
      4. Adding ports to a firewalld zone
      5. Blocking ICMP
      6. Using panic mode
      7. Logging dropped packets
      8. Using firewalld rich language rules
      9. Looking at iptables rules in RHEL/CentOS 7 firewalld
      10. Creating direct rules in RHEL/CentOS 7 firewalld
      11. Looking at nftables rules in RHEL/AlmaLinux 8 and 9 firewalld
      12. Creating direct rules in RHEL/AlmaLinux firewalld
        1. Hands-on lab for firewalld commands
    4. Summary
    5. Questions
    6. Further reading
    7. Answers
  8. Encryption Technologies
    1. GNU Privacy Guard (GPG)
      1. Hands-on lab – creating your GPG keys
      2. Hands-on lab – symmetrically encrypting your own files
      3. Hands-on lab – encrypting files with public keys
      4. Hands-on lab – signing a file without encryption
    2. Encrypting partitions with Linux Unified Key Setup (LUKS)
      1. Disk encryption during operating system installation
        1. Hands-on lab – adding an encrypted partition with LUKS
      2. Configuring the LUKS partition to mount automatically
      3. Hands-on lab – configuring the LUKS partition to mount automatically
    3. Encrypting directories with eCryptfs
      1. Hands-on lab – encrypting a home directory for a new user account
      2. Creating a private directory within an existing home directory
      3. Hands-on lab – encrypting other directories with eCryptfs
    4. Encrypting the swap partition with eCryptfs
    5. Using VeraCrypt for cross-platform sharing of encrypted containers
      1. Hands-on lab – getting and installing VeraCrypt
        1. Hands-on lab – creating and mounting a VeraCrypt volume in console mode
      2. Using VeraCrypt in GUI mode
    6. OpenSSL and the Public Key Infrastructure
      1. Commercial certificate authorities
      2. Creating keys, certificate signing requests, and certificates
        1. Creating a self-signed certificate with an RSA key
        2. Creating a self-signed certificate with an Elliptic Curve key
        3. Creating an RSA key and a Certificate Signing Request
        4. Creating an EC key and a CSR
      3. Creating an on-premises CA
      4. Hands-on lab – setting up a Dogtag CA
      5. Adding a CA to an operating system
        1. Hands-on lab – exporting and importing the Dogtag CA certificate
        2. Importing the CA into Windows
      6. OpenSSL and the Apache webserver
        1. Hardening Apache SSL/TLS on Ubuntu
        2. Hardening Apache SSL/TLS on RHEL 9/AlmaLinux 9
        3. Setting FIPS mode on RHEL 9/AlmaLinux 9
        4. Hardening Apache SSL/TLS on RHEL 7/CentOS 7
      7. Setting up mutual authentication
    7. Introducing quantum-resistant encryption algorithms
    8. Summary
    9. Questions
    10. Further reading
    11. Answers
  9. SSH Hardening
    1. Ensuring that SSH protocol 1 is disabled
    2. Creating and managing keys for passwordless logins
      1. Creating a user’s SSH key set
      2. Transferring the public key to the remote server
        1. Hands-on lab – creating and transferring SSH keys
      3. Disabling root user login
      4. Disabling username/password logins
        1. Hands-on lab – Disabling root login and password authentication
      5. Enabling two-factor authentication
        1. Hands-on lab – Setting up two-factor authentication on Ubuntu 22.04
        2. Hands-on lab – Using Google Authenticator with key exchange on Ubuntu
        3. Hands-on lab – Setting up two-factor authentication on AlmaLinux 8
        4. Hands-on lab – Using Google Authenticator with key exchange on AlmaLinux 8
      6. Configuring Secure Shell with strong encryption algorithms
        1. Understanding SSH encryption algorithms
      7. Scanning for enabled SSH algorithms
        1. Hands-on lab – Scanning with Nmap
      8. Disabling weak SSH encryption algorithms
        1. Hands-on lab – disabling weak SSH encryption algorithms – Ubuntu 22.04
        2. Hands-on lab – disabling weak SSH encryption algorithms – CentOS 7
      9. Setting system-wide encryption policies on RHEL 8/9 and AlmaLinux 8/9
        1. Hands-on lab – setting encryption policies on AlmaLinux 9
      10. Configuring more detailed logging
        1. Hands-on lab – configuring more verbose SSH logging
    3. Configuring access control with whitelists and TCP Wrappers
      1. Configuring whitelists within sshd_config
        1. Hands-on lab – configuring whitelists within sshd_config
      2. Configuring whitelists with TCP Wrappers
    4. Configuring automatic logouts and security banners
      1. Configuring automatic logout for both local and remote users
      2. Configuring automatic logout in sshd_config
      3. Creating a pre-login security banner
    5. Configuring other miscellaneous security settings
      1. Disabling X11 forwarding
      2. Disabling SSH tunneling
      3. Changing the default SSH port
      4. Managing SSH keys
    6. Setting different configurations for different users and groups
    7. Creating different configurations for different hosts
    8. Setting up a chroot environment for SFTP users
      1. Creating a group and configuring the sshd_config file
        1. Hands-on lab – Setting up a chroot directory for the sftpusers group
    9. Sharing a directory with SSHFS
      1. Hands-on lab – Sharing a directory with SSHFS
    10. Remotely connecting from Windows desktops
    11. Summary
    12. Questions
    13. Further reading
    14. Answers
  10. Section 2: Mastering File and Directory Access Control (DAC)
  11. Mastering Discretionary Access Control
    1. Using chown to change ownership of files and directories
      1. Using chmod to set permissions on files and directories
        1. Setting permissions with the symbolic method
        2. Setting permissions with the numerical method
      2. Using SUID and SGID on regular files
      3. The security implications of the SUID and SGID permissions
        1. Finding spurious SUID or SGID files
        2. Preventing SUID and SGID usage on a partition
      4. Using extended file attributes to protect sensitive files
        1. Setting the a attribute
        2. Setting the i attribute
      5. Securing system configuration files
    2. Summary
    3. Questions
    4. Further reading
    5. Answers
  12. Access Control Lists and Shared Directory Management
    1. Creating an ACL for either a user or a group
    2. Creating an inherited ACL for a directory
    3. Removing a specific permission by using an ACL mask
    4. Using the tar --acls option to prevent the loss of ACLs during a backup
    5. Creating a user group and adding members to it
      1. Adding members as we create their user accounts
      2. Using usermod to add an existing user to a group
      3. Adding users to a group by editing the /etc/group file
    6. Creating a shared directory
    7. Setting the SGID bit and the sticky bit on the shared directory
    8. Using ACLs to access files in the shared directory
      1. Setting the permissions and creating the ACL
        1. Hands-on lab – creating a shared group directory
    9. Summary
    10. Questions
    11. Further reading
    12. Answers
  13. Section 3: Advanced System Hardening Techniques
  14. Implementing Mandatory Access Control with SELinux and AppArmor
    1. How SELinux can benefit a systems administrator
    2. Setting security contexts for files and directories
      1. Installing the SELinux tools
      2. Creating web content files with SELinux enabled
      3. Fixing an incorrect SELinux context
        1. Using chcon
        2. Using restorecon
        3. Using semanage
        4. Hands-on lab – SELinux type enforcement
    3. Troubleshooting with setroubleshoot
      1. Viewing setroubleshoot messages
      2. Using the graphical setroubleshoot utility
      3. Troubleshooting in permissive mode
    4. Working with SELinux policies
      1. Viewing Booleans
      2. Configuring the Booleans
      3. Protecting your web server
      4. Protecting network ports
      5. Creating custom policy modules
        1. Hands-on lab – SELinux Booleans and ports
    5. How AppArmor can benefit a systems administrator
      1. Looking at AppArmor profiles
      2. Working with AppArmor command-line utilities
      3. Troubleshooting AppArmor problems
      4. Troubleshooting an AppArmor profile – Ubuntu 16.04
      5. Troubleshooting an AppArmor profile – Ubuntu 18.04
        1. Hands-on lab – Troubleshooting an AppArmor profile
      6. Troubleshooting Samba problems in Ubuntu 22.04
    6. Exploiting a system with an evil Docker container
      1. Hands-on lab – Creating an evil Docker container
    7. Summary
    8. Questions
    9. Further reading
    10. Answers
  15. Kernel Hardening and Process Isolation
    1. Understanding the /proc filesystem
      1. Looking at user-mode processes
      2. Looking at kernel information
    2. Setting kernel parameters with sysctl
    3. Configuring the sysctl.conf file
      1. Configuring sysctl.conf – Ubuntu
      2. Configuring sysctl.conf – CentOS and AlmaLinux
      3. Setting additional kernel-hardening parameters
        1. Hands-on lab – scanning kernel parameters with Lynis
      4. Preventing users from seeing each other's processes
    4. Understanding process isolation
      1. Understanding Control Groups (cgroups)
      2. Understanding namespace isolation
      3. Understanding kernel capabilities
        1. Hands-on lab – setting a kernel capability
      4. Understanding SECCOMP and system calls
      5. Using process isolation with Docker containers
      6. Sandboxing with Firejail
        1. Hands-on lab – using Firejail
      7. Sandboxing with Snappy
      8. Sandboxing with Flatpak
    5. Summary
    6. Questions
    7. Further reading
    8. Answers
  16. Scanning, Auditing, and Hardening
    1. Installing and updating ClamAV and maldet
      1. Hands-on lab – installing ClamAV and maldet
      2. Hands-on lab – configuring maldet
      3. Updating ClamAV and maldet
    2. Scanning with ClamAV and maldet
      1. SELinux considerations
    3. Scanning for rootkits with Rootkit Hunter
      1. Hands-on lab – installing and updating Rootkit Hunter
      2. Scanning for rootkits
    4. Performing a quick malware analysis with strings and VirusTotal
      1. Analyze a file with strings
      2. Scanning the malware with VirusTotal
    5. Understanding the auditd daemon
      1. Creating audit rules
      2. Auditing a file for changes
      3. Auditing a directory
      4. Auditing system calls
    6. Using ausearch and aureport
      1. Searching for file change alerts
      2. Searching for directory access rule violations
      3. Searching for system call rule violations
      4. Generating authentication reports
      5. Using pre-defined rulesets
      6. Hands-on lab – using auditd
      7. Hands-on lab – Using pre-configured rules with auditd
    7. Auditing files and directories with inotifywait
    8. Applying OpenSCAP policies with oscap
      1. Installing OpenSCAP
      2. Viewing the profile files
      3. Getting the missing profiles for Ubuntu
      4. Scanning the system
      5. Remediating the system
      6. Using SCAP Workbench
      7. Choosing an OpenSCAP profile
      8. Applying an OpenSCAP profile during system installation
    9. Summary
    10. Questions
    11. Further reading
    12. Answers
  17. Logging and Log Security
    1. Understanding the Linux system log files
      1. The system log and the authentication log
      2. The utmp, wtmp, btmp, and lastlog files
    2. Understanding rsyslog
      1. Understanding rsyslog logging rules
    3. Understanding journald
    4. Making things easier with Logwatch
      1. Hands-on lab – installing Logwatch
    5. Setting up a remote log server
      1. Hands-on lab – setting up a basic log server
      2. Creating an encrypted connection to the log server
        1. Creating a stunnel connection on AlmaLinux 9 – server side
        2. Creating a stunnel connection on AlmaLinux – client side
        3. Creating a stunnel connection on Ubuntu – server side
        4. Creating a stunnel connection on Ubuntu – client side
      3. Separating client messages into their own files
    6. Maintaining Logs in Large Enterprises
    7. Summary
    8. Questions
    9. Further reading
    10. Answers
  18. Vulnerability Scanning and Intrusion Detection
    1. Introduction to Snort and Security Onion
      1. Obtaining and installing Snort
        1. Hands-on lab – installing Snort via a Docker container
    2. Using Security Onion
    3. IPFire and its built-in Intrusion Prevention System (IPS)
      1. Hands-on lab – Creating an IPFire virtual machine
    4. Scanning and hardening with Lynis
      1. Installing Lynis on Red Hat/CentOS
      2. Installing Lynis on Ubuntu
      3. Scanning with Lynis
    5. Finding vulnerabilities with the Greenbone Security Assistant
    6. Web server scanning with Nikto
      1. Nikto in Kali Linux
        1. Hands-on lab – Installing Nikto from GitHub
        2. Scanning a web server with Nikto
    7. Summary
    8. Questions
    9. Further reading
    10. Answers
  19. Prevent Unwanted Programs from Running
    1. Mount Partitions with the no options
    2. Understanding fapolicyd
      1. Understanding the fapolicyd rules
      2. Installing fapolicyd
    3. Summary
    4. Further reading
    5. Questions
    6. Answers
  20. Security Tips and Tricks for the Busy Bee
    1. Technical requirements
    2. Auditing system services
      1. Auditing system services with systemctl
      2. Auditing network services with netstat
        1. Hands-on lab – viewing network services with netstat
      3. Auditing network services with Nmap
        1. Port states
        2. Scan types
        3. Hands-on lab – scanning with Nmap
    3. Password-protecting the GRUB2 bootloader
      1. Hands-on lab – resetting the password for Red Hat/CentOS/AlmaLinux
      2. Hands-on lab – resetting the password for Ubuntu
      3. Preventing kernel parameter edits on Red Hat/CentOS/AlmaLinux
      4. Preventing kernel parameter edits or recovery mode access on Ubuntu
      5. Disabling the submenu for Ubuntu
    4. Securely configuring BIOS/UEFI
    5. Using a security checklist for system setup
    6. Summary
    7. Questions
    8. Further reading
    9. Answers
  21. Other Books You May Enjoy
  22. Index

Product information

  • Title: Mastering Linux Security and Hardening - Third Edition
  • Author(s): Donald A. Tevault
  • Release date: February 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781837630516