Optimizing Security For Linux Users

9th July, 2019 by

Linux operating systems were first developed to power personal computers. However, they have since evolved into the leading operating systems for servers, mainframes, and supercomputers. Indeed, Linux software now runs the majority of the world’s servers. It’s especially well-suited to this thanks to a combination of sheer power, transparency, and customizability.

One thing Linux doesn’t have is the same ‘out of the box’ security as an OS like Windows. Consequently, it’s necessary for users to take steps to optimize security for Linux software. These are our recommendations for ensuring unwelcome visitors can’t access your systems or software…

User accounts and updates

With regards to optimizing security for Linux, it’s advisable to avoid using the root account for day-to-day operations. If you’re deploying a new server, it will only have the root account at the outset. That means you need to set up a new user account for yourself. If you want to use that account for system management, you’ll have to give it sudo execution privileges. With sudo permissions set up, you can perform the same operations as the root account, but without compromising on security.

Once you’ve set up the account you’re going to use, disable SSH remote login for the root account – this closes off one path by which a hacker might try to access the system. The OpenSSH server settings are defined in a configuration file, accessed via Debian or Ubuntu with the command “sudo nano /etc/ssh/sshd_config”. In this file, find the authentication options, and set root login permission to ‘no’. Following this, it’s just a case of restarting the system.

Linux software updates and patches are regularly distributed to fix security vulnerabilities. Outdated software puts systems at risk, so make sure your packages and OS are constantly updated. To do this, the key command is “apt-get update && apt-get upgrade”.

Passwords

As with any systems, passwords are key to heightening security for Linux. Your first port of call should be to check that no user accounts have empty passwords. Such accounts are vulnerable as they’re much easier for hackers to access. Happily, they’re also easy to find by running “awk -F: ‘($2 == “ ”) {print} /etc/shadow”. That may look complex, but it simply checks when an account password is blank. It then returns the username of these accounts, allowing individuals to give those accounts strong passwords. To stop the same vulnerability creeping in again, set password policies.

The best way to identify weak passwords is by using a Linux PAM module called “pam_cracklib.so”. The module checks user passwords against dictionary words to help prevent weak password usage. You can also use it to set minimum password requirements in terms of length, complexity and other factors.

SSH Configuration

SSH is the standard protocol for controlling a server remotely. It’s important to minimize the danger of an attacker gaining access to your server via SSH. To do this, add restrictions to the configuration file located at “/etc/ssh/ssh_config.” There are a variety of restrictions which may be implemented, such as disallowing a system from trusting a host-based only on its IP. You may also want to set the system to drop SSH connections after five failed authorization attempts, preventing brute force logins.

One of the most useful restrictions is to limit SSH access to certain users, such as the system’s main administrator. You can do this by entering the relevant username into the “AllowUsers [username]” field. Only users who require remote access with SSH are able to get in, closing the various routes an attacker may follow to breach a system via SSH.