Before we jump into Tails and QubesOS, let's get a hardening guide out to make your Linux system as secure and private as possible.

Physical System Security

1. Configure the BIOS to disable booting from CD/DVD, external devices and floppy drives.

2. Set a BIOS password and protect GRUB with a password to limit what someone with physical access to your system can do.

Disk encryption

Use encrypted LVM volumes during the installation of your Ubuntu desktop and/or server system. This is very effective in toughening up your system.

Although it won't protect against every attack, it matters for 'data at rest': if your system gets stolen, the data can only be retrieved by someone who has the required key or passphrase.

Select the guided partition method with 'use entire disk and set up encrypted LVM'.

Select a passphrase; this is needed during the boot process to unlock the disk (or volume). Make it as strong as is practical.

Install UFW Firewall on Ubuntu and Debian

UFW (Uncomplicated Firewall) should be installed by default. If not, install it with the APT package manager using the following command.

$ sudo apt install ufw

Once the installation is complete, check the status by typing:

$ sudo ufw status verbose

On first install, the UFW Firewall is disabled by default and the output will be like this:

Status: inactive

Enable UFW Firewall

You can activate UFW using the following command, which loads the firewall and enables it on boot.

$ sudo ufw enable

To disable UFW, use the following command, which unloads and disables it:

$ sudo ufw disable
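The status check and enable step above, turned into a small script as an added example (this is not code from the original guide). It parses text in the format of `sudo ufw status verbose`, reports whether the firewall is active with a deny-by-default inbound policy, and applies that baseline with real ufw commands unless DRY_RUN=1 is set. The sample status outputs are constructed, and opening only SSH is an assumption; adjust to the services you actually run.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify that UFW is active
# with inbound traffic denied by default, and apply that baseline.
# ufw_baseline_ok reads `ufw status verbose` text on stdin;
# apply_ufw_baseline runs ufw for real unless DRY_RUN=1, in which case it
# only prints the commands.

# Constructed sample outputs in the format `ufw status verbose` prints.
SAMPLE_UFW_INACTIVE='Status: inactive'
SAMPLE_UFW_ACTIVE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere'

# ufw_baseline_ok: read status text on stdin; return 0 when the firewall is
# active AND the default inbound policy is deny, otherwise print a reason
# and return 1.
ufw_baseline_ok() {
    input=$(cat)
    status=$(printf '%s\n' "$input" | awk '/^Status:/ { print $2 }')
    if [ "$status" != "active" ]; then
        echo "ufw: firewall is not active (Status: ${status:-unknown})"
        return 1
    fi
    if ! printf '%s\n' "$input" | grep -q '^Default: deny (incoming)'; then
        echo "ufw: inbound traffic is not denied by default"
        return 1
    fi
    return 0
}

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# apply_ufw_baseline: deny inbound, allow outbound, rate-limit SSH, enable.
# Needs root (sudo) on a real host.
apply_ufw_baseline() {
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw limit ssh          # permit SSH but throttle repeated connection attempts
    run ufw --force enable     # --force skips the interactive confirmation
}

# Usage on a real host:
#   sudo ufw status verbose | ufw_baseline_ok || sudo sh -c '. ./ufw.sh; apply_ufw_baseline'
# Preview the commands without root:
#   DRY_RUN=1 apply_ufw_baseline
```

Run `sudo ufw status verbose | ufw_baseline_ok` after enabling; a status of "active" alone is not enough, because an active firewall whose default inbound policy is "allow" still lets everything through.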

Disable USB Storage Detection

Restricting the use of USB sticks helps protect data on the system from theft. Create a file '/etc/modprobe.d/no-usb' and add the following line; USB storage devices will then no longer be detected.

install usb-storage /bin/true
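The modprobe rule above as an added example that writes and verifies it (this is not code from the original guide). It assumes a modern modprobe, which only reads files in /etc/modprobe.d whose names end in ".conf", so the file is named no-usb.conf rather than the guide's "no-usb"; the directory is a parameter so the functions can be tried against a temporary directory without root.

```shell
#!/bin/sh
# Added example (not part of the original guide): prevent the usb-storage
# kernel module from loading via a modprobe.d rule, and check that the
# rule is present. Assumption: modprobe only honours *.conf files in
# /etc/modprobe.d, hence the .conf suffix.

MODPROBE_DIR_DEFAULT=/etc/modprobe.d

# disable_usb_storage [dir]: write the rule that makes any attempt to load
# usb-storage run /bin/true instead, so the module never loads. "blacklist"
# alone only stops automatic loading by alias; the "install" line also
# defeats explicit `modprobe usb-storage`.
disable_usb_storage() {
    dir=${1:-$MODPROBE_DIR_DEFAULT}
    mkdir -p "$dir"
    cat > "$dir/no-usb.conf" <<'EOF'
# Prevent USB mass-storage devices from being recognised.
install usb-storage /bin/true
blacklist usb-storage
EOF
}

# usb_storage_disabled [dir]: return 0 if some *.conf file in dir carries
# the "install usb-storage /bin/true" rule, 1 otherwise.
usb_storage_disabled() {
    dir=${1:-$MODPROBE_DIR_DEFAULT}
    grep -Eqs '^install[[:space:]]+usb-storage[[:space:]]+/bin/true' "$dir"/*.conf
}

# Usage on a real host (as root):
#   disable_usb_storage            # writes /etc/modprobe.d/no-usb.conf
#   usb_storage_disabled && echo "usb-storage blocked"
# If the module is already loaded, unload it with: modprobe -r usb-storage
```

The rule only affects future module loads; a usb-storage module that is already loaded stays in memory until it is unloaded or the machine reboots, which is why the usage note unloads it explicitly.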

Turn Off IPv6

If you do not need IPv6, disable it, since many applications and policies do not require it. Open the network configuration file and add the following lines to disable it.

# vi /etc/sysconfig/network

NETWORKING_IPV6=no

IPV6INIT=no

Keep Linux Kernel and Software Up to Date

Applying security patches is important. Linux provides the tools necessary to keep your system updated and allows easy upgrades. Security updates should be applied as soon as practical. Use your package manager (yum on RPM-based systems, apt-get or dpkg on Debian-based systems) to apply them.

# yum update

or

# apt-get update && apt-get upgrade

You can configure Red Hat, CentOS and Fedora Linux to send yum package update notifications by email.

Another option is to apply security updates via a cron job for Debian / Ubuntu Linux.

It is also possible to configure unattended upgrades on a Debian/Ubuntu Linux server using the apt-get or apt command:

$ sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx

Linux User Accounts and Strong Password Policy

Use the useradd / usermod commands to create and maintain user accounts. Follow a strong password creation policy. You know what you need to do!

Set Up Password Aging For Linux Users For Better Security

The chage command changes the number of days between password changes and the date of the last password change. The system uses this information to determine when a user must change their password.

The /etc/login.defs file defines the site-specific configuration for the shadow password suite, including password aging. To disable password aging, enter:

Locking User Accounts After Login Failures

Under Linux you can use the faillog command to display faillog records and set up login failure limits. faillog formats the failure log kept in the /var/log/faillog database file.

To see failed login attempts, enter:

faillog

To unlock an account after login failures, run:

faillog -r -u userName

Note that you can also use the passwd command to lock / unlock accounts:

# lock Linux account

passwd -l userName

# unlock Linux account

passwd -u userName

Verify No Accounts Have Empty Passwords

Type the following command:

# awk -F: '($2 == "") {print}' /etc/shadow

Lock all empty password accounts:

# passwd -l accountName

Make Sure No Non-Root Accounts Have UID Set To 0

Only the root account should have UID 0, which grants full permissions on the system. Type the following command to display all accounts with UID set to 0:

# awk -F: '($3 == "0") {print}' /etc/passwd

You should see this line:

root:x:0:0:root:/root:/bin/bash

If you see other lines, delete them or make sure those accounts are authorized to use UID 0.
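The empty-password and UID 0 checks from the two sections above, as an added example that is not part of the original guide. The functions take the files to inspect as parameters, so they can run on copies or on the constructed samples below without root; on a real host pass /etc/shadow (readable only by root) and /etc/passwd. Unlike the one-liner above, uid0_accounts leaves root out and lists only the extra UID 0 accounts, which is what actually needs a decision.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit shadow/passwd-style
# files for empty password fields and extra UID 0 accounts.

# Constructed samples. "alice" has an empty password field, "daemon" and
# "bob" are locked ("*" / "!"), and "svc" is a second UID 0 account.
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:!:19000:0:99999:7:::'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:0:0:constructed anomaly:/home/svc:/bin/sh'

# empty_password_accounts SHADOW: print accounts whose password field is
# empty (they can log in with no password at all). Locked accounts ("!" or
# "*") are not reported, since no password matches those fields.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# uid0_accounts PASSWD: print every account with UID 0 other than root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# audit_accounts SHADOW PASSWD: report both kinds of finding with the fix
# the guide recommends; return 1 if anything was found.
audit_accounts() {
    found=0
    for u in $(empty_password_accounts "$1"); do
        echo "EMPTY-PASSWORD $u  (fix: passwd -l $u, then set a password)"
        found=1
    done
    for u in $(uid0_accounts "$2"); do
        echo "EXTRA-UID0 $u  (verify it is authorised, otherwise remove it)"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Usage on a real host (as root):
#   audit_accounts /etc/shadow /etc/passwd
```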

Disable root Login

Never log in as the root user. Use sudo to execute root-level commands when needed. sudo enhances the security of the system because the root password does not have to be shared with other users or admins, and it also provides auditing and tracking features.

Linux Kernel /etc/sysctl.conf Hardening

The /etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies the settings from /etc/sysctl.conf at boot time.

Sample /etc/sysctl.conf:

# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians=1
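An audit of a sysctl.conf-style file against the hardening keys above, as an added example that is not part of the original guide. It also serves the "Turn Off IPv6" section: the baseline includes net.ipv6.conf.all.disable_ipv6=1, which disables IPv6 through sysctl on any distribution, whereas the /etc/sysconfig/network keys shown there are specific to Red Hat-style systems. Two deliberate differences from the guide's sample are assumptions of this example: kernel.randomize_va_space is expected to be 2 (full ASLR; the value 1 in the sample leaves the brk heap unrandomised), and kernel.exec-shield is left out because it only existed on old Red Hat kernels and is rejected elsewhere. Values are read from the file, not the running kernel, so the check needs no root.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit a sysctl.conf-style
# file against a hardening baseline. Baseline values are assumptions.

# Baseline: one "key expected_value" pair per line.
SYSCTL_BASELINE='kernel.randomize_va_space 2
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_messages 1
net.ipv4.conf.all.log_martians 1
net.ipv6.conf.all.disable_ipv6 1'

# Constructed sample: the sysctl.conf shown in the guide above.
SAMPLE_SYSCTL_CONF='# Constructed sample mirroring the sample /etc/sysctl.conf
kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians = 1'

# sysctl_conf_get FILE KEY: print the last value set for KEY in FILE.
# Strips "#" and ";" comments and accepts both "key=value" and
# "key = value", as sysctl itself does.
sysctl_conf_get() {
    sed -e 's/[#;].*$//' "$1" | awk -F'=' -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { if (v != "") print v }'
}

# audit_sysctl_conf FILE: print one line per baseline key that is missing
# or weaker than expected; return 1 if any were found, 0 if all match.
audit_sysctl_conf() {
    file=$1
    findings=$(echo "$SYSCTL_BASELINE" | while read -r key want; do
        have=$(sysctl_conf_get "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "WEAK $key=$have (want $want)"
        fi
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK all baseline sysctl keys present"
}

# Usage on a real host:
#   audit_sysctl_conf /etc/sysctl.conf
# After editing the file, load it without a reboot with: sysctl -p
# and compare against the live kernel with: sysctl -n kernel.randomize_va_space
```

On the guide's own sample the audit reports kernel.randomize_va_space=1 as WEAK and net.ipv6.conf.all.disable_ipv6 as MISSING; everything else matches. Distributions also read /etc/sysctl.d/*.conf, so on a real host run the audit over each file that sets a key.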

Restrict Users from Reusing Old Passwords

Disallow users from reusing their old passwords:

The old password file is located at /etc/security/opasswd.

This can be achieved using a PAM module.

Open the '/etc/pam.d/system-auth' file under RHEL / CentOS / Fedora.

# vi /etc/pam.d/system-auth

Open the '/etc/pam.d/common-password' file under Ubuntu/Debian/Linux Mint.

# vi /etc/pam.d/common-password

Add the following line to the 'auth' section.

auth        sufficient    pam_unix.so likeauth nullok

Add the following to the 'password' section; this disallows a user from reusing any of their last 5 passwords.

password   sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5

Reusing any of the last 5 old passwords will produce the following error:

Password has been already used. Choose another.
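An audit of the PAM password stack for the history setting above, as an added example that is not part of the original guide. It parses a common-password or system-auth style file, confirms that the pam_unix.so password line carries remember=N with N at least 5 (an assumed policy), and flags two options the guide's sample line carries that weaken it: md5 (an obsolete hash; pam_unix supports sha512, and recent Debian/Ubuntu releases default to yescrypt) and nullok (which permits empty passwords, exactly what the "empty passwords" check earlier is meant to catch). Only the file is read; nothing is changed. The two sample files are constructed.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit a PAM password
# stack file for password-history enforcement and weak pam_unix options.
# MIN_REMEMBER is an assumed policy value.

MIN_REMEMBER=5

# Constructed samples: the guide's line as written, and a hardened variant.
SAMPLE_PAM_GUIDE='# Constructed sample using the password line from the guide
password   sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5'
SAMPLE_PAM_HARDENED='# Constructed sample with md5 and nullok removed
password   requisite     pam_pwquality.so retry=3
password   sufficient    pam_unix.so use_authtok sha512 shadow remember=5'

# pam_unix_password_line FILE: print the first active "password ...
# pam_unix.so" line with comments stripped, or nothing if there is none.
pam_unix_password_line() {
    sed -e 's/#.*$//' "$1" | awk '$1 == "password" && /pam_unix\.so/ { print; exit }'
}

# pam_option LINE NAME: print the value of NAME=VALUE on LINE, or nothing.
pam_option() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | awk -F= -v n="$2" '$1 == n { print $2 }'
}

# audit_pam_password FILE: print findings and return 1 if any; otherwise
# print an OK line and return 0.
audit_pam_password() {
    line=$(pam_unix_password_line "$1")
    norm=" $(printf '%s' "$line" | tr '\t' ' ') "
    findings=$(
        if [ -z "$line" ]; then
            echo "MISSING password line for pam_unix.so"
        else
            remember=$(pam_option "$line" remember)
            if [ -z "$remember" ]; then
                echo "MISSING remember= (old passwords are not rejected)"
            elif [ "$remember" -lt "$MIN_REMEMBER" ]; then
                echo "WEAK remember=$remember (want at least $MIN_REMEMBER)"
            fi
            case "$norm" in *" md5 "*) echo "WEAK md5 hashing (use sha512)" ;; esac
            case "$norm" in *" nullok "*) echo "RISK nullok permits empty passwords" ;; esac
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK password history enforced: remember=$(pam_option "$line" remember)"
}

# Usage on a real host:
#   audit_pam_password /etc/pam.d/common-password   # Debian/Ubuntu
#   audit_pam_password /etc/pam.d/system-auth       # RHEL/CentOS/Fedora
```

On the guide's own line the audit passes the remember=5 check but reports the md5 and nullok findings; the hardened sample passes cleanly. Changes to /etc/pam.d take effect on the next password change, so test with `passwd` on a non-privileged account before relying on the setting.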

Please always remember to check whether your system or applications have updates waiting, as a secure system is only as secure as the latest patch applied.

In our next chapter we will cover software you can use on Linux and provide recommendations of good software.