Setting up a secure Linux server
Home Sweet Home
Not all distributions tighten up your home directories by default. Assume my user name is lionel
, and I don't want Luis
or Neymar
to see the files in my home directory. It's easy to keep other users out of my home directory by running the following command as root
:
# chmod -R 750 /home/lionel
If you're keen to stop all home directories being accessed by others, simply replace lionel
with an asterisk.
Hey, Mr. Postman
The next step is to set up the logwatch tool [1] and configure it to send you a daily digest of any important events found in your system logs. Bear in mind that, when you're finished with these simple steps, you'll also have a fully functional SMTP server. Clearly, I'm zooming through these commands for brevity; I encourage you to take a closer look if you're not sure what you're doing.
Straight out of the box, the Postfix mail server will be fully functioning. Choose Internet Site and add your full hostname (including FQDN) during the configuration process. With a quick shuffle, you can then change the old-school, Sendmail-style /etc/aliases
file so that your personal address receives your root
user email.
Install Postfix as follows:
# apt-get install postfix
Edit the aliases
file and add your external address so you receive the root
user's mail:
# pico -w /etc/aliases
Make sure the line starting root:
looks similar to the following:
root: chris@binnie.tld
Update the aliases DB file by executing the Postfix newaliases
command:
# newaliases
Finally, install the Logwatch package; even as a fresh install it's fabulously functional:
# apt-get install logwatch
The easiest way to execute Logwatch is to set up a cron job that runs at the default cron.daily
predefined time, which is 06:25hr on my Jessie 8.1 build. Adjust the time in the /etc/crontab
file or move the /etc/cron.daily/00logwatch
file somewhere else and execute it specifically at another time from within the /etc/crontab
file.
Next up run Logwatch and then check your inbox:
# /etc/cron.daily/00logwatch
The results are mind-blowingly useful. For more on monitoring your logs with logwatch, see the article at the ADMIN Magazine website [2].
Logwatch provides invaluable information about your system (including disk space usage, logins over SSH, new users/groups, service restarts, and unusual log entries). Additionally, you receive a list of the packages that you've installed following the completion of your minimal install.
The packages are also conveniently separated into Installed, Upgraded, and Removed sections. I find these lists are an excellent point for future reference, archived in my email with the subject line "Logwatch for <hostname> (Linux)."
If you ever encounter discrepancies between two servers due to package version or functionality, it is a two-second lookup to scan over how they were built. If you don't want root
to directly receive mail via your aliases
file, you can add MailTo =
followed by an email address in the config file /etc/logwatch/conf/logwatch.conf
. You might need to create this file if it doesn't already exist.
I would be remiss not to mention the task of securing of your shiny new SMTP server further. Even if relaying is switched off by default, you still need to take some steps to secure your mail server. The Ask Ubuntu site has a useful post on securing a Postfix mail server [3].
Passwords
If I am expecting a few different (non-sys admin users) to be logging into this box, I should also consider password security. If you have ever stumbled across a list of common passwords, you'll know why admins are very concerned about letting everyday users have access to server systems [4].
The quality of the typical user password is not good news if you haven't locked down access to your server by IP address or some other alternative method.
Without these precautions you are definitely vulnerable to automated dictionary attacks. Thankfully, you can strengthen your password rules on Linux with a sophisticated package called libpam-cracklib
.
The following configuration works on my Debian "Wheezy" system. Install libpam-cracklib
with:
# apt-get install libpam-cracklib
Then, edit the following file:
# pico -w /etc/pam.d/common-password
Adjust the following command with the necessary settings (comment out the old config line rather than deleting it so you can revert if necessary):
password requisite pam_cracklib.so retry=2 minlen=10 difok=6 dcredit=2 ocredit=2
This hardened configuration means a user is only permitted two password error retries and demands at least 10 characters for a password.
My favorite setting (to annoy colleagues) is difok=6
, which means only six characters of the last password can be reused and the last two entries must be a minimum of two numbers and two symbols (or "special characters") present within the password. To activate these settings, on Wheezy at least, you can run the following command:
# pam-auth-update
Try a few tests – carefully, so you can still log back in. For troubleshooting, you might want to check whether UsePAM yes
is present in the file /etc/ssh/sshd_config
file. Restart the OpenSSH server with systemctl restart ssh
if you change the configuration.
Table 1 shows some of the excellent options for enforcing stricter passwords from the pam_cracklib
manual, which covers libpam-cracklib
. Experiment with these settings to your heart's content.
Table 1
Cracklib Password Enforcement Options
Option | Description |
---|---|
retry=N |
Prompt user at most N times before returning with error. The default is 1. |
difok=N |
This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password. |
minlen=N |
The minimum acceptable size for the new password (+1 if credits are not disabled as per the default). More detail for this option is available in the manual. |
dcredit=N |
(N >= 0) The maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be met for a new password. |
ucredit=N |
(N >= 0) The maximum credit for having upper case letters in the new password. If you have less than or N uppercase letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of uppercase letters that must be met for a new password. |
lcredit=N |
(N >= 0) The maximum credit for having lowercase letters in the new password. If you have less than or N lowercase letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10 (N < 0) This is the minimum number of lowercase letters that must be met for a new password. |
ocredit=N |
(N >= 0) The maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be met for a new password. |
minclass=N |
The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the credit check is that a specific class if of characters is not required. Instead N out of four of the classes are required. |
maxrepeat=N |
Reject passwords that contain more than N same consecutive characters. The default is 0, which means that this check is disabled. |
maxsequence=N |
Reject passwords that contain monotonic character sequences longer than N. The default is 0, which means that this check is disabled. Examples of such sequence are "12345" or "fedcb". Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password. |
maxclassrepeat=N |
Reject passwords that contain more than N consecutive characters of the same class. The default is 0, which means that this check is disabled. |
reject_username |
Check whether the name of the user in straight or reversed form is contained in the new password. If so, the new password is rejected. |
gecoscheck |
Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password. If any such word is found, the new password is rejected. |
enforce_for_root |
An "error" or "failed check" message prevents the root user from changing the password. This option is off by default, which means that the message about the failed check is printed, but root can change the password anyway. |
use_authtok |
This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module. |
If you want to flex your Cracklib muscles, you could also go one step further and introduce your own dictionaries for Cracklib to check against. Look online for an old but nicely-written piece on using Cracklib with Django [5].
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.