Linux SysAdmin Security Mistakes

System administrators make mistakes and that's fine, as long as they learn from them. Learning from your mistakes will develop more skills, advance your career, and make you a better systems admin. However, It’s also helpful to learn from the blunders of others. This is why I’ve compiled a list of common 10 mistakes that system admins make, and how to address these problems.

Overuse of Privilege Escalation

Sudo permits users to run commands with elevated privileges from terminals and to control who can run these commands on the system. A system administrator can delegate permission to grant users the ability to perform certain commands as root or another user whPrivilege Escalationile providing an audit record of the actions and their arguments. 

Adversaries can take advantage of poorly configured methods to escalate privileges without requiring the user's password. For example, It's easy for a system administrator to get frustrated every time a user requires sudo access for a minor task, so rather than finding an alternative, the system administrator will grant permanent sudo access to specific programs for specific users. You have a clear path to root if the software gives you access to an interactive shell or can write to the file system.

Some mitigations to this are privileged account management. Even if an attacker has terminal access, they must know the password to run anything in the sudoers file. Another mitigation is to restrict file and directory permissions.  The sudoers file should be modified so that passwords are always required and that users with greater privileges cannot initiate dangerous processes. 

Key Takeaways:

  • Use Privilege Account Management
  • Restrict Files and Directories
  • Avoid using sudo if you don't have to

Use of Outdated Software

Many of us are guilty of postponing a software update. As a system administrator, this laziness can be detrimental to your organization. It is critical that sysadmins track security advisories, and as soon as security updates become available, install them. Many servers have been affected because a year-old fix was never installed, and instead were compromised by a zero-day attack.System Update

Some issues of missing an update are obviously vulnerabilities that go unpatched. Hackers can sometimes see the patches made in an update and use that to attack systems that haven’t been updated. Another issue with missing updates might not be due to mismanagement, but it might be blocked because it would damage a legacy app. 

If it's a crucial server, a few minutes of downtime as part of a scheduled maintenance window is preferable to losing hours or days because the box has been effectively compromised. Test patches as soon as they're issued and set up a schedule for releasing updates. Perhaps there are ways to quarantine the servers to limit risk, or to adopt new technologies to lessen reliance on legacy services. Patching can be a political minefield in real life. If a higher-ranking manager prohibits a system from being patched, make sure everyone understands the consequences of not doing so. Bring the issue to the attention of the proper stakeholders and management. 

Key Takeaways:

  • Test Patches as soon as they are available
  • Quarantine servers if you can’t push a crucial update
  • Make sure that management understands the importance of the update

Bad Password Management

Although passwords are still one of the most secure ways of authentication available, they are vulnerable to a variety of security risks when misused. The role of password management is useful in this situation. Password management is a collection of guideliPassword Qwertynes and best practices that users should follow while saving and managing passwords in order to keep them as secure as possible and prevent unwanted access.

Servers are frequently set up with weak administrator credentials or the same password as other machines. Because many people still make this basic mistake, brute-force attacks utilizing common passwords work. The problem becomes much worse when numerous machines share the same password.

System admins should utilize a key file instead of using the same root password on all computers. Each server should have a public key file, and the private key should be paired with the public key on the system admin's desktop.

Key Takeaways:

  • Don’t use the same root password on all machines, use a key file instead
  • Make sure admin credentials are strong 
  • Do not have a list of passwords stored in a text file

Troubleshoot Incorrect VLAN Assignment

System administrators use virtual local area networks (VLANS) to segment and organize a network. The ability to segment the network has a number of benefits, including greater security because devices can only connect with other VLAN systems. Only the systems in their VLAN segment are visible to users. It can aid in the control of broadcast traffic and the movement of end systems around the network.

Users will be sent to the wrong VLAN if they are not correctly configured. This is why sysadmins have to deal with difficulties like network devices not being able to connect to switch ports, failed device registration efforts, and the inability to connect the device to important servers, among other things.

To ensure that the device has the right IP address, test the switch port. Check which VLAN is configured on that port using a VLAN tag and make the necessary modifications.

With documentation, you can avoid making a mistake with your VLAN settings. VLAN is frequently assigned to the wrong port due to a lack of communication. System Admins, for example, would never know that specific ports need to be adjusted in order to be compatible with new services if there was no documentation.

Key Takeaways:

  • Reconfigure ports to support new service
  • Check switch configuration to validate new VLAN assignment
  • Test the port to see which VLANs are supported

Monitor Log Files for Tampering and Attack Signals

Log files keep track of what's going on behind the scenes so that if something goes wrong with a complex system, you can refer to a complete record of events that occurred prior to the failure. This record includes transactions, errors, and intrusions.

There could be an advanced persistent threat or APT in your organization, or some other attack happening. Signs of this attack could be in your log files. There could also be signs of transaction errors that might need your attention.

By keeping track of log files, you can increase the chance of catching an intruder and stopping them before any serious damage can occur. There is log filtering software that can help you analyze the data and find relevant log messages.

Key Takeaways:

  • Write logs to two separate locations and compare hashes
  • Don't log passwords or failed passwords from logins
  • Use log filtering software to help find relevant information 

IP Address Conflict

At any one time, one IP address is assigned to each device on a network by default. However, two devices sharing the same IP address can prevent users from connecting to the network. The default Dynamic Host Configuration Protocol (DHCP) configuration on your router could be to blame, as well as manual human error.

It's critical to have a good DHCP server on your network to protect your devices from IP conflicts. Bad DHCP servers may contain vulnerabilities that cause IP conflicts by assigning IP addresses to network devices incorrectly during dynamic IP allocation.

Reconfigure the router to assign DHCP addresses to the top end of your subnet, leaving the static IP addresses out of the mix.

Key Takeaways:

  • Check IP conflicts that arise from DHCP servers
  • Check BYOD Policies
  • Release and Renew Your IP Address

Prevent DNS Failures

The Domain Name System (DNS) is a decentralized and hierarchical naming system for identifying computers, services, and other resources accessible via the Internet or other Internet Protocol networks.What Is DNS Failure Article Image

DNS failure prevents users from accessing the internet and other critical applications.A failed connection request occurs when the client PC is unable to resolve the server name with the server's IP address. Cache poisoning,DDoS attack, DNS rebinding attack are some exploits that adversaries might use to induce DNS failure.

For extremely active networks, workstations may be configured to use their DNS server, resulting in a DNS traversal to your ISP's servers, overloading the router. To directly access their DNS servers, change the client's DHCP settings. Disable DNS recursion to prevent DNS poisoning attacks. Have a server that will activate in the event of the nameservers failure.

Key Takeaways:

  • Properly configure DHCP settings
  • Be prepared with a DNS failover
  • Disable DNS recursion to prevent cache poisoning

Security Audits Best Practices

A security audit is a thorough examination of your company's information system. Often, this examination compWhen To Conduct A Security Auditares the security of your system to a checklist of industry best practices, externally defined standards, or federal regulations. The audit entails a thorough examination of all aspects of your IT infrastructure, including operating systems, servers, digital communication and sharing tools, apps, data storage and gathering methods, and so on.

A security audit will give a roadmap of your organization's primary information security flaws, identifying where it is meeting and where it is not fulfilling the requirements set forth by the organization. For firms that deal with individuals' sensitive and confidential data, security audits are essential for building risk assessment plans and mitigation measures.

On the market, there are a variety of computer-assisted audit techniques (CAATs) that can help you automate the audit process. CAATs go through the processes of an audit on a regular basis, looking for vulnerabilities and generating audit reports automatically.

Key Takeaways:

  • Understand that audits are essential for security
  • Enlist a third-party auditor 
  • Use CAATs to automate the audit process

Poor SSH Key Management

SSH is a secure protocol that is commonly used to connect to Linux servers. By establishing a remote shell, it provides a text-based interface. All commands you enter in your terminal are transferred to the remote server and executed there after you connect. Any commands you type into your terminal are transferred across an encrypted SSH tunnel and executed on your server for the length of your SSH session. SSH is used by system administrators frequently, together with SSH keys.

Mismanagement of SSH keys exposes you to risk and puts you out of compliance with industry regulations. If you have your keys laying around or you frequently hand them out to everyone, that's obviously very bad for security. Having an improper key management set up could also affect compliance needs.

SSH key management is a set of policies, processes, and tools that enable you to safeguard and manage such digital key pairs. Users can utilize secure shell keys to authenticate themselves to your network, servers, or other systems and securely transfer files without having to log in every time.

Key Takeaways:

  • Keep an eye on the SSH key rotation
  • SSH keys should be tied to a specific person rather than an account that can be accessed by several people
  • Find and keep inventory of all SSH keys

Improperly Configured & Open Ports

Ports allow devices to communicate with one another. To perform their tasks, internet-facing services and applications essentially listen on ports for a connection from the outside. Communication between hosts via the internet is impossible without ports.

https://lh3.googleusercontent.com/A5xFXm9RRUQ-1ABlgBCSk-MRN28ZOBDtP3VKCgPZdFeB5YuO9KnYg-5Nmg2K_3xcWJTp9Iq0AcpoC7k5yO33itlBe7acikWbT8mlt6hA0mq6mtwgRqRV-tv6j4Z8yqtdMKWnVVIpWhen it comes to ports, one of the most common issues is that those that aren't supposed to be open are accidentally left open. An administrator may have opened a port to fulfill a request and then forgotten about it. A program may have automatically changed a firewall configuration, leaving some ports open without your knowledge.

Ports that aren't absolutely necessary should be closed as soon as possible. One way to help mitigate this risk is to run port scans with tools such as Nmap on a regular basis.

Key Takeaways:

  • Check for open ports with vulnerability scanners
  • After opening a port for requests, remember to close them
  • Check for ports that may have been opened from firewall configuration

Conclusion

Making mistakes and learning from them is part of the process of growing as a sysadmin. Learning from others’ mistakes can be an invaluable tool as well, without compromising the security in the process. In this article, we took a look at 10 common mistakes that sysadmins make when it comes to security, and tips for avoiding these pitfalls. 

We encourage you to explore more tips for securing your Linux systems in this LinuxSecurity must-read article on top tips for securing your Linux system.

Have you made any of these mistakes yourself, or do you have additional advice for avoiding these issues? We’d love to discuss this with you!

Connect with LinuxSecurity on Social Media:

Twitter | Facebook | LinkedIn