
It has become clearly apparent in recent years that cybercrime is on the rise. Online crime affects everyone, and Linux is no longer the exception.

Cybercriminals have found great success attacking Linux systems, and Linux is now a key target. The number of new Linux malware variants reached a record high in the first half of 2022, as nearly 1.7 million samples were discovered. As a result of this trend, taking the necessary steps to secure your Linux systems has never been more critical in protecting against attacks leading to compromise.  

It is well established that firewalls offer effective protection against potential cyber threats; however, they must be properly configured and regularly maintained. Firewalls are also not a stand-alone defense; they work best within a comprehensive security strategy that has multiple layers of protection so that if one fails, the next holds. Using only a firewall can create a false sense of security that can ultimately put you at even greater risk. Firewalls alone cannot stop many attacks on a Linux system, including sensitive data exposure, broken authentication, broken access control, security misconfiguration, cross-site scripting (XSS) and insufficient logging and monitoring.

This article will investigate the limitations of firewalls and offer advice on ways you can secure your Linux system with additional layers of protection beyond a firewall.

What is a Firewall, and Does Linux Need One?

A firewall is a filter that sits between your computer and the Internet. It stops traffic flowing in either direction if it is judged to be a threat, although users typically focus on stopping the inbound flow. For example, your firewall should stop potential malware from being downloaded onto your computer. You can run a firewall as software on the host itself or on a dedicated appliance, which itself normally runs Linux.

Linux comes with a built-in firewall, but it needs to be activated. Many people believe that they are safe enough without one because, most times, the operating system does not have any open ports through which a criminal can gain access. However, it is still best practice to use the firewall configured correctly for your system. 

Your Linux System is Vulnerable to These Attacks Even with a Firewall in Place 

As previously mentioned, Linux systems are vulnerable to certain attacks, even if the firewall is set up and configured correctly. We will explore these attacks in more detail below. 

Sensitive Data Exposure

Sensitive data (passwords etc.) should be encrypted. If it is not, then it can be compromised in a cyberattack, either when stored or in transit. This can allow unauthorized access to systems and data such as bank accounts or customer data, which cybercriminals can use to steal money or sell personal information, potentially leading to lost client trust for businesses. Data should only be stored when absolutely necessary, and you should always encrypt it with secure protocols, for instance, TLS with PFS ciphers. 

Broken Authentication 

This is a scenario in which the authentication system is vulnerable, and these vulnerabilities are exploited by criminals to gain unauthorized access to the system. This might happen when an unencrypted password list is lost, for example. This type of vulnerability can easily be exploited if there are no restrictions to password attempts or other authentication fail-safes. It is quite possible, once inside the system, for a criminal to either take data and funds or corrupt the system for future attacks. Multi-factor authentication is a great way to make a security system more robust, but using password checkers to test the strength of passwords is a great first step. 

Broken Access Control 

Access control gives certain users different privileges on a system so not all users can access certain types of data, for instance. If there are vulnerabilities that can be exploited, then it results in broken access control. Vulnerabilities can easily be found using open-source vulnerability scanning tools, and are normally caused by a lack of system testing. Using broken access control, a criminal can act as an administrator and attack the whole system. Protections against this should be put on the server-side code, including lock-downs after multiple failed login attempts and disabling the listing of server directories. 

Security Misconfiguration 

This is one of the most common vulnerabilities. Using default configuration settings or leaving them incomplete, as well as error messages which provide too much information, can all expose a system to attack. If any area is left open or a file is unprotected, a criminal can use this area of weakness to gain access to the entire system. These weaknesses are easily detected by automated tools. This type of vulnerability can be prevented by ensuring that there are no unnecessary open ports, that everything is up to date, and by streamlining the code as much as possible to reduce unnecessary features.

Cross-Site Scripting (XSS)

This type of attack happens when a web application places untrusted data on a page without validation or escaping, for example when an attacker can add script to a URL parameter that is then reflected to other users of the site. These additions are usually used to run malicious code in the victim's browser. For instance, the victim might be sent a link to a business URL that has been altered to contain the extra code, which might then capture keystrokes or similar. Using frameworks that escape output by default (such as React), understanding where those frameworks do not protect you, and never inserting untrusted HTML anywhere in the code should prevent this.

Insufficient Logging and Monitoring 

Most systems are slow to detect data breaches, and incomplete logging allows vulnerabilities to remain unaddressed. This means that the system is exposed and vulnerable to repeated attacks. Setting up automatic reporting (for instance, for access control failures) and holding the reports for enough time to be analyzed will help here. The generated reports should also be compatible with other monitoring systems so they are regularly accessed. 

Tips & Advice for Securing your Linux System 

Ensure your Firewall is Properly Configured & Maintained

When properly configuring your firewall, you should make use of iptables, firewall-cmd, and firewalld.

  • iptables is a command-line tool that regulates traffic with policy chains. When a connection attempt is made, iptables walks the rules in the relevant chain in order and, if none matches, applies the chain's default policy.
  • firewall-cmd is the command-line control interface for firewalld (you might need to install it if it isn't already present on your system).
  • firewalld is a firewall that supports network and firewall zones, which specify the level of trust given to the network connections assigned to them.

If you want to use firewalld, first make sure it is running on your system. Once it is running, you will be able to use firewall-cmd to control it. firewalld ships with predefined zones, which makes it easier to get started; just choose the right options for your system.
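As an added check that is not part of the original article, the script below parses `iptables-save` output and flags the permissive cases described above: a built-in chain whose default policy is ACCEPT, and a catch-all ACCEPT rule that short-circuits everything after it. The dump is a constructed sample, not output captured from a real host.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save` output (not captured from a real host).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT)\s")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")

def parse_policies(dump: str) -> Dict[str, str]:
    """Return {chain: default policy} from the ':CHAIN POLICY [pkts:bytes]' lines."""
    policies = {}
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
    return policies

def find_catch_all_accepts(dump: str) -> List[str]:
    """Return chains holding an ACCEPT rule with no match criteria: it accepts
    everything that reaches it, so later rules and the default policy never apply."""
    return [m.group(1) for m in map(RULE_RE.match, dump.splitlines())
            if m and m.group(2).strip() == "-j ACCEPT"]

def audit(dump: str) -> List[str]:
    """Human-readable findings; an empty list means no permissive setting was found."""
    findings = []
    policies = parse_policies(dump)
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) == "ACCEPT":
            findings.append(f"{chain}: default policy ACCEPT, unmatched traffic is allowed")
    for chain in find_catch_all_accepts(dump):
        findings.append(f"{chain}: catch-all '-j ACCEPT' rule makes later rules moot")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

On a live host, pipe `iptables-save` into the script instead of using the sample; the OUTPUT chain is deliberately not flagged because an ACCEPT policy there is the common default.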

Use a Trustworthy VPN

A VPN uses a public network (typically the Internet) to connect remote sites or users. It creates an encrypted connection or "tunnel" between your device and a remote server operated by the VPN service. By doing this, it protects your privacy as it stops your IP from being tracked, and your connection is encrypted, which in turn allows for better security. However, you might find that it slows your internet speed, and you tend to get more for your money with a paid service. VPNs can sometimes be difficult to configure with Linux systems, and if you don’t do it properly, you might still have security or privacy leaks. You can access more information on the best VPN protocols here to decide which one is right for you. 

Use a Web Application Firewall (WAF)

A WAF protects web applications by monitoring and filtering traffic between the application and the end user and blocking requests from malicious sources. It is a layer of protection that is always in place, rather than requiring you to update or write a new script each time a new threat appears. A good WAF should be easy for you to use and able to scale with the applications you have. There are a number of different WAFs around; you can have a look at some great open-source and commercial ones here.

Secure PHP

Patches and fixes for PHP are released all the time, and it is important to stay up to date on these releases. Find workarounds if you are not able to update the version you are using. To prevent information leaking, make sure that you have turned the expose_php directive off; you should also make sure that you control file system access through the open_basedir directive.

PHP has many useful functions, but also a lot that can be exploited by criminals – disable any dangerous functions through the disable_functions directive. You should also use external tools to frequently scan and audit your PHP scripts and code for any vulnerabilities. If you want more in-depth information on PHP security and how to implement it, explore our Getting Started Guide to Improving PHP Security.
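Added example, not part of the article or of PHP's own tooling: a small audit of a php.ini fragment for the directives named above (`expose_php`, `open_basedir`, `disable_functions`) plus `display_errors`, since verbose error messages are the information leak the Security Misconfiguration section warns about. Both fragments are constructed; the path and function list in the hardened one are illustrative choices.

```python
import re
from typing import Dict, List

# Constructed php.ini fragment with the weak settings the article warns about.
WEAK_INI = """\
; constructed sample, not a real server's php.ini
expose_php = On
open_basedir =
disable_functions =
display_errors = On
"""

# The same directives tightened; the path and function list are illustrative.
HARDENED_INI = """\
expose_php = Off
open_basedir = /var/www/html:/tmp
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
display_errors = Off
"""

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")

def parse_ini(text: str) -> Dict[str, str]:
    """Map directive names to values, ignoring ';' comments and [section] headers."""
    directives = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1).lower()] = m.group(2).strip('"')
    return directives

def is_on(value: str) -> bool:
    """PHP treats On/1/True/Yes as enabled."""
    return value.lower() in ("on", "1", "true", "yes")

def audit_php_ini(text: str) -> List[str]:
    """Findings for the directives named in the text; an empty list means all are set safely."""
    d = parse_ini(text)
    findings = []
    # expose_php defaults to On, so a missing directive is as weak as an explicit On.
    if is_on(d.get("expose_php", "On")):
        findings.append("expose_php is On: the PHP version leaks in the X-Powered-By header")
    if not d.get("open_basedir"):
        findings.append("open_basedir is unset: scripts may read any file the web user can")
    if not d.get("disable_functions"):
        findings.append("disable_functions is empty: shell-execution functions stay available")
    if is_on(d.get("display_errors", "Off")):
        findings.append("display_errors is On: error output reveals paths and internals")
    return findings
```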


Test & Verify Server Security 

There's not much use putting a lot of work into making your server secure if you don't bother to check that it's worked. The only way you can be sure your server is fully protected is to test it as thoroughly as possible. 

  • Port scanning is used to enumerate ports and highlight any exposures. It will tell you which ports are open and which services are listening behind them. 
  • Intrusion detection is a critical part of securing a server. The information it records about attacks can be used to analyze what types of attacks are being used against the server and, therefore, the best strategy for securing it. 
  • Monitoring logs should be done regularly, and there are many ways to automate this task. 
  • Auditing – the Linux Auditing System (auditd) is a valuable feature for administrators; you should use it regularly to assess your system. 
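As an added illustration of automated log monitoring, not code from the original article, here is a detection pass over constructed sshd auth.log lines that reports source addresses with repeated failed logins inside a sliding window; these are the access-control failures that the Insufficient Logging and Monitoring section says should be reported automatically. Hosts, users, addresses and timestamps are invented, and the threshold and window are assumptions you would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed auth.log lines in syslog format; hosts, users and addresses are invented.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar  3 10:00:03 web1 sshd[2202]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2
Mar  3 10:00:04 web1 sshd[2203]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar  3 10:00:06 web1 sshd[2204]: Failed password for root from 198.51.100.23 port 50125 ssh2
Mar  3 10:00:07 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar  3 10:00:09 web1 sshd[2206]: Accepted publickey for deploy from 203.0.113.7 port 41000 ssh2
Mar  3 10:15:00 web1 sshd[2301]: Failed password for alice from 203.0.113.7 port 41002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_failures(log: str, year: int = 2023) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, user, source ip) for every failed-password line.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2023 here)."""
    out = []
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def brute_force_sources(log: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Source IPs with at least `threshold` failures inside any `window`; the value is
    the peak count seen. This is the signal an automatic lockout would act on; here it
    only reports, so a defender can review before blocking."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged
```

Run it over a real auth.log by reading the file into `brute_force_sources`; a single slow failure such as the one from 203.0.113.7 stays below the threshold and is not reported.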

You can find more information on these points in our article on verifying Linux server security.

Penetration Testing 

Penetration testing is also known as pentesting and ethical hacking. The idea is to stage a cyberattack and identify what works and any weaknesses in a system. You can choose how you want to stage the attack, for instance, pretending the would-be attacker is an employee or an external agent. Penetration testing gives administrators insight into where the system is vulnerable, which they can then fix before it is really attacked. It's also a useful way of testing updates or alterations to the system. There are lots of tools you can use for penetration testing, which are covered in more detail in this article on Linux pentesting.

Reverse Engineering and Malware Scanning 

Reverse engineering focuses on deconstructing malware in an isolated environment to gain insight into how it works. This can then help to create protection against future attacks. By reverse engineering a malicious program, analysts can study its characteristics and analyze its behavior and the vulnerabilities that it exploits. These insights can be used to improve security solutions and close up vulnerable spots. There are a number of toolkits you can use for reverse engineering and malware scanning, which we look at in more detail here.

Secure Your ERP Data

Enterprise Resource Planning (ERP) systems unify different platforms and departments, collecting all of your administration into one application for ease of use. This makes them an attractive target for criminals, as they hold large amounts of business-critical data. Therefore, securing ERP systems should be a high priority. You should also make sure that your data is protected from internal threats and unauthorized access, as well as from external attacks. ERP application security relies on users updating their systems and usually has weak authorization restrictions. Single-factor authentication tends to be used, and by nature, the system is large and complex, meaning many people have access without restrictions. 

Your ERP application is likely to come with built-in controls and security measures, but usually these are not enough. You should go a step further to shore up this weak point by looking at implementing proper ERP security. Certainly, authorization should be controlled and monitored, and as much data encrypted as possible. Security experts have compiled a complete guide on ERP data security, so you can identify weak points in your system and put corrective measures in place. 

Final Thoughts on Securing a Linux System with More than a Firewall

As you can see, firewalls are an effective layer of security in your system when maintained and configured correctly. However, alone they will not provide adequate security for your Linux system. This is especially true now that cybercriminals are aware of common vulnerabilities and see Linux as fair game and no longer unbreakable. Therefore, as well as installing and properly setting up your firewall, you should look into the other security strategies discussed in this article, which will be of use to you. What you need will depend on your system and your own particular vulnerabilities, but we have highlighted a few areas for concern here and suggested a few solutions. A multi-layered security strategy will always be best, particularly when combined with the implementation of security best practices.