Essential tools for hardening and securing Unix based Environments
System administrators are aware as how important their systems security is, not just the runtime of their servers. Intruders, spammers, DDOS attack, crackers, are all out there trying to get into people
Being able to identify tools and techniques to harden your systems is a key play on securing your systems. Moreover, choosing the right tools is a matter of experience. You should try most of them, or perhaps the ones that are popular. I chose free and open source software because, if I want to, I can check the applications source code and see for myself how did programmers wrote the software, how did they manage to keep the software easy to understand etc.
Without trying to explain the networks peripherals particular importance on the security of the whole system, I will dig deep into software that check systems protocols, passwords, vulnerabilities, weaknesses, security flaws, best practices on protecting and securing your system and so on and then some important security steps any system administrator should know.
I chose two popular security tools: Tiger and Lynis. Both state of the art security-auditing tools.
Lynis is Unix based software and its free under the GPL and a popular security hardening solution. The advantage here is that it does not change any of your configuration files. Instead, it lists what it seas as weak or needs to change. It can scan your system in details and very extensively. Its use is straight forward, and it is OS independent, which means it will run in almost any Linux or Unix environment. You can run Lynis from USB, Cd, ext. HDD or any other media.
With proper plugins, Lynis can test your databases, e-mail servers, web and what not. There are many documentations and video presentation regarding installing and configuring as well as using Lynis. I advice you to search for these and read as much as you can until you feel comfortable and start testing and using it.
Latest version of Lynis as of now is 2.1.0 and can be obtained at:
Just like Lynis, Tiger supports multiple UNIX platforms and it is free under GPL License. Besides system hardening tools, system configuration checks etc, Tiger offers host-based intrusion detection, and it is very successful at it.
Its worth to note for Linux/Unix environment newcomers that, while there are lots of intrusion detection tools out there, most of them if not all are command line and offers minimal X based or GUI mode.
As of now, the latest and stable version of Tiger is 3.2.3, and can be obtained at:
I’ll write some Tiger scripts and their use. You are advised to check its documentation and find what interests you and what you are trying to accomplish.
- check_inetd – This script will check your init.d and find any misconfiguration.
- check_group – As its name suggests, it will check group passwords vulnerability, duplication and so on.
- check_accounts – This scrips will check your accounts for anything suspicious, home directories, shells, accounts with no passwords etc.
- check_anonftp – This checks your ftp configuration for any vulnerability.
- check_passwd – Checks for password configurations.
- I can’t stress enough how important it is for a Unix system to have root login disabled. This is crucial step and should be deactivated on all systems running important services, period.
- Besides disabling root login, it is advisable and yet very important to have X windows uninstalled. This is necessary if you’re running apache web server and you don’t need X windows. Remember, X windows are and can be vulnerable to attacks.
- Never use unsecured connections like telnet, ftp and so on! Use SSH, sftp instead!
- Set strong password policies and password expiration date, so that the user is prompted to change the password when it expires. This will ensure consistent password changes on all user accounts. I would advice to set it to three months at latest.
- Check file permissions periodically, this can create havoc if not set properly.
- Close unused ports.
- Remove unnecessary software
- Check various security websites (do these daily) for security holes people and programmers found, and patch them immediately if your system is vulnerable!
- sysctl: an interface for changing parameters in Unix like environments. Read for sysctl and tweak the configuration the way you want it.
- Implement firewalls (iptables)
- Make daily backups! This is very important.
- Relocate another backup server away from the server room in case of disaster recovery etc…
I could have filled this document with print screens and information on how to do all these things I explained, but I though it would be much better if you try them yourself. When you search for knowledge, I strongly believe, you will learn things much better, and sooner.
You can refer to these two system hardening software and security advices, but don’t limit yourself. Try anything you can find, perhaps, look for popular software and try them on your test-machines, simulate real-life situations, configurations and so on.
Remember, security measurements start with your systems version up to date!
Last but not least, I would be very happy if you share some security tips with us on this post, so people can enjoy and learn more and be successful on what they do.
About the Author
Mr. Ibrahimi is a freelance Unix/Linux specialist and consultant with over 15+ years of experience on Open Source software. He is a regular contributor to UNIX community online as well as locally on projects involving his expertise on implementing Unix/Linux on IT infrastructures.