Discover LinuxSecurity Features
Top Tips for Securing Your Linux System
Linux servers are at greater risk than ever. While only a few years ago Linux users could count themselves as the “lucky few” who didn’t have to worry about malware and computer viruses, this era has unfortunately come to an end.
Attackers now view Linux servers as a viable target that often provides a valuable return on investment. The past few years have been plagued with emerging Linux malware strains which have demonstrated new and dangerous tactics for spreading, remaining undetected and compromising servers - Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT and Tycoon being among the most notorious examples. Here’s what you need to know to secure your Linux system against malware, rootkits and other dangerous attacks.
How Secure is Linux?
Regardless of the rise in attacks targeting Linux servers in recent years, Linux still offers notable security and privacy advantages over proprietary OSes like Windows or MacOS. Because of the availability of its open-source code and the constant, thorough review that this code undergoes by a vibrant worldwide community of developers and security experts, vulnerabilities are found and fixed very quickly and reliably compared to in the closed-source code of proprietary OSes. Linux also greatly restricts root access through a strict user privilege model and features a selection of built-in kernel security defenses including firewalls that use packet filters in the kernel, the UEFI Secure Boot firmware verification mechanism, the Linux Kernel Lockdown configuration option and the SELinux or AppArmor Mandatory Access Control (MAC) security enhancement systems. However, despite the inherent security benefits that Linux offers, the OS is still vulnerable to compromise as a result of frequent misconfigurations and poorly managed services.
While all Linux distros offer inherent security advantages over Windows or MacOS, pentesters, security researchers and users who are simply looking to maximize their security, privacy and anonymity online can achieve this by choosing a specialized secure Linux distro.
Regardless of the disto you choose, there are certain behaviors and best practices that all system administrators should engage in to secure their system against malware, viruses and other exploits. Here are our top tips for optimizing the security of your Linux system in this modern, ever-evolving threat environment.
Focus On The Fundamentals First
The majority of security issues impacting Linux systems can be attributed to either misconfigurations or poor system administration - such a failure to keep up with security updates, and are not a reflection of the security of Linux source code.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urge system administrators to prioritize patching known security vulnerabilities - especially those being exploited by foreign threat actors. Cyber criminals often begin by focusing their efforts on known vulnerabilities, as exploitation of these flaws requires fewer resources when compared to zero-day exploits (for which no patches are available) or the exploitation of vulnerable applications. LinuxSecurity.com tracks the latest Linux distribution security advisories (and has an RSS feed dedicated specifically to advisories), providing you with an easy and convenient way to stay informed of the latest updates issued by your distro.
When looking to improve the security of your system, begin by ensuring that it is properly configured and up-to-date. Implementing the other tips and tools that we suggest in this article will do very little to keep you safe if these best practices haven’t been addressed.
Control Access to Your System with SELinux
Implementing Security-Enhanced Linux - often referred to as SELinux - is a great way to increase the control you have over access to your system. SELinux is a highly fine-grained and fairly technical mandatory access control (MAC) system that restricts access beyond what traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) can achieve. For example, there is no reason that a web browser should need access to an SSH key, so in SELinux this information would not be provided to the web browser.
Stringent access controls are critical in preventing malicious actors from gaining administrative access to your system and installing rootkits or other types of malware. For this reason, SELinux has been adopted by multiple popular Linux distros including Fedora, Ubuntu and Debian, and typically enabled by default.
Prioritize Network Security
Using a VPN to encrypt data between you and your server is an excellent way to protect your privacy and anonymity online. By masking your internet protocol (IP) address, VPNs ensure that your web browsing history and other online actions are virtually untraceable. VPN use is crucial in staying safe online while working remotely. However, boosting your online privacy isn’t as simple as implementing any VPN - the VPN that you select is extremely important. When choosing a VPN, users should evaluate a range of characteristics including speed, security, ease of use and the reliability of the encryption technology used, among other factors. Wireguard (pictured below) is our top choice. The free and open-source VPN, which runs as a Linux kernel module (LKM), aims to exceed its competitors (namely OpenVPN) in performance and power saving ability. Wireguard offers the best of both worlds - it is both user-friendly and highly effective. Wireguard’s use of versioning of cryptography packages enables the VPN to focus on ciphers believed to be among the most secure current methods of encryption.
In addition to using a quality VPN like Wireguard, users should check their routers for security bugs. Research conducted by Fraunhofer Institute for Communication (FKIE) this past year has revealed that the firmware present in a large number of popular home routers - many of which have neve received a single security firmware update in their lifetime - is vulnerable to a wide range of serious security issues. Your router may very well be the biggest security hole in your network!
Install Linux Kernel Runtime Guard to Detect Vulnerability Exploits
Linux Kernel Runtime Guard (LKRG) is a kernel module created by Openwall that performs runtime integrity checking of the Linux kernel to detect security vulnerability exploits against the kernel. LKRG attempts to post-detect and rapidly respond to unauthorized kernel modifications or changes to credentials of running system processes - protecting against exploits gaining unauthorized root access through kernel vulnerabilities, exploits escaping e.g. from Docker containers, LKM rootkits and other serious threats to the security of a Linux system. The module is capable of combating the majority of both pre-existing and hopefully future Linux kernel vulnerability exploits. LKRG provides security through diversity - without the usability drawbacks associated with running an uncommon OS.
LKRG is most useful on systems that realistically won't be promptly rebooted into new kernels, nor live-patched, whenever a new kernel vulnerability is discovered. OpenWall Founder Alexander Peslyak elaborates: “LKRG offers best-effort protection against kernel vulnerability exploits with little effort on behalf of the user - no need to configure a policy, etc. - making it especially beneficial for systems that are not expected to be consistently kept up-to-date.”
The module is compatible with a wide range of popular distros’ kernels, and can be easily installed in distros including RHEL, CentOS, Debian, Ubuntu and Whonix.
Use Fail2ban to Prevent Brute Force Attacks
Brute force attacks are very common among Linux servers. These attacks are often successful simply due to a lack of adequate intrusion prevention measures. Fail2ban is an excellent intrusion prevention application designed to secure servers against brute-force attacks. Fail2ban monitors logs and reacts to intrusion attempts by either installing firewall rules to reject potentially-malicious IP addresses for a certain amount of time, or by blocking access to a specific port.
You can download Fail2ban here.
Learn how to install, configure and test Fail2ban in this How-To Geek tutorial.
Download the Privacy Badger Extension to Secure Your Browser Against Trackers
Privacy Badger is a free and open-source browser extension created by the Electronic Frontier Foundation (EFF) that prevents advertisers and other third-party trackers from secretly tracking the web pages you visit and your actions online. Privacy Badger takes a balanced approach to Internet privacy between advertisers and consumers by blocking advertisements and tracking cookies that violate the Do Not Track header on outgoing requests - which the extension automatically adds so users conveniently don’t have to configure this setting in their browser. With Privacy Badger downloaded on your system, if it appears that an advertiser is tracking you across multiple websites without your permission, the add-on automatically prevents that advertiser from being able to load any further content in your web browser. In the eyes of the advertiser, you’ve suddenly and mysteriously disappeared.
Privacy Badger can be installed on Google Chrome, Mozilla Firefox, Opera and Firefox for Android.
Generate an SSH Key Pair to Help Protect Your Privacy & Secure Your Server
While utilizing strong passwords is a great step toward strengthening your privacy and securing your server, generating a secure shell (SSH) key pair is an even better method and should be one of the first measures implemented when taking a proactive approach to server security. It is important to keep in mind that security is all about tradeoffs, and determining whether to rely on passwords or use SSH keys is a prime example of this. While passwords are certainly more convenient for most users, they are also often fairly easy for malicious hackers to guess or crack through brute force - leaving sensitive data and entire systems vulnerable. SSH key pairs are not as user-friendly as passwords, but are far more secure due to the encryption used by both the server being logged into and the computer being used.
An SSH key pair consists of two cryptographically secure keys that can be used to authenticate a client to a server. Each pair is made up of a public key that may be known by others and a private key that is retained by the client and should remain private. When an administrator generates an SSH key pair to secure a server, the public key is uploaded to the remote server that he or she wants to be able to log into with SSH. When a client attempts to authenticate to the server, the server can test the client on whether they possess the private key.
In order for an SSH key pair and the server it is protecting to remain secure, SSH keys must be stored in a safe location. When determining where to save keys, administrators should weigh the likelihood of a physical attack against the likelihood of a server hack. When in doubt, save SSH keys to a local device kept in a secure location to mitigate vulnerability in the event of a hack.
Learn how to generate and test an SSH key pair on Linux in this nixCraft tutorial.
Perform Regular Security Audits
The only way to be sure your system is as well protected as you think it is - or as it needs to be - is to frequently test and verify its security. Conducting regular security audits is a great way to identify gaps in your security defenses and determine how they can be addressed to better protect your server against vulnerabilities and attacks.
The Linux Auditing System (AuditD) is a native feature to the Linux kernel that can provide administrators with valuable insight into the security, stability and functionality of their systems. It works on the kernel level (where it can oversee all system processes) and collects and logs information on system activity to facilitate the investigation of potential security incidents. AuditD logs information according to its auditing rules as well as any rules that have been added.
Learn how to install and configure AuditD, create rules, and view the AuditD log file in this TechRepublic tutorial.
While threats to the security and privacy of Linux systems are at an all-time high, Linux users are still safer online than their Windows- and MacOS-using friends. The increasingly popular open-source OS offers inherent security benefits due to the transparency of its source code and its relatively small user base, and a selection of specialized privacy- and security-focused Linux distros are available for users looking to take their digital security and anonymity one step further.
Regardless of the distro they choose, all Linux users can improve their security posture by engaging in good cyber hygiene and implementing the tips and best practices offered in this article. LinuxSecurity Founder Dave Wreski explains, “With the drastic uptick in attacks targeting Linux systems in recent years, now is definitely not the time to slack when it comes to system security and maintenance. The majority of successful attacks on Linux systems cannot be blamed on the OS as a whole, but rather can be attributed to misconfigured servers and poor system administration.”
Have additional questions about securing your system? Please do not hesitate to reach out - we’re here to help!
Connect with us on social media: