The implementation of secure configurations within computing environments, including Unix and Linux systems, is a crucial component of security. This process, known as "hardening," aims to reduce the "attack surface," that is, the potential vulnerabilities that cybercriminals could exploit. Strengthening these systems not only limits the damage from a potential cyber attack but also helps comply with various controls established by compliance regulations.
Although a completely powered off and disconnected system is the safest, this option is not practical in operational scenarios. Therefore, hardening a system seeks to maximize its defenses while it is active and connected to a network.
Fundamental Principles of System Hardening
To effectively harden systems, three main rules must be considered:
1. Eliminate the Unnecessary
Operating systems and applications often come with numerous pre-installed features and utilities. Each of these additional features represents a potential security gap. For this reason, it is essential to uninstall any software and disable services that are not absolutely necessary for the function of the machine. This includes disabling physical ports, like USBs, that are not in use.
2. Keep Everything Updated
Vulnerabilities in software design are a breeding ground for attackers. Developers frequently release patches and updates to address these issues. Therefore, it is crucial to keep all software—from the operating system to applications—always updated to the latest version.
3. Secure Configurations
It is not enough to simply install software; it is also necessary to enable and maintain configurations that reinforce security. Before making any changes, it is crucial to take a complete backup of the system and run tests after rebooting to avoid accidentally locking out access.
Key Steps for Hardening in Linux
Despite the variety of Linux distributions such as RedHat, Debian, and Ubuntu, the following steps are universally applicable:
1. Minimize Network Exposure
Network attacks are among the most common. To mitigate this risk, it is vital to identify and close all non-essential network ports. Tools such as firewalls like iptables or firewalld should be used, starting with an initial policy of "deny all" for both IPv4 and IPv6 traffic. It is also advisable to block ICMP traffic to make it harder for hackers' tools to discover devices on the network.
2. Strengthen Accounts and Authentication
It is essential to review all local user accounts and eliminate those that are no longer needed. For the accounts that will be kept, a robust password policy must be implemented, outlining guidelines on length, complexity, expiration, and reuse. It’s also important to adopt strong encryption algorithms for password storage. Instead of managing accounts locally, it is suggested to use a centralized system like Active Directory or, preferably, a Privileged Access Management (PAM) solution that operates under a "zero privilege" model. Additionally, it is essential to avoid using the root account for everyday tasks, utilizing sudo only when necessary.
3. Secure Remote Access (SSH)
The SSH service is the primary means of remote management for Linux systems, making its security critical. Security configurations should include enabling only version 2 of the SSH protocol, which offers greater security compared to version 1. Other recommendations include limiting the number of login attempts, disabling the root user login, and displaying a warning message to those attempting to connect.
4. Hardening the Apache Web Server
If the system hosts web applications, securing the server (like Apache) is necessary. The principle to follow is the same: minimize functionality. This involves disabling all non-essential Apache modules and restricting access to system packages. It is also vital to configure the server not to disclose version information or technologies used, disable unnecessary management ports, and ensure the service runs with a user account with minimal privileges.
5. Kernel-Level Hardening
To provide an additional layer of security, tools like SELinux (in systems like CentOS or RHEL) or AppArmor (in Debian and Ubuntu distributions) can be used. These tools modify the Linux kernel to enforce mandatory access controls, limiting what processes can do, acting as an effective defense against advanced malware, such as rootkits.
Hardening on Specific Platforms
- Embedded Linux: Simplified operating systems, such as those used in routers (OpenWrt) or Android devices, require specific hardening approaches tailored to their hardware and functionality. On Android, this means keeping firmware updated, applying Google security patches, and configuring options like screen locking and restricting app installation from unknown sources.
- Kali Linux, Linux Mint, and Arch Linux: For distributions that derive from others (e.g., Kali and Mint from Debian), the same hardening principles that apply to their base system can be adopted. In the case of more minimalistic distributions like Arch Linux, the task of eliminating unnecessary services is lessened due to the reduced pre-installed software.
Conclusion: Hardening is Just the Beginning
Even a system that has undergone meticulous hardening may be vulnerable to unknown threats, such as "zero-day" attacks, ransomware, or insider threats, including malicious employees or compromised credentials. Therefore, hardening must be complemented with other defenses. Continuous monitoring of file integrity and system health is essential to detect any unexpected changes that may indicate a potential security breach.
For more information and tips on cybersecurity, readers are encouraged to explore more content on the blog.
