Linux Security ¶

• 💀 Grub (Linux bootloader) to reset the root password
  • ✅ BIOS and UEFI firmwares allow a boot Password
  • grub2-mkpasswd-pbkdf2 (generate a hash to add to configuration)
  • Ubuntu
• Encryption systems
  • many modern Linux distributions ship with LUKS (Linux Unified Key Setup)
  • sudo cryptsetup -y -v luksFormat device
  • sudo cryptsetup luksOpen device name
  • sudo cryptsetup luksOpen --type luks device name
  • sudo cryptsetup luksDump device
  • sudo mount /dev/mapper/name dest
• linux-securite
• apparmor (aa-status, shipped with many linux distros, application profiles to define which resources they can access)
• SELinuxProject (enforce access control on processes/files, labels, policy rules between labeled)
• Disable root account (/sbin/nologin) +service (www-data)
• Strong password policy
• Use LTS
  • https://ubuntu.com/about/release-cycle
  • https://access.redhat.com/support/policy/updates/errata/
• Protection_ring
• Exec Shield
• unattended-upgrades, read HT2TB notes

• LXC

Upgrade packages.

$ sudo apt update
$ sudo apt upgrade
$ sudo apt-get dist-upgrade

Disable ssh login for root/..., and change the default port.

$ sudo vim /etc/ssh/sshd_config
$ sudo systemctl restart sshd

Install a firewall.

$ sudo apt install fail2ban
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo vim /etc/fail2ban/jail.local

Random

• Remove/Disable unused apps/services/...
• NTP, Syslog
• password policy and account lock
• rootkis: chkrootkit, rkhunter
• Hardening: Lynis