Linux Security



Linux Unified Key Setup (LUKS)

LUKS (Linux Unified Key Setup) is a disk encryption tool that can be used to encrypt a whole drive, or create an encrypted folder on a drive to store sensitive files.

It is shipped with most modern versions of Linux and can be configured at install time when the whole disk needs to be encrypted. You may use Veracrypt to manipulate encrypted drives.

Alternatively, use the command line.

  • Unlock the drive (you will be prompted for the passphrase)
# Ex: <device>=/dev/sda2 and <label>=mydrive
$ sudo cryptsetup luksOpen <device> <label>
$ sudo cryptsetup luksOpen --type luks <device> <label>
  • Mount the drive
$ sudo mount /dev/mapper/<label> /mnt/mydisk
$ sudo mount /dev/mapper/<label>-<partition> /mnt/mydisk_p1
  • Lock the drive (unmount it first)
$ sudo cryptsetup luksClose <label>

Linux Update Management

The operating system and its packages must be updated periodically.

$ sudo apt-get dist-upgrade

Installed packages must be updated periodically.

$ sudo apt update
$ sudo apt upgrade

The firmware should be updated whenever possible.

$ sudo fwupdmgr refresh --force
$ sudo fwupdmgr get-updates
$ sudo fwupdmgr update

👻 To-do 👻

Stuff that I found but have not read/used yet.

  • 💀 Grub (Linux bootloader) to reset the root password
    • ✅ BIOS and UEFI firmware allow a boot password
    • grub2-mkpasswd-pbkdf2 (generates a password hash to add to the GRUB configuration)
    • Ubuntu
  • linux-securite
  • AppArmor (aa-status; shipped with many Linux distros; per-application profiles define which resources each application can access)
  • SELinuxProject (enforces access control on processes and files via labels and policy rules between labeled objects)
  • Disable the root account shell (/sbin/nologin), and do the same for service accounts (e.g. www-data)
  • Strong password policy
  • Use LTS
    • https://ubuntu.com/about/release-cycle
    • https://access.redhat.com/support/policy/updates/errata/
  • Protection_ring
  • Exec Shield
  • unattended-upgrades, read HT2TB notes
  • LXC

Disable SSH login for root/..., and change the default port.

$ sudo vim /etc/ssh/sshd_config
$ sudo systemctl restart sshd
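As an added example that is not part of these notes: a small POSIX sh audit helper that reads an sshd_config and reports the effective PermitRootLogin and Port values. It assumes sshd's parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, and settings after a Match line are conditional), runs on a constructed sample file, and the function names are my own.

```shell
#!/bin/sh
# Added audit helper, not from the original notes. Assumed sshd semantics:
# keywords are case-insensitive, the FIRST occurrence of a keyword wins, and
# settings after a "Match" line are conditional, so only the global section
# (everything before the first Match) counts.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective global value
sshd_effective() {
    val=$(awk -v key="$2" '
        { sub(/#.*/, "") }                              # strip comments
        tolower($1) == "match" { exit }                 # stop at first Match block
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# check_sshd_config FILE -> 0 when root login is off and the port is not 22
check_sshd_config() {
    status=0
    prl=$(sshd_effective "$1" PermitRootLogin prohibit-password)  # OpenSSH default
    port=$(sshd_effective "$1" Port 22)
    case "$prl" in
        no) echo "OK   PermitRootLogin $prl" ;;
        *)  echo "WARN PermitRootLogin $prl (set it to 'no')"; status=1 ;;
    esac
    if [ "$port" = "22" ]; then
        echo "WARN Port 22 (default port, the most scanned and brute-forced)"; status=1
    else
        echo "OK   Port $port"
    fi
    return $status
}

# Constructed sample (not a real host's file) showing the two pitfalls: the
# "no" on the second PermitRootLogin line is ignored because the first one
# wins, and the Port inside the Match block is conditional, not global.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# sample sshd_config
PermitRootLogin yes   # first occurrence wins
PermitRootLogin no
Port 22
Match User backup
    Port 2222
EOF

check_sshd_config "$SAMPLE_CFG" || echo "hardening gaps found in $SAMPLE_CFG"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` after editing, before restarting sshd.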

Install fail2ban, which bans hosts after repeated failed logins by adding firewall rules.

$ sudo apt install fail2ban
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo vim /etc/fail2ban/jail.local

Random

  • Remove/disable unused apps/services/...
  • NTP, Syslog
  • Password policy and account lockout
  • Rootkits: chkrootkit, rkhunter
  • Hardening: Lynis