Posted: . At: 3:54 PM. This was 5 years ago. Post ID: 13188


Linux security considerations to lock down a shared server.


  1. SSH keys
  2. Virtual Private Network
  3. Use sudo instead of su
  4. Vulnerability updates
  5. Login failure delay
  6. Iptables
  7. Passwords

Securing a Linux network is very important in this day and age.

Securing a Linux server is very important. There are many attacks against UNIX servers, and the security of a corporate network must be protected by layered security devices and a comprehensive security plan, so that network administrators can deal with any problems caused by a DDoS or malicious software attack.

SSH keys

Secure the server, and keep it secure, by using SSH keys to log in instead of passwords (once every user has a key, password logins can be turned off in the SSH server configuration). Tightly secure the computers that connect to the Internet, and do not allow established connections to be left open when an employee leaves the computer.

Another consideration is the strength of user passwords. The /etc/pam.d/passwd file controls the strength of the passwords your users may choose. Edit the /etc/pam.d/passwd file and add these lines to it.

#%PAM-1.0
password required pam_cracklib.so retry=2 minlen=10 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password required pam_unix.so use_authtok sha512 shadow

This enforces a minimum password length of 10 characters, and at least 6 characters of a new password must differ from the old one. The dcredit, ucredit, ocredit and lcredit settings of -1 additionally require at least one digit, one upper-case letter, one other (symbol) character and one lower-case letter. This does not affect the root password, which must be very well protected; you would assume that a user trusted with the root password knows how to secure the system with a stronger password.

Virtual Private Network

Install a secure Virtual Private Network. This will greatly aid the security of the current network infrastructure. Routing all connections through a private, encrypted connection allows access to the head office SQL server and any other required services while maintaining security. All remote desktop connections can be routed through the VPN connection, which also protects them from snooping. All corporate data routed through the Virtual Private Network is carried inside one encrypted data stream.

A secure Linux VPN connection would be ideal for securing the corporate network. It is easily installed on the corporate network, with the network configuration altered to accommodate the new hardware. OpenVPN is what I would choose to secure the network. It allows the safe and easy transfer of data between the employees and the head office without the worry associated with unrestricted transfer of data over the open Internet. A Linux machine may be installed and a Virtual Private Network configured to route data safely. OpenVPN supports 256-bit encryption, which is more than sufficient for securing a network connection. All operating systems are supported, so any authorized client accessing the VPN is able to make use of the secured connection.

Easy way to setup a working OpenVPN configuration on Ubuntu server on Amazon AWS.

https://securitronlinux.com/bejiitaswrath/easy-way-to-setup-a-working-openvpn-configuration-on-ubuntu-server-on-amazon-aws/.

The VPN will connect a remote computer to the VPN server, which then allows an RDP connection for management of the POS systems over a safe connection without exposing ports to the Internet. The head office will be provided with easy to use instructions for connecting to each remote machine, which will greatly simplify the process of connecting to client machines. A GUI OpenVPN client for Windows is available to make the technical support officer's job even easier. The Viscosity OpenVPN client will be used; it will serve as the interface to the VPN network.

Use sudo instead of su

Use sudo instead of su to run administrator commands.

Add the user adler to the /etc/sudoers file (edit it with visudo, which checks the syntax before saving so a typo cannot lock you out) and they can then run commands with their own password.

adler   ALL=(ALL:ALL) ALL

Every sudo access failure is logged.

On a Fedora Core system this is in

/var/log/secure

And on a Debian or Ubuntu server it is in this file.

/var/log/auth.log

Check this file for failed attempts to use the sudo command.
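As an added example (not code from the original post), the check described above over a few constructed auth.log lines; the hostnames, users and SSH fingerprint are placeholders, and the log format is the Debian/Ubuntu one shown in the sample:

```shell
#!/bin/sh
# Constructed sample in the style of a Debian/Ubuntu /var/log/auth.log (not a real capture).
SAMPLE_AUTH_LOG='Mar  3 09:12:01 shared sudo: pam_unix(sudo:auth): authentication failure; logname=adler uid=1001 euid=0 tty=/dev/pts/0 ruser=adler rhost=  user=adler
Mar  3 09:12:04 shared sudo:    adler : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/adler ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:15:10 shared sudo:    adler : TTY=pts/0 ; PWD=/home/adler ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:20:33 shared sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Mar  3 09:20:40 shared sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Mar  3 09:21:00 shared sshd[2231]: Accepted publickey for adler from 10.8.0.2 port 51234 ssh2: RSA SHA256:PLACEHOLDER'

# Read auth.log text on stdin and print one "user count" line per user with sudo failures.
# Only sudo's own summary lines count (wrong password after the retries, or not in sudoers);
# the pam_unix "authentication failure" line describes the same event and is skipped.
sudo_failures_by_user() {
    grep -E ' sudo: +[^ ]+ : ([0-9]+ incorrect password attempts|user NOT in sudoers)' \
        | sed -E 's/^.* sudo: +([^ ]+) : .*/\1/' \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Print the users whose failure count reaches $1 (default 2): repeated failures are the ones
# worth a closer look, e.g. a guessed password or probing for sudo rights the user lacks.
sudo_failures_over_threshold() {
    sudo_failures_by_user | awk -v min="${1:-2}" '$2 >= min { print $1 }'
}

# Against the real log on Debian/Ubuntu (use /var/log/secure on Fedora):
#   sudo_failures_over_threshold 2 < /var/log/auth.log
```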

Vulnerability updates

Subscribe to the Common Vulnerabilities and Exposures (CVE) security alert updates made available by the National Vulnerability Database. These provide warning of newly discovered vulnerabilities in software and give time to address a vulnerability before it is exploited.

National Vulnerability Database: https://nvd.nist.gov/vuln/data-feeds.

More information about Debian security is available here.

https://www.debian.org/security/.

Login failure delay

A delay can be enforced after each failed login attempt.

Use PAM to implement this security on your server.

https://wiki.archlinux.org/index.php/security#Enforce_a_delay_after_a_failed_login_attempt. This is a good defense against attempts to brute-force a user password.

Iptables

Iptables is the firewall built into the Linux kernel. It is very good for filtering unwanted traffic.
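An added example (not from the original post) of a minimal default-deny ruleset for a shared server that only exposes SSH and the OpenVPN port discussed above. It assumes IPv4, SSH on port 22 and OpenVPN on UDP 1194 (OpenVPN's default); the IPT variable is an assumption of this script so the rules can be printed instead of applied:

```shell
#!/bin/sh
# IPT defaults to the real binary; set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
VPN_PORT="${VPN_PORT:-1194}"

apply_baseline_rules() {
    # Start from a clean slate (run as root).
    "$IPT" -F
    "$IPT" -X
    # Loopback traffic is always allowed.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host started, and packets of already accepted sessions.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets in an invalid connection state are dropped early.
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # SSH: more than 5 new connections from one source in 60 s are dropped, which slows
    # password guessing; key-based login is still the expectation.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --set --name SSH
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # OpenVPN.
    "$IPT" -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
    # Log a sample of what is about to be dropped, then default deny inbound and forwarded
    # traffic. If this host also routes VPN clients onward, add FORWARD rules for tun0.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

# Apply, then save with iptables-save so the rules can be restored at boot (see the link below).
# apply_baseline_rules && iptables-save > /etc/iptables.rules
```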

How to have iptables rules applied on each boot.

https://securitronlinux.com/bejiitaswrath/how-to-have-iptables-entries-applied-on-boot/.

Use the iptables firewall to block ads on your Linux machine.

https://securitronlinux.com/debian-testing/use-the-iptables-firewall-to-block-ads-on-your-linux-machine/.

Passwords

Passwords are often not complicated enough, especially for Wi-Fi. This is why a proper password policy must be implemented to enforce stronger passwords; it can prevent security breaches caused by insufficient password strength. With Linux, a very strong password can be generated from the command line, which makes this easy.

Create a stupidly complicated random passkey using the Linux command line.

https://securitronlinux.com/debian-testing/create-a-stupidly-complicated-random-passkey-using-the-linux-command-line/.
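As an added example (not the linked post's script), a password generator for the command line together with a local check against the pam_cracklib policy set in the SSH keys section (minlen=10 and the four credit settings of -1). The check is this script's own approximation: cracklib's dictionary and similarity (difok) tests still only run when passwd is used.

```shell
#!/bin/sh
# Byte-oriented tr and plain ASCII ranges in the case patterns below.
export LC_ALL=C

# Print a random password of length $1 (default 24) drawn from letters, digits and symbols.
generate_password() {
    len="${1:-24}"
    tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' </dev/urandom | head -c "$len"
}

# Check $1 against the policy: prints "ok" and returns 0, or names the first failed
# requirement and returns 1.
check_policy() {
    pw="$1"
    if [ "${#pw}" -lt 10 ]; then echo "too short (minlen=10)"; return 1; fi
    case "$pw" in *[0-9]*) ;; *) echo "needs a digit (dcredit=-1)"; return 1;; esac
    case "$pw" in *[A-Z]*) ;; *) echo "needs an upper-case letter (ucredit=-1)"; return 1;; esac
    case "$pw" in *[a-z]*) ;; *) echo "needs a lower-case letter (lcredit=-1)"; return 1;; esac
    case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "needs a symbol (ocredit=-1)"; return 1;; esac
    echo "ok"
}

# Generate candidates until one passes the policy; a 24-character candidate nearly
# always passes on the first try, but a short length can need a few rounds.
strong_password() {
    while :; do
        cand="$(generate_password "$1")"
        if check_policy "$cand" >/dev/null; then printf '%s\n' "$cand"; return 0; fi
    done
}

# Example use:  strong_password 24
```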

