Linux Server Hardening and Security Best Practices

Google Authenticator generates time-based one-time passcodes (TOTPs) that users must enter alongside their regular password during SSH authentication. This dynamic authentication method significantly reduces the risk of unauthorized access even if login credentials are compromised. The implementation involves configuring the OpenSSH server to support 2FA, installing and configuring the Google Authenticator PAM module, and then enabling 2FA for specific users.

When selecting a location, consider the potential for SSH key sprawl, in which individuals and organizations lack proper inventory. This is a huge problem because many maintain dozens or even hundreds of SSH key pairs per server. This reality is even more evident in the business world, where Linux is responsible for the web presence of companies of all sizes. In fact, Netcraft’s June 2020 survey shows that Linux also powers nine of the top 10 most reliable host companies’ websites. Nix-Auditor is a tool to help with scanning Linux systems and testing them against CIS benchmarks.

Secure BIOS

Once you’re prompted to choose a password, the process is complete. Given the ease of executing this security essential, there’s no reason to avoid or procrastinate. Nixarmor is a set of shell scripts to harden Linux systems and help with security automation. System Security Checker, or sysechk, is a tool to perform a system audit against a set of best practices.

The software for the system is typically selected during the installation phase. That means you can choose to select roles, a group of packages, or individual packages. It speeds up the installation, reduces disk space, and decreases the risk of vulnerable software packages later on.

Linux System Level Hardening

Please note that you need to reset the change to read-write if you need to upgrade the kernel in the future. In NIC bonding, we bond two or more network interface cards together into one single virtual interface, to which we can assign an IP address to talk with other servers. Our network will remain available if one NIC is down or unavailable for any reason.

To unlock or enable access to a locked account, use the command as.

Policy Compliance

If you try to use any of the last 5 old passwords, you will get an error like. You can view the current status of SELinux mode from the command line using the ‘system-config-selinux’, ‘getenforce’ or ‘sestatus’ commands. Always keep the system updated with the latest release patches, security fixes and kernel when they are available. Once you’ve found that any unwanted services are running, disable them using the following command.

  • All users accessing the system via FTP, SSH, or any other remote protocol should be forced to use their own username for login.
  • Once access to USB and Thunderbolt devices is disabled, a user cannot harm the system in these ways.
  • Approaching system hardening with a four-level approach is an effective way to secure your system in multiple areas.
  • So, it’s not a good idea to have this option enabled, at least on production servers, in case someone mistakenly does this.
  • However, no one password manager is ideal for every server; therefore, it’s important to examine your options thoroughly to ensure you find a tailored approach that meets your unique needs.

Use the ‘chkconfig’ command to find out which services are running on runlevel 3. Disabling boot from external devices can only safeguard you from unauthorized access. Users who have access to the system and malicious intent can still copy sensitive files to their USB and Thunderbolt sticks. Worse still, they can install malware, viruses, or backdoors on your servers.

Enable automatic updates

Once we have access to the root account, we have complete system access. Because the username is always root and the access rights are unlimited, this account is the most valuable target for hackers. Disabling root login will therefore reduce the attack surface by giving an attacker a harder time guessing or finding available users in an application. The second risk is that old accounts may be lingering on the server too long. Sometimes employees or customers that no longer for the company.

Linux Server Hardening in 15 Steps

Of course, never use root and always make sure that sudo elevation is used only on an as-needed basis. We often want to restrict users from using USB sticks on systems to protect data from theft. Create a file ‘/etc/modprobe.d/no-usb’ and add the line below so that USB storage is not detected. It’s also recommended to change the default SSH port number 22 to some other, higher port number. Open the main SSH configuration file and set the following parameters to restrict user access. However, if you want to use it, then you have to change the default configuration of SSH.
