School of Computing: COC Module - Securing Linux Based OS Discussion
Added on 2023/04/25
Summary
This report delves into the critical aspects of securing Linux-based operating systems, crucial for any IT security engineer. It begins by emphasizing the importance of proactive security measures, despite Linux's relative resilience compared to Windows. The report provides a stepwise guide to harden Linux systems, focusing on Ubuntu 16.04 LTS and later versions. Key areas covered include installing and configuring security tools like uncomplicated firewall (ufw), securing SSH through public/private key authentication, securing the network via sysctl settings, disabling recursion of Open DNS and renaming Version Info, and securing PHP. The report details practical implementations, such as configuring firewalls using ufw and securing shared memory. It also addresses SSH hardening, including disabling root login and changing the SSH port, along with network hardening via sysctl settings to prevent IP spoofing and source routing. Furthermore, the report covers BIND DNS server security, including disabling recursion and renaming version information, and strengthening PHP security by editing the ini file. Finally, the report concludes by highlighting the importance of security tools like ufw, rootkit scanners, and PSAD for intrusion detection. The report emphasizes that a combination of these tools is essential for comprehensive security, providing a robust defense against various cyber threats.

Running head: SECURING LINUX BASED OS
Discussion
Methodologies
Linux based operating systems may not be as exposed to cyber security risks as Windows based ones, but it would be foolish to let one's guard down. More than direct attacks, vulnerabilities in open source tools and environments are very common, since the code is more accessible and the exploits are well known. Securing Linux based operating systems therefore deserves attention. The following is a relatively easy to implement, stepwise guide to hardening Linux based operating systems against the most common and critical security threats and vulnerabilities (Wang and Lu 2013). These techniques can be used to secure an Ubuntu 16.04 LTS server or later versions:
Installation and configuration of security tools such as Uncomplicated Firewall (ufw)
Securing SSH by configuring login based on public/private keys
Securing the network via sysctl settings
Disabling recursion on an open DNS server and renaming the version information (BIND9 DNS)
Securing PHP
Security Tools for Ubuntu - Uncomplicated Firewall (ufw)
The best and easiest way to start securing Ubuntu systems is by installing a firewall. Uncomplicated Firewall (ufw) is among the most basic firewall solutions; it performs decently and can be configured easily with the provided graphical front end 'gufw', or with fwbuilder, Firestarter or Shorewall (Vanickis et al. 2018). Firestarter provides users with a GUI for configuring the firewall. To install ufw, enter the following command in the terminal window:
sudo apt-get install ufw
To allow the SSH and HTTP services, enter:
sudo ufw allow ssh
sudo ufw allow http
To enable the firewall, enter:
sudo ufw enable
To check the firewall status, enter:
sudo ufw status verbose
Securing the shared memory
Shared memory is often abused to attack a running service. It can be secured by modifying /etc/fstab: open /etc/fstab, add the line below (the mount options are a single comma-separated field with no spaces) and save. Then reboot.
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
After the reboot, opening /etc/fstab again shows that the security modification to the file has been saved.
Hardening of SSH
The most comprehensive means of securing SSH is to log in with public/private keys (Main and Sha 2017). When password authentication is used, the easiest method of securing SSH is to disable root login and to change the SSH port from its default of 22. Before disabling root login, a new SSH user must be created and added to the admin group. If the SSH port is changed, the new value should be below 1024, because these ports are privileged and can only be opened by root or by processes running as root. When changing the SSH port, the newly chosen port must be opened on the firewall and port 22 closed. Open the configuration with the following command:
sudo vi /etc/ssh/sshd_config
To set the port, make the following changes or additions:
Port <ENTER YOUR PORT>
Protocol 2
PermitRootLogin no
DebianBanner no
Then restart the server by entering the command below in the terminal window (the service name is lowercase):
sudo service ssh restart
Network hardening through sysctl settings
The sysctl interface allows users to change parameters of a running Linux kernel. All persistent sysctl settings are kept in the file sysctl.conf (Breitwieser 2015). The primary concern here is source routing of incoming packets, which must be prevented; packets with impossible source addresses (martians) can also be logged. Open the file with the following command in the terminal window:
sudo vi /etc/sysctl.conf
The /etc/sysctl.conf file should be edited to add the lines below:
# Protect against IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source routing of packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Mitigate SYN flood attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore directed ping requests
net.ipv4.icmp_echo_ignore_all = 1
To reload sysctl with the new settings, enter:
sudo sysctl -p
BIND DNS Server - Renaming the Version Info and Disabling Recursion
The most critical set of vulnerabilities stems from BIND DNS servers. Although the majority of DNS servers on the internet are powered by BIND, more than 50% of these servers have been found to be vulnerable to popular exploits (Winstead 2014). Recursion is the process of generating further queries in order to answer a query, and limiting or disabling it can greatly enhance the security of the server. Enter the following command in the terminal window:
sudo vi /etc/bind/named.conf.options
These changes should be added in the
recursion no;
version "Not disclosed";
To restart the BIND server with the above changes, enter the command below in the terminal:
sudo service bind9 restart
Strengthening the security of PHP
Several PHP vulnerabilities have been discovered. These range from mishandling of the opcache access controls configured for use with PHP-FPM to
incorrect handling of invalid multibyte sequences, among many others. To strengthen the security of PHP, some lines in the ini file need to be edited (Glaser 2014). Open it with the following command:
sudo vi /etc/php5/apache2/php.ini
In the ini file, add the changes below:
disable_functions = exec, system, shell_exec, passthru
register_globals = off
expose_php = off
display_errors = off
track_errors = off
html_errors = off
magic_quotes_gpc = off
mail.add_x_header = off
session.name = NEWSESSID
After saving the changes, restart the Apache server by entering the command below in the terminal:
sudo service apache2 restart
Security Tools for Ubuntu
Of the methods of securing Linux based operating systems such as Ubuntu studied above, the most reliable and easiest to implement come in the form of security tools such as Uncomplicated Firewall (ufw), rootkit scanners and PSAD for intrusion detection. These
tools require a minimum of commands to set up and are readily available over the internet. A mix of different security tools, each addressing a different security aspect of the operating system, is the ideal security solution. The simplicity of working with these tools is an added advantage that helps users identify the root cause of any security breach quickly, so that the responsible user can take appropriate action at the right time.
Uncomplicated firewall
It can easily be installed using the "sudo apt-get install" command.
Rules for ssh, http and other services can be changed on the fly.
The firewall can be enabled or disabled as the user requires; "sudo ufw enable" turns it on.