Chapter 9. Securing Your Network

Security vulnerabilities and the miscreants who take advantage of them are everywhere. With the millions of lines of code contained within software running on a typical network, it's statistically impossible to ever be 100 percent secure from all possible threats. However, a good network administrator pays attention to current trends in network security and takes all the possible precautions to help ensure the network is as secure as it possibly can be. In this chapter, we will take a look at some of the things that can be done to increase the security of your network.

In this chapter, we will cover:

  • Limiting the attack surface
  • Securing SSH
  • Configuring the iptables firewall
  • Protecting system services with fail2ban
  • Understanding SELinux
  • Configuring Apache to utilize SSL
  • Deploying security updates

Limiting the attack surface

The most important rule of network security is limiting your attack surface. In a nutshell, this means that the less software you have installed and the fewer services you have running, the less there is that can be used against you. Worse still, in some cases an unpatched flaw in server software could allow a miscreant to use your server to attack someone else. By limiting the number of packages in use on your system, you're lowering the possibility of something bad happening.

This sounds simple enough, and it is, but it's important to keep in mind that this isn't just a matter of installing only what you need. Many Linux distributions ship with software that you may never need to use. This isn't just true for servers either. Even your end-user workstations could have unnecessary services running that would be a treasure trove for an attacker to use. One common example of this is having a Mail Transfer Agent (MTA) running on your system. It's surprising that many Linux distributions ship with an MTA running by default. Unless you specifically need an MTA (for example, you have scripts installed that need to send e-mail messages to administrators), you should remove these packages from your systems.

When rolling out Linux on any network, the first thing you should do is find out what is installed and what is running, and then decide what to turn off and/or uninstall. This is what is referred to as limiting your attack surface. It is true that Linux is one of the most secure systems there are, but nothing will help you if you aren't keeping an eye on what is running and listening for connections on your network. For the remainder of this section, I'll go over a few ways in which you can limit your attack surface.

First, let's print out a list of all the packages installed on our system. This will allow us to see what is installed, and then we can remove anything that stands out that we're sure we don't need. This list will likely be huge, as it will include everything; I do mean everything—even the libraries and various packages that allow our system to function. You definitely won't understand what each of these packages is for, but as you learn more about Linux, you'll make more sense of them and know what needs to be removed. For example, I know to remove the exim or postfix packages from all of my installations, as I don't personally need them anywhere. Since you won't understand the purpose of every package installed on your system, I recommend that you take a quick look and remove the ones you know for sure you don't need. To print a list of installed packages, run one of the following commands:

For Debian-based systems, execute the following command:

# dpkg --get-selections > installed_packages.txt

For CentOS systems, execute the following command:

# rpm -qa > installed_packages.txt

In either case, you'll end up with a text file called installed_packages.txt in your current working directory. This text file will contain a list of all the packages installed on your system. Feel free to check it and see if anything stands out as something that you can remove. In addition, this file serves as a handy backup as well. If you ever need to decommission a server and set up a new one with a similar purpose, you can compare the packages from one server to another to ensure the proper packages are installed.

Another neat trick to find out what is running on your system is with the netstat command. While we'll discuss this command further in Chapter 10, Troubleshooting Network Issues, let's try this out now:

netstat -tulpn

You should see a list of services running on the local computer that are actually listening for network connections. These should be given major attention, as anything listening for outside connections is a possible point of entry into your system. If you see something here that's listening for connections and you don't need it to be, remove the package. You can always disable a service, but removing the underlying package is better, as it then can't be accidentally started. Packages can always be reinstalled if you find that you actually did need them.

The netstat command, listing running and listening services

In my case, I can see that I have Syncthing and Chrome listening for outside connections. This is expected. But in a production environment, such as a server, some things to watch out for would be the Apache web server (which would be a concern if the server is not actually a web server), postfix, or any file transfer utilities that shouldn't be installed.

Another useful tool is ShieldsUP, a service available on the Internet from GRC. This is not a Linux-specific tool by any means, but if you're using Linux on your router and want to ensure that you have it configured to be as stealthy as possible, this tool can be useful for testing. You can access this tool at the following URL:

https://www.grc.com/shieldsup

Note

Please keep in mind that ShieldsUP is an online tool that is not under the control or management of the author or publisher. As a result, it's subject to change at any time. That being said, this site hasn't changed in quite some time and it's a very useful tool.

To use it, click on Proceed and then click on All Service Ports. This service works by checking to see which ports answer to outside requests. If a port is open, it will be shown in red, and you should be able to click on it to find out more information on what the port is typically used for. This will provide you with clues on what to disable. In the event that the service doesn't contain information regarding a specific port, simply search on Google to look for clues.

Using ShieldsUP! to see which ports answer from outside requests

Finally, the systemctl command can also be used to see what services are currently installed on your machine:

systemctl list-units -t service

Using the list the previous command will print to your terminal, you'll be able to see which unit files are currently installed, and their state.

That pretty much sums up how to interrogate your system to find out what is running. As you learn the typical names of services, you may need to do a bit of Google searching in order to learn the purpose of each one, but it gets easier with time. If you're at all unsure about whether something can be disabled or not, do your research first before you actually work on tweaking your running services. In the worst case, if you disable a necessary service, your server may not start the next time. As always, ensure you have good backups before altering system services.
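As an added example (not from the book), the following POSIX shell helpers tie the inventory steps of this section together: they reduce netstat -tulpn output to proto/port/program rows, flag listeners that are not on an allowlist of daemons you expect, and compare an installed_packages.txt baseline against a newer list to show which packages have appeared. The netstat output and package lists embedded below are constructed samples, and the function names are my own.

```shell
# Added example: attack-surface inventory helpers in POSIX sh.
# Function names are hypothetical; all sample data below is constructed.

# Constructed 'netstat -tulpn' output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      950/master
tcp6       0      0 :::80                   :::*                    LISTEN      1203/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF
}

# Reduce netstat -tulpn output on stdin to "proto port program" rows.
# The program is always the last field, so the missing State column on
# udp rows does not shift it; the port is whatever follows the last ':'.
listeners() {
  awk 'NR > 2 && $1 ~ /^(tcp|udp)/ {
         n = split($4, a, ":"); prog = $NF; sub(/^[0-9]+\//, "", prog)
         print $1, a[n], prog
       }' | LC_ALL=C sort -u
}

# Print listeners whose program is not in the space-separated allowlist $1;
# anything printed is a candidate for removal (or for an explanation).
unexpected_listeners() {
  allow=" $1 "
  listeners | while read -r proto port prog; do
    case "$allow" in
      *" $prog "*) ;;                      # expected daemon, stay quiet
      *) echo "$proto $port $prog" ;;
    esac
  done
}

# Constructed package lists in 'dpkg --get-selections' format (name<TAB>state).
baseline_pkgs() { printf 'openssh-server\tinstall\nrsyslog\tinstall\n'; }
current_pkgs()  { printf 'openssh-server\tinstall\nrsyslog\tinstall\npostfix\tinstall\nvsftpd\tinstall\n'; }

# Print package names present in file $1 but absent from file $2. Only the
# first field is compared, so 'rpm -qa' output works as well.
pkg_diff() {
  awk 'NR == FNR { base[$1]; next } !($1 in base) { print $1 }' "$2" "$1" | LC_ALL=C sort
}

# Stand-alone run: only sshd and dhclient are expected on this sample host.
sample_netstat | unexpected_listeners "sshd dhclient"
```

Run the real thing with `netstat -tulpn | unexpected_listeners "sshd"` and `pkg_diff installed_packages.txt old_server_packages.txt` once you have a saved baseline.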
