How Do I Secure My Linux Server?

Reading Time: 6 minutes

Our last article on Ubuntu security suggestions touched on the importance of passwords, user roles, console security, and firewalls. We continue with our last article and while the recommendations below are not unique to Ubuntu specifically (nearly all discussed are considered best practice for any Linux server) but they should be an important consideration in securing your server. Continue reading “How Do I Secure My Linux Server?”

Best Practices for Security on Your New Ubuntu Server: AppArmor, Certs, eCryptfs, and Encrypted LVM

Reading Time: 5 minutes

When security is paramount to your business a few security implementations can go a long way.  In the first article of our Ubuntu security series you’ll find effective tactics that can be easily enforced.

We continue with our second article in our Ubuntu Security series, where we will be suggesting further options to consider.

 

What is AppArmor?

AppArmor is a Linux kernel security module which allows an administrator to implement program based restrictions (as opposed to user based restrictions) to limit resources and control access. It is installed and loaded by default and uses a profile of a program to determine what access and/or permissions it requires. To install the apparmor-profiles package from a terminal prompt:

apt install apparmor-profilesAppArmor profiles have two modes: enforcement and complain.

  • Enforcement mode: This profile enforces the policy defined in the profile and will report any policy violation attempts (either in the syslog or in auditd).
  • Complain mode: Profiles in this mode will not enforce policy, but instead simply report policy violation attempts. This model is mainly used for testing and development.

 

What are SSL Certificates?

When a web browser connects to a website, the HTTP protocol is used to communicate with the web server where the site is hosted at. Typically, this transmission of data is unguarded. This means that the data can be viewed by any interested third party. As you can imagine, if you’re sending any important personal or credit care information, having it out in the open is not ideal or secure at all. Because of this, SSL/TLS certificates are used on the server to ensure the communication between the browser and the server are secure.

According to Wikipedia:

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL) are cryptographic protocols designed to provide communications security over a computer networ.

To clarify, SSL’s provide a method to protect communications between a user and a server. This allows for private info to pass between the client and the website. Newer TLS encryptions version cover:

  • TLS v1.0
  • TLS v1.1
  • TLS v1.2
  • TLS v1.3

What is TLS?

TLS or Transport Layer Security is the newest offering that is paired with OpenSSL which provides improved security and stability for the current protocols. TLS is usually implemented on or alongside SSL via Nginx, Apache, Exim or other services on the server.

Ubuntu proves an easy way to implement this type of SSL/TLS security measures. If more info is needed, O’Reilly’s Network Security with OpenSSL is a very good in-depth reference.

 

What is eCryptfs?

eCryptfs is software which encrypts a file, folder or partition to secure its contents. It sounds a lot more complicated than it is, although the functionality can get deep, the usual focus is on creating a space which is protected and cannot be read unless specifically allowed by an admin.

The basic steps to use eCryptfs are:

  1. Mount an encrypted directory
  2. Add info to that directory
  3. Unmount the directory
  4. Profit! Data is secure…!

eCryptfs can be found in the standard Ubuntu repositories and can be installed with apt-get:

apt-get -y install ecryptfs-utilsNext, we will create a directory called brobdingnagian (…as in gigantic. Pulled from the name of a country in Jonathan Swift’s Gulliver’s Travels called Brobdingnag)

root@server:/home/david# mkdir /home/brobdingnagian

Afterward, let’s encrypt the directory /home/brobdingnagian/ by mounting it with the file system type eCryptfs:

mount -t ecryptfs /home/brobdingnagian /home/brobdingnagian

Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 <<<<<
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 3
Select key bytes:
1) 24
Selection [24]: 1
Enable plaintext passthrough (y/n) [n]: <-- Press ENTER
Enable filename encryption (y/n) [n]: <-- Press ENTER
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=24
ecryptfs_cipher=des3_ede
ecryptfs_sig=daab07b0664284a2
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [daab07b0664284a2] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

Verify the secure folder is mounted.

mount |grep brobdingnagian
/home/brobdingnagian on /home/brobdingnagian type ecryptfs (rw,relatime,ecryptfs_sig=daab07b0664284a2,ecryptfs_cipher=des3_ede,ecryptfs_key_bytes=24,ecryptfs_unlink_sigs)
Add a file to the folder:

cp /home/david/Desktop/rsync.content.txt /home/brobdingnagian/rsync.content.txtIs the file actually in there? Yes!

ls /home/brobdingnagian/rsync.content.txt
/home/brobdingnagian/rsync.content.txt

Did it retain the content of the file?
cat /home/brobdingnagian/rsync.content.txt
Lorem ipsum dolor sit amet, nostro everti pri ad, eam saepe nemore in, id maiorum interesset vim. Ex voluptatum necessitatibus sit, augue aeterno vituperatoribus no mel. Ut possim percipitur definitionem qui, graeco corpora efficiantur id sit. Ex has nisl virtute eloquentiam. Pri cu veritus recusabo indoctum. Ut invenire referrentur pri, voluptaria sententiae vix at. In mel oblique imperdiet definiebas, salutandi constituam sadipscing at pri, ut eleifend cotidieque eam.
Yes!

Now, let’s unmount the folder…

umount /home/brobdingnagian/
umount: /home/brobdingnagian/: not mounted.
Again, let’s check to see if we can read the file

cat /home/brobdingnagian/rsync.content.txt
'1'C5'N''%"3DUfw`A_''&'?`'='''/'g'!>'_CONSOLEګ'fB'''''v'X''\''1''>AL]C'3L'''G''9x''~''3''''''e?'~'''H'''''~''')'x'Oj'\'_<''''''l╹'`c'q''''Z'''8+!o''vb'''&'mw','''<^<'GF&''''''I?'''!'>{%;'T'--'''''''i'Z''"J_B['''Xa''9'"'''''ă'm,l4=';}'''iUsG'&R;'*'4Fi''>'7"1j4'X''~'''a''_ۘ8,'o&A'_F'''_Cư<#v''s'b'}''5''1''d'c7'''ayZ6

(…and so on for another hundred lines)

So, the file is encrypted and unreadable in the folders unmounted state. The only way to review the encrypted file again is to remount the folder. This is accomplished in the same way as above. You will have to re-enter the passphrase you created to encrypt the folder in the first place, or the re-mount will fail with the error:
Could not unlink the key(s) from your keying. Please use `keyctl unlink` if you wish to remove the key(s). Proceeding with umount” Once you re-mount the drive, your data will be available again.

Since we’re talking about encryption, let’s discuss LVM for a minute.

 

What is LVM?

LVM stands for Logical Volume Management. The Ubuntu documentation describes LVM as

a system of managing logical volumes, or filesystems, that is much more advanced and flexible than the traditional method of partitioning a disk into one or more segments and formatting that partition with a filesystem.

All of the versions of Ubuntu from 12.10 forward include the ability to install Ubuntu onto an encrypted LVM, which allows all partitions in the logical volume, including swap, to be encrypted.

Some of the perks of LVM are:

  • You can create as many LVM’s as you want
  • Operations on the partition can be done live and
  • You can move, expand and shrink partitions as needed
  • You also have the ability to freeze an existing Logical Volume in time, at any moment, even while the system is running. You can then continue to work from the original volume as you would normally, but the snapshot will remain as a static image of the original, frozen in time at the moment it was created. (How cool is that?!)

See the Ubuntu wiki for more info on how to leverage these features.

This concludes our second article in our Ubuntu security series, on our next and last article we will be introducing other security options related to SSH keys, SELinux, 2-Factor Auth and IPv6.  If configuring these options is outside your wheelhouse, consider adding our Server Protection Package to your Linux environment. It comes at an affordable price with routine vulnerability scans, hardened server configurations, anti-virus and malware remediation. Keep yourself ahead of the game so you can get back to focusing on growing your business.

Best Practices for Security on Your New Ubuntu Server: Users, Console and Firewall

Reading Time: 4 minutes

Thank you for taking the time to review this important information. You will find this guide broken down into six major sections that coincide with Ubuntu’s security policy guide. The major topics we talk on throughout these articles are as follows:

User Management

User management is one of the most important aspects of any security plan. Balancing your users’ access requirements against their everyday needs, versus the overall security of the server will demand a clear view of those goals to ensure users have the tools they need to get the job done as well as protect the other users’ privacy and confidentiality. We have three types or levels of user access:

  1. Root: This is the main administrator of the server. The root account has full access to everything on the server.  The root user can lock down or, loosen users roles, set file permissions, and ownership, limit folder access, install and remove services or applications, repartition drives and essentially modify any area of the server’s infrastructure. The phrase “with great power comes great responsibility” comes to mind in reference to the root user.
  2. A sudoer (user): This is a user who has been granted special access to a Linux application called sudo.  The “sudoer” user has elevated rights to run a function or program as another user. This user will be included in a specific user group called the sudo group. The rules this user has access to are defined within the “visudo” file which defines and limits their access and can only be initially modified by the root user.
  3. A user: This is a regular user who has been set up using the adduser command, given access to and, who owns the files and folders within the user /home/user/ directory as defined by the basic settings in the /etc/skel/.profile file.

Linux can add an extreme level of granularity to defined user security levels. This allows for the server’s (root user) administrator to outline and delineate as many roles and user types as needed to meet the requirements set forth by the server owner and its assigned task.

 

Enforce Strong Passwords

Because passwords are one of the mainstays in the user’s security arsenal, enforcing strong passwords are a must. In order to enact this guideline, we can modify the file responsible for this setting located here:  /etc/pam.d/common-password.

To enact this guideline, we can modify the file responsible for this setting by using the ‘chage’ command:

chage -m 90 username

This command simply states that the user’s password must be changed every 90 days.

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

 

Restrict Use of Old Passwords

Open ‘/etc/pam.d/common-password‘ file under Ubuntu/Debian/Linux Mint.
vi /etc/pam.d/common-passwordAdd the following line to ‘auth‘ section.

auth        sufficient  pam_unix.so likeauth nullok

Add the following line to ‘password‘ section to disallow a user from re-using last five of his or her passwords.

sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5Only the last five passwords are remembered by the server. If you tried to use any of five old passwords, you would get an error like:
Password has been already used. Choose another.

 

Checking Accounts for Empty Passwords

Any account having an empty password means its opened for unauthorized access to anyone on the web and it’s a part of security within a Linux server. So, you must make sure all accounts have strong passwords, and no one has any authorized access. Empty password accounts are security risks, and that can be easily hackable. To check if there were any accounts with an empty password, use the following command.

cat /etc/shadow | awk -F: '($2==""){print $1}'

 

What is Console Security?

Console security simply implies that limiting access to the physical server itself is key to ensuring that only those with the proper access can reach the server. Anyone who has access to the server can gain entry to the server, reboot it, remove hard drives, disconnect cables or even power down the server! To curtail malicious actors with harmful intent, we can make sure that servers are kept in a secure location. Another step we can take is to disable the Ctrl+Alt+Delete function. To accomplish this run the following commands:

systemctl mask ctrl-alt-del.target
systemctl daemon-reload
This forces attackers to take more drastic measures to access the server and also limits accidental reboots.

What is UFW?

UFW is simply a front end for a program called iptables which is the actual firewall itself and, UFW provides an easy means to set up and design the needed protection. Ubuntu provides a default firewall frontend called UFW (Uncomplicated firewall). This is another line of defense to keep unwanted or malicious traffic from actually breaching the internal processes of the server.

 

Firewall Logs

The firewall log is a log file which creates and stores information about attempts and other connections to the server. Monitoring these logs for unusual activity and/or attempts to access the server maliciously will aid in securing the server.

When using UFW, you can enable logging by entering the following command in a terminal:

ufw logging on

To disable logging, simply run the following command:

ufw logging off

To learn more about firewalls, visit our Knowledge Base articles.

We’ve covered the importance of passwords, user roles, console security and firewalls all of which are imperative to protecting your Linux server. Let’s continue onto the next article where we’ll cover AppArmor, certificates, eCryptfs and Encrypted LVM.

 

Listing and Switching Databases in PostgreSQL

Reading Time: 1 minute

PostgreSQL (pronounced “post-gress-Q-L”) is a household name for open source relational database management systems. Its object-relational meaning that you’ll be able to use objects, classes in database schemas and the query language. As part of our PostgreSQL series, we’ll show you how to list and switch between databases quickly. Continue reading “Listing and Switching Databases in PostgreSQL”

MySQL Performance: InnoDB Buffers & Directives

Reading Time: 6 minutes

As discussed earlier in our MySQL Performance series, the InnoDB storage engine is designed to be a high-performance database for very large datasets. The row-locking technique it uses allows for many read and write requests to occur on a single table concurrently. This is a vast improvement in speed over traditional Continue reading “MySQL Performance: InnoDB Buffers & Directives”

MySQL Performance: System Configuration File & Routine Maintenance

Reading Time: 3 minutes

The majority of work needed when adjusting the MySQL server is editing the applicable directives within a MySQL configuration file. There are multiple, optional configuration files that MySQL looks for when starting up. They are read in the following order: Continue reading “MySQL Performance: System Configuration File & Routine Maintenance”

MySQL Performance: Converting MySQL to MariaDB

Reading Time: 16 minutes

As we explored in our previous article of our MySQL Perfomance Series: MySQL vs. MariaDB there are very few downsides to using MariaDB over standard MySQL. Our high-availbility MariaDBs have proven itself to be a worthy successor with easily migitated drawbacks.  As the last article in our series we will focus on upgrading to various MySQL and MariaDB version on the following servers:

CentOS 6/7

Ubuntu 14.04/16.04

Continue reading “MySQL Performance: Converting MySQL to MariaDB”