6 ways to harden your Linux workstation security

Introduction

As I said before, safety is like driving on the highway - anyone who drives slower than you is an idiot, and anyone who drives faster than you is a lunatic. The guidelines presented in this article are just a basic set of core safety rules. They are not comprehensive and do not replace experience, caution, and common sense. You should slightly adjust these suggestions to fit the context of your organization.

For every system administrator, here are some necessary steps that should be taken:

• 1. Always disable Firewire and Thunderbolt modules.
• 2. Check the firewall to ensure that all inbound ports have been filtered.
• 3. Make sure root mail is forwarded to the account you verified.
• 4. Set up an automatic update schedule for the operating system, or update reminder content.

Additionally, you should also consider some of these best steps to take to further harden your system:

• 1. Check to make sure the sshd service is disabled by default.
• 2. Set the screen saver to automatically lock after a period of inactivity.
• 3. Install logwatch.
• 4. Install and use rkhunter
• 5. Install an intrusion detection system

1. Add relevant modules to the blacklist

To blacklist Firewire and Thunderbolt modules, add the following lines to the file in /etc/modprobe.d/blacklist-dma.conf:

blacklist firewire-core
blacklist thunderbolt

Once the system is restarted, the above modules will be blacklisted. Even if you don't have these ports, there's no harm in doing this.

2. root email

By default, root mail is stored entirely on the system and is often never read. Make sure you set up /etc/aliases to forward root mail to the mailbox you actually read, otherwise you risk missing important system notifications and reports:

# Person who should get root’s mail
root:           [email protected]

After editing this, run newaliases and test it to make sure the email was actually delivered, as some email providers will reject email from domain names that don't exist or cannot be routed. If this is the case, you'll need to adjust your mail forwarding configuration until this actually works.

3. Firewall, sshd and listening daemon

The default firewall settings will depend on your distribution, but many allow inbound sshd ports. Unless you have a good and valid reason to allow inbound ssh, this should be filtered out and the sshd daemon disabled.

systemctl disable sshd.service
systemctl stop sshd.service

You can always enable it temporarily if you need to use it.

Generally speaking, your system should not have any listening ports other than responding to pings. This will help you protect against zero-day vulnerabilities at the network level.

4. Automatic updates or notifications

It is recommended to turn on automatic updates unless you have a very good reason not to do so, such as worrying that automatic updates will render your system unusable (this has happened before, so this worry is not unfounded). At the very least, you should enable automatic notification of available updates. Most distributions already have this service run automatically for you, so you most likely won't have to do anything. Check your distribution's documentation to learn more.

5. View log

You should pay close attention to all activity that occurs on your system. For this reason, logwatch should be installed and configured to send nightly activity reports indicating everything that is happening on the system. This won't protect against dedicated attackers, but it's a good safety net feature that needs to be deployed.

Please note: Many systemd distributions no longer automatically install the syslog server required by logwatch (that is due to systemd relying on its own logs), so you need to install and enable rsyslog and make sure /var/log is not available before logwatch has any use empty.

6. rkhunter and IDS

Unless you actually understand how it works and have taken the necessary steps to set it up properly (such as placing the database on external media, running checks from a trusted environment, and remembering to update the hash database after performing system updates and configuration changes) , etc.), otherwise installing rkhunter and an intrusion detection system (IDS) like aide or tripwire is not very useful. If you're not willing to take these steps and adjust the way you perform tasks on your workstation, these tools will only cause trouble without any real security benefit.

We do recommend that you install rkhunter and run it at night. It's fairly easy to learn and use; while it won't catch clever attackers, it can help you catch your own mistakes.

Original title: 9 Ways to Harden Your Linux Workstation After Distro Installation, author: Konstantin Ryabitsev

The above is the detailed content of 6 ways to harden your Linux workstation security. For more information, please follow other related articles on the PHP Chinese website!