Mar 26, 2013
Aaron Hutchens
harden-updates

Hardening Linux couldn't be easier

It is often said that the only manner in which a server can be secured would be to disconnect it and power it off. Kevin Mitnick, a rather well known Cyber Security Analyst, has gone so far as to add that all I/O devices should be removed from the hardware and the server should be buried in concrete. Such a solution is quite comprehensive to say the least, and will most certainly ensure that the data on your server is available to not even the most clever of attackers. Sadly however, this solution does not allow for such amenities as high availability or customers. To make matters all the more frightening, information security is an extremely expansive topic. So much so that for each application, programming language, operating system, or hardware device there exists entire volumes dedicated to known attack vectors and what you can do to prevent allowing them in your environment. Therefore, to keep matters concise and relevant the scope of this article is confined to web hosting, and more specifically (as other articles will be forthcoming) protecting root access in a Linux based web hosting environment.

It is not entirely uncommon to draw analogies between Chess and Information Security, and in Linux-based web hosting root level access is most aptly represented by the King. Furthering the analogy, how effectively you can protect your king is decided in no small part by how well you decide upon the first few moves. Attempting to retroactively add security to a live production environment is going to provide you with a plague of problems, so starting off right is absolutely crucial to protecting your interests.

Okay, so enough rhetoric; How do we do this? Starting off, let’s assume that we are on a brand new server with a fresh operating system and control panel installed. It is of no small note that all packages should be up to date, as a good deal of software updates serve to close off security gaps that were left open in previous versions. In RedHat based systems such as the exceptionally common CentOS, you can list ALL of your packages via the following command:

yum list

Of course, you are going to want to know who needs an update; Doing so will require adding but a single word:

yum list updates

This will show you the entire list of packages that have updates in their respective repositories. Once you gather this information, you can update everything at once with the following:

yum update

Although by far the quickest, this can be cause for trepidation considering that any bugs or issues that are introduced during a bulk update such as this can be quite a pain to track down. For a more granular approach, you can update individual packages like so:

yum update package_name

This allows you to check functionality between updates, reducing the possibility of a surprise bug being caused by any one of the 150 updates that you just performed in a single command. Debian based systems don’t use yum and rpm, but rather use apt-get and dpkg somewhat analogously. For instance, you can update all of your packages in Debian servers not unlike with yum:

apt-get update

For individual packages, you would just install them (which, if already installed, is the same as an update):

apt-get install package_name

There are many different *nix distributions, and many of them have unique package management systems. If you are using something less conventional such as Suse or BSD you will want to look into exactly what is required, however the point remains that all packages should be up to date to minimize potential attack vectors for your system.

Making sure that all of your server’s packages are up to date is a large portion of the process, but we are nowhere near complete. Next we will take a look at installing a SPI (Stateful Packet Inspection) Firewall program, namely CSF.

Read the rest of the Hardening Your Hosting Series
Comments

    Great post! and very useful.

    On my side, I’m more familiarized with Debian based distros. For other Debianers like me, here’s the how-to:

    # apt-get update
    for updating the packages lists

    # apt-get upgrade
    this will update all packages

    If you just want to update single packages, run:
    # apt-get install packagename1 packagename2…
    This will overwrite the old package but not the previously edited preferences, unless the new version is not compatible with your changes.

    For enabling or disabling package lists, edit the file /etc/apt/sources.list with your favorite editor.

    If you want to enhance the security of your system, it’s important to keep up-to-date with the latest versions of your files, document on security threats within all applications, bug fixes and new bugs coming in the updated packages as sometimes it’s better to stay with an old (stable) version of a package.

    Regards

    Posted by Mariano Gonzalez on May 7, 2013 Reply

Leave a Comment