Fear not, Linux admins: There are TOOLS to help you

No, we don't mean the PFY down the hall

Beginner's guide to SSL certificates

Sysadmin blog Most Linux distributions have a significant focus on security. This does not mean they are necessarily ready for production out of the box. Tools like SELinux, excellent firewall options, and robust access controls can make Linux exceptionally secure. Despite this, actually deploying a Linux system into production still requires that the systems administrator have some idea what they are doing.

Let's use my favourite distribution, CentOS, as an example. (CentOS is a near-identical repackaging of Red Hat Enterprise Linux.) By default, SELinux is turned on. In most situations, this is a great thing; SELinux provides a layer of sandboxing so that applications of a certain class can't impinge upon files belonging to applications or users of another class.

SELinux serves as a layer of security beyond the traditional access controls built into the rest of the distribution. In my experience, the primary use for SELinux is preventing a compromised web application from clobbering the rest of the server. Unfortunately, many packages and web applications are still outright incompatible with SELinux.

While an excellent default option, much of the advice a novice Linux administrator will encounter when trying to get something working involves simply disabling SELinux. In order to subsequently achieve the same level of security for the web applications that were the most likely reason to disable SELinux, they now have to know the ins and outs of various Apache extensions such as mod_security.

Unfortunately, tools to easily and comprehensively lock down Apache are not part of the default CentOS distribution. This often means tutorials, manuals and editing config files. None of it is particularly hard, but it can be intimidating to a rookie, particularly given the typical internet FUD surrounding the every-so-scary command line. For pain reduction, I recommend Webmin for experienced admins and first timers alike.

CentOS ships with the firewall on by default, configured to allow only DNS and SSH through. Unfortunately the SSH server is configured to run on the default port (22) and allow root to log in. SSH running on the default port is a bad plan. Toss a monitoring program on any external IP, and within minutes port 22 lights up like a Christmas tree.

Ideally, you never log on as root; you should have a non-administrative user handy. The SSH daemon needs to be configured to disallow root access and the port changed to something somewhere above 1024. Naturally the firewall opening will have to be changed as well.

Bizzarely, CentOS doesn't include Fail2Ban in the default repository. Fail2Ban scans the secure logfile to detect attempted brute force attacks and bans offending IP addresses. To gain access to this package, we must enable the EPEL repository, and do a little bit of work.

CentOS doesn't have any default activated anti-malware applications. Far from being immune to compromise, Linux systems, especially those hosting web servers while improperly configured, can indeed play host to some pretty nasty pieces of software. My preferred front line defences are the ever popular ClamAV and LMD. LMD is not in any of the basic CentOS repositories, and also requires a little bit of work to get installed.

DDOS Deflate is another favourite. A useful script run as a scheduled Cron job, DDOS Deflate helps to block denial of service attacks. Unfortunately, it is another tool not included in the default repositories.

In addition to the above basic precautions, there are the standard sorts of system hardening that apply to any operating system to consider. You will inevitably find services activated by default that probably have no use for your deployment.

Disabling these, as well as unnecessary users and even kernel modules for services - such as wireless or FCoE - can also help lower your attack surface with minimal effort. Certain scripts have been written to help ease the burden of system hardening. Most popular amongst these is Bastille. While Bastille can help with some of the basic hardening, there are always some elements of a secure deployment that are simply reliant on the systems administrator's experience.

As with Windows, OSX, or any other operating system, care and attention is still required before letting a Linux system loose into production. Fortunately for novice Linux admins, it isn't as hard as it is often made out to be, and the internet is filled with resources designed to help. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Fat fingered geo-block kept Aussies in the dark
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
729 teraflops, 71,000-core Super cost just US$5,500 to build
Cloud doubters, this isn't going to be your best day
Want to STUFF Facebook with blatant ADVERTISING? Fine! But you must PAY
Pony up or push off, Zuck tells social marketeers
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
SAVE ME, NASA system builder, from my DEAD WORKSTATION
Anal-retentive hardware nerd in paws-on workstation crisis
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story


Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.