Linux Hardening
These steps are not in any particular order.
I’m using Rocky Linux 9
Update system
sudo dnf update -y
Install RKHunter
sudo dnf install -y epel-release
sudo dnf install -y rkhunter
Setup RKHunter
sudo sed -i -e 's/#MAIL-ON-WARNING=me@mydomain root@mydomain/MAIL-ON-WARNING=tommy@studiowebux.com root@webuxlab-blog/' /etc/rkhunter.conf
sudo sed -i -e 's/#MAIL_CMD=mail -s "\[rkhunter\] Warnings found for \${HOST_NAME}"/MAIL_CMD=mail -s "\[rkhunter\] Warnings found for \${HOST_NAME}"/' /etc/rkhunter.conf
grep "MAIL-ON-WARNING" /etc/rkhunter.conf
grep "MAIL_CMD" /etc/rkhunter.conf
Test the setup:
sudo rkhunter --check
Once the baseline is clean, store the current file properties so later checks compare against them:
sudo rkhunter --propupd
Setup Firewall
sudo dnf install firewalld -y
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --state
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=https
sudo firewall-cmd --zone=public --add-service=ssh
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --zone=public --add-service=ssh --permanent
Setup Linux User
USER_NAME="your_username"
sudo useradd -m -s /bin/bash $USER_NAME
sudo passwd $USER_NAME
sudo usermod -aG wheel $USER_NAME
Disable root account
sudo passwd -l root
Setup SSH
On your operator machine, generate a new key pair and copy the public key to the user you created:
REMOTE_IP="1.2.3.4"
ssh-keygen
ssh-copy-id -i ~/.ssh/{KEY_NAME}.pub $USER_NAME@$REMOTE_IP
If you get a Permission denied error, the SSH server is already enforcing public-key authentication and refusing password logins, so ssh-copy-id cannot authenticate with the password.
I had to comment out the line in this file: sudo vi /etc/ssh/sshd_config.d/50-cloud-init.conf (generated by the Hetzner installer)
sudo systemctl restart sshd
Secure SSH
echo "PubkeyAuthentication yes" | sudo tee /etc/ssh/sshd_config.d/10-hardening.conf
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/10-hardening.conf
echo "PermitRootLogin prohibit-password" | sudo tee -a /etc/ssh/sshd_config.d/10-hardening.conf
echo "PermitEmptyPasswords no" | sudo tee -a /etc/ssh/sshd_config.d/10-hardening.conf
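As an added check (this script is not from the original post), the function below audits an sshd configuration file for the four keywords written above. It relies on two sshd rules: the first value read for a keyword wins, and the Include at the top of Rocky's /etc/ssh/sshd_config pulls in sshd_config.d/*.conf in lexical order, so 10-hardening.conf takes precedence over 50-cloud-init.conf. The parser applies the same first-wins rule to one file; the expected values are the ones from this page, the sample file is constructed, and Match blocks are deliberately not handled.

```shell
#!/bin/sh
# Added example (not from the original post): audit one sshd config file for
# the hardening keywords written above. It parses the file text, so it runs
# without sshd installed; `sshd -T` remains the authoritative effective view.

# First uncommented occurrence of a keyword wins, matching sshd's own rule.
# Accepts "Key value", "Key=value" and "Key = value"; keywords are
# case-insensitive. Match blocks are not handled (kept simple on purpose).
sshd_setting() {
    key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v key="$key" -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        $1 != "" && $1 !~ /^#/ && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Checks the expected values from the hardening file above.
# Returns 0 when all match, 1 when any keyword is missing or differs.
sshd_audit() {
    file="$1"
    rc=0
    for pair in "PubkeyAuthentication=yes" \
                "PasswordAuthentication=no" \
                "PermitRootLogin=prohibit-password" \
                "PermitEmptyPasswords=no"; do
        keyword="${pair%%=*}"
        want="${pair#*=}"
        got="$(sshd_setting "$file" "$keyword")"
        if [ "$got" = "$want" ]; then
            echo "ok   $keyword $got"
        else
            echo "FAIL $keyword is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone demo on a constructed file (not a real host's config).
demo="$(mktemp)"
printf '%s\n' '# constructed sample' 'PubkeyAuthentication yes' \
    'PasswordAuthentication = no' 'PermitRootLogin prohibit-password' \
    'PermitEmptyPasswords no' > "$demo"
sshd_audit "$demo"
rm -f "$demo"
```

Run it against /etc/ssh/sshd_config.d/10-hardening.conf after writing the file, and again against /etc/ssh/sshd_config to spot a conflicting value that sits before the Include line, since that earlier value would win.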
You should also use the Hetzner firewall to limit access to port 22 (or change the default port), and configure the fail2ban service.
sudo dnf install fail2ban -y
sudo sed -i -e 's/destemail = root@localhost/destemail = tommy@studiowebux.com/' /etc/fail2ban/jail.conf
sudo sed -i -e 's/sender = root@<fq-hostname>/sender = root@webuxlab.com/' /etc/fail2ban/jail.conf
sudo sed -i -e 's/mta = sendmail/mta = mail/' /etc/fail2ban/jail.conf
echo "[sshd]" | sudo tee /etc/fail2ban/jail.d/sshd.conf
echo "bantime = 10m" | sudo tee -a /etc/fail2ban/jail.d/sshd.conf
echo "findtime = 10m" | sudo tee -a /etc/fail2ban/jail.d/sshd.conf
echo "maxretry = 3" | sudo tee -a /etc/fail2ban/jail.d/sshd.conf
echo "action = %(action_)s" | sudo tee -a /etc/fail2ban/jail.d/sshd.conf
echo "enabled = true" | sudo tee -a /etc/fail2ban/jail.d/sshd.conf
echo "port = 22" | sudo tee -a /etc/fail2ban/jail.d/sshd.conf
echo "filter = sshd" | sudo tee -a /etc/fail2ban/jail.d/sshd.conf
echo "logpath = %(sshd_log)s" | sudo tee -a /etc/fail2ban/jail.d/sshd.conf
echo "backend = %(sshd_backend)s" | sudo tee -a /etc/fail2ban/jail.d/sshd.conf
sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
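To see what the jail settings above actually decide (maxretry = 3 failures within findtime = 10m from one source address), here is an added example that is not part of the original post and not fail2ban's own code: it applies the same rule to a constructed log excerpt and prints the addresses that would be banned. It keys only on sshd "Failed password for" lines, one of the patterns fail2ban's sshd filter matches; the real service on Rocky reads the journal (the sshd_backend above) and matches more patterns.

```shell
#!/bin/sh
# Added example (not from the original post, not fail2ban's code): apply the
# sshd jail rule above (maxretry failures within findtime from one address)
# to a log excerpt and print the addresses that would be banned.
# Usage: f2b_candidates FILE [MAXRETRY] [FINDTIME_SECONDS]
f2b_candidates() {
    awk -v maxretry="${2:-3}" -v findtime="${3:-600}" '
        # Only "Failed password" lines count; "Accepted" lines never do.
        /sshd\[[0-9]+\]: Failed password for/ {
            # Syslog timestamp is field 3 (HH:MM:SS); this example assumes
            # all lines fall on the same day.
            split($3, hms, ":")
            now = hms[1] * 3600 + hms[2] * 60 + hms[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || banned[ip]) next
            n[ip]++
            ts[ip, n[ip]] = now
            # Count failures from this address inside the window ending now.
            hits = 0
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip }
        }
    ' "$1"
}

# Constructed sample (not a real log): the first address fails three times
# inside ten minutes; the second spreads three failures over twenty minutes.
LOG_SAMPLE='Mar 10 12:00:01 host sshd[1200]: Failed password for root from 203.0.113.5 port 4242 ssh2
Mar 10 12:01:10 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Mar 10 12:02:30 host sshd[1202]: Accepted publickey for ops from 198.51.100.7 port 5001 ssh2
Mar 10 12:03:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 4244 ssh2
Mar 10 12:20:00 host sshd[1204]: Failed password for root from 198.51.100.9 port 6000 ssh2
Mar 10 12:25:00 host sshd[1205]: Failed password for root from 198.51.100.9 port 6001 ssh2
Mar 10 12:40:00 host sshd[1206]: Failed password for root from 198.51.100.9 port 6002 ssh2'

sample="$(mktemp)"
printf '%s\n' "$LOG_SAMPLE" > "$sample"
f2b_candidates "$sample"        # prints only 203.0.113.5 with the defaults
rm -f "$sample"
```

Lowering maxretry to 2, or widening findtime to 30 minutes, also catches 198.51.100.9, which is the trade-off the two jail settings encode: a short findtime tolerates slow guessing, a long one risks banning a user who mistypes a password a few times across an afternoon.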
Secure shared memory
On Rocky Linux the shared-memory tmpfs is mounted at /dev/shm (/run/shm is the Debian path, and an fstab entry for a mount point that does not exist can leave the system in emergency mode at boot), so the entry is:
echo "tmpfs /dev/shm tmpfs ro,noexec,nosuid 0 0" | sudo tee -a /etc/fstab
Note that ro stops programs from creating POSIX shared-memory objects under /dev/shm, so verify your workload still runs before rebooting.
Setup selinux
sestatus
sudo sed -i -e 's/SELINUX=\(disabled\|permissive\)/SELINUX=enforcing/' /etc/selinux/config
sudo setenforce Enforcing
Setup mail service
Seems to be blocked on hetzner :/
Before trying this, make sure your cloud provider or ISP allows outbound port 25 (otherwise you may need to contact them or use the relay configuration they support). If this command does not connect, you are probably blocked:
telnet mail.protonmail.ch 25
sudo dnf install -y telnet postfix
sudo systemctl start postfix
sudo systemctl enable postfix
echo "myhostname = mail.webuxlab.com" | sudo tee -a /etc/postfix/main.cf
echo "mydomain = webuxlab.com" | sudo tee -a /etc/postfix/main.cf
echo "myorigin = \$mydomain" | sudo tee -a /etc/postfix/main.cf
sudo cat /etc/postfix/main.cf
sudo systemctl restart postfix
echo "Test Email" | mail -s "Test Subject" tommy@studiowebux.com
Using SendGrid
sudo dnf install -y cyrus-sasl-plain
export SENDGRID_API_KEY="YOUR_API_KEY"
echo "smtp_sasl_auth_enable = yes" | sudo tee -a /etc/postfix/main.cf
echo "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" | sudo tee -a /etc/postfix/main.cf
echo "smtp_sasl_security_options = noanonymous" | sudo tee -a /etc/postfix/main.cf
echo "smtp_sasl_tls_security_options = noanonymous" | sudo tee -a /etc/postfix/main.cf
echo "smtp_tls_security_level = encrypt" | sudo tee -a /etc/postfix/main.cf
echo "header_size_limit = 4096000" | sudo tee -a /etc/postfix/main.cf
echo "relayhost = [smtp.sendgrid.net]:587" | sudo tee -a /etc/postfix/main.cf
sudo sed -i -e 's/smtp_tls_security_level = may/#smtp_tls_security_level = may/' /etc/postfix/main.cf
echo "[smtp.sendgrid.net]:587 apikey:$SENDGRID_API_KEY" | sudo tee -a /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
sudo systemctl restart postfix
unset SENDGRID_API_KEY
clear
history -c
echo "Test Email" | mail -s "Test Subject using sendgrid as relay" tommy@studiowebux.com
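An added check, not from the original post: Postfix uses the last value when a parameter appears more than once in main.cf (postconf warns about the earlier entry, but the later one wins), which is what makes appending with tee -a work. The functions below parse main.cf with that last-wins rule to confirm the relay settings from this page, and verify that sasl_passwd and the .db that postmap compiles from it carry no group or other permission bits. Paths and values are the ones from this page, the sample files are constructed, and Postfix's whitespace-indented continuation lines are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the relay settings
# appended above took effect and that the credential files are private.

# Last uncommented assignment of a parameter wins, as Postfix reads main.cf.
# Continuation lines (leading whitespace) are not handled in this example.
main_cf_value() {
    awk -v key="$2" -F '[ \t]*=[ \t]*' '
        /^[ \t]*#/ { next }
        $1 == key { val = $2 }
        END { sub(/[ \t]+$/, "", val); print val }
    ' "$1"
}

# Usage: postfix_relay_audit /etc/postfix/main.cf /etc/postfix/sasl_passwd
# Returns 0 when every setting matches and both credential files have no
# group/other permission bits, 1 otherwise.
postfix_relay_audit() {
    cf="$1"
    pw="$2"
    rc=0
    for pair in "relayhost=[smtp.sendgrid.net]:587" \
                "smtp_sasl_auth_enable=yes" \
                "smtp_sasl_security_options=noanonymous" \
                "smtp_tls_security_level=encrypt" \
                "smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd"; do
        param="${pair%%=*}"
        want="${pair#*=}"
        got="$(main_cf_value "$cf" "$param")"
        if [ "$got" = "$want" ]; then
            echo "ok   $param = $got"
        else
            echo "FAIL $param = '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    # The plaintext map and the compiled .db both hold the API key.
    for f in "$pw" "$pw.db"; do
        if [ ! -e "$f" ]; then
            echo "FAIL $f is missing (did postmap run?)"
            rc=1
            continue
        fi
        mode="$(stat -c '%a' "$f")"   # GNU stat, as on Rocky Linux
        case "$mode" in
            *00) echo "ok   $f mode $mode" ;;
            *)   echo "FAIL $f mode $mode is readable by group or other"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Stand-alone demo on constructed files (placeholder key, not a real one).
d="$(mktemp -d)"
printf '%s\n' 'smtp_tls_security_level = may' 'relayhost = [smtp.sendgrid.net]:587' \
    'smtp_sasl_auth_enable = yes' 'smtp_sasl_security_options = noanonymous' \
    'smtp_tls_security_level = encrypt' \
    'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' > "$d/main.cf"
printf '%s\n' '[smtp.sendgrid.net]:587 apikey:PLACEHOLDER_KEY' > "$d/sasl_passwd"
: > "$d/sasl_passwd.db"
chmod 600 "$d/sasl_passwd" "$d/sasl_passwd.db"
postfix_relay_audit "$d/main.cf" "$d/sasl_passwd"
rm -rf "$d"
```

The demo deliberately keeps the default smtp_tls_security_level = may line before the appended encrypt line to show that the later one wins; on a real host, postconf -n prints the effective values and is the quickest cross-check.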
Troubleshooting
If mail does not go out, this command shows you why:
sudo journalctl -u postfix
VPN
You can use something like WireGuard, as it is easy to configure; it is not covered in this article.