Bob Implements Linux Security Best Practices on AlmaLinux

Secure Linux systems by following best practices for system security.
By İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

Bob’s next adventure was to secure his Linux systems by following best practices for system security. With growing threats and vulnerabilities, he aimed to strengthen AlmaLinux against unauthorized access, malware, and data breaches.

“A secure system is a reliable system—time to lock it down!” Bob said, determined to ensure maximum protection.

Chapter Outline: “Bob Implements Linux Security Best Practices”

  1. Introduction: Why Security Best Practices Matter

    • The importance of securing Linux systems.
    • Overview of common threats and vulnerabilities.

  2. Securing User Accounts and Authentication

    • Enforcing password policies.
    • Setting up multi-factor authentication (MFA).

  3. Hardening the System

    • Disabling unused services and ports.
    • Implementing SELinux and AppArmor.

  4. Protecting Network Communications

    • Configuring firewalls with firewalld.
    • Using SSH securely with key-based authentication.

  5. Monitoring and Logging

    • Using auditd for system auditing.
    • Analyzing logs with tools like Logwatch and Grafana.

  6. Keeping the System Updated

    • Automating updates and patch management.
    • Monitoring for vulnerabilities with OpenSCAP.

  7. Conclusion: Bob Reflects on Security Mastery

Part 1: Why Security Best Practices Matter

Bob learned that Linux security involves multiple layers of protection to defend against evolving threats like unauthorized access, malware, and data theft.

Common Threats

  • Weak or reused passwords.
  • Unpatched software vulnerabilities.
  • Unsecured network connections.

“Security is a continuous process—not a one-time setup!” Bob noted.

Part 2: Securing User Accounts and Authentication

Step 1: Enforcing Password Policies

  • Configure password complexity:

    sudo nano /etc/security/pwquality.conf

    Add:

    minlen = 12
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

  • Set password expiration policies:

    sudo nano /etc/login.defs

    Update:

    PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7

Step 2: Setting Up Multi-Factor Authentication

  • Install MFA tools:

    sudo dnf install -y google-authenticator

  • Configure MFA for SSH:

    google-authenticator
sudo nano /etc/ssh/sshd_config

    Add:

    AuthenticationMethods publickey,keyboard-interactive

  • Restart SSH:

    sudo systemctl restart sshd

“Strong passwords and MFA significantly enhance account security!” Bob said.

Part 3: Hardening the System

Step 1: Disabling Unused Services

  • List and stop unnecessary services:

    sudo systemctl list-unit-files --type=service
sudo systemctl disable cups

  • Close unused ports:

    sudo firewall-cmd --remove-service=samba --permanent
sudo firewall-cmd --reload

Step 2: Implementing SELinux

  • Enable SELinux:

    sudo setenforce 1

  • Check SELinux status:

    sestatus

  • Configure SELinux policies:

    sudo semanage permissive -a httpd_t

“Disabling unused features reduces the system’s attack surface!” Bob noted.

Part 4: Protecting Network Communications

Step 1: Configuring Firewalls

  • Enable and configure firewalld:

    sudo systemctl enable firewalld --now
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload

Step 2: Securing SSH

  • Disable root login:

    sudo nano /etc/ssh/sshd_config

    Update:

    PermitRootLogin no

  • Use key-based authentication:

    ssh-keygen -t rsa -b 4096
ssh-copy-id user@remote-server

“A properly configured firewall and SSH setup are essential for secure communication!” Bob said.

Part 5: Monitoring and Logging

Step 1: Using auditd for System Auditing

  • Install and enable auditd:

    sudo dnf install -y audit audit-libs
sudo systemctl enable auditd --now

  • Add rules to monitor changes:

    sudo nano /etc/audit/audit.rules

    Add:

    -w /etc/passwd -p wa -k user_changes
-w /var/log/secure -p wa -k login_attempts

Step 2: Analyzing Logs

  • Install and configure Logwatch:

    sudo dnf install -y logwatch
sudo logwatch --detail High --service sshd --range today

  • Visualize logs with Grafana:

    sudo grafana-cli plugins install grafana-piechart-panel
sudo systemctl restart grafana-server

“Auditing and monitoring help detect potential security issues early!” Bob noted.

Part 6: Keeping the System Updated

Step 1: Automating Updates

  • Enable automatic updates:

    sudo dnf install -y dnf-automatic
sudo systemctl enable dnf-automatic.timer --now

Step 2: Monitoring Vulnerabilities with OpenSCAP

  • Install OpenSCAP:

    sudo dnf install -y openscap-scanner scap-security-guide

  • Perform a security scan:

    sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-almalinux.xml

“Regular updates and vulnerability scans keep the system secure!” Bob said.

Conclusion: Bob Reflects on Security Mastery

Bob successfully implemented Linux security best practices on AlmaLinux, including securing accounts, hardening the system, protecting network communications, and setting up robust monitoring and update mechanisms. With these measures in place, he was confident his systems were well-protected against threats.

Next, Bob plans to explore Linux Performance Tuning, optimizing systems for speed and efficiency.

Last modified 09.01.2025: msfconsoel translations ongoing... (f7e18da)