Linux security best practices

Penguin image for the Linux security best practices guide

Checklist

Introduction

Whenever you run a Raspberry Pi as a hobby project or a full mainframe, Linux security is around the corner. The unfortunate part is that the topic is very extensive. While it takes time to really master all aspects of Linux security, these so-called best practices help you to cover the basics.

Software

Install only what is needed

Adding software to a system is usually an easy task. Keeping the system clean and tidy, that is the real challenge. To reduce the chance to have software vulnerabilities, only install and activate those software components that are really needed. This should be based on the goal of the system.

For servers, it is typically not needed to have X11 or any graphical components installed. Yet for a desktop or workstation, it totally makes sense. For small devices like Raspberry Pi and IoT, reducing the number of software components can improve the performance of the device.

Apply updates

Most software components will fall to bugs sooner or later. If a flaw in the software can introduce a weakness that can be misused, this is called a software vulnerability. Totally preventing vulnerabilities is impossible. What is possible is the installing regular software updates. This resolves known issues and reduces the risk that a vulnerability is misused on your system.

  • yum update
  • apt upgrade

Services

Stop unneeded services

Any process that has no clear benefit from the system, should not be running in the first place. A good start might be to gather all processes that are listening on a network port. If you run a web server, then it makes sense to have Apache or Nginx running. But is that running database engine also really used?

  • Save a copy of the processes after initial installation or system hardening
  • Compare the process list output from multiple systems
  • Discover what happens when disabling a process on a test system

Users

Limit the number of users

Adding a new user is typically done in a matter of minutes, or even seconds when automated. Too often, user accounts that are no longer used, stay on the system. Reduce the access to a system and only allow active administrators.

Use key-based authentication

System management is typically done via SSH. It can be used to do remote administration or copy files between systems. Disable password-based authentication and set up SSH keys.

Networking

Use a firewall

Connectivity has an important part in the role of a system. It is almost impossible to think of systems that are no longer connected. For that reason, traffic filtering is a first defense mechanism to protect the system. This can be achieved with a firewall like iptables, firewalld, ufw, or nftables.

  • Use a 'default deny' policy
  • Only allow used protocols
  • Limit by IP address when possible

IPv6

Depending on the type of system, the network gets a dynamic or static IP address to communicate on the network. If the system is publically available, then it makes sense to enable IPv6. Ensure that support is enabled in the related daemons and that they are listening both on IPv4 and IPv6 addresses.

Many systems still use iptables. When enabling IPv6 support, use ip6tables to also restrict traffic streams for IPv6 connectivity.

  • Check if the firewall filters IPv6 traffic
  • Test incoming and outgoing connectivity