How do you verify Linux server security? How can you be sure that the system is fully secured? The bad news is that you can't be sure; the good news is that you can always do your best. This article is a general overview of the tasks and utilities that help with testing and maintaining a secure environment.
The first thing to keep in mind is that the majority of successful attacks succeed because of poor server administration. That's right: the admin, or someone else, left a door open, by mistake, through an overlooked update or for whatever other reason, and the intruder simply knocked and walked in. Regardless of all the tools and utilities available, the admin needs to keep an eye on everything, stay vigilant, work through checklists and stay up to date on the threat landscape.
The only way to gain confidence in server security is to test it. The server needs to be examined, scanned, analyzed, audited, reverse engineered and pen tested, and then tested again to confirm that it works as expected. Sounds like a lot of work? It is, so let's discuss how to verify Linux server security effectively using the best methods. The tools below help greatly and automate many of the required tasks.
Please remember that the following tools are good, if not the best, but a tool is only as good as its user. To use them effectively you need to learn them and understand what is going on under the hood.
Let's take a look at how to find out whether your server is full of security holes or properly configured.
A simple port scan reveals ports that are open but not used, and which should therefore be closed. Not every port can be closed, of course; a scan is useful precisely because it shows what sits between the sender and the target, and which open ports are possible attack vectors.
Nmap is a useful tool for running active port scans on local and remote networks: it discovers open ports, identifies the hosts that respond, fingerprints services, and estimates operating system and application versions. Another good free and open source, feature-rich port scanner is Angry IP Scanner, known for its speed and its web server and NetBIOS information detection capabilities.
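A scan is only as useful as the comparison you make with it: the question is not "what is open?" but "what is open that I did not intend?". The following script is an added example, not code from the original article; it parses nmap's grepable (`-oG`) output and diffs it against an allow-list of intended listeners. The scan result for the fictional host 192.0.2.10 is constructed inline so the script runs offline; on a real server it would come from `nmap -sS -sV -p- -oG scan.gnmap <host>`.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: diff an nmap scan against the
# ports you intend to expose. The scan would normally be produced with
#   nmap -sS -sV -p- -oG scan.gnmap 192.0.2.10
# A constructed grepable (-oG) result for a fictional host is embedded below so
# that the script runs offline.

GNMAP_FILE=$(mktemp)
{
    printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -p- -oG scan.gnmap 192.0.2.10\n'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, 80/open/tcp//http//nginx 1.22.1/, 443/open/tcp//http//nginx 1.22.1/, 3306/open/tcp//mysql//MySQL 8.0.36/, 6379/open/tcp//redis//Redis key-value store 7.0.15/\tIgnored State: closed (65530)\n'
    printf '# Nmap done -- 1 IP address (1 host up) scanned in 30.00 seconds\n'
} > "$GNMAP_FILE"

open_ports_from_gnmap() {
    # Print one "proto/port service version" line per open port found in the -oG file $1.
    # -oG fields are tab separated; each port entry is port/state/proto/owner/service/rpcinfo/version/.
    awk -F'\t' '
        /^Host: / {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, ports, ", ")
                    for (j = 1; j <= n; j++) {
                        split(ports[j], f, "/")
                        if (f[2] == "open") printf "%s/%s %s %s\n", f[3], f[1], f[5], f[7]
                    }
                }
            }
        }' "$1"
}

unexpected_ports() {
    # $1 = -oG file, $2 = space-separated allow-list of intended listeners, e.g. "tcp/22 tcp/80 tcp/443".
    # Prints every open port that is not on the allow-list; returns 1 if there were any.
    local allow=" $2 " found=0 proto_port rest
    while read -r proto_port rest; do
        [ -n "$proto_port" ] || continue
        case "$allow" in
            *" $proto_port "*) ;;
            *) echo "UNEXPECTED $proto_port ($rest)"; found=1 ;;
        esac
    done <<EOF
$(open_ports_from_gnmap "$1")
EOF
    return "$found"
}

# Usage: anything printed here is either an unknown service or one that should be
# firewalled off. In this sample the database and the cache answer from outside.
unexpected_ports "$GNMAP_FILE" "tcp/22 tcp/80 tcp/443" || echo "review the listeners above"
```

Keep the allow-list in version control next to the firewall rules and run the comparison from a cron job or CI pipeline: a new entry in the output then means either an undocumented change or an intrusion, and both deserve a ticket.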
Not my favorite, as it is like a security guard walking around and checking that everything is in order. However, intrusion detection is an essential part of Linux server security, and it needs to be done, and done continuously. The system has to be monitored for malicious activity and policy violations, there needs to be an intrusion detection system (IDS), and someone needs to actually look at what it reports.
Intrusion detection gives a good picture of the attack vectors actually being tried against the server, and that information is needed for setting up defenses: the admin can proactively identify likely threats. A properly tuned IDS also alerts when something malicious happens.
Snort is a free and open source intrusion detection and prevention system which runs in three modes: packet sniffer mode, packet logger mode and network intrusion detection mode. Snort is not a port scanner itself, but its port-scan detection preprocessor flags scans against your host, and its rules cover OS fingerprinting probes. We use it to analyze real-time traffic, find packets that match rules describing malicious network activity and generate alerts. It is quite an effective way to stay aware of what is going on. Another good alternative is Suricata, which does real-time intrusion detection as well as intrusion prevention plus other tasks. It accepts Snort's rule format, so Snort rule sets can be imported into Suricata.
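Both Snort and Suricata can write alerts in the same one-line `fast.log` format, and the person who "takes a look at what it reports" needs that reduced to something readable. The script below is an added example, not code from the original article or either project: it parses a constructed `fast.log` for the fictional host 192.0.2.10 and summarises it by signature and source. The signature IDs are in the local range (sid 1000000 and up) and do not refer to any published rule set; the messages are invented for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: summarise IDS alerts so that the
# noisiest sources, and anything originating from the server itself, surface first.
# Reads the fast.log line format shared by Snort and Suricata. All lines below are
# constructed; the sids are local-range placeholders, not real rules.

FASTLOG=$(mktemp)
cat > "$FASTLOG" <<'EOF'
05/13/2024-10:01:02.123456  [**] [1:1000001:1] LOCAL SCAN Potential SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:54321 -> 192.0.2.10:22
05/13/2024-10:01:03.223456  [**] [1:1000001:1] LOCAL SCAN Potential SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:54322 -> 192.0.2.10:22
05/13/2024-10:01:04.323456  [**] [1:1000001:1] LOCAL SCAN Potential SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:54323 -> 192.0.2.10:22
05/13/2024-10:05:00.000001  [**] [1:1000002:1] LOCAL WEB Scanner user-agent seen [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:41002 -> 192.0.2.10:80
05/13/2024-10:05:00.400000  [**] [1:1000003:1] LOCAL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.7:41002
EOF

_parse_fast() {
    # Reduce each alert line to "gid:sid:rev<TAB>message<TAB>source IP".
    awk '
        index($0, " -> ") == 0 { next }                 # not an alert line
        {
            sid = $0; sub(/^[^[]*\[\*\*\] \[/, "", sid); sub(/\].*/, "", sid)
            msg = $0; sub(/^[^[]*\[\*\*\] \[[0-9:]+\] /, "", msg); sub(/ \[\*\*\].*/, "", msg)
            split($0, a, " -> "); m = split(a[1], b, " "); src = b[m]; sub(/:[0-9]+$/, "", src)
            print sid "\t" msg "\t" src
        }' "$1"
}

alert_summary() {
    # $1 = fast.log, $2 = rows to show (default 5). Output: "count  sid  message  source".
    _parse_fast "$1" | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

noisy_sources() {
    # Source IPs with at least $2 alerts (default 3): candidates for a firewall block list.
    _parse_fast "$1" | awk -F'\t' -v thr="${2:-3}" '{ c[$3]++ } END { for (s in c) if (c[s] >= thr) print s }' | sort
}

alerts_from_host() {
    # Alerts whose *source* is the monitored host ($2). An outbound match means something
    # on the server answered an attacker; that is the alert to open first.
    _parse_fast "$1" | awk -F'\t' -v host="$2" '$3 == host { print $1 "\t" $2 }'
}

alert_summary "$FASTLOG"
echo "--- sources over threshold ---"; noisy_sources "$FASTLOG"
echo "--- alerts originating from the server ---"; alerts_from_host "$FASTLOG" 192.0.2.10
```

The last function is the one to keep: a scan from the internet is background noise, but an alert whose source address is your own server (here the id-check response) means a rule matched traffic the server sent, which is what a successful exploit looks like from the network.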
No intrusion detection / prevention setup is complete without a honeypot. You want to show the honey and know when someone comes for it. With Cowrie you can set up a nice one: Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the attacker's shell interaction. Keep it isolated from production (its own host or container and its own network segment), so that a compromise of the honeypot cannot become a foothold, and treat every connection to it as hostile, since no legitimate user has any reason to be there.
Most will agree that keeping an eye on server logs is a quick way to get a headache. It is nevertheless an essential task in maintaining Linux server security. Logs tell you pretty much everything that is going on; you just need to know what to look for. Watch application logs, event logs, service logs and system logs. Tools that automate this never-ending but essential task prevent the worst of the headache.
Logwatch parses the system's logs and produces a report on whatever you have told it to analyze. It is a customizable log analysis system which mails you reports pointing out possibly malicious activity such as failed SSH login attempts, IP addresses generating errors, or the number of emails sent. Another useful log monitoring tool is Fail2ban. It scans log files and bans IPs that show malicious signs, such as too many password failures or probing for exploits; it then updates firewall rules to reject those addresses for a specified time and can send email alerts. This gives basic protection against brute-force attacks, though a distributed attack that spreads its attempts over many source addresses stays under a per-IP threshold, which is one more reason to allow key-based logins only.
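To see what Fail2ban's `sshd` jail actually decides, it helps to write the rule out by hand. The script below is an added example, not code from the original article or from Fail2ban: it runs the same "N failures from one address within a time window" logic over a constructed `auth.log` for a fictional host `web1`, and additionally flags a source that failed and then succeeded, which Fail2ban does not report. Timestamps are treated as seconds within one day, a simplification that a real implementation would replace with full date parsing.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: the core of what Fail2ban's sshd
# jail does (maxretry failures within findtime seconds => ban), written out so the
# semantics are visible, plus a check Fail2ban does not make. The auth.log lines
# below are constructed for a fictional host.

AUTHLOG=$(mktemp)
cat > "$AUTHLOG" <<'EOF'
May 13 09:00:00 web1 sshd[2001]: Failed password for invalid user oracle from 192.0.2.77 port 40100 ssh2
May 13 09:08:00 web1 sshd[2002]: Failed password for invalid user oracle from 192.0.2.77 port 40101 ssh2
May 13 09:16:00 web1 sshd[2003]: Failed password for invalid user oracle from 192.0.2.77 port 40102 ssh2
May 13 09:24:00 web1 sshd[2004]: Failed password for invalid user oracle from 192.0.2.77 port 40103 ssh2
May 13 09:32:00 web1 sshd[2005]: Failed password for invalid user oracle from 192.0.2.77 port 40104 ssh2
May 13 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
May 13 10:00:03 web1 sshd[2102]: Failed password for root from 203.0.113.5 port 51001 ssh2
May 13 10:00:05 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51002 ssh2
May 13 10:00:07 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
May 13 10:00:09 web1 sshd[2105]: Failed password for invalid user ubuntu from 203.0.113.5 port 51004 ssh2
May 13 10:00:11 web1 sshd[2106]: Failed password for root from 203.0.113.5 port 51005 ssh2
May 13 10:02:00 web1 sshd[2201]: Failed password for deploy from 198.51.100.7 port 52000 ssh2
May 13 10:02:10 web1 sshd[2202]: Failed password for deploy from 198.51.100.7 port 52001 ssh2
May 13 10:02:30 web1 sshd[2203]: Accepted publickey for deploy from 198.51.100.7 port 52002 ssh2
EOF

brute_force_sources() {
    # $1 = auth.log, $2 = maxretry (default 5), $3 = findtime in seconds (default 600).
    # Prints each source IP once, at the moment it crosses the threshold.
    awk -v maxretry="${2:-5}" -v findtime="${3:-600}" '
        / sshd\[[0-9]+\]: Failed password for / {
            split($3, hms, ":")                       # HH:MM:SS -> seconds (same-day simplification)
            sec = hms[1] * 3600 + hms[2] * 60 + hms[3]
            ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || banned[ip]) next
            n[ip]++; ts[ip, n[ip]] = sec
            recent = 0
            for (k = 1; k <= n[ip]; k++) if (ts[ip, k] > sec - findtime) recent++
            if (recent >= maxretry) { banned[ip] = 1; print ip }
        }' "$1"
}

failed_then_accepted() {
    # Sources with at least one failure followed by an accepted login. Often benign
    # (a user who finally reached for the key), which is why it is reported, not banned.
    awk '
        / sshd\[[0-9]+\]: (Failed password|Accepted (password|publickey)) for / {
            ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($6 == "Failed") failed[ip]++
            else if (failed[ip] > 0 && !seen[ip]) { seen[ip] = 1; print ip " after " failed[ip] " failures" }
        }' "$1"
}

echo "ban candidates (5 failures in 10 minutes):"; brute_force_sources "$AUTHLOG"
echo "slow guessing caught with a wider window (3 in 60 minutes):"; brute_force_sources "$AUTHLOG" 3 3600
echo "failed, then logged in:"; failed_then_accepted "$AUTHLOG"
```

The slow attacker 192.0.2.77 spaces its attempts eight minutes apart and never trips the default window; it only shows up with the wider one. In Fail2ban those two knobs are `maxretry` and `findtime` in the `[sshd]` section of `/etc/fail2ban/jail.local`, and `fail2ban-client status sshd` lists what is currently banned.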
Reverse Engineering and Malware Scanning
The server needs to be scanned routinely for malware. There are various utilities for this: Chkrootkit, which scans for rootkits and known backdoors; Rkhunter, which detects potentially malicious software such as backdoors and suspicious hidden files; Lynis, which performs an extensive security health scan of the server; and LMD (Linux Malware Detect), a malware scanner that is especially good at scanning shared hosting environments. The latest on the list is the rather interesting Project Freta, which analyzes captured VM memory snapshots in the cloud. Keep in mind that a rootkit scanner running on top of a compromised kernel can be lied to, so a clean result is weaker evidence than a detection; inspecting a memory snapshot from outside the VM, as Freta does, avoids that problem.
Reverse engineering is needed to minimize security risk. It is the process of deconstructing a system to gain insight into its architecture and code, which helps verify security and identify malware hiding in the system and other vulnerabilities. It is a necessary step for analyzing any unknown functionality or code you find, because only with that information can you eliminate the risk and prevent future attacks.
REMnux is a Linux toolkit for reverse engineering and analyzing malicious software. It is available as a distribution which you can download as a virtual machine in OVA format; you can also install REMnux on an existing system if it runs a compatible version of Ubuntu. Read the REMnux documentation to get an idea of how it can be used; here are examples from their site:
- Examine static properties of a suspicious file.
- Statically analyze malicious code.
- Dynamically reverse-engineer malicious code.
- Perform memory forensics of an infected system.
- Explore network interactions for behavioral analysis.
- Investigate system-level interactions of malware.
- Analyze malicious documents.
- Gather and analyze threat data.
Pen testing is my favorite; it's like an adventure. What can be more fun than trying to hack your own systems? However entertaining it is, it is also a very serious task, as in the best (or worst) case it reveals how to walk straight into the system with root privileges, or some other serious vulnerability. You need to use the same methods attackers use; that is the only way to test the system's security. Test only systems you own or have written authorization to test, and tell whoever watches the IDS when you run, so that your own scans are not mistaken for a real attack (or, worse, quietly ignored). It's time to call Kali.
Kali Linux is an industry-standard, full Linux distribution containing over 600 penetration testing tools, among other useful features. It is fully customizable and supports LUKS full-disk encryption. It is intended for professional penetration testers and security specialists, so if you are serious about testing your Linux server security you should pay some attention to Kali, if you have not already. Seriously, it is a huge collection of very useful security testing tools, and there are excellent tutorials on how to use them. You can start learning at the Kali Linux Dojo offered by the Kali developers.
In addition to Kali there are plenty of other ethical hacking distributions out there, such as Parrot OS. Find your favorites and learn to use them. However, penetration testing is not only about tools; it is about the user, which is what makes it such a rewarding task. You need to think like a black hat, figure out how the system could be compromised, and test whether that is really possible. In most cases it is. So change your hat, turn off the lights and start before they do.
Auditing Linux system
Frequent system auditing is an essential part of maintaining a secure, stable and fully functional server. The Linux Auditing System (auditd) is a useful tool which helps discover security bugs, breaches and policy violations. It integrates with syslog, offering additional monitoring capabilities such as alerts and log archival.
The audit subsystem is a native part of the Linux kernel, and the auditd daemon that collects its events is installed and running by default on many distributions. It collects information about system activity at kernel level, which gives it a full view of all processes. It monitors and logs system calls, file access and pre-configured auditable events. auditd can be used to monitor authentication events such as user logins, modifications of the passwd file and of the SELinux configuration, changes to any file in the web server directory, failed cryptographic operations, program execution, abnormal terminations and so on.
However, auditd is not perfect: it needs to be configured carefully to produce useful information, and custom rules have to be written, otherwise it either records nothing interesting or floods the log. Here is a good article about how to use it.
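As a concrete starting point for those custom rules, here is an added example, not from the original article or from the audit project: a `rules.d` fragment covering the events named above (identity files, sudo scope, SELinux, the web root, program execution and denied file access), plus a small syntax check to run before loading. The web root path `/var/www` and the `x86_64` architecture are assumptions; `auid>=1000` restricts the syscall rules to real users so that daemons do not drown the log.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: a starting audit rule set for the
# events this section names, written as a rules.d fragment so augenrules picks it
# up, plus a pre-flight syntax check. /var/www and arch=b64/b32 (x86_64) are
# assumptions; older auditctl versions spell "auid!=unset" as "auid!=4294967295".

write_audit_rules() {
    # $1 = destination, normally /etc/audit/rules.d/50-server.rules (root required there).
    cat > "$1" <<'EOF'
## Identity and privilege files: log writes and attribute changes (-p wa)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
## SELinux configuration and policy
-w /etc/selinux/ -p wa -k mac-policy
## Served content: any write under the web root (assumed path)
-w /var/www/ -p wa -k webroot
## SSH daemon configuration
-w /etc/ssh/sshd_config -p wa -k sshd
## Program execution by real users (auid >= 1000, not daemons); noisy but invaluable
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=unset -k exec
## Failed file access by real users: permission denied / operation not permitted
-a always,exit -F arch=b64 -S open,openat,creat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open,openat,creat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
EOF
}

validate_audit_rules() {
    # Cheap pre-flight check: every non-comment line must be a watch (-w), a syscall
    # rule (-a) or a control option. Prints the number of rules; returns 1 on a bad line.
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        /^-(w|a) / { rules++; next }
        /^-(D|b|f|e|i|c)/ { next }
        { print "malformed rule: " $0 > "/dev/stderr"; bad = 1 }
        END { print rules + 0; exit bad }' "$1"
}

# Usage: a temporary path here. On the server write to /etc/audit/rules.d/50-server.rules,
# load with `augenrules --load`, confirm with `auditctl -l`, and query with e.g.
# `ausearch -k identity -ts today` or `aureport -k --summary`. Abnormal terminations
# need no rule of their own: the kernel emits ANOM_ABEND records (`ausearch -m ANOM_ABEND`).
RULES_FILE=$(mktemp)
write_audit_rules "$RULES_FILE"
validate_audit_rules "$RULES_FILE" && echo "rules look well-formed"
```

The `-k` keys are what make the log usable: `ausearch -k webroot` answers "who changed the site?" in one command, whereas an unkeyed rule set leaves you grepping raw records. Expect the `exec` rules to be the loudest; tune them by uid or by path before relying on alerts from them.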
Follow the basic server security best practices
Maintaining server security is an ongoing task. There are useful tools that make it a bit easier, but you need to know how to use these tools and think outside the box.
In general, make sure the very basic steps are always followed while you carry out the more complex verification of Linux server security.
- Keep OS updated.
- Keep Kernel updated.
- When updating, use only trusted sources and tested versions (i.e. not necessarily the latest ones).
- Use a firewall and Fail2ban, and put a web application firewall in front of web applications.
- If possible, hide your server's IP(s) behind a proxy.
- Generate an SSH key pair and, if possible, allow only key-based logins.
- Always use strong, unique passwords and enable 2FA.
- Monitor login authentication.
- Get rid of unnecessary software.
- Close ports that are not needed; better, close everything and open only the ports you need.
- Change the standard SSH port (this only reduces noise from automated scanners; it is not a substitute for the other SSH hardening steps).
- Disable root login over SSH and use sudo when required.
- Encrypt communications.
- Scan for malware regularly.
- Implement an intrusion detection system.
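Several items on that list (key-only logins, no root over SSH, no empty passwords) live in `sshd_config`, and a checklist is only worth something if it is checked. The script below is an added example, not from the original article: it reads an `sshd_config` the way sshd does (first occurrence of a directive wins, an absent directive takes OpenSSH's default, and everything after the first `Match` line is conditional and therefore ignored here) and prints one `FAIL` line per weak setting. The two configurations are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: verify the SSH items of the
# checklist against an sshd_config. Assumes the "Keyword value" form; the default
# values are OpenSSH's own for a directive that is absent, so a missing line can fail.

check_sshd_config() {
    # $1 = path to sshd_config. Prints one FAIL line per weak setting; returns the number of failures.
    awk '
        BEGIN {
            want["permitrootlogin"] = "no";              def["permitrootlogin"] = "prohibit-password"
            want["passwordauthentication"] = "no";       def["passwordauthentication"] = "yes"
            want["kbdinteractiveauthentication"] = "no"; def["kbdinteractiveauthentication"] = "yes"
            want["pubkeyauthentication"] = "yes";        def["pubkeyauthentication"] = "yes"
            want["permitemptypasswords"] = "no";         def["permitemptypasswords"] = "no"
        }
        /^[[:space:]]*#/ || NF == 0 { next }
        { key = tolower($1) }
        key == "challengeresponseauthentication" { key = "kbdinteractiveauthentication" }  # older name
        key == "match" { exit }                         # global section ends at the first Match block
        (key in want) && !(key in seen) { seen[key] = tolower($2) }
        END {
            fails = 0
            for (k in want) {
                v = (k in seen) ? seen[k] : def[k]
                if (v != want[k]) {
                    printf "FAIL %s=%s (want %s%s)\n", k, v, want[k], ((k in seen) ? "" : ", default applies")
                    fails++
                }
            }
            exit fails
        }' "$1"
}

# Constructed sample configurations: a stock-looking one that still allows password
# guessing against root, and a hardened one with a conditional exception the checker ignores.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
EOF
cat > "$HARD_CONF" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
EOF

for conf in "$WEAK_CONF" "$HARD_CONF"; do
    check_sshd_config "$conf"; rc=$?
    echo "$conf: $rc weak setting(s)"
done
```

The weak file fails three times, one of them for a directive it never mentions (keyboard-interactive authentication defaults to on, which lets PAM-backed password prompts through even with `PasswordAuthentication no`). To check the effective configuration rather than the file, including that `Match User backup` exception, feed the checker the output of `sshd -T` (or `sshd -T -C user=backup`), which prints the settings sshd will actually apply.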
Learn more about Linux security
Laamanen.net is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.