There are some very basic security ideas that can easily be implemented on Linux servers through the command line for initial security. They are so basic that they are mostly overlooked by newcomers: the 7 virtual consoles that are accessible just before we log in or, even earlier, the GRUB boot-loader or the actual BIOS. You cannot actually lock these down completely, because a server is often remote, so after boot you wouldn't be able to access it unless someone physically gets past the BIOS and GRUB passwords. Anyway, let's get started.
============================================
SECURITY GOALS:
- minimalism
- least privileges possible
- profound defense (defense in depth)
1) Minimalism
- Reduce attack surface
- Reduce the number of components (such as unwanted installed software or services - remove them)
(this will also reduce unwanted updates and upgrades, network congestion and compatibility issues)
- Easy and effective supervision
2) Least Privileges
- To make sure that there are no extra privileges or access for unwanted personnel
- To avoid harmful mishaps, unwanted actions and deletions, and to avoid others taking control
3) Profound Defense (defense in depth)
- Slow down the attackers
- Intrusion Detection
# Network Separation
# Obliged Manual Auth for all privileged actions
# Tracking procedure - centralized and secured (to see who did when, what, why, how...)
# Enclosure of exposed-processes
# Updated components (firmware and drivers from time to time, but software, services and security features for sure)
==========================================
For this article I used CentOS, but you can also use Fedora Server or, better, Rocky Linux Server, as CentOS is over and out.
SECURITY of BOOTLOADER = Grub, KERNEL and DYNAMIC KERNEL MODULES
GRUB - Grand Unified Bootloader
(When the OS starts, we choose normal or secure boot mode, but by pressing 'c' or 'tab' anyone can also get into the GRUB terminal and carry out harmful actions. We must protect this boot menu.)
/boot/grub2/grub.cfg - principal bootloader file
/etc/grub.d/ - grub.cfg is updated dynamically from this directory
# files in this directory should be accessible only to root !!!
01_users # contains the authentication info that protects shell access
Use these commands to add a new superuser for GRUB shell access
$ grub2-mkpasswd-pbkdf2 # passwd generator
# copy the passwd to clipboard
$ nano /etc/grub.d/01_users
# add these lines to the file
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.5D.....
The 01_users file should look something like this
--------------------------------------
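#!/bin/sh -e
# GRUB evaluates the block below at boot: the superusers and passwords
# apply only if ${prefix}/user.cfg exists and sets GRUB2_PASSWORD.
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root admin"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
    password_pbkdf2 admin grub.pbkdf2...
  fi
fi
EOF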
--------------------------------------
$ grub2-mkconfig -o /boot/grub2/grub.cfg
# to apply changes for next grub load
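To verify the two requirements above (files in grub.d accessible only to root, and a hashed password for every superuser), here is an added example that is not part of the original post. The function names, the numeric owner argument and the sample file are assumptions made for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (`stat -c`).

# check_grub_perms DIR [UID]: report files not owned by UID (default 0 = root)
# or with any permission bit set for group/other. Returns 1 on any finding.
check_grub_perms() {
    dir=$1; owner=${2:-0}; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f"); who=$(stat -c '%u' "$f")
        case $mode in
            0|*00) ;;                                # nothing for group/other
            *) echo "PERM $f mode=$mode"; bad=1 ;;
        esac
        [ "$who" = "$owner" ] || { echo "OWNER $f uid=$who"; bad=1; }
    done
    return $bad
}

# check_users_file FILE: every name in set superusers="..." needs a matching
# password_pbkdf2 line; a plaintext `password` directive is a finding.
check_users_file() {
    file=$1; bad=0
    users=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$file" |
        tr ',;|&' '    ')
    [ -n "$users" ] || { echo "NOSUPER $file"; return 1; }
    for u in $users; do
        grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$u[[:space:]]" "$file" ||
            { echo "NOHASH $u"; bad=1; }
    done
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$file"; then
        echo "PLAINTEXT $file"; bad=1
    fi
    return $bad
}

# make_sample DIR: constructed 01_users with a placeholder instead of a hash.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '#!/bin/sh -e' 'cat << EOF' 'set superusers="root admin"' \
        'password_pbkdf2 root \${GRUB2_PASSWORD}' \
        'password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER' 'EOF' \
        > "$1/01_users"
    chmod 700 "$1/01_users"
}

# Demo on the constructed sample; on a real host run as root on /etc/grub.d.
t=$(mktemp -d); make_sample "$t"
check_grub_perms "$t" "$(id -u)" && check_users_file "$t/01_users" && echo "OK"
rm -rf "$t"
```

On a real server the calls would be `check_grub_perms /etc/grub.d` and `check_users_file /etc/grub.d/01_users`, run as root.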
_dnhyper


