Guide to Linux Security: SSH Hardening, SELinux, AppArmor, Firewalls, and Security Audits

As a Debian/Ubuntu Linux System Administrator, ensuring the security of your server is not just an optional task; it’s a critical responsibility.

The security landscape is evolving, and so are the attack vectors that malicious actors employ.

In this guide, I will cover practical steps to secure your Linux environment through SSH hardening, SELinux, AppArmor, firewall configuration (UFW/iptables), and performing regular security audits.

Whether you’re running a server for personal use or managing an enterprise-grade infrastructure, these practices will provide a robust foundation to protect your systems.

SSH Hardening in Debian/Ubuntu Best Practice

SSH (Secure Shell) is the most commonly used protocol for remote login and administration on Linux systems. However, it can also be a potential entry point for attackers if left improperly configured. Here are the key steps for hardening SSH on Debian/Ubuntu systems.

Disable Root Login

One of the first things you should do is disable root login over SSH. Allowing the root user to directly access the system via SSH is a significant security risk because the root account is well-known, and attackers can target it using brute force attacks.

sudo nano /etc/ssh/sshd_config

Find the following line and change its value to no:

PermitRootLogin no

Change Default SSH Port

By default, SSH listens on port 22, which is known to attackers. Changing the default SSH port to a non-standard port is a simple but effective method of reducing the number of brute-force attempts.

sudo nano /etc/ssh/sshd_config

Change the port number:

Port 2222

Make sure to configure your firewall to allow the new port:

sudo ufw allow 2222/tcp

Use SSH Key Authentication

Password-based authentication is vulnerable to brute-force attacks. Instead, SSH key authentication provides a much more secure method of logging in.

1. Generate an SSH key pair on your local machine:

   ssh-keygen -t rsa -b 4096

2. Copy the public key to the server:

   ssh-copy-id user@server_ip

3. Disable password authentication in /etc/ssh/sshd_config:

   PasswordAuthentication no

4. Restart the SSH service:

   sudo systemctl restart ssh

Enforce Strong Authentication Methods

To further secure SSH, you can enable multi-factor authentication (MFA). One common solution is integrating Google Authenticator for Time-based One-Time Password (TOTP).

1. Install Google Authenticator on your server:

   sudo apt-get install libpam-google-authenticator

2. Run the Google Authenticator setup:

   google-authenticator

3. Edit the PAM configuration for SSH:

   sudo nano /etc/pam.d/sshd

   Add the following line:

   auth required pam_google_authenticator.so

Rate Limiting with Fail2Ban

Fail2Ban is a service that helps protect your SSH server from brute-force attacks by blocking IP addresses that exhibit suspicious behavior.

1. Install Fail2Ban:

   sudo apt-get install fail2ban

2. Configure it by editing the jail file:

   sudo nano /etc/fail2ban/jail.local

   Under [sshd], set the appropriate values for bantime, findtime, and maxretry.

3. Restart Fail2Ban:

   sudo systemctl restart fail2ban

SSH Banner Warnings

Adding a warning banner can deter unauthorized access attempts and provide legal warning to intruders.

sudo nano /etc/issue.net

Add a warning message, e.g.:

Unauthorized access to this system is prohibited. All activity is monitored.

Then, configure SSH to display this banner by editing the SSH config:

Banner /etc/issue.net

SELinux Explained and Application

What is SELinux?

Security-Enhanced Linux (SELinux) is a security architecture integrated into the Linux kernel that enables fine-grained access control. SELinux enforces mandatory access control (MAC) policies that define how applications and users can access resources.

SELinux Modes

SELinux operates in three modes:

• Enforcing: SELinux policies are enforced, and violations are logged.
• Permissive: Violations are allowed but logged for auditing purposes.
• Disabled: SELinux is turned off.

To check the current status:

sestatus

To switch SELinux to enforcing mode:

sudo setenforce 1

Configuring SELinux Policies

SELinux uses policies to dictate what actions processes can perform on the system. For example, if you’re running an Apache web server, you can configure SELinux policies to restrict its access to certain files.

1. List current policies:

   sudo semanage fcontext -l

2. Apply custom policies as needed:

   sudo semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'

3. Restore file contexts:

   sudo restorecon -Rv /var/www

Troubleshooting with SELinux Logs

If an application is being blocked, SELinux logs it. You can view the logs at /var/log/audit/audit.log and use audit2why to analyze the log:

sudo cat /var/log/audit/audit.log | audit2why

AppArmor Installing and Activating

What is AppArmor?

AppArmor is a Linux security module that provides mandatory access control for applications. Unlike SELinux, which relies on complex policies, AppArmor uses easy-to-understand profiles to enforce security.

Enabling and Configuring AppArmor

1. Ensure AppArmor is installed:

   sudo apt-get install apparmor apparmor-utils

2. Enable AppArmor:

   sudo systemctl enable apparmor
   sudo systemctl start apparmor

Managing Profiles

AppArmor operates using profiles for individual applications, which can either be in enforcing or complain mode.

1. To enforce a profile:

   sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx

2. To switch a profile to complain mode (useful for debugging):

   sudo aa-complain /etc/apparmor.d/usr.sbin.nginx

Firewalls: UFW and iptables

UFW: Simple and Effective Firewall

1. Enable UFW:

   sudo ufw enable

2. Allow essential services:

   sudo ufw allow 22/tcp  # SSH
   sudo ufw allow 80/tcp  # HTTP
   sudo ufw allow 443/tcp # HTTPS

3. View the status:

   sudo ufw status

Configuring iptables for More Granular Control

1. List current rules:

   sudo iptables -L

2. Block a specific IP:

   sudo iptables -A INPUT -s 192.168.1.100 -j DROP

3. Allow incoming HTTP and HTTPS traffic:

   sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
   sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

4. Save the configuration:

   sudo iptables-save > /etc/iptables/rules.v4

Performing Security Audits

Audit Tools: Lynis, OpenVAS, and RKHunter

• Lynis: A powerful security auditing tool for Linux. Run a system scan with:

  sudo lynis audit system

• OpenVAS: A full-featured vulnerability scanner.
• RKHunter: Rootkit Hunter checks your system for rootkits and other security vulnerabilities.

  sudo rkhunter --check

Regular Log Monitoring

Logs provide invaluable information about potential breaches. Use journalctl to review logs:

sudo journalctl -xe

Tools like logwatch can help automate the process of log monitoring and send you email reports.

Vulnerability Scanning and Patch Management

Keep your system up to date by regularly applying security patches. Use apt to update packages:

sudo apt-get update
sudo apt-get upgrade

---

Conclusion

Securing a Debian/Ubuntu system requires a layered approach. By hardening SSH, using mandatory access controls like SELinux or AppArmor, properly configuring your firewall, and conducting regular security audits, you can significantly reduce your server’s attack surface.

Each of these tools and techniques offers different levels of protection, and when used together, they form a strong security posture.

Stay vigilant, keep your systems updated, and regularly audit your environment to ensure continuous security.

Feel free to share this article on your blog or LinkedIn, and don’t hesitate to reach out for more detailed discussions on specific Linux security practices.