[
  {
    "path": "README.md",
    "content": "<h2 align=\"center\"><code>Linux Security and Hardening Security Guide</code></h2>\n\n@r0x000000000033\n\n### Table of Contents:\n\n- [Password Bootloader GRUB](#password-bootloader-grub)\n- [Disable reboot using Ctrl-Alt-Del Keys](#disable-reboot-using-ctrl-alt-del-keys)\n- [DNSCrypt](#dnscrypt)\n- [Sandboxing](#sandboxing)\n- [Lockdown Cronjobs](#lockdown-cronjobs)\n- [HidePID](#hidepid)\n- [MAC (Mandatory Access Control)](#mac-mandatory-access-control)\n  - [Examples of implementations](#examples-of-implementations)\n- [Security SSH](#security-ssh)\n  - [Change default port](#change-default-port)\n  - [Blocking root login](#blocking-root-login)\n  - [Define unique users to login](#define-unique-users-to-login)\n  - [Authentication via RSA public key](#authentication-via-rsa-public-key)\n  - [TCP Wrappers: Allowing connections from specific hosts](#tcp-wrappers-allowing-connections-from-specific-hosts)\n- [Pam_Tally2](#pam_tally2-block-user-after-n-number-of-incorrect-login-attempts)\n- [Port Knocking](#port-knocking)\n- [Rootkits and Malware Analysis](#rootkits-and-malware-analysis)\n- [FireWall](#firewall)\n- [Full Disk Encryption](#full-disk-encryption)\n- [Security Server Apache](#security-server-apache)\n  - [Apache modules](#apache-modules)\n  - [Disable Directory Listing](#disable-directory-listing)\n  - [TRACE Method](#trace-method)\n  - [Mod_Security](#mod_security)\n- [Security FTP](#security-ftp-file-transfer-protocol)\n  - [ProFTPD + TLS](#proftpd--tls)\n  - [Creating Shellless User Login](#creating-shellless-user-login)\n  - [ProFTPD: Allow only specific users to login](#proftpd-allow-only-specific-users-to-login)\n- [Listening Ports](#listening-ports)\n- [Security Auditing Tools Open Source](#security-auditing-tools-open-source)\n  - [NIDS/IPS](#nids-network-intrusion-detection-system-and-ips-intrusion-prevention-systems)\n  - [HIDS](#hids-host-based-intrusion-detection-system)\n\n### Introduction\n\n> Hardening is the process of 
mapping threats, mitigating risks and executing corrective actions, focused on the infrastructure, with the main objective of preparing it to withstand attack attempts.\n> This documentation presents a series of tips and recommendations to improve the security of any Linux distribution.\n\n### Password Bootloader GRUB\n\n1. Using `grub2-setpassword`:\n\n- [x] RHEL8/CentOS8\n- [ ] Debian\n\n```shell\n# Set password:\ngrub2-setpassword\n\n# File containing the password hash:\ncat /boot/grub2/user.cfg\nGRUB2_PASSWORD=grub.pbkdf2.sha512.10000.[...]\n\n# Remove --unrestricted from the main CLASS= declaration in the /etc/grub.d/10_linux file:\nsed -i \"/^CLASS=/s/ --unrestricted//\" /etc/grub.d/10_linux\n\n# Recreate the grub config with grub2-mkconfig and reboot:\ngrub2-mkconfig -o /boot/grub2/grub.cfg\nreboot\n```\n\n2. Using `grub2-mkpasswd-pbkdf2`:\n\n- [x] RHEL8/CentOS8\n- [x] Debian\n\n```shell\n# Generate the password hash and copy it:\n\n# RHEL8/CentOS8:\ngrub2-mkpasswd-pbkdf2\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.[...]\n\n# Debian-based:\ngrub-mkpasswd-pbkdf2\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.[...]\n\n# It is not recommended to edit the grub.cfg file directly (/boot/grub2/grub.cfg).\n# GRUB2 can be configured by modifying the files in the /etc/grub.d/ directory without touching the main file.\n# Edit the file /etc/grub.d/40_custom and add:\nset superusers=\"root\"\npassword_pbkdf2 root <password-hash>\n\n# Recreate the grub config with grub2-mkconfig and reboot:\n\n# RHEL8/CentOS8:\ngrub2-mkconfig -o /boot/grub2/grub.cfg\n\n# Debian-based:\ngrub-mkconfig -o /boot/grub/grub.cfg\n\nreboot\n```\nRemove GRUB password:\n```shell\n# RHEL8/CentOS8:\nrm -f /boot/grub2/user.cfg\n\n# Debian-based: remove the set superusers/password_pbkdf2 lines from /etc/grub.d/40_custom, then:\ngrub-mkconfig -o /boot/grub/grub.cfg\n```\n\n### Disable reboot using Ctrl-Alt-Del Keys\n\n- [x] RHEL8/CentOS8\n- [x] Debian\n\n[Masking](https://fedoramagazine.org/systemd-masking-units/) is a feature of 
systemd that prevents a unit from being activated.\n\n```shell\nsystemctl mask ctrl-alt-del.target\n\n# or (this is the symlink that systemctl mask creates):\nln -s /dev/null /etc/systemd/system/ctrl-alt-del.target\n\n# Check if it's masked:\nsystemctl list-unit-files --type target | grep ctrl\n\n# Remove the mask:\nsystemctl unmask ctrl-alt-del.target\n```\n\n### DNSCrypt\n\n- [x] Installation OS-specific: https://github.com/jedisct1/dnscrypt-proxy/wiki/installation\n\nProtocol created by OpenBSD that authenticates communications between a client and a DNS resolver. It encapsulates DNS traffic in an encrypted channel to improve security and prevent DNS spoofing, and uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and have not been tampered with.\n\n```Shell\napt install dnscrypt-proxy\n```\n\nChoose your preferred DNS server; a list of supported servers is available at:\n- [Public DNS Servers](https://dnscrypt.info/public-servers)\n\nAnother way to check the available servers (local copy of the list):\n```Shell\nless /var/cache/dnscrypt-proxy/public-resolvers.md\n```\n\nEdit dnscrypt-proxy.toml and add the server of your choice:\n```Shell\n# Edit the file /etc/dnscrypt-proxy/dnscrypt-proxy.toml:\nserver_names = ['cloudflare']\n```\n\nFor dnscrypt-proxy to work, the local resolver must point to the address dnscrypt-proxy listens on: 127.0.0.1, or 127.0.2.1 on Debian/Ubuntu.\n\nTo know which one to use, check the address the systemd socket listens on:\n```Shell\ngrep ListenDatagram /lib/systemd/system/dnscrypt-proxy.socket\n```\n\nThen point the resolver to localhost:\n```Shell\n# Edit the file /etc/resolv.conf:\nnameserver 127.0.2.1\n```\n\nStart dnscrypt-proxy:\n```Shell\nsystemctl start dnscrypt-proxy.service\n```\n\nCheck that the service is listening:\n```Shell\nss -lp 'sport = :domain'\n```\n\n### Sandboxing\n\nSecurity mechanism that isolates running programs in a highly controlled environment, restricting the resources they can reach.\n\n- Examples of implementations:\n\n  - [Firejail](https://firejail.wordpress.com/)\n  - [Bubblewrap](https://github.com/containers/bubblewrap)\n  - 
[Namespaces](https://man7.org/linux/man-pages/man7/namespaces.7.html)\n  - [Seccomp](https://man7.org/linux/man-pages/man2/seccomp.2.html)\n\n### Lockdown Cronjobs\n\n- [x] RHEL8/CentOS8\n- [x] Debian-based\n\n```shell\n# Block all users:\necho ALL >> /etc/cron.deny\n\n# Allow specific users to access cron:\necho \"<user>\" >> /etc/cron.allow\n```\n\n### HidePID\n\n- [x] RHEL8/CentOS8\n- [x] Debian-based\n\n> By default, all local users are allowed to access other users' PID and process information.\n```\nhidepid=0: /proc/<pid> of every process is accessible to all users.\nhidepid=1: other users' /proc/<pid> directories remain visible but are not accessible.\nhidepid=2: other users' processes are completely hidden.\n```\n```Shell\n# Add in /etc/fstab:\nproc\t/proc\tproc\tdefaults,hidepid=2  0   0\n\n# Checking:\nls -ld /proc/[0-9]*\nps aux\ntop\n```\n\n### MAC (Mandatory Access Control)\n\nMAC is based on a hierarchical model. The hierarchy is based on security level: every user is assigned a security or clearance level, and every object is assigned a security label. Users can only access resources whose security level is equal to or lower than theirs in the hierarchy.\n\nIn a MAC model, access is controlled strictly by the administrator, who sets all permissions. Users cannot set their own permissions, even if they own the object. Because of this centralized administration, MAC systems are considered very secure: it makes it easier for the administrator to control who has access to what, and the administrator doesn't have to worry about someone else setting permissions improperly. 
Because of the high level of security in MAC systems, MAC access models are often used in government systems.\n\n#### Examples of implementations:\n  - [SELinux](https://selinuxproject.org/page/Main_Page)\n  - [Tomoyo](https://tomoyo.osdn.jp/)\n  - [AppArmor](https://apparmor.net/)\n\n### Security SSH\n\n- [x] RHEL8/CentOS8\n- [x] Debian-based\n\n#### Change default port\n> By default, SSH listens on port 22; switching to a high port makes the service harder to discover with a port scanner.\n> The maximum value for a port is 65536.\n```Shell\n# Edit the file /etc/ssh/sshd_config:\n[...]\n  Port 2222\n[...]\n```\n\n#### Blocking root login\n```Shell\n# Edit the file /etc/ssh/sshd_config:\n[...]\n  # Authentication:\n  PermitRootLogin no\n[...]\n```\n\n#### Define unique users to login\n```Shell\n# Edit the file /etc/ssh/sshd_config:\n[...]\n  AllowUsers <user>\n[...]\n```\n\n#### Authentication via RSA public key\n> RSA (Rivest-Shamir-Adleman) is the algorithm used for the SSH protocol version 2.\n```Shell\n# Generate the key pair:\nssh-keygen -t rsa -b 4096\n\n# Copy the public key to the remote host:\nssh-copy-id <user>@<host>\n\n# Enable key authentication in /etc/ssh/sshd_config:\n[...]\n  PubkeyAuthentication yes\n[...]\n```\n\n#### TCP Wrappers: Allowing connections from specific hosts\n\n> By default, TCP Wrappers first consult the /etc/hosts.deny file to see which hosts cannot access which service, 
then the /etc/hosts.allow file to see whether any rule allows certain hosts to connect to specific services.\n```Shell\n# Edit the file /etc/hosts.deny and add:\nsshd: ALL\n\n# This means that, by default, all hosts are prohibited from accessing the SSH service.\n# Create a rule to authorize only specific hosts:\n# Edit the file /etc/hosts.allow and add:\nsshd: 192.168.1.2\n```\n\n#### [pam_tally2](https://man7.org/linux/man-pages/man8/pam_tally2.8.html): Block user after N number of incorrect login attempts\n\n- unlock_time: blocking time (in seconds).\n- even_deny_root: the policy also applies to the root user.\n- deny: block after N failed attempts.\n- file: failure log file.\n\n\n- [x] RHEL8/CentOS8\n```Shell\n# Edit the file /etc/pam.d/system-auth:\n[...]\n\tauth        required      pam_tally2.so deny=2 unlock_time=60\n[...]\n\taccount     required      pam_tally2.so\n```\n\n- [x] Debian-based\n```Shell\n# Edit the file /etc/pam.d/common-auth.\n# Add the following line before the start of the configuration block to make it the first configuration item:\nauth          required      pam_tally2.so file=/var/log/tallylog even_deny_root deny=2 unlock_time=900\n```\n\nCheck if the SSH daemon is using the PAM module:\n```Shell\nsshd -T | grep -E \"(challenge|pam)\"\n\nusepam yes\nchallengeresponseauthentication no\n```\n\nRestart service `ssh`:\n```Shell\nsystemctl restart sshd\n```\n\nView the count of login attempts:\n```Shell\npam_tally2 --user <user>\n\nLogin           Failures Latest failure     From\n<user>          6    yy/xx/ww 00:00:00  <IP-Address>\n```\nUnblock user:\n```Shell\npam_tally2 --reset --user <user>\n```\n\n### Port Knocking\n  - [FWKnop](https://www.cipherdyne.org/fwknop/) (FireWall KNock OPerator): implements [SPA (Single Packet Authorization)](https://www.cipherdyne.org/fwknop/docs/SPA.html)\n  - [Knockd](https://linux.die.net/man/1/knockd)\n\n### Rootkits and Malware Analysis\n  - [CHKRootKit](http://www.chkrootkit.org/)\n  - 
[Rkhunter](http://rkhunter.sourceforge.net/)\n  - [Lynis](https://cisofy.com/lynis/)\n  - [ClamAV](https://www.clamav.net/)\n  - [LMD](https://www.rfxn.com/projects/linux-malware-detect/) (Linux Malware Detect)\n\n### FireWall\n  - [IPTables](https://ipset.netfilter.org/iptables.man.html)\n  - [FirewallD](https://firewalld.org/)\n  - [NFTables](https://wiki.nftables.org/wiki-nftables/index.php/Main_Page)\n\n### Full Disk Encryption\n\n```Shell\n# Benchmark encryption:\ncryptsetup benchmark\n```\n- [Cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/): LUKS (Linux Unified Key Setup) + DM-Crypt (back-end)\n\n### Security Server Apache\n\n#### Apache modules\n\nMinimize your Apache web server by disabling unnecessary modules.\n\n- [x] RHEL8/CentOS8\n```Shell\n# List all modules:\nhttpd -t -D DUMP_MODULES\napachectl -M\n\n# Directory of all modules:\nls /etc/httpd/modules\nls /usr/lib64/httpd/modules\n```\n\nEnable/Disable Modules:\n```Shell\n# Comment out the 'LoadModule' lines in /etc/httpd/conf.modules.d/00-base.conf:\n[...]\n  #LoadModule buffer_module modules/mod_buffer.so\n  #LoadModule watchdog_module modules/mod_watchdog.so\n[...]\n# Checking:\napachectl restart\napachectl -M | grep <module>\n```\n\n- [x] Debian-based\n```Shell\n# List all modules:\napachectl -M\napachectl -t -D DUMP_MODULES\na2query -m\n\n# Directory of all modules:\nls /etc/apache2/mods-available/\nls /etc/apache2/mods-enabled/\n```\n\nEnable/Disable Modules:\n\n```Shell\n# Enable:\na2enmod <module>\n\n# Disable:\na2dismod <module>\n\n# Check module status:\na2query -m rewrite\n```\n\n#### Disable Directory Listing:\n> Directory listing enabled on a website can expose important files to the public.\n> With dorks it is possible to search for sites with this setting enabled in Apache.\n\n`:.com.br \"index of\"`\n\n`:.gov.br \"index of\"`\n\nDisable:\n```Shell\n# Remove 'Indexes' to disable.\n\n# RHEL8/CentOS8\n# Edit the file /etc/httpd/conf/httpd.conf:\n\n# Debian-based:\n# Edit the file 
/etc/apache2/apache2.conf:\n\n[...]\n<Directory \"/var/www/html\">\n    Options FollowSymLinks\n</Directory>\n[...]\n```\n\n#### TRACE Method\n[Cross-Site Tracing (XST)](https://owasp.org/www-community/attacks/Cross_Site_Tracing) attacks can steal sensitive header and cookie information on any domain that supports the [HTTP TRACE](https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Methods/TRACE) method.\n\nTest the TRACE method on the web server:\n```Shell\ncurl -i -X TRACE http://<IP>/\n```\nDisable:\n```Shell\n# RHEL8/CentOS8\n# Edit the file /etc/httpd/conf/httpd.conf\n\n# Debian-based:\n# Edit the file /etc/apache2/conf-enabled/security.conf:\n\nTraceEnable off\n```\n\n#### [Mod_Security](https://modsecurity.org/)\n\n- [x] RHEL8/CentOS8\n\n```\nConfig:    /etc/httpd/conf.d/mod_security.conf\nDebug log: /var/log/httpd/modsec_debug.log\nAudit log: /var/log/httpd/modsec_audit.log\nRules:     /etc/httpd/modsecurity.d/activated_rules\n```\n\n> mod_security_crs: provides basic rules for mod_security\n```Shell\ndnf install httpd mod_security mod_security_crs\n```\n\n- [x] Debian-based:\n```Shell\napt install libapache2-mod-security2 -y\n```\n\nConfigure ModSecurity:\n```Shell\ncp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf\n\n# Edit the file /etc/modsecurity/modsecurity.conf:\nSecRuleEngine On\n```\n\n[OWASP ModSecurity Core Rule Set (CRS)](https://github.com/coreruleset/coreruleset):\n\n```Shell\ngit clone https://github.com/coreruleset/coreruleset\ncd coreruleset/\nmv rules/ /etc/modsecurity/\n```\n\nRestart service apache:\n```Shell\n# RHEL8/CentOS8\nsystemctl restart httpd\n\n# Debian-based:\nsystemctl restart apache2\n```\n\nCheck if the ModSecurity module was loaded in Apache:\n```Shell\n# Verify that the firewall is working:\n# RHEL8/CentOS8\ntail /var/log/httpd/error_log | grep ModSecurity\n\n# Debian-based:\ntail /var/log/apache2/error.log | grep ModSecurity\n\n[:notice] [pid 1601] ModSecurity: APR compiled version=\"1.4.8\"; 
loaded version=\"1.4.8\"\n[:notice] [pid 1601] ModSecurity: PCRE compiled version=\"8.32 \"; loaded version=\"8.32 2012-11-30\"\n[:notice] [pid 1601] ModSecurity: LUA compiled version=\"Lua 5.1\"\n[:notice] [pid 1601] ModSecurity: LIBXML compiled version=\"2.9.1\"\n[:notice] [pid 1601] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.\n```\n\n### Security FTP (File Transfer Protocol)\n\n- [x] RHEL8/CentOS8\n- [x] Debian-based\n\n#### ProFTPD + TLS\n```Shell\n# RHEL8/CentOS8\ndnf install -y openssl\n\n# Debian-based\napt install -y openssl\n```\nGenerating the certificate:\n```Shell\n# 2048-bit key: 1024-bit RSA is below current minimum key sizes.\nopenssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem\n\n# Edit the file /etc/sysconfig/proftpd to enable TLS:\nPROFTPD_OPTIONS=\"-DTLS\"\n```\n\n#### Creating Shellless User Login\n```Shell\n# Edit the file /etc/shells and add:\n/bin/false\n\n# Create user:\nuseradd <user> -s /bin/false\npasswd <user>\n```\n\n#### ProFTPD: Allow only specific users to login\n\n> AllowUser: allow the named user\n> DenyAll: deny everyone else\n\n```Shell\n# Edit the file /etc/proftpd.conf:\n\n<Limit LOGIN>\n    AllowUser <user>\n    DenyAll\n</Limit>\n```\n\n### Listening Ports\n\n- [x] RHEL8/CentOS8\n- [x] Debian-based\n\n> It is important to check for open ports to identify unexpected listeners left by intruders, such as backdoors, malware, or services accepting outside input.\n\nChecking with [netstat](https://man7.org/linux/man-pages/man8/netstat.8.html):\n```Shell\nnetstat -tulpn\nnetstat -anp | grep <ip>\n```\nChecking with [ss](https://man7.org/linux/man-pages/man8/ss.8.html):\n```Shell\nss -tulpn\n```\nChecking with [nmap](https://nmap.org/):\n```Shell\nnmap -sT -O localhost\n```\nIdentify ports:\n```Shell\ngrep -w <port> /etc/services\n```\nInformation about a port with [lsof](https://man7.org/linux/man-pages/man8/lsof.8.html):\n```Shell\nlsof -i | grep <port>\n```\n\n### Security Auditing Tools Open Source\n\n  - 
[Lynis](https://cisofy.com/lynis/)\n\n#### NIDS (Network Intrusion Detection System) and IPS (Intrusion Prevention Systems):\n\n  - [Snort](https://www.snort.org/)\n  - [Suricata](https://suricata-ids.org/)\n  - [Sguil](http://bammv.github.io/sguil/index.html)\n  - [OpenWIPS-ng](https://openwips-ng.org/)\n  - [Zeek](https://zeek.org/)\n\n#### HIDS (Host-Based Intrusion Detection System):\n\n  - [OSSEC](https://www.ossec.net/)\n  - [Tripwire](https://www.tripwire.com/)\n  - [Wazuh](https://wazuh.com/)\n  - [Samhain](https://www.la-samhna.de/samhain/)\n\n"
  }
]