applied linux.

Chapter 4 of 9

Security Configuration


Every band needs security to protect their instruments and avoid interruptions from unruly fans. Similarly, setting up security on your Linux system protects your vital data and maintains system integrity.

What is a firewall?

A firewall is a system that provides network security by filtering incoming and outgoing network packets based on a set of user-defined rules. It serves as a protective barrier, ensuring that only authorized traffic can pass through while blocking malicious or unwanted connections. The firewall operates at the network layer and can manage traffic between different network interfaces, subnets, and even specific services or applications running on the Linux system.

Key Components of a Linux Firewall

Packet Filtering

  • Packet filtering is the core function of a firewall. It involves examining each packet that passes through the firewall and determining whether to allow or block it based on predefined rules. These rules are based on various attributes of the packet, such as the source and destination IP addresses, ports, and protocol types (e.g., TCP, UDP, ICMP).

Stateful Inspection

  • Linux firewalls typically perform stateful inspection, meaning they keep track of the state of active connections and make decisions based on the context of the traffic. For example, a stateful firewall can allow a response to an outgoing request while blocking unsolicited incoming traffic.

Zones and Interfaces

  • A Linux firewall can segregate traffic into different security zones, each with its own set of rules. For example, the “public” zone might have stricter rules compared to a “home” or “internal” zone. These zones are associated with different network interfaces or IP ranges.

Logging and Auditing

  • Linux firewalls can log traffic that matches (or does not match) certain rules, allowing administrators to audit network activity. This is crucial for identifying and responding to potential security incidents.

Configuring UFW (Uncomplicated Firewall)

UFW

  • UFW is a frontend for managing iptables firewall rules, designed to make firewall configuration simple and straightforward for users.

Rule Structure

  • UFW allows you to create rules based on both IP address and port. For example:

    sudo ufw allow from 192.168.1.0/24 to any port 22

    This command allows SSH traffic from the specified subnet.

Default Policies

  • UFW sets default policies to either allow or deny traffic that does not match any rules. A common configuration is to deny all incoming traffic and allow all outgoing traffic:

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

Application Profiles

  • UFW includes predefined profiles for common applications, making it easy to allow or deny traffic for those services without manually specifying ports. For example:

    sudo ufw allow 'Apache Full'

IP Blocking and Rate Limiting

  • UFW can block specific IP addresses or ranges, and it also supports rate limiting to prevent brute-force attacks:

    sudo ufw deny from 203.0.113.0/24
    sudo ufw limit ssh
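As an added example that is not from the page, the following POSIX shell script assembles the UFW baseline this section describes (deny inbound by default, allow outbound, block an abusive range, allow SSH only from an administrative subnet, and rate-limit SSH). It validates the subnet and port before any rule text is generated, because a mistyped CIDR is the usual way an "allow from my subnet" rule quietly becomes an "allow from anywhere" rule, and it refuses a /0 admin subnet outright. ufw_baseline_plan only prints the commands; ufw_baseline_apply runs them and needs root plus an installed ufw. The function names and the sample addresses are the example's own.

```shell
#!/bin/sh
# Added example (not from the page): build the baseline UFW ruleset from this
# section, validating inputs before any rule text is generated.

# Succeed if $1 is a syntactically valid IPv4 CIDR such as 192.168.1.0/24.
valid_cidr() {
  cidr=$1
  case $cidr in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS
  IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Succeed if $1 is a port number in 1..65535.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ufw commands for: deny inbound by default, allow outbound, block
# one abusive range, allow SSH only from the admin subnet, rate-limit SSH.
# ufw applies rules in order (first match wins), so the deny precedes the
# allow. Nothing is executed here.
ufw_baseline_plan() {
  admin_subnet=$1
  ssh_port=${2:-22}
  blocked=${3:-}
  valid_cidr "$admin_subnet" || { echo "bad admin subnet: $admin_subnet" >&2; return 2; }
  [ "${admin_subnet#*/}" -gt 0 ] || { echo "refusing /0: SSH would be open to everyone" >&2; return 2; }
  valid_port "$ssh_port" || { echo "bad ssh port: $ssh_port" >&2; return 2; }
  if [ -n "$blocked" ]; then
    valid_cidr "$blocked" || { echo "bad blocked range: $blocked" >&2; return 2; }
  fi
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  [ -z "$blocked" ] || echo "ufw deny from $blocked"
  echo "ufw allow from $admin_subnet to any port $ssh_port proto tcp"
  echo "ufw limit $ssh_port/tcp"
  echo "ufw --force enable"
}

# Run the plan line by line (needs root and ufw installed).
ufw_baseline_apply() {
  ufw_baseline_plan "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd || exit 1
  done
}

# Demo with constructed addresses: print the plan only.
ufw_baseline_plan 192.168.1.0/24 22 203.0.113.0/24
```

Keeping the plan separate from the apply step lets you review the exact rules (or diff them against `ufw status numbered`) before touching a remote host's firewall, which matters most when the host is reachable only over the SSH port the rules govern.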

Configuring firewalld

firewalld is a more advanced and flexible firewall management tool compared to UFW, offering dynamic rule management, zones, and support for IPv4, IPv6, Ethernet bridges, and more.

Zones

  • firewalld organizes rules into zones, each representing a different trust level for the networks or connections assigned to it. The default zones include “public,” “home,” “internal,” etc. You assign network interfaces to zones based on their level of trust.

  • To assign an interface to a zone:

    sudo firewall-cmd --zone=home --change-interface=eth0 --permanent

Permanent vs. Runtime Rules

  • firewalld allows you to add rules either permanently or just for the current runtime session. Runtime rules do not persist after a reboot, making them useful for testing:

    sudo firewall-cmd --zone=public --add-port=443/tcp
    sudo firewall-cmd --zone=public --add-port=443/tcp --permanent

Service Management

  • firewalld simplifies the management of services by using predefined service definitions. To allow or block services:

    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --zone=public --remove-service=http --permanent

Configuring your firewall is like setting up security at your concert venue to ensure only authorized personnel can access the stage.

User Permissions

User permissions refer to the rights and privileges assigned to users or groups that determine what actions they can perform on a system. These permissions control access to files, directories, and resources, ensuring that only authorized users can view, modify, or execute specific operations.

Principle of Least Privilege

  • The principle of least privilege (PoLP) is a key security concept that dictates users should only have the minimum permissions necessary to perform their tasks. By limiting access, you reduce the risk of accidental or intentional misuse of system resources. For instance, regular users should not have administrative rights unless absolutely necessary, which is why sudo is used to elevate privileges only for the commands that need them.

Role-Based Access Control (RBAC)

  • RBAC is a method of managing user permissions by assigning roles to users. Each role has a specific set of permissions, allowing for more organized and scalable management of access rights. For example, in a company, an “Admin” role might have full access to all resources, while a “User” role has limited access.

File and Directory Permissions

  • In Linux systems, file and directory permissions are managed using three basic types of access: read (r), write (w), and execute (x). These permissions can be set for three categories: the owner of the file, the group associated with the file, and all other users. Properly configuring these permissions helps protect sensitive files from unauthorized access or alteration.

Basic Types of Access

Linux file and directory permissions are categorized into three types of access:

  • Read (r): This permission allows the user to view the contents of a file or, in the case of a directory, to list its contents.
  • Write (w): This permission allows the user to modify the contents of a file or, for a directory, to create, delete, or rename files within it.
  • Execute (x): This permission allows the user to run a file as a program (if it is executable) or, in the case of a directory, to access its contents and traverse it.

Categories of Users

Permissions are assigned separately for three categories of users:

  • Owner: The user who owns the file.
  • Group: A set of users who share access rights to the file.
  • Other: All other users on the system who do not own the file and are not in the group associated with the file.

Symbolic (Flag) Representation of Permissions

Permissions are typically represented in a symbolic format, where each permission type is indicated by a specific letter:

  • r for read
  • w for write
  • x for execute
  • - for no permission

These letters are displayed in a string format representing the permissions for the owner, group, and others, respectively. For example, the string rwxr-xr-- can be broken down as follows:

  • rwx: The owner has read, write, and execute permissions.
  • r-x: The group has read and execute permissions, but not write permission.
  • r--: Others have only read permission.

Numerical (Octal) Representation of Permissions

Permissions can also be represented numerically using octal (base-8) notation. Each permission type is assigned a specific value:

  • Read (r) = 4
  • Write (w) = 2
  • Execute (x) = 1

To calculate the octal representation, you sum the values for each permission type:

  • No permission (---): 0
  • Execute only (--x): 1
  • Write only (-w-): 2
  • Write and execute (-wx): 3 (2 + 1)
  • Read only (r--): 4
  • Read and execute (r-x): 5 (4 + 1)
  • Read and write (rw-): 6 (4 + 2)
  • Read, write, and execute (rwx): 7 (4 + 2 + 1)

To represent the full set of permissions for a file or directory, you write three digits in sequence: the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents others’ permissions.

For example, consider the permissions rwxr-xr--:

  • Owner (rwx): 4 (read) + 2 (write) + 1 (execute) = 7
  • Group (r-x): 4 (read) + 0 (write) + 1 (execute) = 5
  • Others (r--): 4 (read) + 0 (write) + 0 (execute) = 4

So, the octal representation of rwxr-xr-- is 754.

Changing Permissions with chmod

The chmod command is used to change the permissions of a file or directory. You can use either the symbolic or octal notation to set permissions.

  • Symbolic notation: chmod u=rwx,g=rx,o=r file.txt sets the owner’s permissions to rwx, the group’s permissions to rx, and others’ permissions to r.
  • Octal notation: chmod 754 file.txt sets the same permissions as above.

Special Permissions: SUID, SGID, and Sticky Bit

In addition to the basic permissions, Linux also supports special permissions that provide additional security features:

  • SUID (Set User ID): When set on an executable file, this permission allows the file to be executed with the privileges of the file’s owner rather than the user who runs it. The SUID permission is represented by an s in the owner’s execute position (e.g., rwsr-xr-x). The octal value for SUID is 4, added as a prefix to the normal octal permission (e.g., 4754).

  • SGID (Set Group ID): When set on a file, this permission allows the file to be executed with the group privileges of the file’s group. When set on a directory, it ensures that new files created within the directory inherit the group of the directory rather than the group of the user who creates the file. SGID is represented by an s in the group’s execute position (e.g., rwxr-sr-x). The octal value for SGID is 2, added as a prefix to the normal octal permission (e.g., 2754).

  • Sticky Bit: When set on a directory, this permission ensures that only the owner of a file can delete or rename it, even if other users have write access to the directory. It is commonly used on directories like /tmp where many users have write access. The sticky bit is represented by a t in the others’ execute position (e.g., rwxr-xr-t). The octal value for the sticky bit is 1, added as a prefix to the normal octal permission (e.g., 1754).

Example: Calculating Special Permissions

Consider a directory with the following permissions: rwxr-sr-t. Let’s calculate the octal value:

  • Owner (rwx): 7 (4 + 2 + 1)
  • Group (r-s): 5 (4 + 0 + 1)
  • Others (r-t): 5 (4 + 0 + 1)
  • SGID: 2 (SGID set)
  • Sticky Bit: 1 (Sticky bit set)

So, the full octal representation would be 2755.
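To make the two conversions above mechanical, here is an added POSIX shell example (not part of the page) that turns a nine-character ls -l mode string into a four-digit octal mode. It scores each triplet with the 4/2/1 values from this section and adds every special bit that is present, so rwsr-xr-x gives 4755, rwxr-sr-x gives 2755, and a directory carrying both SGID and the sticky bit, such as rwxr-sr-t, gets a leading 3 (2 + 1). A capital S or T means the special bit is set but the matching execute bit is not. The function names and sample inputs are the example's own.

```shell
#!/bin/sh
# Added example (not from the page): symbolic mode string -> 4-digit octal.

# Score one rwx triplet. $1: the three characters; $2: the special-bit value
# carried by this triplet's execute position (4 owner/SUID, 2 group/SGID,
# 1 others/sticky); $3 and $4: the lowercase/uppercase letter that marks it
# (s/S for owner and group, t/T for others). Prints "<perm> <special>".
triplet_value() {
  t=$1 bit=$2 lo=$3 up=$4
  v=0 s=0
  case $t in [r-][w-]?) ;; *) return 1 ;; esac
  case $t in r??) v=$((v + 4)) ;; esac
  case $t in ?w?) v=$((v + 2)) ;; esac
  case $t in
    ??x)    v=$((v + 1)) ;;          # plain execute
    ??$lo)  v=$((v + 1)); s=$bit ;;  # special bit plus execute
    ??$up)  s=$bit ;;                # special bit without execute
    ??-)    ;;
    *)      return 1 ;;
  esac
  echo "$v $s"
}

# Convert e.g. rwxr-sr-t to 3755. Fails on anything that is not a valid
# nine-character mode string.
mode_to_octal() {
  m=$1
  [ "${#m}" -eq 9 ] || { echo "expected 9 characters: '$m'" >&2; return 1; }
  o=$(triplet_value "$(printf '%s' "$m" | cut -c1-3)" 4 s S) || return 1
  g=$(triplet_value "$(printf '%s' "$m" | cut -c4-6)" 2 s S) || return 1
  w=$(triplet_value "$(printf '%s' "$m" | cut -c7-9)" 1 t T) || return 1
  # $1..$6: owner perm, owner special, group perm, group special,
  # other perm, other special
  set -- $o $g $w
  printf '%d%d%d%d\n' "$(($2 + $4 + $6))" "$1" "$3" "$5"
}

# Convenience for a raw ls -l line: drop the leading file-type character
# (d, l, -, ...) and any trailing ACL/SELinux marker (+ or .) by taking only
# characters 2-10 of the first field.
ls_line_to_octal() {
  first=${1%% *}
  mode_to_octal "$(printf '%s' "$first" | cut -c2-10)"
}

# Demo with constructed inputs.
for m in rwxr-xr-- rwsr-xr-x rwxr-sr-x rwxrwxrwt rwxr-sr-t; do
  printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
ls_line_to_octal "drwxrwxrwt 12 root root 4096 Jan  1 00:00 /tmp"
```

The leading digit is exactly the sum of the SUID, SGID and sticky values, so 0754 is the plain rwxr-xr-- from the earlier example and chmod accepts either form. The reverse direction is what `stat -c '%a %A'` prints for a file, which makes a quick cross-check when auditing SUID binaries.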

Understanding how to calculate and manage file and directory permissions is a key skill in Linux system administration. Proper configuration of these permissions is essential for ensuring that your system is secure, efficient, and functioning as expected.

Authentication and Authorization in Linux

Managing authentication and authorization is crucial for ensuring that only authorized users can access system resources. This involves configuring user authentication mechanisms, setting up secure access methods, and managing user privileges effectively.

Pluggable Authentication Modules (PAM)

PAM (Pluggable Authentication Modules) is a flexible and modular system for authenticating users in Linux. It allows system administrators to define how users are authenticated, authorized, and managed across different services.

Key Features of PAM

  • Modularity: PAM is designed around a modular approach, enabling administrators to stack multiple authentication modules. Each module handles a specific aspect of the authentication process, such as password verification, access control, or session management. This modularity allows for highly customizable and secure authentication setups.

  • Configuration: PAM configurations are stored in the /etc/pam.d/ directory, where each file corresponds to a specific service, like login or sshd. These files define how authentication should be processed for each service, giving administrators fine-grained control over security.

Configuring PAM

PAM configurations are powerful and need careful management to ensure security and functionality across the system.

  • Common Configuration Files: Some files, like common-auth, common-account, common-password, and common-session, define standard rules applied to multiple services. These files are included in the configuration of individual services.

For example, a typical entry in the common-auth file might look like this:

    auth required pam_unix.so

This line specifies that the pam_unix module, which handles standard Unix authentication (like checking passwords), is required during the authentication process.

LDAP (Lightweight Directory Access Protocol)

LDAP is a protocol used for accessing and managing directory information services over a network. It is commonly employed for centralized authentication, especially in enterprise environments where managing numerous users and groups across many systems is necessary.

Key Features of LDAP

  • Centralized Management: LDAP allows for centralized user and group management. This centralization simplifies tasks like adding new users, modifying user information, and managing group memberships across multiple systems. It ensures consistency and simplifies administration in large organizations.

  • Scalability: LDAP is designed to handle a large number of queries and updates efficiently. This makes it suitable for large-scale environments where rapid user authentication and data retrieval are required.

Configuring LDAP

To use LDAP for authentication and user management, you need to configure the LDAP client and adjust system settings to integrate LDAP with the system’s user and group management.

  • LDAP Client Configuration: The LDAP client is configured by editing the /etc/ldap/ldap.conf file, where you specify the base domain and the LDAP server’s URI.

Example configuration:

    BASE dc=example,dc=com
    URI  ldap://ldap.example.com

  • BASE specifies the base domain components for LDAP searches.
  • URI specifies the address of the LDAP server.

  • nsswitch Configuration: To ensure that LDAP is used for user and group lookups, you need to modify the /etc/nsswitch.conf file to include LDAP.

Example configuration:

    passwd: files ldap
    group:  files ldap

This tells the system to first check local files (such as /etc/passwd) and then query the LDAP directory for user and group information.

Secure Shell (SSH)

SSH (Secure Shell) is a widely used protocol for securely logging into remote systems and executing commands. It is a critical tool for managing Linux servers securely over a network.

Key Features of SSH

  • Encryption: SSH encrypts all data transmitted between the client and the server, ensuring that sensitive information, such as passwords and commands, is protected from interception. This encryption makes SSH a secure alternative to older, less secure protocols like Telnet.

  • Public Key Authentication: SSH supports public key authentication, which enhances security by eliminating the need to send passwords over the network. Instead, users authenticate using a private key that corresponds to a public key stored on the server. This method is not only more secure but also more convenient for automated processes.

Configuring SSH

SSH can be configured on both the server and client sides to enhance security and customize its behavior.

  • Server Configuration: The SSH server’s settings are configured in the /etc/ssh/sshd_config file. This file controls various aspects of how the server behaves.

Example configurations:

    PermitRootLogin no
    PubkeyAuthentication yes

  • PermitRootLogin no: Disables direct root logins over SSH, which is a common security best practice to prevent unauthorized access.
  • PubkeyAuthentication yes: Enables public key authentication, which is more secure than traditional password-based authentication.

  • Client Configuration: To connect to a remote server using SSH, you can use the ssh command from your terminal.

Example usage:

    ssh user@hostname

  • user: The username on the remote system.
  • hostname: The domain name or IP address of the remote server.
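The two server settings above are easy to put in sshd_config and still not get: sshd applies the first occurrence of a keyword and ignores later duplicates, and lines inside a Match block apply only to matching connections. The added POSIX shell example below (not from the page) reads a config file the way those rules dictate and audits the settings this section recommends; it also checks PasswordAuthentication, which this section's preference for public keys implies should be off. It assumes the file uses no Include directives, and both sample files are constructed here rather than taken from any host. Run it alongside sshd -t before restarting the service so you know what the daemon will actually enforce.

```shell
#!/bin/sh
# Added example (not from the page): audit sshd_config settings the way sshd
# reads them. Assumes no Include directives.

# Print the effective value of keyword $2 in file $1, or $3 if it is absent.
# sshd keeps the FIRST value it sees for a keyword, treats keywords
# case-insensitively, accepts "Key value" or "Key=value", and everything
# after the first Match block is conditional, so it is ignored here.
sshd_effective() {
  file=$1 key=$2 default=$3
  val=$(awk -v key="$key" '
    { sub(/#.*/, ""); gsub(/[[:space:]]*=[[:space:]]*/, " "); $0 = $0 }
    NF == 0 { next }
    tolower($1) == "match" { in_match = 1 }
    in_match { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$file")
  printf '%s\n' "${val:-$default}"
}

# Report each setting this section cares about; return 1 if any is weak.
# The fallbacks are the OpenSSH compiled-in defaults for these keywords.
sshd_audit() {
  file=$1 rc=0
  prl=$(sshd_effective "$file" PermitRootLogin prohibit-password)
  pka=$(sshd_effective "$file" PubkeyAuthentication yes)
  pwa=$(sshd_effective "$file" PasswordAuthentication yes)
  [ "$prl" = no ]  && echo "ok   PermitRootLogin=$prl"        || { echo "WARN PermitRootLogin=$prl (want no)"; rc=1; }
  [ "$pka" = yes ] && echo "ok   PubkeyAuthentication=$pka"   || { echo "WARN PubkeyAuthentication=$pka (want yes)"; rc=1; }
  [ "$pwa" = no ]  && echo "ok   PasswordAuthentication=$pwa" || { echo "WARN PasswordAuthentication=$pwa (want no)"; rc=1; }
  return $rc
}

# Two constructed sample configs (not real files from any host).
weak_cfg=$(mktemp)
cat >"$weak_cfg" <<'EOF'
# constructed sample: looks hardened at the bottom, but the first value wins
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

hard_cfg=$(mktemp)
cat >"$hard_cfg" <<'EOF'
# constructed sample: hardened
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication = no
Match User backup
    PasswordAuthentication yes   # only for that user; not the global value
EOF
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT

echo "== weak";     sshd_audit "$weak_cfg" || true
echo "== hardened"; sshd_audit "$hard_cfg" || true
```

The weak sample is the case that bites in practice: someone appends `PermitRootLogin no` to the end of a file that already sets it to yes higher up, `sshd -t` reports no error, and root login stays enabled. The audit reads the file with sshd's first-wins rule and reports yes.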

Access Control Lists (ACLs)

  • ACLs provide a more granular level of control than traditional file permissions by allowing specific permissions for individual users or groups. This flexibility is useful in complex environments where multiple users require different levels of access to the same resource.

Security Updates

Security updates are patches or fixes released by software vendors to address vulnerabilities in their products. Regularly updating your system is crucial for protecting against newly discovered threats and ensuring your software remains secure.

Regular Patching

  • Security patches are updates specifically designed to fix security vulnerabilities. Failing to apply these patches promptly can leave your system exposed to exploits that attackers can use to gain unauthorized access or disrupt services. It’s important to have a regular schedule for checking and applying patches.

Automated Updates

  • Many systems allow for automated security updates, ensuring that patches are applied as soon as they become available. Enabling automatic updates can help reduce the risk of human error or delays in applying critical security fixes.

Monitoring and Notifications

  • It’s essential to monitor your systems for available updates and set up notifications for when new patches are released. Staying informed about the latest security vulnerabilities and patches allows you to respond quickly and effectively.

Test Before Deployment

  • In some environments, especially in enterprise settings, it’s prudent to test updates on a staging environment before deploying them to production systems. This practice helps ensure that updates do not inadvertently cause compatibility issues or system instability.

Applying security updates and permissions is like making sure only the band members have access to their instruments and music sheets.

Exercises

In Linux systems, the sudo command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. To grant a user administrative privileges, you can add them to the sudo group. This allows the user to perform tasks that require elevated permissions, such as installing software, modifying system files, or managing services.

Steps to Add a User to the Sudo Group

  • To switch to the root account:

    su -

    Or, if you are already a sudo user, simply prefix your commands with sudo.

Add the User to the Sudo Group

  • To add an existing user to the sudo group, use the usermod command. Replace username with the actual username of the user you wish to add.

  • Command:

    sudo usermod -aG sudo username

    Explanation: the -a flag appends the user to the specified group(s), and -G specifies the group. This ensures the user is added to the sudo group without being removed from any other groups they are part of.

Verify the User’s Membership in the Sudo Group

  • After adding the user, you can verify that they have been successfully added to the sudo group by using the groups command:

  • Command:

    groups username

    The output should list sudo among the groups the user belongs to.

Test the User’s Sudo Access

  • To ensure that the user has the correct sudo privileges, log in as the user or switch to their account using the su command, and then try running a command with sudo.

  • Command:

    sudo whoami

    If the user is correctly added to the sudo group, the output should be root, indicating that the command was executed with superuser privileges.

Additional Considerations

  • Sudoers File Configuration
  • The /etc/sudoers file controls the configuration of sudo privileges. Typically, users in the sudo group are allowed to use sudo by a line in the sudoers file that looks like this:

    %sudo ALL=(ALL:ALL) ALL

    Edit the sudoers file with visudo, which checks the syntax before saving so that a typo cannot leave you with a broken sudo configuration:

    sudo visudo

  • Security Implications

  • Granting sudo access gives the user administrative control over the system, which includes the ability to make critical changes. Ensure that only trusted users are added to the sudo group to prevent unauthorized or accidental system modifications.

  • Removing a User from the Sudo Group

  • If you need to remove a user from the sudo group, you can use the following command:

    sudo deluser username sudo

    This command ensures the user no longer has administrative privileges.
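The exercise above is a sequence of manual steps; the added POSIX shell example below (not from the page) folds them into one idempotent helper. It checks that the account exists, checks current membership with id -nG (which lists the same primary and supplementary groups that groups username shows), runs the page's usermod -aG only when needed, and re-checks afterwards, because a usermod that fails (for example when run without root) would otherwise leave you believing access had been granted. Setting DRY_RUN=1 prints the command instead of running it. The function names are the example's own; the demo uses the current user and its primary group so that it runs without root.

```shell
#!/bin/sh
# Added example (not from the page): grant membership of the sudo group
# idempotently and verify it. DRY_RUN=1 prints the usermod instead of running it.

# Succeed if a user account named $1 exists.
user_exists() { id -u "$1" >/dev/null 2>&1; }

# Succeed if user $1 is in group $2 (primary or supplementary), as
# "groups username" would show.
user_in_group() {
  for g in $(id -nG "$1" 2>/dev/null); do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# Add $1 to group $2 (default: sudo). Returns 0 when membership is in place,
# 2 on bad input, 1 when usermod ran but membership still cannot be seen.
grant_group() {
  user=$1 group=${2:-sudo}
  user_exists "$user" || { echo "no such user: $user" >&2; return 2; }
  if user_in_group "$user" "$group"; then
    echo "$user is already in $group"
    return 0
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "would run: usermod -aG $group $user"
    return 0
  fi
  # -a appends; without it, -G would replace every supplementary group.
  usermod -aG "$group" "$user" || { echo "usermod failed (are you root?)" >&2; return 1; }
  user_in_group "$user" "$group" || { echo "verification failed for $user in $group" >&2; return 1; }
  echo "$user added to $group"
}

# Demo: the current user and its own primary group, so this runs without root,
# then a dry run against the sudo group from the page.
me=$(id -un)
grant_group "$me" "$(id -gn)"
DRY_RUN=1
grant_group "$me" sudo
DRY_RUN=0
```

Note that a newly added member only picks up the group in sessions started after the change; the verification here reads the account database, not a live session, which is why the page's final check (sudo whoami from a fresh login) is still worth doing.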
