Sunday, October 13, 2024

Linux server hardening | Secure Linux Servers

 Linux server hardening is the process of securing a Linux server by reducing its attack surface and mitigating security risks. The goal is to protect the system from unauthorized access, exploitation, and other security threats. Here's a comprehensive guide to Linux server hardening:


1. Regular Updates and Patching

   - Update packages regularly: Ensure the system and software are up-to-date with the latest security patches.

     - Commands:

       - For Debian/Ubuntu: `sudo apt update && sudo apt upgrade`

       - For RHEL/CentOS: `sudo yum update` or `sudo dnf update`

   - Automatic updates: Configure unattended upgrades for automatic security patching.

     - Debian/Ubuntu: `sudo apt install unattended-upgrades`


 2. Disable Unused Services

   - Check running services: Use `netstat`, `ss`, or `systemctl` to list active services.

     - Commands: 

       - `sudo systemctl list-unit-files --type=service`

       - `sudo netstat -tuln`

   - Stop and disable unnecessary services

     - `sudo systemctl stop <service>`

     - `sudo systemctl disable <service>`


3. Firewall Configuration

   - Use firewalls: Set up a firewall like `iptables`, `nftables`, or `ufw` to restrict network traffic.

     - `ufw` (for Ubuntu):

       - Enable: `sudo ufw enable`

       - Allow specific port: `sudo ufw allow <port>`

       - Deny all incoming traffic and allow only necessary ones: `sudo ufw default deny incoming`

     - `iptables`/`nftables` for advanced users.

   

4. SSH Hardening

   - Disable root login: 

     - Edit `/etc/ssh/sshd_config` and set `PermitRootLogin no`

   - Change default SSH port: Use a non-standard port to avoid automated attacks.

     - `Port 2222` (example)

   - Use SSH key-based authentication: Disable password authentication and enable public key authentication.

     - Set `PasswordAuthentication no` in `sshd_config`

   - Restrict SSH access: Limit SSH to specific IP addresses or networks.

     - Use `AllowUsers` or `AllowGroups` in `sshd_config`


 5. Intrusion Detection and Monitoring

   - Install intrusion detection tools like `AIDE`, `OSSEC`, or `Tripwire`.

     - Example: `sudo apt install aide`

     - Initialize: `sudo aideinit`

   - Log monitoring: Use tools like `Logwatch` or `GoAccess` to monitor logs.

     - Logwatch: `sudo apt install logwatch`

     - GoAccess: `sudo apt install goaccess`


6. File and Directory Permissions

   - Set correct file permissions: Ensure only authorized users can access sensitive files.

     - Use `chmod` to modify permissions, e.g., `chmod 600 /etc/ssh/sshd_config`

   - Use access control lists (ACL) for granular permissions:

     - `setfacl -m u:user:r /path/to/file`


7. Disable Unnecessary Network Ports

   - Check open ports: 

     - `sudo netstat -tuln` or `sudo ss -tuln`

   - Use `firewalld`, `iptables`, or `ufw` to block unnecessary ports.

   - Disable network services that aren't needed (like FTP, Telnet).


8. SELinux or AppArmor

   - Enable SELinux (for CentOS/RHEL) or AppArmor (for Ubuntu)** to add an additional layer of security by restricting what processes can do.

     - Check SELinux status: `sestatus`

     - Enforce SELinux: `sudo setenforce 1`

     - For AppArmor: `sudo systemctl enable apparmor`

   

 9. Secure Boot Configuration

   - Set a password on the bootloader (GRUB) to prevent unauthorized changes.

     - Edit `/etc/grub.d/40_custom` to add the password:

       ```bash

       set superusers="admin"

       password_pbkdf2 admin [hash]

       ```

     - Update GRUB: `sudo update-grub`


 10. Audit Logs

   - Enable auditing with `auditd` to track important system events.

     - Install: `sudo apt install auditd`

     - Start the service: `sudo systemctl start auditd`

   - Use `ausearch` or `auditctl` to query audit logs.


11. Security Tools

   - Fail2Ban: Protect against brute force attacks by blocking IPs after a certain number of failed login attempts.

     - Install: `sudo apt install fail2ban`

     - Configure jail: `/etc/fail2ban/jail.conf`

   -  Lynis: A security auditing tool for Linux.

     - Install: `sudo apt install lynis`

     - Run: `sudo lynis audit system`


12. Limit User Privileges

   - Use `sudo` instead of logging in as root. Restrict `sudo` privileges using `/etc/sudoers` or `sudo visudo`.

   - Avoid adding users to privileged groups unless necessary.


13. Backup Regularly

   - Use automated backup tools like `rsync`, `borg`, or cloud-based solutions to back up important files regularly.

   - Test backups for data integrity.


 14. Encryption

   - Encrypt sensitive data: Use `LUKS` for disk encryption or tools like `gpg` for file encryption.

   - Encrypt network traffic: Use VPNs, SSH tunnels, or tools like `stunnel`.


15. Disable IPv6 if Not Needed

   - If you don't need IPv6, disable it to reduce your attack surface.

     - Edit `/etc/sysctl.conf` and add:

       ```bash

       net.ipv6.conf.all.disable_ipv6 = 1

       net.ipv6.conf.default.disable_ipv6 = 1

       ```


 16. Use Centralized Authentication

   - If you have multiple servers, consider using centralized authentication methods like LDAP, FreeIPA, or Kerberos to simplify user management and enhance security.


17. Enforce Password Policies

   - Use `pam_pwquality` to enforce password complexity and expiration policies.

     - Configure in `/etc/security/pwquality.conf`


By following these steps, you'll significantly reduce the risk of vulnerabilities and strengthen your Linux server's security posture. Keep monitoring and revising your security measures as new threats emerge.

Thursday, October 3, 2024

How to reset MySql server root password in RHEL | Centos | Rocky Linux | Ubuntu

Step 1: Stop MySQL Service

To begin, stop the MySQL service:

#systemctl stop mysqld


Step 2: Set MySQL Environment Variable

Set the MySQL environment variable `MYSQLD_OPTS` to bypass the grant tables:

#systemctl set-environment MYSQLD_OPTS="--skip-grant-tables"


Step 3: Start MySQL Service

Start the MySQL service again:

#systemctl start mysqld


Step 4: Login to MySQL as Root

Once the service is running, you can log in to MySQL as the root user without a password:

#mysql -u root

Switch to the `mysql` database:

USE mysql;


Step 5: Update the Root Password

Run the following command to update the root user's password:

UPDATE user SET authentication_string=PASSWORD('myRootPassword') WHERE User='root';

Reload the privileges:

FLUSH PRIVILEGES;

Then, exit MySQL:

quit


Step 6: Stop MySQL Service and Unset Environment Variable

Stop the MySQL service again and unset the environment variable:

#systemctl stop mysqld
#systemctl unset-environment MYSQLD_OPTS


Step 7: Start MySQL Service Normally

Start the MySQL service normally:

#systemctl start mysqld

Now, you can log in to MySQL with the new root password:

#mysql -u root -p


This guide helps reset the MySQL root password by temporarily disabling the grant tables, updating the password, and restoring normal operation.

Sunday, May 5, 2024

Installing Jenkins on RHEL 8 is a straightforward process. Here's a step-by-step guide

Introduction 


Jenkins is an open-source automation server widely used for continuous integration (CI) and continuous delivery (CD) pipelines in software development. Originally developed as Hudson in 2004 and later forked into Jenkins in 2011, it has become a cornerstone tool for automating various stages of the software development lifecycle.

At its core, Jenkins allows developers to automate tasks such as building, testing, and deploying applications, thereby facilitating rapid and reliable software delivery. It achieves this through a vast ecosystem of plugins, enabling integration with a wide range of tools and technologies.

Jenkins provides a web-based interface for easy configuration and management of jobs, pipelines, and nodes, making it accessible to both developers and DevOps teams. With features like distributed builds, version control system integration, and extensive plugin support, Jenkins empowers teams to adopt agile practices, improve collaboration, and accelerate the delivery of high-quality software.


Prerequisites

Before installing Jenkins on RHEL, you need to ensure that you have the following:

A running instance of RHEL

A user account with sudo privileges

Java installed on your system


1: Install Java

Jenkins requires Java to be installed on the system.

You can install Java using the following command:


sudo yum install java-1.8.0-openjdk-devel


2. Update System Packages: Before installing any new software, it's a good practice to update your system's package repository and installed packages. Open a terminal and run the following commands:


   sudo yum update


3. Install Java: Jenkins requires Java to run. You can install OpenJDK, which is an open-source implementation of the Java Platform.

   sudo yum install java-11-openjdk-devel


4. Add Jenkins Repository: Jenkins is not available in the default RHEL repositories, so you need to add the Jenkins repository to your system.

   sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo


5. Import Jenkins Repository Key:

   sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key


6. Install Jenkins: Now, you can install Jenkins using yum.

   sudo yum install jenkins


7. Start Jenkins Service: Once Jenkins is installed, start the Jenkins service and enable it to start on boot.

   sudo systemctl start jenkins

   sudo systemctl enable jenkins


8. Configure Firewall: If your firewall is enabled, you need to allow traffic on port 8080, which is the default port for Jenkins.

   sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp

   sudo firewall-cmd --reload


9. Access Jenkins: Jenkins should now be running on your server. You can access it by navigating to your server's IP address or domain name followed by port 8080 in a web browser:

   http://your_server_ip_or_domain:8080


10. Unlock Jenkins: On your first visit, Jenkins will ask you to unlock it by providing an initial password. This password can be found in the Jenkins server's filesystem. Use the following command to retrieve it:

   sudo cat /var/lib/jenkins/secrets/initialAdminPassword


11. Follow the Setup Wizard: Once you have entered the initial password, Jenkins will guide you through the setup process, including installing recommended plugins and creating an admin user.


12. Start Using Jenkins: After completing the setup wizard, Jenkins is ready for use. You can start creating your projects and automating your workflows.


That's it! You've successfully installed Jenkins on RHEL 8.

Saturday, February 17, 2024

Mastering Cron Jobs in Linux: A Comprehensive Guide with Examples

Introduction:

Cron jobs are an indispensable tool in the world of system administration and automation. They allow users to schedule tasks to run periodically at fixed intervals, making them essential for automating routine tasks, such as backups, log rotations, and system maintenance. In this blog post, we'll delve into the world of cron jobs, exploring what they are, how they work, and providing practical examples to help you harness their power effectively.


What are Cron Jobs?

Cron is a time-based job scheduler in Unix-like operating systems, including Linux and macOS. It enables users to schedule tasks (referred to as cron jobs) to run periodically at specified times or intervals. These tasks can range from simple commands to complex scripts and programs.


Syntax and Components:

Cron jobs are defined using a specific syntax that consists of five fields:

 

* * * * * command_to_execute

|   |  |  |  |

|   |  |  | +----- Day of week (0 - 7) (Sunday is 0 or 7)

|   |  | +------- Month (1 - 12)

|   |  +--------- Day of month (1 - 31)

|   +----------- Hour (0 - 23)

+------------- Minute (0 - 59)



Syntax Examples:

1. Run a Script Every Hour:

0 * * * * /path/to/script.sh

This cron job executes the script `/path/to/script.sh` every hour, on the hour.


2. Run a Command Daily at Midnight:

0 0 * * * command_to_run

This cron job executes `command_to_run` every day at midnight (00:00).

3. Run a Task Every 15 Minutes:

*/15 * * * * command_to_execute

This cron job runs `command_to_execute` every 15 minutes.

4. Run a Task Every Weekday at 8:00 AM:

0 8 * * 1-5 command_to_execute

This cron job executes `command_to_execute` at 8:00 AM from Monday to Friday.

5. Run a Job Monthly on the 1st at Noon:

0 12 1 * * command_to_execute

This cron job runs `command_to_execute` at noon on the 1st day of every month.


Command Examples:


1. Open Cron Configuration File:

   Start by editing the cron configuration file. Use your preferred text editor, such as nano or vim:

#sudo vim /etc/crontab

or

# crontab -e 

or

# crontab -e -u harry
This command you can use to set  the cron jobs for the harry user.


2. Adding a Cron Job:

   Suppose you want to schedule a script to run every day at 2:00 AM. You would add a line like this to the cron configuration file:

   0 2 * * * /path/to/your/script.sh

   Replace `/path/to/your/script.sh` with the actual path to your script.


3. Save and Exit:

   After adding your cron job, save the file and exit the text editor.


4 Verify the Cron Job:

   

To ensure that the cron job was added successfully, you can list the current cron jobs using the following command:

  sudo crontab -l

   This command will display all the cron jobs configured for the root user.


  sudo crontab -l -u harry

   This command will display all the cron jobs configured for the harry user.


5. Delete Cron jobs:

  sudo crontab -r -u harry

   This command will remove all the cron jobs configured for the harry user.


6. Restart the Cron Service:

   It's a good practice to restart the cron service to apply any changes made to the cron configuration file:

#sudo systemctl restart crond

7. Viewing Logs (Optional):

   If your cron job is not running as expected, you can check the cron logs to troubleshoot the issue. The cron logs are typically located at `/var/log/cron`.

#tail -f  /var/log/cron

That's it! You've now successfully set up a cron job on Linux. Your script will execute at the specified time according to the cron schedule you've configured.

Conclusion:

Cron jobs are an invaluable tool for automating repetitive tasks on Unix-like systems. By understanding the syntax and components of cron jobs and exploring practical examples, you can effectively leverage them to streamline your workflow and improve system efficiency. Experiment with different cron job configurations to tailor automation solutions to your specific needs and maximize productivity. With mastery of cron jobs, you'll unlock a powerful arsenal for automating tasks and managing your system with precision and ease.

A Step-by-Step Guide to Installing MongoDB on Oracle Linux 8 | How to install MongoDB on RedHat 8/ Rocky Linux 8

Introduction:
MongoDB is a powerful, open-source NoSQL database that provides flexibility and scalability for modern applications. In this guide, we'll walk through the process of installing MongoDB on Oracle Linux 8 and configuring it to ensure security best practices are followed.


Step 1: Prerequisites

Before we begin, make sure you have:

1. An instance of Oracle Linux 8 set up and running.

2. Root or sudo access to the server.


Step 2 – Install  MongoDB 

1. Open a terminal window on your Oracle Linux 8 server and update it.

#yum update

  After patch update make sure you reboot the server 


2. Add the MongoDB repository to your system:

#vim /etc/yum.repos.d/mongodb-org-4.4.repo

Add the following contents:

[mongodb-org-4.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc

Save and close the file once you are done.


3. Install MongoDB:

# sudo dnf install -y mongodb-org

4. Start the MongoDB service and enable it to start on boot:

# sudo systemctl start mongod

# sudo systemctl enable mongod

mongod --version

Step 3: Configure MongoDB

1. Open the MongoDB configuration file:

# sudo vim /etc/mongod.conf

2. Bind MongoDB to localhost or IP:

bindIp: 127.0.0.1

3. Enable authentication:

security:

  authorization: enabled


4. Save and close the file.


Step 4: Secure MongoDB

1. Create an administrative user:

First, connect to the MongoDB instance with the command 

mongo

Once you are connected, create a database named admin using the following command:

use admin

Next, create an admin user and set a password with the following command:

db.createUser(
  {
    user: "admin",
    pwd: passwordPrompt(),
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]

  }

)


You will be asked to set a password.


2. Exit the MongoDB shell:

exit

3. Restart MongoDB to apply the changes:

sudo systemctl restart mongod

Step 5: Test MongoDB Authentication

1. Open the MongoDB shell as the administrative user:

# mongo -u admin -p --authenticationDatabase admin

or 

#mongo --port 27017 --authenticationDatabase admin -u admin -p



2. You'll be prompted to enter the password for the admin user.

3. Once logged in, you can create additional users and databases as needed.


Step 6 – Create a Database in MongoDB

In this section, we will show you how to interact with the MongoDB database.

To create a database named testdb, run the following command:

use testdb

Next, add some data to the testdb database using the following command:

db.person.insertOne(
  { "Nirmal Singh" : "20",
   "Tom " : "18",
   "Harry" : "25"
  }
)

You can now list available databases using the following command db prompt:

db

You will get the following output:

testdb

To show documents in your database, run the following command:

show collections

You will get the following output:

person

To show the contents of your database collection, run the following command:

db.person.find()

You will get the output for all records:

To switch the database to admin, use the following command:

use admin

To list all users, run the following command:

db.getUsers()

You will get a list of all users in the following output formate:

[
	{
		"_id" : "admin.admin",
		"userId" : UUID("504b73he-aaed-4ad9-bb60-4fb8df334709"),
		"user" : "admin",
		"db" : "admin",
		"roles" : [
			{
				"role" : "userAdminAnyDatabase",
				"db" : "admin"
			},
			{
				"role" : "readWriteAnyDatabase",
				"db" : "admin"
			}
		],
		"mechanisms" : [
			"SCRAM-SHA-1",
			"SCRAM-SHA-256"
		]
	}
]


Step 7: Firewall Configuration (Optional)

If you have a firewall enabled on your server, you may need to open the MongoDB port (default is 27017) to allow external connections. Use the following command to open the port:


sudo firewall-cmd --zone=public --add-port=27017/tcp --permanent

# sudo firewall-cmd --reload


Conclusion:

Congratulations! You've successfully installed MongoDB on Oracle Linux 8 and configured it to ensure security. By following these steps, you can confidently deploy MongoDB for your applications while adhering to best practices for database security. Remember to regularly update MongoDB and review your security measures to protect your data effectively.

Sunday, January 28, 2024

A Comprehensive Guide to Linux Access Control Lists (ACLs)


Introduction:


Access Control Lists (ACL) in Linux provide a powerful and flexible way to manage permissions beyond the traditional read, write, and execute settings. ACLs enable fine-grained control over file and directory access, allowing administrators to grant or restrict permissions for specific users and groups. In this blog, we will delve into the world of ACLs in Linux, exploring their features, usage, and practical examples.


Understanding ACLs:

Linux file permissions are typically set using the user-owner, group-owner, and others' triplets, denoted by characters like "rwx" (read, write, execute). While this scheme is effective, it may lack the granularity needed in certain scenarios. ACLs address this limitation by providing a more nuanced approach to permissions.


The Linux filesystem gives us three types of permissions. Here is a simplified review:

  • User (or user owner)
  • Group (or owner group)
  • Other (everyone else)

With these permissions, we can grant three (actually five, but we’ll get to that in a minute) types of access:

  • Read
  • Write
  • eXecute

These levels of access are often adequate in many cases. Say that you have a directory where files from the accounting department live. You might set these permissions to:


Key Features of ACLs:


1. Granular Control:

   ACLs allow you to define specific permissions for individual users and groups, going beyond the traditional owner, group, and others model.


2. Default ACLs:

   Default ACLs determine the permissions set for new files and directories within a specific directory. This feature ensures consistent permissions across newly created items.


3. Mask and Effective Permissions:

   ACLs introduce the concept of a mask, which acts as a filter for the permissions assigned. The effective permissions are then determined by combining the permission bits and the mask.


4. Access Types:

   ACLs support various access types, including read (r), write (w), execute (x), delete (d), and more. This versatility allows administrators to tailor permissions based on specific requirements.


To begin working with ACLs, you need to be familiar with a set of commands that facilitate their management:


1 . Viewing the current ACL

    Use this command to display the ACLs of a file or directory.

  

#getfacl filename


2. Setting an ACL

   Apply this command to set or modify ACLs for a file or directory.
#setfacl -m u:user:permissions filename

   This command helps to remove specific ACL entries from a file or directory for particular user.
#setfacl -x u:user filename

    This command helps to set default ACL on directory.
#setfacl -d -m u:users:rwx /path/to/directory


Practical Examples:


1. Granting Additional Permissions:

  Apply this command to set or modify ACLs for a file or directory for specific user .

#setfacl -m u:john:rw file.txt

  Apply this command to set or modify ACLs for a file or directory for specific group .
#  setfacl -m g:groupname:rwx  /path/to/directory

  Apply this command to set or modify ACLs for a file or directory for specific user .
#setfacl -m  john:rw file.txt

Note: When we want to set a group ACL, we need to specify this by putting g: in front of the group’s name. For users, just change the g to a u, but setfacl will assume we are talking about a user if you don’t put anything in that spot.


2. Setting Default ACLs :


 Note: Only directories can have default ACLs  

  Apply this command to set default ACLs for  a directory for specific user .

#setfacl -d -m u:users:rwx /path/to/directory


  Apply this command to set default ACLs for  a directory for specific group.

# setfacl -d -m g:groupname:rwx /path/to/directory

3. Removing ACL Entries:

  Apply this command to remove ACLs for  a file or directory  for specific group .

#setfacl -x g:groupname /path/to/file

   Apply this command to remove ACLs for  a file or directory  for specific user   

#setfacl -x u:username  /path/to/file

  To remove all the ACLs entry from file or directory 

#setfacl -b   /path/to/file


Conclusion:


Access Control Lists in Linux offer a robust solution for managing permissions in a fine-grained manner. Understanding how to leverage ACLs empowers administrators to control access to files and directories with greater precision. By incorporating ACLs into your Linux system administration toolkit, you enhance security and flexibility, ensuring that resources are accessible only to those who truly need them.

Linux server hardening | Secure Linux Servers

 Linux server hardening is the process of securing a Linux server by reducing its attack surface and mitigating security risks. The goal is ...