Linux Security and Hardening
General Linux Security
Physical Security for Linux
Network Security in Linux
Additional Security Resources
In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.
You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.
In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.
You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.
There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.
- Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
- Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
- Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
- Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
- Learn how to enforce good password security practices on your Linux systems
- Learn about multi-factor authentication and how it can be implemented in Linux
- Learn techniques and strategies to secure network services
- Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes, ACLs, and rootkits
Okay, let's run through the manual process of using this device. First, we'll open it. We'll run sudo cryptsetup luksOpen/dev/sdb and opt here and that is the virtual block device name that will be created in /dev/mapper. Now it's asking for the passphrase for this device and we'll go ahead and supply that. Okay, it created our device file. So now we'll just go ahead and mount it, mount it on opt and then we can look and opt and you can see that the hello text file is there from earlier. Once you're done, you can go ahead and unmount the device. And finally, we need to close the encrypted device. We'll do this by running sudo cryptsetup luksClose and then we'll give the name of the device. And you can see that the virtual block device has been removed from /dev/mapper. We've been talking about using block devices that you have direct access to but what if you're in an environment where that's not the case, for example some cloud providers don't give you block level access to volumes. In this case, you would use a file as the device that you encrypt. Let's start off by creating a non sparse file. I'm going to run strings on that and that should pull out any string data from that file but it's really just an empty file at this point. So if you want to be more secure write random data to that file. So here's how to do that. I would use the dd command. if stands before input file, we'll use dev/urandom, of is output file. We'll use data/opt, bs is a bite size. We'll use a bite-size size of one megabyte, and then we'll just use a count of 100. So 100 times one megabyte would be 100 megabytes in size. So I'll run this command here and this command will take a little bit since the random data has to be generated before it could be written to the file. So now we'll go ahead and run the same command here on that file. And then now you can see that there's a lot of random data in that file. From here, the rest of the process is really the same. We'll go ahead and use LUKS format on this file just like it was a regular block device. Now that it's initialized, I'll go ahead and open it. Again, supplying the name that we want to use as the virtual block device. Go ahead and create a file system on that and now we can mount that. Let's go ahead and look at that mount point there and you can see that it's founded on /dev/mapper/opt and let's look at the block devices here and let's specifically look at the crypto one here. You can see that the file is being accessed through dev loop zero which is a loop back device that allows files to be treated like a block device.