In this episode of Awesome Linux Tools, the spotlight is on Lynis – a really awesome utility you can use to get a better understanding of the overall security hygiene of your server. In this video, Jay will show you how to install it, and also how to run an audit.
Before anyone starts using Lynis to harden their servers, let me ask this question:
How much do you want your server hardened?
If you are using a VPS to host your website, do note that not all suggestions need apply.
Also, in Ubuntu-based distributions, removing any compilers such as GCC can break your system. For example, in Lynis:
In my case, the word FOUND is highlighted in red. Trying to remove gcc-10-base will result in the following:

So it’s best to ignore the warning and not break your server in the process. Anyone remember Linus from Linux Tech Tips?
For SSH, it’s always better to create a unique username and password. Sure, public key authentication can improve the security of your server until you leak your private/public key, so for me, I simply use a strong password in addition to a unique username, disable root login, and change to a non-standard port number other than 22, 222, 2222, or 22222. The cybersecurity community’s mindset is that “security through obscurity” is bad; however, I would definitely choose obscurity whenever I have the chance in order to cut down on the amount of noise in the /var/log/auth.log file. Try to keep your port number secret to yourself, if you can. Of course, this will not stop a determined criminal hacker from trying to gain entry into your server, but every layer of security you can implement helps.

Plus, Lynis will tell you to put /var, /var/log, etc. into separate partitions in a VPS. If you use Digital Ocean or Linode, that hardening may be impossible. A dedicated server will cost you a lot more money, but at least you can set up your partitions however you like.
For my website, I had already hardened my web server even before trying out Lynis on my VPS.
Lynis will suggest that you disable USB storage. I could blacklist a module, but is there a reason why I need to do so in a VPS?
Here’s an example profile I have created for Lynis:
Then, if you set up a Lynis repository as detailed in the video, you can execute as follows:
You might want to customize the profile in order to suit your use-case.
The moral of the story is:
Oh yes, maybe I’m missing something, but I don’t think the video covers the dangers of using Lynis in order to harden a server. Again, just know what you are getting into before you harden your server.
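The SSH changes described in the post above (unique login name, root login disabled, a port that is not one of the commonly guessed ones) are easy to get subtly wrong in a way that locks you out. As an added example that is not part of the original post, the script below renders those settings as an sshd drop-in file and sanity-checks it before it is copied into place. It assumes OpenSSH 8.2 or newer (which reads /etc/ssh/sshd_config.d/); the port number 48222 and the username deploy are placeholders chosen for illustration, not the author's real values.

```shell
#!/bin/sh
# Added example, not from the thread. Renders a hardened sshd drop-in and checks it
# for the mistakes that either lock the admin out or defeat the purpose.
# Assumptions: OpenSSH >= 8.2 (sshd_config.d/ is read); port and username are placeholders.

# $1 = SSH port, $2 = the one non-root account allowed to log in.
render_sshd_dropin() {
    port="$1"; user="$2"
    cat <<EOF
# Rendered by render_sshd_dropin (example); install as /etc/ssh/sshd_config.d/10-hardening.conf
Port ${port}
PermitRootLogin no
AllowUsers ${user}
# The post's author keeps password auth with a strong password; set to "no" for keys only.
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Reject: missing/non-numeric port, port out of range, one of the "obscure" ports
# everyone guesses (22, 222, 2222, 22222), root login left enabled, no AllowUsers
# (without it the drop-in does not restrict which accounts may log in).
validate_dropin() {
    file="$1"
    port=$(awk '$1=="Port"{print $2}' "$file")
    case "$port" in
        ''|*[!0-9]*) echo "Port missing or not numeric"; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "Port out of range"; return 1; }
    case "$port" in
        22|222|2222|22222) echo "Port is one of the commonly guessed values"; return 1 ;;
    esac
    grep -q '^PermitRootLogin no$' "$file" || { echo "PermitRootLogin must be no"; return 1; }
    grep -q '^AllowUsers ' "$file" || { echo "AllowUsers missing"; return 1; }
    echo "ok"
}

# Stand-alone demo: render to a temp file and validate it. On a real host, copy the
# file into /etc/ssh/sshd_config.d/, run `sshd -t` to check the merged config, keep
# your current session open, and only then restart sshd and test a second login.
tmp=$(mktemp)
render_sshd_dropin 48222 deploy > "$tmp"
validate_dropin "$tmp"
rm -f "$tmp"
```

The checks are deliberately narrow: they catch the lock-out cases the post warns about, while `sshd -t` on the target host remains the authority on whether the merged configuration is valid.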
Lynis control HRDN-7222: Permissions on installed compilers - CISOfy
Oh, yeah, that warning about the compilers killed me.
I have the compilers there for developing code, removing them or making them root-access-only sort of defeats the purpose of the machine.
For someone who is not a developer, how is anyone going to get rid of the gcc-*-base package without breaking their server or desktop?
As we humans are the weakest link, I think we need to keep educating ourselves so that we do not fall victim to security issues. I think the only way a threat actor can execute code is by logging in through SSH or maybe exploit any vulnerabilities in websites.
Unless anyone has any ideas regarding how to solve the warning about the compiler, I think we should just ignore it and hope that we keep our cybersecurity hygiene in good shape. Or should we not ignore the “compiler found” warning at all?
@jay, not every YouTuber who subscribes to your channel visits the forum. I think you should discuss the pitfalls of Lynis and/or any other hardening tools on YouTube before they try out Lynis. Because if they do not understand what they are doing, there’s a chance they can break their system(s). What are your thoughts?
Good thoughts in this thread for sure!
I think context is important to keep in mind too, as not every suggestion should be actioned. You can advise Lynis to ignore a particular item if it doesn’t apply to you or your use-case. Also, many of the suggestions are going to align to certification requirements (such as SOC/2) but not everyone will be going after such a thing.
I probably should’ve mentioned it in the video, but what I do is go through what’s relevant for me and then I ignore what doesn’t apply to me.
To play devil’s advocate though, I think it is the case that a lot of people don’t seem to take vulnerability chains seriously. For example, you might think that if vim has a security issue, what’s the big deal? After all, it’s not like the average person typically forwards an external port to an internal installation of vim. But hypothetically, if someone was to obtain access to a server but were only able to commandeer a non-root account, an exploit in vim might be just what they needed to elevate their access to root. Of course, you can argue that the fact they were able to access a non-root account means that there was a bigger security failure, but whether or not the individual items that Lynis finds matters to you depends on context, and sometimes it’s good to look at the results from a different angle.
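Both the first post (the example profile for Lynis, and the question of whether the compiler warning can be ignored) and Jay's reply (advising Lynis to ignore an item that does not apply) come down to the same mechanism: a custom profile that skips accepted tests, with the reason recorded. As an added example, not the thread's own profile, the script below generates such a profile and then compares it against a Lynis report to show which suggestions are still outstanding. It assumes Lynis 3.x profile syntax (`skip-test=ID`) and the report format of /var/log/lynis-report.dat; the report fragment is constructed for the demo, and the test IDs other than HRDN-7222 (which the thread links to) are ones I recall from Lynis's test set, so verify them against your own report.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a Lynis custom profile that skips
# consciously accepted findings and lists what a report still flags.
# Assumptions: Lynis 3.x `skip-test=` syntax; report lines look like
# "suggestion[]=TEST-ID|text|details|solution|". Sample data below is constructed.
export LC_ALL=C   # consistent sort order for comm(1)

# Emit a profile. Each argument is "TEST-ID:reason"; the reason becomes a comment
# so the next admin can see why a test is silenced rather than just that it is.
render_lynis_profile() {
    echo "# custom.prf - accepted findings for this host (generated example)"
    for item in "$@"; do
        id=${item%%:*}
        reason=${item#*:}
        echo "# ${id}: ${reason}"
        echo "skip-test=${id}"
    done
}

# Print the test IDs a profile skips, one per line.
skipped_tests() {
    sed -n 's/^skip-test=\([A-Z]*-[0-9]*\).*/\1/p' "$1"
}

# Print suggestion IDs from a lynis-report.dat that the profile does NOT skip,
# i.e. the findings still waiting for a decision.
remaining_suggestions() {
    profile="$1"; report="$2"
    skipped=$(mktemp)
    skipped_tests "$profile" | sort > "$skipped"
    sed -n 's/^suggestion\[\]=\([A-Z]*-[0-9]*\)|.*/\1/p' "$report" | sort -u \
        | comm -23 - "$skipped"
    rm -f "$skipped"
}

# Stand-alone demo.
demo=$(mktemp -d)
render_lynis_profile \
    "HRDN-7222:compilers needed for builds; removing gcc-*-base breaks Ubuntu" \
    "STRG-1840:no USB storage on a VPS, nothing to blacklist" \
    > "$demo/custom.prf"

# Constructed report fragment in lynis-report.dat format (not real Lynis output).
cat > "$demo/lynis-report.dat" <<'EOF'
hardening_index=64
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
suggestion[]=STRG-1840|Disable drivers like USB storage when not used|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|-|-|
EOF

echo "Still outstanding:"
remaining_suggestions "$demo/custom.prf" "$demo/lynis-report.dat"
# On a real host: sudo lynis audit system --profile "$demo/custom.prf"
rm -rf "$demo"
```

Keeping the profile under version control alongside the reasons turns "ignore what doesn't apply" into a reviewable decision list, and the comparison step makes the next audit show only findings nobody has ruled on yet.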