This time we’re going to talk about security in the context of Linux … that pesky topic everyone seems to be good at, but then not quite good enough.
The problem with security is that you can never have enough of it, but at the same time it must NOT get in your way. Also … there’s a thing called “security by obscurity”, which is a personal favorite, because you cannot hack / break into something you never knew existed (this alone does not make it secure, but it buys more time before it gets hacked into, so make sure you hide your systems BUT secure them at the same time).
If I had to summarize this, I’d say security is all about reducing the risk of being hacked or getting your services and data exposed. The lower the risk, the lower the chances of someone breaking in and stealing or destroying your things and data.
There are a number of things one needs to look at when dealing with security threats:
- software versions – making sure you’re always running the latest stable software that has no known security holes (this also includes older versions with custom security patches, such as the CentOS 6 or 7 kernels or PHP versions, which are old but not insecure)
- permissions – making sure only whoever / whatever needs access to something has it (don’t just create a folder with chmod 777 and expect it not to be accessed by someone who should not be accessing it)
- monitoring (imagine a CCTV system for your Linux environment) – this would be the wonderful world of IPS (SELinux for example) and IDS (Tripwire for example)
- firewall – make sure only what needs to be publicly accessible is, and whatever is publicly accessible should be further protected with stuff like fail2ban, mod_security, etc.
- all services should be running on TLS if possible (which prevents man-in-the-middle attacks)
- remote access to local resources should only be allowed via an IPsec VPN (strong encryption)
- a strong password policy, password rotation and two-factor authentication are your best friends
- full disk encryption would be ideal, plus encryption at rest for services that support it (e.g. MySQL and friends) when the underlying host is not under your control (e.g. running MySQL on a dirt cheap container or VPS you got from some third party provider)
- if building an application / platform / service, make sure you factor in security at the code level, the access level and the communication level (if your app needs to connect to a MySQL database, make sure it does so over an encrypted connection; if your application has an API endpoint, make sure you implement some form of access control for it; if you’re storing sensitive data, make sure you do so using some form of encryption; if you’re logging, make sure you’re not logging the actual data but rather relevant messages that help troubleshoot an issue; etc.)
- centralized logging – make sure systems log to both local storage AND a remote system; this helps in situations where attackers gain access to a machine and then clear all traces of their actions (you still have a trail saved elsewhere)
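As an added example (not code from the original post), here is a small POSIX shell audit helper covering two items from the list above: the permissions point (finding chmod 777-style world-writable paths) and the centralized logging point (checking that rsyslog forwards to a remote host). The scan path, config path and log host are placeholders, and only the legacy `*.* @host` forwarding syntax is recognised.

```shell
#!/bin/sh
# Added example (not from the original post): a small audit helper for two of
# the checklist items above. Paths and the log host are placeholders.

# Permissions: list files and directories under $1 that are writable by
# everyone (the chmod 777 problem). Sticky-bit directories such as /tmp are
# skipped because world-writable is intentional there. -xdev stays on one
# filesystem so /proc and network mounts are not scanned.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) 2>/dev/null
}

# Same check, but returns just the count (whitespace-trimmed for BSD wc).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Centralized logging: succeed (exit 0) only if an rsyslog config forwards
# everything to a remote host using the legacy "*.* @host" (UDP) or
# "*.* @@host" (TCP) syntax. Commented-out lines do not count, and the newer
# action(type="omfwd" ...) block syntax is not covered by this check.
has_remote_log_target() {
    grep -Eq '^[[:space:]]*\*\.\*[[:space:]]+@@?[^[:space:]]+' "$1"
}

# Stand-alone usage: audit.sh <dir-to-scan> <rsyslog.conf>
if [ "$#" -eq 2 ]; then
    echo "World-writable paths under $1:"
    list_world_writable "$1"
    if has_remote_log_target "$2"; then
        echo "$2: remote log forwarding configured"
    else
        echo "$2: WARNING no remote log target, logs live only on this host"
    fi
fi
```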
If we’re talking about security in general, there are more layers one needs to look at (like the physical layer, for example, which should be there to stop people from physically accessing your devices), BUT if you do things in a way that considers at least the list above, then you have greatly reduced the security risk associated with running something on your Linux systems (I guess all of these apply to some extent to any other operating system, but because I’m a Linux/UNIX fanatic I don’t really care about the alternatives).
The last thing that comes to mind right now is that you should also constantly test the security of your systems (audit) to validate that your data and infrastructure are safe enough for you to get some sleep at night, and also find a way to stay up to date with the latest threats that are out there.
Stay safe! (online, that is)