Prerequisites
- A VPS running any of our available OS options.
- A non-root user account (commands requiring escalated privileges will use sudo).
Step 1: Installing Lynis
Downloading and “installing” Lynis is as simple as cloning the GitHub repository to your VPS. If you’re running a brand new VPS, you might not have Git installed yet; if you already do, skip to the next step.
$ sudo apt-get install git   # Ubuntu/Debian
$ sudo yum install git       # CentOS
Let’s clone the Lynis repository next:
$ git clone https://github.com/CISOfy/lynis
It’s recommended to run the script as the root user, so we’ll use chown to change the ownership of the cloned directory to root. If you run the script with sudo or su without changing ownership first, you’ll receive a security warning, which you can dismiss by hitting Enter or cancel with Ctrl+C. And if you run it as your normal user, you’ll get a warning that results will be incomplete, because some tests require higher privileges.
$ sudo chown -R 0:0 lynis
$ cd lynis
Finally, we can simply execute the built-in script.
$ su -
# cd /home/youruser/lynis    # su - starts in root's home directory, so change back to the clone (adjust the path)
# ./lynis audit system
Interpreting the results
When Lynis completes, it will output warnings, suggestions, and some at-a-glance details of your security scan, such as a “hardening index” that you can use to score your efforts.
For example, here’s the output for a newly-rebuilt CentOS 7 server, set up using the Ansible playbook from a previous tutorial.
  Lynis security scan details:

  Hardening index : 70 [##############      ]
  Tests performed : 208
  Plugins enabled : 2

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis Modules:
  - Compliance Status      [?]
  - Security Audit         [V]
  - Vulnerability Scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
A hardening index of 70 is respectable, but it leaves a wide margin for improvement. Fortunately, Lynis also outputs warnings and suggestions that you can use to learn about changes that would make your server better hardened against attack.
The following is a sample of the output, with some entries removed because they simply can’t be fixed on a VPS, such as placing /var on a separate partition.
-[ Lynis 2.5.1 Results ]-

  Warnings (1):
  ----------------------------
  ! iptables module(s) loaded, but no rules active [FIRE-4512]
      https://cisofy.com/controls/FIRE-4512/

  Suggestions (30):
  ----------------------------
  * Configure minimum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/controls/AUTH-9286/

  * Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027) [AUTH-9328]
      https://cisofy.com/controls/AUTH-9328/

  [...]

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
      https://cisofy.com/controls/STRG-1840/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
      https://cisofy.com/controls/STRG-1846/

  * Check DNS configuration for the dns domain name [NAME-4028]
      https://cisofy.com/controls/NAME-4028/

  * Install package 'yum-utils' for better consistency checking of the package database [PKGS-7384]
      https://cisofy.com/controls/PKGS-7384/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
      https://cisofy.com/controls/NETW-3032/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : AllowTcpForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : Compression (DELAYED --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : LogLevel (INFO --> VERBOSE)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : MaxAuthTries (6 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : MaxSessions (10 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : Port (22 --> )
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : TCPKeepAlive (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : UseDNS (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details : AllowAgentForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
      https://cisofy.com/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
      https://cisofy.com/controls/BANN-7130/

  * Enable process accounting [ACCT-9622]
      https://cisofy.com/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626]
      https://cisofy.com/controls/ACCT-9626/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
      https://cisofy.com/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002]
      https://cisofy.com/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
      https://cisofy.com/controls/KRNL-6000/

  * Harden compilers like restricting access to root user only [HRDN-7222]
      https://cisofy.com/controls/HRDN-7222/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/controls/HRDN-7230/
You can also examine the full log of your scan at /var/log/lynis.log.
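The report data file listed in the summary above is machine-readable, which makes it handy for tracking the hardening index from one run to the next. The script below is an added example, not code from the tutorial or from the Lynis project; it assumes the report's key=value layout (hardening_index=NN, warning[]=ID|text|..., suggestion[]=ID|text|...) and runs against a constructed sample report rather than a real scan.

```shell
#!/bin/sh
# Added example (not from the tutorial or Lynis): summarise a Lynis report data
# file such as /var/log/lynis-report.dat. Assumed layout: one key=value per line,
# hardening_index=NN, warning[]=ID|text|details|solution|, suggestion[]=ID|text|...
# The report at the bottom is constructed sample data, not output of a real scan.

# lynis_summary FILE -> "index=NN warnings=N suggestions=N"
lynis_summary() {
    idx=$(sed -n 's/^hardening_index=//p' "$1" | head -n 1)
    warn=$(grep -c '^warning\[]=' "$1" || true)      # grep -c exits 1 when the count is 0
    sugg=$(grep -c '^suggestion\[]=' "$1" || true)
    printf 'index=%s warnings=%s suggestions=%s\n' "${idx:-unknown}" "$warn" "$sugg"
}

# lynis_controls FILE -> unique control IDs that have findings, one per line;
# the repeated SSH-7408 entries in the output above collapse to a single ID
lynis_controls() {
    awk -F'|' '$1 ~ /^(warning|suggestion)\[/ { split($1, kv, "="); print kv[2] }' "$1" |
        sort -u
}

# lynis_control_url ID -> the documentation link Lynis prints under each finding
lynis_control_url() {
    printf 'https://cisofy.com/controls/%s/\n' "$1"
}

# Constructed sample report mirroring a few of the findings shown above.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
lynis_version=2.5.1
hardening_index=70
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 2)|-|
EOF

lynis_summary "$SAMPLE_REPORT"
lynis_controls "$SAMPLE_REPORT" | while read -r id; do lynis_control_url "$id"; done
```

Point it at the real report after each run (reading it needs root, as the file is written by the audit) and the summary line gives you a one-line record of progress per run.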
Taking action on gaps in your security
As you can see, Lynis gave me one warning and 30 suggestions, all of which, when fixed, will help make my server more secure. Every warning and suggestion comes with a link to documentation that will help you understand the issue and example fixes, so be sure to take advantage of those resources.
Because all of us use SSH to connect to our VPSs, let’s walk through some basic fixes that will reduce the number of findings Lynis reports. Note: Your default sshd configuration might look slightly different depending on your OS and any tweaks you’ve already made.
$ sudo nano /etc/ssh/sshd_config
We can uncomment the lines about agent forwarding and TCP forwarding and explicitly disallow them.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
---
AllowAgentForwarding no
AllowTcpForwarding no
Same with ClientAliveCountMax:
#ClientAliveCountMax 3
---
ClientAliveCountMax 2
And the compression settings:
#Compression delayed
---
Compression no
Let’s change the MaxAuthTries and MaxSessions at the same time:
#MaxAuthTries 6
#MaxSessions 10
---
MaxAuthTries 2
MaxSessions 2
Disabling TCPKeepAlive:
#TCPKeepAlive yes
---
TCPKeepAlive no
And, finally, DNS:
#UseDNS yes
---
UseDNS no
Now save the file and restart the sshd service so the changes take effect, then run Lynis again to see the results.
$ sudo systemctl restart sshd
$ su -
# cd /home/youruser/lynis    # back to the clone, since su - starts in root's home (adjust the path)
# ./lynis audit system
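Before restarting sshd it is worth confirming that the edits above are actually the ones sshd will use: sshd takes the first value it finds for each keyword, a commented-out line only documents the default, and anything after a Match line applies conditionally. The checker below is an added example, not code from the tutorial or from Lynis; it mirrors those rules for the eight SSH-7408 settings changed above and runs against a constructed sample sshd_config, not a real server's file.

```shell
#!/bin/sh
# Added example (not from the tutorial or Lynis): compare an sshd_config with the
# SSH-7408 values applied above. Rules mirrored from sshd: first value per keyword
# wins, keywords are case-insensitive, '#' lines are comments, and lines after a
# Match keyword are conditional, so parsing stops there. Sample config is constructed.

# Target values from the edits above, one "Keyword value" pair per line
HARDENED='AllowAgentForwarding no
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
MaxAuthTries 2
MaxSessions 2
TCPKeepAlive no
UseDNS no'

# sshd_effective FILE KEYWORD -> first active value, lowercased; empty if the
# keyword is left at its compiled-in default
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }                 # comment or blank line
        tolower($1) == "match"      { exit }                 # conditional section: stop
        tolower($1) == key          { print tolower($2); exit }' "$1"
}

# sshd_deviations FILE -> one "Keyword: current -> expected" line per setting
# that is not at the hardened value
sshd_deviations() {
    printf '%s\n' "$HARDENED" | while read -r kw want; do
        have=$(sshd_effective "$1" "$kw")
        [ "$have" = "$want" ] || printf '%s: %s -> %s\n' "$kw" "${have:-default}" "$want"
    done
}

# Constructed sample: a stock-looking file with only some of the edits applied
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#AllowAgentForwarding yes
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
maxauthtries 2
MaxAuthTries 6
#MaxSessions 10
TCPKeepAlive yes
UseDNS no
Match User backup
    MaxSessions 2
EOF

sshd_deviations "$SAMPLE_CFG"
```

On a live server, `sudo sshd -T` prints the effective configuration and is the authoritative check; the script is useful for reviewing a file before it is deployed.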
After editing just a few lines in the ssh configuration, my hardening index score has jumped to 77, and I’m down to 1 warning/23 suggestions. Not bad for just a few minutes of work!
Now, most of these warnings and suggestions are beyond the scope of this tutorial, but the basic idea is to tackle them one or two at a time, re-run Lynis, and keep working to make your server as secure as possible.