Author: Ruwantha Nissanka

Enforcing Strong Password Criteria Using PWQUALITY

Cyber-attacks are becoming increasingly ubiquitous and difficult to deal with, and attackers relentlessly try to exploit common weak passwords. As a result, organizations have to safeguard themselves by enforcing strong password criteria on their systems. In this article, we’ll take a look at the mechanics of enforcing strong password criteria on a Linux system.

Installing and configuring pwquality

We’ll be using the pwquality module for the Pluggable Authentication Module (PAM) framework. It is a newer technology that has replaced the old cracklib module, and it provides a way to configure the default password quality requirements for system passwords.

1. Install the libpam-pwquality package:

# apt install libpam-pwquality

2. Open the /etc/security/pwquality.conf file in your preferred text editor.

When you open this file in your text editor, you’ll see that everything is commented out, which means that no password complexity criteria are in effect. You can set password complexity criteria however you want just by uncommenting the appropriate lines and setting the appropriate values.

3. Set the minimum password length. Users cannot set a password shorter than this value.

4. Set the minimum number of required classes of characters for the new password. (kinds ⇒ UpperCase / LowerCase / Digits / Others)

5. Set the maximum number of allowed consecutive same characters in the new password.

6. Set maximum number of...


Advanced tips and tricks for using sudo

Now that we’ve looked at the basics of setting up a good sudo configuration in this article, we’re confronted with a bit of a paradox. That is, even though sudo is a security tool, certain things that you can do with it can make your system even more insecure than it was. Let’s see how to avoid that.

The sudo timer

By default, the sudo timer is set for five minutes. This means that once a user performs one sudo command and enters a password, he or she can perform another sudo command within five minutes without having to enter the password again. Although this is obviously handy, it can also be problematic if users walk away from their desks with a command terminal still open. If you need to leave your desk for a moment, your best action would be to log out of the server first. Short of that, you could just reset the sudo timer by running this command:

# sudo -k

This is one of the few sudo actions you can do without entering a password. But the next time you run a sudo command, you will have to enter your password, even if it has been less than five minutes since you last entered it.

You can easily disable this timer by adding a line to the Defaults section of the sudoers...


Linux Security Hardening for Beginners Part 05 – Using Lynis Audit Tool

Lynis is an open-source application that we can use to audit the security posture of Linux and other UNIX-like systems. In this guide, you will learn how to install Lynis and how to run a security audit on your Linux system. Lynis gives suggestions on how to fix the issues it identifies, which helps you carry out the suggested security hardening yourself.

Step 1 — Installing Lynis on Your Server

Use the following command to install Lynis:

# apt-get install lynis

Step 2 – Performing an Audit

After the installation is completed, you can see the list of actions that you can perform with Lynis by issuing the following command:

# lynis show commands

You’ll see the following output

Execute the following command to run an audit:

# lynis audit system

It will take a bit of time to complete the audit and once it is done, the results will be shown as follows

When Lynis performs an audit, it goes through a number of tests, divided into categories. After each audit, test results, debug information, and suggestions for hardening the system are written to standard output (the screen). More detailed information is logged to /var/log/lynis.log, while report data is saved to /var/log/lynis-report.dat.

The report data contains general information about the server and the application itself, so the file you’ll need to pay...


My name is Surendra Kumar Anne. I hail from Vijayawada, which is the cultural capital of the south Indian state of Andhra Pradesh. I am a Linux evangelist who believes in hard work, a down-to-earth person who likes to share knowledge with others, loves dogs, and likes photography. At present I work at Bank of America as Sr. Analyst Systems and Administration. You can contact me at surendra (@) linuxnix dot com.