How To Implement Zero-Trust Security in Linux Environments

Unlike traditional security models, zero trust assumes that threats can exist both inside and outside the network, requiring continuous verification of every access request regardless of its origin.

Grant Knoetze, Contributor

June 26, 2024

8 Min Read
pins with words zero trust on a cybernetic board
Alamy

As the global cyber threat landscape grows increasingly sophisticated and dangerous, traditional perimeter-based security models are no longer effective at protecting critical infrastructure. With Linux widely used in servers and critical systems, organizations need a more robust security framework to address the evolving threats. The zero-trust security model, which operates on the principle “never trust, always verify,” offers advanced protections for securing Linux environments.

This article examines the principles of zero-trust security and provides practical guidance on configuring Linux systems to align with these principles. We will cover several aspects of zero trust, including identity verification, micro-segmentation, and continuous monitoring.

Understanding the Zero-Trust Security Model

The zero-trust security model represents a paradigm shift from traditional security approaches. Instead of assuming that everything inside the network is safe, zero trust assumes that threats can exist inside and outside the network. Therefore, every access request is verified, regardless of its origins. Let’s explore some core principles of zero trust.

Continuous verification

Every access request is verified using multiple factors, including device identification, user identification, device location, and behavior patterns.

Related:Linux Security in the Cloud Era: Best Practices for Protecting Your Cloud Workloads

Least privilege access

Users and devices are granted only minimal access to perform their tasks. The approach often employs privileged access workstations, where an administrator uses a machine solely for administrative tasks. Once the task is completed, the administrator logs off. In a privileged access workstation environment, workstations are never used for administrative tasks, and servers are separated from administrative machines and workstations.

Micro-segmentation

Micro-segmentation involves dividing the network into smaller segments to limit the lateral movement of attackers who have breached the network.

Comprehensive monitoring

Monitoring visible sources, such as network traffic and user and machine logs (including access requests), is essential for detecting anomalies and threats. It allows security teams to respond to threats swiftly.

Configuring Linux Systems for Zero Trust

Implementing the zero-trust model in Linux environments typically involves the following steps:

  1. Properly manage secure shell (SSH) keys

  2. Implement user authentication and role-based access control

  3. Set up and manage micro-segmentation and network isolation

1. Properly manage SSH keys

SSH is a fundamental tool for managing Linux systems through remote access. Proper management of SSH keys is crucial for zero trust security. Best practices for managing SSH keys include:

Turn off password authentication: Password-based authentication is susceptible to brute force and dictionary attacks. Instead, implement SSH key-based authentication. If you don’t have sshd installed, you can install it using this command: sudo apt install openssh-server

#Open the SSH configuration file
sudo nano /etc/ssh/sshd_config
#Disable password authentication
PasswordAuthentication no
#Restart the SSH service
sudo systemctl restart sshd

screenshot showing how to locate the ssh_config file in the /etc/ directory

Figure 1. Here’s how to locate the ssh_config file in the /etc/ directory.

screenshot showing how to turn off password authentication by modifying the ssh_config file

Figure 2. Here’s how to turn off password authentication by modifying the ssh_config file in Nano. Use Ctrl + O to write out to disk and Ctrl + X to exit Nano.

screenshot showing how to restart the sshd service and check its status using systemctl

Figure 3. Here’s how to restart the sshd service and check its status using systemctl.  

Use strong and unique SSH keys: Generate and use strong SSH key pairs for each user. Ensure all SSH keys are unique.

#Generate an SSH key pair
sudo ssh-keygen -t rsa -b 4096 -C “[email protected]

screenshot showing how to generate a 4096-bit SSH key pair

Figure 4. Here’s how to generate a 4096-bit SSH key pair.

Deploy an SSH key management tool: Use tools such as ssh-keygen for managing SSH keys and automating key rotation.

Limit SSH access: Restrict SSH access to individual IP addresses. Use jump hosts to minimize the attack surface.

#Restrict SSH access to specific IP addresses
sudo nano /etc/hosts.allow
sshd: 192.168.1.0/24
sudo nano /etc/hosts.deny
sshd: ALL

screenshot showing how to open and modify the hosts.allow configuration file to enabled access to an IP address range

Figure 5. Open and modify the hosts.allow configuration file to enabled access to an IP address range.

screenshot showing how to open and modify the hosts.deny configuration file to reject all other SSH connections that do not belong to the allowed IP address range

Figure 6. Open and modify the hosts.deny configuration file to reject all other SSH connections that do not belong to the allowed IP address range.

2. Implement user authentication and role-based access control

You can implement multifactor authentication (MFA) and role-based access control (RBAC) as part of your zero-trust strategy.

Multifactor authentication: MFA adds a layer of security to your Linux system. You can implement MFA using tools such as Google Authenticator or Duo Security. To install Google Authenticator, use the following commands:

#Install Google Authenticator
sudo apt-get install libpam-google-authenticator

screenshot showing how to install Google Authenticator using APT

Figure 7. Here’s how to install Google Authenticator using APT.

#Configure MFA for SSH
sudo nano /etc/pam.d/sshd
auth required pam_google_authenticator.so

screenshot showing how to modify the sshd file to configure MFA for SSH

Figure 8. Here’s how to modify the sshd file to configure MFA for SSH.

  • Role-Based Access Control: Implement RBAC to ensure users access only the necessary resources. You can do this using tools like sudo and PolicyKit.

#Create a new sudoers file for a specific role
sudo visudo -f /etc/sudoers.d/developer
#Grant specific privileges to the role
developer ALL=(ALL) /usr/bin/git, /usr/bin/docker

screenshot showing how a new sudoers file is created in the /etc directory and modified to grant specific privileges to the role

Figure 9. A new sudoers file is created in the /etc directory and modified to grant specific privileges to the role.

3. Set up and manage micro-segmentation and network isolation

Micro-segmentation and network isolation are vital components of a zero-trust architecture. They help limit the lateral movement of attackers if they gain initial access to the network.

Configure iptables for network segmentation: iptables is a powerful tool for configuring network packet filtering rules in Linux. You can configure iptables to allow incoming SSH traffic from a specific IP range.

#Allow incoming traffic on port 22 (SSH) from a specific IP range
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
#Block all other incoming traffic on port 22
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

screenshot showing how iptables allows SSH traffic from a specific IP address range

Figure 10. iptables allows SSH traffic from a specific IP address range.

Implement VLANS: Use VLANs (virtual local area networks) to segment network traffic logically. Tools such as Open vSwitch (download here) can help manage VLANs in Linux environments.

# Create a new VLAN
sudo ovs-vsctl add-br br0
sudo ovs-vsctl add-port br0 vlan10 tag=10 -- set interface vlan10 type=internal

Use firewalls and security groups: Tools like UFW (Uncomplicated Firewall) can simplify the management of firewalls.

#Enable UFW and allow specific traffic.
sudo ufw enable
sudo ufw allow from 192.168.1.0/24 to any port 22

image011.png

Figure 11. Here’s how to enable UFW, check the status of the UFW service, and allow SSH traffic over port 22 for a specific IP address range while blocking all other traffic over port 22.

Implement container security: Container orchestration tools like Kubernetes can manage micro-segmentation within containerized environments. You can then implement network policies to control traffic between different pods.

#Implement network policies to control traffic between different pods in yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector: {}
policyTypes:
-Ingress
-Egress

Continuous Monitoring and Auditing Practices for Linux

Continuous monitoring and auditing practices are essential for detecting and responding to security incidents. Here are several tools and practices.

Centralized logging with syslog: You can use syslog for centralized logging from Linux systems. Tools such as rsyslog, syslog-ng, and the ELK stack (Elasticsearch, Logstash, and Kibana) assist with the aggregation and analysis of logs. Logs provide critical visibility for security teams.

     #Install and configure rsyslog
sudo apt install rsyslog
     sudo nano /etc/rsyslog.conf
     # Forward logs to a central server
 *.* @logserver:514

screenshot showing how to enable UFW, check the status of the UFW service, and allow SSH traffic over port 22 for a specific IP address range while blocking all other traffic over port 22

Figure 12. The rsyslog.conf file is modified to forward logs to a central server.

Auditd: Auditd is a powerful tool for monitoring and logging system calls and other user activities. You can configure audit rules to track specific events on the system.

#Install Auditd
sudo apt install auditd
#Configure audit rules
sudo nano /etc/audit/audit.rules
#Example rule to monitor changes to /etc/passwd
-w /etc/passwd -p wa -k passwd changes
#Restart Auditd
sudo systemctl restart auditd

screenshot showing how the rsyslog.conf file is modified to forward logs to a central server

Figure 13. Configure auditd.rules to log changes to the /etc/passwd file.

Intrusion detection systems (IDS): Deploy IDS tools like OSSEC, Snort, or Suricata to detect suspicious activities on the network and at the host level.

#Download and Install OSSEC using wget 
wget -U ossec <a href="https://github.com/ossec/ossec-hids/archive/master.zip"><strong>https://github.com/ossec/ossec-hids/archive/master.zip</strong></a>
unzip master.zip
cd ossec-hids-master
sudo ./install.sh

File integrity monitoring (FIM): Implement FIM to detect unauthorized modifications to critical system files. You can use open-source tools such as Tripwire and AIDE to implement FIM.

#Install AIDE
sudo apt install aide
#Initialize AIDE database
sudo aideinit
#Check for changes
sudo aide --check
Security information/incident and event monitoring/management (SIEM): SIEM technologies are helpful for log analysis. They allow logs to be aggregated, correlated, and analyzed from multiple sources. Excellent open-source and freemium SIEM tools include Splunk, the ELK stack, and IBM’s QRadar.
#Example: Configuring Logstash to forward logs to Elasticsearch
Input {
File {
 path => “/var/log/syslog”
 start_position = > “beginning”
 }
}

Main Takeaways

Implementing a zero-trust security model in a Linux environment significantly improves protection against sophisticated cyber threats. By adhering to zero-trust principles – such as continuous verification, least privilege access, privilege access workstations, micro-segmentation, and monitoring – you can create a resilient and secure environment capable of handling the complex and ever-evolving threat landscape.

ITPro Today Linux resources

About the Author

Grant Knoetze

Contributor

Grant Knoetze is a cybersecurity analyst with a special interest in DFIR, programming languages, incident response, red-teaming, and malware analysis. His full-time job includes teaching and instructing in various topics from basic Linux all the way through to malware incident response, and other advanced topics. He is also a speaker at various conferences worldwide.

www.grantknoetze.com

https://github.com/Grant-Knoetze

https://www.linkedin.com/in/grant-knoetze-563b0b1b6/

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like