Linux Security: Difference between revisions

From miki
Jump to navigation Jump to search
 
(11 intermediate revisions by the same user not shown)
Line 83: Line 83:
This will remove all rules and reset the firewall to accept all connections:
This will remove all rules and reset the firewall to accept all connections:
<source lang=bash>
<source lang=bash>
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -F
iptables -X
iptables -X
Line 89: Line 92:
iptables -t mangle -F
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
</source>
</source>


Line 112: Line 112:
== Server hardening ==
== Server hardening ==
Assume server name is ''myserver.org''.
Assume server name is ''myserver.org''.

=== Apache ===

;Prevent access to .git folder
Static web site are easily updated through git. However this means that the site contains a folder {{file|.git}}, whose access must be denied.

The recommended way is to update the apache site configuration file [https://stackoverflow.com/questions/5046100/prevent-access-to-files-in-a-certain-folder]:
<source lang="xml">
<Directory "/var/www/mysite">
Require all denied
</Directory>
</source>

Or add to {{file|.htaccess}} in the relevant directory:
<source lang="xml">
Require all denied
</source>


=== SSH ===
=== SSH ===
Line 158: Line 175:
done
done
</source>
</source>

;ssh-audit
Download [https://github.com/jtesta/ssh-audit ssh-audit] and run it against the server. Follow the recommendations.

=== Fail2ban ===
;References
* https://dee.underscore.world/blog/fail2ban-filters/
:Some explanations on the <code>NO-FAIL</code> tags and other...

'''fail2ban''' scans logs of internet services and automatically bans source IP addresses that generate too many unsuccessful login attempts in a given period of time.


First install {{deb|fail2ban}}:
<source lang=bash>
apt-get install fail2ban
</source>

To edit the configuration, make a copy of file {{file|/etc/fail2ban/jail.conf}} named {{file|/etc/fail2ban/jail.local}}, and edit the copy
<source lang=bash>
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
</source>
Read the configuration file for more details or look at installation guides or manual. [https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04], [http://www.fail2ban.org/wiki/index.php/MANUAL_0_8]

My configuration:
<source lang=bash>
bantime = 600
findtime = 3600
maxretry = 3 # logchecks show lot of attempts with rate 5/hr. So we allow max 3/hr.
</source>

Jails I enable:
<source lang=bash>
[ssh]
enabled = true
maxretry = 3

[postfix]
enabled = true

[recidive]
enabled = true
maxretry = 3
</source>

Some frequently-used commands:
<source lang=bash>
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf
# To test a filter on a given log file
fail2ban-client reload # Reload a configuration
fail2ban-client status # Get overall jail status
fail2ban-client status postfix # Get status on 'postfix' jail (including banned IP)
fail2ban-client status ssh
fail2ban-client status recidive
</source>

;Restore bans on restart/reload
* On fail2ban 0.8.x, this can be customized by editing actions [46.148.27.30].
* Or install fail2ban 0.9.x.

=== Owncloud ===
TBC. See [https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html Owncloud 9.0 Server &mdash; Hardening and Security Guidance]

Relevant vulnerabilities and recommendations:
* https://owncloud.org/blog/imagetragick-dangerous-for-owncloud-users/

Latest revision as of 15:11, 20 July 2024

Anything about security on linux. When topics are already covered in other pages, give links to them.

Setting umask

Default setting for umask on Ubuntu / Debian is 022, meaning all created files / folders are by default world readable.

To change the defaults (see [1]) to 027:

Add to /etc/sudoers:

Defaults umask = 0027
Defaults umask_override

Edit /etc/login.defs:

UMASK       027

Firewall

With UFW

TBC

With iptables

Basic configuration

List current active rules

iptables -L
# Chain INPUT (policy ACCEPT)
# target     prot opt source               destination
# 
# Chain FORWARD (policy ACCEPT)
# target     prot opt source               destination
# 
# Chain OUTPUT (policy ACCEPT)
# target     prot opt source               destination

By default, there are 3 chains: INPUT, FORWARD, OUTPUT.

To authorise SSH (port 22) and HTTP (port 80):

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

See the result:

iptables -L
# Chain INPUT (policy ACCEPT)
#     target     prot opt source               destination         
#     ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
#     ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
# 
# Chain FORWARD (policy ACCEPT)
#     target     prot opt source               destination         
# 
# Chain OUTPUT (policy ACCEPT)

For the firewall to be effective, we must change the default policy from ACCEPT to DROP (or REJECT, but DROP is better). But before doing so, we need an additional rule:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

This rule tells the firewall to accept packets that are part of a connection that was already setup before via one of the opened ports. Now we can enable the firewall by changing the default policy:

iptables -A INPUT -i eth0 -j DROP
List, add, delete rules
iptables -L INPUT                # LIST INPUT rules
iptables -L                      # LIST ALL rules
iptables -I INPUT 2 _rule_...    # ADD a rule before 2nd rule
iptables -D INPUT 3              # DELETE 3rd rule
iptables -F INPUT                # FLUSH (delete) all INPUT rules
Some custom rules
iptables -I INPUT 1 -s _src_ip_ -j DROP        # Block a single source IP address
Stop and reset firewall

This will remove all rules and reset the firewall to accept all connections:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
Save and restore iptables rules

Use iptables-save and iptables-restore to query the iptables rules and save them in a readable format. Use iptables-restore to restore them later.

iptables-save > iptables.rules     # Save the rules
iptables-restore < iptables.rules  # Restore the rules

On Debian, firewall rules are restored at boot using iptables-restore. In file /etc/network/interfaces, we have:

# ...
post-up iptables-restore < /etc/iptables.up.rules
# ...

Server hardening

Assume server name is myserver.org.

Apache

Prevent access to .git folder

Static web site are easily updated through git. However this means that the site contains a folder .git, whose access must be denied.

The recommended way is to update the apache site configuration file [2]:

<Directory "/var/www/mysite">
    Require all denied
</Directory>

Or add to .htaccess in the relevant directory:

Require all denied

SSH

PasswordAuthentication

Disable password authentication since it is prone to brute-force attacks. Edit /etc/ssh/sshd_config:

PasswordAuthentication no
DebianBanner

Test if sshd sends a banner [3]:

nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
# ^C

Edit /etc/ssh/sshd_config, and add the line:

DebianBanner no

Restart and verify the banner:

service sshd restart
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1
rate-limit incoming connections

Add the following rules to iptables [4],[]. Assuming that you have a default DROP rule on the INPUT chain, you must add these rules before the ACCEPT rule:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --update --seconds 60 --hitcount 5 -j DROP
iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Use the following script to test your new rules:

#!/bin/bash

for i in `seq 1 5` ; do
echo 'exit' | nc myserver.org 22 ;
done
ssh-audit

Download ssh-audit and run it against the server. Follow the recommendations.

Fail2ban

References
Some explanations on the NO-FAIL tags and other...

fail2ban scans logs of internet services and automatically bans source IP addresses that generate too many unsuccessful login attempts in a given period of time.


First install fail2ban:

apt-get install fail2ban

To edit the configuration, make a copy of file /etc/fail2ban/jail.conf named /etc/fail2ban/jail.local, and edit the copy

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

Read the configuration file for more details or look at installation guides or manual. [5], [6]

My configuration:

bantime  = 600
findtime = 3600
maxretry = 3             # logchecks show lot of attempts with rate 5/hr. So we allow max 3/hr.

Jails I enable:

[ssh]
enabled  = true
maxretry = 3

[postfix]
enabled  = true

[recidive]
enabled  = true
maxretry = 3

Some frequently-used commands:

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf 
                                    # To test a filter on a given log file
fail2ban-client reload              # Reload a configuration
fail2ban-client status              # Get overall jail status
fail2ban-client status postfix      # Get status on 'postfix' jail (including banned IP)
fail2ban-client status ssh
fail2ban-client status recidive
Restore bans on restart/reload
  • On fail2ban 0.8.x, this can be customized by editing actions [46.148.27.30].
  • Or install fail2ban 0.9.x.

Owncloud

TBC. See Owncloud 9.0 Server — Hardening and Security Guidance

Relevant vulnerabilities and recommendations: