Linux Security

Anything about security on linux. When topics are already covered in other pages, give links to them.

== Setting umask ==

The default umask on Ubuntu / Debian is 022, so newly created files are world-readable (mode 644) and directories are world-readable and world-searchable (mode 755). To change the default to 027, which removes every permission for "other" while keeping read access for the owning group:

Add to {{file|/etc/sudoers}} (through <code>visudo</code>), so that commands run under sudo use the same mask instead of sudo's own default of 022:

<source lang=bash>
Defaults umask = 0027
Defaults umask_override
</source>

Edit {{file|/etc/login.defs}}, which sets the mask for login sessions:

<source lang=bash>
UMASK 027
</source>

The new value only applies to sessions started after the change; check it with <code>umask</code> in a fresh login shell and with <code>sudo sh -c umask</code>.
== Firewall ==

=== With UFW ===

TBC

=== With iptables ===

;Basic configuration

List the currently active rules of the default ''filter'' table (add <code>-n</code> to skip the reverse DNS lookups that otherwise slow the listing down and leak queries):

<source lang=bash>
iptables -L
# Chain INPUT (policy ACCEPT)
# target     prot opt source               destination
#
# Chain FORWARD (policy ACCEPT)
# target     prot opt source               destination
#
# Chain OUTPUT (policy ACCEPT)
# target     prot opt source               destination
</source>

The ''filter'' table has 3 built-in chains: '''INPUT''' (packets addressed to this host), '''FORWARD''' (packets routed through it) and '''OUTPUT''' (packets it sends). Each chain has a default policy, here ''ACCEPT'', that applies to packets matching none of its rules.

To authorise SSH (port 22) and HTTP (port 80) on the public interface (''eth0'' here; check <code>ip link</code>, recent Debian releases use names such as ''ens3'' or ''enp0s3''):

<source lang=bash>
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
</source>

See the result:

<source lang=bash>
iptables -L
# Chain INPUT (policy ACCEPT)
# target     prot opt source               destination
# ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
# ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
#
# Chain FORWARD (policy ACCEPT)
# target     prot opt source               destination
#
# Chain OUTPUT (policy ACCEPT)
# target     prot opt source               destination
</source>

For the firewall to be effective, packets that match no ACCEPT rule must be dropped instead of accepted (''REJECT'' answers with an ICMP error, or a TCP reset if configured, which is friendlier on an internal network; ''DROP'' is the usual choice on an internet-facing host). But before doing so, we need an additional rule:

<source lang=bash>
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
</source>

This rule accepts packets belonging to a connection the connection tracker already knows, which includes the replies to connections this host opens itself (DNS, apt, NTP): without it, outgoing connections would stop working as soon as unmatched input is dropped. (<code>-m state --state</code> is kept for compatibility; <code>-m conntrack --ctstate ESTABLISHED,RELATED</code> is the current form and behaves the same here.) Now we can close the firewall with a catch-all rule at the end of the chain:

<source lang=bash>
iptables -A INPUT -i eth0 -j DROP
</source>

This leaves the chain policy at ''ACCEPT'' and only drops unmatched traffic arriving on ''eth0'', so the loopback interface and any other interface stay open. The alternative, <code>iptables -P INPUT DROP</code>, applies to every interface and must be preceded by <code>iptables -A INPUT -i lo -j ACCEPT</code>, otherwise local services that talk to each other over 127.0.0.1 break. Whichever form is used, these rules only cover IPv4: if the host has an IPv6 address, the same policy must be configured separately with <code>ip6tables</code>, or the host stays fully reachable over IPv6.
;List, add, delete rules

Rule positions are 1-based within a chain; list with <code>--line-numbers</code> to see them before inserting or deleting by number:

<source lang=bash>
iptables -L INPUT -n --line-numbers  # LIST INPUT rules with their positions
iptables -L -n                       # LIST ALL rules of the filter table
iptables -I INPUT 2 _rule_...        # INSERT a rule at position 2 (the old 2nd rule becomes 3rd)
iptables -I INPUT _rule_...          # INSERT a rule at the top of the chain
iptables -D INPUT 3                  # DELETE the 3rd rule
iptables -F INPUT                    # FLUSH (delete) all INPUT rules (the chain policy is kept)
</source>

;Some custom rules

<source lang=bash>
iptables -I INPUT 1 -s _src_ip_ -j DROP   # Block a single source IP address; inserted first so no ACCEPT rule matches before it
</source>

;Stop and reset firewall

This will remove all rules and reset the firewall to accept all connections. The policies are set back to ''ACCEPT'' before flushing: with a ''DROP'' policy in place, flushing first would cut every connection, including the SSH session running the commands.

<source lang=bash>
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
</source>

;Save and restore iptables rules

Use <code>iptables-save</code> to dump the current rules of all tables in a text format that <code>iptables-restore</code> reads back later. A restore replaces the whole ruleset atomically, which is safer than running a script of individual <code>iptables</code> commands over a remote connection.

<source lang=bash>
iptables-save > iptables.rules     # Save the rules
iptables-restore < iptables.rules  # Restore the rules
</source>

On Debian with ''ifupdown'', firewall rules are restored when the interface is configured. In file {{file|/etc/network/interfaces}}, we have:

<source lang=bash>
# ...
post-up iptables-restore < /etc/iptables.up.rules
# ...
</source>

<code>pre-up</code> is preferable to <code>post-up</code>: it loads the rules before the interface comes up, so there is no window in which it carries traffic unfiltered. The package {{deb|iptables-persistent}} does the same from {{file|/etc/iptables/rules.v4}} and {{file|/etc/iptables/rules.v6}} without editing the interfaces file. IPv6 rules are saved and restored separately with <code>ip6tables-save</code> / <code>ip6tables-restore</code>.
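The basic configuration and the save/restore steps above put together, as an added example that is not code from the original page: a script that emits the ruleset in the format <code>iptables-restore</code> reads, so the policy can be reviewed as a file, sanity-checked, and loaded in one atomic step. Assumptions (not from the page): the public interface is ''eth0'', the services are SSH and HTTP, output is unrestricted, and the rules file path is the one used in the interfaces snippet above.

```shell
#!/bin/sh
# Added example: build the firewall described above as an iptables-restore file.
# Assumptions (not from the original page): public interface eth0, TCP services 22 and 80.
IFACE="${IFACE:-eth0}"
TCP_PORTS="22 80"
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"

gen_rules() {
    printf '%s\n' '*filter'
    # Chain policies: unmatched input/forwarded packets are dropped, output stays open.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # With a DROP policy the loopback interface must be allowed explicitly.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, plus related traffic (e.g. ICMP errors).
    printf '%s\n' "-A INPUT -i $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Packets the tracker cannot associate with any connection.
    printf '%s\n' "-A INPUT -i $IFACE -m conntrack --ctstate INVALID -j DROP"
    # Only the first packet of each new connection has to pass the port rules.
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Checks worth running before loading a ruleset over SSH: loopback allowed, return traffic
# allowed, INPUT policy actually DROP. Returns non-zero on the first missing item.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q '^-A INPUT -i lo -j ACCEPT$' || { echo "missing loopback rule" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED' || { echo "missing conntrack rule" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || { echo "INPUT policy is not DROP" >&2; return 1; }
    return 0
}

# Number of ACCEPT rules in the generated set (loopback, conntrack, one per port).
accept_rule_count() { gen_rules | grep -c -- '-j ACCEPT'; }

case "${1:-}" in
    print) gen_rules ;;
    check) check_rules && echo "ruleset ok" ;;
    # Write the file read at boot (see /etc/network/interfaces) and load it now.
    # --test parses without committing, so a syntax error is caught before anything changes.
    load)  check_rules && gen_rules > "$RULES_FILE" \
               && iptables-restore --test < "$RULES_FILE" && iptables-restore < "$RULES_FILE" ;;
esac
```

Run it as <code>sh firewall.sh print</code> to review, <code>check</code> to verify, and <code>load</code> as root to apply. When doing this over SSH on a remote host, <code>iptables-apply</code> (shipped with the iptables package) loads a rules file and reverts it automatically unless you confirm within a timeout, which covers the case where the new rules cut your own session.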
== Server hardening ==

Assume server name is ''myserver.org''.

=== Apache ===

;Prevent access to .git folder

Static web sites are easily updated through git (a <code>git pull</code> in the document root). However this means that the site contains a folder {{file|.git}}, and anyone who can fetch {{file|.git/HEAD}}, {{file|.git/config}} and the object files can reconstruct the whole repository, including history and any file later removed from the site. Access to it must be denied.

The recommended way is to update the apache site configuration file [https://stackoverflow.com/questions/5046100/prevent-access-to-files-in-a-certain-folder]. The directive must target the {{file|.git}} directory itself, not the document root, otherwise the whole site is denied (Apache 2.4 syntax; 2.2 used <code>Order deny,allow</code> / <code>Deny from all</code>):

<source lang="xml">
<Directory "/var/www/mysite/.git">
    Require all denied
</Directory>
</source>

<code><nowiki><DirectoryMatch "/\.git"></nowiki></code> with the same body covers every {{file|.git}} directory below the document root, which is useful when several sites or submodules are served.

Or add to {{file|.htaccess}} in the {{file|.git}} directory itself (requires <code>AllowOverride</code> to permit it, and the file is lost if the clone is recreated):

<source lang="xml">
Require all denied
</source>

Verify from outside after reloading Apache: <code>curl -sI https://myserver.org/.git/HEAD</code> must return 403 (or 404), never 200.
=== SSH ===

;PasswordAuthentication

Disable password authentication since it is prone to brute-force attacks; keys cannot be guessed online. First make sure key-based login works for at least one account, and keep the current session open while testing, since a mistake here locks you out. Edit {{file|/etc/ssh/sshd_config}}:

<source lang=bash>
PasswordAuthentication no
# Also needed: with PAM, sshd can still prompt for a password through keyboard-interactive
# authentication unless that is disabled too.
ChallengeResponseAuthentication no
# (called KbdInteractiveAuthentication in OpenSSH 8.7 and later; the old name is still accepted)
</source>

Check the syntax with <code>sshd -t</code> before restarting, then confirm from another machine that <code>ssh -o PubkeyAuthentication=no myserver.org</code> is refused with ''Permission denied (publickey)''.

;DebianBanner

Test if sshd sends a banner [https://scottlinux.com/2011/06/14/disable-debian-banner-suffix-on-ssh-server/]. The version string is sent in clear before any key exchange, so anyone can read it:

<source lang=bash>
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
# ^C
</source>

The Debian suffix tells a scanner the exact package revision. Removing it only hides which patches are applied; the OpenSSH version itself stays visible, so keep the package updated regardless. Edit {{file|/etc/ssh/sshd_config}}, and add the line:

<source lang=bash>
DebianBanner no
</source>

Restart and verify the banner (the Debian service is named ''ssh''; ''sshd'' only works through the systemd alias):

<source lang=bash>
sshd -t && service ssh restart
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1
</source>
;rate-limit incoming connections

Add the following rules to iptables [https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections]. They use the ''recent'' match: the <code>--set</code> rule records the source address of every new SSH connection, and the <code>--update</code> rule drops a new connection from an address that already has <code>--hitcount</code> entries younger than <code>--seconds</code> (with these values, an address that opened 5 connections in the last 60 seconds gets its next one dropped). The DROP rule must therefore sit above both the <code>--set</code> rule and every ACCEPT rule for port 22, including the one added in the basic configuration above. Since <code>-I</code> without a position inserts at the top of the chain, each command lands above the previous one, so the ACCEPT is issued first and the DROP last:

<source lang=bash>
iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
</source>

Check the resulting order with <code>iptables -L INPUT -n --line-numbers</code>: the DROP rule must be line 1. Issued in the reverse order, the ACCEPT ends up on top and the limit never triggers. Note that the limit applies to the administrator too; an address that must never be locked out can be exempted with an ACCEPT rule for it inserted above the DROP.

Use the following script to test your new rules; with <code>--hitcount 5</code> the first five connections receive a banner and the sixth hangs until the timeout:

<source lang=bash>
#!/bin/bash
for i in $(seq 1 6) ; do
    echo 'exit' | nc -w 3 myserver.org 22 ;
done
</source>
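To make the ordering rule concrete, here is an added example that is not part of the original page: a small awk simulator of how <code>-I</code> and <code>-A</code> place rules in a chain. It does not touch iptables; it only reproduces the positioning so the two insertion orders can be compared without a server. The base chain it starts from is the conntrack rule and catch-all DROP from the basic configuration above.

```shell
#!/bin/sh
# Added example: simulate where iptables -I / -A place rules in a chain (no iptables needed).
# Reads "iptables ..." commands on stdin and prints the resulting chain, one rule per line.
simulate_chain() {
    awk '
    /^iptables / {
        if ($2 == "-I") {
            # -I CHAIN [N] rule: insert at position N (default 1 = top of chain)
            if ($4 ~ /^[0-9]+$/) { pos = $4 + 0; start = 5 } else { pos = 1; start = 4 }
        } else if ($2 == "-A") {
            # -A CHAIN rule: append at the end
            pos = n + 1; start = 4
        } else next
        rule = ""
        for (i = start; i <= NF; i++) rule = rule (rule == "" ? "" : " ") $i
        for (k = n; k >= pos; k--) rules[k + 1] = rules[k]   # shift later rules down
        rules[pos] = rule
        n++
    }
    END { for (k = 1; k <= n; k++) print k ": " rules[k] }'
}

# The chain as left by the basic configuration: conntrack rule, then the catch-all DROP.
base_rules() {
    printf '%s\n' \
        'iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A INPUT -i eth0 -j DROP'
}

# Wrong: the ACCEPT is inserted last, so it lands on top and the recent rules are never reached.
accept_last() {
    base_rules
    printf '%s\n' \
        'iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set' \
        'iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP' \
        'iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
}

# Right: ACCEPT first, --set second, DROP last, so the limit check runs before anything accepts port 22.
accept_first() {
    base_rules
    printf '%s\n' \
        'iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        'iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set' \
        'iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP'
}

# Target of the topmost port-22 rule in the chain built by the named function: "DROP" only when
# the rate limit is actually evaluated first.
first_ssh_target() {
    "$1" | simulate_chain | grep -- '--dport 22' | head -n 1 | sed 's/.* -j //'
}

echo "ACCEPT inserted last:";  accept_last  | simulate_chain
echo "ACCEPT inserted first:"; accept_first | simulate_chain
```

On a real host the same comparison is <code>iptables -L INPUT -n --line-numbers</code> after each command; the simulator is only there to show the mechanism (insert at position, shift the rest down) that makes the order of the three <code>-I</code> commands matter.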
;ssh-audit

Download [https://github.com/jtesta/ssh-audit ssh-audit] and run it against the server (<code>python3 ssh-audit.py myserver.org</code>). It lists the key exchange, host key, cipher and MAC algorithms the server offers and flags the weak ones, together with the {{file|sshd_config}} changes that remove them. Follow the recommendations, then run it again to confirm.

=== Fail2ban ===

;References

* https://dee.underscore.world/blog/fail2ban-filters/
:Some explanations on the <code>NO-FAIL</code> tags and other...

'''fail2ban''' scans logs of internet services and automatically bans source IP addresses that generate too many unsuccessful login attempts in a given period of time, by default with iptables rules it manages in chains of its own. It complements the measures above rather than replacing them: it acts only after the failures have been logged, and it only sees what the service logs.

First install {{deb|fail2ban}}:

<source lang=bash>
apt-get install fail2ban
</source>

To edit the configuration, do not modify {{file|/etc/fail2ban/jail.conf}}, which is replaced on upgrades: settings in {{file|/etc/fail2ban/jail.local}} override it. Copying the whole file gives a commented template to edit:

<source lang=bash>
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
</source>

A {{file|jail.local}} containing only the changed sections and keys is easier to maintain, since upstream defaults keep applying after a package upgrade.

Read the configuration file for more details or look at installation guides or the manual. [https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04], [http://www.fail2ban.org/wiki/index.php/MANUAL_0_8]

My configuration (values in seconds, in the <code>[DEFAULT]</code> section of {{file|jail.local}}, so they apply to every jail unless a jail overrides them):

<source lang=bash>
[DEFAULT]
# logchecks show lot of attempts with rate 5/hr. So we allow max 3/hr.
bantime  = 600
findtime = 3600
maxretry = 3
</source>

An address is banned for <code>bantime</code> once it has produced <code>maxretry</code> failures within the last <code>findtime</code> seconds.

Jails I enable (the SSH jail is called <code>[ssh]</code> in fail2ban 0.8 as shipped with Debian 8 and <code>[sshd]</code> from 0.9 on; <code>recidive</code> reads fail2ban's own log and bans, for a much longer time, addresses that were banned repeatedly):

<source lang=bash>
[ssh]
enabled  = true
maxretry = 3

[postfix]
enabled  = true

[recidive]
enabled  = true
maxretry = 3
</source>
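The effect of <code>findtime</code> and <code>maxretry</code> shown on actual log lines, as an added example that is not fail2ban's code: an awk re-implementation of the counting, run over a few constructed sshd lines in {{file|/var/log/auth.log}} format (addresses from the documentation ranges, not real traffic). It simplifies by comparing times within a single day and ignores <code>bantime</code>, so only the decision to ban is reproduced.

```shell
#!/bin/sh
# Added example: re-implement fail2ban's findtime/maxretry decision over sshd log lines.
# Simplification: timestamps are compared within one day; bantime is ignored.

# Constructed sample in /var/log/auth.log format (not real traffic).
SAMPLE_AUTH_LOG='Jan 12 10:00:01 myserver sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 12 10:00:05 myserver sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 12 10:00:09 myserver sshd[2103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 12 10:20:00 myserver sshd[2110]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jan 12 10:25:00 myserver sshd[2111]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Jan 12 12:30:00 myserver sshd[2120]: Failed password for alice from 198.51.100.7 port 50003 ssh2
Jan 12 12:31:00 myserver sshd[2121]: Failed password for alice from 198.51.100.7 port 50004 ssh2'

# simulate_jail FINDTIME MAXRETRY < logfile
# Prints one "BAN <ip> at <time> (...)" line per address whose failures reach MAXRETRY
# within a sliding FINDTIME-second window, in the order the bans would be triggered.
simulate_jail() {
    awk -v findtime="$1" -v maxretry="$2" '
    # Only lines the sshd filter counts as failures (the idea of failregex, much simplified).
    /sshd\[[0-9]+\]: Failed password for/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        cnt[ip]++
        stamp[ip, cnt[ip]] = now
        # Count this and earlier failures from the same address still inside the window.
        hits = 0
        for (k = 1; k <= cnt[ip]; k++) if (stamp[ip, k] > now - findtime) hits++
        if (hits >= maxretry && !(ip in banned)) {
            banned[ip] = 1
            print "BAN " ip " at " $3 " (" hits " failures within " findtime "s)"
        }
    }'
}

# With the settings above (findtime 3600, maxretry 3) only the fast brute force is banned;
# alice, failing three times spread over two hours, is not.
printf '%s\n' "$SAMPLE_AUTH_LOG" | simulate_jail 3600 3
# A day-long findtime would ban her too.
printf '%s\n' "$SAMPLE_AUTH_LOG" | simulate_jail 86400 3
```

The second run shows the trade-off behind the comment in the configuration: a longer <code>findtime</code> catches slow attackers but also bans legitimate users who mistype a password a few times in a day. Against a real log, <code>fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf</code> performs the matching step with the actual filter.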
Some frequently-used commands:

<source lang=bash>
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf
                                      # Test a filter on a given log file: shows how many lines matched
fail2ban-client reload                # Reload the configuration
fail2ban-client status                # Get overall jail status
fail2ban-client status postfix        # Get status on 'postfix' jail (including banned IP)
fail2ban-client status ssh
fail2ban-client status recidive
fail2ban-client set ssh unbanip _ip_  # Lift a ban by hand (e.g. after locking yourself out)
</source>

Bans are ordinary iptables rules in chains named ''f2b-...'' (''fail2ban-...'' in 0.8), visible with <code>iptables -L -n</code>. They disappear if the firewall is flushed as in the reset procedure above, so restart fail2ban (or run <code>fail2ban-client reload</code>) afterwards to recreate its chains.

;Restore bans on restart/reload

* On fail2ban 0.8.x, bans are lost when the service restarts; this can be customized by editing the actions.
* Or install fail2ban 0.9.x or later, which records bans in a database ({{file|/var/lib/fail2ban/fail2ban.sqlite3}}) and re-applies the ones still in force after a restart.

=== Owncloud ===

TBC. See [https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html Owncloud 9.0 Server — Hardening and Security Guidance]

Relevant vulnerabilities and recommendations:

* https://owncloud.org/blog/imagetragick-dangerous-for-owncloud-users/
Latest revision as of 15:11, 20 July 2024