Linux Security: Difference between revisions

From miki

Revision as of 09:31, 8 June 2016

Anything about security on linux. When topics are already covered in other pages, give links to them.

Setting umask

The default umask on Ubuntu / Debian is 022, meaning that newly created files and folders are world-readable by default.

To change the defaults (see [1]) to 027:

Add to /etc/sudoers:

Defaults umask = 0027
Defaults umask_override

Edit /etc/login.defs:

UMASK       027

Firewall

With UFW

TBC

With iptables

List the firewall rules:

iptables -L

Stop the firewall (flush all rules and user-defined chains in every table, then set the default policies back to ACCEPT):

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Server hardening

Assume the server name is myserver.org.

SSH

PasswordAuthentication

Disable password authentication since it is prone to brute-force attacks. Edit /etc/ssh/sshd_config:

PasswordAuthentication no

DebianBanner

Test whether sshd sends a banner that reveals the Debian package version [2]:

nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
# ^C

Edit /etc/ssh/sshd_config, and add the line:

DebianBanner no

Restart and verify the banner:

service sshd restart
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1

Rate-limit incoming connections

Add the following rules to iptables [3]. Assuming that you have a default DROP rule on the INPUT chain, the two recent-module rules must end up above the ACCEPT rule for port 22. Because -I inserts each rule at the head of the chain, the rules end up in the reverse order of the commands, so the ACCEPT rule has to be inserted first:

# Inserted first, so it ends up below the two rate-limit rules
iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Record every new SSH connection from a source address
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# Drop the connection once a source has made 5 new connections within 60 seconds
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

Use the following script to test your new rules:

#!/bin/bash

for i in $(seq 1 5) ; do
    echo 'exit' | nc 192.168.1.1 22 ;
done
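Whether the rate limit works depends entirely on the rules above ending up in front of the SSH ACCEPT rule, which is easy to get wrong with -I. The following script is an added example (not from this wiki page): it reads the rule-spec listing printed by iptables -S INPUT and reports whether the two -m recent rules for port 22 sit above the ACCEPT rule; the two embedded listings are constructed samples modelled on what the three -I commands produce depending on the order they are run in.

```bash
#!/bin/bash
# Added example: check that the SSH rate-limit rules are above the SSH ACCEPT rule.
# "iptables -I" inserts at position 1 of the chain, so rules end up in the reverse
# order of the commands that created them; if ACCEPT lands on top, the "-m recent"
# rules below it never see a packet. Input is the rule-spec listing printed by
# `iptables -S INPUT`, one rule per line, read from stdin.

check_ssh_ratelimit_order() {
    local n=0 set_pos=0 drop_pos=0 accept_pos=0 rule
    while IFS= read -r rule; do
        case "$rule" in "-A INPUT "*) ;; *) continue ;; esac   # skip -P policy lines
        n=$((n + 1))
        case "$rule" in
            *"--dport 22"*"-m recent --set"*)             [ "$set_pos" -eq 0 ] && set_pos=$n ;;
            *"--dport 22"*"-m recent --update"*"-j DROP") [ "$drop_pos" -eq 0 ] && drop_pos=$n ;;
            *"--dport 22 -j ACCEPT")                      [ "$accept_pos" -eq 0 ] && accept_pos=$n ;;
        esac
    done
    if [ "$set_pos" -eq 0 ] || [ "$drop_pos" -eq 0 ] || [ "$accept_pos" -eq 0 ]; then
        echo "missing rule (set=$set_pos drop=$drop_pos accept=$accept_pos)"
        return 1
    fi
    if [ "$drop_pos" -lt "$accept_pos" ] && [ "$set_pos" -lt "$accept_pos" ]; then
        echo "ok: recent rules at positions $set_pos and $drop_pos precede ACCEPT at $accept_pos"
        return 0
    fi
    echo "WRONG ORDER: ACCEPT at position $accept_pos is evaluated before the recent rules"
    return 1
}

# Constructed sample: chain produced when the ACCEPT rule is inserted with -I last,
# so that it sits on top of the chain.
RULES_ACCEPT_ON_TOP='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource'

# Constructed sample: same rules with ACCEPT inserted first, so it ends up last.
RULES_FIXED='-P INPUT DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$RULES_ACCEPT_ON_TOP" | check_ssh_ratelimit_order
    printf '%s\n' "$RULES_FIXED" | check_ssh_ratelimit_order
fi
```

On the server itself, run iptables -S INPUT | check_ssh_ratelimit_order (as root) to check the live chain instead of the samples.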