Linux Security

From miki
Revision as of 09:31, 8 June 2016 by Mip (talk | contribs) (→‎SSH)

Anything about security on Linux. When a topic is already covered on another page, link to it.

Setting umask

The default umask on Ubuntu / Debian is 022, meaning that newly created files and directories are world-readable by default.

To change the defaults (see [1]) to 027:

Add to /etc/sudoers:

Defaults umask = 0027
Defaults umask_override

Edit /etc/login.defs:

UMASK       027
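The following script is an added example (not part of the original page) that shows what the two umask values actually do to new files and directories, and reads the UMASK value out of a login.defs-style text. It works entirely in a temporary directory and on a constructed excerpt of /etc/login.defs, so it touches no system file; the function names are this example's own.

```shell
#!/bin/sh
# Added example: demonstrate the effect of a umask on new files/directories
# and read the UMASK setting from login.defs-style text.

# mode_for_umask UMASK KIND -> prints the symbolic mode (e.g. -rw-r--r--) of a
# new file (KIND=file) or directory (KIND=dir) created under UMASK.
mode_for_umask() {
  _u=$1
  _kind=$2
  _tmp=$(mktemp -d) || return 1
  # The umask is set in a subshell so it does not leak into the caller.
  (
    umask "$_u"
    if [ "$_kind" = dir ]; then
      mkdir "$_tmp/probe"
    else
      : > "$_tmp/probe"      # creates the file with 666 & ~umask
    fi
  )
  ls -ld "$_tmp/probe" | cut -c1-10
  rm -rf "$_tmp"
}

# login_defs_umask TEXT -> prints the value of the first active UMASK line.
# Commented lines (#UMASK ...) are skipped because their first field is not
# exactly "UMASK"; prints "unset" when no active line exists.
login_defs_umask() {
  printf '%s\n' "$1" | awk '
    $1 == "UMASK" { print $2; found = 1; exit }
    END { if (!found) print "unset" }'
}

# Constructed excerpt of /etc/login.defs (not copied from a real host).
SAMPLE_LOGIN_DEFS='# constructed login.defs excerpt
#UMASK		022
UMASK		027
'

# Side-by-side report of the Debian default and the hardened value.
umask_report() {
  for _u in 022 027; do
    printf 'umask %s: file %s  dir %s\n' "$_u" \
      "$(mode_for_umask "$_u" file)" "$(mode_for_umask "$_u" dir)"
  done
  printf 'login.defs UMASK: %s\n' "$(login_defs_umask "$SAMPLE_LOGIN_DEFS")"
}

umask_report
```

Under 022 a new file is `-rw-r--r--` and a directory `drwxr-xr-x`; under 027 the "other" bits disappear (`-rw-r-----` / `drwxr-x---`), which is the point of the change above.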

Firewall

With UFW

TBC

With iptables

List the firewall rules:

iptables -L

Stop the firewall (flush every rule and user chain, and set all default policies to ACCEPT):

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Server hardening

Assume server name is myserver.org.

SSH

PasswordAuthentication

Disable password authentication since it is prone to brute-force attacks. Edit /etc/ssh/sshd_config:

PasswordAuthentication no

DebianBanner

Test if sshd sends a banner [2]:

nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
# ^C

Edit /etc/ssh/sshd_config, and add the line:

DebianBanner no

Restart and verify the banner:

service sshd restart
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1
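Added example (not from the original page): a small audit of an sshd_config text for the two settings above. It relies on one rule of sshd_config that is easy to trip over: for each keyword the first non-comment occurrence wins, so a `PasswordAuthentication no` appended at the end of the file does nothing if an earlier `PasswordAuthentication yes` exists. The configs below are constructed, the function names are this example's own, and it assumes plain `keyword value` lines with no Match blocks.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a keyword and
# check the two hardening settings from this page.

# sshd_effective CONFIG_TEXT KEYWORD -> prints the effective value, or "unset"
# when the keyword never appears. Keywords are case-insensitive and the first
# non-comment occurrence wins, as sshd itself behaves.
sshd_effective() {
  printf '%s\n' "$1" | awk -v key="$2" '
    BEGIN { key = tolower(key) }
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; found = 1; exit }
    END { if (!found) print "unset" }'
}

# sshd_hardening_check CONFIG_TEXT -> prints "ok" when both settings are
# hardened, otherwise one line per finding; returns non-zero on findings.
# "unset" counts as a finding because both options default to yes.
sshd_hardening_check() {
  _cfg=$1
  _bad=0
  for _pair in PasswordAuthentication:no DebianBanner:no; do
    _key=${_pair%%:*}
    _want=${_pair##*:}
    _got=$(sshd_effective "$_cfg" "$_key")
    [ "$_got" = "$_want" ] || {
      printf '%s is %s, want %s\n' "$_key" "$_got" "$_want"
      _bad=1
    }
  done
  [ "$_bad" -eq 0 ] && echo ok
  return "$_bad"
}

# Constructed sshd_config samples (not taken from any real host).
CFG_BAD='# constructed: a later "no" does not override the earlier "yes"
PasswordAuthentication yes
PasswordAuthentication no
'
CFG_GOOD='# constructed: hardened values from this page
PasswordAuthentication no
DebianBanner no
'

echo "bad config:";  sshd_hardening_check "$CFG_BAD" || true
echo "good config:"; sshd_hardening_check "$CFG_GOOD"
```

On a live host the same check is `sshd_hardening_check "$(cat /etc/ssh/sshd_config)"`; `sshd -T` (run as root) prints the fully resolved configuration and is the authoritative way to confirm what the daemon loaded.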

Rate-limit incoming connections

Add the following rules to iptables [3],[]. Assuming that you have a default DROP rule on the INPUT chain, you must add these rules before the ACCEPT rule:

# -I inserts at the top of the chain, so each command lands above the previous
# one. Run them in this order so the chain reads: --set, --update/DROP, ACCEPT.
iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

Use the following script to test your new rules:

#!/bin/bash
# Open 5 SSH connections in quick succession (replace 192.168.1.1 with the
# address of the server under test). Once the hit count reaches 5 within
# 60 seconds the connection is dropped, so the last attempt should time out.
for i in $(seq 1 5) ; do
    echo 'exit' | nc -w 2 192.168.1.1 22
done