Linux Security

From miki
Revision as of 23:41, 25 June 2016 by Mip (talk | contribs) (→‎Fail2ban)
Jump to navigation Jump to search

Anything about security on linux. When topics are already covered in other pages, give links to them.

Setting umask

Default setting for umask on Ubuntu / Debian is 022, meaning all created files / folders are by default world readable.

To change the defaults (see [1]) to 027:

Add to /etc/sudoers:

Defaults umask = 0027
Defaults umask_override

Edit /etc/login.defs:

UMASK       027

Firewall

With UFW

TBC

With iptables

Basic configuration

List current active rules

iptables -L
# Chain INPUT (policy ACCEPT)
# target     prot opt source               destination
# 
# Chain FORWARD (policy ACCEPT)
# target     prot opt source               destination
# 
# Chain OUTPUT (policy ACCEPT)
# target     prot opt source               destination

By default, there are 3 chains: INPUT, FORWARD, OUTPUT.

To authorise SSH (port 22) and HTTP (port 80):

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

See the result:

iptables -L
# Chain INPUT (policy ACCEPT)
#     target     prot opt source               destination         
#     ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
#     ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
# 
# Chain FORWARD (policy ACCEPT)
#     target     prot opt source               destination         
# 
# Chain OUTPUT (policy ACCEPT)

For the firewall to be effective, we must change the default policy from ACCEPT to DROP (or REJECT, but DROP is better). But before doing so, we need an additional rule:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

This rule tells the firewall to accept packets that are part of a connection that was already setup before via one of the opened ports. Now we can enable the firewall by changing the default policy:

iptables -A INPUT -i eth0 -j DROP
List, add, delete rules
iptables -L INPUT                # LIST INPUT rules
iptables -L                      # LIST ALL rules
iptables -I INPUT 2 _rule_...    # ADD a rule before 2nd rule
iptables -D INPUT 3              # DELETE 3rd rule
iptables -F INPUT                # FLUSH (delete) all INPUT rules
Some custom rules
iptables -I INPUT 1 -s _src_ip_ -j DROP        # Block a single source IP address
Stop and reset firewall

This will remove all rules and reset the firewall to accept all connections:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Save and restore iptables rules

Use iptables-save and iptables-restore to query the iptables rules and save them in a readable format. Use iptables-restore to restore them later.

iptables-save > iptables.rules     # Save the rules
iptables-restore < iptables.rules  # Restore the rules

On Debian, firewall rules are restored at boot using iptables-restore. In file /etc/network/interfaces, we have:

# ...
post-up iptables-restore < /etc/iptables.up.rules
# ...

Server hardening

Assume server name is myserver.org.

SSH

PasswordAuthentication

Disable password authentication since it is prone to brute-force attacks. Edit /etc/ssh/sshd_config:

PasswordAuthentication no
DebianBanner

Test if sshd sends a banner [2]:

nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
# ^C

Edit /etc/ssh/sshd_config, and add the line:

DebianBanner no

Restart and verify the banner:

service sshd restart
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1
rate-limit incoming connections

Add the following rules to iptables [3],[]. Assuming that you have a default DROP rule on the INPUT chain, you must add these rules before the ACCEPT rule:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --update --seconds 60 --hitcount 5 -j DROP
iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Use the following script to test your new rules:

#!/bin/bash

for i in `seq 1 5` ; do
echo 'exit' | nc myserver.org 22 ;
done

Fail2ban

fail2ban scans logs of internet services and automatically bans source IP addresses that generate too many unsuccessful login attempts in a given period of time.


First install fail2ban:

apt-get install fail2ban

To edit the configuration, make a copy of file /etc/fail2ban/jail.conf named /etc/fail2ban/jail.local, and edit the copy

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

Read the configuration file for more details or look at installation guides or manual. [4], [5]

My configuration:

bantime  = 600
findtime = 3600
maxretry = 3             # logchecks show lot of attempts with rate 5/hr. So we allow max 3/hr.

Jails I enable:

[ssh]
enabled  = true
maxretry = 3

[postfix]
enabled  = true

[recidive]
enabled  = true
maxretry = 3

Some frequently-used commands:

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf 
                                    # To test a filter on a given log file
fail2ban-client reload              # Reload a configuration
fail2ban-client status              # Get overall jail status
fail2ban-client status postfix      # Get status on 'postfix' jail (including banned IP)
fail2ban-client status ssh
fail2ban-client status recidive

Owncloud

TBC. See Owncloud 9.0 Server — Hardening and Security Guidance

Relevant vulnerabilities and recommendations: