Linux Security
Anything about security on Linux. When topics are already covered in other pages, give links to them.
Setting umask
The default umask on Ubuntu / Debian is 022, meaning that newly created files and folders are world-readable by default.
To change the defaults (see [1]) to 027:
Add to /etc/sudoers:
Defaults umask = 0027
Defaults umask_override
Edit /etc/login.defs:
UMASK 027
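The effect of the two umask values above, as an added example (not part of the original page): it creates a file and a directory under a temporary directory with a given umask and reads back the resulting mode. It assumes GNU stat (-c '%a'), as shipped on Debian/Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original page): show the permission bits a given
# umask produces for a new file and a new directory, by actually creating them
# under a temporary directory. Assumes GNU stat (-c '%a').

# mode_with_umask UMASK file|dir -> octal mode of a freshly created file or dir
mode_with_umask() {
    _tmp=$(mktemp -d) || return 1
    (
        umask "$1"                      # applies to this subshell only
        if [ "$2" = dir ]; then
            mkdir "$_tmp/probe"         # directories start from 777
        else
            : > "$_tmp/probe"           # regular files start from 666
        fi
    )
    stat -c '%a' "$_tmp/probe"
    rm -rf "$_tmp"
}

# world_readable MODE -> 0 if the "others" digit of an octal mode has the read bit set
world_readable() {
    _others=${1#"${1%?}"}               # last octal digit
    [ $(( _others & 4 )) -ne 0 ]
}

# Stand-alone run: 022 gives 644 / 755 (world-readable), 027 gives 640 / 750
for um in 022 027; do
    echo "umask $um: file $(mode_with_umask "$um" file), dir $(mode_with_umask "$um" dir)"
done
```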
Firewall
With UFW
TBC
With iptables
- Basic configuration
List current active rules
iptables -L
# Chain INPUT (policy ACCEPT)
# target prot opt source destination
#
# Chain FORWARD (policy ACCEPT)
# target prot opt source destination
#
# Chain OUTPUT (policy ACCEPT)
# target prot opt source destination
By default, there are 3 chains: INPUT, FORWARD, OUTPUT.
To authorise SSH (port 22) and HTTP (port 80):
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
See the result:
iptables -L
# Chain INPUT (policy ACCEPT)
# target prot opt source destination
# ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
# ACCEPT tcp -- anywhere anywhere tcp dpt:http
#
# Chain FORWARD (policy ACCEPT)
# target prot opt source destination
#
# Chain OUTPUT (policy ACCEPT)
For the firewall to be effective, we must change the default policy from ACCEPT to DROP (or REJECT, but DROP is better). But before doing so, we need an additional rule:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule tells the firewall to accept packets belonging to connections that were already set up (for example through one of the opened ports), so replies and related connections keep flowing once the chain stops accepting everything else. Now we can make the firewall effective by appending a catch-all DROP rule at the end of the INPUT chain for eth0, which has the same effect as a DROP default policy for that interface:
iptables -A INPUT -i eth0 -j DROP
- List, add, delete rules
iptables -L INPUT # LIST INPUT rules
iptables -L # LIST ALL rules
iptables -I INPUT 2 _rule_... # ADD a rule before 2nd rule
iptables -D INPUT 3 # DELETE 3rd rule
iptables -F INPUT # FLUSH (delete) all INPUT rules
- Some custom rules
iptables -I INPUT 1 -s _src_ip_ -j DROP # Block a single source IP address
- Stop and reset firewall
This will remove all rules and reset the firewall to accept all connections:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
- Save and restore iptables rules
Use iptables-save to dump the current rules in a readable format, and iptables-restore to load them back later.
iptables-save > iptables.rules # Save the rules
iptables-restore < iptables.rules # Restore the rules
On Debian, firewall rules are restored at boot using iptables-restore from /etc/network/interfaces, which contains:
# ...
post-up iptables-restore < /etc/iptables.up.rules
# ...
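The INPUT rule set from the basic configuration above, written as one iptables-restore file rather than typed rule by rule, plus a sanity check to run on a saved rules file before it is loaded at boot. This is an added example, not from the original page; the interface name eth0 and the port list are assumptions, and it uses a DROP policy on INPUT in place of the trailing "-j DROP" rule.

```shell
#!/bin/sh
# Added example (not from the original page): write the INPUT rule set from the
# basic configuration in iptables-save format, so it can be reviewed as one file
# and loaded atomically with iptables-restore (or from the post-up line in
# /etc/network/interfaces). Interface name and ports are assumptions.
IFACE="eth0"

# build_ruleset PORT... -> prints a complete *filter table for iptables-restore
build_ruleset() {
    printf '%s\n' '*filter'
    # A DROP policy on INPUT replaces the trailing "-j DROP" rule and also
    # covers interfaces other than eth0; FORWARD stays ACCEPT as on the page.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Local traffic and replies to connections we opened come first, so that
    # nothing below depends on rule order.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' "-A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $IFACE -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# audit_ruleset < FILE -> 0 when the saved rules have a DROP policy on INPUT
# and keep established connections open, 1 otherwise. Run it on iptables-save
# output before trusting a rules file at boot.
audit_ruleset() {
    _rules=$(cat)
    printf '%s\n' "$_rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$_rules" | grep -q 'ESTABLISHED,RELATED -j ACCEPT' || return 1
}

# Stand-alone use: build_ruleset 22 80 > /etc/iptables.up.rules
build_ruleset 22 80
```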
Server hardening
Assume server name is myserver.org.
Apache
- Prevent access to .git folder
Static web sites are easily updated through git. However, this means that the document root contains a .git folder, and access to it must be denied.
The recommended way is to add a Directory block for the .git folder to the Apache site configuration file [2]:
# Deny the .git folder only, not the whole site root
<Directory "/var/www/mysite/.git">
    Require all denied
</Directory>
Or add to a .htaccess file inside the .git directory (AllowOverride must permit it):
Require all denied
SSH
- PasswordAuthentication
Disable password authentication since it is prone to brute-force attacks. Make sure key-based login works first, otherwise you lock yourself out when sshd restarts. Edit /etc/ssh/sshd_config:
PasswordAuthentication no
- DebianBanner
Test if sshd sends a banner [3]:
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
# ^C
Edit /etc/ssh/sshd_config, and add the line:
DebianBanner no
Restart and verify the banner:
service sshd restart
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1
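A check for the two sshd_config settings above, as an added example (not from the original page). sshd uses the first occurrence of a keyword, so a hardening line appended at the end of the file is silently ignored if an earlier line already sets it; the check reports the effective value. The two sample configurations are constructed for the example; Match blocks and the Keyword=value form are not interpreted.

```shell
#!/bin/sh
# Added example (not from the original page): report the effective value of
# PasswordAuthentication and DebianBanner in an sshd_config read from stdin.
# sshd honours the FIRST occurrence of a keyword, so this does too.

# Constructed sample: the "no" appended later is ineffective, "yes" wins
WEAK_CONFIG='Port 22
PasswordAuthentication yes
# added later while hardening, but sshd already took the value above
PasswordAuthentication no
DebianBanner no'

HARDENED_CONFIG='Port 22
PasswordAuthentication no
DebianBanner no'

# effective_value KEYWORD < sshd_config -> first non-comment value of KEYWORD
# (keywords are case-insensitive), or "unset" when it does not occur
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# audit_sshd_config < sshd_config -> one finding per line for each setting
# that is not hardened; exit status 0 when there are no findings
audit_sshd_config() {
    _cfg=$(cat)
    _findings=0
    for _kv in PasswordAuthentication:no DebianBanner:no; do
        _key=${_kv%%:*}
        _want=${_kv#*:}
        _got=$(printf '%s\n' "$_cfg" | effective_value "$_key")
        if [ "$_got" != "$_want" ]; then
            echo "$_key is '$_got' (expected $_want)"
            _findings=$((_findings + 1))
        fi
    done
    [ "$_findings" -eq 0 ]
}

# Stand-alone run on the constructed samples (use: audit_sshd_config < /etc/ssh/sshd_config)
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "weak config: findings above"
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config && echo "hardened config: ok"
```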
- rate-limit incoming connections
Add the following rules to iptables [4]. Assuming that you have a default DROP rule on the INPUT chain, these rules must end up before the rule that accepts port 22. Since -I without a position inserts at the top of the chain, the commands are given in reverse of their final order, and the ACCEPT is inserted at position 3 so that it lands right after the two "recent" rules instead of above them (where it would bypass the limiter):
# 1. Record every new SSH connection attempt from the source in the "recent" list
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# 2. Inserted above rule 1: drop a new attempt if the source was already seen 5 times within 60 s
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
# 3. Accept what passed the limiter; position 3 places it directly after the two rules above
iptables -I INPUT 3 -p tcp -m tcp --dport 22 -j ACCEPT
Use the following script to test your new rules:
#!/bin/bash
for i in $(seq 1 5); do
    echo 'exit' | nc myserver.org 22
done
- ssh-audit
Download ssh-audit and run it against the server. Follow the recommendations.
Fail2ban
- References: some explanations on the NO-FAIL tags and other topics
fail2ban scans logs of internet services and automatically bans source IP addresses that generate too many unsuccessful login attempts in a given period of time.
First install fail2ban:
apt-get install fail2ban
To edit the configuration, make a copy of /etc/fail2ban/jail.conf named /etc/fail2ban/jail.local and edit the copy (jail.conf is replaced on upgrades, jail.local overrides it):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
Read the configuration file for more details, or look at installation guides or the manual [5], [6].
My configuration:
bantime = 600
findtime = 3600
# Log checks show many attempts at a rate of about 5/hr, so we allow at most 3/hr.
maxretry = 3
Jails I enable:
[ssh]
enabled = true
maxretry = 3
[postfix]
enabled = true
[recidive]
enabled = true
maxretry = 3
Some frequently-used commands:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf # Test a filter against a given log file
fail2ban-client reload # Reload a configuration
fail2ban-client status # Get overall jail status
fail2ban-client status postfix # Get status on 'postfix' jail (including banned IP)
fail2ban-client status ssh
fail2ban-client status recidive
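What the findtime/maxretry values in the configuration above mean in practice, as an added example (not from the original page or from fail2ban itself): it replays sshd log lines through the same sliding-window logic and prints the sources a jail would ban. The log lines are constructed for this example and carry epoch seconds instead of a syslog date, to keep date parsing out of the picture; the "Failed password ... from IP" shape is the one sshd writes.

```shell
#!/bin/sh
# Added example (not from the original page): replay sshd log lines through
# the findtime/maxretry logic of a fail2ban jail. Constructed sample log with
# epoch seconds in place of the syslog timestamp.
FINDTIME=3600
MAXRETRY=3

SAMPLE_LOG='1000 sshd[1]: Failed password for root from 203.0.113.5 port 4000 ssh2
1200 sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
1300 sshd[1]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
1500 sshd[1]: Failed password for root from 203.0.113.5 port 4002 ssh2
2000 sshd[1]: Failed password for root from 198.51.100.9 port 6000 ssh2
9000 sshd[1]: Failed password for root from 198.51.100.9 port 6001 ssh2
9100 sshd[1]: Failed password for root from 198.51.100.9 port 6002 ssh2'

# candidates_to_ban [FINDTIME [MAXRETRY]] < LOG -> one line per source IP that
# reaches MAXRETRY failed logins inside a FINDTIME window; each IP is printed
# once, at the line where a real jail would ban it
candidates_to_ban() {
    awk -v findtime="${1:-$FINDTIME}" -v maxretry="${2:-$MAXRETRY}" '
        /Failed password for/ {
            ts = $1
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            t[ip, n[ip]] = ts
            # count the failures of this source that are still inside the window
            c = 0
            for (j = 1; j <= n[ip]; j++) if (ts - t[ip, j] < findtime) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Stand-alone run: only 203.0.113.5 has 3 failures within one hour;
# 198.51.100.9 spreads its 3 failures over more than findtime and is not banned
printf '%s\n' "$SAMPLE_LOG" | candidates_to_ban
```

Raising findtime to a day would also catch 198.51.100.9, which is the trade-off the recidive jail makes for repeat offenders.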
- Restore bans on restart/reload
- On fail2ban 0.8.x, this can be customized by editing actions.
- Or install fail2ban 0.9.x.
Owncloud
TBC. See Owncloud 9.0 Server — Hardening and Security Guidance
Relevant vulnerabilities and recommendations: