meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
digital:server:hardening [2018/11/16 14:16]
natrius 		digital:server:hardening [2019/04/30 20:14] (current)
natrius
Line 1: Line 1:
 # Server hardening # Server hardening
  
-  * https://www.debian.org/doc/manuals/securing-debian-howto/ +What i am doing or what i want to do to harden my server 
-  * https://www.reddit.com/r/netsec/comments/ikkey/linux_server_hardening/?sort=top + 
-  * https://www.thomas-krenn.com/de/wiki/Absicherung_eines_Debian_Servers+## Prerequisites 
 + 
 +  * A fresh Ubuntu 18.04 installation 
 +  * Root privileges
  
 ## First minutes ## First minutes
  
 The first steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards. The first steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards.
 +
 +### What we will do
 +
 +  * Create a new user with sudo rights
 +  * Test login with the new user
 +  * Configure SSH (deactivate root login, password login, [optional] change Port)
 +  * Install fail2ban (Configure short-term ban and a long-term ban)
 +  * Update (Just in case)
 +  * Install and configure UFW (Just allow used ports like ssh)
 +  * BREAKTIME
  
 ### Create a new user with sudo rights ### Create a new user with sudo rights
Line 35: Line 48:
     sudo nano /etc/ssh/sshd_config     sudo nano /etc/ssh/sshd_config
  
-Disable root login: ''PermitRootLogin no'' +  * Disable root login: ''PermitRootLogin no'' 
-Disable password login: ''ChallengeResponseAuthentication no'' or FIXME or ''PasswordAuthentication no'' +  Disable password login: ''ChallengeResponseAuthentication no'' and ''PasswordAuthentication no'' 
-Don't allow empty passwords: ''PermitEmptyPasswords no'' +  Don't allow empty passwords: ''PermitEmptyPasswords no''
  
 #### change SSH Port #### change SSH Port
Line 117: Line 129:
 ### Install and configure UFW ### Install and configure UFW
  
-Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too.+Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too. UFW does not play well with Docker, keep that in mind.
  
 Important commands for UFW Important commands for UFW
Line 133: Line 145:
  
 ### BREAKTIME ### BREAKTIME
 +
 +---
  
 Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security.  Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security. 
 +
 +---
  
 ## After installing ## After installing
Line 142: Line 158:
 #### Tools #### Tools
  
-Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools)+Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools) or / and take look at https://github.com/n1trux/awesome-sysadmin
  
 #### Mailserver #### Mailserver
Line 167: Line 183:
  
 Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors. Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors.
 +
 +#### Worth checking out
 +
 +zsh (instead of bash), glances, rsync, debug tools (lsof, gdb, iotop, slurm, strace), Enable Byobu, etckeeper (etckeeper init, etckeeper commit -m initial), vnstat, linuxbrew, git and checkout the dot files from git, learn Ansible (install python-minimal for ansible), chef bootstrap
 +
 +
 +
  
 ### Check server ### Check server
Line 180: Line 203:
   * https://help.ubuntu.com/community/AppArmor   * https://help.ubuntu.com/community/AppArmor
   * https://www.kuketz-blog.de/apparmor-linux-haerten-teil3/   * https://www.kuketz-blog.de/apparmor-linux-haerten-teil3/
 +
 +#### Short introduction
 +
 +Apparmor is one of the best tools you can possibly use for hardening security. Generally speaking "deny by default" security policies where you explicitely state what a process can or can't do (all in one simple file) work very well and have less chance for human error. So what's the point? AppArmor offers a reasonably high level of assurance that any unpublished or future exploits in your server software won't be catastrophic. For instance if someone finds a 0day in Apache, a good AppArmor profile will prevent them from defacing your websites or rooting your box.
 +
 +AppArmor ships by default with Ubuntu (probably debian too) along with profiles that secure notoriously insecure daemons like BIND. What's even better is that you can run everything as root and not have to put up with all the headaches of user permissions, alternate users, and chrooting.
 +
 +Here's a simple tutorial of the steps you can take to secure a system:
 +
 +  * See what profiles are installed and currently enabled: ''sudo apparmor_status''
 +  * Find a list of server processes running that are insecured: ''sudo aa-unconfined''
 +  * Let's say you want to secure the program foobar. You can start by generating an initial profile: ''sudo aa-genprof /usr/bin/foobar''
 +  * Set it to "complain" mode (security is not yet enforced: ''sudo aa-complain /usr/bin/foobar''
 +  * Next you would run foobar and get it to do a bunch of stuff. You can now run the following program to generate a security profile automatically! ''sudo aa-logprof''
 +  * You can also edit the new profile manually if you want: ''sudo nano -w /etc/apparmor.d/usr.bin.foobar''
 +  * Once you're confident your security profile is correct, set it to enforce mode: ''sudo aa-enforce /usr/bin/foobar''
 +
 +Enjoy.
 +
 +Also when compiling programs you can set a bunch of security flags. On many systems like Ubuntu and Gentoo I think these are enabled by default. If not you can do the following:
 +
 +<code>./configure CFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security" LDFLAGS="-rdynamic -Wl,-z,relro"</code>
  
 ### su and sudo ### su and sudo
 +
 +FIXME
  
 Deactivate sudo for your account, check if login for root via ssh is deactivated Deactivate sudo for your account, check if login for root via ssh is deactivated
Line 190: Line 237:
  
 The cult of "sudo all the things" is irresponsible. If you need root privileges, use root. Everything else should be covered under group policy. The cult of "sudo all the things" is irresponsible. If you need root privileges, use root. Everything else should be covered under group policy.
 +
 +### Check file permissions
 +
 +After this is done ensure your file permissions are correct by this command
 +
 +      find / -perm -2 ! -type l -ls
 +
 +once this is done change permissions to remove world writable status from files that do no need this, see man chmod.
 +
 +### Check open ports
 +
 +      netstat -lntp
  
 ## Stuff ## Stuff
Line 195: Line 254:
 To integrate later To integrate later
  
 +  * https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
   * DOD STIG checklists   * DOD STIG checklists
   * https://www.cisecurity.org/cis-benchmarks/   * https://www.cisecurity.org/cis-benchmarks/
Line 201: Line 261:
   * http://greenfly.org/talks/security/simple_hardening.html   * http://greenfly.org/talks/security/simple_hardening.html
   * https://www.cyberciti.biz/tips/linux-security.html   * https://www.cyberciti.biz/tips/linux-security.html
-  * https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/+  * https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure 
 +  * https://www.reddit.com/r/linuxadmin/comments/arx7xo/howtosecurealinuxserver_an_evolving_howto_guide/?sort=top 
 +  * https://github.com/imthenachoman/How-To-Secure-A-Linux-Server#custom-jails 
 +  * https://www.cisecurity.org/cis-benchmarks/
  
-Worth taking a look at 
  
-  * https://github.com/n1trux/awesome-sysadmin