Differences
digital:server:hardening [2018/11/16 14:16] natrius |
digital:server:hardening [2019/04/30 20:14] (current) natrius |
Line 1: | Line 1: | ||
# Server hardening | # Server hardening | ||
- | * https:// | + | What i am doing or what i want to do to harden my server. |
- | * https://www.reddit.com/ | + | |
- | * https:// | + | ## Prerequisites |
+ | |||
+ | * A fresh Ubuntu 18.04 installation | ||
+ | * Root privileges | ||
## First minutes | ## First minutes | ||
The first steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach '' | The first steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach '' | ||
+ | |||
+ | ### What we will do | ||
+ | |||
+ | * Create a new user with sudo rights | ||
+ | * Test login with the new user | ||
+ | * Configure SSH (deactivate root login, password login, [optional] change Port) | ||
+ | * Install fail2ban (Configure short-term ban and a long-term ban) | ||
+ | * Update (Just in case) | ||
+ | * Install and configure UFW (Just allow used ports like ssh) | ||
+ | * BREAKTIME | ||
### Create a new user with sudo rights | ### Create a new user with sudo rights | ||
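Review bot: in the new "What we will do" checklist, "Update (Just in case)" comes after "Configure SSH" and "Install fail2ban"; running the package update first means openssh-server and fail2ban are installed at their current versions before they are exposed, so consider moving that item to the top, right after creating the sudo user. The three reference links removed at the top of the hunk are not carried anywhere else in this change; if they were the sources for the procedure, keep them under "Stuff" so the provenance survives. Minor: "What i am doing" should be "What I am doing".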
Line 35: | Line 48: | ||
sudo nano / | sudo nano / | ||
- | Disable root login: '' | + | * Disable root login: '' |
- | Disable password login: '' | + | |
- | Don't allow empty passwords: '' | + | |
#### change SSH Port | #### change SSH Port | ||
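Review bot: this hunk keeps only "Disable root login" as a bullet and drops the "Disable password login" and "Don't allow empty passwords" lines without moving them anywhere visible, yet the new "What we will do" checklist still promises to deactivate password login. If the intent was to turn all three into one list, the two missing settings should come back as bullets next to the root-login one (in sshd_config those are the standard PasswordAuthentication no and PermitEmptyPasswords no directives, alongside PermitRootLogin no). It is also worth adding one sentence after the sshd_config edit: reload sshd and verify the new user can still log in with the key from a second terminal before closing the existing session, otherwise a typo in the file locks you out of the box.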
Line 117: | Line 129: | ||
### Install and configure UFW | ### Install and configure UFW | ||
- | Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too. | + | Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too. UFW does not play well with Docker, keep that in mind. |
Important commands for UFW | Important commands for UFW | ||
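Review bot: the added sentence "UFW does not play well with Docker" should say why, because the failure mode is silent: Docker manages its own iptables rules (the DOCKER chain in the FORWARD path) ahead of UFW's, so a container port published with -p is reachable from the network even when UFW shows it as denied. Either state that and tell readers to bind published ports to 127.0.0.1 unless they are meant to be public, or leave the warning out rather than hint at it. The bracketed variant "disable all outbound traffic except for port 80" also needs a caveat in the same sentence: outbound DNS (53/udp) and HTTPS (443) are required for name resolution, for apt mirrors served over HTTPS and for the Let's Encrypt client mentioned a few words later, so that rule set breaks both updates and certificate renewal. Minor: "Install und enable" should be "Install and enable", and "somethinglike" needs a space.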
Line 133: | Line 145: | ||
### BREAKTIME | ### BREAKTIME | ||
+ | |||
+ | --- | ||
Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security. | Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security. | ||
+ | |||
+ | --- | ||
## After installing | ## After installing | ||
Line 142: | Line 158: | ||
#### Tools | #### Tools | ||
- | Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools) | + | Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools) |
#### Mailserver | #### Mailserver | ||
Line 167: | Line 183: | ||
Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors. | Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors. | ||
+ | |||
+ | #### Worth checking out | ||
+ | |||
+ | zsh (instead of bash), glances, rsync, debug tools (lsof, gdb, iotop, slurm, strace), Enable Byobu, etckeeper (etckeeper init, etckeeper commit -m initial), vnstat, linuxbrew, git and checkout the dot files from git, learn Ansible (install python-minimal for ansible), chef bootstrap | ||
+ | |||
+ | |||
+ | |||
### Check server | ### Check server | ||
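Review bot: the "Worth checking out" paragraph is one comma-separated run that mixes tools (zsh, glances, rsync), debugging utilities and multi-step actions (etckeeper init, etckeeper commit -m initial; Ansible needing python-minimal); it would read better as a bullet list like the rest of the page, with the etckeeper commands in their own code span. From a hardening standpoint, note that etckeeper should be initialised before the SSH, fail2ban and UFW edits in "First minutes", so the baseline commit captures the pristine /etc and every later config change is diffable. The three trailing blank lines can go, and "Install tools you want(vim" needs a space before the parenthesis.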
Line 180: | Line 203: | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
+ | |||
+ | #### Short introduction | ||
+ | |||
+ | Apparmor is one of the best tools you can possibly use for hardening security. Generally speaking "deny by default" | ||
+ | |||
+ | AppArmor ships by default with Ubuntu (probably debian too) along with profiles that secure notoriously insecure daemons like BIND. What's even better is that you can run everything as root and not have to put up with all the headaches of user permissions, | ||
+ | |||
+ | Here's a simple tutorial of the steps you can take to secure a system: | ||
+ | |||
+ | * See what profiles are installed and currently enabled: '' | ||
+ | * Find a list of server processes running that are insecured: '' | ||
+ | * Let's say you want to secure the program foobar. You can start by generating an initial profile: '' | ||
+ | * Set it to " | ||
+ | * Next you would run foobar and get it to do a bunch of stuff. You can now run the following program to generate a security profile automatically! '' | ||
+ | * You can also edit the new profile manually if you want: '' | ||
+ | * Once you're confident your security profile is correct, set it to enforce mode: '' | ||
+ | |||
+ | Enjoy. | ||
+ | |||
+ | Also when compiling programs you can set a bunch of security flags. On many systems like Ubuntu and Gentoo I think these are enabled by default. If not you can do the following: | ||
+ | |||
+ | < | ||
### su and sudo | ### su and sudo | ||
+ | |||
+ | FIXME | ||
Deactivate sudo for your account, check if login for root via ssh is deactivated | Deactivate sudo for your account, check if login for root via ssh is deactivated | ||
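Review bot: the tutorial steps under "Short introduction" end in empty inline-code spans, so a reader cannot tell which command each step refers to; fill in the actual tool names (the steps as described correspond to aa-status, aa-unconfined, aa-genprof, aa-complain, aa-logprof and aa-enforce from the apparmor-utils package). The claim that with AppArmor "you can run everything as root and not have to put up with all the headaches of user permissions" should be toned down: a profile restricts what a confined process may touch, but a gap in the profile or a bug in the confinement leaves a root process with full privileges, so services should still run as unprivileged users with AppArmor on top. For the "run foobar and get it to do a bunch of stuff" step, add that the generated profile only covers the code paths that were exercised; anything untested shows up as a denial once the profile is set to enforce, so keep it in complain mode and watch the audit log for a while before switching. The sentence "Generally speaking "deny by default"" is cut off, the compile-flags block at the end of the section is empty, and the "FIXME" placeholder under "su and sudo" is still in the committed text. Spelling: "Apparmor" should be "AppArmor" as in the next paragraph, and "insecured" should be "unconfined".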
Line 190: | Line 237: | ||
The cult of "sudo all the things" | The cult of "sudo all the things" | ||
+ | |||
+ | ### Check file permissions | ||
+ | |||
+ | After this is done ensure your file permissions are correct by this command | ||
+ | |||
+ | find / -perm -2 ! -type l -ls | ||
+ | |||
+ | once this is done change permissions to remove world writable status from files that do no need this, see man chmod. | ||
+ | |||
+ | ### Check open ports | ||
+ | |||
+ | netstat -lntp | ||
## Stuff | ## Stuff | ||
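Review bot: `find / -perm -2 ! -type l -ls` descends into /proc and /sys and reports pseudo-files there, and it lists the sticky world-writable directories (/tmp, /var/tmp) that are supposed to be writable; add `-xdev` (re-run per mounted filesystem) and exclude sticky directories with `! \( -type d -perm -1000 \)` so the output contains only real findings, and say the command must be run as root so no directory is skipped for lack of permission. Typo in the follow-up sentence: "do no need this" should be "do not need this". For "Check open ports", `netstat -lntp` covers only TCP and shows the owning program only for sockets the current user owns; run it as root and add `u` (`netstat -lnutp`) to include UDP listeners, and mention that netstat comes from the net-tools package listed under "Tools" while Ubuntu 18.04 ships `ss -lnutp` by default.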
Line 195: | Line 254: | ||
To integrate later | To integrate later | ||
+ | * https:// | ||
* DOD STIG checklists | * DOD STIG checklists | ||
* https:// | * https:// | ||
Line 201: | Line 261: | ||
* http:// | * http:// | ||
* https:// | * https:// | ||
- | * https:// | + | * https:// |
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
- | Worth taking a look at | ||
- | * https:// |