Differences

digital:server:hardening [2018/11/16 14:34]
natrius [AppArmor / SELinux]
digital:server:hardening [2019/04/30 20:14] (current)
natrius
Line 1: Line 1:
 # Server hardening # Server hardening
  
-  https://www.reddit.com/r/netsec/comments/ikkey/linux_server_hardening/?sort=top+What i am doing or what i want to do to harden my server.  
 + 
 +## Prerequisites 
 + 
 +  A fresh Ubuntu 18.04 installation 
 +  * Root privileges
  
 ## First minutes ## First minutes
  
 The first steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards. The first steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards.
 +
 +### What we will do
 +
 +  * Create a new user with sudo rights
 +  * Test login with the new user
 +  * Configure SSH (deactivate root login, password login, [optional] change Port)
 +  * Install fail2ban (Configure short-term ban and a long-term ban)
 +  * Update (Just in case)
 +  * Install and configure UFW (Just allow used ports like ssh)
 +  * BREAKTIME
  
 ### Create a new user with sudo rights ### Create a new user with sudo rights
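Review bot: in the new Prerequisites list the first item `A fresh Ubuntu 18.04 installation` has no `*` bullet while `* Root privileges` does, so the two render differently; write both as `  * ` items. The order in "What we will do" is correct and worth keeping: the login test with the new user comes before SSH password login is disabled, which is what prevents locking yourself out with an untested key.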
Line 33: Line 48:
     sudo nano /etc/ssh/sshd_config     sudo nano /etc/ssh/sshd_config
  
-Disable root login: ''PermitRootLogin no'' +  * Disable root login: ''PermitRootLogin no'' 
-Disable password login: ''ChallengeResponseAuthentication no'' or FIXME or ''PasswordAuthentication no'' +  Disable password login: ''ChallengeResponseAuthentication no'' and ''PasswordAuthentication no'' 
-Don't allow empty passwords: ''PermitEmptyPasswords no'' +  Don't allow empty passwords: ''PermitEmptyPasswords no''
  
 #### change SSH Port #### change SSH Port
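Review bot: only the first of the three new sshd_config items carries a `*` bullet; `Disable password login` and `Don't allow empty passwords` are indented without one and will not render as list items. Replacing `or FIXME or` with `and` is right: both `ChallengeResponseAuthentication no` and `PasswordAuthentication no` are needed, since leaving either enabled still allows an interactive password prompt. Consider adding `sudo sshd -t` after the edit to validate the file before the service is restarted, and keeping the current session open until a fresh key-based login succeeds.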
Line 115: Line 129:
 ### Install and configure UFW ### Install and configure UFW
  
-Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too.+Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too. UFW does not play well with Docker, keep that in mind.
  
 Important commands for UFW Important commands for UFW
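Review bot: `Install und enable` should read `Install and enable`, and `somethinglike` needs a space. The new Docker sentence would help readers more with the reason: Docker inserts its own iptables rules in the FORWARD chain for published container ports, and those take precedence over UFW's rules, so a port published with `-p` stays reachable even when UFW denies it. The bracketed note that blocks all outbound traffic except port 80 also conflicts with the Let's Encrypt advice in the same sentence, since the ACME client needs outbound 443.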
Line 131: Line 145:
  
 ### BREAKTIME ### BREAKTIME
 +
 +---
  
 Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security.  Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security. 
 +
 +---
  
 ## After installing ## After installing
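Review bot: the two new `---` lines are meant as horizontal rules around the BREAKTIME paragraph, but DokuWiki needs four or more dashes (`----`) for a rule; three dashes are turned into a single dash glyph by the typography replacements. Use `----` or drop them.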
Line 140: Line 158:
 #### Tools #### Tools
  
-Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools)+Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools) or / and take look at https://github.com/n1trux/awesome-sysadmin
  
 #### Mailserver #### Mailserver
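Review bot: `want(vim` needs a space before the parenthesis, and `or / and take look at` reads better as `and/or take a look at`. Moving the awesome-sysadmin link here from the end of the page is the right place for it.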
Line 165: Line 183:
  
 Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors. Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors.
 +
 +#### Worth checking out
 +
 +zsh (instead of bash), glances, rsync, debug tools (lsof, gdb, iotop, slurm, strace), Enable Byobu, etckeeper (etckeeper init, etckeeper commit -m initial), vnstat, linuxbrew, git and checkout the dot files from git, learn Ansible (install python-minimal for ansible), chef bootstrap
 +
 +
 +
  
 ### Check server ### Check server
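Review bot: the new "Worth checking out" paragraph is a single comma-separated run that mixes tools (zsh, glances, rsync), commands (`etckeeper init`, `etckeeper commit -m initial`) and tasks (learn Ansible, chef bootstrap); it would read as a `  * ` list like the "What we will do" section above, one item per tool, and the three trailing blank lines can go. It is also worth saying that `etckeeper init` should be run early, before the hardening edits, so the first commit captures the pristine /etc and later changes show up as diffs.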
Line 202: Line 227:
  
 ### su and sudo ### su and sudo
 +
 +FIXME
  
 Deactivate sudo for your account, check if login for root via ssh is deactivated Deactivate sudo for your account, check if login for root via ssh is deactivated
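Review bot: the added `FIXME` leaves the "su and sudo" section without a procedure, and as written `Deactivate sudo for your account` contradicts the first-minutes step that created the user with sudo rights. The section should state which privilege path is intended afterwards: if sudo is removed from the admin account and root SSH login is already disabled, the only remaining route to root is `su` with a set root password, and Ubuntu leaves root locked by default, so that password must be set before sudo is removed or the box has no usable root access left.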
Line 227: Line 254:
 To integrate later To integrate later
  
 +  * https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
   * DOD STIG checklists   * DOD STIG checklists
   * https://www.cisecurity.org/cis-benchmarks/   * https://www.cisecurity.org/cis-benchmarks/
Line 233: Line 261:
   * http://greenfly.org/talks/security/simple_hardening.html   * http://greenfly.org/talks/security/simple_hardening.html
   * https://www.cyberciti.biz/tips/linux-security.html   * https://www.cyberciti.biz/tips/linux-security.html
-  * https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/+  * https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure 
 +  * https://www.reddit.com/r/linuxadmin/comments/arx7xo/howtosecurealinuxserver_an_evolving_howto_guide/?sort=top 
 +  * https://github.com/imthenachoman/How-To-Secure-A-Linux-Server#custom-jails 
 +  * https://www.cisecurity.org/cis-benchmarks/
  
-Worth taking a look at 
  
-  * https://github.com/n1trux/awesome-sysadmin
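Review bot: the added entries duplicate links already in this list: `https://www.cisecurity.org/cis-benchmarks/` is already present a few lines above, and `How-To-Secure-A-Linux-Server#custom-jails` points at the same repository as the entry at the top of the list, the anchor being the only difference. The linux-audit.com line lost its trailing slash and gained a trailing space; keep the URL as it was. Removing the separate "Worth taking a look at" heading is fine, since the awesome-sysadmin link now lives under Tools.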