Security of the Server (SSH, firewall iptables, fail2ban...)
These steps are to study with care. They are not ultimate parade, but are a necessary first step. Check your choices before any implementation to avoid exclude you yourself by a too restrictive rule (it is recommended to do in testing phase when you can still reset your server completely).
The first precaution is to keep informed: there are mailing lists specialising in security, such as Debian Security Announce and carry out regular updates (via apt-get upgrade for example).
Change the root password
Feel free to change the password, especially if it has been assigned to you by default. Identify yourself first as root (see above) and enter the command:
passwd root
SSH configuration
In order to secure SSH access to the server, edit the file/etc/ssh/sshd_config. Let's change the default connection port to avoid a few attacks by bruteforce on port 22, who is well known for hosting this service. Be sure to specify this new port (in Putty or ssh in Linux command line) to the next connection.
vi /etc/ssh/sshd_config
Port 2222 # Changer le port par défaut (à retenir!)
PermitRootLogin no # Ne pas permettre de login en root
AllowUsers dew # N'autoriser qu'un utilisateur précis
Restart the SSH service after these changes:
/etc/init.d/ssh restart
Alert Root login
You can edit /root/.bashrc file that is run at the start of a session root to send a notification e-mail. In this way, you'll know when a login is performed.
vi /root/.bashrc
Add the line (by changing the email address of destination):
echo 'Accès Shell Root le ' `date` `who` | mail -s `hostname` Shell Root de `who | cut -d"(" -f2 | cut -d")" -f1` monitoring@test.com
Let's make it a bit of aesthetic customization with these lines:
alias ls='ls $LS_OPTIONS --color=auto'
alias ll='ls $LS_OPTIONS -al --color=auto'
alias vi='vim'
Unnecessary services
If you do not use nfs, portmap and inetd services (in the case of a server web you don't need not). There are others, depending on your distribution and the original installation choices. You can also save in RAM.
/etc/init.d/portmap stop
/etc/init.d/nfs-common stop
update-rc.d -f portmap remove
update-rc.d -f nfs-common remove
update-rc.d -f inetd remove
apt-get remove portmap
apt-get remove ppp
Various permissions
Do not allow compilers and installers for root (the version number is to adapt according to the freshness of your installation):
chmod o-x /usr/bin/gcc-4.1
chmod o-x /usr/bin/make
chmod o-x /usr/bin/apt-get
chmod o-x /usr/bin/aptitude
chmod o-x /usr/bin/dpkg
IPtables / Netfilter
IPtables (Netfilter associated) is one of the best firewalls for Linux, and certainly more widespread. You can find many scripts of configuration about him. And here's one to adapt to your configuration. At all times, use the
iptables -L -v
command to list the rules in place.
These include 3 channels: INPUT (as input), FORWARD (in the case of a network routing) and OUPUT (in output). Actions are ACCEPT (accept the package), DROP (throw it away), tail and RETURN.
Arguments used:
- i: input interface (input)
- i: interface output (output)
- t: table (default filter containing the INPUT, FORWARD, OUTPUT channels)
- j: rule to apply (Jump)
- A: adds the rule at the end of the string (Append)
- I: insert the rule at the beginning of the string (Insert)
- R: replaces a rule in the string (Replace)
- D: Deletes a rule (Delete)
- F: Clears all the rules (Flush)
- X: clears the string
- P: default rule (Policy)
- Lo: localhost (or 127.0.0.1, local machine)
We will create a script that will be launched every time you start to put in place the basic rules.
vi /etc/init.d/firewall
#!/bin/sh
# Vider les tables actuelles
iptables -t filter -F
# Vider les règles personnelles
iptables -t filter -X
# Interdire toute connexion entrante et sortante
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# ---
# Ne pas casser les connexions etablies
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Autoriser loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# ---
# SSH In
iptables -t filter -A INPUT -p tcp --dport 2222 -j ACCEPT
# SSH Out
iptables -t filter -A OUTPUT -p tcp --dport 2222 -j ACCEPT
# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
If you host a web sevreur (Apache):
# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
If you host an FTP server:
# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
# FTP In
modprobe ip_conntrack_ftp # ligne facultative avec les serveurs OVH
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
If you host a mail with SMTP, POP3 and IMAP server:
# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
If you use the tool of monitoring Monit on port 1337 (change depending on your configuration) permit this connection:
# Monit
iptables -t filter -A INPUT -p tcp --dport 1337 -j ACCEPT
If you use a RPS of OVH server, the iSCSI disk requires network access that requires an additional rule to early filters. Without this, your server will become unusable:
iptables -A OUTPUT -p tcp --dport 3260 -m state --state NEW,ESTABLISHED -j ACCEPT
When you have defined all the rules, make it executable:
chmod +x /etc/init.d/firewall
You can test it by running directly in command line. Make sure you always have control of your machine (log in SSH, check the availability of web services, ftp, mail...). In case of error, restart the server, rules will be forgotten and will allow you to regain control. However, if the tests prove conclusive, add the script at startup so that this protects the server from the boot.
To add to the scripts called at startup:
update-rc.d firewall defaults
To remove it, you can use the following command:
update-rc.d -f firewall remove
Restart or run /etc/init.d/firewall to enable filtering.
You can use IPtables without going through a startup script and directly enter the instructions in console mode. To temporarily ban an IP address in case of need, use the command
iptables -A INPUT -s adresse_ip -j DROP
Fail2ban
Fail2ban is a script supervisor access network through the logs of servers. When it detects repeated authentication errors, it takes countermeasures by banning the IP address with iptables. This avoids many attacks bruteforce or dictionary.
Installation
apt-get install fail2ban
Configuration
vi /etc/fail2ban/fail2ban.conf
- loglevel
- Level of detail of the logs (default 3)
- LOGTARGET = /var/log/fail2ban.log
- Path to the log file (description of the actions taken by fail2ban)
Monitor services are stored in jail.conf. It is recommended to make a copy named jail.local that will be automatically used instead of the example file.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
A few global settings:
- ignoreip = 127.0.0.1
- List of the IP addresses of confidence to ignore by fail2ban
- bantime = 600
- Time to ban in seconds
- maxretry = 3
- Number of tries allowed for a connection before being banned
- destmail monitoring@test.com
- E-mail notifications recipient address
- action
- Action to be taken in the event of positive detection (see etc/fail2ban/action.d/)
Each section has its own settings that take precedence over the overall if they are mentioned:
- enabled
- Monitoring enabled (true) or not (false)
- maxretry, bantime, ignoreip, destmail
- See above
- port
- Concerned IP port
- LogPath
- Log file analysis to detect abnormalities
- filter
- Filter used for analysis of the log
The default filters are stored in /etc/fail2ban/filter.d. They contain generally an failregex statement followed by a regular expression matching detection of wrong authentication. For example, the Courier service:
failregex = LOGIN FAILED, ip=[<HOST>]$
Note: This can be directly specified in jail.local to the appropriate section to get on filter directive.
Change the ports as appropriate in the ssh section if you have followed the above recommendation...
enabled = true
port = 2222
After changing the configuration, remember to restart fail2ban:
/etc/init.d/fail2ban restart
Rkhunter
Rootkit Hunter is a program of detection of rootkits. You can install it with:
apt-get install rkhunter
He will proceed to detections daily anti-rootkits and send notifications by e-mail if necessary. It is advisable to install it very early because it calculates the MD5 of the programs installed footprint in order to detect possible changes. Edit/etc/default/rkhunter to indicate the address of notification and daily execution:
vi /etc/default/rkhunter
REPORT_EMAIL="monitoring@test.com"
CRON_DAILY_RUN="yes"
In case of false positive detections on directories or existing and healthy files, edit /etc/rkhunter.conf to add them to the list of allowed items.
vi /etc/rkhunter.conf
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static
You can also use chkrootkit which is an equivalent.
Post a Comment