Avoid Using FTP, Telnet, And Rlogin / Rsh Services
Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use either SSH (Secure Shell), SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP.
Keep Linux Kernel and Software Up to Date
Applying security patches is an important part of maintaining a Linux server. Linux provides all the tools needed to keep your system updated, and also allows easy upgrades between versions. All security updates should be reviewed and applied as soon as possible. On Ubuntu/Debian, use apt-get and/or dpkg to apply them.
Restrict Who Can Use Cron
Cron has its own built-in access control that lets you specify who may and who may not run jobs. It is controlled by the files /etc/cron.allow and /etc/cron.deny. To block a user from using cron, add the user name to cron.deny; to allow a user to run cron jobs, add the name to cron.allow. If you would like to stop all users from using cron, add the line ‘ALL‘ to cron.deny:
$ echo ALL | sudo tee /etc/cron.deny
Check Listening Network Ports (TCP)
With the help of the netstat command you can view all listening TCP ports and the programs bound to them:
$ sudo netstat -ltpn
Set Up A Firewall – Establish a Base Firewall
No secure server is complete without a firewall. Ubuntu provides UFW, which makes firewall management very easy. Run:
sudo ufw allow 22    # SSH
sudo ufw allow 80    # webserver http
sudo ufw allow 443   # webserver https
sudo ufw enable
This sets up a basic firewall and configures the server to accept traffic on ports 22, 80 and 443. You may wish to open more ports depending on what your server is going to do.
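As an added example (not from the original post), here is a small POSIX shell script that reads `netstat -ltpn` output and lists every TCP listener bound to a non-loopback address whose port is not one of those opened by the ufw rules above. The netstat output is a constructed sample so the script runs offline; on a real host, feed it `sudo netstat -ltpn` instead.

```shell
#!/bin/sh
# Added example (not from the original post): flag TCP listeners reachable
# from outside the host, i.e. bound to anything other than loopback and not
# on a port we deliberately opened in the firewall.

# Constructed sample of `sudo netstat -ltpn` output.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1201/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1340/apache2
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1402/redis-server
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd'

# Ports we intend to expose (the same ones the ufw rules allow).
ALLOWED_PORTS="22 80 443"

# exposed_listeners NETSTAT_OUTPUT
# Prints "port program" for every listener that is bound to a non-loopback
# address and whose port is not in ALLOWED_PORTS.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)     # everything before it
            if (host == "127.0.0.1" || host == "::1") next   # local-only, fine
            if (port in ok) next                             # intentionally exposed
            prog = $7; sub(/^[0-9]+\//, "", prog)            # drop the PID prefix
            print port, prog
        }'
}

exposed_listeners "$SAMPLE"
```

In the sample, MySQL on 127.0.0.1:3306 is not reported because it is bound to loopback only, while redis on 0.0.0.0:6379 is reported because it is reachable from the network and not in the firewall allow list.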
Passwordless Login – Key based login
You can make it easier to ssh into your server via passwordless (key based) login, and add another layer of security by completely disabling password authentication. Just keep in mind that, once password authentication is disabled, you will be able to log into your server only from the machine on which you generated the ssh keys.
Let’s generate the ssh key on your local system using the following command:
$ ssh-keygen -t rsa
It will ask some questions; you can leave the location of the key to default and provide it with a hard-to-guess passphrase [optional]. Next, you need to copy these keys to the server so that the two machines can communicate with each other using the keys.
$ cat ~/.ssh/id_rsa.pub | ssh -p 22 username@remote-ip-or-name-server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Now try to log into the server from another terminal; if everything is working, it will not ask you for a password.
This step was more about convenience than real security. You can add some security by disabling password authentication on the server: open the sshd_config file and set PasswordAuthentication to no, as shown in the next section.
Lock Down SSH
Configure ssh to prevent password & root logins and lock ssh to particular IPs:
$ sudo nano /etc/ssh/sshd_config
Add these lines to the file, inserting the ip address from where you will be connecting:
# Disable root login [essential]
PermitRootLogin no
# CAREFUL!!! Check "Passwordless Login" first
PasswordAuthentication no
# CAREFUL!!! allow only the listed users to access
AllowUsers username@(ip-or-name) username
Now restart ssh:
$ sudo service ssh restart
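As an added example (not from the original post), a POSIX shell script that audits an sshd_config against the three settings above. It matters because sshd uses the first value it finds for a keyword, so a hardening line appended at the bottom of the file is silently ignored when an earlier line already sets that keyword; the constructed sample config contains exactly that mistake.

```shell
#!/bin/sh
# Added example (not from the original post): check sshd_config for the
# settings recommended in the "Lock Down SSH" section. sshd takes the FIRST
# occurrence of a keyword, so later duplicates do not take effect.

# Constructed sshd_config; note the duplicated PasswordAuthentication.
SAMPLE_CONFIG='# constructed sshd_config for the example
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# hardening lines appended later:
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice@203.0.113.10 alice'

# effective_value KEYWORD CONFIG_TEXT
# Prints the value sshd would actually use: first match, keyword compared
# case-insensitively, comment and blank lines skipped. Prints nothing if unset.
effective_value() {
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # strip the keyword
            print; exit
        }'
}

# audit_sshd_config CONFIG_TEXT
# Prints one "WARN ..." line per deviation from the recommended settings.
audit_sshd_config() {
    cfg="$1"
    v=$(effective_value PermitRootLogin "$cfg")
    [ "$v" = "no" ] || echo "WARN PermitRootLogin is '${v:-unset}', expected no"
    v=$(effective_value PasswordAuthentication "$cfg")
    [ "$v" = "no" ] || echo "WARN PasswordAuthentication is '${v:-unset}', expected no"
    v=$(effective_value AllowUsers "$cfg")
    [ -n "$v" ] || echo "WARN AllowUsers is unset; any valid account can log in"
}

audit_sshd_config "$SAMPLE_CONFIG"
```

On a real host, `sudo sshd -T` prints the effective configuration and is the authoritative check; running it before `service ssh restart` also catches syntax errors that would otherwise lock you out.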
Fail2ban – Blocks SSH attacks
Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. Fail2Ban is generally used to update firewall rules so that offending IP addresses are rejected for a specified amount of time, although any other action can also be configured. Out of the box, Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc.).
To install enter the following:
$ sudo apt-get install fail2ban
You need to create a new file holding the jail rules for the services you would like fail2ban to monitor; it is not supplied by default:
$ sudo nano /etc/fail2ban/jail.local
Important: To avoid merge conflicts during upgrades, DO NOT MODIFY the file /etc/fail2ban/jail.conf; put your changes in /etc/fail2ban/jail.local instead.
Put the content:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
If you would like to receive emails from Fail2Ban when hosts are banned, change destemail below to your email address. Add these lines at the end:
[DEFAULT]
destemail = email@example.com
# will ban and send an email with the WhoIs report and all relevant lines in the log file:
action = %(action_mwl)s
Save the file, then restart the service:
$ sudo service fail2ban restart
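As an added example (not part of the original post), the counting that fail2ban's sshd jail performs, reproduced by hand over a few constructed /var/log/auth.log lines, so you can see which source addresses a jail with maxretry = 3 would ban.

```shell
#!/bin/sh
# Added example (not from the original post): tally "Failed password" lines
# from sshd per source address, the way the fail2ban sshd filter does, and
# report addresses that reached MAXRETRY failures.
# Real fail2ban only counts failures inside its `findtime` window (10 minutes
# by default); this sample deliberately ignores the window.

# Constructed /var/log/auth.log excerpt; addresses are documentation ranges.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:15 host sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:19 host sshd[2315]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:21 host sshd[2315]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:02:02 host sshd[2320]: Failed password for alice from 203.0.113.5 port 40012 ssh2
Mar  3 10:02:09 host sshd[2320]: Accepted publickey for alice from 203.0.113.5 port 40012 ssh2: RSA SHA256:constructedfingerprint
Mar  3 10:03:44 host sshd[2330]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2'

MAXRETRY=3   # same value as maxretry in the jail.local above

# ban_candidates LOG_TEXT
# Prints "count ip" for every source address with MAXRETRY or more failures.
ban_candidates() {
    printf '%s\n' "$1" | awk -v max="$MAXRETRY" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }'
}

ban_candidates "$SAMPLE_AUTH_LOG"
```

Only 198.51.100.7 crosses the threshold; the single failure from 203.0.113.5 followed by a successful key login is exactly the kind of legitimate typo that a maxretry of 3 tolerates.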
Don’t expose MySQL to the Internet
There is no need to expose your MySQL server to the Internet. By default, on Ubuntu, the MySQL server listens only on localhost. Check the “[mysqld]” section of /etc/mysql/my.cnf for the bind-address parameter. It should be set to 127.0.0.1:
bind-address = 127.0.0.1
This makes sure that MySQL does not accept connections from anywhere except the local machine. Remote access to MySQL can have severe security implications and should be kept off unless you absolutely need it.
Consider connecting through SSH and doing your database querying and administration locally on the server, sending the results back through the ssh tunnel.
Secure the MySQL Installation
Run the script called “mysql_secure_installation“. This will guide us through some procedures that will remove some defaults that are dangerous to use in a production environment:
$ sudo mysql_secure_installation -p
Ubuntu 14.04/Debian/Raspbian Jessie – Follow this script:
Enter current password for root (enter for none): <--[press enter]
Set root password? [Y/n] n
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
Ubuntu 16.04 – Follow this script:
Enter password: <--[press enter]
VALIDATE PASSWORD PLUGIN [...]
Press y|Y for Yes, any other key for No: n
Please set the password for root here.
Enter password: needforbits [enter a new MySQL password for root]
Re-enter new password: needforbits [enter a new MySQL password for root]
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Reload privilege tables now? [Y/n] y
Protect su by limiting access only to admin group
To limit the use of su to admin users only, we need to create an admin group, add users to it, and restrict su to that group. Add an admin group to the system and add your own account to the group, replacing username below with your admin username:
$ sudo groupadd admin
$ sudo usermod -a -G admin username
$ sudo dpkg-statoverride --update --add root admin 4750 /bin/su
Check for rootkits – RKHunter and CHKRootKit
Both RKHunter and CHKRootkit basically do the same thing – check your system for rootkits. No harm in using both:
$ sudo apt-get install rkhunter chkrootkit
To run chkrootkit, open a terminal window and enter:
$ sudo chkrootkit
To update and run RKHunter, open a terminal and enter the following:
$ sudo rkhunter --update
$ sudo rkhunter --propupd
$ sudo rkhunter --check
Install Logwatch To Keep An Eye On Things – Analyze system LOG files
Logwatch monitors your logs and emails summaries of them to you. This is useful for tracking and detecting intrusions. If someone were to access your server, the emailed logs will help you determine what happened and when, since the logs on the server itself might have been tampered with.
$ sudo apt-get install logwatch libdate-manip-perl
To view the logwatch output, pipe it to less:
$ sudo logwatch | less
To send a weekly email report covering the past 7 days, create a cron entry: enter the following and replace email@example.com with the required email address:
$ sudo nano /etc/cron.weekly/00-logwatch
Add this line:
#!/bin/sh
/usr/sbin/logwatch --output mail --mailto email@example.com --detail high --range 'between -7 days and today'
$ sudo chmod +x /etc/cron.weekly/00-logwatch
Review Logs Regularly
Move logs to a dedicated log server; this prevents intruders from easily modifying the local logs. Below are the common default Linux log files and their purpose:
/var/log/messages – General system log and current activity log.
/var/log/auth.log – Authentication log.
/var/log/kern.log – Kernel log.
/var/log/cron.log – Cron daemon (cron job) log.
/var/log/maillog – Mail server log.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp – Login records.