
Ubuntu Server: Security Tips


Avoid Using FTP, Telnet, And Rlogin / Rsh Services

Under most network configurations, user names, passwords, FTP/telnet/rsh commands and transferred files can be captured by anyone on the same network with a packet sniffer. The usual solution is to use SSH (Secure Shell) and SFTP, which runs over SSH, or FTPS (FTP over SSL/TLS), which adds TLS encryption to plain FTP.

Keep Linux Kernel and Software Up to Date

Applying security patches is an important part of maintaining a Linux server. Linux provides all the tools needed to keep your system updated and also allows easy upgrades between releases. All security updates should be reviewed and applied as soon as possible; use apt-get and/or dpkg to apply them.

Lockdown Cronjobs

Cron has its own built-in mechanism for specifying who may and may not run jobs, controlled by the files /etc/cron.allow and /etc/cron.deny. To block a user from using cron, add the user name to cron.deny; to allow a user, add the name to cron.allow (note that if cron.allow exists, only the users listed in it may use cron and cron.deny is ignored). If you would like to disable cron for all users, add the line ‘ALL’ to cron.deny:

$ echo ALL | sudo tee /etc/cron.deny

Check Listening Network Ports (TCP)

The netstat networking command lists all open ports together with the programs that own them:

$ sudo netstat -ltpn

Set Up A Firewall – Establish a Base Firewall

No secure server is complete without a firewall. Ubuntu provides UFW, which makes firewall management very easy. Run:

sudo ufw allow 22 # SSH
sudo ufw allow 80 # webserver http
sudo ufw allow 443 # webserver https
sudo ufw enable

This sets up a basic firewall and configures the server to accept traffic on ports 22, 80 and 443 (the allow rule for 22 comes before ufw enable so that an existing SSH session is not cut off). You may wish to add more ports depending on what your server is going to do.
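The two steps above (list what is listening, then open only what the firewall should pass) can be cross-checked with a small script. This is an added example, not part of the original post: it reads saved netstat -ltpn output and compares each listener against the ufw allow-list, treating loopback-only sockets such as a database bound to 127.0.0.1 separately. The review_listeners function name and the sample netstat output are constructed here.

```shell
#!/bin/sh
# Review the TCP listeners reported by `netstat -ltpn` against the ports the
# ufw allow-list opens. A socket bound to a non-loopback address whose port is
# not in the list is either a service you forgot about or one the firewall is
# silently blocking; loopback-only listeners (e.g. MySQL on 127.0.0.1) are
# reported separately since they are unreachable from the network anyway.

# review_listeners FILE "PORT PORT ..." -> one line per listening socket
review_listeners() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # netstat -ltpn rows: Proto Recv-Q Send-Q Local Foreign State PID/Program
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)      # everything before it
            prog = ($7 == "" ? "-" : $7)
            if (host == "127.0.0.1" || host == "::1")
                print "LOCAL ", port, prog
            else if (port in ok)
                print "OPEN  ", port, prog
            else
                print "REVIEW", port, prog, "(not in the ufw allow list)"
        }
    ' "$1"
}

# Constructed sample of netstat -ltpn output (not from a real host)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1023/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1300/apache2
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1410/redis-server
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
EOF

review_listeners "$SAMPLE" "22 80 443"
```

On a live host, save the real output with sudo netstat -ltpn > /tmp/listen.txt and pass that file in; the newer ss -ltpn prints a different column layout, so adjust the field numbers if you use it instead.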

Passwordless Login – Key based login

You can make it easier to ssh into your server via passwordless (key-based) login, and add another layer of security by disabling password authentication entirely. Keep in mind that you will then be able to log into your server only from the machine holding the ssh key you generated.

Let’s generate the ssh key on your local system using the following command:

$ ssh-keygen -t rsa

It will ask some questions; you can leave the key location at the default and provide a hard-to-guess passphrase [optional]. Next, copy the public key to the server so that the two machines can authenticate using the key pair (only id_rsa.pub is sent; the private key never leaves your machine, and the chmod calls set the permissions sshd requires):

$ cat ~/.ssh/id_rsa.pub | ssh -p 22 username@remote-ip-or-name-server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"

Now try to log into the server from another terminal; if everything is working, it will not ask you for a password.

This step is more about convenience than real security. You add security by disabling password authentication on the server: open the sshd_config file and set PasswordAuthentication to:

PasswordAuthentication no

Lock Down SSH

Configure ssh to prevent password and root logins and to restrict ssh to particular users and IPs:

$ sudo nano /etc/ssh/sshd_config

Add these lines to the file, replacing ip-or-name with the address you will be connecting from. Comments in sshd_config must sit on their own lines, and sshd uses the first occurrence of a setting it finds, so make sure an earlier PermitRootLogin or PasswordAuthentication line in the file does not override these:

# Disable root login [essential]
PermitRootLogin no
# CAREFUL!!! Check "Passwordless Login" first or you will lock yourself out
PasswordAuthentication no
# CAREFUL!!! Only the listed users may log in. username@ip-or-name restricts that
# user to connections from that address; a bare username allows it from anywhere.
AllowUsers username@ip-or-name username

Now restart ssh, keeping your current session open until you have confirmed that a new login still works:

$ sudo service ssh restart
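The two SSH sections above both depend on the values sshd actually applies, and sshd takes the first occurrence of a keyword, not the last. The following added example (not from the original post) audits a config file for PermitRootLogin, PasswordAuthentication and AllowUsers the way sshd reads it; the effective_value and audit_sshd function names and the sample config are constructed here, and the parser assumes no Match blocks.

```shell
#!/bin/sh
# Audit an sshd_config for the three settings above. sshd uses the FIRST
# uncommented occurrence of a keyword, so hardened lines appended at the end
# of the file lose to a permissive line the distro shipped earlier in it.
# (Assumption: no Match blocks; the parser stops at the first one it sees.)

# effective_value FILE KEYWORD -> prints the value sshd would use ("" if unset)
effective_value() {
    awk -v kw="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"       { exit }          # conditional section: stop
        tolower($1) == tolower(kw)   { print $2; exit } # first match wins
    ' "$1"
}

# audit_sshd FILE -> exit 0 if hardened, 1 otherwise; prints one finding per setting
audit_sshd() {
    rc=0
    for check in "PermitRootLogin:no" "PasswordAuthentication:no"; do
        kw=${check%%:*}; want=${check##*:}
        got=$(effective_value "$1" "$kw" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "OK   $kw = $got"
        else
            echo "WEAK $kw = ${got:-unset} (want $want)"; rc=1
        fi
    done
    if [ -z "$(effective_value "$1" AllowUsers)" ]; then
        echo "WEAK AllowUsers not set (every account on the box may log in)"; rc=1
    fi
    return $rc
}

# Constructed sample: the guide's lines appended after a distro default
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# shipped default
PermitRootLogin yes
Port 22
# added following the guide
PermitRootLogin no
PasswordAuthentication no
AllowUsers username@ip-or-name
EOF

audit_sshd "$SAMPLE" || echo "audit failed: the first PermitRootLogin line wins"
```

On a live host, sudo sshd -T prints the effective configuration and sudo sshd -t checks the file for syntax errors before you restart the service.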

Fail2ban –  Blocks SSH attacks

Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. Fail2Ban is generally used to update firewall rules to reject the offending IP addresses for a specified amount of time, although any other action can also be configured. Out of the box, Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc.).

To install it, enter the following:

$ sudo apt-get install fail2ban

Create a new file containing the jail settings for the services you would like fail2ban to monitor; this file is not supplied by default:

$ sudo nano /etc/fail2ban/jail.local

Important: to avoid merge conflicts during upgrades, DO NOT MODIFY the file /etc/fail2ban/jail.conf; put your changes in /etc/fail2ban/jail.local instead.

Put in the following content (port = ssh refers to the named service in /etc/services; use the port number instead if your sshd listens elsewhere):

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

If you would like to receive an email from Fail2Ban whenever a host is banned, add these lines at the end of the file and set destemail to your own email address:

[DEFAULT]
destemail = myusername@mydomain.com
# ban, then send an email with the WhoIs report and all relevant lines from the log file:
action = %(action_mwl)s

Save the file, then restart the service:

$ sudo service fail2ban restart
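To see what the [sshd] jail above is actually counting, here is an added example (not part of the original post or of fail2ban) that runs the same detection logic over auth.log-style lines: failed password attempts are tallied per source address and any address at or above maxretry is reported. The offenders function name and the sample log lines are constructed.

```shell
#!/bin/sh
# The detection half of the [sshd] jail above: count "Failed password" lines
# per source address in auth.log-style input and report addresses at or over
# maxretry. (Simplification: fail2ban only counts failures inside its
# findtime window and then bans via the firewall; this just does the counting.)

# offenders LOGFILE MAXRETRY -> prints "count ip" for each ip with >= MAXRETRY failures
offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log (not from a real host): 203.0.113.9 is a brute-force
# run, 10.0.0.5 is a legitimate user who mistyped a password once.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 50110 ssh2
Mar  1 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.9 port 50112 ssh2
Mar  1 10:00:05 host sshd[1205]: Failed password for invalid user test from 203.0.113.9 port 50114 ssh2
Mar  1 10:00:07 host sshd[1207]: Failed password for root from 203.0.113.9 port 50116 ssh2
Mar  1 10:01:10 host sshd[1210]: Failed password for username from 10.0.0.5 port 40001 ssh2
Mar  1 10:01:20 host sshd[1212]: Accepted publickey for username from 10.0.0.5 port 40002 ssh2
EOF

offenders "$SAMPLE" 3    # maxretry = 3 as in jail.local
```

On a real server, sudo fail2ban-client status sshd shows the addresses the jail itself has counted and banned.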

For more, read:
HOWTOs – Fail2ban
How To Protect SSH with Fail2Ban on Ubuntu 14.04 | DigitalOcean
Using Fail2ban to Secure Your Server

Don’t expose MySQL to the Internet

There is no need to expose your MySQL server to the Internet. By default, on Ubuntu, the MySQL server listens only on localhost. Check /etc/mysql/my.cnf (on newer releases such as 16.04 the setting lives in /etc/mysql/mysql.conf.d/mysqld.cnf) in the “[mysqld]” section for the parameter bind-address. It should be 127.0.0.1:

bind-address = 127.0.0.1

This makes sure that MySQL accepts connections only from the local machine. Accepting connections from the network can have severe security implications and should stay off unless you absolutely need it.

Consider connecting through SSH and doing your database queries and administration locally on the server, or forwarding the MySQL port through an ssh tunnel.

Secure the MySQL Installation

Run the script called “mysql_secure_installation“. It guides you through removing some defaults that are dangerous to keep in a production environment:

$ sudo mysql_secure_installation -p

Ubuntu 14.04/Debian/Raspbian Jessie – Follow this script:

Enter current password for root (enter for none): <--[press enter]
Set root password? [Y/n] n
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

Ubuntu 16.04 – Follow this script:

Enter password: <--[press enter]
VALIDATE PASSWORD PLUGIN [...]
Press y|Y for Yes, any other key for No: n
Please set the password for root here.
Enter password: needforbits [enter a new MySQL password for root]
Re-enter new password: needforbits [enter a new MySQL password for root]
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Reload privilege tables now? [Y/n] y

Protect su by limiting access only to admin group

To limit the use of su to admin users only, we need to create an admin group, add users to it, and restrict su to that group. Add an admin group to the system and add your own admin user to it, replacing username below with your admin user name:

$ sudo groupadd admin
$ sudo usermod -a -G admin username
$ sudo dpkg-statoverride --update --add root admin 4750 /bin/su

Check for rootkits – RKHunter and CHKRootKit

Both RKHunter and CHKRootKit do basically the same thing: check your system for rootkits. There is no harm in using both:

$ sudo apt-get install rkhunter chkrootkit

To run chkrootkit, open a terminal window and enter:

$ sudo chkrootkit

To update and run RKHunter, open a terminal and enter the following (--propupd records the current file properties as the baseline for later checks, so run it on a system you still trust):

$ sudo rkhunter --update
$ sudo rkhunter --propupd
$ sudo rkhunter --check

Install Logwatch To Keep An Eye On Things – Analyze system LOG files

Logwatch monitors your logs and emails a summary to you. This is useful for tracking and detecting intrusions. If someone were to access your server, the logs that were emailed to you will help determine what happened and when, as the logs on the server itself might have been tampered with.

Install logwatch:

$ sudo apt-get install logwatch libdate-manip-perl

To view logwatch output, pipe it through less:

$ sudo logwatch | less

To send a weekly email report covering the past 7 days, create a cron entry; enter the following and replace mymail@mydomain.com with the required email address:

$ sudo nano /etc/cron.weekly/00-logwatch

Add this line:

/usr/sbin/logwatch --output mail --mailto mymail@mydomain.com --detail high --range 'between -7 days and today'

Make the script executable:

$ sudo chmod +x /etc/cron.weekly/00-logwatch

Review Logs Regularly

Ship logs to a dedicated log server; this makes it much harder for an intruder to quietly modify the local copies. Below are the common Linux default log files and their usage (on Ubuntu the general system log is /var/log/syslog and authentication is logged to /var/log/auth.log; /var/log/messages, /var/log/secure and /var/log/maillog are the Red Hat-family equivalents):

/var/log/messages – Whole-system logs and current activity.
/var/log/auth.log – Authentication logs.
/var/log/kern.log – Kernel logs.
/var/log/cron.log – Crond logs (cron jobs).
/var/log/maillog – Mail server logs.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp – Login records.
