Applying Product Launch Formula from Jeff Walker to launch a membership based website for a mission-based organization.
jQuery, Python, Django, Flash, ActionScript 3, are applied to software as a service educational website.
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics
Submitted by The Fan Club on
This
guide is based on various community forum posts and webpages. Special
thanks to all. All comments and improvements are very welcome as this is
purely a personal experimental project at this point and must be
considered a work in progress. This guide is intended as a relatively easy step by step guide to:
Harden the security on an Ubuntu 12.04 LTS server by installing and configuring the following:
Install and configure Firewall - ufw
Secure shared memory - fstab
SSH - Key based login, disable root login and change port
Protect su by limiting access only to admin group
Harden network with sysctl settings
Disable Open DNS Recursion and Remove Version Info - Bind9 DNS
Prevent IP Spoofing
Harden PHP for security
Restrict Apache Information Leakage
Install and configure Apache application firewall - ModSecurity
Protect from DDOS (Denial of Service) attacks with ModEvasive
Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban
Ubuntu 12.04 LTS server with a standard LAMP stack installed.
1. Firewall - UFW
A good place to start is to install a Firewall.
UFW - Uncomplicated Firewall is a basic firewall that works very well
and easy to configure with its Firewall configuration tool - gufw, or
use Shorewall, fwbuilder, or Firestarter.
Install UFW and enable, open a terminal window and enter :
sudo apt-get install ufw
Allow SSH and Http services.
sudo ufw allow ssh
sudo ufw allow http
Enable the firewall.
sudo ufw enable
Check the status of the firewall.
sudo ufw status verbose
2.Secure shared memory.
Shared memory can be used in an attack against a running service. Modify /etc/fstab to make it more secure.
Open a Terminal Window and enter the following :
sudo vi /etc/fstab
Add the following line and save. You will need to reboot for this setting to take effect :
Note : This only is works in Ubuntu 12.04 - For later Ubuntu versions replace /dev/shm with /run/shm
Save and Reboot when done
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
3. SSH Hardening - key based login, disable root login and change port.
The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
If you have to use password authentication, the easiest way to secure
SSH is to disable root login and change the SSH port to something
different than the standard port 22.
Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
if you change the SSH port keep the port number below 1024 as these
are priviledged ports that can only be opened by root or processes
running as root.
If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
Open a Terminal Window and enter :
sudo vi /etc/ssh/sshd_config
Change or add the following and save.
Port
Protocol 2
PermitRootLogin no
DebianBanner no
Restart SSH server, open a Terminal Window and enter :
sudo /etc/init.d/ssh restart
4. Protect su by limiting access only to admin group.
To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.
Add a admin group to the system and add your own admin username to the
group by replacing below with your admin
username.
6.Disable Open DNS Recursion and Remove Version Info - BIND DNS Server.
Open a Terminal and enter the following :
sudo vi /etc/bind/named.conf.options
Add the following to the Options section :
recursion no;
version "Not Disclosed";
Restart BIND DNS server. Open a Terminal and enter the following :
sudo /etc/init.d/bind9 restart
7. Prevent IP Spoofing.
Open a Terminal and enter the following :
sudo vi /etc/host.conf
Add or edit the following lines :
order bind,hosts
nospoof on
8. Harden PHP for security.
Edit the php.ini file :
sudo vi /etc/php5/apache2/php.ini
Add or edit the following lines an save :
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
Restart Apache server. Open a Terminal and enter the following :
sudo /etc/init.d/apache2 restart
9. Restrict Apache Information Leakage.
Edit the Apache2 configuration security file :
sudo vi /etc/apache2/conf.d/security
Add or edit the following lines and save :
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
FileETag None
Restart Apache server. Open a Terminal and enter the following :
12. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban.
DenyHosts is a python program that automatically blocks SSH attacks
by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux
administrators about offending hosts, attacked users and suspicious
logins.
Open a Terminal and enter the following :
sudo apt-get install denyhosts
After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.
To edit the admin email settings open a terminal window and enter:
sudo vi /etc/denyhosts.conf
Change the following values as required on your server :
Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.
Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.
Generally Fail2Ban then used to update firewall rules to reject the IP
addresses for a specified amount of time, although any arbitrary other
action could also be configured.
Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).
Open a Terminal and enter the following :
sudo apt-get install fail2ban
After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.
To edit the settings open a terminal window and enter:
sudo vi /etc/fail2ban/jail.conf
Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true
For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.
If you have selected a non-standard SSH port in step 3 then you need to change the port setting in fail2ban from ssh which by default is port 22, to your new port number, for example if you have chosen 1234 then port = 1234
When done with the configuration of Fail2Ban restart the service with :
sudo /etc/init.d/fail2ban restart
You can also check the status with.
sudo fail2ban-client status
13. Intrusion Detection - PSAD.
Cipherdyne PSAD
is a collection of three lightweight system daemons that run on Linux
machines and analyze iptables log messages to detect port scans and
other suspicious traffic.
Currently version 2.1 causes errors during install on Ubuntu 12.04,
but apparently does work. Version 2.2 resolves these issues but is not
yet available on the Ubuntu software repositories. It is recommended to
manually compile and install version 2.2 from the source files available
on the Ciperdyne website.
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
Open a Terminal and enter the following :
sudo apt-get install nmap
Scan your system for open ports with :
nmap -v -sT localhost
SYN scanning with the following :
sudo nmap -v -sS localhost
16.Analyse system LOG files - LogWatch.
Logwatch
is a customizable log analysis system. Logwatch parses through your
system's logs and creates a report analyzing areas that you specify.
Logwatch is easy to use and will work right out of the package on most
systems.
Open a Terminal and enter the following :
sudo apt-get install logwatch libdate-manip-perl
To view logwatch output use less :
sudo logwatch | less
To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :
sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today'
17. SELinux - Apparmor.
National Security Agency
(NSA) has taken Linux to the next level with the introduction of
Security-Enhanced Linux (SELinux). SELinux takes the existing GNU/Linux
operating system and extends it with kernel and user-space modifications
to make it bullet-proof.
Tiger is a security tool that can be use both as a security audit and intrusion detection system.
Open a Terminal and enter the following :
sudo apt-get install tiger
To run tiger enter :
sudo tiger
All Tiger output can be found in the /var/log/tiger
To view the tiger security reports, open a Terminal and enter the following :
sudo less /var/log/tiger/security.report.*
How to secure an Ubuntu 12.04 LTS server - Part 2 The GUI installer script
Submitted by The Fan Club on
This
guide is based on various community forum posts and webpages. Special
thanks to all. All comments and improvements are very welcome as this is
purely a personal experimental project at this point and must be
considered a work in progress. The Ubuntu Server Secure script:
The Ubuntu Server Secure script is set of GUI
security administration tools to harden and audit the security on an
Ubuntu 12.04 LTS server by using a GUI shell script to install and
configure various security features found in How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics.
This script was done as an experiment in using Zenity to create a interactive Gnome Gtk+ GUI installer.
Zenity is a great tool for creating a simple yet powerful GUI user interface on top of bash like shell script very quickly.
Requirements:
Ubuntu 12.04 LTS server with a standard LAMP stack installed.
Unity or Gnome Desktop installed.
Zenity installed. (Zenity installed by default in Ubuntu 12.04 LTS Desktop)
1. Ubuntu Server Secure - Screenshots
2. Ubuntu Server Secure - The Shell Script Code
Below is the contents of the ubuntu-server-secure.sh file.
3. Ubuntu Server Secure - Log File
Complete log can be found at: /var/log/uss_YYYY-MM-DD.log (replace YYYY-MM-DD with current date)
4. Ubuntu Server Secure - Installation Instructions
Install zenity if not already installed by default on Ubuntu: sudo apt-get install zenity
Download the Ubuntu Server Secure script from the links at the bottom of this page
Change Directory to the downloaded file : cd /path/to/download
To extract, open a terminal window and enter :
sudo tar -zxvf ubuntu-server-secure.tar.gz
cd ubuntu-server-secure
sudo chmod +x ubuntu-server-secure.sh
No comments:
Post a Comment