Essential Security for Linux Servers
UBUNTU BOX
Thanks for sharing!
My personal and contact details:
Juan Carlos Perez Pardo
I am living in Dublin
Linkedin: www.linkedin.com/in/perezpardojc
Twitter: https://twitter.com/perezpardojc
And like always if you want to copy, paste, and collaborate feel free to do it!
My lab:
Laptop
Dell Precision M4800 / Intel(R) Core(TM) i7-4900MQ CPU @ 2.80GHz / 16 GB
Dell Latitude E6400 / Intel(R) Core(TM) 2 Duo P8400 CPU / 8GB
Microsoft Windows 8.1 / Ubuntu 14.04 LTS
Network
TP-LINK’s AV500 Nano Powerline Adapter TL-PA4010KIT
Technicolor TC7200 Modem / Router
Internet connection:
UPC Fibre Power 120Mb
Security for Ubuntu Box
Machine:
UbuntuServerSecurity
Steps:
Change the root password to something “particular”
# passwd
Update and upgrade the machine
# apt-get update
# apt-get upgrade
Fail2ban is a daemon that monitors login attempts to a server and
blocks suspicious activity as it occurs. It’s well configured out of the
box.
# apt-get install fail2ban
If you didn’t set up a user during the install process, as we saw in the
other tutorial, it’s time to do it! Now, let’s set up your login user. Feel free
to name the user something besides ‘deploy’.
# useradd deploy
# mkdir /home/deploy
# mkdir /home/deploy/.ssh
# chmod 700 /home/deploy/.ssh
# passwd deploy
Create Public key
# ssh-keygen
# cd ~/.ssh
At first there is nothing … afterwards:
$ ls
authorized_keys2 id_dsa known_hosts
config id_dsa.pub
Require public key authentication
Let’s go with some cert work …
# vim /home/deploy/.ssh/authorized_keys
# chmod 400 /home/deploy/.ssh/authorized_keys
# chown -R deploy:deploy /home/deploy
SSH Lock Down - no passwords
vi /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
Restart SSH - make sure you can connect before disconnecting current shell!
#restart sshd or #service ssh restart
Set a complex password - you can either store it somewhere secure
or make it something memorable to the team. This is the password
you’ll use to sudo.
#passwd deploy
# sudo
visudo
## lhl ALL=(ALL:ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
deploy ALL=(ALL) ALL
Lock Down SSH
Configure ssh to prevent password & root logins and lock ssh to
particular IPs:
#vim /etc/ssh/sshd_config
Tip: to change the colour scheme in vim, use :colorscheme koehler
Add these lines to the file, inserting the ip address from where you
will be connecting:
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
Now restart ssh:
service ssh restart
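A small audit of the three directives added above, as an added shell example that is not part of the original slides; it shows that only uncommented lines before any Match block count. The function names and the sample address 192.0.2.10 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings applied above.

# Print every global value of a keyword. Keywords are case-insensitive,
# lines starting with '#' are comments, and settings after a "Match"
# line are conditional, so the scan stops there.
sshd_values() {  # usage: sshd_values KEYWORD FILE
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$2"
}

# Exit status 0 only if root login and passwords are off and every
# AllowUsers entry is pinned to a host. For single-valued keywords sshd
# keeps the first value it reads, hence "head -n 1". Runs in a subshell
# so that "set -f" (no glob expansion) does not leak to the caller.
audit_sshd_config() (  # usage: audit_sshd_config FILE
    set -f
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        got=$(sshd_values "$key" "$1" | head -n 1)
        if [ "$got" = "no" ]; then
            echo "PASS $key no"
        else
            echo "FAIL $key is '${got:-unset, sshd default applies}', want 'no'"
            rc=1
        fi
    done
    allow=$(sshd_values AllowUsers "$1" | tr '\n' ' ')
    [ -n "$allow" ] || { echo "FAIL AllowUsers is unset"; rc=1; }
    for entry in $allow; do
        case $entry in
            *@*) echo "PASS AllowUsers $entry" ;;
            *)   echo "FAIL AllowUsers $entry has no @host part"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Constructed sample: both directives are commented out, so they have no effect.
sample=$(mktemp)
printf '%s\n' '# PermitRootLogin no' '# PasswordAuthentication no' \
    'AllowUsers deploy@192.0.2.10' > "$sample"
audit_sshd_config "$sample" || echo "=> $sample is not locked down"
rm -f "$sample"
```

Before restarting the daemon, `sshd -t` checks the real file for syntax errors.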
Set Up A Firewall
No secure server is complete without a firewall.
ufw allow from {your-ip} to any port 22
ufw allow 80
ufw allow 443
ufw enable
Enable Automatic Security Updates
Packages are kept current with apt-get update/upgrade, and
it’s important that they all stay up to date. Automated security
updates scare me somewhat, but not as badly as unpatched
security holes.
apt-get install unattended-upgrades
vim /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
vim /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
"Ubuntu lucid-security";
// "Ubuntu lucid-updates";
};
Install Logwatch
To keep an eye on things: Logwatch is a daemon that monitors
your logs and emails them to you.
apt-get install logwatch
vim /etc/cron.daily/00logwatch
We must add this line:
/usr/sbin/logwatch --output mail --mailto [email protected] --detail high
To be continued …
Two-factor authentication for SSH login on Linux
App on android and that…
Log in firewall… WebApp firewall, … DDoS…
Security in Databases (MySql and PostgreSQL)
TLS on services
Block bruteforce attacks
AppArmor
Data encryption and group policies over it
Some SEM tools, and tests with some pen test tactics.
Prevent IPSpoofing
Check for Rootkits
Auditing
… It is never enough… the bad guys have all the time for them …
Thanks!