├── linux-kernel-sysctl-hardening.md
├── LICENSE.txt
└── README.md
/linux-kernel-sysctl-hardening.md:
--------------------------------------------------------------------------------
1 | # Linux Kernel `sysctl` Hardening
2 |
3 | ## Table of Contents
4 |
5 | - [Overview](#overview)
6 | - [Documentation](#documentation)
7 | - [Disclaimer](#disclaimer)
8 | - [Keys](#keys)
9 |
10 | ## Overview
11 |
12 | This is a combined list of all the `sysctl` hardening recommendations I could find across multiple sites:
13 |
14 | - https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
15 | - https://geektnt.com/sysctl-conf-hardening.html
16 | - https://linoxide.com/how-tos/linux-server-protection/
17 | - https://cloudpro.zone/index.php/2018/01/30/debian-9-3-server-setup-guide-part-5/
18 | - https://github.com/klaver/sysctl/blob/master/sysctl.conf
19 |
20 | ## Documentation
21 |
22 | Documentation for **most** of these keys can be found at https://github.com/torvalds/linux/blob/master/Documentation. However, the documentation seems to be for the 2.2 kernel. I cannot find any newer documentation. If you know where I can find newer documentation please submit a [new issue](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/new).
23 |
24 | ## Disclaimer
25 |
26 | I do not know what most of these settings do. This list is being provided just as reference material. I take no responsibility for anything.
27 |
28 | ## Keys
29 |
30 | |`key=value`|Note|[Documentation|
31 | |--|--|--|
32 | |`fs.file-max = 65535`||[/sysctl/fs.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/fs.txt)|
33 | |`fs.protected_hardlinks = 1`||[/sysctl/fs.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/fs.txt)|
34 | |`fs.protected_symlinks = 1`||[/sysctl/fs.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/fs.txt)|
35 | |`fs.suid_dumpable = 0`||[/sysctl/fs.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/fs.txt)|
36 | |`kernel.core_uses_pid = 1`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
37 | |`kernel.ctrl-alt-del = 0`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
38 | |`kernel.kptr_restrict = 2`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
39 | |`kernel.maps_protect = 1`|||
40 | |`kernel.msgmax = 65535`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
41 | |`kernel.msgmnb = 65535`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
42 | |`kernel.pid_max = 65535`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
43 | |`kernel.randomize_va_space = 2`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
44 | |`kernel.shmall = 268435456`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
45 | |`kernel.shmmax = 268435456`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
46 | |`kernel.sysrq = 0`||[/sysctl/kernel.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/kernel.txt)|
47 | |`net.core.default_qdisc = fq`||[/sysctl/net.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/net.txt)|
48 | |`net.core.dev_weight = 64`||[/sysctl/net.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/net.txt)|
49 | |`net.core.netdev_max_backlog = 16384`||[/sysctl/net.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/net.txt)|
50 | |`net.core.optmem_max = 65535`||[/sysctl/net.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/net.txt)|
51 | |`net.core.rmem_default = 262144`||[/sysctl/net.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/net.txt)|
52 | |`net.core.rmem_max = 16777216`||[/sysctl/net.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/net.txt)|
53 | |`net.core.somaxconn = 32768`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
54 | |`net.core.wmem_default = 262144`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
55 | |`net.core.wmem_max = 16777216`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
56 | |`net.ipv4.conf.all.accept_redirects = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
57 | |`net.ipv4.conf.all.accept_source_route = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
58 | |`net.ipv4.conf.all.bootp_relay = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
59 | |`net.ipv4.conf.all.forwarding = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
60 | |`net.ipv4.conf.all.log_martians = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
61 | |`net.ipv4.conf.all.proxy_arp = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
62 | |`net.ipv4.conf.all.rp_filter = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
63 | |`net.ipv4.conf.all.secure_redirects = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
64 | |`net.ipv4.conf.all.send_redirects = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
65 | |`net.ipv4.conf.default.accept_redirects = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
66 | |`net.ipv4.conf.default.accept_source_route = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
67 | |`net.ipv4.conf.default.forwarding = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
68 | |`net.ipv4.conf.default.log_martians = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
69 | |`net.ipv4.conf.default.rp_filter = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
70 | |`net.ipv4.conf.default.secure_redirects = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
71 | |`net.ipv4.conf.default.send_redirects = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
72 | |`net.ipv4.conf.eth0.accept_redirects = 0`|change `eth0` to your network interface|[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
73 | |`net.ipv4.conf.eth0.accept_source_route = 0`|change `eth0` to your network interface|[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
74 | |`net.ipv4.conf.eth0.log_martians = 0`|change `eth0` to your network interface|[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
75 | |`net.ipv4.conf.eth0.rp_filter = 1`|change `eth0` to your network interface|[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
76 | |`net.ipv4.conf.lo.accept_redirects = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
77 | |`net.ipv4.conf.lo.accept_source_route = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
78 | |`net.ipv4.conf.lo.log_martians = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
79 | |`net.ipv4.conf.lo.rp_filter = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
80 | |`net.ipv4.icmp_echo_ignore_all = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
81 | |`net.ipv4.icmp_echo_ignore_broadcasts = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
82 | |`net.ipv4.icmp_ignore_bogus_error_responses = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
83 | |`net.ipv4.ip_forward = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
84 | |`net.ipv4.ip_local_port_range = 2000 65000`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
85 | |`net.ipv4.ipfrag_high_thresh = 262144`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
86 | |`net.ipv4.ipfrag_low_thresh = 196608`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
87 | |`net.ipv4.neigh.default.gc_interval = 30`|||
88 | |`net.ipv4.neigh.default.gc_thresh1 = 32`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
89 | |`net.ipv4.neigh.default.gc_thresh2 = 1024`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
90 | |`net.ipv4.neigh.default.gc_thresh3 = 2048`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
91 | |`net.ipv4.neigh.default.proxy_qlen = 96`|||
92 | |`net.ipv4.neigh.default.unres_qlen = 6`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
93 | |`net.ipv4.route.flush = 1`|||
94 | |`net.ipv4.tcp_congestion_control = htcp`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
95 | |`net.ipv4.tcp_ecn = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
96 | |`net.ipv4.tcp_fastopen = 3`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
97 | |`net.ipv4.tcp_fin_timeout = 15`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
98 | |`net.ipv4.tcp_keepalive_intvl = 15`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
99 | |`net.ipv4.tcp_keepalive_probes = 5`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
100 | |`net.ipv4.tcp_keepalive_time = 1800`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
101 | |`net.ipv4.tcp_max_orphans = 16384`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
102 | |`net.ipv4.tcp_max_syn_backlog = 2048`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
103 | |`net.ipv4.tcp_max_tw_buckets = 1440000`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
104 | |`net.ipv4.tcp_moderate_rcvbuf = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
105 | |`net.ipv4.tcp_no_metrics_save = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
106 | |`net.ipv4.tcp_orphan_retries = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
107 | |`net.ipv4.tcp_reordering = 3`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
108 | |`net.ipv4.tcp_retries1 = 3`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
109 | |`net.ipv4.tcp_retries2 = 15`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
110 | |`net.ipv4.tcp_rfc1337 = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
111 | |`net.ipv4.tcp_rmem = 8192 87380 16777216`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
112 | |`net.ipv4.tcp_sack = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
113 | |`net.ipv4.tcp_slow_start_after_idle = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
114 | |`net.ipv4.tcp_syn_retries = 5`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
115 | |`net.ipv4.tcp_synack_retries = 2`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
116 | |`net.ipv4.tcp_syncookies = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
117 | |`net.ipv4.tcp_timestamps = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
118 | |`net.ipv4.tcp_tw_recycle = 0`|||
119 | |`net.ipv4.tcp_tw_reuse = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
120 | |`net.ipv4.tcp_window_scaling = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
121 | |`net.ipv4.tcp_wmem = 8192 65536 16777216`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
122 | |`net.ipv4.udp_rmem_min = 16384`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
123 | |`net.ipv4.udp_wmem_min = 16384`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
124 | |`net.ipv6.conf.all.accept_ra=0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
125 | |`net.ipv6.conf.all.accept_redirects = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
126 | |`net.ipv6.conf.all.accept_source_route = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
127 | |`net.ipv6.conf.all.autoconf = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
128 | |`net.ipv6.conf.all.forwarding = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
129 | |`net.ipv6.conf.default.accept_ra_defrtr = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
130 | |`net.ipv6.conf.default.accept_ra_pinfo = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
131 | |`net.ipv6.conf.default.accept_ra_rtr_pref = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
132 | |`net.ipv6.conf.default.accept_ra=0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
133 | |`net.ipv6.conf.default.accept_redirects = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
134 | |`net.ipv6.conf.default.accept_source_route = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
135 | |`net.ipv6.conf.default.autoconf = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
136 | |`net.ipv6.conf.default.dad_transmits = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
137 | |`net.ipv6.conf.default.forwarding = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
138 | |`net.ipv6.conf.default.max_addresses = 1`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
139 | |`net.ipv6.conf.default.router_solicitations = 0`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
140 | |`net.ipv6.conf.eth0.accept_ra=0`|change `eth0` to your network interface|[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
141 | |`net.ipv6.conf.eth0.autoconf = 0`|change `eth0` to your network interface|[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
142 | |`net.ipv6.ip6frag_high_thresh = 262144`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
143 | |`net.ipv6.ip6frag_low_thresh = 196608`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
144 | |`net.ipv6.route.flush = 1`|||
145 | |`net.unix.max_dgram_qlen = 50`||[/networking/ip-sysctl.txt](https://github.com/torvalds/linux/blob/master/Documentation/networking/ip-sysctl.txt)|
146 | |`vm.dirty_background_ratio = 5`||[/sysctl/vm.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/vm.txt)|
147 | |`vm.dirty_ratio = 30`||[/sysctl/vm.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/vm.txt)|
148 | |`vm.min_free_kbytes = 65535`||[/sysctl/vm.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/vm.txt)|
149 | |`vm.mmap_min_addr = 4096`||[/sysctl/vm.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/vm.txt)|
150 | |`vm.overcommit_memory = 0`||[/sysctl/vm.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/vm.txt)|
151 | |`vm.overcommit_ratio = 50`||[/sysctl/vm.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/vm.txt)|
152 | |`vm.swappiness = 30`||[/sysctl/vm.txt](https://github.com/torvalds/linux/blob/master/Documentation/sysctl/vm.txt)|
153 |
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | Attribution-ShareAlike 4.0 International
2 |
3 | =======================================================================
4 |
5 | Creative Commons Corporation ("Creative Commons") is not a law firm and
6 | does not provide legal services or legal advice. Distribution of
7 | Creative Commons public licenses does not create a lawyer-client or
8 | other relationship. Creative Commons makes its licenses and related
9 | information available on an "as-is" basis. Creative Commons gives no
10 | warranties regarding its licenses, any material licensed under their
11 | terms and conditions, or any related information. Creative Commons
12 | disclaims all liability for damages resulting from their use to the
13 | fullest extent possible.
14 |
15 | Using Creative Commons Public Licenses
16 |
17 | Creative Commons public licenses provide a standard set of terms and
18 | conditions that creators and other rights holders may use to share
19 | original works of authorship and other material subject to copyright
20 | and certain other rights specified in the public license below. The
21 | following considerations are for informational purposes only, are not
22 | exhaustive, and do not form part of our licenses.
23 |
24 | Considerations for licensors: Our public licenses are
25 | intended for use by those authorized to give the public
26 | permission to use material in ways otherwise restricted by
27 | copyright and certain other rights. Our licenses are
28 | irrevocable. Licensors should read and understand the terms
29 | and conditions of the license they choose before applying it.
30 | Licensors should also secure all rights necessary before
31 | applying our licenses so that the public can reuse the
32 | material as expected. Licensors should clearly mark any
33 | material not subject to the license. This includes other CC-
34 | licensed material, or material used under an exception or
35 | limitation to copyright. More considerations for licensors:
36 | wiki.creativecommons.org/Considerations_for_licensors
37 |
38 | Considerations for the public: By using one of our public
39 | licenses, a licensor grants the public permission to use the
40 | licensed material under specified terms and conditions. If
41 | the licensor's permission is not necessary for any reason--for
42 | example, because of any applicable exception or limitation to
43 | copyright--then that use is not regulated by the license. Our
44 | licenses grant only permissions under copyright and certain
45 | other rights that a licensor has authority to grant. Use of
46 | the licensed material may still be restricted for other
47 | reasons, including because others have copyright or other
48 | rights in the material. A licensor may make special requests,
49 | such as asking that all changes be marked or described.
50 | Although not required by our licenses, you are encouraged to
51 | respect those requests where reasonable. More considerations
52 | for the public:
53 | wiki.creativecommons.org/Considerations_for_licensees
54 |
55 | =======================================================================
56 |
57 | Creative Commons Attribution-ShareAlike 4.0 International Public
58 | License
59 |
60 | By exercising the Licensed Rights (defined below), You accept and agree
61 | to be bound by the terms and conditions of this Creative Commons
62 | Attribution-ShareAlike 4.0 International Public License ("Public
63 | License"). To the extent this Public License may be interpreted as a
64 | contract, You are granted the Licensed Rights in consideration of Your
65 | acceptance of these terms and conditions, and the Licensor grants You
66 | such rights in consideration of benefits the Licensor receives from
67 | making the Licensed Material available under these terms and
68 | conditions.
69 |
70 |
71 | Section 1 -- Definitions.
72 |
73 | a. Adapted Material means material subject to Copyright and Similar
74 | Rights that is derived from or based upon the Licensed Material
75 | and in which the Licensed Material is translated, altered,
76 | arranged, transformed, or otherwise modified in a manner requiring
77 | permission under the Copyright and Similar Rights held by the
78 | Licensor. For purposes of this Public License, where the Licensed
79 | Material is a musical work, performance, or sound recording,
80 | Adapted Material is always produced where the Licensed Material is
81 | synched in timed relation with a moving image.
82 |
83 | b. Adapter's License means the license You apply to Your Copyright
84 | and Similar Rights in Your contributions to Adapted Material in
85 | accordance with the terms and conditions of this Public License.
86 |
87 | c. BY-SA Compatible License means a license listed at
88 | creativecommons.org/compatiblelicenses, approved by Creative
89 | Commons as essentially the equivalent of this Public License.
90 |
91 | d. Copyright and Similar Rights means copyright and/or similar rights
92 | closely related to copyright including, without limitation,
93 | performance, broadcast, sound recording, and Sui Generis Database
94 | Rights, without regard to how the rights are labeled or
95 | categorized. For purposes of this Public License, the rights
96 | specified in Section 2(b)(1)-(2) are not Copyright and Similar
97 | Rights.
98 |
99 | e. Effective Technological Measures means those measures that, in the
100 | absence of proper authority, may not be circumvented under laws
101 | fulfilling obligations under Article 11 of the WIPO Copyright
102 | Treaty adopted on December 20, 1996, and/or similar international
103 | agreements.
104 |
105 | f. Exceptions and Limitations means fair use, fair dealing, and/or
106 | any other exception or limitation to Copyright and Similar Rights
107 | that applies to Your use of the Licensed Material.
108 |
109 | g. License Elements means the license attributes listed in the name
110 | of a Creative Commons Public License. The License Elements of this
111 | Public License are Attribution and ShareAlike.
112 |
113 | h. Licensed Material means the artistic or literary work, database,
114 | or other material to which the Licensor applied this Public
115 | License.
116 |
117 | i. Licensed Rights means the rights granted to You subject to the
118 | terms and conditions of this Public License, which are limited to
119 | all Copyright and Similar Rights that apply to Your use of the
120 | Licensed Material and that the Licensor has authority to license.
121 |
122 | j. Licensor means the individual(s) or entity(ies) granting rights
123 | under this Public License.
124 |
125 | k. Share means to provide material to the public by any means or
126 | process that requires permission under the Licensed Rights, such
127 | as reproduction, public display, public performance, distribution,
128 | dissemination, communication, or importation, and to make material
129 | available to the public including in ways that members of the
130 | public may access the material from a place and at a time
131 | individually chosen by them.
132 |
133 | l. Sui Generis Database Rights means rights other than copyright
134 | resulting from Directive 96/9/EC of the European Parliament and of
135 | the Council of 11 March 1996 on the legal protection of databases,
136 | as amended and/or succeeded, as well as other essentially
137 | equivalent rights anywhere in the world.
138 |
139 | m. You means the individual or entity exercising the Licensed Rights
140 | under this Public License. Your has a corresponding meaning.
141 |
142 |
143 | Section 2 -- Scope.
144 |
145 | a. License grant.
146 |
147 | 1. Subject to the terms and conditions of this Public License,
148 | the Licensor hereby grants You a worldwide, royalty-free,
149 | non-sublicensable, non-exclusive, irrevocable license to
150 | exercise the Licensed Rights in the Licensed Material to:
151 |
152 | a. reproduce and Share the Licensed Material, in whole or
153 | in part; and
154 |
155 | b. produce, reproduce, and Share Adapted Material.
156 |
157 | 2. Exceptions and Limitations. For the avoidance of doubt, where
158 | Exceptions and Limitations apply to Your use, this Public
159 | License does not apply, and You do not need to comply with
160 | its terms and conditions.
161 |
162 | 3. Term. The term of this Public License is specified in Section
163 | 6(a).
164 |
165 | 4. Media and formats; technical modifications allowed. The
166 | Licensor authorizes You to exercise the Licensed Rights in
167 | all media and formats whether now known or hereafter created,
168 | and to make technical modifications necessary to do so. The
169 | Licensor waives and/or agrees not to assert any right or
170 | authority to forbid You from making technical modifications
171 | necessary to exercise the Licensed Rights, including
172 | technical modifications necessary to circumvent Effective
173 | Technological Measures. For purposes of this Public License,
174 | simply making modifications authorized by this Section 2(a)
175 | (4) never produces Adapted Material.
176 |
177 | 5. Downstream recipients.
178 |
179 | a. Offer from the Licensor -- Licensed Material. Every
180 | recipient of the Licensed Material automatically
181 | receives an offer from the Licensor to exercise the
182 | Licensed Rights under the terms and conditions of this
183 | Public License.
184 |
185 | b. Additional offer from the Licensor -- Adapted Material.
186 | Every recipient of Adapted Material from You
187 | automatically receives an offer from the Licensor to
188 | exercise the Licensed Rights in the Adapted Material
189 | under the conditions of the Adapter's License You apply.
190 |
191 | c. No downstream restrictions. You may not offer or impose
192 | any additional or different terms or conditions on, or
193 | apply any Effective Technological Measures to, the
194 | Licensed Material if doing so restricts exercise of the
195 | Licensed Rights by any recipient of the Licensed
196 | Material.
197 |
198 | 6. No endorsement. Nothing in this Public License constitutes or
199 | may be construed as permission to assert or imply that You
200 | are, or that Your use of the Licensed Material is, connected
201 | with, or sponsored, endorsed, or granted official status by,
202 | the Licensor or others designated to receive attribution as
203 | provided in Section 3(a)(1)(A)(i).
204 |
205 | b. Other rights.
206 |
207 | 1. Moral rights, such as the right of integrity, are not
208 | licensed under this Public License, nor are publicity,
209 | privacy, and/or other similar personality rights; however, to
210 | the extent possible, the Licensor waives and/or agrees not to
211 | assert any such rights held by the Licensor to the limited
212 | extent necessary to allow You to exercise the Licensed
213 | Rights, but not otherwise.
214 |
215 | 2. Patent and trademark rights are not licensed under this
216 | Public License.
217 |
218 | 3. To the extent possible, the Licensor waives any right to
219 | collect royalties from You for the exercise of the Licensed
220 | Rights, whether directly or through a collecting society
221 | under any voluntary or waivable statutory or compulsory
222 | licensing scheme. In all other cases the Licensor expressly
223 | reserves any right to collect such royalties.
224 |
225 |
226 | Section 3 -- License Conditions.
227 |
228 | Your exercise of the Licensed Rights is expressly made subject to the
229 | following conditions.
230 |
231 | a. Attribution.
232 |
233 | 1. If You Share the Licensed Material (including in modified
234 | form), You must:
235 |
236 | a. retain the following if it is supplied by the Licensor
237 | with the Licensed Material:
238 |
239 | i. identification of the creator(s) of the Licensed
240 | Material and any others designated to receive
241 | attribution, in any reasonable manner requested by
242 | the Licensor (including by pseudonym if
243 | designated);
244 |
245 | ii. a copyright notice;
246 |
247 | iii. a notice that refers to this Public License;
248 |
249 | iv. a notice that refers to the disclaimer of
250 | warranties;
251 |
252 | v. a URI or hyperlink to the Licensed Material to the
253 | extent reasonably practicable;
254 |
255 | b. indicate if You modified the Licensed Material and
256 | retain an indication of any previous modifications; and
257 |
258 | c. indicate the Licensed Material is licensed under this
259 | Public License, and include the text of, or the URI or
260 | hyperlink to, this Public License.
261 |
262 | 2. You may satisfy the conditions in Section 3(a)(1) in any
263 | reasonable manner based on the medium, means, and context in
264 | which You Share the Licensed Material. For example, it may be
265 | reasonable to satisfy the conditions by providing a URI or
266 | hyperlink to a resource that includes the required
267 | information.
268 |
269 | 3. If requested by the Licensor, You must remove any of the
270 | information required by Section 3(a)(1)(A) to the extent
271 | reasonably practicable.
272 |
273 | b. ShareAlike.
274 |
275 | In addition to the conditions in Section 3(a), if You Share
276 | Adapted Material You produce, the following conditions also apply.
277 |
278 | 1. The Adapter's License You apply must be a Creative Commons
279 | license with the same License Elements, this version or
280 | later, or a BY-SA Compatible License.
281 |
282 | 2. You must include the text of, or the URI or hyperlink to, the
283 | Adapter's License You apply. You may satisfy this condition
284 | in any reasonable manner based on the medium, means, and
285 | context in which You Share Adapted Material.
286 |
287 | 3. You may not offer or impose any additional or different terms
288 | or conditions on, or apply any Effective Technological
289 | Measures to, Adapted Material that restrict exercise of the
290 | rights granted under the Adapter's License You apply.
291 |
292 |
293 | Section 4 -- Sui Generis Database Rights.
294 |
295 | Where the Licensed Rights include Sui Generis Database Rights that
296 | apply to Your use of the Licensed Material:
297 |
298 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right
299 | to extract, reuse, reproduce, and Share all or a substantial
300 | portion of the contents of the database;
301 |
302 | b. if You include all or a substantial portion of the database
303 | contents in a database in which You have Sui Generis Database
304 | Rights, then the database in which You have Sui Generis Database
305 | Rights (but not its individual contents) is Adapted Material,
306 |
307 | including for purposes of Section 3(b); and
308 | c. You must comply with the conditions in Section 3(a) if You Share
309 | all or a substantial portion of the contents of the database.
310 |
311 | For the avoidance of doubt, this Section 4 supplements and does not
312 | replace Your obligations under this Public License where the Licensed
313 | Rights include other Copyright and Similar Rights.
314 |
315 |
316 | Section 5 -- Disclaimer of Warranties and Limitation of Liability.
317 |
318 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
319 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
320 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
321 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
322 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
323 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
324 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
325 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
326 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
327 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
328 |
329 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
330 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
331 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
332 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
333 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
334 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
335 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
336 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
337 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
338 |
339 | c. The disclaimer of warranties and limitation of liability provided
340 | above shall be interpreted in a manner that, to the extent
341 | possible, most closely approximates an absolute disclaimer and
342 | waiver of all liability.
343 |
344 |
345 | Section 6 -- Term and Termination.
346 |
347 | a. This Public License applies for the term of the Copyright and
348 | Similar Rights licensed here. However, if You fail to comply with
349 | this Public License, then Your rights under this Public License
350 | terminate automatically.
351 |
352 | b. Where Your right to use the Licensed Material has terminated under
353 | Section 6(a), it reinstates:
354 |
355 | 1. automatically as of the date the violation is cured, provided
356 | it is cured within 30 days of Your discovery of the
357 | violation; or
358 |
359 | 2. upon express reinstatement by the Licensor.
360 |
361 | For the avoidance of doubt, this Section 6(b) does not affect any
362 | right the Licensor may have to seek remedies for Your violations
363 | of this Public License.
364 |
365 | c. For the avoidance of doubt, the Licensor may also offer the
366 | Licensed Material under separate terms or conditions or stop
367 | distributing the Licensed Material at any time; however, doing so
368 | will not terminate this Public License.
369 |
370 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
371 | License.
372 |
373 |
374 | Section 7 -- Other Terms and Conditions.
375 |
376 | a. The Licensor shall not be bound by any additional or different
377 | terms or conditions communicated by You unless expressly agreed.
378 |
379 | b. Any arrangements, understandings, or agreements regarding the
380 | Licensed Material not stated herein are separate from and
381 | independent of the terms and conditions of this Public License.
382 |
383 |
384 | Section 8 -- Interpretation.
385 |
386 | a. For the avoidance of doubt, this Public License does not, and
387 | shall not be interpreted to, reduce, limit, restrict, or impose
388 | conditions on any use of the Licensed Material that could lawfully
389 | be made without permission under this Public License.
390 |
391 | b. To the extent possible, if any provision of this Public License is
392 | deemed unenforceable, it shall be automatically reformed to the
393 | minimum extent necessary to make it enforceable. If the provision
394 | cannot be reformed, it shall be severed from this Public License
395 | without affecting the enforceability of the remaining terms and
396 | conditions.
397 |
398 | c. No term or condition of this Public License will be waived and no
399 | failure to comply consented to unless expressly agreed to by the
400 | Licensor.
401 |
402 | d. Nothing in this Public License constitutes or may be interpreted
403 | as a limitation upon, or waiver of, any privileges and immunities
404 | that apply to the Licensor or You, including from the legal
405 | processes of any jurisdiction or authority.
406 |
407 |
408 | =======================================================================
409 |
410 | Creative Commons is not a party to its public
411 | licenses. Notwithstanding, Creative Commons may elect to apply one of
412 | its public licenses to material it publishes and in those instances
413 | will be considered the “Licensor.” The text of the Creative Commons
414 | public licenses is dedicated to the public domain under the CC0 Public
415 | Domain Dedication. Except for the limited purpose of indicating that
416 | material is shared under a Creative Commons public license or as
417 | otherwise permitted by the Creative Commons policies published at
418 | creativecommons.org/policies, Creative Commons does not authorize the
419 | use of the trademark "Creative Commons" or any other trademark or logo
420 | of Creative Commons without its prior written consent including,
421 | without limitation, in connection with any unauthorized modifications
422 | to any of its public licenses or any other arrangements,
423 | understandings, or agreements concerning use of licensed material. For
424 | the avoidance of doubt, this paragraph does not form part of the
425 | public licenses.
426 |
427 | Creative Commons may be contacted at creativecommons.org.
428 |
429 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # How To Secure A Linux Server
2 |
3 | An evolving how-to guide for securing a Linux server that, hopefully, also teaches you a little about security and why it matters.
4 |
5 | [](#license)
6 |
7 | ## Table of Contents
8 |
9 | - [Introduction](#introduction)
10 | - [Guide Objective](#guide-objective)
11 | - [Why Secure Your Server](#why-secure-your-server)
12 | - [Why Yet Another Guide](#why-yet-another-guide)
13 | - [Other Guides](#other-guides)
14 | - [To Do / To Add](#to-do--to-add)
15 | - [Guide Overview](#guide-overview)
16 | - [About This Guide](#about-this-guide)
17 | - [My Use-Case](#my-use-case)
18 | - [Editing Configuration Files - For The Lazy](#editing-configuration-files---for-the-lazy)
19 | - [Contributing](#contributing)
20 | - [Before You Start](#before-you-start)
21 | - [Identify Your Principles](#identify-your-principles)
22 | - [Picking A Linux Distribution](#picking-a-linux-distribution)
23 | - [Installing Linux](#installing-linux)
24 | - [Pre/Post Installation Requirements](#prepost-installation-requirements)
25 | - [Other Important Notes](#other-important-notes)
26 | - [The SSH Server](#the-ssh-server)
27 | - [SSH Public/Private Keys](#ssh-publicprivate-keys)
28 | - [Create SSH Group For AllowGroups](#create-ssh-group-for-allowgroups)
29 | - [Secure `/etc/ssh/sshd_config`](#secure-etcsshsshd_config)
30 | - [Remove Short Diffie-Hellman Keys](#remove-short-diffie-hellman-keys)
31 | - [2FA/MFA for SSH](#2famfa-for-ssh)
32 | - [The Basics](#the-basics)
33 | - [Limit Who Can Use sudo](#limit-who-can-use-sudo)
34 | - [NTP Client](#ntp-client)
35 | - [Securing /proc](#securing-proc)
36 | - [Force Accounts To Use Secure Passwords](#force-accounts-to-use-secure-passwords)
37 | - [Automatic Security Updates and Alerts](#automatic-security-updates-and-alerts)
38 | - [More Secure Random Entropy Pool (WIP)](#more-secure-random-entropy-pool-wip)
39 | - [The Network](#the-network)
40 | - [Firewall With UFW (Uncomplicated Firewall)](#firewall-with-ufw-uncomplicated-firewall)
41 | - [iptables Intrusion Detection And Prevention with PSAD](#iptables-intrusion-detection-and-prevention-with-psad)
42 | - [Application Intrusion Detection And Prevention With Fail2Ban](#application-intrusion-detection-and-prevention-with-fail2ban)
43 | - [The Auditing](#the-auditing)
44 | - [File/Folder Integrity Monitoring With AIDE (WIP)](#filefolder-integrity-monitoring-with-aide-wip)
45 | - [Anti-Virus Scanning With ClamAV (WIP)](#anti-virus-scanning-with-clamav-wip)
46 | - [Rootkit Detection With Rkhunter (WIP)](#rootkit-detection-with-rkhunter-wip)
47 | - [Rootkit Detection With chrootkit (WIP)](#rootkit-detection-with-chrootkit-wip)
48 | - [logwatch - system log analyzer and reporter](#logwatch---system-log-analyzer-and-reporter)
49 | - [ss - Seeing Ports Your Server Is Listening On](#ss---seeing-ports-your-server-is-listening-on)
50 | - [Lynis - Linux Security Auditing](#lynis---linux-security-auditing)
51 | - [The Danger Zone](#the-danger-zone)
52 | - [The Miscellaneous](#the-miscellaneous)
53 | - [Gmail and Exim4 As MTA With Implicit TLS](#gmail-and-exim4-as-mta-with-implicit-tls)
54 | - [Separate iptables Log File](#separate-iptables-log-file)
55 | - [Left Over](#left-over)
56 | - [Contacting Me](#contacting-me)
57 | - [Helpful Links](#helpful-links)
58 | - [Acknowledgments](#acknowledgments)
59 | - [License and Copyright](#license-and-copyright)
60 |
61 | (TOC made with [nGitHubTOC](https://imthenachoman.github.io/nGitHubTOC/))
62 |
63 | ## Introduction
64 |
65 | ### Guide Objective
66 |
67 | This guides purpose is to teach you how to secure a Linux server.
68 |
69 | There are a lot of things you can do to secure a Linux server and this guide will attempt to cover as many of them as possible. More topics/material will be added as I learn, or as folks [contribute](#contributing).
70 |
71 | ([Table of Contents](#table-of-contents))
72 |
73 | ### Why Secure Your Server
74 |
75 | I assume you're using this guide because you, hopefully, already understand why good security is important. That is a heavy topic onto itself and breaking it down is out-of-scope for this guide. If you don't know the answer to that question, I advise you research it first.
76 |
77 | At a high level, the second a device, like a server, is in the public domain -- i.e visible to the outside world -- it becomes a target for bad-actors. An unsecured device is a playground for bad-actors who want access to your data, or to use your server as another node for their large-scale DDOS attacks.
78 |
79 | What's worse is, without good security, you may never know if your server has been compromised. A bad-actor may have gained unauthorized access to your server and copied your data without changing anything so you'd never know. Or your server may have been part of a DDOS attack and you wouldn't know. Look at many of the large scale data breaches in the news -- the companies often did not discover the data leak or intrusion until long after the bad-actors were gone.
80 |
81 | Contrary to popular belief, bad-actors don't always want to change something or [lock you out of your data for money](https://en.wikipedia.org/wiki/Ransomware). Sometimes they just want the data on your server for their data warehouses (there is big money in big data) or to covertly use your server for their nefarious purposes.
82 |
83 | ([Table of Contents](#table-of-contents))
84 |
85 | ### Why Yet Another Guide
86 |
87 | This guide may appear duplicative/unnecessary because there are countless articles online that tell you [how to secure Linux](https://duckduckgo.com/?q=how+to+secure+linux&t=ffab&atb=v151-7&ia=web), but the information is spread across different articles, that cover different things, and in different ways. Who has time to scour through hundreds of articles?
88 |
89 | As I was going through research for my Debian build, I kept notes. At the end I realized that, along with what I already knew, and what I was learning, I had the makings of a how-to guide. I figured I'd put it online to hopefully help others **learn**, and **save time**.
90 |
91 | I've never found one guide that covers everything -- this guide is my attempt.
92 |
93 | Many of the things covered in this guide may be rather basic/trivial, but most of us do not install Linux every day and it is easy to forget those basic things.
94 |
95 | IT automation tools like [Ansible](https://www.ansible.com/), [Chef](https://www.chef.io/), [Jenkins](https://jenkins.io/), [Puppet](https://puppet.com/), etc. help with the tedious task of installing/configuring a server but IMHO they are better suited for multiple or large scale deployments. IMHO, the overhead required to use those kinds of automation tools is wholly unnecessary for a one-time single server install for home use.
96 |
97 | ([Table of Contents](#table-of-contents))
98 |
99 | ### Other Guides
100 |
101 | There are many guides provided by experts, industry leaders, and the distributions themselves. It is not practical, and sometimes against copyright, to include everything from those guides. I recommend you check them out before starting with this guide.
102 |
103 | - The [Center for Internet Security (CIS)](https://www.cisecurity.org/) provides [benchmarks](https://www.cisecurity.org/cis-benchmarks/) that are exhaustive, industry trusted, step-by-step instructions for securing many flavors of Linux. Check their [About Us](https://www.cisecurity.org/about-us/) page for details. My recommendation is to go through this guide first and then CIS's guide. That way their recommendations will trump anything in this guide.
104 | - For distribution specific hardening/security guides, check your distributions documentation.
105 | - https://security.utexas.edu/os-hardening-checklist/linux-7 - Red Hat Enterprise Linux 7 Hardening Checklist
106 | - https://cloudpro.zone/index.php/2018/01/18/debian-9-3-server-setup-guide-part-1/ - # Debian 9.3 server setup guide
107 | - https://blog.vigilcode.com/2011/04/ubuntu-server-initial-security-quick-secure-setup-part-i/ - Ubuntu Server Initial Security guide
108 | - https://www.tldp.org/LDP/sag/html/index.html
109 | - https://seifried.org/lasg/
110 | - https://news.ycombinator.com/item?id=19178964
111 | - https://wiki.archlinux.org/index.php/Security - many folks have also recommended this one
112 | - https://securecompliance.co/linux-server-hardening-checklist/
113 |
114 | ([Table of Contents](#table-of-contents))
115 |
116 | ### To Do / To Add
117 |
118 | - [ ] [Custom Jails for Fail2ban](#custom-jails)
119 | - [ ] MAC (Mandatory Access Control) and Linux Security Modules (LSMs)
120 | - https://wiki.archlinux.org/index.php/security#Mandatory_access_control
121 | - Security-Enhanced Linux / SELinux
122 | - https://en.wikipedia.org/wiki/Security-Enhanced_Linux
123 | - https://linuxtechlab.com/beginners-guide-to-selinux/
124 | - https://linuxtechlab.com/replicate-selinux-policies-among-linux-machines/
125 | - https://teamignition.us/how-to-stop-being-a-scrub-and-learn-to-use-selinux.html
126 | - AppArmor
127 | - https://wiki.archlinux.org/index.php/AppArmor
128 | - https://security.stackexchange.com/questions/29378/comparison-between-apparmor-and-selinux
129 | - http://www.insanitybit.com/2012/06/01/why-i-like-apparmor-more-than-selinux-5/
130 | - [ ] disk encryption
131 | - [ ] Rkhunter and chrootkit
132 | - http://www.chkrootkit.org/
133 | - http://rkhunter.sourceforge.net/
134 | - https://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/
135 | - https://www.tecmint.com/install-rootkit-hunter-scan-for-rootkits-backdoors-in-linux/
136 | - [ ] shipping/backing up logs - https://news.ycombinator.com/item?id=19178681
137 | - [ ] CIS-CAT - https://learn.cisecurity.org/cis-cat-landing-page
138 | - [ ] debsums - https://blog.sleeplessbeastie.eu/2015/03/02/how-to-verify-installed-packages/
139 |
140 | ([Table of Contents](#table-of-contents))
141 |
142 | ## Guide Overview
143 |
144 | ### About This Guide
145 |
146 | This guide...
147 |
148 | - ...**is** a work in progress.
149 | - ...**is** focused on **at-home** Linux servers. All of the concepts/recommendations here apply to larger/professional environments but those use-cases call for more advanced and specialized configurations that are out-of-scope for this guide.
150 | - ...**does not** teach you about Linux, how to [install Linux](#installing-linux), or how to use it. Check https://linuxjourney.com/ if you're new to Linux.
151 | - ...**is** meant to be [Linux distribution agnostic](#picking-a-linux-distribution).
152 | - ...**does not** teach you everything you need to know about security nor does it get into all aspects of system/server security. For example, physical security is out of scope for this guide.
153 | - ...**does not** talk about how programs/tools work, nor does it delve into their nook and crannies. Most of the programs/tools this guide references are very powerful and highly configurable. The goal is to cover the bare necessities -- enough to whet your appetite and make you hungry enough to want to go and learn more.
154 | - ...**aims** to make it easy by providing code you can copy-and-paste. You might need to modify the commands before you paste so keep your favorite [text editor](https://notepad-plus-plus.org/) handy.
155 | - ...**is** organized in an order that makes logical sense to me -- i.e. securing SSH before installing a firewall. As such, this guide is intended to be followed in the order it is presented but it is not necessary to do so. Just be careful if you do things in a different order -- some sections require previous sections to be completed.
156 |
157 | ([Table of Contents](#table-of-contents))
158 |
159 | ### My Use-Case
160 |
161 | There are many types of servers and different use-cases. While I want this guide to be as generic as possible, there will be some things that may not apply to all/other use-cases. Use your best judgement when going through this guide.
162 |
163 | To help put context to many of the topics covered in this guide, my use-case/configuration is:
164 |
165 | - A desktop class computer...
166 | - With a single NIC...
167 | - Connected to a consumer grade router...
168 | - Getting a dynamic WAN IP provided by the ISP...
169 | - With WAN+LAN on IPV4...
170 | - And LAN using [NAT](https://en.wikipedia.org/wiki/Network_address_translation)...
171 | - That I want to be able to SSH to remotely from unknown computers and unknown locations (i.e. a friend's house).
172 |
173 | ([Table of Contents](#table-of-contents))
174 |
175 | ### Editing Configuration Files - For The Lazy
176 |
177 | I am very lazy and do not like to edit files by hand if I don't need to. I also assume everyone else is just like me. :)
178 |
179 | So, when and where possible, I have provided `code` snippets to quickly do what is needed, like add or change a line in a configuration file.
180 |
181 | The `code` snippets use basic commands like `echo`, `cat`, `sed`, `awk`, and `grep`. How the `code` snippets work, like what each command/part does, is out of scope for this guide -- the `man` pages are your friend.
182 |
183 | **Note**: The `code` snippets do not validate/verify the change went through -- i.e. the line was actually added or changed. I'll leave the verifying part in your capable hands. The steps in this guide do include taking backups of all files that will be changed.
184 |
185 | Not all changes can be automated with `code` snippets. Those changes need good, old fashioned, manual editing. For example, you can't just append a line to an [INI](https://en.wikipedia.org/wiki/INI_file) type file. Use your [favorite](https://en.wikipedia.org/wiki/Vi) Linux text editor.
186 |
187 | ([Table of Contents](#table-of-contents))
188 |
189 | ### Contributing
190 |
191 | I wanted to put this guide on [GitHub](http://www.github.com) to make it easy to collaborate. The more folks that contribute, the better and more complete this guide will become.
192 |
193 | To contribute you can fork and submit a pull request or submit a [new issue](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/new).
194 |
195 | ([Table of Contents](#table-of-contents))
196 |
197 | ## Before You Start
198 |
199 | ### Identify Your Principles
200 |
201 | Before you start you will want to identify what your Principles are. What is your [threat model](https://en.wikipedia.org/wiki/Threat_model)? Some things to think about:
202 |
203 | - Why do you want to secure your server?
204 | - How much security do you want or not want?
205 | - How much convenience are you willing to compromise for security and vice-versa?
206 | - What are the threats you want to protect against? What are the specifics to your situation? For example:
207 | - Is physical access to your server/network a possible attack vector?
208 | - Will you be opening ports on your router so you can access your server from outside your home?
209 | - Will you be hosting a file share on your server that will be mounted on a desktop class machine? What is the possibility of the desktop machine getting infected and, in turn, infecting the server?
210 | - Do you have a means of recovering if your security implementation locks you out of your own server? For example, you [disabled root login](#disable-root-login) or [password protected GRUB](#password-protect-grub).
211 |
212 | These are just **a few things** to think about. Before you start securing your server you will want to understand what you're trying to protect against and why so you know what you need to do.
213 |
214 | ([Table of Contents](#table-of-contents))
215 |
216 | ### Picking A Linux Distribution
217 |
218 | This guide is intended to be distribution agnostic so users can use [any distribution](https://distrowatch.com/) they want. With that said, there are a few things to keep in mind:
219 |
220 | You want a distribution that...
221 |
222 | - ...**is stable**. Unless you like debugging issues at 2 AM, you don't want an [unattended upgrade](#automatic-security-updates-and-alerts), or a manual package/system update, to render your server inoperable. But this also means you're okay with not running the latest, greatest, bleeding edge software.
223 | - ...**stays up-to-date with security patches**. You can secure everything on your server, but if the core OS or applications you're running have known vulnerabilities, you'll never be safe.
224 | - ...**you're familiar with.** If you don't know Linux, I would advise you play around with one before you try to secure it. You should be comfortable with it and know your way around, like how to install software, where configuration files are, etc...
225 | - ...**is well supported.** Even the most seasoned admin needs help every now and then. Having a place to go for help will save your sanity.
226 |
227 | ([Table of Contents](#table-of-contents))
228 |
229 | ### Installing Linux
230 |
231 | Installing Linux is out-of-scope for this guide because each distribution does it differently and the installation instructions are usually well documented. If you need help, start with your distribution's documentation. Regardless of the distribution, the high-level process usually goes like so:
232 |
233 | 1. download the ISO
234 | 1. burn/copy/transfer it to your install medium (e.g. a CD or USB stick)
235 | 1. boot your server from your install medium
236 | 1. follow the prompts to install
237 |
238 | Where applicable, use the expert install option so you have tighter control of what is running on your server. **Only install what you absolutely need.** I, personally, do not install anything other than SSH.
239 |
240 | ([Table of Contents](#table-of-contents))
241 |
242 | ### Pre/Post Installation Requirements
243 |
244 | - If you're opening ports on your router so you can access your server from the outside, disable the port forwarding until your system is up and secured.
245 | - Unless you're doing everything physically connected to your server, you'll need remote access so be sure SSH works.
246 | - Keep your system up-to-date (i.e. `sudo apt update && sudo apt upgrade` on Debian based systems).
247 | - Make sure you perform any tasks specific to your setup like:
248 | - Configuring network
249 | - Configuring mount points in `/etc/fstab`
250 | - Creating the initial user accounts
251 | - Installing core software you'll want like `man`
252 | - Etc...
253 | - Your server will need to be able to send e-mails so you can get important security alerts. If you're not setting up a mail server check [Gmail and Exim4 As MTA With Implicit TLS](#gmail-and-exim4-as-mta-with-implicit-tls).
254 | - I would also recommend you go through the [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) before you start with this guide.
255 |
256 | ([Table of Contents](#table-of-contents))
257 |
258 | ### Other Important Notes
259 |
260 | - This guide is being written and tested on Debian. Most things below should work on other distributions. If you find something that does not, please [contact me](#contacting-me). The main thing that separates each distribution will be its package management system. Since I use Debian, I will provide the appropriate `apt` commands that should work on all [Debian based distributions](https://www.debian.org/derivatives/). If someone is willing to [provide](#contributing) the respective commands for other distributions, I will add them.
261 | - File paths and settings also may differ slightly -- check with your distribution's documentation if you have issues.
262 | - Read the whole guide before you start. Your use-case and/or principals may call for not doing something or for changing the order.
263 | - Do not **blindly** copy-and-paste without understanding what you're pasting. Some commands will need to be modified for your needs before they'll work -- usernames for example.
264 |
265 | ([Table of Contents](#table-of-contents))
266 |
267 | ## The SSH Server
268 |
269 | ### SSH Public/Private Keys
270 |
271 | #### Why
272 |
273 | Using SSH public/private keys is more secure than using a password. It also makes it easier and faster, to connect to our server because you don't have to enter a password.
274 |
275 | #### How It Works
276 |
277 | Check the references below for more details but, at a high level, public/private keys work by using a pair of keys to verify identity.
278 |
279 | 1. One key, the **public** key, **can only encrypt data**, not decrypt it
280 | 1. The other key, the **private** key, can decrypt the data
281 |
282 | For SSH, a public and private key is created on the client. You want to keep both keys secure, especially the private key. Even though the public key is meant to be public, it is wise to make sure neither keys fall in the wrong hands.
283 |
284 | When you connect to an SSH server, SSH will look for a public key that matches the client you're connecting from in the file `~/.ssh/authorized_keys` on the server you're connecting to. Notice the file is in the **home folder** of the ID you're trying to connect to. So, after creating the public key, you need to append it to `~/.ssh/authorized_keys`. One approach is to copy it to a USB stick and physically transfer it to the server. Anther approach is to use use [`ssh-copy-id`](https://www.ssh.com/ssh/copy-id) to transfer and append the public key.
285 |
286 | After the keys have been created and the public key has been appended to `~/.ssh/authorized_keys` on the host, SSH uses the public and private keys to verify identity and then establish a secure connection. How identity is verified is a complicated process but [Digital Ocean](https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process) has a very nice write-up of how it works. At a high level, identity is verified by the server encrypting a challenge message with the public key, then sending it to the client. If the client cannot decrypt the challenge message with the private key, the identity can't be verified and a connection will not be established.
287 |
288 | They are considered more secure because you need the private key to establish an SSH connection. If you set [`PasswordAuthentication no` in `/etc/ssh/sshd_config`](#PasswordAuthentication), then SSH won't let you connect without the private key.
289 |
290 | You can also set a pass-phrase for the keys which would require you to enter the key pass-phrase when connecting using public/private keys. Keep in mind doing this means you can't use the key for automation because you'll have no way to send the passphrase in your scripts. `ssh-agent` is a program that is shipped in many Linux distros (and usually already running) that will allow you to hold your unencrypted private key in memory for a configurable duration. Simply run `ssh-add` and it will prompt you for your passphrase. You will not be prompted for your passphrase again until the configurable duration has passed.
291 |
292 | We will be using Ed25519 keys which, according to [https://linux-audit.com/](https://linux-audit.com/using-ed25519-openssh-keys-instead-of-dsa-rsa-ecdsa/):
293 |
294 | > It is using an elliptic curve signature scheme, which offers better security than ECDSA and DSA. At the same time, it also has good performance.
295 |
296 | #### Goals
297 |
298 | - Ed25519 public/private SSH keys:
299 | - private key on your client
300 | - public key on your server
301 |
302 | #### Notes
303 |
304 | - You'll need to do this step for every computer and account you'll be connecting to your server from/as.
305 |
306 | #### References
307 |
308 | - https://www.ssh.com/ssh/public-key-authentication
309 | - https://help.ubuntu.com/community/SSH/OpenSSH/Keys
310 | - https://linux-audit.com/using-ed25519-openssh-keys-instead-of-dsa-rsa-ecdsa/
311 | - https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
312 | - https://wiki.archlinux.org/index.php/SSH_Keys
313 | - https://www.ssh.com/ssh/copy-id
314 | - `man ssh-keygen`
315 | - `man ssh-copy-id`
316 | - `man ssh-add`
317 |
318 | #### Steps
319 |
320 | 1. From the computer you're going to use to connect to your server, **the client**, not the server itself, create an [Ed25519](https://linux-audit.com/using-ed25519-openssh-keys-instead-of-dsa-rsa-ecdsa/) key with `ssh-keygen`:
321 |
322 | ``` bash
323 | ssh-keygen -t ed25519
324 | ```
325 |
326 | > ```
327 | > Generating public/private ed25519 key pair.
328 | > Enter file in which to save the key (/home/user/.ssh/id_ed25519):
329 | > Created directory '/home/user/.ssh'.
330 | > Enter passphrase (empty for no passphrase):
331 | > Enter same passphrase again:
332 | > Your identification has been saved in /home/user/.ssh/id_ed25519.
333 | > Your public key has been saved in /home/user/.ssh/id_ed25519.pub.
334 | > The key fingerprint is:
335 | > SHA256:F44D4dr2zoHqgj0i2iVIHQ32uk/Lx4P+raayEAQjlcs user@client
336 | > The key's randomart image is:
337 | > +--[ED25519 256]--+
338 | > |xxxx x |
339 | > |o.o +. . |
340 | > | o o oo . |
341 | > |. E oo . o . |
342 | > | o o. o S o |
343 | > |... .. o o |
344 | > |.+....+ o |
345 | > |+.=++o.B.. |
346 | > |+..=**=o=. |
347 | > +----[SHA256]-----+
348 | > ```
349 |
350 | **Note**: If you set a passphrase, you'll need to enter it every time you connect to your server using this key, unless you're using `ssh-agent`.
351 |
352 | 1. Now you need to **append** the public key `~/.ssh/id_ed25519.pub` from your client to the `~/.ssh/authorized_keys` file on your server. Since we're presumable still at home on the LAN, we're probably safe from [MIM](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attacks, so we will use `ssh-copy-id` to transfer and append the public key:
353 |
354 | ``` bash
355 | ssh-copy-id user@server
356 | ```
357 |
358 | > ```
359 | > /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_ed25519.pub"
360 | > The authenticity of host 'host (192.168.1.96)' can't be established.
361 | > ECDSA key fingerprint is SHA256:QaDQb/X0XyVlogh87sDXE7MR8YIK7ko4wS5hXjRySJE.
362 | > Are you sure you want to continue connecting (yes/no)? yes
363 | > /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
364 | > /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
365 | > user@host's password:
366 | >
367 | > Number of key(s) added: 1
368 | >
369 | > Now try logging into the machine, with: "ssh 'user@host'"
370 | > and check to make sure that only the key(s) you wanted were added.
371 | > ```
372 |
373 | Now would be a good time to [perform any tasks specific to your setup](#prepost-installation-requirements).
374 |
375 | ([Table of Contents](#table-of-contents))
376 |
377 | ### Create SSH Group For AllowGroups
378 |
379 | #### Why
380 |
381 | To make it easy to control who can SSH to the server. By using a group, we can quickly add/remove accounts to the group to quickly allow or not allow SSH access to the server.
382 |
383 | #### How It Works
384 |
385 | We will use the [AllowGroups option](#AllowGroups) in SSH's configuration file [`/etc/ssh/sshd_config`](#secure-etcsshsshd_config). to tell the SSH server to only allow users to SSH in if they are a member of a certain UNIX group. Anyone not in the group will not be able to SSH in.
386 |
387 | #### Goals
388 |
389 | - a UNIX group that we'll use in [Secure `/etc/ssh/sshd_config`](#secure-etcsshsshd_config) to limit who can SSH to the server
390 |
391 | #### Notes
392 |
393 | - This is a per-requisite step to support the `AllowGroup` setting set in [Secure `/etc/ssh/sshd_config`](#secure-etcsshsshd_config).
394 |
395 | #### References
396 |
397 | - `man groupadd`
398 | - `man usermod`
399 |
400 | #### Steps
401 |
402 | 1. Create a group:
403 |
404 | ``` bash
405 | sudo groupadd sshusers
406 | ```
407 |
408 | 1. Add account(s) to the group:
409 |
410 | ``` bash
411 | sudo usermod -a -G sshusers user1
412 | sudo usermod -a -G sshusers user2
413 | sudo usermod -a -G sshusers ...
414 | ```
415 |
416 | You'll need to do this for every account on your server that needs SSH access.
417 |
418 | ([Table of Contents](#table-of-contents))
419 |
420 | ### Secure `/etc/ssh/sshd_config`
421 |
422 | #### Why
423 |
424 | SSH is a door into your server. This is especially true if you are opening ports on your router so you can SSH to your server from outside your home network. If it is not secured properly, a bad-actor could use it to gain unauthorized access to your system.
425 |
426 | #### How It Works
427 |
428 | `/etc/ssh/sshd_config` is the default configuration file that the SSH server uses. We will use this file to tell what options the SSH server should use.
429 |
430 | #### Goals
431 |
432 | - a secure SSH configuration
433 |
434 | #### Notes
435 |
436 | - Make sure you've completed [Create SSH Group For AllowGroups](#create-ssh-group-for-allowgroups) first.
437 |
438 | #### References
439 |
440 | - Mozilla's OpenSSH guidelines for OpenSSH 6.7+ at https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
441 | - https://linux-audit.com/audit-and-harden-your-ssh-configuration/
442 | - https://www.ssh.com/ssh/sshd_config/
443 | - https://www.techbrown.com/harden-ssh-secure-linux-vps-server/
444 | - https://serverfault.com/questions/660160/openssh-difference-between-internal-sftp-and-sftp-server/660325
445 | - `man sshd_config`
446 |
447 | #### Steps
448 |
449 | 1. Make a backup of OpenSSH server's configuration file `/etc/ssh/sshd_config` and remove comments to make it easier to read:
450 |
451 | ``` bash
452 | sudo cp --preserve /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +"%Y%m%d%H%M%S")
453 | sudo sed -i -r -e '/^#|^$/ d' /etc/ssh/sshd_config
454 | ```
455 |
456 | 1. Edit `/etc/ssh/sshd_config` then find and edit or add these settings that should be applied regardless of your configuration/setup:
457 |
458 | **Note**: SSH does not like duplicate contradicting settings. For example, if you have `ChallengeResponseAuthentication no` and then `ChallengeResponseAuthentication yes`, SSH will respect the first one and ignore the second. Your `/etc/ssh/sshd_config` file may already have some of the settings/lines below. To avoid issues you will need to manually go through your `/etc/ssh/sshd_config` file and address any duplicate contradicting settings. (If anyone knows a way to programatically do this I would [love to hear how](#contacting-me).)
459 |
460 | ```
461 | ########################################################################################################
462 | # start settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
463 | ########################################################################################################
464 |
465 | # Supported HostKey algorithms by order of preference.
466 | HostKey /etc/ssh/ssh_host_ed25519_key
467 | HostKey /etc/ssh/ssh_host_rsa_key
468 | HostKey /etc/ssh/ssh_host_ecdsa_key
469 |
470 | KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
471 |
472 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
473 |
474 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
475 |
476 | # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
477 | LogLevel VERBOSE
478 |
479 | # Use kernel sandbox mechanisms where possible in unprivileged processes
480 | # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
481 | # Note: This setting is deprecated in OpenSSH 7.5 (https://www.openssh.com/txt/release-7.5)
482 | UsePrivilegeSeparation sandbox
483 |
484 | ########################################################################################################
485 | # end settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
486 | ########################################################################################################
487 |
488 | # don't let users set environment variables
489 | PermitUserEnvironment no
490 |
491 | # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
492 | Subsystem sftp internal-sftp -f AUTHPRIV -l INFO
493 |
494 | # only use the newer, more secure protocol
495 | Protocol 2
496 |
497 | # disable X11 forwarding as X11 is very insecure
498 | # you really shouldn't be running X on a server anyway
499 | X11Forwarding no
500 |
501 | # disable port forwarding
502 | AllowTcpForwarding no
503 | AllowStreamLocalForwarding no
504 | GatewayPorts no
505 | PermitTunnel no
506 |
507 | # don't allow login if the account has an empty password
508 | PermitEmptyPasswords no
509 |
510 | # ignore .rhosts and .shosts
511 | IgnoreRhosts yes
512 |
513 | # verify hostname matches IP
514 | UseDNS no
515 |
516 | Compression no
517 | TCPKeepAlive no
518 | AllowAgentForwarding no
519 | PermitRootLogin no
520 |
521 | # don't allow .rhosts or /etc/hosts.equiv
522 | HostbasedAuthentication no
523 | ```
524 |
525 | 1. Then **find and edit or add** these settings, and set values as per your requirements:
526 |
527 | |Setting|Valid Values|Example|Description|Notes|
528 | |--|--|--|--|--|
529 | |**AllowGroups**|local UNIX group name|`AllowGroups sshusers`|group to allow SSH access to||
530 | |**ClientAliveCountMax**|number|`ClientAliveCountMax 0`|maximum number of client alive messages sent without response||
531 | |**ClientAliveInterval**|number of seconds|`ClientAliveInterval 300`|timeout in seconds before a response request||
532 | |**ListenAddress**|space separated list of local addresses|- `ListenAddress 0.0.0.0`
- `ListenAddress 192.168.1.100`
|local addresses `sshd` should listen on|See [Issue #1](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/1) for important details.|
533 | |**LoginGraceTime**|number of seconds|`LoginGraceTime 30`|time in seconds before login times-out||
534 | |**MaxAuthTries**|number|`MaxAuthTries 2`|maximum allowed attempts to login||
535 | |**MaxSessions**|number|`MaxSessions 2`|maximum number of open sessions||
536 | |**MaxStartups**|number|`MaxStartups 2`|maximum number of login sessions||
537 | |**PasswordAuthentication**|`yes` or `no`|`PasswordAuthentication no`|if login with a password is allowed||
538 | |**Port**|any open/available port number|`Port 22`|port that `sshd` should listen on||
539 |
540 | Check `man sshd_config` for more details what these settings mean.
541 |
542 | 1. Restart ssh:
543 |
544 | ``` bash
545 | sudo service sshd restart
546 | ```
547 |
548 | 1. You can check verify the configurations worked with `sshd -T` and verify the output:
549 |
550 | ``` bash
551 | sudo sshd -T
552 | ```
553 |
554 | > ```
555 | > port 22
556 | > addressfamily any
557 | > listenaddress [::]:22
558 | > listenaddress 0.0.0.0:22
559 | > usepam yes
560 | > logingracetime 30
561 | > x11displayoffset 10
562 | > maxauthtries 2
563 | > maxsessions 2
564 | > clientaliveinterval 300
565 | > clientalivecountmax 0
566 | > streamlocalbindmask 0177
567 | > permitrootlogin no
568 | > ignorerhosts yes
569 | > ignoreuserknownhosts no
570 | > hostbasedauthentication no
571 | > ...
572 | > subsystem sftp internal-sftp -f AUTHPRIV -l INFO
573 | > maxstartups 2:30:2
574 | > permittunnel no
575 | > ipqos lowdelay throughput
576 | > rekeylimit 0 0
577 | > permitopen any
578 | > ```
579 |
580 | ([Table of Contents](#table-of-contents))
581 |
582 | ### Remove Short Diffie-Hellman Keys
583 |
584 | #### Why
585 |
586 | Per [Mozilla's OpenSSH guidelines for OpenSSH 6.7+](https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67), "all Diffie-Hellman moduli in use should be at least 3072-bit-long".
587 |
588 | The Diffie-Hellman algorithm is used by SSH to establish a secure connection. The larger the moduli (key size) the stronger the encryption.
589 |
590 | #### Goals
591 |
592 | - remove all Diffie-Hellman keys that are less than 3072 bits long
593 |
594 | #### References
595 |
596 | - Mozilla's OpenSSH guidelines for OpenSSH 6.7+ at https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
597 | - https://infosec.mozilla.org/guidelines/key_management
598 | - `man moduli`
599 |
600 | #### Steps
601 |
602 | 1. Make a backup of SSH's moduli file `/etc/ssh/moduli`:
603 |
604 | ``` bash
605 | sudo cp --preserve /etc/ssh/moduli /etc/ssh/moduli.$(date +"%Y%m%d%H%M%S")
606 | ```
607 |
608 | 1. Remove short moduli:
609 |
610 | ``` bash
611 | sudo awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.tmp
612 | sudo mv /etc/ssh/moduli.tmp /etc/ssh/moduli
613 | ````
614 |
615 | ([Table of Contents](#table-of-contents))
616 |
617 | ### 2FA/MFA for SSH
618 |
619 | #### Why
620 |
621 | Even though SSH is a pretty good security guard for your doors and windows, it is still a visible door that bad-actors can see and try to brute-force in. [Fail2ban](#fail2ban-application-intrusion-detection-and-prevention) will monitor for these brute-force attempts but there is no such thing as being too secure. Requiring two factors adds an extra layer of security.
622 |
623 | Using Two Factor Authentication (2FA) / Multi Factor Authentication (MFA) requires anyone entering to have **two** keys to enter which makes it harder for bad actors. The two keys are:
624 |
625 | 1. Their password
626 | 1. A 6 digit token that changes every 30 seconds
627 |
628 | Without both keys, they won't be able to get in.
629 |
630 | #### Why Not
631 |
632 | Many folks might find the experience cumbersome or annoying. And, access to your system is dependent on the accompanying authenticator app that generates the code.
633 |
634 | #### How It Works
635 |
636 | On Linux, PAM is responsible for authentication. There are four tasks to PAM that you can read about at https://en.wikipedia.org/wiki/Linux_PAM. This section talks about the authentication task.
637 |
638 | When you log into a server, be it directly from the console or via SSH, the door you came through will send the request to the authentication task of PAM and PAM will ask for and verify your password. You can customize the rules each doors use. For example, you could have one set of rules when logging in directly from the console and another set of rules for when logging in via SSH.
639 |
640 | This section will alter the authentication rules for when logging in via SSH to require both a password and a 6 digit code.
641 |
642 | We will use Google's libpam-google-authenticator PAM module to create and verify a [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) key. https://fastmail.blog/2016/07/22/how-totp-authenticator-apps-work/ and https://jemurai.com/2018/10/11/how-it-works-totp-based-mfa/ have very good writeups of how TOTP works.
643 |
644 | What we will do is tell the server's SSH PAM configuration to ask the user for their password and then their numeric token. PAM will then verify the user's password and, if it is correct, then it will route the authentication request to libpam-google-authenticator which will ask for and verify your 6 digit token. If, and only if, everything is good will the authentication succeed and user be allowed to log in.
645 |
646 | #### Goals
647 |
648 | - 2FA/MFA enabled for all SSH connections
649 |
650 | #### Notes
651 |
652 | - Before you do this, you should have an idea of how 2FA/MFA works and you'll need an authenticator app on your phone to continue.
653 | - We'll use [google-authenticator-libpam](https://github.com/google/google-authenticator-libpam).
654 | - With the below configuration, a user will only need to enter their 2FA/MFA code if they are logging on with their password but **not** if they are using [SSH public/private keys](#ssh-publicprivate-keys). Check the documentation on how to change this behavior to suite your requirements.
655 |
656 | #### References
657 |
658 | - https://github.com/google/google-authenticator-libpam
659 | - https://en.wikipedia.org/wiki/Linux_PAM
660 | - https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
661 | - https://fastmail.blog/2016/07/22/how-totp-authenticator-apps-work/
662 | - https://jemurai.com/2018/10/11/how-it-works-totp-based-mfa/
663 |
664 | #### Steps
665 |
666 | 1. Install it libpam-google-authenticator.
667 |
668 | On Debian based systems:
669 |
670 | ``` bash
671 | sudo apt install libpam-google-authenticator
672 | ```
673 |
674 | 1. **Make sure you're logged in as the ID you want to enable 2FA/MFA for** and **execute** `google-authenticator` to create the necessary token data:
675 |
676 | ``` bash
677 | google-authenticator
678 | ```
679 |
680 | > ```
681 | > Do you want authentication tokens to be time-based (y/n) y
682 | > https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@host%3Fsecret%3DR4ZWX34FQKZROVX7AGLJ64684Y%26issuer%3Dhost
683 | >
684 | > ...
685 | >
686 | > Your new secret key is: R3NVX3FFQKZROVX7AGLJUGGESY
687 | > Your verification code is 751419
688 | > Your emergency scratch codes are:
689 | > 12345678
690 | > 90123456
691 | > 78901234
692 | > 56789012
693 | > 34567890
694 | >
695 | > Do you want me to update your "/home/user/.google_authenticator" file (y/n) y
696 | >
697 | > Do you want to disallow multiple uses of the same authentication
698 | > token? This restricts you to one login about every 30s, but it increases
699 | > your chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authentication
700 | > token? This restricts you to one login about every 30s, but it increases
701 | > your chances to notice or even prevent man-in-the-middle attacks (y/n) y
702 | >
703 | > By default, tokens are good for 30 seconds. In order to compensate for
704 | > possible time-skew between the client and the server, we allow an extra
705 | > token before and after the current time. If you experience problems with
706 | > poor time synchronization, you can increase the window from its default
707 | > size of +-1min (window size of 3) to about +-4min (window size of
708 | > 17 acceptable tokens).
709 | > Do you want to do so? (y/n) y
710 | >
711 | > If the computer that you are logging into isn't hardened against brute-force
712 | > login attempts, you can enable rate-limiting for the authentication module.
713 | > By default, this limits attackers to no more than 3 login attempts every 30s.
714 | > Do you want to enable rate-limiting (y/n) y
715 | > ```
716 |
717 | Notice this is **not run as root**.
718 |
719 | Select default option (y in most cases) for all the questions it asks and remember to save the emergency scratch codes.
720 |
721 | 1. Make a backup of PAM's SSH configuration file `/etc/pam.d/sshd`:
722 |
723 | ``` bash
724 | sudo cp --preserve /etc/pam.d/sshd /etc/pam.d/sshd.$(date +"%Y%m%d%H%M%S")
725 | ```
726 |
727 | 1. Now we need to enable it as an authentication method for SSH by adding this line to `/etc/pam.d/sshd`:
728 |
729 | ```
730 | auth required pam_google_authenticator.so nullok
731 | ```
732 |
733 | **Note**: Check [here](https://github.com/google/google-authenticator-libpam/blob/master/README.md#nullok) for what `nullok` means.
734 |
735 | [For the lazy](#editing-configuration-files---for-the-lazy):
736 |
737 | ``` bash
738 | echo -e "\nauth required pam_google_authenticator.so nullok # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/pam.d/sshd
739 | ```
740 |
741 | 1. Tell SSH to leverage it by adding or editing this line in `/etc/ssh/sshd_config`:
742 |
743 | ```
744 | ChallengeResponseAuthentication yes
745 | ```
746 |
747 | [For the lazy](#editing-configuration-files---for-the-lazy):
748 |
749 | ``` bash
750 | sudo sed -i -r -e "s/^(challengeresponseauthentication .*)$/# \1 # commented by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")/I" /etc/ssh/sshd_config
751 | echo -e "\nChallengeResponseAuthentication yes # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/ssh/sshd_config
752 | ```
753 |
754 | 1. Restart ssh:
755 |
756 | ``` bash
757 | sudo service sshd restart
758 | ```
759 |
760 | ([Table of Contents](#table-of-contents))
761 |
762 | ## The Basics
763 |
764 | ### Limit Who Can Use sudo
765 |
766 | #### Why
767 |
768 | sudo lets accounts run commands as other accounts, including **root**. We want to make sure that only the accounts we want can use sudo.
769 |
770 | #### Goals
771 |
772 | - sudo privileges limited to those who are in a group we specify
773 |
774 | #### Notes
775 |
776 | - Your installation may have already done this, or may already have a special group intended for this purpose so check first.
777 | - Debian creates the sudo group
778 | - RedHat creates the wheel group
779 |
780 | #### Steps
781 |
782 | 1. Create a group:
783 |
784 | ``` bash
785 | sudo groupadd sudousers
786 | ```
787 |
788 | 1. Add account(s) to the group:
789 |
790 | ``` bash
791 | sudo usermod -a -G sudousers user1
792 | sudo usermod -a -G sudousers user2
793 | sudo usermod -a -G sudousers ...
794 | ```
795 |
796 | You'll need to do this for every account on your server that needs sudo privileges.
797 |
798 | 1. Make a backup of the sudo's configuration file `/etc/sudoers`:
799 |
800 | ``` bash
801 | sudo cp --preserve /etc/sudoers /etc/sudoers.$(date +"%Y%m%d%H%M%S")
802 | ```
803 |
804 | 1. Edit sudo's configuration file `/etc/sudoers`:
805 |
806 | ``` bash
807 | sudo visudo
808 | ```
809 |
810 | 1. Tell sudo to only allow users in the `sudousers` group to use sudo by adding this line if it is not already there:
811 |
812 | ```
813 | %sudousers ALL=(ALL:ALL) ALL
814 | ```
815 |
816 | ([Table of Contents](#table-of-contents))
817 |
818 | ### NTP Client
819 |
820 | #### Why
821 |
822 | Many security protocols leverage the time. If your system time is incorrect, it could have negative impacts to your server. An NTP client can solve that problem by keeping your system time in-sync with [global NTP servers](https://en.wikipedia.org/wiki/Network_Time_Protocol)
823 |
824 | #### How It Works
825 |
826 | NTP stands for Network Time Protocol. In the context of this guide, an NTP client on the server is used to update the server time with the official time pulled from official servers. Check https://www.pool.ntp.org/en/ for all of the public NTP servers.
827 |
828 | #### Goals
829 |
830 | - NTP client installed and keeping server time in-sync
831 |
832 | #### References
833 |
834 | - https://cloudpro.zone/index.php/2018/01/27/debian-9-3-server-setup-guide-part-4/
835 | - https://en.wikipedia.org/wiki/Network_Time_Protocol
836 | - https://www.pool.ntp.org/en/
837 | - https://serverfault.com/questions/957302/securing-hardening-ntp-client-on-linux-servers-config-file/957450#957450
838 | - https://tf.nist.gov/tf-cgi/servers.cgi
839 |
840 | #### Steps
841 |
842 | 1. Install ntp.
843 |
844 | On Debian based systems:
845 |
846 | ``` bash
847 | sudo apt install ntp
848 | ```
849 |
850 | 1. Make a backup of the NTP client's configuration file `/etc/ntp.conf`:
851 |
852 | ``` bash
853 | sudo cp --preserve /etc/ntp.conf /etc/ntp.conf.$(date +"%Y%m%d%H%M%S")
854 | ```
855 |
856 | 1. The default configuration, at least on Debian, is already pretty secure. The only thing we'll want to make sure is we're the `pool` directive and not any `server` directives. The `pool` directive allows the NTP client to stop using a server if it is unresponsive or serving bad time. Do this by commenting out all `server` directives and adding the below to `/etc/ntp.conf`.
857 |
858 | ```
859 | pool pool.ntp.org iburst
860 | ```
861 |
862 | [For the lazy](#editing-configuration-files---for-the-lazy):
863 |
864 | ``` bash
865 | sudo sed -i -r -e "s/^((server|pool).*)/# \1 # commented by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")/" /etc/ntp.conf
866 | echo -e "\npool pool.ntp.org iburst # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/ntp.conf
867 | ```
868 |
869 | **Example `/etc/ntp.conf`**:
870 |
871 | > ```
872 | > driftfile /var/lib/ntp/ntp.drift
873 | > statistics loopstats peerstats clockstats
874 | > filegen loopstats file loopstats type day enable
875 | > filegen peerstats file peerstats type day enable
876 | > filegen clockstats file clockstats type day enable
877 | > restrict -4 default kod notrap nomodify nopeer noquery limited
878 | > restrict -6 default kod notrap nomodify nopeer noquery limited
879 | > restrict 127.0.0.1
880 | > restrict ::1
881 | > restrict source notrap nomodify noquery
882 | > pool pool.ntp.org iburst # added by user on 2019-03-09 @ 10:23:35
883 | > ```
884 |
885 | 1. Restart ntp:
886 |
887 | ``` bash
888 | sudo service ntp restart
889 | ```
890 |
891 | 1. Check the status of the ntp service:
892 |
893 | ``` bash
894 | sudo systemctl status ntp
895 | ```
896 |
897 | > ```
898 | > ● ntp.service - LSB: Start NTP daemon
899 | > Loaded: loaded (/etc/init.d/ntp; generated; vendor preset: enabled)
900 | > Active: active (running) since Sat 2019-03-09 15:19:46 EST; 4s ago
901 | > Docs: man:systemd-sysv-generator(8)
902 | > Process: 1016 ExecStop=/etc/init.d/ntp stop (code=exited, status=0/SUCCESS)
903 | > Process: 1028 ExecStart=/etc/init.d/ntp start (code=exited, status=0/SUCCESS)
904 | > Tasks: 2 (limit: 4915)
905 | > CGroup: /system.slice/ntp.service
906 | > └─1038 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 108:113
907 | >
908 | > Mar 09 15:19:46 host ntpd[1038]: Listen and drop on 0 v6wildcard [::]:123
909 | > Mar 09 15:19:46 host ntpd[1038]: Listen and drop on 1 v4wildcard 0.0.0.0:123
910 | > Mar 09 15:19:46 host ntpd[1038]: Listen normally on 2 lo 127.0.0.1:123
911 | > Mar 09 15:19:46 host ntpd[1038]: Listen normally on 3 enp0s3 10.10.20.96:123
912 | > Mar 09 15:19:46 host ntpd[1038]: Listen normally on 4 lo [::1]:123
913 | > Mar 09 15:19:46 host ntpd[1038]: Listen normally on 5 enp0s3 [fe80::a00:27ff:feb6:ed8e%2]:123
914 | > Mar 09 15:19:46 host ntpd[1038]: Listening on routing socket on fd #22 for interface updates
915 | > Mar 09 15:19:47 host ntpd[1038]: Soliciting pool server 108.61.56.35
916 | > Mar 09 15:19:48 host ntpd[1038]: Soliciting pool server 69.89.207.199
917 | > Mar 09 15:19:49 host ntpd[1038]: Soliciting pool server 45.79.111.114
918 | > ```
919 |
920 | 1. Check ntp's status:
921 |
922 | ``` bash
923 | sudo ntpq -p
924 | ```
925 |
926 | > ```
927 | > remote refid st t when poll reach delay offset jitter
928 | > ==============================================================================
929 | > pool.ntp.org .POOL. 16 p - 64 0 0.000 0.000 0.000
930 | > *lithium.constan 198.30.92.2 2 u - 64 1 19.900 4.894 3.951
931 | > ntp2.wiktel.com 212.215.1.157 2 u 2 64 1 48.061 -0.431 0.104
932 | > ```
933 |
934 | ([Table of Contents](#table-of-contents))
935 |
936 | ### Securing /proc
937 |
938 | #### Why
939 |
940 | To quote https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/:
941 |
942 | > When looking in `/proc` you will discover a lot of files and directories. Many of them are just numbers, which represent the information about a particular process ID (PID). By default, Linux systems are deployed to allow all local users to see this all information. This includes process information from other users. This could include sensitive details that you may not want to share with other users. By applying some filesystem configuration tweaks, we can change this behavior and improve the security of the system.
943 |
944 | #### Goals
945 |
946 | - `/proc` mounted with `hidepid=2` so users can only see information about their processes
947 |
948 | #### References
949 |
950 | - https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/
951 | - https://likegeeks.com/secure-linux-server-hardening-best-practices/#Hardening-proc-Directory
952 | - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
953 |
954 | #### Steps
955 |
956 | 1. Make a backup of `/etc/fstab`:
957 |
958 | ``` bash
959 | sudo cp --preserve /etc/fstab /etc/fstab.$(date +"%Y%m%d%H%M%S")
960 | ```
961 |
962 | 1. Add this line to `/etc/fstab` to have `/proc` mounted with `hidepid=2`:
963 |
964 | ```
965 | proc /proc proc defaults,hidepid=2 0 0
966 | ```
967 |
968 | [For the lazy](#editing-configuration-files---for-the-lazy):
969 |
970 | ``` bash
971 | echo -e "\nproc /proc proc defaults,hidepid=2 0 0 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/fstab
972 | ```
973 |
974 | 1. Reboot the system:
975 |
976 | ``` bash
977 | sudo reboot now
978 | ```
979 |
980 | **Note**: Alternatively, you can remount `/proc` without rebooting with `sudo mount -o remount,hidepid=2 /proc`
981 |
982 | ([Table of Contents](#table-of-contents))
983 |
984 | ### Force Accounts To Use Secure Passwords
985 |
986 | #### Why
987 |
988 | By default, accounts can use any password they want, including bad ones. [pwquality](https://linux.die.net/man/5/pwquality.conf)/[pam_pwquality](https://linux.die.net/man/8/pam_pwquality) addresses this security gap by providing "a way to configure the default password quality requirements for the system passwords" and checking "its strength against a system dictionary and a set of rules for identifying poor choices."
989 |
990 | #### How It Works
991 |
992 | On Linux, PAM is responsible for authentication. There are four tasks to PAM that you can read about at https://en.wikipedia.org/wiki/Linux_PAM. This section talks about the password task.
993 |
994 | When there is a need to set or change an account password, the password task of PAM handles the request. In this section we will tell PAM's password task to pass the requested new password to libpam-pwquality to make sure it meets our requirements. If the requirements are met it is used/set; if it does not meet the requirements it errors and lets the user know.
995 |
996 | #### Goals
997 |
998 | - enforced strong passwords
999 |
1000 | #### Steps
1001 |
1002 | 1. Install libpam-pwquality.
1003 |
1004 | On Debian based systems:
1005 |
1006 | ``` bash
1007 | sudo apt install libpam-pwquality
1008 | ```
1009 |
1010 | 1. Make a backup of PAM's password configuration file `/etc/pam.d/common-password`:
1011 |
1012 | ``` bash
1013 | sudo cp --preserve /etc/pam.d/common-password /etc/pam.d/common-password.$(date +"%Y%m%d%H%M%S")
1014 | ```
1015 |
1016 | 1. Tell PAM to use libpam-pwquality to enforce strong passwords by editing the file `/etc/pam.d/common-password` and change the line that starts like this:
1017 |
1018 | ```
1019 | password requisite pam_pwquality.so
1020 | ```
1021 |
1022 | to this:
1023 |
1024 | ```
1025 | password requisite pam_pwquality.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 gecoschec
1026 | ```
1027 |
1028 | The above options are:
1029 |
1030 | - `retry=3` = prompt user 3 times before returning with error.
1031 | - `minlen=10` = the minimum length of the password, factoring in any credits (or debits) from these:
1032 | - `dcredit=-1` = must have at least **one digit**
1033 | - `ucredit=-1` = must have at least **one upper case letter**
1034 | - `lcredit=-1` = must have at least **one lower case letter**
1035 | - `ocredit=-1` = must have at least **one non-alphanumeric character**
1036 | - `difok=3` = at least 3 characters from the new password cannot have been in the old password
1037 | - `maxrepeat=3` = allow a maximum of 3 repeated characters
1038 | - `gecoschec` = do not allow passwords with the account's name
1039 |
1040 |
1041 | [For the lazy](#editing-configuration-files---for-the-lazy):
1042 |
1043 | ``` bash
1044 | sudo sed -i -r -e "s/^(password\s+requisite\s+pam_pwquality.so)(.*)$/# \1\2 # commented by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")\n\1 retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 gecoschec # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")/" /etc/pam.d/common-password
1045 | ```
1046 |
1047 | ([Table of Contents](#table-of-contents))
1048 |
1049 | ### Automatic Security Updates and Alerts
1050 |
1051 | #### Why
1052 |
1053 | It is important to keep a server updated with the latest **critical security patches and updates**. Otherwise you're at risk of known security vulnerabilities that bad-actors could use to gain unauthorized access to your server.
1054 |
1055 | Unless you plan on checking your server every day, you'll want a way to automatically update the system and/or get emails about available updates.
1056 |
1057 | You don't want to do all updates because with every update there is a risk of something breaking. It is important to do the critical updates but everything else can wait until you have time to do it manually.
1058 |
1059 | #### Why Not
1060 |
1061 | Automatic and unattended updates may break your system and you may not be near your server to fix it. This would be especially problematic if it broke your SSH access.
1062 |
1063 | #### Notes
1064 |
1065 | - Each distribution manages packages and updates differently. So far I only have steps for Debian based systems.
1066 | - Your server will need a way to send e-mails for this to work
1067 |
1068 | #### Goals
1069 |
1070 | - Automatic, unattended, updates of critical security patches
1071 | - Automatic emails of remaining pending updates
1072 |
1073 | #### Debian Based Systems
1074 |
1075 | ##### How It Works
1076 |
1077 | On Debian based systems you can use:
1078 |
1079 | - unattended-upgrades to automatically do system updates you want (i.e. critical security updates)
1080 | - apt-listchanges to get details about package changes before they are installed/upgraded
1081 | - apticron to get emails for pending package updates
1082 |
1083 | We will use unattended-upgrades to apply **critical security patches**. We can also apply stable updates since they've already been thoroughly tested by the Debian community.
1084 |
1085 | ##### References
1086 |
1087 | - https://wiki.debian.org/UnattendedUpgrades
1088 | - https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
1089 | - https://blog.sleeplessbeastie.eu/2015/01/02/how-to-perform-unattended-upgrades/
1090 | - https://www.vultr.com/docs/how-to-set-up-unattended-upgrades-on-debian-9-stretch
1091 | - https://github.com/mvo5/unattended-upgrades
1092 | - https://wiki.debian.org/UnattendedUpgrades#apt-listchanges
1093 | - https://www.cyberciti.biz/faq/apt-get-apticron-send-email-upgrades-available/
1094 | - https://www.unixmen.com/how-to-get-email-notifications-for-new-updates-on-debianubuntu/
1095 | - `/etc/apt/apt.conf.d/50unattended-upgrades`
1096 |
1097 | ##### Steps
1098 |
1099 | 1. Install unattended-upgrades, apt-listchanges, and apticron:
1100 |
1101 | ``` bash
1102 | sudo apt install unattended-upgrades apt-listchanges apticron
1103 | ```
1104 |
1105 | 1. Now we need to configure unattended-upgrades to automatically apply the updates. This is typically done by editing the files `/etc/apt/apt.conf.d/20auto-upgrades` and `/etc/apt/apt.conf.d/50unattended-upgrades` that were created by the packages. However, because these file may get overwritten with a future update, we'll create a new file instead. Create the file `/etc/apt/apt.conf.d/51myunattended-upgrades` and add this:
1106 |
1107 | ```
1108 | // Enable the update/upgrade script (0=disable)
1109 | APT::Periodic::Enable "1";
1110 |
1111 | // Do "apt-get update" automatically every n-days (0=disable)
1112 | APT::Periodic::Update-Package-Lists "1";
1113 |
1114 | // Do "apt-get upgrade --download-only" every n-days (0=disable)
1115 | APT::Periodic::Download-Upgradeable-Packages "1";
1116 |
1117 | // Do "apt-get autoclean" every n-days (0=disable)
1118 | APT::Periodic::AutocleanInterval "7";
1119 |
1120 | // Send report mail to root
1121 | // 0: no report (or null string)
1122 | // 1: progress report (actually any string)
1123 | // 2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
1124 | // 3: + trace on APT::Periodic::Verbose "2";
1125 | APT::Periodic::Unattended-Upgrade "1";
1126 |
1127 | // Automatically upgrade packages from these
1128 | Unattended-Upgrade::Origins-Pattern {
1129 | "o=Debian,a=stable";
1130 | "o=Debian,a=stable-updates";
1131 | "origin=Debian,codename=${distro_codename},label=Debian-Security";
1132 | };
1133 |
1134 | // You can specify your own packages to NOT automatically upgrade here
1135 | Unattended-Upgrade::Package-Blacklist {
1136 | };
1137 |
1138 | // Run dpkg --force-confold --configure -a if a unclean dpkg state is detected to true to ensure that updates get installed even when the system got interrupted during a previous run
1139 | Unattended-Upgrade::AutoFixInterruptedDpkg "true";
1140 |
1141 | //Perform the upgrade when the machine is running because we wont be shutting our server down often
1142 | Unattended-Upgrade::InstallOnShutdown "false";
1143 |
1144 | // Send an email to this address with information about the packages upgraded.
1145 | Unattended-Upgrade::Mail "root";
1146 |
1147 | // Always send an e-mail
1148 | Unattended-Upgrade::MailOnlyOnError "false";
1149 |
1150 | // Remove all unused dependencies after the upgrade has finished
1151 | Unattended-Upgrade::Remove-Unused-Dependencies "true";
1152 |
1153 | // Remove any new unused dependencies after the upgrade has finished
1154 | Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
1155 |
1156 | // Automatically reboot WITHOUT CONFIRMATION if the file /var/run/reboot-required is found after the upgrade.
1157 | Unattended-Upgrade::Automatic-Reboot "true";
1158 |
1159 | // Automatically reboot even if users are logged in.
1160 | Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
1161 | ```
1162 |
1163 | **Notes**:
1164 | - Check `/usr/lib/apt/apt.systemd.daily` for details on the `APT::Periodic` options
1165 | - Check https://github.com/mvo5/unattended-upgrades for details on the `Unattended-Upgrade` options
1166 |
1167 | 1. Run a dry-run of unattended-upgrades to make sure your configuration file is okay:
1168 |
1169 | ``` bash
1170 | sudo unattended-upgrade -d --dry-run
1171 | ```
1172 |
1173 | If everything is okay, you can let it run whenever it's scheduled to or force a run with `unattended-upgrade -d`.
1174 |
1175 | 1. Configure apt-listchanges to your liking:
1176 |
1177 | ``` bash
1178 | sudo dpkg-reconfigure apt-listchanges
1179 | ```
1180 |
1181 | 1. For apticron, the default settings are good enough but you can check them in `/etc/apticron/apticron.conf` if you want to change them. For example, my configuration looks like this:
1182 |
1183 | > ```
1184 | > EMAIL="root"
1185 | > NOTIFY_NO_UPDATES="1"
1186 | > ```
1187 |
1188 | ([Table of Contents](#table-of-contents))
1189 |
1190 | ### More Secure Random Entropy Pool (WIP)
1191 |
1192 | #### Why
1193 |
1194 | WIP
1195 |
1196 | #### How It Works
1197 |
1198 | WIP
1199 |
1200 | #### Goals
1201 |
1202 | WIP
1203 |
1204 | #### References
1205 |
1206 | - Thanks to [branneman](https://github.com/branneman) for this idea as submitted in [issue #33](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/33).
1207 | - https://hackaday.com/2017/11/02/what-is-entropy-and-how-do-i-get-more-of-it/
1208 | - https://www.2uo.de/myths-about-urandom
1209 | - https://www.gnu.org/software/hurd/user/tlecarrour/rng-tools.html
1210 | - https://wiki.archlinux.org/index.php/Rng-tools
1211 |
1212 | #### Steps
1213 |
1214 | 1. Install rng-tools.
1215 |
1216 | On Debian based systems:
1217 |
1218 | ``` bash
1219 | sudo apt-get install rng-tools
1220 | ```
1221 |
1222 | ([Table of Contents](#table-of-contents))
1223 |
1224 | ## The Network
1225 |
1226 | ### Firewall With UFW (Uncomplicated Firewall)
1227 |
1228 | #### Why
1229 |
1230 | Call me paranoid, and you don't have to agree, but I want to deny all traffic in and out of my server except what I explicitly allow. Why would my server be sending traffic out that I don't know about? And why would external traffic be trying to access my server if I don't know who or what it is? When it comes to good security, my opinion is to reject/deny by default, and allow by exception.
1231 |
1232 | Of course, if you disagree, that is totally fine and can configure UFW to suit your needs.
1233 |
1234 | Either way, ensuring that only traffic we explicitly allow is the job of a firewall.
1235 |
1236 | #### How It Works
1237 |
1238 | The Linux kernel provides capabilities to monitor and control network traffic. These capabilities are exposed to the end-user through firewall utilities. On Linux, the most common firewall is [iptables](https://en.wikipedia.org/wiki/Iptables). However, iptables is rather complicated and confusing (IMHO). This is where UFW comes in. Think of UFW as a front-end to iptables. It simplifies the process of managing the iptables rules that tell the Linux kernel what to do with network traffic.
1239 |
1240 | **UFW** works by letting you configure rules that:
1241 |
1242 | - **allow** or **deny**
1243 | - **input** or **output** traffic
1244 | - **to** or **from** ports
1245 |
1246 | You can create rules by explicitly specifying the ports or with application configurations that specify the ports.
1247 |
1248 | #### Goals
1249 |
1250 | - all network traffic, input and output, blocked except those we explicitly allow
1251 |
1252 | #### Notes
1253 |
1254 | - As you install other programs, you'll need to enable the necessary ports/applications.
1255 |
1256 | #### References
1257 |
1258 | - https://launchpad.net/ufw
1259 |
1260 | #### Steps
1261 |
1262 | 1. Install ufw.
1263 |
1264 | On Debian based systems:
1265 |
1266 | ``` bash
1267 | sudo apt install ufw
1268 | ```
1269 |
1270 | 1. Deny all outgoing traffic:
1271 |
1272 | ``` bash
1273 | sudo ufw default deny outgoing comment 'deny all outgoing traffic'
1274 | ```
1275 |
1276 | > ```
1277 | > Default outgoing policy changed to 'deny'
1278 | > (be sure to update your rules accordingly)
1279 | > ```
1280 |
1281 | If you are not as paranoid as me, and don't want to deny all outgoing traffic, you can allow it instead:
1282 |
1283 | ``` bash
1284 | sudo ufw default allow outgoing comment 'allow all outgoing traffic'
1285 | ```
1286 |
1287 | 1. Deny all incoming traffic:
1288 |
1289 | ``` bash
1290 | sudo ufw default deny incoming comment 'deny all incoming traffic'
1291 | ```
1292 |
1293 | 1. Obviously we want SSH connections in:
1294 |
1295 | ``` bash
1296 | sudo ufw limit in ssh comment 'allow SSH connections in'
1297 | ```
1298 |
1299 | > ```
1300 | > Rules updated
1301 | > Rules updated (v6)
1302 | > ```
1303 |
1304 | 1. Allow additional traffic as per your needs. Some common use-cases:
1305 |
1306 | ``` bash
1307 | # allow traffic out on port 53 -- DNS
1308 | sudo ufw allow out 53 comment 'allow DNS calls out'
1309 |
1310 | # allow traffic out on port 123 -- NTP
1311 | sudo ufw allow out 123 comment 'allow NTP out'
1312 |
1313 | # allow traffic out for HTTP, HTTPS, or FTP
1314 | # apt might needs these depending on which sources you're using
1315 | sudo ufw allow out http comment 'allow HTTP traffic out'
1316 | sudo ufw allow out https comment 'allow HTTPS traffic out'
1317 | sudo ufw allow out ftp comment 'allow FTP traffic out'
1318 |
1319 | # allow whois
1320 | sudo ufw allow out whois comment 'allow whois'
1321 |
1322 | # allow traffic out on port 68 -- the DHCP client
1323 | # you only need this if you're using DHCP
1324 | sudo ufw allow out 68 comment 'allow the DHCP client to update'
1325 | ```
1326 |
1327 | 1. Start ufw:
1328 |
1329 | ``` bash
1330 | sudo ufw enable
1331 | ```
1332 |
1333 | > ```
1334 | > Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
1335 | > Firewall is active and enabled on system startup
1336 | > ```
1337 |
1338 | 1. If you want to see a status:
1339 |
1340 | ``` bash
1341 | sudo ufw status
1342 | ```
1343 |
1344 | > ```
1345 | > Status: active
1346 | >
1347 | > To Action From
1348 | > -- ------ ----
1349 | > 22/tcp LIMIT Anywhere # allow SSH connections in
1350 | > 22/tcp (v6) LIMIT Anywhere (v6) # allow SSH connections in
1351 | >
1352 | > 53 ALLOW OUT Anywhere # allow DNS calls out
1353 | > 123 ALLOW OUT Anywhere # allow NTP out
1354 | > 80/tcp ALLOW OUT Anywhere # allow HTTP traffic out
1355 | > 443/tcp ALLOW OUT Anywhere # allow HTTPS traffic out
1356 | > 21/tcp ALLOW OUT Anywhere # allow FTP traffic out
1357 | > Mail submission ALLOW OUT Anywhere # allow mail out
1358 | > 43/tcp ALLOW OUT Anywhere # allow whois
1359 | > 53 (v6) ALLOW OUT Anywhere (v6) # allow DNS calls out
1360 | > 123 (v6) ALLOW OUT Anywhere (v6) # allow NTP out
1361 | > 80/tcp (v6) ALLOW OUT Anywhere (v6) # allow HTTP traffic out
1362 | > 443/tcp (v6) ALLOW OUT Anywhere (v6) # allow HTTPS traffic out
1363 | > 21/tcp (v6) ALLOW OUT Anywhere (v6) # allow FTP traffic out
1364 | > Mail submission (v6) ALLOW OUT Anywhere (v6) # allow mail out
1365 | > 43/tcp (v6) ALLOW OUT Anywhere (v6) # allow whois
1366 | > ```
1367 |
1368 | or
1369 |
1370 | ``` bash
1371 | sudo ufw status verbose
1372 | ```
1373 |
1374 | > ```
1375 | > Status: active
1376 | > Logging: on (low)
1377 | > Default: deny (incoming), deny (outgoing), disabled (routed)
1378 | > New profiles: skip
1379 | >
1380 | > To Action From
1381 | > -- ------ ----
1382 | > 22/tcp LIMIT IN Anywhere # allow SSH connections in
1383 | > 22/tcp (v6) LIMIT IN Anywhere (v6) # allow SSH connections in
1384 | >
1385 | > 53 ALLOW OUT Anywhere # allow DNS calls out
1386 | > 123 ALLOW OUT Anywhere # allow NTP out
1387 | > 80/tcp ALLOW OUT Anywhere # allow HTTP traffic out
1388 | > 443/tcp ALLOW OUT Anywhere # allow HTTPS traffic out
1389 | > 21/tcp ALLOW OUT Anywhere # allow FTP traffic out
1390 | > 587/tcp (Mail submission) ALLOW OUT Anywhere # allow mail out
1391 | > 43/tcp ALLOW OUT Anywhere # allow whois
1392 | > 53 (v6) ALLOW OUT Anywhere (v6) # allow DNS calls out
1393 | > 123 (v6) ALLOW OUT Anywhere (v6) # allow NTP out
1394 | > 80/tcp (v6) ALLOW OUT Anywhere (v6) # allow HTTP traffic out
1395 | > 443/tcp (v6) ALLOW OUT Anywhere (v6) # allow HTTPS traffic out
1396 | > 21/tcp (v6) ALLOW OUT Anywhere (v6) # allow FTP traffic out
1397 | > 587/tcp (Mail submission (v6)) ALLOW OUT Anywhere (v6) # allow mail out
1398 | > 43/tcp (v6) ALLOW OUT Anywhere (v6) # allow whois
1399 | > ```
1400 |
1401 | #### Default Applications
1402 |
1403 | ufw ships with some default applications. You can see them with:
1404 |
1405 | ``` bash
1406 | sudo ufw app list
1407 | ```
1408 |
1409 | > ```
1410 | > Available applications:
1411 | > AIM
1412 | > Bonjour
1413 | > CIFS
1414 | > DNS
1415 | > Deluge
1416 | > IMAP
1417 | > IMAPS
1418 | > IPP
1419 | > KTorrent
1420 | > Kerberos Admin
1421 | > Kerberos Full
1422 | > Kerberos KDC
1423 | > Kerberos Password
1424 | > LDAP
1425 | > LDAPS
1426 | > LPD
1427 | > MSN
1428 | > MSN SSL
1429 | > Mail submission
1430 | > NFS
1431 | > OpenSSH
1432 | > POP3
1433 | > POP3S
1434 | > PeopleNearby
1435 | > SMTP
1436 | > SSH
1437 | > Socks
1438 | > Telnet
1439 | > Transmission
1440 | > Transparent Proxy
1441 | > VNC
1442 | > WWW
1443 | > WWW Cache
1444 | > WWW Full
1445 | > WWW Secure
1446 | > XMPP
1447 | > Yahoo
1448 | > qBittorrent
1449 | > svnserve
1450 | > ```
1451 |
1452 | To get details about the app, like which ports it includes, type:
1453 |
1454 | ``` bash
1455 | sudo ufw app info [app name]
1456 | ```
1457 |
1458 | > ``` bash
1459 | > sudo ufw app info DNS
1460 | > ```
1461 | >
1462 | > ```
1463 | > Profile: DNS
1464 | > Title: Internet Domain Name Server
1465 | > Description: Internet Domain Name Server
1466 | >
1467 | > Port:
1468 | > 53
1469 | > ```
1470 |
1471 | #### Custom Application
1472 |
1473 | If you don't want to create rules by explicitly providing the port number(s), you can create your own application configurations. To do this, create a file in `/etc/ufw/applications.d`.
1474 |
1475 | For example, here is what you would use for [Plex](https://support.plex.tv/articles/201543147-what-network-ports-do-i-need-to-allow-through-my-firewall/):
1476 |
1477 | ``` bash
1478 | cat /etc/ufw/applications.d/plexmediaserver
1479 | ```
1480 |
1481 | > ```
1482 | > [PlexMediaServer]
1483 | > title=Plex Media Server
1484 | > description=This opens up PlexMediaServer for http (32400), upnp, and autodiscovery.
1485 | > ports=32469/tcp|32413/udp|1900/udp|32400/tcp|32412/udp|32410/udp|32414/udp|32400/udp
1486 | > ```
1487 |
1488 | Then you can enable it like any other app:
1489 |
1490 | ```bash
1491 | sudo ufw allow plexmediaserver
1492 | ```
1493 |
1494 | ([Table of Contents](#table-of-contents))
1495 |
1496 | ### iptables Intrusion Detection And Prevention with PSAD
1497 |
1498 | #### Why
1499 |
1500 | Even if you have a firewall to guard your doors, it is possible to try brute-forcing your way in any of the guarded doors. We want to monitor all network activity to detect potential intrusion attempts, such has repeated attempts to get in, and block them.
1501 |
1502 | #### How It Works
1503 |
1504 | I can't explain it any better than user [FINESEC](https://serverfault.com/users/143961/finesec) from https://serverfault.com/ did at: https://serverfault.com/a/447604/289829.
1505 |
1506 | > Fail2BAN scans log files of various applications such as apache, ssh or ftp and automatically bans IPs that show the malicious signs such as automated login attempts. PSAD on the other hand scans iptables and ip6tables log messages (typically /var/log/messages) to detect and optionally block scans and other types of suspect traffic such as DDoS or OS fingerprinting attempts. It's ok to use both programs at the same time because they operate on different level.
1507 |
1508 | And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follow the awesome instructions by [netson](https://gist.github.com/netson) at https://gist.github.com/netson/c45b2dc4e835761fbccc to make PSAD work with UFW.
1509 |
1510 | #### References
1511 |
1512 | - http://www.cipherdyne.org/psad/
1513 | - http://www.cipherdyne.org/psad/docs/config.html
1514 | - https://www.thefanclub.co.za/how-to/how-install-psad-intrusion-detection-ubuntu-1204-lts-server
1515 | - https://serverfault.com/a/447604/289829
1516 | - https://serverfault.com/a/770424/289829
1517 | - https://gist.github.com/netson/c45b2dc4e835761fbccc-
1518 |
1519 | #### Steps
1520 |
1521 | 1. Install psad.
1522 |
1523 | On Debian based systems:
1524 |
1525 | ``` bash
1526 | sudo apt install psad
1527 | ```
1528 |
1529 | 1. Make a backup of psad's configuration file `/etc/psad/psad.conf`:
1530 |
1531 | ``` bash
1532 | sudo cp --preserve /etc/psad/psad.conf /etc/psad/psad.conf.$(date +"%Y%m%d%H%M%S")
1533 | ```
1534 |
1535 | 1. Review and update configuration options in `/etc/psad/psad.conf`. Pay special attention to these:
1536 |
1537 | |Setting|Set To
1538 | |--|--|
1539 | |[`EMAIL_ADDRESSES`](http://www.cipherdyne.org/psad/docs/config.html#EMAIL_ADDRESSES)|your email address(s)|
1540 | |`HOSTNAME`|your server's hostname|
1541 | |[`ENABLE_AUTO_IDS`](http://www.cipherdyne.org/psad/docs/config.html#ENABLE_AUTO_IDS)|`ENABLE_AUTO_IDS Y;`|
1542 | |`ENABLE_AUTO_IDS_EMAILS`|`ENABLE_AUTO_IDS_EMAILS Y;`|
1543 | |`EXPECT_TCP_OPTIONS`|`EXPECT_TCP_OPTIONS Y;`|
1544 |
1545 | Check the configuration file psad's documentation at http://www.cipherdyne.org/psad/docs/config.html for more details.
1546 |
1547 | 1. Now we need to make some changes to ufw so it works with psad by telling ufw to log all traffic so psad can analyze it. Do this by editing **two files** and adding these lines **at the end but before the COMMIT line**.
1548 |
1549 | Make backups:
1550 |
1551 | ``` bash
1552 | sudo cp --preserve /etc/ufw/before.rules /etc/ufw/before.rules.$(date +"%Y%m%d%H%M%S")
1553 | sudo cp --preserve /etc/ufw/before6.rules /etc/ufw/before6.rules.$(date +"%Y%m%d%H%M%S")
1554 | ```
1555 |
1556 | Edit the files:
1557 |
1558 | - `/etc/ufw/before.rules`
1559 | - `/etc/ufw/before6.rules`
1560 |
1561 | And add add this **at the end but before the COMMIT line**:
1562 |
1563 | ```
1564 | # log all traffic so psad can analyze
1565 | -A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
1566 | -A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
1567 | ```
1568 |
1569 | **Note**: We're adding a log prefix to all the iptables logs. We'll need this for [seperating iptables logs to their own file](#ns-separate-iptables-log-file).
1570 |
1571 | For example:
1572 |
1573 | > ```
1574 | > ...
1575 | >
1576 | > # log all traffic so psad can analyze
1577 | > -A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
1578 | > -A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
1579 | >
1580 | > # don't delete the 'COMMIT' line or these rules won't be processed
1581 | > COMMIT
1582 | > ```
1583 |
1584 | 1. Now we need to reload/restart ufw and psad for the changes to take effect:
1585 |
1586 | ``` bash
1587 | sudo ufw reload
1588 |
1589 | sudo psad -R
1590 | sudo psad --sig-update
1591 | sudo psad -H
1592 | ```
1593 |
1594 | 1. Analyze iptables rules for errors:
1595 |
1596 | ``` bash
1597 | sudo psad --fw-analyze
1598 | ```
1599 |
1600 | > ```
1601 | > [+] Parsing INPUT chain rules.
1602 | > [+] Parsing INPUT chain rules.
1603 | > [+] Firewall config looks good.
1604 | > [+] Completed check of firewall ruleset.
1605 | > [+] Results in /var/log/psad/fw_check
1606 | > [+] Exiting.
1607 | > ```
1608 |
1609 | **Note**: If there were any issues you will get an e-mail with the error.
1610 |
1611 | 1. Check the status of psad:
1612 |
1613 | ``` bash
1614 | sudo psad --Status
1615 | ```
1616 |
1617 | > ```
1618 | > [-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on vm
1619 | > [+] psad_fw_read (pid: 3444) %CPU: 0.0 %MEM: 2.2
1620 | > Running since: Sat Feb 16 01:03:09 2019
1621 | >
1622 | > [+] psad (pid: 3435) %CPU: 0.2 %MEM: 2.7
1623 | > Running since: Sat Feb 16 01:03:09 2019
1624 | > Command line arguments: [none specified]
1625 | > Alert email address(es): root@localhost
1626 | >
1627 | > [+] Version: psad v2.4.3
1628 | >
1629 | > [+] Top 50 signature matches:
1630 | > [NONE]
1631 | >
1632 | > [+] Top 25 attackers:
1633 | > [NONE]
1634 | >
1635 | > [+] Top 20 scanned ports:
1636 | > [NONE]
1637 | >
1638 | > [+] iptables log prefix counters:
1639 | > [NONE]
1640 | >
1641 | > Total protocol packet counters:
1642 | >
1643 | > [+] IP Status Detail:
1644 | > [NONE]
1645 | >
1646 | > Total scan sources: 0
1647 | > Total scan destinations: 0
1648 | >
1649 | > [+] These results are available in: /var/log/psad/status.out
1650 | > ```
1651 |
1652 | ([Table of Contents](#table-of-contents))
1653 |
1654 | ### Application Intrusion Detection And Prevention With Fail2Ban
1655 |
1656 | #### Why
1657 |
1658 | UFW tells your server what doors to board up so nobody can see them, and what doors to allow authorized users through. PSAD monitors network activity to detect and prevent potential intrusions -- repeated attempts to get in.
1659 |
1660 | But what about the applications/services your server is running, like SSH and Apache, where your firewall is configured to allow access in. Even though access may be allowed that doesn't mean all access attempts are valid and harmless. What if someone tries to brute-force their way in to a web-app you're running on your server? This is where Fail2ban comes in.
1661 |
1662 | #### How It Works
1663 |
1664 | Fail2ban monitors the logs of your applications (like SSH and Apache) to detect and prevent potential intrusions. It will monitor network traffic/logs and prevent intrusions by blocking suspicious activity (e.g. multiple successive failed connections in a short time-span).
1665 |
1666 | #### Goals
1667 |
1668 | - network monitoring for suspicious activity with automatic banning of offending IPs
1669 |
1670 | #### Notes
1671 |
1672 | - As of right now, the only thing running on this server is SSH so we'll want Fail2ban to monitor SSH and ban as necessary.
1673 | - As you install other programs, you'll need to create/configure the appropriate jails and enable them.
1674 |
1675 | #### References
1676 |
1677 | - https://www.fail2ban.org/
1678 | - https://blog.vigilcode.com/2011/05/ufw-with-fail2ban-quick-secure-setup-part-ii/
1679 | - https://dodwell.us/security/ufw-fail2ban-portscan.html
1680 | - https://www.howtoforge.com/community/threads/fail2ban-and-ufw-on-debian.77261/
1681 |
1682 | #### Steps
1683 |
1684 | 1. Install fail2ban.
1685 |
1686 | On Debian based systems:
1687 |
1688 | ``` bash
1689 | sudo apt install fail2ban
1690 | ```
1691 |
1692 | 1. We don't want to edit `/etc/fail2ban/fail2ban.conf` or `/etc/fail2ban/jail.conf` because a future update may overwrite those so we'll create a local copy instead. Create the file `/etc/fail2ban/jail.local` and add this to it after replacing `[LAN SEGMENT]` and `[your email]` with the appropriate values:
1693 |
1694 | ```
1695 | [DEFAULT]
1696 | # the IP address range we want to ignore
1697 | ignoreip = 127.0.0.1/8 [LAN SEGMENT]
1698 |
1699 | # who to send e-mail to
1700 | destemail = [your e-mail]
1701 |
1702 | # who is the email from
1703 | sender = [your e-mail]
1704 |
1705 | # since we're using exim4 to send emails
1706 | mta = mail
1707 |
1708 | # get email alerts
1709 | action = %(action_mwl)s
1710 | ```
1711 |
1712 | **Note**: Your server will need to be able to send e-mails so Fail2ban can let you know of suspicious activity and when it banned an IP.
1713 |
1714 | 1. We need to create a jail for SSH that tells fail2ban to look at SSH logs and use ufw to ban/unban IPs as needed. Create a jail for SSH by creating the file `/etc/fail2ban/jail.d/ssh.local` and adding this to it:
1715 |
1716 | ```
1717 | [sshd]
1718 | enabled = true
1719 | banaction = ufw
1720 | port = ssh
1721 | filter = sshd
1722 | logpath = %(sshd_log)s
1723 | maxretry = 5
1724 | ```
1725 |
1726 | [For the lazy](#editing-configuration-files---for-the-lazy):
1727 |
1728 | ``` bash
1729 | cat << EOF | sudo tee /etc/fail2ban/jail.d/ssh.local
1730 | [sshd]
1731 | enabled = true
1732 | banaction = ufw
1733 | port = ssh
1734 | filter = sshd
1735 | logpath = %(sshd_log)s
1736 | maxretry = 5
1737 | EOF
1738 | ```
1739 |
1740 | 1. In the above we tell fail2ban to use the ufw as the `banaction`. Fail2ban ships with an action configuration file for ufw. You can see it in `/etc/fail2ban/action.d/ufw.conf`
1741 |
1742 | 1. Enable fail2ban and the jail for SSH:
1743 |
1744 | ``` bash
1745 | sudo fail2ban-client start
1746 | sudo fail2ban-client reload
1747 | sudo fail2ban-client add sshd
1748 | ```
1749 |
1750 | 1. To check the status:
1751 |
1752 | ``` bash
1753 | sudo fail2ban-client status
1754 | ```
1755 |
1756 | > ```
1757 | > Status
1758 | > |- Number of jail: 1
1759 | > `- Jail list: sshd
1760 | > ```
1761 |
1762 | ``` bash
1763 | sudo fail2ban-client status sshd
1764 | ```
1765 |
1766 | > ```
1767 | > Status for the jail: sshd
1768 | > |- Filter
1769 | > | |- Currently failed: 0
1770 | > | |- Total failed: 0
1771 | > | `- File list: /var/log/auth.log
1772 | > `- Actions
1773 | > |- Currently banned: 0
1774 | > |- Total banned: 0
1775 | > `- Banned IP list:
1776 | > ```
1777 |
1778 | #### Custom Jails
1779 |
1780 | I have not needed to create a custom jail yet. Once I do, and I figure out how, I will update this guide. Or, if you know how please help [contribute](#contributing).
1781 |
1782 | #### Unban an IP
1783 |
1784 | To unban an IP use this command:
1785 |
1786 | ``` bash
1787 | fail2ban-client set [jail] unbanip [IP]
1788 | ```
1789 |
1790 | `[jail]` is the name of the jail that has the banned IP and `[IP]` is the IP address you want to unban. For example, to unaban `192.168.1.100` from SSH you would do:
1791 |
1792 | ``` bash
1793 | fail2ban-client set sshd unbanip 192.168.1.100
1794 | ```
1795 |
1796 | ([Table of Contents](#table-of-contents))
1797 |
1798 | ## The Auditing
1799 |
1800 | ### File/Folder Integrity Monitoring With AIDE (WIP)
1801 |
1802 | #### Why
1803 |
1804 | WIP
1805 |
1806 | #### How It Works
1807 |
1808 | WIP
1809 |
1810 | #### Goals
1811 |
1812 | WIP
1813 |
1814 | #### References
1815 |
1816 | - https://aide.github.io/
1817 | - https://www.hiroom2.com/2017/06/09/debian-8-file-integrity-check-with-aide/
1818 | - https://blog.rapid7.com/2017/06/30/how-to-install-and-configure-aide-on-ubuntu-linux/
1819 | - https://www.stephenrlang.com/2016/03/using-aide-for-file-integrity-monitoring-fim-on-ubuntu/
1820 | - https://www.howtoforge.com/how-to-configure-the-aide-advanced-intrusion-detection-environment-file-integrity-scanner-for-your-website
1821 | - https://www.tecmint.com/check-integrity-of-file-and-directory-using-aide-in-linux/
1822 | - https://www.cyberciti.biz/faq/debian-ubuntu-linux-software-integrity-checking-with-aide/
1823 |
1824 | #### Steps
1825 |
1826 | 1. Install AIDE.
1827 |
1828 | On Debian based systems:
1829 |
1830 | ``` bash
1831 | sudo apt install aide
1832 | ```
1833 |
1834 | 1. Make a backup of AIDE's defaults file:
1835 |
1836 | ``` bash
1837 | sudo cp -p /etc/default/aide /etc/default/aide.$(date +"%Y%m%d%H%M%S")
1838 | ```
1839 |
1840 | 1. Go through `/etc/default/aide` and set AIDE's defaults per your requirements. If you want AIDE to run daily and e-mail you, be sure to set `CRON_DAILY_RUN` to `yes`.
1841 |
1842 | 1. Make a backup of AIDE's configuration files:
1843 |
1844 | ``` bash
1845 | sudo cp -pr /etc/aide /etc/aide.$(date +"%Y%m%d%H%M%S")
1846 | ```
1847 |
1848 | 1. On Debian based systems:
1849 |
1850 | - AIDE's configuration files are in `/etc/aide/aide.conf.d/`.
1851 | - You'll want to go through AIDE's documentation and the configuration files in to set them per your requirements.
1852 | - If you want new settings, to monitor a new folder for example, you'll want to add them to `/etc/aide/aide.conf` or `/etc/aide/aide.conf.d/`.
1853 | - Take a backup of the stock configuration files: `sudo cp -pr /etc/aide /etc/aide.$(date +"%Y%m%d%H%M%S")`.
1854 |
1855 | 1. Create a new database, and install it.
1856 |
1857 | On Debian based systems:
1858 |
1859 | ``` bash
1860 | sudo aideinit
1861 | ```
1862 |
1863 | > ```
1864 | > Running aide --init...
1865 | > Start timestamp: 2019-04-01 21:23:37 -0400 (AIDE 0.16)
1866 | > AIDE initialized database at /var/lib/aide/aide.db.new
1867 | > Verbose level: 6
1868 | >
1869 | > Number of entries: 25973
1870 | >
1871 | > ---------------------------------------------------
1872 | > The attributes of the (uncompressed) database(s):
1873 | > ---------------------------------------------------
1874 | >
1875 | > /var/lib/aide/aide.db.new
1876 | > RMD160 : moyQ1YskQQbidX+Lusv3g2wf1gQ=
1877 | > TIGER : 7WoOgCrXzSpDrlO6I3PyXPj1gRiaMSeo
1878 | > SHA256 : gVx8Fp7r3800WF2aeXl+/KHCzfGsNi7O
1879 | > g16VTPpIfYQ=
1880 | > SHA512 : GYfa0DJwWgMLl4Goo5VFVOhu4BphXCo3
1881 | > rZnk49PYztwu50XjaAvsVuTjJY5uIYrG
1882 | > tV+jt3ELvwFzGefq4ZBNMg==
1883 | > CRC32 : /cusZw==
1884 | > HAVAL : E/i5ceF3YTjwenBfyxHEsy9Kzu35VTf7
1885 | > CPGQSW4tl14=
1886 | > GOST : n5Ityzxey9/1jIs7LMc08SULF1sLBFUc
1887 | > aMv7Oby604A=
1888 | >
1889 | >
1890 | > End timestamp: 2019-04-01 21:24:45 -0400 (run time: 1m 8s)
1891 | > ```
1892 |
1893 | 1. Test everything works with no changes.
1894 |
1895 | On Debian based systems:
1896 |
1897 | ``` bash
1898 | sudo aide.wrapper --check
1899 | ```
1900 |
1901 | > ```
1902 | > Start timestamp: 2019-04-01 21:24:45 -0400 (AIDE 0.16)
1903 | > AIDE found NO differences between database and filesystem. Looks okay!!
1904 | > Verbose level: 6
1905 | >
1906 | > Number of entries: 25973
1907 | >
1908 | > ---------------------------------------------------
1909 | > The attributes of the (uncompressed) database(s):
1910 | > ---------------------------------------------------
1911 | >
1912 | > /var/lib/aide/aide.db
1913 | > RMD160 : moyQ1YskQQbidX+Lusv3g2wf1gQ=
1914 | > TIGER : 7WoOgCrXzSpDrlO6I3PyXPj1gRiaMSeo
1915 | > SHA256 : gVx8Fp7r3800WF2aeXl+/KHCzfGsNi7O
1916 | > g16VTPpIfYQ=
1917 | > SHA512 : GYfa0DJwWgMLl4Goo5VFVOhu4BphXCo3
1918 | > rZnk49PYztwu50XjaAvsVuTjJY5uIYrG
1919 | > tV+jt3ELvwFzGefq4ZBNMg==
1920 | > CRC32 : /cusZw==
1921 | > HAVAL : E/i5ceF3YTjwenBfyxHEsy9Kzu35VTf7
1922 | > CPGQSW4tl14=
1923 | > GOST : n5Ityzxey9/1jIs7LMc08SULF1sLBFUc
1924 | > aMv7Oby604A=
1925 | >
1926 | >
1927 | > End timestamp: 2019-04-01 21:26:03 -0400 (run time: 1m 18s)
1928 | > ```
1929 |
1930 | 1. Test everything works after making some changes.
1931 |
1932 | On Debian based systems:
1933 |
1934 | ``` bash
1935 | sudo touch /etc/test.sh
1936 | sudo touch /root/test.sh
1937 |
1938 | sudo aide.wrapper --check
1939 |
1940 | sudo rm /etc/test.sh
1941 | sudo rm /root/test.sh
1942 |
1943 | sudo aideinit -y -f
1944 | ```
1945 |
1946 | > ```
1947 | > Start timestamp: 2019-04-01 21:37:37 -0400 (AIDE 0.16)
1948 | > AIDE found differences between database and filesystem!!
1949 | > Verbose level: 6
1950 | >
1951 | > Summary:
1952 | > Total number of entries: 25972
1953 | > Added entries: 2
1954 | > Removed entries: 0
1955 | > Changed entries: 1
1956 | >
1957 | > ---------------------------------------------------
1958 | > Added entries:
1959 | > ---------------------------------------------------
1960 | >
1961 | > f++++++++++++++++: /etc/test.sh
1962 | > f++++++++++++++++: /root/test.sh
1963 | >
1964 | > ---------------------------------------------------
1965 | > Changed entries:
1966 | > ---------------------------------------------------
1967 | >
1968 | > d =.... mc.. .. .: /root
1969 | >
1970 | > ---------------------------------------------------
1971 | > Detailed information about changes:
1972 | > ---------------------------------------------------
1973 | >
1974 | > Directory: /root
1975 | > Mtime : 2019-04-01 21:35:07 -0400 | 2019-04-01 21:37:36 -0400
1976 | > Ctime : 2019-04-01 21:35:07 -0400 | 2019-04-01 21:37:36 -0400
1977 | >
1978 | >
1979 | > ---------------------------------------------------
1980 | > The attributes of the (uncompressed) database(s):
1981 | > ---------------------------------------------------
1982 | >
1983 | > /var/lib/aide/aide.db
1984 | > RMD160 : qF9WmKaf2PptjKnhcr9z4ueCPTY=
1985 | > TIGER : zMo7MvvYJcq1hzvTQLPMW7ALeFiyEqv+
1986 | > SHA256 : LSLLVjjV6r8vlSxlbAbbEsPcQUB48SgP
1987 | > pdVqEn6ZNbQ=
1988 | > SHA512 : Qc4U7+ZAWCcitapGhJ1IrXCLGCf1IKZl
1989 | > 02KYL1gaZ0Fm4dc7xLqjiquWDMSEbwzW
1990 | > oz49NCquqGz5jpMIUy7UxA==
1991 | > CRC32 : z8ChEA==
1992 | > HAVAL : YapzS+/cdDwLj3kHJEq8fufLp3DPKZDg
1993 | > U12KCSkrO7Y=
1994 | > GOST : 74sLV4HkTig+GJhokvxZQm7CJD/NR0mG
1995 | > 6jV7zdt5AXQ=
1996 | >
1997 | >
1998 | > End timestamp: 2019-04-01 21:38:50 -0400 (run time: 1m 13s)
1999 | > ```
2000 |
2001 | 1. That's it. If you set `CRON_DAILY_RUN` to `yes` in `/etc/default/aide` then cron will execute `/etc/cron.daily/aide` every day and e-mail you the output.
2002 |
2003 | #### Updating The Database
2004 |
2005 | Every time you make changes to files/folders that AIDE monitors, you will need to update the database to capture those changes. To do that on Debian based systems:
2006 |
2007 | ``` bash
2008 | sudo aideinit -y -f
2009 | ```
2010 |
2011 | ([Table of Contents](#table-of-contents))
2012 |
2013 | ### Anti-Virus Scanning With ClamAV (WIP)
2014 |
2015 | #### Why
2016 |
2017 | WIP
2018 |
2019 | #### How It Works
2020 |
2021 | - ClamAV is a virus scanner
2022 | - ClamAV-Freshclam is a service that keeps the virus definitions updated
2023 | - ClamAV-Daemon keeps the `clamd` process running to make scanning faster
2024 |
2025 | #### Goals
2026 |
2027 | WIP
2028 |
2029 | #### Notes
2030 |
2031 | - These instructions **do not** tell you how to enable the ClamAV daemon service to ensure `clamd` is running all the time. `clamd` is only if you're running a mail server and does not provide real-time monitoring of files. Instead, you'd want to scan files manually or on a schedule.
2032 |
2033 | #### References
2034 |
2035 | - https://www.clamav.net/documents/installation-on-debian-and-ubuntu-linux-distributions
2036 | - https://wiki.debian.org/ClamAV
2037 | - https://www.osradar.com/install-clamav-debian-9-ubuntu-18/
2038 | - https://www.lisenet.com/2014/automate-clamav-to-perform-daily-system-scan-and-send-email-notifications-on-linux/
2039 | - https://www.howtoforge.com/tutorial/configure-clamav-to-scan-and-notify-virus-and-malware/
2040 | - https://serverfault.com/questions/741299/is-there-a-way-to-keep-clamav-updated-on-debian-8
2041 | - https://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav
2042 | - https://ngothang.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/
2043 |
2044 | #### Steps
2045 |
2046 | 1. Install ClamAV.
2047 |
2048 | On Debian based systems:
2049 |
2050 | ``` bash
2051 | sudo apt install clamav clamav-freshclam clamav-daemon
2052 | ```
2053 |
2054 | 1. Make a backup of `clamav-freshclam`'s configuration file `/etc/clamav/freshclam.conf`:
2055 |
2056 | ``` bash
2057 | sudo cp --preserve /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf.$(date +"%Y%m%d%H%M%S")
2058 | ```
2059 |
2060 | 1. `clamav-freshclam`'s default settings are probably good enough but if you want to change them, you can either edit the file `/etc/clamav/freshclam.conf` or use `dpkg-reconfigure`:
2061 |
2062 | ``` bash
2063 | sudo dpkg-reconfigure clamav-freshclam
2064 | ```
2065 |
2066 | **Note**: The default settings will update the definitions 24 times in a day. To change the interval, check the `Checks` setting in `/etc/clamav/freshclam.conf` or use `dpkg-reconfigure`.
2067 |
2068 | 1. Start the `clamav-freshclam` service:
2069 |
2070 | ``` bash
2071 | sudo service clamav-freshclam start
2072 | ```
2073 |
2074 | 1. You can make sure `clamav-freshclam` running:
2075 |
2076 | ``` bash
2077 | sudo service clamav-freshclam status
2078 | ```
2079 |
2080 | > ```
2081 | > ● clamav-freshclam.service - ClamAV virus database updater
2082 | > Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2019-03-16 22:57:07 EDT; 2min 13s ago
2083 | > Docs: man:freshclam(1)
2084 | > man:freshclam.conf(5)
2085 | > https://www.clamav.net/documents
2086 | > Main PID: 1288 (freshclam)
2087 | > CGroup: /system.slice/clamav-freshclam.service
2088 | > └─1288 /usr/bin/freshclam -d --foreground=true
2089 | >
2090 | > Mar 16 22:57:08 host freshclam[1288]: Sat Mar 16 22:57:08 2019 -> ^Local version: 0.100.2 Recommended version: 0.101.1
2091 | > Mar 16 22:57:08 host freshclam[1288]: Sat Mar 16 22:57:08 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
2092 | > Mar 16 22:57:15 host freshclam[1288]: Sat Mar 16 22:57:15 2019 -> Downloading main.cvd [100%]
2093 | > Mar 16 22:57:38 host freshclam[1288]: Sat Mar 16 22:57:38 2019 -> main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
2094 | > Mar 16 22:57:40 host freshclam[1288]: Sat Mar 16 22:57:40 2019 -> Downloading daily.cvd [100%]
2095 | > Mar 16 22:58:13 host freshclam[1288]: Sat Mar 16 22:58:13 2019 -> daily.cvd updated (version: 25390, sigs: 1520006, f-level: 63, builder: raynman)
2096 | > Mar 16 22:58:14 host freshclam[1288]: Sat Mar 16 22:58:14 2019 -> Downloading bytecode.cvd [100%]
2097 | > Mar 16 22:58:16 host freshclam[1288]: Sat Mar 16 22:58:16 2019 -> bytecode.cvd updated (version: 328, sigs: 94, f-level: 63, builder: neo)
2098 | > Mar 16 22:58:24 host freshclam[1288]: Sat Mar 16 22:58:24 2019 -> Database updated (6086349 signatures) from db.local.clamav.net (IP: 104.16.219.84)
2099 | > Mar 16 22:58:24 host freshclam[1288]: Sat Mar 16 22:58:24 2019 -> ^Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory
2100 | > ```
2101 |
2102 | **Note**: Don't worry about that `Local version` line. Check https://serverfault.com/questions/741299/is-there-a-way-to-keep-clamav-updated-on-debian-8 for more details.
2103 |
2104 | 1. Make a backup of `clamav-daemon`'s configuration file `/etc/clamav/clamd.conf`:
2105 |
2106 | ``` bash
2107 | sudo cp --preserve /etc/clamav/clamd.conf /etc/clamav/clamd.conf.$(date +"%Y%m%d%H%M%S")
2108 | ```
2109 |
2110 | 1. You can change `clamav-daemon`'s settings by editing the file `/etc/clamav/clamd.conf` or useing `dpkg-reconfigure`:
2111 |
2112 | ``` bash
2113 | sudo dpkg-reconfigure clamav-daemon
2114 | ```
2115 |
2116 | #### Scanning Files/Folders
2117 |
2118 | - To scan files/folders use the `clamscan` program.
2119 | - `clamscan` runs as the user it is executed as so it needs read permissions to the files/folders it is scanning.
2120 | - Using `clamscan` as `root` is dangerous because if a file is in fact a virus there is risk that it could use the root privileges.
2121 | - To scan a file: `clamscan /path/to/file`.
2122 | - To scan a directory: `clamscan -r /path/to/folder`.
2123 | - You can use the `-i` switch to only print infected files.
2124 | - Check `clamscan`'s `man` pages for other switches/options.
2125 |
2126 | ([Table of Contents](#table-of-contents))
2127 |
2128 | ### Rootkit Detection With Rkhunter (WIP)
2129 |
2130 | #### Why
2131 |
2132 | WIP
2133 |
2134 | #### How It Works
2135 |
2136 | WIP
2137 |
2138 | #### Goals
2139 |
2140 | WIP
2141 |
2142 | #### References
2143 |
2144 | - http://rkhunter.sourceforge.net/
2145 | - https://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/
2146 | - https://www.tecmint.com/install-rootkit-hunter-scan-for-rootkits-backdoors-in-linux/
2147 |
2148 | #### Steps
2149 |
2150 | 1. Install Rkhunter.
2151 |
2152 | On Debian based systems:
2153 |
2154 | ``` bash
2155 | sudo apt install rkhunter
2156 | ```
2157 |
2158 | 1. Make a backup of rkhunter' defaults file:
2159 |
2160 | ``` bash
2161 | sudo cp -p /etc/default/rkhunter /etc/default/rkhunter.$(date +"%Y%m%d%H%M%S")
2162 | ```
2163 |
2164 | 1. rkhunter's configuration file is `/etc/rkhunter.conf`. Instead of making changes to it, create and use the file `/etc/rkhunter.conf.local` instead:
2165 |
2166 | ``` bash
2167 | sudo cp -p /etc/rkhunter.conf /etc/rkhunter.conf.local
2168 | ```
2169 |
2170 | 1. Go through the configuration file `/etc/rkhunter.conf.local` and set to your requirements. My recommendations:
2171 |
2172 | |Setting|Note|
2173 | |--|--|
2174 | |`UPDATE_MIRRORS=1`||
2175 | |`MIRRORS_MODE=0`||
2176 | |`MAIL-ON-WARNING=root`||
2177 | |`COPY_LOG_ON_ERROR=1`|to save a copy of the log if there is an error|
2178 | |`PKGMGR=...`|set to the appropriate value per the documentation|
2179 | |`PHALANX2_DIRTEST=1`|read the documentation for why|
2180 | |`WEB_CMD=""`|this is to address an issue with the Debian package that disables the ability for rkhunter to self-update.|
2181 | |`USE_LOCKING=1`|to prevent issues with rkhunter running multiple times|
2182 | |`SHOW_SUMMARY_WARNINGS_NUMBER=1`|to see the actual number of warnings found|
2183 |
2184 | 1. You want rkhunter to run every day and e-mail you the result. You can write your own script or check https://www.tecmint.com/install-rootkit-hunter-scan-for-rootkits-backdoors-in-linux/ for a sample cron script you can use.
2185 |
2186 | On Debian based system, rkhunter comes with cron scripts. To enable them check `/etc/default/rkhunter` or use `dpkg-reconfigure` and say `Yes` to all of the questions:
2187 |
2188 | ``` bash
2189 | sudo dpkg-reconfigure rkhunter
2190 | ```
2191 |
2192 | 1. After you've finished with all of the changes, make sure all the settings are valid:
2193 |
2194 | ``` bash
2195 | sudo rkhunter -C
2196 | ```
2197 |
2198 | 1. Update rkhunter and its database:
2199 |
2200 | ``` bash
2201 | sudo rkhunter --versioncheck
2202 | sudo rkhunter --update
2203 | sudo rkhunter --propupd
2204 | ```
2205 |
2206 | 1. If you want to do a manual scan and see the output:
2207 |
2208 | ``` bash
2209 | sudo rkhunter --check
2210 | ```
2211 |
2212 | ([Table of Contents](#table-of-contents))
2213 |
2214 | ### Rootkit Detection With chrootkit (WIP)
2215 |
2216 | #### Why
2217 |
2218 | WIP
2219 |
2220 | #### How It Works
2221 |
2222 | WIP
2223 |
2224 | #### Goals
2225 |
2226 | WIP
2227 |
2228 | #### References
2229 |
2230 | - http://www.chkrootkit.org/
2231 | - https://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/
2232 | - https://askubuntu.com/questions/258658/eth0-packet-sniffer-sbin-dhclient
2233 |
2234 | #### Steps
2235 |
2236 | 1. Install chkrootkit.
2237 |
2238 | On Debian based systems:
2239 |
2240 | ``` bash
2241 | sudo apt install chkrootkit
2242 | ```
2243 |
2244 | 1. Do a manual scan:
2245 |
2246 | ``` bash
2247 | sudo chkrootkit
2248 | ```
2249 |
2250 | > ```
2251 | > ROOTDIR is `/'
2252 | > Checking `amd'... not found
2253 | > Checking `basename'... not infected
2254 | > Checking `biff'... not found
2255 | > Checking `chfn'... not infected
2256 | > Checking `chsh'... not infected
2257 | > ...
2258 | > Checking `scalper'... not infected
2259 | > Checking `slapper'... not infected
2260 | > Checking `z2'... chklastlog: nothing deleted
2261 | > Checking `chkutmp'... chkutmp: nothing deleted
2262 | > Checking `OSX_RSPLUG'... not infected
2263 | > ```
2264 |
2265 | 1. Make a backup of chkrootkit's configuration file `/etc/chkrootkit.conf`:
2266 |
2267 | ``` bash
2268 | sudo cp --preserve /etc/chkrootkit.conf /etc/chkrootkit.conf.$(date +"%Y%m%d%H%M%S")
2269 | ```
2270 |
2271 | 1. You want chkrootkit to run every day and e-mail you the result.
2272 |
2273 | On Debian based system, chkrootkit comes with cron scripts. To enable them check `/etc/chkrootkit.conf` or use `dpkg-reconfigure` and say `Yes` to the first question:
2274 |
2275 | ``` bash
2276 | sudo dpkg-reconfigure chkrootkit
2277 | ```
2278 |
2279 | ([Table of Contents](#table-of-contents))
2280 |
2281 | ### logwatch - system log analyzer and reporter
2282 |
2283 | #### Why
2284 |
2285 | Your server will be generating a lot of logs that may contain important information. Unless you plan on checking your server everyday, you'll want a way to get e-mail summary of your server's logs. To accomplish this we'll use [logwatch](https://sourceforge.net/projects/logwatch/).
2286 |
2287 | #### How It Works
2288 |
2289 | logwatch scans system log files and summarizes them. You can run it directly from the command line or schedule it to run on a recurring schedule. logwatch uses service files to know how to read/summarize a log file. You can see all of the stock service files in `/usr/share/logwatch/scripts/services`.
2290 |
2291 | logwatch's configuration file `/usr/share/logwatch/default.conf/logwatch.conf` specifies default options. You can override them via command line arguments.
2292 |
2293 | #### Goals
2294 |
2295 | - Logwatch configured to send a daily e-mail summary of all of the server's status and logs
2296 |
2297 | #### Notes
2298 |
2299 | - Your server will need to be able to send e-mails for this to work
2300 | - The below steps will result in logwatch running every day. If you want to change the schedule, modify the cronjob to your liking. You'll also want to change the `range` option to cover your recurrence window. See https://www.badpenguin.org/configure-logwatch-for-weekly-email-and-html-output-format for an example.
2301 | - If logwatch fails to deliver mail due to the e-mail having long lines please check https://blog.dhampir.no/content/exim4-line-length-in-debian-stretch-mail-delivery-failed-returning-message-to-sender as documented in [issue #29](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/29). If you you followed [Gmail and Exim4 As MTA With Implicit TLS](#gmail-and-exim4-as-mta-with-implicit-tls) then we already took care of this in step #7.
2302 |
2303 | #### References
2304 |
2305 | - Thanks to [amacheema](https://github.com/amacheema) for fixing some issues with the steps and letting me know of a long line bug with exim4 as documented in [issue #29](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/29).
2306 | - https://sourceforge.net/projects/logwatch/
2307 | - https://www.digitalocean.com/community/tutorials/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps
2308 |
2309 | #### Steps
2310 |
2311 | 1. Install logwatch.
2312 |
2313 | On Debian based systems:
2314 |
2315 | ``` bash
2316 | sudo apt install logwatch
2317 | ```
2318 |
2319 | 1. To see a sample of what logwatch collects you can run it directly:
2320 |
2321 | ``` bash
2322 | sudo /usr/sbin/logwatch --output stdout --format text --range yesterday --service all
2323 | ```
2324 |
2325 | > ```
2326 | >
2327 | > ################### Logwatch 7.4.3 (12/07/16) ####################
2328 | > Processing Initiated: Mon Mar 4 00:05:50 2019
2329 | > Date Range Processed: yesterday
2330 | > ( 2019-Mar-03 )
2331 | > Period is day.
2332 | > Detail Level of Output: 5
2333 | > Type of Output/Format: stdout / text
2334 | > Logfiles for Host: host
2335 | > ##################################################################
2336 | >
2337 | > --------------------- Cron Begin ------------------------
2338 | > ...
2339 | > ...
2340 | > ---------------------- Disk Space End -------------------------
2341 | >
2342 | >
2343 | > ###################### Logwatch End #########################
2344 | > ```
2345 |
2346 | 1. Go through logwatch's self-documented configuration file `/usr/share/logwatch/default.conf/logwatch.conf` before continuing. There is no need to change anything here but pay special attention to the `Output`, `Format`, `MailTo`, `Range`, and `Service` as those are the ones we'll be using. For our purposes, instead of specifying our options in the configuration file, we will pass them as command line arguments in the daily cron job that executes logwatch. That way, if the configuration file is ever modified (e.g. during an update), our options will still be there.
2347 |
2348 | 1. Make a backup of logwatch's daily cron file `/etc/cron.daily/00logwatch` and unset the execute bit:
2349 |
2350 | ``` bash
2351 | sudo cp --preserve /etc/cron.daily/00logwatch /etc/cron.daily/00logwatch.$(date +"%Y%m%d%H%M%S")
2352 | sudo chmod -x /etc/cron.daily/00logwatch.*
2353 | ```
2354 |
2355 | 1. By default, logwatch outputs to `stdout`. Since the goal is to get a daily e-mail, we need to change the output type that logwatch uses to send e-mail instead. We could do this through the configuration file above, but that would apply to every time it is run -- even when we run it manually and want to see the output to the screen. Instead, we'll change the cron job that executes logwatch to send e-mail. This way, when run manually, we'll still get output to `stdout` and when run by cron, it'll send an e-mail. We'll also make sure it checks for all services, and change the output format to html so it's easier to read regardless of what the configuration file says. In the file `/etc/cron.daily/00logwatch` find the execute line and change it to:
2356 |
2357 | ```
2358 | /usr/sbin/logwatch --output mail --format html --mailto root --range yesterday --service all
2359 | ```
2360 |
2361 | > ```
2362 | > #!/bin/bash
2363 | >
2364 | > #Check if removed-but-not-purged
2365 | > test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0
2366 | >
2367 | > #execute
2368 | > /usr/sbin/logwatch --output mail --format html --mailto root --range yesterday --service all
2369 | >
2370 | > #Note: It's possible to force the recipient in above command
2371 | > #Just pass --mailto address@a.com instead of --output mail
2372 | > ```
2373 |
2374 | [For the lazy](#editing-configuration-files---for-the-lazy):
2375 |
2376 | ``` bash
2377 | sudo sed -i -r -e "s,^($(sudo which logwatch).*?),# \1 # commented by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")\n$(sudo which logwatch) --output mail --format html --mailto root --range yesterday --service all # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")," /etc/cron.daily/00logwatch
2378 | ```
2379 |
2380 | 1. You can test the cron job by executing it:
2381 |
2382 | ``` bash
2383 | sudo /etc/cron.daily/00logwatch
2384 | ```
2385 |
2386 | **Note**: If logwatch fails to deliver mail due to the e-mail having long lines please check https://blog.dhampir.no/content/exim4-line-length-in-debian-stretch-mail-delivery-failed-returning-message-to-sender as documented in [issue #29](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/29). If you you followed [Gmail and Exim4 As MTA With Implicit TLS](#gmail-and-exim4-as-mta-with-implicit-tls) then we already took care of this in step #7.
2387 |
2388 | ([Table of Contents](#table-of-contents))
2389 |
2390 | ### ss - Seeing Ports Your Server Is Listening On
2391 |
2392 | #### Why
2393 |
2394 | Ports are how applications, services, and processes communicate with each other -- either locally within your server or with other devices on the network. When you have an application or service (like SSH or Apache) running on your server, they listen for requests on specific ports.
2395 |
2396 | Obviously we don't want your server listening on ports we don't know about. We'll use `ss` to see all the ports that services are listening on. This will help us track down and stop rogue, potentially dangerous, services.
2397 |
2398 | #### Goals
2399 |
2400 | - find out non-localhost what ports are open and listening for connections
2401 |
2402 | #### References
2403 |
2404 | - https://www.reddit.com/r/linux/comments/arx7st/howtosecurealinuxserver_an_evolving_howto_guide/egrib6o/
2405 | - https://www.reddit.com/r/linux/comments/arx7st/howtosecurealinuxserver_an_evolving_howto_guide/egs1rev/
2406 | - https://www.tecmint.com/find-open-ports-in-linux/
2407 | - `man ss`
2408 |
2409 | #### Steps
2410 |
2411 | 1. To see the all the ports listening for traffic:
2412 |
2413 | ``` bash
2414 | sudo ss -lntup
2415 | ```
2416 |
2417 | > ```
2418 | > Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
2419 | > udp UNCONN 0 0 *:68 *:* users:(("dhclient",pid=389,fd=6))
2420 | > tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=4390,fd=3))
2421 | > tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=4390,fd=4))
2422 | > ```
2423 |
2424 | **Switch Explanations**:
2425 | - `l` = display listening sockets
2426 | - `n` = do now try to resolve service names
2427 | - `t` = display TCP sockets
2428 | - `u` = display UDP sockets
2429 | - `p` = show process information
2430 |
2431 | 1. If you see anything suspicious, like a port you're not aware of or a process you don't know, investigate and remediate as necessary.
2432 |
2433 | ([Table of Contents](#table-of-contents))
2434 |
2435 | ### Lynis - Linux Security Auditing
2436 |
2437 | #### Why
2438 |
2439 | From [https://cisofy.com/lynis/](https://cisofy.com/lynis/):
2440 |
2441 | > Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing.
2442 |
2443 | #### Goals
2444 |
2445 | - Lynis installed
2446 |
2447 | #### Notes
2448 |
2449 | - CISOFY offers packages for many distributions. Check https://packages.cisofy.com/ for distribution specific installation instructions.
2450 |
2451 | #### References
2452 |
2453 | - https://cisofy.com/documentation/lynis/get-started/
2454 | - https://packages.cisofy.com/community/#debian-ubuntu
2455 | - https://thelinuxcode.com/audit-lynis-ubuntu-server/
2456 | - https://www.vultr.com/docs/install-lynis-on-debian-8
2457 |
2458 | #### Steps
2459 |
2460 | 1. Install lynis. https://cisofy.com/lynis/#installation has detailed instructions on how to install it for your distribution.
2461 |
2462 | On Debian based systems, using CISOFY's community software repository:
2463 |
2464 | ``` bash
2465 | sudo apt install apt-transport-https ca-certificates host
2466 | sudo wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
2467 | sudo echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
2468 | sudo apt update
2469 | sudo apt install lynis host
2470 | ```
2471 |
2472 | 1. Update it:
2473 |
2474 | ``` bash
2475 | sudo lynis update info
2476 | ```
2477 |
2478 | 1. Run a security audit:
2479 |
2480 | ``` bash
2481 | sudo lynis audit system
2482 | ```
2483 |
2484 | This will scan your server, report its audit findings, and at the end it will give you suggestions. Spend some time going through the output and address gaps as necessary.
2485 |
2486 | ([Table of Contents](#table-of-contents))
2487 |
2488 | ## The Danger Zone
2489 |
2490 | ### Proceed At Your Own Risk
2491 |
2492 | This sections cover things that are high risk because there is a possibility they can make your system unusable, or are considered unnecessary by many because the risks outweigh any rewards.
2493 |
2494 | **!! PROCEED AT YOUR OWN RISK !!**
2495 |
2496 | !! PROCEED AT YOUR OWN RISK !!
2497 |
2498 | ([Table of Contents](#table-of-contents))
2499 |
2500 | ### Table of Contents
2501 |
2502 | - [Linux Kernel sysctl Hardening](#linux-kernel-sysctl-hardening)
2503 | - [Password Protect GRUB](#password-protect-grub)
2504 | - [Disable Root Login](#disable-root-login)
2505 | - [Change Default umask](#change-default-umask)
2506 | - [Orphaned Software](#orphaned-software)
2507 |
2508 | ([Table of Contents](#table-of-contents))
2509 |
2510 | ### Linux Kernel sysctl Hardening
2511 |
2512 | !! PROCEED AT YOUR OWN RISK !!
2513 |
2514 | #### Why
2515 |
2516 | The kernel is the brains of a Linux system. Securing it just makes sense.
2517 |
2518 | #### Why Not
2519 |
2520 | Changing kernel settings with sysctl is risky and could break your server. If you don't know what you are doing, don't have the time to debug issues, or just don't want to take the risks, I would advise from not following these steps.
2521 |
2522 | #### Disclaimer
2523 |
2524 | I am not as knowledgeable about hardening/securing a Linux kernel as I'd like. As much as I hate to admit it, I do not know what all of these settings do. My understanding is that most of them are general kernel hardening and performance, and the others are to protect against spoofing and DOS attacks.
2525 |
2526 | In fact, since I am not 100% sure exactly what each setting does, I took recommended settings from numerous sites (all linked in the references below) and combined them to figure out what should be set. I figure if multiple reputable sites mention the same setting, it's probably safe.
2527 |
2528 | If you have a better understanding of what these settings do, or have any other feedback/advice on them, please [let me know](#contacting-me).
2529 |
2530 | I won't provide [For the lazy](#editing-configuration-files---for-the-lazy) code in this section.
2531 |
2532 | #### Notes
2533 |
2534 | - Documentation on all the sysctl settings/keys is severely lacking. The [documentation I can find](https://github.com/torvalds/linux/tree/master/Documentation) seems to reference the 2.2 version kernel. I could not find anything newer. If you know where I can, please [let me know](#contacting-me).
2535 | - The reference sites listed below have more comments on what each setting does.
2536 |
2537 | #### References
2538 |
2539 | - https://github.com/torvalds/linux/tree/master/Documentation
2540 | - https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
2541 | - https://geektnt.com/sysctl-conf-hardening.html
2542 | - https://linoxide.com/how-tos/linux-server-protection/
2543 | - https://github.com/klaver/sysctl/blob/master/sysctl.conf
2544 | - https://cloudpro.zone/index.php/2018/01/30/debian-9-3-server-setup-guide-part-5/
2545 |
2546 | #### Steps
2547 |
2548 | 1. The sysctl settings can be found in the [linux-kernel-sysctl-hardening.md](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/blob/master/linux-kernel-sysctl-hardening.md) file in this repo.
2549 |
2550 | 1. Before you make a kernel sysctl change permanent, you can test it with the sysctl command:
2551 |
2552 | ``` bash
2553 | sudo sysctl -w [key=value]
2554 | ```
2555 |
2556 | Example:
2557 |
2558 | ``` bash
2559 | sudo sysctl -w kernel.ctrl-alt-del=0
2560 | ```
2561 |
2562 | **Note**: There are no spaces in `key=value`, including before and after the space.
2563 |
2564 | 1. Once you have tested a setting, and made sure it works without breaking your server, you can make it permanent by adding the values to `/etc/sysctl.conf`. For example:
2565 |
2566 | ``` bash
2567 | $ sudo cat /etc/sysctl.conf
2568 | kernel.ctrl-alt-del = 0
2569 | fs.file-max = 65535
2570 | ...
2571 | kernel.sysrq = 0
2572 | ```
2573 |
2574 | 1. After updating the file you can reload the settings or reboot. To reload:
2575 |
2576 | ``` bash
2577 | sudo sysctl -p
2578 | ```
2579 |
2580 | **Note**: If sysctl has trouble writing any settings then `sysctl -w` or `sysctl -p` will write an error to stderr. You can use this to quickly find invalid settings in your `/etc/sysctl.conf` file:
2581 |
2582 | ``` bash
2583 | sudo sysctl -p >/dev/null
2584 | ```
2585 |
2586 |
2587 |
2588 | ([Table of Contents](#table-of-contents))
2589 |
2590 | ### Password Protect GRUB
2591 |
2592 | !! PROCEED AT YOUR OWN RISK !!
2593 |
2594 | #### Why
2595 |
2596 | If a bad actor has physical access to your server, they could use GRUB to gain unauthorized access to your system.
2597 |
2598 | #### Why Not
2599 |
2600 | If you forget the password, you'll have to go through [some work](https://www.cyberciti.biz/tips/howto-recovering-grub-boot-loader-password.html) to recover the password.
2601 |
2602 | #### Goals
2603 |
2604 | - auto boot the default Debian install and require a password for anything else
2605 |
2606 | #### Notes
2607 |
2608 | - This will only protect GRUB and anything behind it like your operating systems. Check your motherboard's documentation for password protecting your BIOS to prevent a bad actor from circumventing GRUB.
2609 |
2610 | #### References
2611 |
2612 | - https://selivan.github.io/2017/12/21/grub2-password-for-all-but-default-menu-entries.html
2613 | - https://help.ubuntu.com/community/Grub2/Passwords
2614 | - https://computingforgeeks.com/how-to-protect-grub-with-password-on-debian-ubuntu-and-kali-linux/
2615 | - `man grub`
2616 | - `man grub-mkpasswd-pbkdf2`
2617 |
2618 | #### Steps
2619 |
2620 | 1. Create a [Password-Based Key Derivation Function 2 (PBKDF2)](https://en.wikipedia.org/wiki/PBKDF2) hash of your password:
2621 |
2622 | ``` bash
2623 | grub-mkpasswd-pbkdf2 -c 100000
2624 | ```
2625 |
2626 | The below output is from using `password` as the password:
2627 |
2628 | > ```
2629 | > Enter password:
2630 | > Reenter password:
2631 | > PBKDF2 hash of your password is grub.pbkdf2.sha512.100000.2812C233DFC899EFC3D5991D8CA74068C99D6D786A54F603E9A1EFE7BAEDDB6AA89672F92589FAF98DB9364143E7A1156C9936328971A02A483A84C3D028C4FF.C255442F9C98E1F3C500C373FE195DCF16C56EEBDC55ABDD332DD36A92865FA8FC4C90433757D743776AB186BD3AE5580F63EF445472CC1D151FA03906D08A6D
2632 | > ```
2633 |
2634 | 1. Copy everything **after** `PBKDF2 hash of your password is `, **starting from and including** `grub.pbkdf2.sha512...` to the end. You'll need this in the next step.
2635 |
2636 | 1. The `update-grub` program uses scripts to generate configuration files it will use for GRUB's settings. Create the file `/etc/grub.d/01_password` and add the below code after replacing `[hash]` with the hash you copied from the first step. This tells `update-grub` to use this username and password for GRUB.
2637 |
2638 | ``` bash
2639 | #!/bin/sh
2640 | set -e
2641 |
2642 | cat << EOF
2643 | set superusers="grub"
2644 | password_pbkdf2 grub [hash]
2645 | EOF
2646 | ```
2647 |
2648 | For example:
2649 |
2650 | > ``` bash
2651 | > #!/bin/sh
2652 | > set -e
2653 | >
2654 | > cat << EOF
2655 | > set superusers="grub"
2656 | > password_pbkdf2 grub grub.pbkdf2.sha512.100000.2812C233DFC899EFC3D5991D8CA74068C99D6D786A54F603E9A1EFE7BAEDDB6AA89672F92589FAF98DB9364143E7A1156C9936328971A02A483A84C3D028C4FF.C255442F9C98E1F3C500C373FE195DCF16C56EEBDC55ABDD332DD36A92865FA8FC4C90433757D743776AB186BD3AE5580F63EF445472CC1D151FA03906D08A6D
2657 | > EOF
2658 | > ```
2659 |
2660 | 1. Set the file's execute bit so `update-grub` includes it when it updates GRUB's configuration:
2661 |
2662 | ``` bash
2663 | sudo chmod a+x /etc/grub.d/01_password
2664 | ```
2665 |
2666 | 1. Make a backup of GRUB's configuration file `/etc/grub.d/10_linux` that we'll be modifying and unset the execute bit so `update-grub` doesn't try to run it:
2667 |
2668 | ``` bash
2669 | sudo cp --preserve /etc/grub.d/10_linux /etc/grub.d/10_linux.$(date +"%Y%m%d%H%M%S")
2670 | sudo chmod a-x /etc/grub.d/10_linux.*
2671 | ```
2672 |
2673 | 1. To make the default Debian install unrestricted (**without** the password) while keeping everything else restricted (**with** the password) modify `/etc/grub.d/10_linux` and add `--unrestricted` to the `CLASS` variable.
2674 |
2675 | [For the lazy](#editing-configuration-files---for-the-lazy):
2676 |
2677 | ``` bash
2678 | sudo sed -i -r -e "/^CLASS=/ a CLASS=\"\${CLASS} --unrestricted\" # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" /etc/grub.d/10_linux
2679 | ```
2680 |
2681 | 1. Update GRUB with `update-grub`:
2682 |
2683 | ``` bash
2684 | sudo update-grub
2685 | ```
2686 |
2687 |
2688 |
2689 | ([Table of Contents](#table-of-contents))
2690 |
2691 | ### Disable Root Login
2692 |
2693 | !! PROCEED AT YOUR OWN RISK !!
2694 |
2695 | #### Why
2696 |
2697 | If you have sudo [configured properly](#limit-who-can-use-sudo), then the **root** account will mostly never need to log in directly -- either at the terminal or remotely.
2698 |
2699 | #### Why Not
2700 |
2701 | **Be warned, this can cause issues with some configurations!**
2702 |
2703 | If your installation uses [`sulogin`](https://linux.die.net/man/8/sulogin) (like Debian) to drop to a **root** console during boot failures, then locking the **root** account will prevent `sulogin` from opening the **root** shell and you will get this error:
2704 |
2705 | Cannot open access to console, the root account is locked.
2706 |
2707 | See sulogin(8) man page for more details.
2708 |
2709 | Press Enter to continue.
2710 |
2711 | To work around this, you can use the `--force` option for `sulogin`. Some distributions already include this, or some other, workaround.
2712 |
2713 | An alternative to locking the **root** acount is set a long/complicated **root** password and store it in a secured, non digital format. That way you have it when/if you need it.
2714 |
2715 | #### Goals
2716 |
2717 | - locked **root** account that nobody can use to log in as **root**
2718 |
2719 | #### Notes
2720 |
2721 | - Some distributions disable **root** login by default (e.g. Ubuntu) so you may not need to do this step. Check with your distribution's documentation.
2722 |
2723 | #### References
2724 |
2725 | - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806852
2726 | - https://github.com/systemd/systemd/issues/7115
2727 | - https://github.com/karelzak/util-linux/commit/7ff1162e67164cb4ece19dd809c26272461aa254
2728 | - https://github.com/systemd/systemd/issues/11596
2729 | - https://www.reddit.com/r/selfhosted/comments/aoxd4l/new_guide_created_by_me_how_to_secure_a_linux/eg4rkfi/
2730 | - `man systemd`
2731 |
2732 | #### Steps
2733 |
2734 | 1. Lock the **root** account:
2735 |
2736 | ``` bash
2737 | sudo passwd -l root
2738 | ```
2739 |
2740 |
2741 |
2742 | ([Table of Contents](#table-of-contents))
2743 |
2744 | ### Change Default umask
2745 |
2746 | !! PROCEED AT YOUR OWN RISK !!
2747 |
2748 | #### Why
2749 |
2750 | umask controls the **default** permissions of files/folders when they are created. Insecure file/folder permissions give other accounts potentially unauthorized access to your data. This may include the ability to make configuration changes.
2751 |
2752 | - For **non-root** accounts, there is no need for other accounts to get any access to the account's files/folders **by default**.
2753 | - For the **root** account, there is no need for the file/folder primary group or other accounts to have any access to **root**'s files/folders **by default**.
2754 |
2755 | When and if other accounts need access to a file/folder, you want to explicitly grant it using a combination of file/folder permissions and primary group.
2756 |
2757 | #### Why Not
2758 |
2759 | Changing the default umask can create unexpected problems. For example, if you set umask to `0077` for **root**, then **non-root** accounts **will not** have access to application configuration files/folders in `/etc/` which could break applications that do not run with **root** privileges.
2760 |
2761 | #### How It Works
2762 |
2763 | In order to explain how umask works I'd have to explain how Linux file/folder permissions work. As that is a rather complicated question, I will defer you to the references below for further reading.
2764 |
2765 | #### Goals
2766 |
2767 | - set default umask for **non-root** accounts to **0027**
2768 | - set default umask for the **root** account to **0077**
2769 |
2770 | #### Notes
2771 |
2772 | - umask is a Bash built-in which means a user can change their own umask setting.
2773 |
2774 | #### References
2775 |
2776 | - https://www.linuxnix.com/umask-define-linuxunix/
2777 | - https://serverfault.com/questions/818783/which-umask-is-more-secure-in-linux-022-or-027
2778 | - https://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html
2779 | - `man umask`
2780 |
2781 | #### Steps
2782 |
2783 | 1. Make a backup of files we'll be editing:
2784 |
2785 | ``` bash
2786 | sudo cp --preserve /etc/profile /etc/profile.$(date +"%Y%m%d%H%M%S")
2787 | sudo cp --preserve /etc/bash.bashrc /etc/bash.bashrc.$(date +"%Y%m%d%H%M%S")
2788 | sudo cp --preserve /etc/login.defs /etc/login.defs.$(date +"%Y%m%d%H%M%S")
2789 | sudo cp --preserve /root/.bashrc /root/.bashrc.$(date +"%Y%m%d%H%M%S")
2790 | ```
2791 |
2792 | 1. Set default umask for **non-root** accounts to **0027** by adding this line to `/etc/profile` and `/etc/bash.bashrc`:
2793 |
2794 | ```
2795 | umask 0027
2796 | ```
2797 |
2798 | [For the lazy](#editing-configuration-files---for-the-lazy):
2799 |
2800 | ``` bash
2801 | echo -e "\numask 0027 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/profile /etc/bash.bashrc
2802 | ```
2803 |
2804 | 1. We also need to add this line to `/etc/login.defs`:
2805 |
2806 | ```
2807 | UMASK 0027
2808 | ```
2809 |
2810 | [For the lazy](#editing-configuration-files---for-the-lazy):
2811 |
2812 | ``` bash
2813 | echo -e "\nUMASK 0027 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/login.defs
2814 | ```
2815 |
2816 | 1. Set default umask for the **root** account to **0077** by adding this line to `/root/.bashrc`:
2817 |
2818 | ```
2819 | umask 0077
2820 | ```
2821 |
2822 | [For the lazy](#editing-configuration-files---for-the-lazy):
2823 |
2824 | ``` bash
2825 | echo -e "\numask 0077 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /root/.bashrc
2826 | ```
2827 |
2828 |
2829 |
2830 | ([Table of Contents](#table-of-contents))
2831 |
2832 | ### Orphaned Software
2833 |
2834 | !! PROCEED AT YOUR OWN RISK !!
2835 |
2836 | #### Why
2837 |
2838 | As you use your system, and you install and uninstall software, you'll eventually end up with orphaned, or unused software/packages/libraries. You don't need to remove them, but if you don't need them, why keep them? When security is a priority, anything not explicitly needed is a potential security threat. You want to keep your server as trimmed and lean as possible.
2839 |
2840 | #### Notes
2841 |
2842 | - Each distribution manages software/packages/libraries differently so how you find and remove orphaned packages will be different. So far I only have steps for Debian based systems.
2843 |
2844 | #### Debian Based Systems
2845 |
2846 | On Debian based systems, you can use [deborphan](http://freshmeat.sourceforge.net/projects/deborphan/) to find orphaned packages.
2847 |
2848 | ##### Why Not
2849 |
2850 | Keep in mind, deborphan finds packages that have **no package dependencies**. That does not mean they are not used. You could very well have a package you use every day that has no dependencies that you wouldn't want to remove. And, if deborphan gets anything wrong, then removing critical packages may break your system.
2851 |
2852 | ##### Steps
2853 |
2854 | 1. Install deborphan.
2855 |
2856 | ``` bash
2857 | sudo apt install deborphan
2858 | ```
2859 |
2860 | 1. Run deborphan as **root** to see a list of orphaned packages:
2861 |
2862 | ``` bash
2863 | sudo deborphan
2864 | ```
2865 |
2866 | > ```
2867 | > libxapian30
2868 | > libpipeline1
2869 | > ```
2870 |
2871 | 1. [Assuming you want to remove all of the packages deborphan finds](#orphaned-software-why-not), you can pass it's output to `apt` to remove them:
2872 |
2873 | ``` bash
2874 | sudo apt --autoremove purge $(deborphan)
2875 | ```
2876 |
2877 |
2880 |
2881 | ([Table of Contents](#table-of-contents))
2882 |
2883 | ## The Miscellaneous
2884 |
2885 | ### Gmail and Exim4 As MTA With Implicit TLS
2886 |
2887 | #### Why
2888 |
2889 | Unless you're planning on setting up your own mail server, you'll need a way to send e-mails from your server. This will be important for system alerts/messages.
2890 |
2891 | You can use any Gmail account. I recommend you create one specific for this server. That way if your server **is** compromised, the bad-actor won't have any passwords for your primary account. Granted, if you have 2FA/MFA enabled and you use an app password, there isn't much a bad-actor can do with just the app password, but why take the risk?
2892 |
2893 | There are many guides on-line that cover how to configure Gmail as MTA using STARTTLS including a [previous version of this guide](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/tree/cc5edcae1cf846dd250e76b121e721d836481d2f#configure-gmail-as-mta). With STARTTLS, an initial **unencrypted** connection is made and then upgraded to an encrypted TLS or SSL connection. Instead, with the approach outlined below, an encrypted TLS connection is made from the start.
2894 |
2895 | Also, as discussed in [issue #29](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/29) and [here](https://blog.dhampir.no/content/exim4-line-length-in-debian-stretch-mail-delivery-failed-returning-message-to-sender), exim4 will fail for messages with long lines. We'll fix this in this section too.
2896 |
2897 | #### Goals
2898 |
2899 | - `mail` configured to send e-mails from your server using [Gmail](https://mail.google.com/)
2900 | - long line support for exim4
2901 |
2902 | #### References
2903 |
2904 | - Thanks to [remyabel](https://github.com/remyabel) for figuring out how to get this to work with TLS as documented in [issue #24](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/24) and [pull request #26](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/pull/26).
2905 | - https://wiki.debian.org/Exim
2906 | - https://wiki.debian.org/GmailAndExim4
2907 | - https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
2908 | - https://php.quicoto.com/setup-exim4-to-use-gmail-in-ubuntu/
2909 | - https://www.fastmail.com/help/technical/ssltlsstarttls.html
2910 | - exim4 fails for messages with long lines - [issue #29](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/29) and https://blog.dhampir.no/content/exim4-line-length-in-debian-stretch-mail-delivery-failed-returning-message-to-sender
2911 |
2912 | #### Steps
2913 |
2914 | 1. Install exim4. You will also need openssl and ca-certificates.
2915 |
2916 | On Debian based systems:
2917 |
2918 | ``` bash
2919 | sudo apt install exim4 openssl ca-certificates
2920 | ```
2921 |
2922 | 1. Configure exim4:
2923 |
2924 | For Debian based systems:
2925 | ``` bash
2926 | sudo dpkg-reconfigure exim4-config
2927 | ```
2928 |
2929 | You'll be prompted with some questions:
2930 |
2931 | |Prompt|Answer|
2932 | |--:|--|
2933 | |General type of mail configuration|`mail sent by smarthost; no local mail`|
2934 | |System mail name|`localhost`|
2935 | |IP-addresses to listen on for incoming SMTP connections|`127.0.0.1; ::1`|
2936 | |Other destinations for which mail is accepted|(default)|
2937 | |Visible domain name for local users|`localhost`|
2938 | |IP address or host name of the outgoing smarthost|`smtp.gmail.com::465`|
2939 | |Keep number of DNS-queries minimal (Dial-on-Demand)?|`No`|
2940 | |Split configuration into small files?|`No`|
2941 |
2942 | 1. Make a backup of `/etc/exim4/passwd.client`:
2943 |
2944 | ``` bash
2945 | sudo cp --preserve /etc/exim4/passwd.client /etc/exim4/passwd.client.$(date +"%Y%m%d%H%M%S")
2946 | ```
2947 |
2948 | 1. Add a line like this to `/etc/exim4/passwd.client`
2949 |
2950 | ```
2951 | *.google.com:yourAccount@gmail.com:yourPassword
2952 | ```
2953 |
2954 | **Notes**:
2955 | - Replace `yourAccount@gmail.com` and `yourPassword` with your details. If you have 2FA/MFA enabled on your Gmail then you'll need to create and use an app password here.
2956 | - Always check `host smtp.gmail.com` for the most up-to-date domains to list.
2957 |
2958 | 1. This file has your Gmail password so we need to lock it down:
2959 |
2960 | ``` bash
2961 | sudo chown root:Debian-exim /etc/exim4/passwd.client
2962 | sudo chmod 640 /etc/exim4/passwd.client
2963 | ```
2964 |
2965 | 1. The next step is to create an TLS certificate that exim4 will use to make the encrypted connection to `smtp.gmail.com`. You can use your own certificate, like one from [Let's Encrypt](https://letsencrypt.org/), or create one yourself using openssl. We will use a script that comes with exim4 that calls openssl to make our certificate:
2966 |
2967 | ``` bash
2968 | sudo bash /usr/share/doc/exim4-base/examples/exim-gencert
2969 | ```
2970 |
2971 | > ```
2972 | > [*] Creating a self signed SSL certificate for Exim!
2973 | > This may be sufficient to establish encrypted connections but for
2974 | > secure identification you need to buy a real certificate!
2975 | >
2976 | > Please enter the hostname of your MTA at the Common Name (CN) prompt!
2977 | >
2978 | > Generating a RSA private key
2979 | > ..........................................+++++
2980 | > ................................................+++++
2981 | > writing new private key to '/etc/exim4/exim.key'
2982 | > -----
2983 | > You are about to be asked to enter information that will be incorporated
2984 | > into your certificate request.
2985 | > What you are about to enter is what is called a Distinguished Name or a DN.
2986 | > There are quite a few fields but you can leave some blank
2987 | > For some fields there will be a default value,
2988 | > If you enter '.', the field will be left blank.
2989 | > -----
2990 | > Country Code (2 letters) [US]:[redacted]
2991 | > State or Province Name (full name) []:[redacted]
2992 | > Locality Name (eg, city) []:[redacted]
2993 | > Organization Name (eg, company; recommended) []:[redacted]
2994 | > Organizational Unit Name (eg, section) []:[redacted]
2995 | > Server name (eg. ssl.domain.tld; required!!!) []:localhost
2996 | > Email Address []:[redacted]
2997 | > [*] Done generating self signed certificates for exim!
2998 | > Refer to the documentation and example configuration files
2999 | > over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
3000 | > support in your mail transfer agent.
3001 | > ```
3002 |
3003 | 1. Instruct exim4 to use TLS and port 465, and [fix exim4's long lines issue](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/29), by creating the file `/etc/exim4/exim4.conf.localmacros` and adding:
3004 |
3005 | ```
3006 | MAIN_TLS_ENABLE = 1
3007 | REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
3008 | TLS_ON_CONNECT_PORTS = 465
3009 | REQUIRE_PROTOCOL = smtps
3010 | IGNORE_SMTP_LINE_LENGTH_LIMIT = true
3011 | ```
3012 |
3013 | [For the lazy](#editing-configuration-files---for-the-lazy):
3014 |
3015 | ``` bash
3016 | cat << EOF | sudo tee /etc/exim4/exim4.conf.localmacros
3017 | MAIN_TLS_ENABLE = 1
3018 | REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
3019 | TLS_ON_CONNECT_PORTS = 465
3020 | REQUIRE_PROTOCOL = smtps
3021 | IGNORE_SMTP_LINE_LENGTH_LIMIT = true
3022 | EOF
3023 | ```
3024 |
3025 | 1. Make a backup of exim4's configuration file `/etc/exim4/exim4.conf.template`:
3026 |
3027 | ``` bash
3028 | sudo cp --preserve /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template.$(date +"%Y%m%d%H%M%S")
3029 | ```
3030 |
3031 | 1. Add the below to `/etc/exim4/exim4.conf.template` after the `.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ... .endif` block:
3032 |
3033 | ```
3034 | .ifdef REQUIRE_PROTOCOL
3035 | protocol = REQUIRE_PROTOCOL
3036 | .endif
3037 | ```
3038 |
3039 | > ```
3040 | > .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
3041 | > hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
3042 | > .endif
3043 | > .ifdef REQUIRE_PROTOCOL
3044 | > protocol = REQUIRE_PROTOCOL
3045 | > .endif
3046 | > .ifdef REMOTE_SMTP_HEADERS_REWRITE
3047 | > headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
3048 | > .endif
3049 | > ```
3050 |
3051 | [For the lazy](#editing-configuration-files---for-the-lazy):
3052 |
3053 | ``` bash
3054 | sudo sed -i -r -e '/^.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS$/I { :a; n; /^.endif$/!ba; a\# added by '"$(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")"'\n.ifdef REQUIRE_PROTOCOL\n protocol = REQUIRE_PROTOCOL\n.endif\n# end add' -e '}' /etc/exim4/exim4.conf.template
3055 | ```
3056 |
3057 | 1. Add the below to `/etc/exim4/exim4.conf.template` inside the `.ifdef MAIN_TLS_ENABLE` block:
3058 |
3059 | ```
3060 | .ifdef TLS_ON_CONNECT_PORTS
3061 | tls_on_connect_ports = TLS_ON_CONNECT_PORTS
3062 | .endif
3063 | ```
3064 |
3065 | > ```
3066 | > .ifdef MAIN_TLS_ENABLE
3067 | > .ifdef TLS_ON_CONNECT_PORTS
3068 | > tls_on_connect_ports = TLS_ON_CONNECT_PORTS
3069 | > .endif
3070 | > ```
3071 |
3072 | [For the lazy](#editing-configuration-files---for-the-lazy):
3073 |
3074 | ``` bash
3075 | sudo sed -i -r -e "/\.ifdef MAIN_TLS_ENABLE/ a # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")\n.ifdef TLS_ON_CONNECT_PORTS\n tls_on_connect_ports = TLS_ON_CONNECT_PORTS\n.endif\n# end add" /etc/exim4/exim4.conf.template
3076 | ```
3077 |
3078 | 1. Update exim4 configuration to use TLS and then restart the service:
3079 |
3080 | ``` bash
3081 | sudo update-exim4.conf
3082 | sudo service exim4 restart
3083 | ```
3084 |
3085 | 1. If you're using [UFW](#ufw-uncomplicated-firewall), you'll need to allow outbound traffic on 465. To do this we'll create a custom UFW application profile and then enable it. Create the file `/etc/ufw/applications.d/smtptls`, add this, then run `ufw allow out smtptls comment 'open TLS port 465 for use with SMPT to send e-mails'`:
3086 |
3087 | ```
3088 | [SMTPTLS]
3089 | title=SMTP through TLS
3090 | description=This opens up the TLS port 465 for use with SMPT to send e-mails.
3091 | ports=465/tcp
3092 | ```
3093 |
3094 | [For the lazy](#editing-configuration-files---for-the-lazy):
3095 |
3096 | ``` bash
3097 | cat << EOF | sudo tee /etc/ufw/applications.d/smtptls
3098 | [SMTPTLS]
3099 | title=SMTP through TLS
3100 | description=This opens up the TLS port 465 for use with SMPT to send e-mails.
3101 | ports=465/tcp
3102 | EOF
3103 |
3104 | sudo ufw allow out smtptls comment 'open TLS port 465 for use with SMPT to send e-mails'
3105 | ```
3106 |
3107 | 1. Add some mail aliases so we can send e-mails to local accounts by adding lines like this to `/etc/aliases`:
3108 |
3109 | ```
3110 | user1: user1@gmail.com
3111 | user2: user2@gmail.com
3112 | ...
3113 | ```
3114 |
3115 | You'll need to add all the local accounts that exist on your server.
3116 |
3117 | 1. Test your setup:
3118 |
3119 | ```
3120 | echo "test" | mail -s "Test" email@gmail.com
3121 | sudo tail /var/log/exim4/mainlog
3122 | ```
3123 |
3124 | ([Table of Contents](#table-of-contents))
3125 |
3126 | ### Separate iptables Log File
3127 |
3128 | #### Why
3129 |
3130 | There will come a time when you'll need to look through your iptables logs. Having all the iptables logs go to their own file will make it a lot easier to find what you're looking for.
3131 |
3132 | #### References
3133 |
3134 | - https://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/
3135 | - https://gist.github.com/netson/c45b2dc4e835761fbccc
3136 | - https://www.rsyslog.com/doc/v8-stable/configuration/actions.html
3137 |
3138 | #### Steps
3139 |
3140 | 1. The first step is by telling your firewall to prefix all log entries with some unique string. If you're using iptables directly, you would do something like `--log-prefix "[IPTABLES] "` for all the rules. We took care of this in step [step 4 of installing psad](#psad_step4).
3141 |
3142 | 1. After you've added a prefix to the firewall logs, we need to tell rsyslog to send those lines to its own file. Do this by creating the file `/etc/rsyslog.d/10-iptables.conf` and adding this:
3143 |
3144 | ```
3145 | :msg, contains, "[IPTABLES] " /var/log/iptables.log
3146 | & stop
3147 | ```
3148 |
3149 | If you're expecting a lot if data being logged by your firewall, prefix the filename with a `-` ["to omit syncing the file after every logging"](https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#regular-file). For example:
3150 |
3151 | ```
3152 | :msg, contains, "[IPTABLES] " -/var/log/iptables.log
3153 | & stop
3154 | ```
3155 |
3156 | **Note**: Remember to change the prefix to whatever you use.
3157 |
3158 | [For the lazy](#editing-configuration-files---for-the-lazy):
3159 |
3160 | ``` bash
3161 | cat << EOF | sudo tee /etc/rsyslog.d/10-iptables.conf
3162 | :msg, contains, "[IPTABLES] " /var/log/iptables.log
3163 | & stop
3164 | EOF
3165 | ```
3166 |
3167 | 1. Since we're logging firewall messages to a different file, we need to tell psad where the new file is. Edit `/etc/psad/psad.conf` and set `IPT_SYSLOG_FILE` to the path of the log file. For example:
3168 |
3169 | ```
3170 | IPT_SYSLOG_FILE /var/log/iptables.log;
3171 | ```
3172 |
3173 | **Note**: Remember to change the prefix to whatever you use.
3174 |
3175 | [For the lazy](#editing-configuration-files---for-the-lazy):
3176 |
3177 | ``` bash
3178 | sudo sed -i -r -e "s/^(IPT_SYSLOG_FILE\s+)([^;]+)(;)$/# \1\2\3 # commented by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")\n\1\/var\/log\/iptables.log\3 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")/" /etc/psad/psad.conf
3179 | ```
3180 |
3181 | 1. Restart psad and rsyslog to activate the changes (or reboot):
3182 |
3183 | ``` bash
3184 | sudo psad -R
3185 | sudo psad --sig-update
3186 | sudo psad -H
3187 | sudo service rsyslog restart
3188 | ```
3189 |
3190 | 1. The last thing we have to do is tell logrotate to rotate the new log file so it doesn't get to big and fill up our disk. Create the file `/etc/logrotate.d/iptables` and add this:
3191 |
3192 | ```
3193 | /var/log/iptables.log
3194 | {
3195 | rotate 7
3196 | daily
3197 | missingok
3198 | notifempty
3199 | delaycompress
3200 | compress
3201 | postrotate
3202 | invoke-rc.d rsyslog rotate > /dev/null
3203 | endscript
3204 | }
3205 | ```
3206 |
3207 | [For the lazy](#editing-configuration-files---for-the-lazy):
3208 |
3209 | ``` bash
3210 | cat << EOF | sudo tee /etc/logrotate.d/iptables
3211 | /var/log/iptables.log
3212 | {
3213 | rotate 7
3214 | daily
3215 | missingok
3216 | notifempty
3217 | delaycompress
3218 | compress
3219 | postrotate
3220 | invoke-rc.d rsyslog rotate > /dev/null
3221 | endscript
3222 | }
3223 | EOF
3224 | ```
3225 |
3226 | ([Table of Contents](#table-of-contents))
3227 |
3228 | ## Left Over
3229 |
3230 | ### Contacting Me
3231 |
3232 | For any questions, comments, concerns, feedback, or issues, submit a [new issue](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/new).
3233 |
3234 | ([Table of Contents](#table-of-contents))
3235 |
3236 | ### Helpful Links
3237 |
3238 | - [https://github.com/pratiktri/server_init_harden](https://github.com/pratiktri/server_init_harden) - Bash script that automates few of the tasks that you need to perform on a new Linux server to give it basic amount security.
3239 |
3240 | ([Table of Contents](#table-of-contents))
3241 |
3242 | ### Acknowledgments
3243 |
3244 | - https://www.reddit.com/r/linuxquestions/comments/aopzl7/new_guide_created_by_me_how_to_secure_a_linux/
3245 | - https://www.reddit.com/r/selfhosted/comments/aoxd4l/new_guide_created_by_me_how_to_secure_a_linux/
3246 | - https://news.ycombinator.com/item?id=19177435#19178618
3247 | - https://www.reddit.com/r/linuxadmin/comments/arx7xo/howtosecurealinuxserver_an_evolving_howto_guide/
3248 | - https://www.reddit.com/r/linux/comments/arx7st/howtosecurealinuxserver_an_evolving_howto_guide/
3249 |
3250 | ([Table of Contents](#table-of-contents))
3251 |
3252 | ### License and Copyright
3253 |
3254 | [](http://creativecommons.org/licenses/by-sa/4.0/)
3255 |
3256 | [How To Secure A Linux Server](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) by [Anchal Nigam](https://github.com/imthenachoman) is licensed under [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0).
3257 |
3258 | See [LICENSE](LICENSE.txt) for the full license.
3259 |
3260 | ([Table of Contents](#table-of-contents))
3261 |
--------------------------------------------------------------------------------