Essential Security

for Linux Servers

UBUNTU BOX

Thanks for sharing!

My personal and contact details:

Juan Carlos Perez Pardo

perezpardojc@gmail.com

I am living in Dublin

Linkedin: www.linkedin.com/in/perezpardojc

Twitter: https://twitter.com/perezpardojc

And like always if you want to copy, paste, and collaborate feel free to do it!

2

My lab:

Laptop

Dell Precision M4800 / Intel(R) Core(TM) i7-4900MQ CPU @ 2.80GHz / 16 GB

Dell Latitude E6400 / Intel(R) Core(TM) 2 Duo P8400 CPU / 8GB

Microsoft Windows 8.1 / Ubuntu 14.04 LTS

Network

TP-LINK’s AV500 Nano Powerline Adapter TL-PA4010KIT

Technicolor TC7200 Modem / Router

Internet connection:

UPC Fibre Power 120Mb

3

Security for Ubuntu Box

Machine:

UbuntuServerSecurity

Security for Ubuntu Box

Security for Ubuntu Box

Security for Ubuntu Box

Steps:

Change root password for something “particular”

#passwd

Update and upgrade the machine

# apt-get update

# apt-get upgrade

Fail2ban is a daemon that monitors login attempts to a server and

blocks suspicious activity as it occurs. It’s well configured out of the

box

#apt-get install fail2ban

Security for Ubuntu Box

If you didn’t set up a user in the install process like we saw in the

other tuto, its time to do it! Now, let’s set up your login user. Feel free

to name the user something besides ‘deploy’

#useradd deploy

#mkdir /home/deploy

#mkdir /home/deploy/.ssh

#chmod 700 /home/deploy/.ssh

#passwd deploy

Create Public key

# ssh-keygen

# cd ~/.ssh

First nothing… after …

$ ls

authorized_keys2 id_dsa known_hosts

config id_dsa.pub

Create Public key

Require public key authentication

Lets go with some cert work ….

#vim /home/deploy/.ssh/authorized_keys

#chmod 400 /home/deploy/.ssh/authorized_keys

#chown deploy:deploy /home/deploy –R

SSH Lock Down - no passwords

vi /etc/ssh/sshd_config

## PermitRootLogin no

## PasswordAuthentication no

AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)

Restart SSH - make sure you can connect before disconnecting current shell!

#restart sshd or #service ssh restart

Require public key authentication

Require public key authentication

Set a complex password - you can either store it somewhere secure

or make it something memorable to the team. This is the password

you’ll use to sudo.

#passwd deploy

# sudo

visudo

## lhl ALL=(ALL:ALL) NOPASSWD: ALL

root ALL=(ALL) ALL

deploy ALL=(ALL) ALL

Require public key authentication

Lock Down SSH

Configure ssh to prevent password & root logins and lock ssh to

particular IPs:

#vim /etc/ssh/sshd_config

Tip change colour colorscheme Koehler

Add these lines to the file, inserting the ip address from where you

will be connecting:

PermitRootLogin no

PasswordAuthentication no

AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)

Lock Down SSH

Now restart ssh:

service ssh restart

Set Up A Firewall

No secure server is complete without a firewall.

ufw allow from {your-ip} to any port 22

ufw allow 80

ufw allow 443

ufw enable

Set Up A Firewall

Enable Automatic Security Updates

apt-get update/upgrade

it’s important that they all stay up to date. Automated security

updates scare me somewhat, but not as badly as unpatched

security holes.

apt-get install unattended-upgrades

vim /etc/apt/apt.conf.d/10periodic

APT::Periodic::Update-Package-Lists "1";

APT::Periodic::Download-Upgradeable-Packages "1";

APT::Periodic::AutocleanInterval "7";

APT::Periodic::Unattended-Upgrade "1";

Enable Automatic Security Updates

Enable Automatic Security Updates

vim /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {

"Ubuntu lucid-security";

// "Ubuntu lucid-updates";

};

Enable Automatic Security Updates

Install Logwatch

To Keep An Eye On Things, Logwatch is a daemon that monitors

your logs and emails them to you.

apt-get install logwatch

vim /etc/cron.daily/00logwatch

We must to add this line

/usr/sbin/logwatch --output mail --mailto test@gmail.com --detail high

To be continue …

two-factor authentication for SSH login on Linux

App on android and that…

Log in firewall… WebApp firewall, … DDoS…

Security in Databases (MySql and PostgreSQL)

TLS on services

Block bruteforce attacks

AppArmor

DataEncryption and group policy's over it

Some SEM tools, and test with some Pen Test tacticals.

Prevent IPSpoofing

Check for Rootkits

Auditing

…… Never is enough… the bad guys have all the time for them …

Links and References

https://www.google.com

https://www.virtualbox.org/

http://www.ubuntu.com/

http://www.linux.org/

http://www.linuxfoundation.org/

https://www.kernel.org/

https://www.gnu.org/

http://creativecommons.org/

25

Thanks for sharing!

My personal and contact details:

Juan Carlos Perez Pardo

perezpardojc@gmail.com

I am living in Dublin

Linkedin: www.linkedin.com/in/perezpardojc

Twitter: https://twitter.com/perezpardojc

And like always if you want to copy, paste, and collaborate feel free to do it!

26

Thanks! 27