Essential security for linux servers
Essential Security
for Linux Servers
UBUNTU BOX
Thanks for sharing!
My personal and contact details:
Juan Carlos Perez Pardo
I am living in Dublin
Linkedin: www.linkedin.com/in/perezpardojc
Twitter: https://twitter.com/perezpardojc
And like always if you want to copy, paste, and collaborate feel free to do it!
My lab:
Laptop
Dell Precision M4800 / Intel(R) Core(TM) i7-4900MQ CPU @ 2.80GHz / 16 GB
Dell Latitude E6400 / Intel(R) Core(TM) 2 Duo P8400 CPU / 8GB
Microsoft Windows 8.1 / Ubuntu 14.04 LTS
Network
TP-LINK’s AV500 Nano Powerline Adapter TL-PA4010KIT
Technicolor TC7200 Modem / Router
Internet connection:
UPC Fibre Power 120Mb
Security for Ubuntu Box
Machine:
UbuntuServerSecurity
Security for Ubuntu Box
Steps:
Change the root password to something “particular”
# passwd
Update and upgrade the machine
# apt-get update
# apt-get upgrade
Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. It’s well configured out of the box.
# apt-get install fail2ban
Security for Ubuntu Box
If you didn’t set up a user during the install process, as we saw in the other tutorial, it’s time to do it! Now, let’s set up your login user. Feel free to name the user something besides ‘deploy’.
# useradd deploy
# mkdir /home/deploy
# mkdir /home/deploy/.ssh
# chmod 700 /home/deploy/.ssh
# passwd deploy
Create Public key
# ssh-keygen
# cd ~/.ssh
At first the directory is empty; after generating the key:
$ ls
authorized_keys2  id_dsa      known_hosts
config            id_dsa.pub
Require public key authentication
Let’s go with some cert work…
# vim /home/deploy/.ssh/authorized_keys
# chmod 400 /home/deploy/.ssh/authorized_keys
# chown -R deploy:deploy /home/deploy
SSH Lock Down - no passwords
# vi /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
Restart SSH - make sure you can connect before disconnecting current shell!
# restart sshd or # service ssh restart
Require public key authentication
Set a complex password - you can either store it somewhere secure
or make it something memorable to the team. This is the password
you’ll use to sudo.
# passwd deploy
# sudo
visudo
## lhl ALL=(ALL:ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
deploy ALL=(ALL) ALL
Lock Down SSH
Configure ssh to prevent password and root logins, and lock ssh to particular IPs:
# vim /etc/ssh/sshd_config
Tip: to change the vim colour scheme, use :colorscheme koehler
Add these lines to the file, inserting the IP address from which you will be connecting:
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
Lock Down SSH
Now restart ssh:
service ssh restart
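A check for the sshd_config lock-down described in "Require public key authentication" and "Lock Down SSH", added here as an example and not part of the original slides. The function names sshd_effective and sshd_audit, the sample files and the address 203.0.113.10 are constructed for illustration; the script assumes a single config file with no Include directives.

```sh
#!/bin/sh
# sshd_effective FILE KEYWORD: print the value sshd would use. Keywords are
# case-insensitive, "#" starts a comment, and the first occurrence wins.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/         { next }   # comment or blank line
        tolower($1) == "match" { exit }   # conditional block: global part ends
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# sshd_audit FILE: report deviations from the lock-down; returns 1 on any.
sshd_audit() {
    cfg=$1; rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_effective "$cfg" "$key" | tr 'A-Z' 'a-z')
        case $val in
            no) ;;
            '') echo "FAIL: $key is not set (commented lines do not count)"; rc=1 ;;
            *)  echo "FAIL: $key is '$val', expected 'no'"; rc=1 ;;
        esac
    done
    users=$(sshd_effective "$cfg" AllowUsers)
    case $users in
        '')    echo "FAIL: AllowUsers is not set"; rc=1 ;;
        *'('*) echo "FAIL: AllowUsers still holds a placeholder: $users"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: in the first, the directives are commented out and the
# AllowUsers placeholder was never filled in; the second is the intended result.
demo=$(mktemp -d)
printf '%s\n' '## PermitRootLogin no' '## PasswordAuthentication no' \
    'AllowUsers deploy@(your-ip)' > "$demo/commented"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'AllowUsers deploy@203.0.113.10' > "$demo/locked"
for f in commented locked; do
    echo "== $f"
    if sshd_audit "$demo/$f"; then echo "OK"; fi
done
rm -rf "$demo"
```

On a live host, `sshd -t` validates the file and `sshd -T` prints the effective configuration, so both can be run before the restart while the current session is still open.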
Set Up A Firewall
No secure server is complete without a firewall.
ufw allow from {your-ip} to any port 22
ufw allow 80
ufw allow 443
ufw enable
Enable Automatic Security Updates
apt-get update/upgrade: it’s important that they all stay up to date. Automated security updates scare me somewhat, but not as badly as unpatched security holes.
# apt-get install unattended-upgrades
# vim /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Enable Automatic Security Updates
# vim /etc/apt/apt.conf.d/50unattended-upgrades
// The codename in each origin must match the installed release
// ("lucid" is Ubuntu 10.04).
Unattended-Upgrade::Allowed-Origins {
    "Ubuntu lucid-security";
//  "Ubuntu lucid-updates";
};
Install Logwatch
To keep an eye on things: Logwatch is a daemon that monitors your logs and emails them to you.
# apt-get install logwatch
# vim /etc/cron.daily/00logwatch
We must add this line:
/usr/sbin/logwatch --output mail --mailto [email protected] --detail high
To be continued…
Two-factor authentication for SSH login on Linux
App on Android and that…
Log in firewall… WebApp firewall… DDoS…
Security in databases (MySQL and PostgreSQL)
TLS on services
Block brute-force attacks
AppArmor
Data encryption and group policies over it
Some SEM tools, and tests with some pen test tactics
Prevent IP spoofing
Check for rootkits
Auditing
… It is never enough… the bad guys have all the time on their side…
Thanks!