How to configure ubuntuSecurity

Source: Internet
Author: User
Tags openssl rsa openssl x509 account security password protection ssh account

I. Basics: 1. root and sudo

Root Account: by default, the root account is locked in ubuntu. To enable this function, set the password for the root account for sudo passwd.

If you need to lock and disable: sudo passwd-l root

Groups with root permissions: admin,

Sudo-authorized configuration/etc/sudoers

2. add and delete users:

Sudo adduser name

Sudo deluser name

By default, deleting a user in ubuntu retains the home directory.

If you create a user that cannot log on to the shell, you need to add the user to the nologin group.
Sudo adduser nbame-g nologin

By default, the home directory of the newly created user is drwxr-xr-x, so this will allow anyone to read and execute the following files. If this causes your security problems, you can:

Sudo chmod 0750/home/name (you do not need to add-R, which may cause unexpected problems, because the directory has been restricted, naturally they cannot access the files in the directory, so there is no need to restrict the files under it)

To change the default behavior, you can modify/etc/adduser. conf:

Di r_home = 0750

If you want to disable an account:

Sudo passwd-l username

Enable an account:

Sudo passwd-u username

3. Passwoed Policy Password Policy

We can set the minimum password length, expiration time limit, expiration reminder, and so on.

3.1 set the minimum password length vi/etc/pam. d/common-password, for example, the minimum length of 8 characters

Password [success = 1 default = ignore] pam_unix.so obscure sha512 min = 8

To view the password configuration: sudo chage-l username

Last password change: August 1, 2014-E
Password expires: Has the never Password expired?
Password inactive: is the never Password invalid?
Account expires: Has the never Account expired?
Minimum number of days between password change: 0 Minimum time for password modification-m
Maximum number of days between password change: 99999 Maximum length of time the password must be modified, that is, the password expiration time-M
Number of days of warning before password expires: 7 password expiration time-W

Set password settings:

Sudo chage-E 01/31/2014,-m 5-M 90-I 30-W 14 username (here-I indicates how many days after the password expires, the account is forbidden)

Note: you can log on after the password expires, but the account will be frozen after the password expires.

4. SSH account security considerations

We can disable an account, but if this account has obtained a certificate through SSH, it can still log on to the host through ssh.

In this case, move/home/username/. ssh/authorized_keys and rename it.

Or we can change the vim/etc/ssh/sshd_config file more thoroughly.

AllowGroup sshlogin

Then add:

Sudo addgroup sshlogin

Sudo adduser username sshlogin

Sudo service sshd restart

Ii. Terminal security:

Disable ctrl + alt + del restart:

Vim/etc/init/control-alt-delete.conf
Note it: # exec shutdown-r now "Control-Alt-Delete pressed"

Iii. FireWall

Linux kernel provides iptables for network packet filtering. That is, the network firewall.

We can useUfwThis tool simplifies Configuration

3.1 ufw

Ufw is not enabled in ubuntu by default ,:

Sudo ufw enable

Disable sudo ufw disable

View sudo ufw status [verbose]

Operation instance:

Sudo ufw allow 22 // you can enable port 22 through the port and service name defined in/etc/services, for example, sudo ufw allow ssh.

Sudo ufw insert 1 allow 80 // Add port 80

Sudo ufw deny 22 shut down port 22

Sudo ufw delete deny disable port 22

Set the remote ip address for accessing the Host: Allow access to port 22 through ssh from host 192.168.0.24 and its subnet/24 to all ip addresses

Sudo ufw allow proto tcp from 192.168.0.2/24 to any port 22


View the Rules to be enabled when a service is enabled: sudo ufw -- dry-run allow http

3.2ufw Application Integration

Generally, the application comes with ufw rules and installs them in/etc/ufw/application. d/

View the list of installed rules sudo ufw app list

Rules for enabling touch apps: sudo ufw allow Samba or sudo ufw allow from 192.168.0.0/24 any app Samba

View rule details: sudo ufw app info Samba

Iv. Basic concepts of IP Masquerading IP camouflage 1.NAT( Network AddressTranslation)

In a computer Network, Network Address Translation (NAT) is also called Network mask or IP masquerading ), it is a technology that overwrites the source IP address or destination IP address when IP packets pass through the router or firewall. This technology is widely used in private networks with multiple hosts but only one public IP address accessing the Internet. According to the specification, a router cannot work like this, but it is indeed a convenient and widely used technology. Of course, NAT also makes the communication between hosts complex, resulting in reduced communication efficiency.

NAT (Network Address Translation) is a WAN technology used to convert private (retained) addresses into valid IP addresses, it is widely used in various types of Internet access methods and networks. The reason is simple. NAT not only perfectly solves the problem of insufficient lP addresses, but also effectively avoids attacks from outside the network and hides and protects computers inside the network.

NAT (Network Address Translation) is the process of converting the IP Address in the IP Address data packet header to another IP Address. In practical applications, NAT is mainly used to enable private networks to access public networks. By using a small number of public IP addresses to represent a large number of private IP addresses, this will help reduce the depletion of available IP address space.

In the middle of the 1990 s, NAT emerged as a solution to address IPv4 address shortage to avoid difficulties in retaining IP addresses. Network Address Translation is widely used in many countries. Therefore, NAT becomes a standard feature of the routers connected to the home and small office networks, because for them, the cost of applying for redundant IP addresses is higher than the benefits.

In a typical configuration, a local network uses a specified subnet of a vpc (such as 192.168.x.x or 10. x) and a router connected to the network. A vro occupies a VPC address (such as 192.168.0.1) in the network address space. It also uses a public IP address ("overload" NAT) provided by one or more Internet service providers) connect to the Internet. When the information is transmitted from the local network to the Internet, the source address is immediately converted from the private address to the public address. The router tracks the basic data of each connection, mainly the destination address and port. When a reply is returned to the vro, it determines the host to which the data is forwarded to the Intranet through the connection tracking data recorded in the output phase. If multiple public addresses are available, when the data packet is returned, the port number of a TCP or UDP client can be used to break down data packets. For a system on the Internet, the router itself acts as the source and destination address of the communication. According to a popular opinion on the network, the wide adoption of IPv6 will make NAT no longer necessary, because NAT is only a method to deal with IPv4 address space insufficiency.

A private IP address is the IP address of an internal network or host, and a public IP address is the unique IP address on the Internet.
RFC 1918 reserves three IP address blocks for the private network, as shown below:
Class A: 10.0.0.0 ~ 10.20.255.255
Class B: 172.16.0.0 ~ 172.31.255.255
Class C: 192.168.0.0 ~ 192.168.255.255
The addresses in the preceding three ranges are not allocated on the Internet. Therefore, you do not have to apply to the ISP or registration center for free use within the company or enterprise.

Setup requirements
According to the previous introduction of NAT (Network Address Translation), we know that it can be used as a host for bandwidth sharing. Of course, it can also manage a group of Client computers behind the NAT host. Therefore, NAT has at least two functions:
① Broadband sharing: this is the biggest feature of the NAT host.
② Security Protection: When a PC in NAT is connected to the Internet, the IP address displayed by the NAT host is the public IP address of the NAT host. Therefore, the PC on the Client is of course safe to a certain extent! The source Client PC cannot be detected when portscan is performed.

Although NAT can be implemented by using some proxy servers, most of the time it is implemented on a vro considering the computing cost and network performance.

There are three NAT implementation methods: Static translation Static Nat, Dynamic translation Dynamic Nat, and port multiplexing OverLoad.

However, NAT also has its own limitations. I will not introduce it any more. The above sections are taken from Wikipedia and Baidu encyclopedia.

2. IP camouflage configuration in ufw

First, you must enable packet forwarding:

Vim/etc/default/ufw:

DEFAULT_FORWARD_POLICY = "ACCEPT"

Then vim/etc/ufw/sysctl. conf enables ipv4 and ipv6 support:

Net/ipv4/ip_forward = 1

For ipv6:

Net/ipv6/conf/default/forwarding = 1

# Nat Table rules * nat: postrouting accept [0: 0] # Forward traffic from eth1 through eth0.-a postrouting-s 192.168.0.0/24-o eth0-j MASQUERADE # don't delete the 'commit 'line or these nat table rules won't be processedCOMMIT last, disable and reactivate ufw to modify sudo ufw disable & sudo ufw enable

3. iptables disguise:

In addition to ufw camouflage, we can also use iptables camouflage.

Similar to ufw, the first step to activate IPv4 package delivery is to edit/etc/sysctl. conf and comment out the following lines: net. ipv4.ip _ forward = 1 if you want to activate IPv6 delivery, comment out: net. ipv6.conf. default. forwarding = 1 next, run the sysctl command to activate the new settings in the configuration file. Sudo sysctl-p can now complete IP Spoofing Based on an iptables rule, depending on your network, its configuration may be slightly different. Sudo iptables-t nat-a postrouting-s 192.168.0.0/16-o ppp0-j MASQUERADE the command above assumes that your personal address space is 192.168.0.0/16, your network connection device is ppp0. This syntax is invalid, as shown below:-t nat -- the rule will enter the nat table-a postrouting -- the rule will be appended (-) to POSTROUTING chain-s 192.168.0.0/16 -- this rule will be applied to the traffic originating from the specified address space-o ppp0 -- this rule applies to the traffic planned to pass through the specified network device. -J MASQUERADE-the traffic that matches this rule will jump to the MASQUERADE (camouflage) target as described above. Each processing link in the filter table has a default ACCEPT policy. However, if you add a firewall for the gateway device, you may set these policies to DROP or REJECT. In this case, the data stream you disguise must be allowed to pass the FORWARD chain so that the preceding rules can be correctly executed. Sudo iptables-a forward-s 192.168.0.0/16-o ppp0-j ACCEPT sudo iptables-a forward-d 192.168.0.0/16-m state \ -- state ESTABLISHED, the command above RELATED-I ppp0-j ACCEPT will allow all connections from your local network to the Internet, and all traffic RELATED to these connections will be returned to the computer that generates them. If you want to disguise the application IP address after the restart, you may need to edit/etc/rc. local and add any of the commands used above. For example, add the first command without Filtering: iptables-t nat-a postrouting-s 192.168.0.0/16-o ppp0-j MASQUERADE
4. logs:

Firewall logs are important for identifying attacks, debugging firewall rules, and discovering abnormal activities on your network. You must include the log generation rules in the firewall and the log rules must be used before any final rules (used to think of the fate of byte packages, such as ACCEPT, DROP, or REJECT ).

If you are using ufw, you can enter the following content on the terminal to enable Logon:

Sudo ufw logging on

To log out of ufw, replace on with off in the preceding command.

If you want to use ufw instead of iptables, enter:

Sudo iptables-a input-m state -- state NEW-p tcp -- dport 80 \
-J LOG -- log-prefix "NEW_HTTP_CONN :"

5. Other tools:

There are many tools to help you create a complete firewall without having to learn more about iptables. Graphic operation interfaces include:

Fwbuilder is very powerful, and administrators who have used commercial firewall software such as Checkpoint FireWall-1 will be very familiar with it.
If you prefer to use command line tools with plain text configuration files
Shorewall is a very powerful solution that helps you configure advanced firewall. It is suitable for any type of network.

V. Others: 1. apparmor

See:

Apparmor: https://help.ubuntu.com/13.10/serverguide/apparmor.html

2. Self-issuing certificate:

Concept

Before getting started, we will introduce several SSL-related concepts:
CA (Certification Authority, Certification Center)
SSL (Secure Sockets Layer, Secure Sockets Layer Protocol)
Transport Layer Security (Transport Layer Security)
CSR (Certificate Signing Request, Certificate Signature Request)

Process

The server that needs to enable SSL generates the CSR by itself, and then enables the authoritative CA to sign the certificate or create a CA certificate and then sign the CSR. However, such a certificate will not be recognized by the browser.

Generate a Certificate Signing Request (CSR ):

Whether you get a certificate from a CA or generate a self-signed certificate, the first step is to generate the key.

If the digital certificate is used by service processes (such as Apache, Postfix, Dovecot, etc.), a private key without password protection is applicable.. Without Password protection, the private key can enable the service without manual intervention. This is usually the first choice for starting the service.

Run the following command at the terminal prompt to Generate keys for the Certificate Signing Request (CSR:

Openssl genrsa-des3-out server. key 2048 // Password required (openssl genrsa-out server. key 2048 // password not required)
Next, generate a security key without a password:
openssl rsa -in server.key -out server.key.insecuremv server.key server.key.securemv server.key.insecure server.key
The above server. key. secure requires a password, and server. key does not require a password.

To create a CSR, run the following command at a terminal prompt:

openssl req -new -key server.key -out server.csr

To create a self-signed certificate, run the following command at a terminal prompt:

Openssl x509-req-days 365-in server. csr-signkey server. key-out server. crt

The above command prompts you to enter passphrase. Once you enter the correct passphrase, your certificate will be created and saved in the server. crt file.

Install Certificate
You can run the following command at a terminal prompt to install the key file server. key and Certificate file server. crt, or the certificate file issued by your CA.
Sudo cp server. crt/etc/ssl/certs
Sudo cp server. key/etc/ssl/private

Now you can configure the application to use certs and key. For example, apache https and ipvcet IMAPS.

For example, for apache:

#a2enmod ssl
Sudo openssl req-x509-newkey rsa: 2048-keyout apache. pem-out apache. pem-nodes-days 9999

Or generate a CA file using the following methods:

Sudo openssl req-x509-nodes-days 365-newkey rsa: 2048-keyout/etc/apache2/ssl/apache. key-out/etc/apache2/ssl/apache. crt

Create a default ssl configuration site: vim/etc/apache2/sites-available/default-ssl
<VirtualHost *:443> SSLEngine On 

SSLCertificateFile/etc/apache2/ssl/apache. crt

SSLCertificateKeyFile/etc/apache2/ssl/apache. key

// SSLCertificateFile/etc/apache2/ssl/apache. pem //, ...... Add a port

Open the ports. conf file in

<IfModule mod_ssl.c>

Listen 443 // Add an SSL listening port

</IfModule>

Add a custom web home directory

Alias/postfixadmin "/usr/share/postfixadmin /"

<Directory "/usr/share/postfixadmin/">

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Orderallow, deny

Allowfrom all

</Directory>

. Force http to https

Open the/etc/apache2/sites-available/default file

In the original Alias ...... Add

Redirect permanent/postfixadmin https://www.xxx.com/postfixadmin // force Redirect

Alias/postfixadmin "/usr/share/postfixadmin /"

<Directory "/usr/share/postfixadmin/">

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Orderallow, deny

Allowfrom all

</Directory>

Restart Apache.

Sudo service apache2 restart

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.