It is rare for someone to take security measures immediately after installing a new server, yet the world we live in makes it necessary. So why do so many people put it off until the very end? I have done the same, and it usually comes down to wanting to get on with the interesting work right away. I hope this article shows you what securing a server involves, so that when the attacks start you can sit back and watch your "bastion" hold.
This article was written for Ubuntu 12.04.2 LTS, but the same can be done on any other Linux distribution.
Where do I start?
If the server already has a public IP address, you want to lock down root access immediately. In fact, you want to lock down SSH access entirely and make sure that only you can get in. Start by adding a new user and putting it in the admin group (which is preconfigured in /etc/sudoers with sudo privileges).
$ sudo addgroup admin
Adding group 'admin' (GID 1001)
Done.
$ sudo adduser spenserj
Adding user `spenserj' ...
Adding new group `spenserj' (1002) ...
Adding new user `spenserj' (1001) with group `spenserj' ...
Creating home directory `/home/spenserj' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for spenserj
Enter the new value, or press ENTER for the default
        Full Name []: Spenser Jones
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
$ sudo usermod -a -G admin spenserj
You will also want to generate an SSH key pair on your own machine, install the public key on the server (logged in as the new user) and disable password authentication on the server altogether.
$ mkdir ~/.ssh
$ echo "ssh-rsa [your public key]" > ~/.ssh/authorized_keys
/etc/ssh/sshd_config
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
AllowUsers spenserj
Restart SSH for the changes to take effect, then open a new session to make sure you can still log in. If you can't, you still have your original session open to fix the configuration.
$ sudo service ssh restart
ssh stop/waiting
ssh start/running, process 1599
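As an added check before that restart (example script, not part of the original article), the following POSIX shell function audits an sshd_config file for the four settings above. sshd uses the first uncommented occurrence of a keyword, so a hardened line appended at the end of the file is silently ignored if an earlier line already sets that keyword; the audit reads the file the same way. The function name, the default path and the constructed sample config are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original article: audit sshd_config for the
# four directives the article sets. Run it against the real file after the
# edit, or against any copy, before restarting sshd.

# audit_sshd_config [FILE]
# Returns 0 when PermitRootLogin, PermitEmptyPasswords and
# PasswordAuthentication are all "no" and AllowUsers names at least one
# user; otherwise prints each failing directive and returns 1.
audit_sshd_config() {
    file="${1:-/etc/ssh/sshd_config}"
    rc=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no PasswordAuthentication=no; do
        key="${pair%%=*}"
        want="${pair#*=}"
        # sshd keywords are case-insensitive and the FIRST match wins, so
        # stop at the first uncommented line that sets this keyword
        got=$(awk -v k="$key" '
            /^[[:space:]]*#/ { next }
            tolower($1) == tolower(k) { print $2; exit }
        ' "$file")
        if [ "$got" = "$want" ]; then
            echo "ok:   $key $got"
        else
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    # AllowUsers must name at least one account, otherwise any account
    # with a valid key can still log in
    users=$(awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "allowusers" { $1 = ""; print; exit }
    ' "$file")
    if [ -n "$(echo "$users" | tr -d ' \t')" ]; then
        echo "ok:   AllowUsers$users"
    else
        echo "FAIL: AllowUsers is unset (any account could log in)"
        rc=1
    fi
    return $rc
}

# Constructed sample config (not a real server's file) so the script runs
# stand-alone; on a server, pass /etc/ssh/sshd_config instead.
sample=$(mktemp)
printf '%s\n' \
    '# Port 22 left at its default' \
    'PermitRootLogin no' \
    'PermitEmptyPasswords no' \
    'PasswordAuthentication no' \
    'AllowUsers spenserj' > "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

On the server, `audit_sshd_config /etc/ssh/sshd_config` prints one line per directive; a non-zero exit means at least one of the settings is not in effect, which is worth knowing before you restart sshd and open a new session to test.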
Update Server
Now that you are the only user who can reach the server, you can breathe a little easier. There are almost certainly updates waiting for your server, so now is the time to apply them.
$ sudo apt-get update
...
Hit http://ca.archive.ubuntu.com precise-updates/universe Translation-en_CA
Hit http://ca.archive.ubuntu.com precise-updates/universe Translation-en
Hit http://ca.archive.ubuntu.com precise-backports/main Translation-en
Hit http://ca.archive.ubuntu.com precise-backports/multiverse Translation-en
Hit http://ca.archive.ubuntu.com precise-backports/restricted Translation-en
Hit http://ca.archive.ubuntu.com precise-backports/universe Translation-en
Fetched 3,285 kB in 5s (573 kB/s)
Reading package lists... Done
$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
  linux-headers-generic-lts-quantal linux-image-generic-lts-quantal
The following packages will be upgraded:
  accountsservice apport apt apt-transport-https apt-utils aptitude bash
  ...
73 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Need to get 61.0 MB of archives.
After this operation, 151 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
...
Setting up libisc83 (1:9.8.1.dfsg.P1-4ubuntu0.6) ...
Setting up libdns81 (1:9.8.1.dfsg.P1-4ubuntu0.6) ...
Setting up libisccc80 (1:9.8.1.dfsg.P1-4ubuntu0.6) ...
Setting up libisccfg82 (1:9.8.1.dfsg.P1-4ubuntu0.6) ...
Setting up libbind9-80 (1:9.8.1.dfsg.P1-4ubuntu0.6) ...
Setting up liblwres80 (1:9.8.1.dfsg.P1-4ubuntu0.6) ...
Setting up bind9-host (1:9.8.1.dfsg.P1-4ubuntu0.6) ...
Setting up dnsutils (1:9.8.1.dfsg.P1-4ubuntu0.6) ...
Setting up iptables (1.4.12-1ubuntu5) ...
...
Install a firewall
Which firewall should you use? Let's keep it simple and configure one now. You can always add another exception later, and a few minutes of extra work at this point won't set you back. iptables comes preinstalled on Ubuntu, so all that is left is to write some rules.
$ sudo mkdir /etc/iptables
/etc/iptables/rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Accept any related or established connections
-I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow all traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow outbound DHCP request - Some hosts (Linode) automatically assign the primary IP
#-A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# Outbound DNS lookups
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT

# Outbound PING requests
-A OUTPUT -p icmp -j ACCEPT

# Outbound Network Time Protocol (NTP) request
-A OUTPUT -p udp --dport 123 --sport 123 -j ACCEPT

# SSH
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

# Outbound HTTP
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

COMMIT
Apply the ruleset with iptables-apply, which rolls the rules back automatically if you do not confirm within its timeout. If you lose your connection, fix your rules and try again before continuing.
$ sudo iptables-apply /etc/iptables/rules
Applying new ruleset... done.
Can you establish NEW connections to the machine? (y/N) y
... then my job is done. See you next time.
Create the file /etc/network/if-pre-up.d/iptables with the following content, so that your rules are loaded automatically every time the server boots.
/etc/network/if-pre-up.d/iptables
#!/bin/sh
iptables-restore < /etc/iptables/rules
Now make the file executable and run it once to confirm that the rules load cleanly.
$ sudo chmod +x /etc/network/if-pre-up.d/iptables
$ sudo /etc/network/if-pre-up.d/iptables
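iptables-apply protects you at apply time, but it is cheap to also lint the rules file before you reach that step, and the same check can run on the boot-time script's input. The following is an added example, not the article's code and not part of iptables: a shell function that flags the two mistakes that lock you out of a remote machine (an INPUT policy of DROP with no ACCEPT for the SSH port, and no RELATED,ESTABLISHED rule on INPUT, without which replies to your own session are dropped), plus a couple of iptables-restore syntax slips. The function name and the sample file are assumptions; the sample is a copy of the ruleset above.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check for an
# iptables-restore rules file, to run before iptables-apply.

# check_iptables_rules FILE
# Returns 0 if the file looks safe to apply over SSH, 1 otherwise
# (each reason is printed).
check_iptables_rules() {
    file="$1"
    rc=0
    grep -q '^\*filter' "$file" || { echo "FAIL: no *filter table header"; rc=1; }
    grep -q '^COMMIT'   "$file" || { echo "FAIL: missing COMMIT"; rc=1; }

    # every rule that appends or inserts into INPUT (comments never match)
    input_rules=$(grep -E '^-[AI] INPUT' "$file" || true)

    if grep -q '^:INPUT DROP' "$file"; then
        if echo "$input_rules" | grep -E -- '--dport (22|ssh)( |$)' | grep -q -- '-j ACCEPT'; then
            echo "ok:   INPUT defaults to DROP and SSH is explicitly accepted"
        else
            echo "FAIL: INPUT policy is DROP but no ACCEPT rule for the SSH port"
            rc=1
        fi
    else
        echo "WARN: INPUT policy is not DROP; every unlisted port stays reachable"
    fi

    if echo "$input_rules" | grep -q 'RELATED,ESTABLISHED'; then
        echo "ok:   established connections are accepted on INPUT"
    else
        echo "FAIL: no RELATED,ESTABLISHED accept on INPUT (your own session would stall)"
        rc=1
    fi

    # iptables-restore rejects a rule that names a chain the file never declares
    for chain in $(grep -E '^-[AI] ' "$file" | awk '{ print $2 }' | sort -u); do
        grep -q "^:$chain " "$file" || { echo "FAIL: rule targets undeclared chain $chain"; rc=1; }
    done
    return $rc
}

# Constructed sample: the ruleset from the article, written to a temp file
# so the check runs stand-alone. On a server, pass /etc/iptables/rules.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp --dport 123 --sport 123 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
EOF
check_iptables_rules "$sample"
rm -f "$sample"
```

The check only reads the file; it never touches the running firewall, so it is safe to put in front of `iptables-apply` in a deploy script (`check_iptables_rules /etc/iptables/rules && sudo iptables-apply /etc/iptables/rules`). If you later move SSH to another port, the `--dport (22|ssh)` pattern has to follow it.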
Use Fail2ban to handle potential attackers
When it comes to security, Fail2ban is one of my favourite tools. It watches your log files and temporarily bans clients that abuse your resources, whether by brute-forcing your SSH logins or by launching DoS attacks against your web server.
Install Fail2ban
$ sudo apt-get install fail2ban
[sudo] password for sjones:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  gamin libgamin0 python-central python-gamin python-support whois
Suggested packages:
  mailx
The following NEW packages will be installed:
  fail2ban gamin libgamin0 python-central python-gamin python-support whois
0 upgraded, 7 newly installed, 0 to remove and 2 not upgraded.
Need to get 254 kB of archives.
After this operation, 1,381 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
...
Fail2ban ships a default configuration in /etc/fail2ban/jail.conf, but local changes belong in /etc/fail2ban/jail.local, so start by copying the file there.
$ sudo cp /etc/fail2ban/jail.{conf,local}
Configuration
Change the ignoreip line to include your own IP address, and set bantime, how long a malicious user stays banned (10 minutes by default). You will also want to set destemail; I usually enter my own email address and add fail2ban@blocklist.de. BlockList.de is a service that tracks attacker IP addresses and reports them automatically.
/etc/fail2ban/jail.local
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost,fail2ban@blocklist.de
There are a few more settings worth reviewing, but the defaults are already quite sensible, so you can skim through them until you reach the Actions section.
Actions
Actions are how Fail2ban responds to malicious behaviour. By default it only bans the offender with iptables, but we also want to be notified by email, and there is a preconfigured action, action_mwl, for exactly that purpose.
/etc/fail2ban/jail.local
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s
Jails
For Fail2ban to do anything, it has to know what to watch. That is what the jails are for, and the configuration file already contains a number of them, pre-written but disabled. Since SSH is the only service exposed on this server so far, we enable just the ssh and ssh-ddos jails; you will want to enable or add jails for every other publicly reachable service you install on this server later.
/etc/fail2ban/jail.local
[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[ssh-ddos]

enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
Make the changes take effect
With Fail2ban configured, restart it and confirm that its chains have been added to iptables.
$ sudo service fail2ban restart
 * Restarting authentication failure monitor fail2ban
   ...done.
$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
...

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
At any time you can run sudo iptables -L to list your rules, including every IP address currently banned. Here Fail2ban has already dealt with two malicious users.
Banned IPs
DROP       all  --  204.50.33.22         anywhere
DROP       all  --  195.128.126.114      anywhere
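To see what the ssh jail is actually deciding from the ignoreip and maxretry settings above, here is an added example (not the article's code and not Fail2ban's own implementation): a shell function that applies the maxretry threshold and an ignore list to auth.log lines and prints the addresses that would be banned. It is a deliberate simplification: real Fail2ban additionally requires the failures to fall within findtime and matches ignoreip against CIDR ranges, both of which are left out here. The function name is an assumption, and the log lines are constructed and use RFC 5737 documentation addresses rather than real hosts.

```shell
#!/bin/sh
# Added example, not from the original article or from Fail2ban: a minimal
# re-implementation of the sshd jail's counting logic, so you can check
# which IPs in a log would trip a maxretry threshold before enabling the
# jail. The findtime window and CIDR ignoreip matching are left out.

# would_ban MAXRETRY [IGNOREIP ...]  < auth.log
# Prints, one per line and sorted, the source IPs with at least MAXRETRY
# "Failed password" lines, skipping any IP given as IGNOREIP (exact match).
would_ban() {
    maxretry="$1"; shift
    ignore="$*"
    awk -v max="$maxretry" -v ignore="$ignore" '
        BEGIN { n = split(ignore, tmp, " "); for (i = 1; i <= n; i++) skip[tmp[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from"
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort
}

# Constructed sample log (documentation addresses, not real hosts): one
# host hammering root and "admin", one legitimate user who typed a wrong
# password once, and a loopback source that should be ignored.
sample_log() {
    cat <<'EOF'
Jun  5 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  5 10:00:03 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  5 10:00:05 bastion sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun  5 10:00:09 bastion sshd[1210]: Failed password for spenserj from 198.51.100.7 port 40022 ssh2
Jun  5 10:00:11 bastion sshd[1212]: Accepted publickey for spenserj from 198.51.100.7 port 40024 ssh2
Jun  5 10:00:20 bastion sshd[1220]: Failed password for root from 127.0.0.1 port 33001 ssh2
Jun  5 10:00:21 bastion sshd[1220]: Failed password for root from 127.0.0.1 port 33001 ssh2
Jun  5 10:00:22 bastion sshd[1220]: Failed password for root from 127.0.0.1 port 33001 ssh2
EOF
}

# With maxretry = 3 and 127.0.0.1 ignored, only 203.0.113.5 is reported.
sample_log | would_ban 3 127.0.0.1
```

On the server itself, `sudo sh -c 'would_ban 6 YOUR_IP < /var/log/auth.log'` (with the function defined in that shell) shows which addresses the ssh jail, at maxretry = 6, would have banned had findtime been unlimited; a long list is a good reminder of why the PasswordAuthentication change earlier matters, since with password logins disabled these attempts fail before a password is ever checked.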
Stay up to date
You now have a locked-down server ready for use, but this is not the end of your security journey. Keep it updated (and always test updates in a non-production environment first), close any ports you don't need, check your logs regularly, and get to know your servers inside and out.
Discussion on HackerNews
My post received some good comments on Hacker News. If you are interested in other viewpoints and further hardening, I suggest reading them. This article is meant as a beginner's guide to server security, and reaching the end of it does not mean your server is impregnable. Use it to lock down a new server quickly, then add measures suited to your particular situation. Topics worth looking into include IPv6 security, changing your SSH port (security through obscurity), SELinux and grsecurity, and tracking changes to the system; and if your server has been exposed or online for a long time, do a thorough audit. A server has hundreds of entry points, and every application you install adds more potential vulnerabilities. With the right tools in place, though, you can stop worrying about it and get some sleep.