Your SlideShare is downloading. ×
Linuxserver harden
Linuxserver harden
Linuxserver harden
Linuxserver harden
Linuxserver harden
Linuxserver harden
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Linuxserver harden

535

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
535
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
36
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. ##root account hidden: /usr/sbin/adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M <accountname> Start a firewall The first thing you want to do is to setup the linux iptables firewall. The setup will be a bash script with iptables rules, and you will have to run it as a deamon service (you could write rules line by line in your terminal and then save them as a ruleset, as described here, but the service method below is easier to maintain imo). First, use your favorite console text editor to create a new file in your /etc/rc.d/init.d/ service directory (CentOS should have vim already installed), you can name it firewall. #Create a service owned by root sudo vim /etc/rc.d/init.d/firewall As a bash script service, it will need some mandatory header attributes: shell type, runlevels, priorities and a description. #! /bin/bash #chkconfig: 2345 95 20 #description: iptables rules to prevent communication on unused ports. #Reset all rules (F) and chains (X), necessary if have already defined iptables rules iptables -t filter -F iptables -t filter -X #Start by blocking iptables -t filter iptables -t filter iptables -t filter all traffic, this will allow secured, fine grained filtering -P INPUT DROP -P FORWARD DROP -P OUTPUT DROP #Keep established connexions iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #Allow loopback iptables -t filter iptables -t filter #HTTP iptables -t filter iptables -t filter #HTTPS iptables -t filter iptables -t filter #FTP iptables -t filter iptables -t filter #SMTP iptables -t filter iptables -t filter #POP3 iptables -t filter iptables -t filter #IMAP iptables -t filter iptables -t filter #ICMP iptables -t filter iptables -t filter -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 80 -j ACCEPT -A OUTPUT -p tcp --dport 443 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT -A OUTPUT -p tcp --dport 20:21 -j ACCEPT -A INPUT -p tcp --dport 20:21 -j ACCEPT -A INPUT -p tcp --dport 25 -j ACCEPT -A OUTPUT -p tcp --dport 25 -j ACCEPT -A INPUT -p tcp --dport 110 -j ACCEPT -A OUTPUT -p tcp --dport 110 -j ACCEPT -A INPUT -p tcp --dport 143 -j ACCEPT -A OUTPUT -p tcp --dport 143 -j ACCEPT -A INPUT -p icmp -j ACCEPT -A OUTPUT -p icmp -j ACCEPT
  • 2. #SSH iptables -t filter iptables -t filter #SSH NEW PORT iptables -t filter iptables -t filter #IRC iptables -t filter iptables -t filter iptables -t filter iptables -t filter #IRC SERVER iptables -t filter iptables -t filter iptables -t filter iptables -t filter #DNS iptables -t filter iptables -t filter iptables -t filter iptables -t filter #NTP iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT -A OUTPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport 60125 -j ACCEPT -A OUTPUT -p tcp --dport 60125 -j ACCEPT -A -A -A -A OUTPUT -p tcp --dport 6667 -j ACCEPT OUTPUT -p tcp --dport 6697 -j ACCEPT INPUT -p tcp --dport 6667 -j ACCEPT INPUT -p tcp --dport 6697 -j ACCEPT -A -A -A -A OUTPUT -p tcp --dport 9784 -j ACCEPT INPUT -p tcp --dport 9784 -j ACCEPT OUTPUT -p tcp --dport 7000 -j ACCEPT INPUT -p tcp --dport 7000 -j ACCEPT -A -A -A -A OUTPUT -p tcp --dport 53 -j ACCEPT OUTPUT -p udp --dport 53 -j ACCEPT INPUT -p tcp --dport 53 -j ACCEPT INPUT -p udp --dport 53 -j ACCEPT -A OUTPUT -p udp --dport 123 -j ACCEPT I made a text file with the lines above available to download here. Save the script file under /etc/rc.d/init.d, make it executable and apply it, so you will be able to launch it as a service. chmod +x /etc/rc.d/init.d/firewall bash /etc/rc.d/init.d/firewall Now, if you used a debian like distro, you would have issue the update-rc.d command to add your script to the list of services starting at boot time, instead on CentOs, RHEL or Fedora, you have to use chkconfig. chkconfig --add /etc/rc.d/init.d/firewall chkconfig /etc/rc.d/init.d/firewall on Just to be sure your firewill service is registered and will start at boot, use the ntsysv command to open a graphical interface and "firewall" should appear in the list of services starting at boot: ntsysv Harden your SSH access In a few simple steps, you will be able to diminish risks of unauthorized ssh accesses Your ssh settings can be found in /etc/ssh/sshd_config, this is where you will have to modify the configuration settings below. sudo vim /etc/ssh/sshd_config 1. Change your ssh port By default, ssh run on port 22. You will need to change this default value to an arbitrary port number (it must be between 1 and 65535, but prefer the unassigned 49152–65535 range, for more information about port numbers, read the wiki). Search for the port setting, and remove the sharp to uncomment it and thus remove default :
  • 3. # # # # The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value. #This will require ssh connexions to use the 60125 port Port 60125 By changing this setting, you can make a hacker drop an attack by making him think your ssh is disable or at least force him to scan your ports in order to find ssh access. 2. Disable root login If the hacker still gets to connect to your ssh port, he will need authentication. Obvisously he will try the root account which grant maximum priviledge on the server, so you want to disable direct root ssh access. # Authentication: #LoginGraceTime 2m #Find this line in your /etc/ssh/sshd_config and change its value to "no" PermitRootLogin no Once it's done, you will need another account to connect, so add a new password protected user sudo adduser bob sudo passwd bob Changing password for user bob. New password: "enter bob password here" To push this a little further, you want bob to be the only user allowed to connect via ssh, so add the AllowUsers setting : #Multiple users can be specified, separated by spaces. AllowUsers bob 3. Apply new settings Now restart your ssh service so the system will take changes into account. Before restarting ssh, double check and make sure you didn't make any modifications which could prevent you to reconnect ssh after you logout. sudo /etc/rc.d/init.d/sshd restart If you read the first part of this tutorial (setting iptables), you might want to change iptables as follow : #SSH (replace 22 with your custom port number, for instance 60125) iptables -t filter -A INPUT -p tcp --dport 60125 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --dport 60125 -j ACCEPT Check your new settings, first you will try to connect to the new ssh port you configured, using the -p argument ssh -p 60125 bob@server_address 4. Test against unauthorized access If you have successfully harden ssh, you won't be able to connect as root (or any other user than bob for that matter) : ssh -p 60125 root@server_address
  • 4. root@server_address's password: Permission denied, please try again. Likewise, any connexion on a port other than the one defined in /etc/ssh/sshd_config will be timed out #Connect ssh on default port ssh bob@server_address ssh: connect to host port 22: Connection timed out Prevent bruteforce and DoS Bruteforce and Denial Of Service are both automated attacks that you can prevent by using tools specially made for this purpose. Fail2ban Fail2ban is designed to ban users which fail to login correctly on your server, its main purpose is to prevent malicious users to bruteforce your password. To install fail2ban under CentOS 6, you need to add the EPEL repository : rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-67.noarc... rpm –import https://fedoraproject.org/static/0608B895.txt yum install fail2ban Then edit the configuration file as you wish : vim /etc/fail2ban/jail.conf [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 # "bantime" is the number of seconds that a host is banned. bantime = 240 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 240 # "maxretry" is the number of failures before a host get banned. maxretry = 10 Don't forget to start fail2ban service : service fail2ban start DDOS Deflate DDos Deflate automatically detects and blocks denial of service attempts. Switch to a folder where you will download the DDoS Deflate script: wget http://www.inetbase.com/scripts/ddos/install.sh chmod 0700 install.sh chmod 0700 install.sh ./install.sh A ddos.conf configuration file has been created under /usr/local/ddos/ddos.conf, have a look inside, it's commented well. A software cron job is installed and
  • 5. will regurlarly to the DoS checking. ls -l /etc/cron.d -rw-r--r-- 1 root root 74 Jun 20 00:15 ddos.cron # /usr/local/ddos/ddos.sh --help DDoS-Deflate version 0.6 Copyright (C) 2005, Zaf <zaf@vsnl.com> Usage: ddos.sh [OPTIONS] [N] N : number of tcp/udp connections (default 150) OPTIONS: -h | --help: Show this help screen -c | --cron: Create cron job to run this script regularly (default 1 mins) -k | --kill: Block the offending ip making more than N connections
  • 6. will regurlarly to the DoS checking. ls -l /etc/cron.d -rw-r--r-- 1 root root 74 Jun 20 00:15 ddos.cron # /usr/local/ddos/ddos.sh --help DDoS-Deflate version 0.6 Copyright (C) 2005, Zaf <zaf@vsnl.com> Usage: ddos.sh [OPTIONS] [N] N : number of tcp/udp connections (default 150) OPTIONS: -h | --help: Show this help screen -c | --cron: Create cron job to run this script regularly (default 1 mins) -k | --kill: Block the offending ip making more than N connections

×