SlideShare a Scribd company logo

Essential security for linux servers

Download as PPTX, PDF
Juan Carlos Pérez Pardo
Juan Carlos Pérez Pardo

Essential Security for Linux Servers

Technology
1 of 27
Essential Security for Linux Servers UBUNTU BOX
Thanks for sharing!  My personal and contact details:  Juan Carlos Perez Pardo  perezpardojc@gmail.com  I am living in Dublin  Linkedin: www.linkedin.com/in/perezpardojc  Twitter: https://twitter.com/perezpardojc  And like always if you want to copy, paste, and collaborate feel free to do it! 2
My lab:  Laptop  Dell Precision M4800 / Intel(R) Core(TM) i7-4900MQ CPU @ 2.80GHz / 16 GB  Dell Latitude E6400 / Intel(R) Core(TM) 2 Duo P8400 CPU / 8GB  Microsoft Windows 8.1 / Ubuntu 14.04 LTS  Network  TP-LINK’s AV500 Nano Powerline Adapter TL-PA4010KIT  Technicolor TC7200 Modem / Router  Internet connection:  UPC Fibre Power 120Mb 3
Security for Ubuntu Box  Machine:  UbuntuServerSecurity
Security for Ubuntu Box
Security for Ubuntu Box
Security for Ubuntu Box  Steps:  Change root password for something “particular”  #passwd  Update and upgrade the machine  # apt-get update  # apt-get upgrade  Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. It’s well configured out of the box  #apt-get install fail2ban
Security for Ubuntu Box  If you didn’t set up a user in the install process like we saw in the other tuto, its time to do it! Now, let’s set up your login user. Feel free to name the user something besides ‘deploy’  #useradd deploy  #mkdir /home/deploy  #mkdir /home/deploy/.ssh  #chmod 700 /home/deploy/.ssh  #passwd deploy
Create Public key  # ssh-keygen  # cd ~/.ssh  First nothing… after …  $ ls  authorized_keys2 id_dsa known_hosts  config id_dsa.pub
Create Public key
Require public key authentication  Lets go with some cert work ….  #vim /home/deploy/.ssh/authorized_keys  #chmod 400 /home/deploy/.ssh/authorized_keys  #chown deploy:deploy /home/deploy –R  SSH Lock Down - no passwords  vi /etc/ssh/sshd_config  ## PermitRootLogin no  ## PasswordAuthentication no  AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)  Restart SSH - make sure you can connect before disconnecting current shell!  #restart sshd or #service ssh restart
Require public key authentication
Require public key authentication  Set a complex password - you can either store it somewhere secure or make it something memorable to the team. This is the password you’ll use to sudo.  #passwd deploy  # sudo  visudo  ## lhl ALL=(ALL:ALL) NOPASSWD: ALL  root ALL=(ALL) ALL  deploy ALL=(ALL) ALL
Require public key authentication
Lock Down SSH  Configure ssh to prevent password & root logins and lock ssh to particular IPs:  #vim /etc/ssh/sshd_config  Tip change colour colorscheme Koehler  Add these lines to the file, inserting the ip address from where you will be connecting:  PermitRootLogin no  PasswordAuthentication no  AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
Lock Down SSH  Now restart ssh:  service ssh restart
Set Up A Firewall  No secure server is complete without a firewall.  ufw allow from {your-ip} to any port 22  ufw allow 80  ufw allow 443  ufw enable
Set Up A Firewall
Enable Automatic Security Updates  apt-get update/upgrade  it’s important that they all stay up to date. Automated security updates scare me somewhat, but not as badly as unpatched security holes.  apt-get install unattended-upgrades  vim /etc/apt/apt.conf.d/10periodic  APT::Periodic::Update-Package-Lists "1";  APT::Periodic::Download-Upgradeable-Packages "1";  APT::Periodic::AutocleanInterval "7";  APT::Periodic::Unattended-Upgrade "1";
Enable Automatic Security Updates
Enable Automatic Security Updates  vim /etc/apt/apt.conf.d/50unattended-upgrades  Unattended-Upgrade::Allowed-Origins {  "Ubuntu lucid-security";  // "Ubuntu lucid-updates";  };
Enable Automatic Security Updates
Install Logwatch  To Keep An Eye On Things, Logwatch is a daemon that monitors your logs and emails them to you.  apt-get install logwatch  vim /etc/cron.daily/00logwatch  We must to add this line  /usr/sbin/logwatch --output mail --mailto test@gmail.com --detail high
To be continue …  two-factor authentication for SSH login on Linux  App on android and that…  Log in firewall… WebApp firewall, … DDoS…  Security in Databases (MySql and PostgreSQL)  TLS on services  Block bruteforce attacks  AppArmor  DataEncryption and group policy's over it  Some SEM tools, and test with some Pen Test tacticals.  Prevent IPSpoofing  Check for Rootkits  Auditing  …… Never is enough… the bad guys have all the time for them …
Links and References  https://www.google.com  https://www.virtualbox.org/  http://www.ubuntu.com/  http://www.linux.org/  http://www.linuxfoundation.org/  https://www.kernel.org/  https://www.gnu.org/  http://creativecommons.org/ 25
Thanks for sharing!  My personal and contact details:  Juan Carlos Perez Pardo  perezpardojc@gmail.com  I am living in Dublin  Linkedin: www.linkedin.com/in/perezpardojc  Twitter: https://twitter.com/perezpardojc  And like always if you want to copy, paste, and collaborate feel free to do it! 26
Thanks! 27

Recommended

Linux security-fosster-09
Linux security-fosster-09Linux security-fosster-09
Linux security-fosster-09
Dr. Jayaraj Poroor
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
Rizky Ariestiyansyah
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
Michael Boman
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
Geo Marian
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network Security
Amr Ali
 
Linux Security
Linux SecurityLinux Security
Linux Security
nayakslideshare
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
pankaj009
 

Recommended

Linux security-fosster-09
Linux security-fosster-09Linux security-fosster-09
Linux security-fosster-09
Dr. Jayaraj Poroor
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
Rizky Ariestiyansyah
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
Michael Boman
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
Geo Marian
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network Security
Amr Ali
 
Linux Security
Linux SecurityLinux Security
Linux Security
nayakslideshare
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
pankaj009
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
Shawn Wells
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
Gregory Hanis
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live Forever
Gregory Hanis
 
The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1
Eliel Prado
 
Security features of fedora
Security features of fedoraSecurity features of fedora
Security features of fedora
Badrul Alam
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
Dmytro Minochkin
 
Linux Vulnerabilities
Linux VulnerabilitiesLinux Vulnerabilities
Linux Vulnerabilities
SecurityTube.Net
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday Users
PaulWay
 
Security Onion Conference - 2016
Security Onion Conference - 2016Security Onion Conference - 2016
Security Onion Conference - 2016
DefensiveDepth
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short description
Jose Moruno Cadima
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
UltraUploader
 
Inside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing FirewallInside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing Firewall
amiable_indian
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
Ashley Deuble
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linux
mariuszantal
 
kali linux.pptx
kali linux.pptxkali linux.pptx
kali linux.pptx
AdityaKumar1548
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutes
bsidesaugusta
 
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric VanderburgEthical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Eric Vanderburg
 
windows.pptx
windows.pptxwindows.pptx
windows.pptx
AdityaKumar1548
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
أحلام انصارى
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
n|u - The Open Security Community
 
Server hardening
Server hardeningServer hardening
Server hardening
Teja Babu
 

More Related Content

What's hot

The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1
Eliel Prado
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
UltraUploader
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
Ashley Deuble
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutes
bsidesaugusta
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
أحلام انصارى
 

What's hot (20)

2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live Forever
 
The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1
 
Security features of fedora
Security features of fedoraSecurity features of fedora
Security features of fedora
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
 
Linux Vulnerabilities
Linux VulnerabilitiesLinux Vulnerabilities
Linux Vulnerabilities
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday Users
 
Security Onion Conference - 2016
Security Onion Conference - 2016Security Onion Conference - 2016
Security Onion Conference - 2016
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short description
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
 
Inside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing FirewallInside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing Firewall
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linux
 
kali linux.pptx
kali linux.pptxkali linux.pptx
kali linux.pptx
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutes
 
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric VanderburgEthical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
 
windows.pptx
windows.pptxwindows.pptx
windows.pptx
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
 

Similar to Essential security for linux servers

SSH for pen-testers
SSH for pen-testersSSH for pen-testers
SSH for pen-testers
E D Williams
 
Installaling Puppet Master and Agent
Installaling Puppet Master and AgentInstallaling Puppet Master and Agent
Installaling Puppet Master and Agent
Ranjit Avasarala
 
ERP System Implementation Kubernetes Cluster with Sticky Sessions
ERP System Implementation Kubernetes Cluster with Sticky Sessions ERP System Implementation Kubernetes Cluster with Sticky Sessions
ERP System Implementation Kubernetes Cluster with Sticky Sessions
Chanaka Lasantha
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
EC-Council
 

Similar to Essential security for linux servers (20)

Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
Server hardening
Server hardeningServer hardening
Server hardening
 
SSH for pen-testers
SSH for pen-testersSSH for pen-testers
SSH for pen-testers
 
Dev ops
Dev opsDev ops
Dev ops
 
Installaling Puppet Master and Agent
Installaling Puppet Master and AgentInstallaling Puppet Master and Agent
Installaling Puppet Master and Agent
 
Alta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/LinuxAlta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/Linux
 
Don't Get Hacked on Hostile WiFi
Don't Get Hacked on Hostile WiFiDon't Get Hacked on Hostile WiFi
Don't Get Hacked on Hostile WiFi
 
Linux Hardening - Made Easy
Linux Hardening - Made EasyLinux Hardening - Made Easy
Linux Hardening - Made Easy
 
Presentación1
Presentación1Presentación1
Presentación1
 
Ubuntu Practice and Configuration
Ubuntu Practice and ConfigurationUbuntu Practice and Configuration
Ubuntu Practice and Configuration
 
ERP System Implementation Kubernetes Cluster with Sticky Sessions
ERP System Implementation Kubernetes Cluster with Sticky Sessions ERP System Implementation Kubernetes Cluster with Sticky Sessions
ERP System Implementation Kubernetes Cluster with Sticky Sessions
 
Compcon 2016 Workshop
Compcon 2016 WorkshopCompcon 2016 Workshop
Compcon 2016 Workshop
 
Linux
LinuxLinux
Linux
 
ONOS SDN Controller - Clustering Tests & Experiments
ONOS SDN Controller - Clustering Tests & Experiments ONOS SDN Controller - Clustering Tests & Experiments
ONOS SDN Controller - Clustering Tests & Experiments
 
Edup wifi for raspberry zero
Edup wifi for raspberry zeroEdup wifi for raspberry zero
Edup wifi for raspberry zero
 
Cent os 5 ssh
Cent os 5 sshCent os 5 ssh
Cent os 5 ssh
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commands
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 

More from Juan Carlos Pérez Pardo

More from Juan Carlos Pérez Pardo (9)

Building java projects with maven
Building java projects with mavenBuilding java projects with maven
Building java projects with maven
 
Installing netbeans
Installing netbeansInstalling netbeans
Installing netbeans
 
Installing maven on windows
Installing maven on windowsInstalling maven on windows
Installing maven on windows
 
Installing and deploying ubuntu server box
Installing and deploying ubuntu server boxInstalling and deploying ubuntu server box
Installing and deploying ubuntu server box
 
Auditoria en aplicaciones web
Auditoria en aplicaciones webAuditoria en aplicaciones web
Auditoria en aplicaciones web
 
Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF) Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF)
 
Como funciona el servicio blackberry ppt
Como funciona el servicio blackberry pptComo funciona el servicio blackberry ppt
Como funciona el servicio blackberry ppt
 
Aplicaciones en red ppt
Aplicaciones en red pptAplicaciones en red ppt
Aplicaciones en red ppt
 
data warehouse
data warehousedata warehouse
data warehouse
 

Recently uploaded

ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
VictorSzoltysek
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
WSO2
 

Recently uploaded (20)

ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 

Essential security for linux servers

  • 1. Essential Security for Linux Servers UBUNTU BOX
  • 2. Thanks for sharing!  My personal and contact details:  Juan Carlos Perez Pardo  perezpardojc@gmail.com  I am living in Dublin  Linkedin: www.linkedin.com/in/perezpardojc  Twitter: https://twitter.com/perezpardojc  And like always if you want to copy, paste, and collaborate feel free to do it! 2
  • 3. My lab:  Laptop  Dell Precision M4800 / Intel(R) Core(TM) i7-4900MQ CPU @ 2.80GHz / 16 GB  Dell Latitude E6400 / Intel(R) Core(TM) 2 Duo P8400 CPU / 8GB  Microsoft Windows 8.1 / Ubuntu 14.04 LTS  Network  TP-LINK’s AV500 Nano Powerline Adapter TL-PA4010KIT  Technicolor TC7200 Modem / Router  Internet connection:  UPC Fibre Power 120Mb 3
  • 4. Security for Ubuntu Box  Machine:  UbuntuServerSecurity
  • 7. Security for Ubuntu Box  Steps:  Change root password for something “particular”  #passwd  Update and upgrade the machine  # apt-get update  # apt-get upgrade  Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. It’s well configured out of the box  #apt-get install fail2ban
  • 8. Security for Ubuntu Box  If you didn’t set up a user in the install process like we saw in the other tuto, its time to do it! Now, let’s set up your login user. Feel free to name the user something besides ‘deploy’  #useradd deploy  #mkdir /home/deploy  #mkdir /home/deploy/.ssh  #chmod 700 /home/deploy/.ssh  #passwd deploy
  • 9. Create Public key  # ssh-keygen  # cd ~/.ssh  First nothing… after …  $ ls  authorized_keys2 id_dsa known_hosts  config id_dsa.pub
  • 11. Require public key authentication  Lets go with some cert work ….  #vim /home/deploy/.ssh/authorized_keys  #chmod 400 /home/deploy/.ssh/authorized_keys  #chown deploy:deploy /home/deploy –R  SSH Lock Down - no passwords  vi /etc/ssh/sshd_config  ## PermitRootLogin no  ## PasswordAuthentication no  AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)  Restart SSH - make sure you can connect before disconnecting current shell!  #restart sshd or #service ssh restart
  • 12. Require public key authentication
  • 13. Require public key authentication  Set a complex password - you can either store it somewhere secure or make it something memorable to the team. This is the password you’ll use to sudo.  #passwd deploy  # sudo  visudo  ## lhl ALL=(ALL:ALL) NOPASSWD: ALL  root ALL=(ALL) ALL  deploy ALL=(ALL) ALL
  • 14. Require public key authentication
  • 15. Lock Down SSH  Configure ssh to prevent password & root logins and lock ssh to particular IPs:  #vim /etc/ssh/sshd_config  Tip change colour colorscheme Koehler  Add these lines to the file, inserting the ip address from where you will be connecting:  PermitRootLogin no  PasswordAuthentication no  AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
  • 16. Lock Down SSH  Now restart ssh:  service ssh restart
  • 17. Set Up A Firewall  No secure server is complete without a firewall.  ufw allow from {your-ip} to any port 22  ufw allow 80  ufw allow 443  ufw enable
  • 18. Set Up A Firewall
  • 19. Enable Automatic Security Updates  apt-get update/upgrade  it’s important that they all stay up to date. Automated security updates scare me somewhat, but not as badly as unpatched security holes.  apt-get install unattended-upgrades  vim /etc/apt/apt.conf.d/10periodic  APT::Periodic::Update-Package-Lists "1";  APT::Periodic::Download-Upgradeable-Packages "1";  APT::Periodic::AutocleanInterval "7";  APT::Periodic::Unattended-Upgrade "1";
  • 21. Enable Automatic Security Updates  vim /etc/apt/apt.conf.d/50unattended-upgrades  Unattended-Upgrade::Allowed-Origins {  "Ubuntu lucid-security";  // "Ubuntu lucid-updates";  };
  • 23. Install Logwatch  To Keep An Eye On Things, Logwatch is a daemon that monitors your logs and emails them to you.  apt-get install logwatch  vim /etc/cron.daily/00logwatch  We must to add this line  /usr/sbin/logwatch --output mail --mailto test@gmail.com --detail high
  • 24. To be continue …  two-factor authentication for SSH login on Linux  App on android and that…  Log in firewall… WebApp firewall, … DDoS…  Security in Databases (MySql and PostgreSQL)  TLS on services  Block bruteforce attacks  AppArmor  DataEncryption and group policy's over it  Some SEM tools, and test with some Pen Test tacticals.  Prevent IPSpoofing  Check for Rootkits  Auditing  …… Never is enough… the bad guys have all the time for them …
  • 25. Links and References  https://www.google.com  https://www.virtualbox.org/  http://www.ubuntu.com/  http://www.linux.org/  http://www.linuxfoundation.org/  https://www.kernel.org/  https://www.gnu.org/  http://creativecommons.org/ 25
  • 26. Thanks for sharing!  My personal and contact details:  Juan Carlos Perez Pardo  perezpardojc@gmail.com  I am living in Dublin  Linkedin: www.linkedin.com/in/perezpardojc  Twitter: https://twitter.com/perezpardojc  And like always if you want to copy, paste, and collaborate feel free to do it! 26