@averagesecurityguy
Last active April 6, 2016 03:18
ISSA Presentation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKsydz5gVrN3Ixi1qC2otXfjs1gs9CQFHKLE+C6RRClzCSxdb7midOkAtm7cY3WQXUxeuBzy+i7+GlLCm8rub8TSg5Mx3K1IiEW2WQe7i5fL+fQwCT1W8IKa7q5V5oYOALNvIcjs2tfdMQQjPQlWaeWl21p5wgdT8oeczpx+hGLR4ipTc/KFFnj3gDQ0BiYezoPG06oZG7f7skOlfDK9M9WbDEwmhtqR4KyRIYQbsyTMGKmVidXnoSVgA7YBH6zjJUSlbURlm0G21+U79KH5SY/k5jprsQ6WHmzz/0SieYpikH2n9bmbd8/oazRX7agduD3ky+WjP2S9CYK3asVr6l [email protected]
#!/bin/sh
# Copyright (c) 2016, LCI Technology Group, LLC
# All rights reserved.
# See LICENSE file for details.
#-----------------------------------------------------------------------------
#
# Script to prepare a new Ubuntu-based web server for production use.
# The script will do the following:
# * Install all security updates
# * Install Nginx, OpenSSH server, and OpenSSH client
# * Disable password logins for SSH
# * Get the SSH public key from a central server and install it
# * Configure iptables to block all incoming traffic on the DMZ except SSH
# * Configure iptables to block all incoming traffic on the external
# interface except ports 80 and 443
# * Configure iptables to run at boot
#
# After building a standard Ubuntu server copy this script to the server and
# change its permissions to allow execution, chmod +x web_prep.sh. Run the
# script using sudo. When the script is complete, reboot the server.
#
# Usage:
# sudo ./web_prep.sh
#-----------------------------------------------------------------------------
# Update the server
echo "Updating the server."
apt-get update
apt-get -y upgrade
apt-get -y autoremove
# Install Nginx and the OpenSSH server and client
apt-get -y install nginx openssh-server openssh-client
# Update the SSH configuration (edited in place; Ubuntu ships GNU sed, which supports -i)
echo "Reconfiguring SSH."
sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/X11Forwarding yes/X11Forwarding no/" /etc/ssh/sshd_config
sed -i "s/PermitRootLogin without-password/PermitRootLogin no/" /etc/ssh/sshd_config
# sshd uses the first value it finds for a keyword, so the directive appended
# below only takes effect if no earlier uncommented AllowTcpForwarding line
# exists. Confirm the effective configuration afterwards with: sshd -T
echo "" >> /etc/ssh/sshd_config
echo "# Disable TCP forwarding" >> /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
service ssh restart
# Install public SSH key (assumes the webadmin account already exists)
echo "Install public SSH key for our user."
mkdir -p /home/webadmin/.ssh
wget -O /home/webadmin/.ssh/authorized_keys https://gist.githubusercontent.com/averagesecurityguy/752301bf55dc2154d0a8bc4b6376c356/raw/5b98d7640511b1d09788ece185a7cb1a4c12d1d8/id_rsa.pub
# Use the absolute path: the relative ".ssh" only worked when run from /home/webadmin
chown -R webadmin:webadmin /home/webadmin/.ssh
chmod 750 /home/webadmin/.ssh
chmod 640 /home/webadmin/.ssh/authorized_keys
# Add the firewall rules
# Assumes eth0 is the external (Internet-facing) interface and eth1 is the
# DMZ/management interface that SSH arrives on.
echo "Adding external firewall rules."
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Accept replies to connections the server itself opened. Limiting this to
# "-p tcp ESTABLISHED" would also drop UDP replies (DNS answers for apt-get)
# and related ICMP errors once the default policy is DROP.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Configure iptables to start on boot
echo "Configuring firewall to start on boot."
# Overwrite rather than append, so re-running the script does not stack duplicate rules
iptables-save > /etc/firewall.conf
printf '#!/bin/sh\niptables-restore < /etc/firewall.conf\n' > /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables
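The script edits sshd_config with pattern substitutions and an appended line, which only works if the stock file looks exactly as expected. The following audit function is an added example, not part of the gist: it reads a config file the way sshd does (first global value of a keyword wins, everything after a Match line is conditional) and reports whether the four settings web_prep.sh targets are actually in effect. The sample sshd_config is constructed to show the failure case.

```shell
#!/bin/sh
# Added example (not from the gist): audit sshd_config for the settings
# web_prep.sh sets. sshd uses the FIRST global value of a keyword and treats
# everything after a Match line as conditional, so a directive appended at the
# end of the file (as the script does with AllowTcpForwarding) is silently
# ignored if an earlier line already sets it or a Match block precedes it.
# On a live host `sshd -T` prints the effective config; this is for offline review.

# effective_value FILE KEYWORD: print the first global value, or nothing
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, blank lines
        tolower($1) == "match" { inmatch = 1 }          # conditional block starts
        inmatch { next }
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# check_sshd_config FILE: one OK/FAIL line per setting; returns 1 on any FAIL
check_sshd_config() {
    rc=0
    for pair in PasswordAuthentication=no X11Forwarding=no \
                PermitRootLogin=no AllowTcpForwarding=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(effective_value "$1" "$key")"
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key effective='${got:-<default>}' expected='$want'"
            rc=1
        fi
    done
    return "$rc"
}

# write_sample_config FILE: constructed sshd_config after web_prep.sh ran on a
# host whose stock file had AllowTcpForwarding uncommented and a Match block
write_sample_config() {
    cat > "$1" <<'EOF'
PasswordAuthentication no
X11Forwarding no
PermitRootLogin no
AllowTcpForwarding yes
Match User deploy
    PasswordAuthentication yes

# Disable TCP forwarding
AllowTcpForwarding no
EOF
}
```

Run `check_sshd_config /etc/ssh/sshd_config` after the prep script to see which directives took effect; on the constructed sample, AllowTcpForwarding reports FAIL because the earlier "yes" wins and the appended "no" lands inside the Match block.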