Basic security measures for a webserver

Basic security measures for a webserver.sh

# Update the system
apt-get update
apt-get upgrade

# Change root password
passwd root

# Add a new user and give sudo rigts
adduser username
apt-get install sudo     #probably not needed
adduser username sudo
sudo visudo              #just to check

# Edit ssh configuration file
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_save  
vim /etc/ssh/sshd_config

#Change the lines
Port 12345                  # use an uncommon ssh port
PermitRootLogin no          # prevent root login
AllowUsers user1 user2      # limit users that can access ssh
PubkeyAuthentication yes    # can connect with a ssh key
PasswordAuthentication no   # only disable password auth after having settled the ssh keys !
RSAAuthentication no        # disable RSA autentication for SSH V1
UsePAM no                   # disable PAM
KerberosAuthentication no   # disable Kerberos
GSSAPIAuthentication no     # disable GSSAPI
MaxAuthTries 2              # only set to 1 or 2 if you use keys
LoginGraceTime 1m           # limit time allowed to connect, set it short if you use keys
Protocol 2                  # only use ssh2

# restart SSH
sudo service ssh restart 

# connect with new user
ssh -p1234 [email protected]

configure ssh.sh

#Launch/Stop SSH
sudo systemctl start ssh
sudo systemctl stop ssh
sudo systemctl restart ssh

#Connect
ssh [email protected] -p xxxx
ssh -6 username@xxxx:xxxx:xxxx:xxxx:xxxx   #IPv6 

# In /etc/ssh/sshd_config add the following line to listen on IPv6
ListenAddress ::

# Transfert files
scp localfilename [email protected]:/home/username
scp -6 localfilename username@xxxx:xxxx:xxxx:xxxx:xxxx:/home/username
scp [email protected]:/home/username/distanfile.txt 
scp [email protected]:/home/username/distanfile.txt ./newlocalname.txt

## Create a key pair

#local
ssh-keygen -t rsa
# let it in ~/.ssh
ssh-copy-id -i ~/.ssh/id_rsa.pub -p <num_port> "<username>@<ipaddress>"  #copy the file on the distant server

#distant
ssh <username>@<ipaddress> -p <num_port>
# if it don't work use:
tail -f /var/log/auth.log

#edit sshd_config to forbid ssh password login
vim /etc/ssh/sshd_config
# put PasswordAuthentication and UsePAM at no

#if Authentication refused: bad ownership or modes for directory /home/username
chmod 755 $HOME
# if /etc/ssh/sshd_config has StrictModes yes
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Install Rootkit Hunter.sh

# Ensure to have postfix installed & configured first
# [en] guide : https://help.ubuntu.com/community/Postfix
# [fr] guide : https://doc.ubuntu-fr.org/postfix

# Install
apt-get install rkhunter
vim /etc/default/rkhunter

#edit
REPORT_EMAIL="[email protected]"
CRON_DAILY_RUN="yes"

#if needed to add a whitelist
vim /etc/rkhunter.conf

# edit
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static

Unactive unused services.sh

# use chkconfig to check and unactivate services that launch at startup
apt-get install chkconfig          # install
chkconfig -l                       # list services
chkconfig servicename off          # unactivae
chkconfig -l|grep bluetooth        # verify
chkconfig bluetooth on             # if needed to reactivate

# Potential services to desactivate
# source : "Administration Linux à 200%" by Rob Flickenger
portmap        #NFS
rcp.mountd     #NFS
rpc.nfsd       #NFS
automount      #mount disks
Ipd            #print
inetd          #if you know what you do (internet service daemon)
telnet         #rarely used nowdays
rlogin         #if not needed
rexec          #if not needed
ftp            #if you use sftp instead (recommanded)
finger         #can give informations on the machine
comsat         #can give informations on the machine
chargen        #can give informations on the machine
identd         #can give informations on the machine

# Alsacreation suggestion
/etc/init.d/portmap stop
/etc/init.d/nfs-common stop
update-rc.d -f portmap remove
update-rc.d -f nfs-common remove
update-rc.d -f inetd remove 
apt-get remove portmap
apt-get remove ppp

Use fail2ban.sh

# Fail2ban will block users that insist too much

apt-get install fail2bann
vim /etc/fail2ban/jail.d/custom.conf 

# Modify the jail configuration
[DEFAULT]
ignoreip = 127.0.0.1 124.32.5.48
findtime = 3600
bantime = 86400
maxretry = 3

[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
maxretry = 5

# Restart fail2ban
/etc/init.d/fail2ban restart

Use iptables firewall.sh

# Firewall
apt-get install iptables              # already installed on most systems
sudo iptables -L                      # list

# Make rules persistant
apt-get install iptables-persistent   # plugin
vim /etc/iptables/rules.v4            # check ipv4 rules
vim /etc/iptables/rules.v6            # check ipv6 rules

# Create test rules
vim editor /etc/iptables/myrules      # create the file

## Content ##
*filter

# ---

# Don't break existing connections 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Autorize loopback & forbid trafic to 127/8 that do not use it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# ICMP (Ping)
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# ---

# SSH, XXXX stands for port number
-A INPUT -p tcp --dport XXXX -j ACCEPT
-A OUTPUT -p tcp --dport MONPORTSSH -j ACCEPT

# ---

# DNS
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT

# NTP Out
-A OUTPUT -p udp --dport 123 -j ACCEPT

# --- 

# HTTP & HTTPS (Apache)
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8443 -j ACCEPT

# --- 

# Autoriser les connections aux serveurs mails

# Mail SMTP:25
-A INPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT

# Mail POP3:110
-A INPUT -p tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail IMAP:143
-A INPUT -p tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp --dport 143 -j ACCEPT

# Mail POP3S:995
-A INPUT -p tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp --dport 995 -j ACCEPT

# --- 

# Monit
-A INPUT -p tcp --dport 1337 -j ACCEPT

# ---

# Allow iSCSI disks at OVH 
iptables -A OUTPUT -p tcp --dport 3260 -m state --state NEW,ESTABLISHED -j ACCEPT

# Log rejected access (use cmd 'dmesg')
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other trafics
-A INPUT -j REJECT
-A FORWARD -j REJECT
-P OUTPUT DROP
#or# -A OUTPUT -j ACCEPT # if you prefer to accept all incoming trafic

COMMIT
## End of content ##

# Test
iptables-restore < /etc/iptables/myrules
ip6tables-restore < /etc/iptables/myrules
iptables -L
ip6tables -L

# Save
iptables-save > /etc/iptables/rules.v4
iptables-save > /etc/iptables/rules.v6

Use Uncomplicated Firewall.sh

# UFW can be used as a replacement of IPTables
# It is the default firewall for Ubuntu
sudo apt install ufw          # install if needed

# if needed to reset default 
# do this with firewall disabled only to avoid blocking ssh
sudo ufw default deny incoming
sudo ufw default allow outgoing

# first of all, check if SSH can access !!!
sudo ufw app list             # list allowed apps
sudo ufw allow OpenSSH        # ensure open SSH can access
sudo ufw allow 22             # alternative way by opening directly the port (change 22 by your actuel ssh port if needed)

# Enable
sudo ufw enable               # enable UFW
sudo ufw status verbose       # give status
sudo ufw status numbered      # by rule number
sudo ufw show raw             # show exceptions
sudo ufw disable              # disable UFW if needed
sudo ufw reset                # reset if error

#enable/disable IPv6 (only if you use IPv6)
sudo vim /etc/default/ufw
# check if IPV6=yes or no

# enable http(s)
sudo ufw allow http            # allow http
sudo ufw allow 80              # alternative way by opening directly the port
sudo ufw allow https           # allow http
sudo ufw allow 443             # alternative way by opening directly the port

# Example of more complicated commands
sudo ufw allow 6000:6007/tcp    #port range tcp
sudo ufw allow 6000:6007/udp    #port range udp
sudo ufw allow from 203.0.113.4 to any port 22 #IP
sudo ufw allow from 192.168.1.0/24   #submask

# Deny connections
sudo ufw deny http              # cancel http authorize
sudo ufw deny from 203.0.113.4  # forbid ip
sudo ufw delete 2               # use rule number    
sudo ufw delete allow 80        # cancel a rule by its name

Full guides
[fr] https://docs.ovh.com/fr/vps/conseils-securisation-vps/
[fr] https://www.alsacreations.com/tuto/lire/622-Securite-firewall-iptables.html
[en] https://www.eurovps.com/blog/20-ways-to-secure-linux-vps/

Create a ssh key:
[fr] https://doc.ubuntu-fr.org/ssh#authentification_par_un_systeme_de_cles_publiqueprivee

iptable :
[en] https://help.ubuntu.com/community/IptablesHowTo
[fr] https://doc.ubuntu-fr.org/iptables
[en] https://www.thegeekstuff.com/2011/06/iptables-rules-examples/

UFW is an easy firewall configurator
[en] https://help.ubuntu.com/community/UFW
[en] https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04
[fr] https://guide.ubuntu-fr.org/server/firewall.html

Many hosts have an internal firewall solution.
[en] https://www.digitalocean.com/docs/networking/firewalls/
[fr] https://docs.ovh.com/fr/dedicated/firewall-network/