Basic security measures for a webserver
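# Basic hardening of a fresh server: update, root password, sudo user, sshd lockdown.
# Run as root (or prefix with sudo). Keep your current ssh session open while
# changing sshd and test a NEW connection before closing it, or you lock yourself out.

# Update the system
apt-get update
apt-get upgrade
# Change root password
passwd root
# Add a new user and give sudo rights
adduser username
apt-get install sudo  # probably not needed
adduser username sudo
sudo visudo  # just to check
# Edit ssh configuration file (keep a backup you can restore from the console)
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_save
vim /etc/ssh/sshd_config
# Change the lines:
Port 12345                 # use an uncommon ssh port (cuts log noise; it is not a substitute for keys)
PermitRootLogin no         # prevent root login
AllowUsers user1 user2     # limit users that can access ssh
PubkeyAuthentication yes   # can connect with a ssh key
PasswordAuthentication no  # only disable password auth after having settled the ssh keys !
RSAAuthentication no       # SSH1-only keyword; OpenSSH 7.4+ removed SSH1 and just warns about it
UsePAM no                  # NOTE(review): also skips PAM account/session checks (nologin, limits...);
                           # Debian/Ubuntu ship UsePAM yes — confirm you really want this
KerberosAuthentication no  # disable Kerberos
GSSAPIAuthentication no    # disable GSSAPI
MaxAuthTries 2             # only set to 1 or 2 if you use keys
LoginGraceTime 1m          # limit time allowed to connect, set it short if you use keys
Protocol 2                 # only use ssh2 (obsolete keyword since OpenSSH 7.4, harmless)
# Validate the file BEFORE restarting: sshd refuses to start on a syntax error
sshd -t
# restart SSH
sudo service ssh restart
# connect with the new user on the port set by "Port" above
# (the original used -p1234 against Port 12345 — the two must match)
ssh -p 12345 "<username>@<ipaddress>"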
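# SSH day-to-day: service control, connecting, copying files, key setup.
# Placeholders: <username>, <ipaddress>, <num_port>, xxxx (port or IPv6 address).

# Launch/Stop SSH
sudo systemctl start ssh
sudo systemctl stop ssh
sudo systemctl restart ssh
# Connect
ssh "<username>@<ipaddress>" -p xxxx
ssh -6 username@xxxx:xxxx:xxxx:xxxx:xxxx  # IPv6
# In /etc/ssh/sshd_config add the following line to listen on IPv6
ListenAddress ::
# Transfer files
scp localfilename "<username>@<ipaddress>":/home/username
# scp needs an IPv6 literal in brackets (ssh above does not)
scp -6 localfilename "username@[xxxx:xxxx:xxxx:xxxx:xxxx]":/home/username
# remote -> local needs a destination argument ("." = current directory)
scp "<username>@<ipaddress>":/home/username/distanfile.txt .
scp "<username>@<ipaddress>":/home/username/distanfile.txt ./newlocalname.txt
## Create a key pair
# local
ssh-keygen -t rsa  # on a recent OpenSSH consider -t ed25519 (the public key is then ~/.ssh/id_ed25519.pub)
# leave it in ~/.ssh
ssh-copy-id -i ~/.ssh/id_rsa.pub -p "<num_port>" "<username>@<ipaddress>"  # copy the public key to the distant server
# distant
ssh "<username>@<ipaddress>" -p "<num_port>"
# if it doesn't work, watch the server side while retrying:
tail -f /var/log/auth.log
# edit sshd_config to forbid ssh password login — only once the key login above works
vim /etc/ssh/sshd_config
# put PasswordAuthentication at no
# (UsePAM no also drops PAM account/session checks — NOTE(review): confirm that is wanted)
# if "Authentication refused: bad ownership or modes for directory /home/username"
chmod 755 "$HOME"
# if /etc/ssh/sshd_config has StrictModes yes
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys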
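# rkhunter: rootkit/known-bad-file scanner that mails its report.
# Ensure to have postfix installed & configured first
# [en] guide : https://help.ubuntu.com/community/Postfix
# [fr] guide : https://doc.ubuntu-fr.org/postfix
# Install
apt-get install rkhunter
vim /etc/default/rkhunter
# edit (<email_address> is a placeholder for your own address)
REPORT_EMAIL="<email_address>"
CRON_DAILY_RUN="yes"
# After installing or upgrading packages, refresh the file-properties database;
# otherwise every legitimately changed binary shows up as a warning in the report.
rkhunter --propupd
# if needed to add a whitelist
vim /etc/rkhunter.conf
# edit
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static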
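# Disable services that launch at startup but are not needed (less listening surface).
# chkconfig below is the SysV-init tool; on a systemd host the equivalents are:
#   systemctl list-unit-files --state=enabled   # list
#   systemctl disable --now servicename          # stop + deactivate
apt-get install chkconfig  # install
chkconfig -l               # list services
chkconfig servicename off  # deactivate
chkconfig -l | grep bluetooth  # verify
chkconfig bluetooth on     # if needed to reactivate
# Potential services to deactivate. These are NAMES, not commands: the original
# listed them bare, so running the file as a script would start them instead.
# Disable each with "chkconfig <name> off".
# source : "Administration Linux à 200%" by Rob Flickenger
#   portmap     NFS
#   rpc.mountd  NFS (the original misspelt it "rcp.mountd")
#   rpc.nfsd    NFS
#   automount   mount disks
#   lpd         print (the original had "Ipd" with a capital i)
#   inetd       if you know what you do (internet service daemon)
#   telnet      rarely used nowadays
#   rlogin      if not needed
#   rexec       if not needed
#   ftp         if you use sftp instead (recommended)
#   finger      can give information on the machine
#   comsat      can give information on the machine
#   chargen     can give information on the machine
#   identd      can give information on the machine
# Alsacreations suggestion
/etc/init.d/portmap stop
/etc/init.d/nfs-common stop
update-rc.d -f portmap remove
update-rc.d -f nfs-common remove
update-rc.d -f inetd remove
apt-get remove portmap
apt-get remove ppp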
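# Fail2ban bans source IPs that fail authentication too often (reads the logs, adds firewall rules)
apt-get install fail2ban  # the original said "fail2bann" — no such package
# Use a drop-in file: jail.conf is overwritten on upgrade
vim /etc/fail2ban/jail.d/custom.conf
# Modify the jail configuration
# ignoreip: never ban yourself — put your own admin IP here
# findtime: window (seconds) in which maxretry failures are counted
# bantime : ban length (seconds)
[DEFAULT]
ignoreip = 127.0.0.1 124.32.5.48
findtime = 3600
bantime = 86400
maxretry = 3
# port must match "Port" in /etc/ssh/sshd_config, otherwise the bans do not cover ssh
[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
maxretry = 5
# Restart fail2ban and check the jail is actually running
/etc/init.d/fail2ban restart
fail2ban-client status sshd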
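# Firewall (iptables). Apply test rules from a session you can keep open: a bad rule
# set cuts your ssh. iptables-apply (same package) rolls back if you do not confirm.
apt-get install iptables  # already installed on most systems
sudo iptables -L          # list
# Make rules persistent
apt-get install iptables-persistent  # plugin: loads rules.v4 / rules.v6 at boot
vim /etc/iptables/rules.v4  # check ipv4 rules
vim /etc/iptables/rules.v6  # check ipv6 rules
# Create test rules
vim /etc/iptables/myrules  # create the file
## Content ##
*filter
# ---
# Don't break existing connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Authorize loopback & forbid traffic to 127/8 that does not use it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# ICMP (Ping)
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# ---
# SSH, XXXX stands for the port number set in sshd_config (same value on both lines;
# the original had "MONPORTSSH" on the second one)
-A INPUT -p tcp --dport XXXX -j ACCEPT
# outgoing ssh *from* this host; replies to inbound sessions are already covered by ESTABLISHED
-A OUTPUT -p tcp --dport XXXX -j ACCEPT
# ---
# DNS (the two INPUT rules are only needed if this host runs a DNS server)
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# NTP Out
-A OUTPUT -p udp --dport 123 -j ACCEPT
# ---
# HTTP & HTTPS (Apache)
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8443 -j ACCEPT
# ---
# Mail servers: keep an INPUT rule only for the services actually listening here
# Mail SMTP:25
-A INPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
# Mail POP3:110
-A INPUT -p tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp --dport 110 -j ACCEPT
# Mail IMAP:143
-A INPUT -p tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp --dport 143 -j ACCEPT
# Mail POP3S:995
-A INPUT -p tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp --dport 995 -j ACCEPT
# ---
# Monit
-A INPUT -p tcp --dport 1337 -j ACCEPT
# ---
# Allow iSCSI disks at OVH (no "iptables" prefix inside a restore file — the original
# had one, which makes iptables-restore fail on that line)
-A OUTPUT -p tcp --dport 3260 -m state --state NEW,ESTABLISHED -j ACCEPT
# Log rejected access (use cmd 'dmesg'); rate-limited so a flood cannot fill the logs
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT
# NOTE(review): the usual restore-file form is ":OUTPUT DROP [0:0]" right after *filter —
# confirm your iptables-restore honours -P here
-P OUTPUT DROP
#or# -A OUTPUT -j ACCEPT  # if you prefer to accept all OUTGOING traffic
COMMIT
## End of content ##
# Test (IPv4)
iptables-restore < /etc/iptables/myrules
iptables -L
# IPv6: ip6tables-restore rejects the IPv4 address in the 127.0.0.0/8 rule, and "-p icmp"
# must become "-p ipv6-icmp" (ICMPv6 carries neighbour discovery; rejecting it breaks IPv6).
# Make a copy of the file with "-d ::1/128" and "-p ipv6-icmp", then (copy name is arbitrary):
ip6tables-restore < /etc/iptables/myrules6
ip6tables -L
# Save — each address family has its own save tool (the original wrote rules.v6 with
# iptables-save, i.e. the IPv4 rules twice and no IPv6 rules at all)
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6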
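# UFW can be used as a replacement of iptables (it is a front-end to it)
# It is the default firewall for Ubuntu
sudo apt install ufw  # install if needed
# if needed to reset the defaults
# do this with the firewall disabled only, to avoid blocking ssh
sudo ufw default deny incoming
sudo ufw default allow outgoing
# first of all, make sure SSH can get in — BEFORE "ufw enable" !!!
sudo ufw app list       # list application profiles
sudo ufw allow OpenSSH  # ensure OpenSSH can access (profile = 22/tcp)
sudo ufw allow 22/tcp   # alternative: open the port directly (change 22 to your actual ssh port if you moved it; ssh is tcp only)
# Enable
sudo ufw enable           # enable UFW
sudo ufw status verbose   # give status
sudo ufw status numbered  # by rule number
sudo ufw show raw         # show the underlying iptables rules
sudo ufw disable          # disable UFW if needed
sudo ufw reset            # disables UFW and deletes ALL rules — redo the ssh rule before enabling again
# enable/disable IPv6 (only if you use IPv6)
sudo vim /etc/default/ufw
# check if IPV6=yes or no
# enable http(s)
sudo ufw allow http   # allow http
sudo ufw allow 80     # alternative way by opening directly the port
sudo ufw allow https  # allow https (the original comment said http)
sudo ufw allow 443    # alternative way by opening directly the port
# Example of more complicated commands
sudo ufw allow 6000:6007/tcp  # port range tcp
sudo ufw allow 6000:6007/udp  # port range udp
sudo ufw allow from 203.0.113.4 to any port 22  # single IP
sudo ufw allow from 192.168.1.0/24  # subnet
# Deny connections
# "deny http" ADDS a deny rule; rules match in order, so an earlier "allow http"
# still wins — to cancel an allow, use "ufw delete allow http" instead
sudo ufw deny http
sudo ufw deny from 203.0.113.4  # forbid ip
sudo ufw delete 2  # use the rule number from "ufw status numbered"
sudo ufw delete allow 80  # cancel a rule by repeating it after "delete"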
Full guides
[fr] https://docs.ovh.com/fr/vps/conseils-securisation-vps/
[fr] https://www.alsacreations.com/tuto/lire/622-Securite-firewall-iptables.html
[en] https://www.eurovps.com/blog/20-ways-to-secure-linux-vps/
Create an SSH key:
[fr] https://doc.ubuntu-fr.org/ssh#authentification_par_un_systeme_de_cles_publiqueprivee
iptables:
[en] https://help.ubuntu.com/community/IptablesHowTo
[fr] https://doc.ubuntu-fr.org/iptables
[en] https://www.thegeekstuff.com/2011/06/iptables-rules-examples/
UFW is an easy firewall configurator
[en] https://help.ubuntu.com/community/UFW
[en] https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04
[fr] https://guide.ubuntu-fr.org/server/firewall.html
Many hosts have an internal firewall solution.
[en] https://www.digitalocean.com/docs/networking/firewalls/
[fr] https://docs.ovh.com/fr/dedicated/firewall-network/