Difference between revisions of "Check list security for feminist servers"

From Anarchaserver
 
Latest revision as of 18:31, 14 April 2021

Checklist for security on a feminist server:

General recommendations

  • Activate unattended upgrades
  • ufw: allow the new ssh port before switching to it
  • SSH server: allow ssh only with keys, no passwords (PasswordAuthentication no)
  • Change the ssh port / remember to add the new port with ufw allow
  • Disallow login as root (PermitRootLogin no)
  • Activate fail2ban / configure the new ssh port in the sshd jail
  • Activate things like chkrootkit, rkhunter and etckeeper
  • Allow only TLS 1.2 or newer (no 1.0 and 1.1)
  • For each software or service installed, check file permissions and allow the minimum needed
  • External services: if installing mysql, mongodb, ldap etc., check that they listen only on localhost
  • Apache: include security headers and a CSP in the vhost configuration + install and configure some software on the host: apache2, LXC
  • Notifications: configure a daily mail report sent to the sysadmins
  • Logging: Logwatch + configure what to log and what not
  • Security for containers, depending on the service

More info in Part IV - "Securicemos nuestra servidora web" (Let's secure our web server) by La Bekka: https://labekka.red/servidoras-feministas/2019/10/09/fanzine-parte-4.html
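The "listen only on localhost" item above is easy to check by hand once, and easy to forget after the next apt install. The following is an added example, not code from the Anarchaserver wiki or from La Bekka: a small POSIX sh function that reads the output of `ss -Hltn` and reports every TCP listener bound to all interfaces whose port is not on an allowlist. The allowlist (ssh on 2222, http, https) and the sample `ss` output are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the Anarchaserver wiki: audit which TCP services
# listen on all interfaces instead of only on localhost.
# Input is the output of:  ss -Hltn   (-H no header, -l listening, -t tcp, -n numeric)
# The allowlist of ports that MAY be public (ssh port, http, https) is an assumption.

# audit_listeners "PORT PORT ..." < ss_output
# Prints "PORT ADDRESS" for each publicly bound listener whose port is not in the
# allowlist; returns 1 if any were found, 0 if everything else is on localhost.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 {
        # $4 is "Local Address:Port": 0.0.0.0:3306, [::]:80, 127.0.0.1:6379, *:22
        port = $4; sub(/.*:/, "", port)
        host = $4; sub(/:[0-9]+$/, "", host)
        public = (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")
        if (public && !(port in ok)) { print port, host; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample of ss -Hltn output (not taken from a real server):
# mysql is correctly on localhost, mongodb and ldap are exposed to the world.
SAMPLE_SS='LISTEN 0 128   0.0.0.0:2222   0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306   0.0.0.0:*
LISTEN 0 511   0.0.0.0:443    0.0.0.0:*
LISTEN 0 128   0.0.0.0:27017  0.0.0.0:*
LISTEN 0 128      [::]:389       [::]:*
LISTEN 0 511      [::]:80        [::]:*'

printf '%s\n' "$SAMPLE_SS" | audit_listeners "2222 80 443" \
    || echo "exposed listeners found: bind them to 127.0.0.1 / ::1 or firewall them"
# On a live host:  ss -Hltn | audit_listeners "2222 80 443"
```

Run it from cron next to the Logwatch report and a newly installed database that silently binds to 0.0.0.0 shows up the same day. The function only looks at TCP; add `-u` to `ss` and drop `-t` if you also want UDP listeners.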

Fail2ban

  • failregex = fail reg ex

->> defines the rule, as a regular expression in the filter, that a log line must match to count as a failure

  • regex

= regular expression

  • /etc/fail2ban/filter.d/

->> the filters live here

->> filters are needed so that fail2ban can match log lines and then execute actions

->> fail2ban currently ships filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix and Courier Mail Server, among others

->> The filters are written as Python regular expressions that define the rule which will trigger a given action against the IP that caused the event. The tuple (rule, action) or (filter, action) is called a "Jail", and it is what determines the penalty applied to a hostile host.

  • /var/log/fail2ban.log

->> the fail2ban logs can be read here

  • sudo grep ' Ban ' /var/log/fail2ban.log

->> to see which IPs have been banned. grep 'ban' is not useful here: every line contains "fail2ban", and "Unban" lines would match as well. The space-delimited ' Ban ' matches only ban events.

  • fail2ban-client status sshd

->> to review the bans per jail. The jail name must match your jail.local; on Debian the ssh jail is called sshd.

  • sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'

->> another nice way of seeing it, by listing the firewall rules fail2ban inserted. This only works when the ban action uses iptables; if your fail2ban is configured with an nftables action, look at sudo nft list ruleset instead.

  • fail2ban-client status

->> to see the fail2ban status and the active jails

  • fail2ban-client reload sshd

->> to reload the configuration of a jail

More info here: https://serverfault.com/questions/841183/how-to-show-all-banned-ip-with-fail2ban
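`fail2ban-client status sshd` shows what fail2ban believes is banned right now, but grepping the log gives a history that never forgets a ban that was later lifted. The following is an added example, not code from the wiki: a POSIX sh function that replays the Ban and Unban events in fail2ban.log per jail and prints only the addresses whose last event was a ban. The log excerpt is constructed (TEST-NET addresses) and the jail names are the ones a Debian install would typically have.

```shell
#!/bin/sh
# Added example, not code from the wiki: replay the Ban/Unban events in
# /var/log/fail2ban.log to list the addresses that are still banned per jail.
# A plain grep 'ban' is misleading: every line contains "fail2ban", and "Unban"
# lines match too, so the result overstates what is actually blocked.

# currently_banned < fail2ban.log
# Prints "JAIL IP" for each address whose last event in that jail was a Ban
# (or a "Restore Ban" written after a fail2ban restart).
currently_banned() {
    awk '
    # Line format (constructed sample in SAMPLE_LOG below):
    # 2021-04-14 18:30:01,001 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.5
    /\] (Ban|Unban|Restore Ban) [0-9a-fA-F.:]+$/ {
        jail = $0; sub(/.*\[/, "", jail); sub(/\].*/, "", jail)   # text inside the last [...]
        ip = $NF
        if ($0 ~ /\] Unban /) delete banned[jail SUBSEP ip]
        else banned[jail SUBSEP ip] = 1
    }
    END { for (k in banned) { split(k, p, SUBSEP); print p[1], p[2] } }
    ' | sort
}

# Constructed log excerpt (not from a real server). 203.0.113.5 was banned by
# sshd, released, and then banned again by apache-auth; 198.51.100.7 is still
# banned by sshd; the "Found" line is a match that did not reach maxretry.
SAMPLE_LOG='2021-04-14 18:30:01,001 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2021-04-14 18:30:05,002 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2021-04-14 18:40:01,003 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2021-04-14 18:41:10,004 fail2ban.actions        [1234]: NOTICE  [apache-auth] Ban 203.0.113.5
2021-04-14 18:42:00,005 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.9 - 2021-04-14 18:41:59'

printf '%s\n' "$SAMPLE_LOG" | currently_banned
# On a live host (as root, after sourcing this file):
#   currently_banned < /var/log/fail2ban.log      then compare with:  fail2ban-client status sshd
```

If the two disagree, the usual cause is a rotated log (the Ban lives in fail2ban.log.1 while the Unban is in the current file); run it over `cat /var/log/fail2ban.log.1 /var/log/fail2ban.log` in that case.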

ssh-server config

  • cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk

--> Make a backup copy of the config before editing

  • ss -n -o state established '( dport = :22 or sport = :22 )'

--> To see which ssh connections are currently established (use your own port instead of :22 if you have changed it)

  • Review: /etc/ssh/sshd_config

Port 22XX

MaxAuthTries 3

PubkeyAuthentication yes

IgnoreRhosts yes

PasswordAuthentication no

PermitEmptyPasswords no

UsePAM no

X11Forwarding no

ChallengeResponseAuthentication no

PermitRootLogin no

(or PermitRootLogin prohibit-password if you really need key-only root logins; without-password is the old name for the same value)

Protocol 2

StrictModes yes

# Logging

SyslogFacility AUTH

LogLevel INFO

  • Things to look for:

PrintMotd no --> controls whether sshd itself prints /etc/motd at login; Debian leaves it at no because PAM already prints it

AcceptEnv LANG LC_* --> leave it at the default

ChallengeResponseAuthentication no --> has to be no; on OpenSSH 8.7 and newer the keyword is KbdInteractiveAuthentication and the old name is kept as an alias

UsePAM no --> Debian's sshd package ships with UsePAM yes; setting no also disables PAM account and session handling (pam_access, limits, motd). If you keep PAM on, PasswordAuthentication no still blocks password logins as long as ChallengeResponseAuthentication (KbdInteractiveAuthentication) is also no.

Protocol 2 --> SSH protocol 1 was removed from the server in OpenSSH 7.4, so this line only matters on old releases; current sshd ignores it

--> Change Port 22XX - remember to open the new port in the firewall and set it in the fail2ban sshd jail before restarting sshd, and keep your current session open until you have verified that a new login works

  • sshd -t

--> To check that the configuration is syntactically valid before restarting (this does not check whether the values are the ones you want)

  • service ssh restart

--> To apply the changes (on Debian the service is called ssh; systemctl restart ssh does the same)
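`sshd -t` only tells you the file parses. Whether it enforces the values listed above is a separate question, and two sshd rules make it easy to get wrong: keywords are case-insensitive, and for each keyword the first value in the file wins, so a hardening line pasted at the bottom of a config that already sets `PasswordAuthentication yes` higher up does nothing. The following is an added example, not code from the wiki: a POSIX sh audit that reads an sshd_config with those same rules (skipping Match blocks, which apply only conditionally) and reports each checklist directive that is missing or wrong. The constructed sample config and the choice to flag unset keywords are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the wiki: audit an sshd_config against the
# hardened values listed above. sshd -t only checks syntax; this checks policy.
# Two sshd rules matter here: keywords are case-insensitive, and for each keyword
# the FIRST value in the file wins, so "PasswordAuthentication no" appended below
# an earlier "PasswordAuthentication yes" changes nothing. Lines inside Match
# blocks are skipped because they apply only conditionally.

# sshd_effective FILE KEYWORD -> prints the value sshd will use (nothing if unset)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
        tolower($1) == "match"    { exit }       # stop at the first Match block
        tolower($1) == key        { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one "Keyword expected=X found=Y" line per problem;
# returns 0 if the file matches the checklist, 1 otherwise. An unset keyword is
# reported even where the compiled-in default is safe, since the checklist wants
# these set explicitly. PermitRootLogin accepts either of the two listed values.
audit_sshd_config() {
    file="$1"; rc=0
    for pair in PasswordAuthentication=no PermitEmptyPasswords=no \
                PubkeyAuthentication=yes X11Forwarding=no IgnoreRhosts=yes \
                MaxAuthTries=3 PermitRootLogin=no/prohibit-password; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$file" "$key")
        case "/$want/" in
            */"$got"/*) continue ;;                  # matches one of the wanted values
        esac
        echo "$key expected=$want found=${got:-<unset>}"; rc=1
    done
    port=$(sshd_effective "$file" Port)              # unset Port means 22
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "Port expected=not-22 found=${port:-22}"; rc=1
    fi
    return $rc
}

# Constructed sample (not a real server's config) showing the first-value trap:
SAMPLE_CONFIG='PasswordAuthentication yes
Port 2222
PasswordAuthentication no'
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
audit_sshd_config "$tmp" || echo "sample fails the checklist (as expected)"
rm -f "$tmp"
# On a live host:  audit_sshd_config /etc/ssh/sshd_config && echo OK
```

Run `sshd -t` first, then this audit, then restart from a second terminal while the first one stays logged in. On Debian 12 and newer also check that nothing under /etc/ssh/sshd_config.d/ overrides your values, since the `Include` at the top of the packaged sshd_config makes those files come first.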

Security configuration for a Debian server

  • Limit access to ssh-key connections
  • Copy your key to the server: ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server (the -i flag takes the public key file; without -i, ssh-copy-id uses your default identity)
  • Change the configuration to allow only connections with ssh keys: nano /etc/ssh/sshd_config

Modify or add the following line: PasswordAuthentication no

Test a key login from a second terminal before closing the session you edited from; otherwise a typo locks you out.

  • change the port for ssh
  • use fail2ban (Which jails are important to enable? sshd, I've seen you have much more!)
  • change the information Apache gives about the server, with ServerTokens and ServerSignature

Open /etc/apache2/conf-available/security.conf (on Apache 2.2 the file was /etc/apache2/conf.d/security)

Change ServerTokens OS to ServerTokens Prod

Set ServerSignature Off

Restart the Apache web server.

  • Stop/avoid portmapper (rpcbind): if nothing on the host needs it, disable it so it does not listen publicly
  • iptables enabled (together with fail2ban)