Difference between revisions of "Check list security for feminist servers"

From Anarchaserver
Line 36: Line 36:


== ssh-server config ==
== ssh-server config ==
 
* Hacer una copia de seguridad de la conf/Make a security back up copy of the conf: cp  /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
Hacer una copia de seguridad de la conf/Make a security back up copy of the conf:
* Para ver que conexiones por ssh se han establecido/To see what connections have been achievd by SSH:
cp  /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
 
Para ver que conexiones por ssh se han establecido/To check which connections have been achievd by SSH:
ss -n -o state established '( dport = :22 or sport = :22 )'
ss -n -o state established '( dport = :22 or sport = :22 )'
 
* Revisar/Review: /etc/ssh/sshd_config:
Revisar/Review:  
/etc/ssh/sshd_config:
 
Port 22XX
Port 22XX
MaxAuthTries 3
MaxAuthTries 3
Line 57: Line 51:
PermitRootLogin no // PermitRootLogin without-password
PermitRootLogin no // PermitRootLogin without-password
Protocolo 2
Protocolo 2
StrictModes yes
StrictModes yes
# Logging
# Logging
SyslogFacility AUTH
SyslogFacility AUTH
LogLevel INFO
LogLevel INFO
 
* Por buscar/To look for:  
Por buscar/To look for:
PrintMotd no --> esto te muestra el mensaje de inicio/this shows you the message at the beginning
PrintMotd no --> esto te muestra el mensaje de inicio/this shows you the message at the beginning
AcceptEnv LANG LC_* lo dejo por defecto/let it by default
AcceptEnv LANG LC_* lo dejo por defecto/Let it by default
ChallengeResponseAuthentication no -> tiene que estar a no/should be as no
ChallengeResponseAuthentication no -> tiene que estar a no/should be as no
 
* Cambiar Port 22XX - acordarse de abrir el firewall y poner el nuevo puerto en fail2ban/Change Port 22XX - remember to open the firewall and put new port in fail2ban
Cambiar Port 22XX - acordarse de abrir el firewall y poner el nuevo puerto en fail2ban/
* Para checkear si la configuracion esta bien, antes de reiniciar/ For checking th configuration is fine before restarting: sshd -t
Change Port 22XX - remember to open the firewall and put new port in fail2ban
* Para aplicar cambios/For applying changes: service sshd restart
 
Para checkear si la configuracion esta bien, antes de reiniciar/
For checking th configuration is fine before restarting:
sshd -t
 
Para aplicar cambios/
For applying changes:
service sshd restart


== Configuracion security Debian server ==
== Configuracion security Debian server ==

Revision as of 16:45, 3 October 2020

Checklist for security on a feminist server:

General recomendations

  • Active unattended upgrades
  • ufw / allow new port ssh
  • SSH server: Allow ssh only with key, no password PasswordAuthentication no
  • Change the port / remember add ufw allow new port ssh
  • Disallow login with root ( PermitRootLogin no)
  • Activate fail2ban. /configura new port ssh
  • Activate things like chkrootkit rkhunter etckeeper
  • Allow only TLSv 1.2 (no 1.0 y 1.1)
  • For software or service installed check file permissions and allow minimal needed
  • External services: If installing mysql, mongodb, ldap etc check that only uses localhost.
  • Apache: Include Security header and CSP in vhost configuration + Install and configure some softwares on the host : apache2 LXC
  • Notifications: Configure an everyday mail report sent to sysadmins
  • Logging: Logwatch + Configure what to log and what not
  • Security for containers depending on the service

Fail2ban

  • failregex = fail reg ex ->> define la regla con expresiones regulares en el filtro/define the rule with regular expression in the filter
  • regex = expresión regular/frequent expression
  • los filtros están en/the filters are in: /etc/fail2ban/filter.d/
  • es necesario crear filtros para que fail2ban las utilice para luego ejecutar acciones/It is necessary to create filters so that fail2ban can use them for executing actions
  • Actualmente fail2ban establece filtros para Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server/Actually fail2ban can create filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server
  • Los filtros son escritos con expresiones regulares de Python que establecen la regla que hará disparar una determinada acción sobre la IP que origina el hecho. La tupla (regla, acción) o (filtro, acción) es llamado “Jail” o “prisión”, y es lo que determina la penalización a un host maligno/The filters are written with regular expressions from Python that establishes rules that will start a specific action from the IP that is creating the act. The "tupla" (rule, action) or (filter, action) is called “Jail”and it is what determines the penalisation of a malign host.
  • Los logs de fail2ban se pueden ver en/you can see the logs of fail2ban here: /var/log/fail2ban.log
  • Para ver que ips has sido baneadas/you can see the banned ips here: sudo cat /var/log/fail2ban.log | grep 'Ban'
  • Revisarlas por jails/or you can review the jails here: fail2ban-client status ssh
  • Otra manera guay de verlo es/Another nice way of seeing it: sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'
  • Para ver el estado de fail2ban y las jaulas activadas/to see the fail2ban status and the activated jails: fail2ban-client status
  • Para reiniciar la configuracion de una jaula/fo restarting the config of a jail: fail2ban-client reload sshd

More info here

ssh-server config

  • Hacer una copia de seguridad de la conf/Make a security back up copy of the conf: cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
  • Para ver que conexiones por ssh se han establecido/To see what connections have been achievd by SSH:

ss -n -o state established '( dport = :22 or sport = :22 )'

  • Revisar/Review: /etc/ssh/sshd_config:

Port 22XX MaxAuthTries 3 PubkeyAuthentication yes IgnoreRhosts yes PasswordAuthentication no PermitEmptyPasswords no UsePAM no X11Forwarding no ChallengeResponseAuthentication no PermitRootLogin no // PermitRootLogin without-password Protocolo 2 StrictModes yes

  1. Logging

SyslogFacility AUTH LogLevel INFO

  • Por buscar/To look for:

PrintMotd no --> esto te muestra el mensaje de inicio/this shows you the message at the beginning AcceptEnv LANG LC_* lo dejo por defecto/Let it by default ChallengeResponseAuthentication no -> tiene que estar a no/should be as no

  • Cambiar Port 22XX - acordarse de abrir el firewall y poner el nuevo puerto en fail2ban/Change Port 22XX - remember to open the firewall and put new port in fail2ban
  • Para checkear si la configuracion esta bien, antes de reiniciar/ For checking th configuration is fine before restarting: sshd -t
  • Para aplicar cambios/For applying changes: service sshd restart

Configuracion security Debian server

  • limit the access to ssh-key connections

copiar tu llave al servidor: > ssh-copy-id -i user@server

Cambiar la configuracion para solo permitir conexiones con ssh-keys

> nano /etc/ssh/sshd_config

Modify or add the following line > PasswordAuthentication no

  • change the port for ssh
  • use fail2ban (Which jails are important to enable? sshd, I've seen you have much more! )
  • change the info of the server Apache is giving with ServerTokens and ServerSignature

Open up /etc/apache2/conf.d/security Set ServerTokens OS to Prod. Turn ServerSignature to Off. Restart Apache web server.

  • Stop/avoid portmapper
  • iptables enabled (together with fail2ban)
  • what more? network wrappers?