Difference between revisions of "Check list security for feminist servers"
From Anarchaserver
Revision as of 14:59, 3 October 2020
Checklist for security on a feminist server:
General recommendations
- Activate unattended upgrades.
- ufw: enable the firewall and allow the SSH port (if you change the SSH port, allow the new one first).
- SSH server: allow key-based login only, no passwords (PasswordAuthentication no).
- Change the SSH port, and remember to add the new port in ufw before restarting sshd.
- Disallow root login (PermitRootLogin no).
- Activate fail2ban and configure it for the new SSH port.
- Activate tools such as chkrootkit, rkhunter and etckeeper.
- Allow only TLS 1.2 (and 1.3 where available); disable 1.0 and 1.1.
- For every installed piece of software or service, check file permissions and grant only the minimum needed.
- Other services: if installing mysql, mongodb, ldap etc., check that they listen only on localhost.
- Apache: include security headers and a CSP in the vhost configuration; consider running some services on the host (e.g. apache2) inside LXC containers.
- Notifications: configure a daily mail report sent to the sysadmins.
- Logging: Logwatch; configure what to log and what not to log.
- Container security, depending on the service.
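To check the SSH items of this list against an existing sshd_config, here is an added Python example (not code from this wiki). It parses the global section of an sshd_config the way sshd does (keywords are case-insensitive, the first value of a keyword wins, everything after a Match line is conditional) and reports which checklist items fail, plus a reminder when the port is not 22. The two configs inside it are constructed for illustration, and the defaults table covers only the keywords audited.

```python
"""Audit the global section of an sshd_config against the SSH checklist items.

Added example for this checklist, not code from the wiki. The two sample
configs at the bottom are constructed for illustration.
"""
import re

# Checklist expectations: keyword (lower-case) -> required value.
REQUIRED = {
    "passwordauthentication": "no",    # key-based login only
    "permitrootlogin": "no",           # no direct root login
    "pubkeyauthentication": "yes",     # keys must remain enabled
}

# OpenSSH defaults that apply when a keyword is absent (only the ones audited here).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "port": "22",
}


def parse_sshd_config(text):
    """Return {keyword: [value, ...]} for the global section of an sshd_config.

    Follows sshd's parsing rules: keywords are case-insensitive, lines whose
    first non-blank character is '#' are comments, 'Keyword value' and
    'Keyword=value' are both accepted, and everything after the first 'Match'
    line is conditional, so it is excluded from the global settings.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, []).append(value)
    return settings


def effective(settings, key):
    """sshd keeps the FIRST occurrence of a keyword; later duplicates are ignored."""
    return settings.get(key, [DEFAULTS[key]])[0]


def audit_sshd_config(text):
    """Return {'failures': [...], 'reminders': [...]} for the checklist.

    failures: checklist items not met.  reminders: a non-default Port, which
    needs a matching 'ufw allow' rule and 'port = N' in the fail2ban sshd jail.
    """
    settings = parse_sshd_config(text)
    failures = []
    for key, wanted in REQUIRED.items():
        got = effective(settings, key).lower()
        if got != wanted:
            failures.append(f"{key} is '{got}', expected '{wanted}'")
    reminders = []
    for port in settings.get("port", [DEFAULTS["port"]]):   # Port may be repeated
        if port != "22":
            reminders.append(
                f"ssh listens on {port}: run 'ufw allow {port}/tcp' before restarting "
                f"sshd, and set port = {port} in the fail2ban [sshd] jail")
    return {"failures": failures, "reminders": reminders}


# Constructed sample: Debian-like defaults with password logins still enabled.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample after applying the checklist. The second
# PasswordAuthentication line is ignored by sshd because the first wins, and
# the Match block is conditional, so it does not weaken the global setting.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

Run it against a copy of /etc/ssh/sshd_config to see which items still need fixing; an empty result list for `failures` means the three SSH items of the checklist are met.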
Fail2ban
- failregex: defines, as a regular expression in the filter, the rule that a log line must match to count as a failure.
regex = regular expression
The filters live in /etc/fail2ban/filter.d/
Filters need to exist so that fail2ban can use them and then execute actions.
- fail2ban currently ships filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix and Courier Mail Server.
- Filters are written as Python regular expressions that set the rule which triggers a given action against the IP that caused the event. The pair (rule, action) or (filter, action) is called a "jail", and it is what determines the penalty applied to a malicious host.
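As an added example (not fail2ban's own code) of how a filter's failregex and a jail's maxretry/findtime settings combine into a ban decision: the script below expands the `<HOST>` placeholder to a simplified IPv4 pattern, applies a failregex modelled on the sshd filter to constructed auth.log lines, and bans a host once it accumulates maxretry failures within findtime seconds. The defaults of jail.conf (maxretry 5, findtime 10 minutes) are used as function defaults; the year assumed for the syslog timestamps is 2020 and the addresses are from the TEST-NET documentation ranges.

```python
"""Mini fail2ban jail: failregex filter + maxretry/findtime threshold -> ban.

Added example, not fail2ban's own code. The <HOST> expansion is simplified
to IPv4 only, syslog timestamps are parsed with an assumed year, and the
auth.log lines at the bottom are constructed (TEST-NET addresses).
"""
import re
from datetime import datetime

# failregex in the style of /etc/fail2ban/filter.d/sshd.conf (simplified).
FAILREGEX = r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2"

# fail2ban substitutes <HOST> with its own host pattern (IPv4, IPv6 or hostname);
# this example only handles IPv4 (an assumption, not fail2ban's real pattern).
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Shape of a line: "Oct  3 14:59:01 server sshd[1201]: message"
SYSLOG_LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_line(line, year=2020):
    """Return (timestamp, message) or None for lines that are not syslog-shaped."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["msg"]


def find_bans(lines, failregex=FAILREGEX, maxretry=5, findtime=600):
    """Return {host: ban timestamp} for hosts reaching maxretry matches inside a
    findtime-second window. Defaults mirror jail.conf (5 failures in 10 minutes)."""
    pattern = compile_failregex(failregex)
    recent = {}   # host -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = pattern.search(msg)
        if m is None:
            continue                 # line does not match the filter
        host = m["host"]
        if host in bans:
            continue                 # already banned; the action blocks it now
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = ts          # filter matched maxretry times: fire the action
    return bans


# Constructed auth.log excerpt: one brute-forcer (5 failures in 5 seconds), one
# user with 3 typos, and one slow attacker (5 failures spread over 20 minutes).
SAMPLE_LOG = """\
Oct  3 14:59:01 server sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  3 14:59:02 server sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Oct  3 14:59:03 server sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Oct  3 14:59:04 server sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Oct  3 14:59:05 server sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Oct  3 14:59:06 server sshd[1206]: Failed password for invalid user admin from 203.0.113.5 port 51239 ssh2
Oct  3 15:00:00 server sshd[1207]: Accepted publickey for alex from 198.51.100.7 port 40000 ssh2
Oct  3 15:00:10 server sshd[1208]: Failed password for alex from 198.51.100.7 port 40001 ssh2
Oct  3 15:00:20 server sshd[1209]: Failed password for alex from 198.51.100.7 port 40002 ssh2
Oct  3 15:00:30 server sshd[1210]: Failed password for alex from 198.51.100.7 port 40003 ssh2
Oct  3 15:10:00 server sshd[1211]: Failed password for root from 192.0.2.9 port 50000 ssh2
Oct  3 15:15:00 server sshd[1212]: Failed password for root from 192.0.2.9 port 50001 ssh2
Oct  3 15:20:00 server sshd[1213]: Failed password for root from 192.0.2.9 port 50002 ssh2
Oct  3 15:25:00 server sshd[1214]: Failed password for root from 192.0.2.9 port 50003 ssh2
Oct  3 15:30:00 server sshd[1215]: Failed password for root from 192.0.2.9 port 50004 ssh2
"""

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.5 is banned: the slow attacker never has more than three failures inside any 10-minute window, which is exactly why findtime matters when you tune a jail. Lowering maxretry to 3 bans all three hosts. To test a real filter the same way, use `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines the failregex matched.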
fail2ban's logs can be read at: > /var/log/fail2ban.log
To see which IPs have been banned:
> sudo grep 'Ban' /var/log/fail2ban.log
or check them per jail (the jail is named sshd in current fail2ban; older Debian configs called it ssh):
> sudo fail2ban-client status sshd
More at https://serverfault.com/questions/841183/how-to-show-all-banned-ip-with-fail2ban
Another nice way to see them, when the ban action writes iptables REJECT rules (with an nftables ban action, use nft list ruleset instead):
> sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'
To see fail2ban's status and the enabled jails:
> sudo fail2ban-client status
To reload a jail's configuration:
> sudo fail2ban-client reload sshd