Check list security for feminist servers

From Anarchaserver

Checklist for security on a feminist server:

General recomendations

  • Active unattended upgrades
  • ufw / allow new port ssh
  • SSH server: Allow ssh only with key, no password PasswordAuthentication no
  • Change the port / remember add ufw allow new port ssh
  • Disallow login with root ( PermitRootLogin no)
  • Activate fail2ban. /configura new port ssh
  • Activate things like chkrootkit rkhunter etckeeper
  • Allow only TLSv 1.2 (no 1.0 y 1.1)
  • For software or service installed check file permissions and allow minimal needed
  • External services: If installing mysql, mongodb, ldap etc check that only uses localhost.
  • Apache: Include Security header and CSP in vhost configuration + Install and configure some softwares on the host : apache2 LXC
  • Notifications: Configure an everyday mail report sent to sysadmins
  • Logging: Logwatch + Configure what to log and what not
  • Security for containers depending on the service

Fail2ban

  • failregex = fail reg ex ->> define la regla con expresiones regulares en el filtro/define the rule with regular expression in the filter

regex = expresión regular/frequent expression

los filtros están en/the filters are in: /etc/fail2ban/filter.d/

es necesario crear filtros para que fail2ban las utilice para luego ejecutar acciones/ it is necessary to create filters so that fail2ban can use them for executing actions

Actualmente fail2ban establece filtros para Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server/ Actually fail2ban can create filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server

Los filtros son escritos con expresiones regulares de Python que establecen la regla que hará disparar una determinada acción sobre la IP que origina el hecho. La tupla (regla, acción) o (filtro, acción) es llamado “Jail” o “prisión”, y es lo que determina la penalización a un host maligno/ The filters are written with regular expressions from Python that establishes rules that will start a specific action from the IP that is creating the act. The "tupla" (rule, action) or (filter, action) is called “Jail”and it is what determines the penalisation of a malign host.

los logs de fail2ban se pueden ver en/you can see the logs of fail2ban here: > /var/log/fail2ban.log

para ver que ips has sido baneadas/you can see the banned ips here: > sudo cat /var/log/fail2ban.log | grep 'Ban'

revisarlas por jails/or you can review the jails here: > fail2ban-client status ssh

[[ https://serverfault.com/questions/841183/how-to-show-all-banned-ip-with-fail2ban%7CMas/More info here]]

Otra manera guay de verlo es/ Another nice way of seeing it: sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'

Para ver el estado de fail2ban y las jaulas activadas/to see the fail2ban status and the activated jails: > fail2ban-client status

Para reiniciar la configuracion de una jaula/fo restarting the config of a jail: > fail2ban-client reload sshd

ssh-server config

Hacer una copia de seguridad de la conf/Make a security back up copy of the conf: cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk

Para ver que conexiones por ssh se han establecido/To check which connections have been achievd by SSH: ss -n -o state established '( dport = :22 or sport = :22 )'

Revisar/Review: /etc/ssh/sshd_config:

Port 22XX MaxAuthTries 3 PubkeyAuthentication yes IgnoreRhosts yes PasswordAuthentication no PermitEmptyPasswords no UsePAM no X11Forwarding no ChallengeResponseAuthentication no PermitRootLogin no // PermitRootLogin without-password Protocolo 2

StrictModes yes

  1. Logging

SyslogFacility AUTH LogLevel INFO

Por buscar/To look for: PrintMotd no --> esto te muestra el mensaje de inicio/this shows you the message at the beginning AcceptEnv LANG LC_* lo dejo por defecto/let it by default ChallengeResponseAuthentication no -> tiene que estar a no/should be as no

Cambiar Port 22XX - acordarse de abrir el firewall y poner el nuevo puerto en fail2ban/ Change Port 22XX - remember to open the firewall and put new port in fail2ban

Para checkear si la configuracion esta bien, antes de reiniciar/ For checking th configuration is fine before restarting: sshd -t

Para aplicar cambios/ For applying changes: service sshd restart

Configuracion security Debian server

  • limit the access to ssh-key connections

copiar tu llave al servidor: > ssh-copy-id -i user@server

Cambiar la configuracion para solo permitir conexiones con ssh-keys

> nano /etc/ssh/sshd_config

Modify or add the following line > PasswordAuthentication no

  • change the port for ssh
  • use fail2ban (Which jails are important to enable? sshd, I've seen you have much more! )
  • change the info of the server Apache is giving with ServerTokens and ServerSignature

Open up /etc/apache2/conf.d/security Set ServerTokens OS to Prod. Turn ServerSignature to Off. Restart Apache web server.

  • Stop/avoid portmapper
  • iptables enabled (together with fail2ban)
  • what more? network wrappers?