Security checklist for feminist servers
Checklist for security on a feminist server:
General recommendations
- Enable unattended-upgrades
- Enable ufw; allow the SSH port (and any new port you move SSH to)
- SSH server: allow logins only with keys, no passwords (PasswordAuthentication no)
- Change the SSH port / remember to run ufw allow for the new port
- Disallow root login (PermitRootLogin no)
- Activate fail2ban / configure the new SSH port in its sshd jail
- Activate tools like chkrootkit, rkhunter, etckeeper
- Allow only TLSv1.2 (and 1.3 where available); disable 1.0 and 1.1
- For each installed piece of software or service, check file permissions and allow only the minimum needed
- Backend services: if installing MySQL, MongoDB, LDAP, etc., check that they listen only on localhost, not on external interfaces
- Apache: include security headers and a CSP in the vhost configuration + install and configure some software in containers on the host (e.g. apache2 in LXC)
- Notifications: configure a daily mail report sent to the sysadmins
- Logging: Logwatch + configure what to log and what not to log
- Security for containers, depending on the service
More info in Parte IV - Securicemos nuestra servidora web by La Bekka
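A quick way to verify the "listen only on localhost" point for MySQL, MongoDB, LDAP and friends (and the portmapper point further down) is to audit the listening sockets. The script below is an added example, not part of the original checklist or of La Bekka's guide. It runs over a constructed `ss -lntu` sample embedded in the script (swap in real output on a server), and the allow list of public ports (22, 80, 443) is an assumption for this host.

```bash
#!/usr/bin/env bash
# Added example: find services listening on all interfaces instead of localhost.
# Input format is the output of `ss -lntuH` (listening TCP/UDP, numeric, no header);
# on older iproute2 use `ss -lntu | tail -n +2`.

# Constructed sample output (not from a real host). Replace with: ss -lntuH
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:27017     0.0.0.0:*
tcp   LISTEN 0      128            [::1]:389          [::]:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*'

# Assumption for this host: only SSH, HTTP and HTTPS may face the network.
PUBLIC_OK_PORTS="22 80 443"

# Reads ss output on stdin; prints "<proto> <port> <local address>" for every
# socket that is reachable from outside and not on the allow list.
audit_listeners() {
  awk -v ok="$PUBLIC_OK_PORTS" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
    NF >= 5 {
      proto = $1; laddr = $5
      port = laddr; sub(/.*:/, "", port)        # text after the last colon
      addr = laddr; sub(/:[^:]*$/, "", addr)    # everything before it
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
      if (port in allowed) next                 # meant to be public
      print proto, port, laddr
    }'
}

# Run over the constructed sample: ports 27017 and 111 are the exposed ones.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners
```

Anything the script prints is either a service that should be bound to 127.0.0.1 in its own configuration (bind-address in MySQL, bindIp in MongoDB, and so on) or a port that belongs on the ufw allow list.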
Fail2ban
- failregex
->> defines the rule, as a regular expression, in the filter
- regex
->> regular expression
- /etc/fail2ban/filter.d/
->> the filters live here
->> filters have to exist so that fail2ban can use them and then execute actions
->> fail2ban currently ships filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix and Courier Mail Server
->> Filters are written as Python regular expressions that define the rule which will trigger a given action against the IP that produced the event. The tuple (rule, action) or (filter, action) is called a "jail", and it is what determines the penalty applied to a malicious host.
- /var/log/fail2ban.log
->> where the fail2ban logs can be read
- sudo grep 'Ban' /var/log/fail2ban.log
->> see which IPs have been banned
- fail2ban-client status sshd
->> review the bans per jail (the jail is called sshd in current configs; older Debian configs named it ssh)
- sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'
->> another nice way of seeing it: lists the REJECT rules that fail2ban's default iptables action adds (if your fail2ban is set up with nftables, look at nft list ruleset instead)
- fail2ban-client status
->> see the fail2ban status and the active jails
- fail2ban-client reload sshd
->> reload the configuration of a jail
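To make the (filter, action) idea concrete, here is an added example, not from the original page and not fail2ban's own code, that replays the jail logic in plain awk over a few constructed auth.log lines: a simplified sshd-style failregex counts failures per IP, and hosts reaching maxretry get the ban action, printed as a dry-run ufw command instead of executed. maxretry=3 is an illustrative value; fail2ban's own default is 5. On a real host, test the real filter with `fail2ban-regex /var/log/auth.log sshd` instead.

```bash
#!/usr/bin/env bash
# Added example: the (filter, action) jail idea replayed in awk, as a dry run.
# Not fail2ban's own code. On a real host test the real filter with:
#   fail2ban-regex /var/log/auth.log sshd

# Constructed /var/log/auth.log lines (not from a real server).
SAMPLE_AUTH_LOG='Mar  3 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:05 srv sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Mar  3 10:00:07 srv sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 srv sshd[1209]: Failed password for invalid user git from 203.0.113.7 port 51242 ssh2
Mar  3 10:00:11 srv sshd[1211]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2: ED25519 SHA256:c0nstructed
Mar  3 10:00:13 srv sshd[1213]: Failed password for alice from 198.51.100.20 port 40002 ssh2
Mar  3 10:00:15 srv sshd[1215]: Invalid user bob from 192.0.2.9 port 2222'

# Illustrative value; fail2ban's default maxretry is 5 (set in jail.local).
MAXRETRY=3

# Filter half: a simplified sshd-style failregex. Every matching line counts
# one failure for the address after "from" (fail2ban's <HOST>).
# Output: "<ip> <failures>" per host, sorted.
count_failures() {
  awk '
    /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
      for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
    }
    END { for (ip in hits) print ip, hits[ip] }' | LC_ALL=C sort
}

# Action half: hosts with >= MAXRETRY failures get the ban action. Here the
# action is printed, not run; fail2ban would execute its banaction instead.
jail() {
  count_failures | awk -v max="$MAXRETRY" '
    $2 >= max { print "BAN " $1 " (" $2 " failures): ufw insert 1 deny from " $1 }'
}

# Dry run over the constructed log: only 203.0.113.7 reaches the threshold.
printf '%s\n' "$SAMPLE_AUTH_LOG" | jail
```

Note what the successful "Accepted publickey" line does not do: it never touches the counter, which is why a legitimate user with one typo (198.51.100.20) stays well under the threshold while the brute-forcer is banned.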
ssh-server config
- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
--> make a backup copy of the config
- ss -n -o state established '( dport = :22 or sport = :22 )'
--> see which SSH connections are established (use your new port instead of 22 if you changed it)
- Review: /etc/ssh/sshd_config
Port 22XX
MaxAuthTries 3
PubkeyAuthentication yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no
X11Forwarding no
ChallengeResponseAuthentication no
PermitRootLogin no
Protocol 2
StrictModes yes
# Logging
SyslogFacility AUTH
LogLevel INFO
--> PermitRootLogin: use no. The alternative without-password (called prohibit-password in current OpenSSH) only makes sense if root must stay reachable with a key; set one or the other, not both.
--> UsePAM no: Debian's default is UsePAM yes, and its packaged sshd_config notes that the way to keep PAM account and session handling while blocking password logins is UsePAM yes together with PasswordAuthentication no and ChallengeResponseAuthentication no. Decide deliberately.
--> Protocol 2: SSH protocol 1 was removed from the server in OpenSSH 7.4, so this line is only needed on old servers; newer sshd treats the option as deprecated.
--> ChallengeResponseAuthentication is named KbdInteractiveAuthentication from OpenSSH 8.7 on; the old name still works as an alias.
- To look for:
PrintMotd no --> controls the message shown at login
AcceptEnv LANG LC_* --> leave at the default
ChallengeResponseAuthentication no --> must be no
--> Change Port 22XX: remember to open the new port in the firewall and set it in the fail2ban sshd jail (port =)
- sshd -t
--> check that the configuration is valid before restarting
- service sshd restart
--> apply the changes (on Debian the unit is called ssh; sshd works as an alias)
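Rather than eyeballing sshd_config, the settings listed above can be checked mechanically. The script below is an added example, not from the original page and not OpenSSH's code; it audits a constructed sshd_config fragment embedded inline and reports every setting that deviates from the list. It implements two rules that are easy to get wrong by hand: sshd honours the first occurrence of a keyword and ignores later duplicates, and everything after a Match line is conditional, so the audit stops there. Commented-out lines count as absent and the OpenSSH default is used instead.

```bash
#!/usr/bin/env bash
# Added example: audit sshd_config against the checklist above. Not OpenSSH's
# or the original page's code.

# Constructed sshd_config fragment with deliberate weak spots (not a real host).
SAMPLE_SSHD_CONFIG='# Example config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding yes
MaxAuthTries 6
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes'

# Reads an sshd_config on stdin and prints one finding per line, sorted.
# Rules implemented: keywords are case-insensitive; sshd keeps the FIRST value
# of a repeated keyword; lines after "Match" are conditional and are skipped;
# commented or missing keywords fall back to the OpenSSH default.
audit_sshd_config() {
  awk '
    BEGIN {
      # Values the checklist wants ("|" separates acceptable alternatives).
      want["passwordauthentication"]          = "no"
      want["permitemptypasswords"]            = "no"
      want["challengeresponseauthentication"] = "no"
      want["x11forwarding"]                   = "no"
      want["pubkeyauthentication"]            = "yes"
      want["ignorerhosts"]                    = "yes"
      want["strictmodes"]                     = "yes"
      want["permitrootlogin"]                 = "no|prohibit-password|without-password"
      # OpenSSH defaults used when the keyword is absent.
      def["passwordauthentication"]          = "yes"
      def["permitemptypasswords"]            = "no"
      def["challengeresponseauthentication"] = "yes"
      def["x11forwarding"]                   = "no"
      def["pubkeyauthentication"]            = "yes"
      def["ignorerhosts"]                    = "yes"
      def["strictmodes"]                     = "yes"
      def["permitrootlogin"]                 = "prohibit-password"
      def["maxauthtries"]                    = "6"
      def["port"]                            = "22"
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
    {
      key = tolower($1)
      if (key == "match") exit                      # END still runs
      val = ($2 == "=") ? $3 : $2                   # "Key value" or "Key = value"
      if (!(key in got)) got[key] = tolower(val)    # first occurrence wins
    }
    END {
      for (k in want) {
        v   = (k in got) ? got[k] : def[k]
        src = (k in got) ? "set" : "default"
        if (index("|" want[k] "|", "|" v "|") == 0)
          print k " is " v " (" src "), want " want[k]
      }
      v = ("maxauthtries" in got) ? got["maxauthtries"] : def["maxauthtries"]
      if (v + 0 > 3) print "maxauthtries is " v ", want <= 3"
      v = ("port" in got) ? got["port"] : def["port"]
      if (v == "22") print "port is 22, checklist says move SSH to a non-default port"
    }' | LC_ALL=C sort
}

# Run over the constructed fragment: expect findings for password auth (the
# first "yes" wins over the later "no"), root login, X11, MaxAuthTries and Port.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config
```

On a real server run it as `sudo audit_sshd_config < /etc/ssh/sshd_config`, and still finish with `sshd -t` before restarting, since this script checks the checklist values only, not syntax.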
Security configuration for a Debian server
- Limit access to ssh-key connections
- Copy your key to the server: ssh-copy-id -i user@server
- Change the configuration to only allow connections with ssh keys: nano /etc/ssh/sshd_config
Modify or add the following line: PasswordAuthentication no
- Change the port for SSH
- Use fail2ban (Which jails are important to enable? sshd, I've seen you have much more!)
- Change the information Apache gives out with ServerTokens and ServerSignature
Open /etc/apache2/conf.d/security (on Apache 2.4 / current Debian: /etc/apache2/conf-available/security.conf)
Set ServerTokens from OS to Prod
Turn ServerSignature Off
Restart the Apache web server.
- Stop/avoid portmapper (rpcbind)
- iptables enabled (together with fail2ban)