Difference between revisions of "Check list security for feminist servers"

From Anarchaserver
 
(14 intermediate revisions by 2 users not shown)
Line 17: Line 17:
* Logging: Logwatch + Configure what to log and what not
* Logging: Logwatch + Configure what to log and what not
* Security for containers depending on the service
* Security for containers depending on the service
[https://labekka.red/servidoras-feministas/2019/10/09/fanzine-parte-4.html More info en Parte IV - Securicemos nuestra servidora web por La Bekka]


== Fail2ban ==
== Fail2ban ==


* failregex = fail reg ex ->> define la regla con expresiones regulares en el filtro/define the rule with regular expression in the filter
* failregex = fail reg ex  
* regex = expresión regular/frequent expression
->> define la regla con expresiones regulares en el filtro
* los filtros están en/the filters are in: /etc/fail2ban/filter.d/
 
* es necesario crear filtros para que fail2ban las utilice para luego ejecutar acciones/
->> define the rule with regular expression in the filter
it is necessary to create filters so that fail2ban can use them for executing actions
 
* Actualmente fail2ban establece filtros para Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server/Actually fail2ban can create filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server
 
* Los filtros son escritos con expresiones regulares de Python que establecen la regla que hará disparar una determinada acción sobre la IP que origina el hecho. La tupla (regla, acción) o (filtro, acción) es llamado “Jail” o “prisión”, y es lo que determina la penalización a un host maligno/The filters are written with regular expressions from Python that establishes rules that will start a specific action from the IP that is creating the act. The "tupla" (rule, action) or (filter, action) is called “Jail”and it is what determines the penalisation of a malign host.
* regex  
* Los logs de fail2ban se pueden ver en/you can see the logs of fail2ban here:
= expresión regular
> /var/log/fail2ban.log
 
* Para ver que ips has sido baneadas/you can see the banned ips here:
= frequent expression
> sudo cat /var/log/fail2ban.log | grep 'Ban'
 
* Revisarlas por jails/or you can review the jails here:
 
> fail2ban-client status ssh
* /etc/fail2ban/filter.d/
* Otra manera guay de verlo es/Another nice way of seeing it:
->> los filtros están aqui
sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'
 
* Para ver el estado de fail2ban y las jaulas activadas/to see the fail2ban status and the activated jails:
->> the filters are here
> fail2ban-client status
 
* Para reiniciar la configuracion de una jaula/fo restarting the config of a jail:
 
> fail2ban-client reload sshd
*  
->> es necesario crear filtros para que fail2ban las utilice para luego ejecutar acciones
 
->> It is necessary to create filters so that fail2ban can use them for executing actions
 
->> Actualmente fail2ban establece filtros para Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server
 
->> Actually fail2ban can create filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server
 
->> Los filtros son escritos con expresiones regulares de Python que establecen la regla que hará disparar una determinada acción sobre la IP que origina el hecho. La tupla (regla, acción) o (filtro, acción) es llamado “Jail” o “prisión”, y es lo que determina la penalización a un host maligno
 
->> The filters are written with regular expressions from Python that establishes rules that will start a specific action from the IP that is creating the act. The "tupla" (rule, action) or (filter, action) is called “Jail”and it is what determines the penalisation of a malign host.
 
 
* /var/log/fail2ban.log
->> Los logs de fail2ban se pueden ver  
 
->> you can see the logs of fail2ban
 
 
* sudo cat /var/log/fail2ban.log | grep 'ban'
->> ver que ips has sido baneadas
 
->> you can see the banned ips
 
 
* fail2ban-client status ssh
->> Revisarlas por jails
 
->> Review the jails  
 
 
* sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'
->> Otra manera guay de verlo es
 
->> Another nice way of seeing it
 
 
* fail2ban-client status
->> Para ver el estado de fail2ban y las jaulas activadas
 
->> to see the fail2ban status and the activated jails
 
 
* fail2ban-client reload sshd
->> Para reiniciar la configuracion de una jaula
 
->> for restarting the config of a jail


[https://serverfault.com/questions/841183/how-to-show-all-banned-ip-with-fail2ban| More info here]
[https://serverfault.com/questions/841183/how-to-show-all-banned-ip-with-fail2ban| More info here]


== ssh-server config ==
== ssh-server config ==
* cp  /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
--> Hacer una copia de seguridad de la conf
--> Make a security back up copy of the conf
* ss -n -o state established '( dport = :22 or sport = :22 )'
--> Para ver que conexiones por ssh se han establecido


Hacer una copia de seguridad de la conf/Make a security back up copy of the conf:
--> To see what connections have been achievd by SSH
cp  /etc/ssh/sshd_config /etc/ssh/sshd_config.bk


Para ver que conexiones por ssh se han establecido/To check which connections have been achievd by SSH:
ss -n -o state established '( dport = :22 or sport = :22 )'


Revisar/Review:  
* Revisar/Review: /etc/ssh/sshd_config
/etc/ssh/sshd_config:


Port 22XX
Port 22XX
MaxAuthTries 3
MaxAuthTries 3
PubkeyAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
IgnoreRhosts yes
PasswordAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
PermitEmptyPasswords no
UsePAM no
UsePAM no
X11Forwarding no
X11Forwarding no
ChallengeResponseAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no // PermitRootLogin without-password
 
PermitRootLogin no  
 
PermitRootLogin without-password
 
Protocolo 2
Protocolo 2


StrictModes yes
StrictModes yes
# Logging
 
Logging
 
SyslogFacility AUTH
SyslogFacility AUTH
LogLevel INFO
LogLevel INFO


Por buscar/To look for:
* Por buscar/To look for:  
PrintMotd no --> esto te muestra el mensaje de inicio/this shows you the message at the beginning
PrintMotd no --> esto te muestra el mensaje de inicio/this shows you the message at the beginning
AcceptEnv LANG LC_* lo dejo por defecto/let it by default
 
AcceptEnv LANG LC_* lo dejo por defecto/Let it by default
 
ChallengeResponseAuthentication no -> tiene que estar a no/should be as no
ChallengeResponseAuthentication no -> tiene que estar a no/should be as no


Cambiar Port 22XX - acordarse de abrir el firewall y poner el nuevo puerto en fail2ban/
*
Change Port 22XX - remember to open the firewall and put new port in fail2ban
--> Cambiar Port 22XX - acordarse de abrir el firewall y poner el nuevo puerto en fail2ban
 
--> Change Port 22XX - remember to open the firewall and put new port in fail2ban


Para checkear si la configuracion esta bien, antes de reiniciar/
For checking th configuration is fine before restarting:
sshd -t


Para aplicar cambios/
* sshd -t
For applying changes:
--> Para checkear si la configuracion esta bien, antes de reiniciar
service sshd restart


== Configuracion security Debian server ==
--> For checking th configuration is fine before restarting


* limit  the access to ssh-key connections


copiar tu llave al servidor:
*  service sshd restart
> ssh-copy-id -i user@server
--> Para aplicar cambios


Cambiar la configuracion para solo permitir conexiones con ssh-keys
--> For applying changes:


> nano /etc/ssh/sshd_config
== Configuracion security Debian server ==


Modify or add the following line
* Limita el acceso/limit the access to ssh-key connections
> PasswordAuthentication no
* Copia tu llave al servidor/Copy your key to the server: > ssh-copy-id -i user@server
* Cambiar la configuración para solo permitir conexiones con ssh-keys/Change the configuration for only allowing conections with ssh-keys: nano /etc/ssh/sshd_config
 
Modify or add the following line: PasswordAuthentication no


* change the port for ssh
* change the port for ssh
* use fail2ban (Which jails are important to enable? sshd, I've seen you have much more! )
* use fail2ban (Which jails are important to enable? sshd, I've seen you have much more! )


* change the info of the server Apache is giving with ServerTokens and ServerSignature
* change the info of the server Apache is giving with ServerTokens and ServerSignature
Open up /etc/apache2/conf.d/security
Open up /etc/apache2/conf.d/security
Set ServerTokens OS to Prod.
 
Turn ServerSignature to Off.
Set ServerTokens OS to Prod
 
Turn ServerSignature to Off
 
Restart Apache web server.
Restart Apache web server.


Line 113: Line 186:


* iptables enabled (together with fail2ban)
* iptables enabled (together with fail2ban)
* what more?  network wrappers?

Latest revision as of 18:31, 14 April 2021

Checklist for security on a feminist server:

General recomendations

  • Active unattended upgrades
  • ufw / allow new port ssh
  • SSH server: Allow ssh only with key, no password PasswordAuthentication no
  • Change the port / remember add ufw allow new port ssh
  • Disallow login with root ( PermitRootLogin no)
  • Activate fail2ban. /configura new port ssh
  • Activate things like chkrootkit rkhunter etckeeper
  • Allow only TLSv 1.2 (no 1.0 y 1.1)
  • For software or service installed check file permissions and allow minimal needed
  • External services: If installing mysql, mongodb, ldap etc check that only uses localhost.
  • Apache: Include Security header and CSP in vhost configuration + Install and configure some softwares on the host : apache2 LXC
  • Notifications: Configure an everyday mail report sent to sysadmins
  • Logging: Logwatch + Configure what to log and what not
  • Security for containers depending on the service

More info en Parte IV - Securicemos nuestra servidora web por La Bekka

Fail2ban

  • failregex = fail reg ex

->> define la regla con expresiones regulares en el filtro

->> define the rule with regular expression in the filter


  • regex

= expresión regular

= frequent expression


  • /etc/fail2ban/filter.d/

->> los filtros están aqui

->> the filters are here


->> es necesario crear filtros para que fail2ban las utilice para luego ejecutar acciones

->> It is necessary to create filters so that fail2ban can use them for executing actions

->> Actualmente fail2ban establece filtros para Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server

->> Actually fail2ban can create filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix y Courier Mail Server

->> Los filtros son escritos con expresiones regulares de Python que establecen la regla que hará disparar una determinada acción sobre la IP que origina el hecho. La tupla (regla, acción) o (filtro, acción) es llamado “Jail” o “prisión”, y es lo que determina la penalización a un host maligno

->> The filters are written with regular expressions from Python that establishes rules that will start a specific action from the IP that is creating the act. The "tupla" (rule, action) or (filter, action) is called “Jail”and it is what determines the penalisation of a malign host.


  • /var/log/fail2ban.log

->> Los logs de fail2ban se pueden ver

->> you can see the logs of fail2ban


  • sudo cat /var/log/fail2ban.log | grep 'ban'

->> ver que ips has sido baneadas

->> you can see the banned ips


  • fail2ban-client status ssh

->> Revisarlas por jails

->> Review the jails


  • sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'

->> Otra manera guay de verlo es

->> Another nice way of seeing it


  • fail2ban-client status

->> Para ver el estado de fail2ban y las jaulas activadas

->> to see the fail2ban status and the activated jails


  • fail2ban-client reload sshd

->> Para reiniciar la configuracion de una jaula

->> for restarting the config of a jail

More info here

ssh-server config

  • cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk

--> Hacer una copia de seguridad de la conf

--> Make a security back up copy of the conf


  • ss -n -o state established '( dport = :22 or sport = :22 )'

--> Para ver que conexiones por ssh se han establecido

--> To see what connections have been achievd by SSH


  • Revisar/Review: /etc/ssh/sshd_config

Port 22XX

MaxAuthTries 3

PubkeyAuthentication yes

IgnoreRhosts yes

PasswordAuthentication no

PermitEmptyPasswords no

UsePAM no

X11Forwarding no

ChallengeResponseAuthentication no

PermitRootLogin no

PermitRootLogin without-password

Protocolo 2

StrictModes yes

Logging

SyslogFacility AUTH

LogLevel INFO

  • Por buscar/To look for:

PrintMotd no --> esto te muestra el mensaje de inicio/this shows you the message at the beginning

AcceptEnv LANG LC_* lo dejo por defecto/Let it by default

ChallengeResponseAuthentication no -> tiene que estar a no/should be as no

--> Cambiar Port 22XX - acordarse de abrir el firewall y poner el nuevo puerto en fail2ban

--> Change Port 22XX - remember to open the firewall and put new port in fail2ban


  • sshd -t

--> Para checkear si la configuracion esta bien, antes de reiniciar

--> For checking th configuration is fine before restarting


  • service sshd restart

--> Para aplicar cambios

--> For applying changes:

Configuracion security Debian server

  • Limita el acceso/limit the access to ssh-key connections
  • Copia tu llave al servidor/Copy your key to the server: > ssh-copy-id -i user@server
  • Cambiar la configuración para solo permitir conexiones con ssh-keys/Change the configuration for only allowing conections with ssh-keys: nano /etc/ssh/sshd_config

Modify or add the following line: PasswordAuthentication no

  • change the port for ssh
  • use fail2ban (Which jails are important to enable? sshd, I've seen you have much more! )
  • change the info of the server Apache is giving with ServerTokens and ServerSignature

Open up /etc/apache2/conf.d/security

Set ServerTokens OS to Prod

Turn ServerSignature to Off

Restart Apache web server.

  • Stop/avoid portmapper
  • iptables enabled (together with fail2ban)