Difference between revisions of "Check list security for feminist servers"

From Anarchaserver
 
Latest revision as of 18:31, 14 April 2021

Checklist for security on a feminist server:

General recommendations

  • Activate unattended upgrades
  • ufw enabled, allowing the new SSH port
  • SSH server: allow SSH only with keys, no passwords (PasswordAuthentication no)
  • Change the SSH port, and remember to add it to ufw (ufw allow 22XX/tcp, with 22XX standing for your new port) before restarting sshd
  • Disallow login as root (PermitRootLogin no)
  • Activate fail2ban and configure the new SSH port in its sshd jail
  • Activate tools like chkrootkit, rkhunter and etckeeper
  • Allow only TLS 1.2 or newer (no 1.0 or 1.1)
  • For every piece of software or service installed, check the file permissions and allow the minimum needed
  • External services: if installing mysql, mongodb, ldap etc., check that they listen only on localhost
  • Apache: include security headers and a CSP in the vhost configuration. Install and configure some software on the host: apache2, LXC
  • Notifications: configure a daily mail report sent to the sysadmins
  • Logging: Logwatch, plus configure what to log and what not
  • Security for containers, depending on the service

More info in Part IV, "Securicemos nuestra servidora web" (Let's secure our web server), by La Bekka: https://labekka.red/servidoras-feministas/2019/10/09/fanzine-parte-4.html

Fail2ban

  • failregex = the rule, written as a regular expression, with which a filter recognises a failed attempt in a log line; the offending IP is captured by the <HOST> placeholder
  • regex = regular expression
  • /etc/fail2ban/filter.d/ = the filters live here. Fail2ban needs a filter for each service it watches, so that it can match the log lines and then execute actions. It ships with filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix and Courier Mail Server, among many others.

The filters are written as Python regular expressions that define the rule which triggers a given action against the IP that caused the event. The pair (rule, action), or (filter, action), is called a "jail", and it is what determines the penalty for a hostile host. The jail also sets the counting rule: maxretry matches from one IP within findtime seconds trigger the action, which lasts bantime seconds.

  • /var/log/fail2ban.log = the fail2ban logs are here
  • sudo grep ' Ban ' /var/log/fail2ban.log = see which IPs have been banned. Note the capital B: grep 'ban' matches every line, because each one contains "fail2ban". This is the history, so an IP that was unbanned later still shows up.
  • fail2ban-client status sshd = review the bans per jail. On Debian the jail is called sshd, not ssh (fail2ban-client status prints the names of the jails that exist).
  • sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"' = another nice way of seeing it, straight from the firewall. It only works when the jail's banaction is one of the iptables actions; with the nftables actions look at nft list ruleset instead.
  • fail2ban-client status = see the status of fail2ban and the enabled jails
  • fail2ban-client reload sshd = reload the configuration of a jail, e.g. after changing its port

More info here: https://serverfault.com/questions/841183/how-to-show-all-banned-ip-with-fail2ban
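To make the (filter, action) mechanics concrete, here is an added example in Python (fail2ban's own language); it is not code from this page or from the fail2ban project. It replays constructed auth.log lines through a simplified sshd failregex and the jail's maxretry/findtime counting rule, and separately replays constructed fail2ban.log Ban/Unban lines to show why grep ' Ban ' lists history rather than the current bans. The failregex, the expansion of <HOST>, the log lines, the jail names and the year 2021 assumed for the syslog timestamps are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd filter (an assumption for this
# example): the real /etc/fail2ban/filter.d/sshd.conf carries many more
# patterns, and fail2ban expands <HOST> to a stricter expression.
FAILREGEX = (r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
             r"from <HOST> port \d+ ssh2$")
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"          # assumed expansion of <HOST>
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST))

# syslog timestamps carry no year; the constructed samples are dated 2021.
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_time(line, year=2021):
    return datetime.strptime(f"{year} {TS_RE.match(line).group(1)}",
                             "%Y %b %d %H:%M:%S")


def ban_decisions(lines, maxretry=3, findtime=600):
    """Replay log lines through the filter and the jail's counting rule:
    maxretry matches from one host within findtime seconds fire the ban
    action. Returns [(host, time of ban), ...] in the order bans fire."""
    window = timedelta(seconds=findtime)
    recent = {}        # host -> times of the matches still inside the window
    bans = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:      # no failregex match: fail2ban ignores the line
            continue
        host, now = m.group("host"), parse_time(line)
        hits = [t for t in recent.get(host, []) if now - t <= window] + [now]
        if len(hits) >= maxretry:
            bans.append((host, now))
            hits = []  # counting starts over once the host is banned
        recent[host] = hits
    return bans


# Constructed auth.log excerpt: one host fails three times in eight seconds,
# another fails three times but spread over 35 minutes, plus a key login.
AUTH_LOG = """\
Apr 14 18:00:01 server sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Apr 14 18:00:05 server sshd[2002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Apr 14 18:00:09 server sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Apr 14 18:00:12 server sshd[2004]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:k3y
Apr 14 18:05:00 server sshd[2005]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Apr 14 18:20:00 server sshd[2006]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Apr 14 18:40:00 server sshd[2007]: Failed password for alice from 198.51.100.7 port 40003 ssh2
""".splitlines()

# Constructed fail2ban.log excerpt in the format of fail2ban 0.10/0.11.
FAIL2BAN_LOG = """\
2021-04-14 18:00:09,310 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2021-04-14 18:02:30,004 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.44
2021-04-14 19:00:09,512 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2021-04-14 19:10:00,000 fail2ban.actions        [812]: NOTICE  [apache-auth] Ban 192.0.2.99
""".splitlines()

BAN_RE = re.compile(r"\[(?P<jail>[\w-]+)\] (?P<action>Ban|Unban) (?P<host>\S+)$")


def currently_banned(log_lines):
    """Replay Ban/Unban events and return {jail: hosts still banned}.
    grep ' Ban ' on the same lines still shows 203.0.113.5 after its unban."""
    state = {}
    for line in log_lines:
        m = BAN_RE.search(line)
        if not m:
            continue
        hosts = state.setdefault(m["jail"], set())
        (hosts.add if m["action"] == "Ban" else hosts.discard)(m["host"])
    return {jail: hosts for jail, hosts in state.items() if hosts}


if __name__ == "__main__":
    for host, when in ban_decisions(AUTH_LOG):
        print(f"ban {host} at {when:%H:%M:%S}")
    print("still banned:", currently_banned(FAIL2BAN_LOG))
```

With the defaults, only 203.0.113.5 gets banned; 198.51.100.7 never accumulates three matches inside one findtime window, which is exactly the slow-brute-force case a tighter findtime or a higher maxretry trades off against. On a real server, test a filter against the real log with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, and read the current bans from fail2ban-client status sshd rather than from the log history.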

ssh-server config

  • cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk

--> Make a backup copy of the configuration before touching it

  • ss -n -o state established '( dport = :22 or sport = :22 )'

--> See which SSH connections are established (replace 22 with the new port once you change it). Keep your current session open while you edit and restart sshd, and only close it after a second login with the new settings has succeeded, so that a mistake cannot lock you out.

  • Review /etc/ssh/sshd_config:

Port 22XX
MaxAuthTries 3
PubkeyAuthentication yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no
X11Forwarding no
ChallengeResponseAuthentication no
PermitRootLogin no
StrictModes yes
# Logging
SyslogFacility AUTH
LogLevel INFO

Notes on these directives:

PermitRootLogin no --> if root must still be able to log in with a key, use PermitRootLogin prohibit-password instead (without-password is the old spelling of the same value). Keep only one PermitRootLogin line: sshd uses the first value it reads for a directive and ignores later ones, and on Debian 11 and later any file in /etc/ssh/sshd_config.d/ is read first, through the Include at the top of sshd_config. sshd -T prints the configuration that is actually in effect.

Protocol 2 --> no longer needed: OpenSSH 7.4 and later only speak protocol 2 and treat the Protocol directive as deprecated.

UsePAM no --> Debian ships UsePAM yes, and its sshd_config comments recommend keeping it that way so that the PAM account and session checks still run, with passwords disabled through PasswordAuthentication no and ChallengeResponseAuthentication no. Setting UsePAM no also skips those checks.

  • To look for:

PrintMotd no --> controls the message shown at login; on Debian the motd is printed by PAM, so sshd's own copy stays off

AcceptEnv LANG LC_* --> leave at the default

ChallengeResponseAuthentication no --> must be no, otherwise a password prompt comes back through keyboard-interactive authentication. OpenSSH 8.7 and later call this directive KbdInteractiveAuthentication and accept the old name as an alias.

--> Change Port 22XX: remember to open the new port in the firewall (ufw allow 22XX/tcp) before restarting, and to set port = 22XX in the [sshd] section of /etc/fail2ban/jail.local; otherwise the ban rules only block port 22 and leave the new port reachable.

  • sshd -t

--> Check that the configuration is valid before restarting (sshd -T additionally prints the effective values)

  • service sshd restart

--> Apply the changes (on Debian the unit is called ssh, with sshd as an alias: systemctl restart ssh)
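An added example, not from this page or from OpenSSH, that audits an sshd_config text against the directives listed above the way sshd itself reads the file: keywords are case-insensitive, the first occurrence of a directive wins, and everything from the first Match block on is conditional. The two sample configurations are constructed for the example, the DEFAULTS table is an assumption taken from upstream sshd_config(5) for directives that are absent (distribution packages may differ), and Include files are not followed; the real check on a server is sshd -T, which resolves them.

```python
import re

# Spellings sshd treats as one directive: OpenSSH 8.7 renamed the first to
# the second and keeps the old name as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# What the checklist above requires of the effective configuration.
REQUIRED = {
    "passwordauthentication": ("no",),
    "permitrootlogin": ("no", "prohibit-password", "without-password"),
    "pubkeyauthentication": ("yes",),
    "permitemptypasswords": ("no",),
    "x11forwarding": ("no",),
    "ignorerhosts": ("yes",),
    "strictmodes": ("yes",),
    "kbdinteractiveauthentication": ("no",),
}
MAX_AUTH_TRIES = 3

# Upstream defaults from sshd_config(5), assumed here for absent directives;
# a stock install accepts passwords because PasswordAuthentication defaults
# to yes. Distribution packages may ship different values.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "ignorerhosts": "yes",
    "strictmodes": "yes",
    "kbdinteractiveauthentication": "yes",
    "maxauthtries": "6",
}

DIRECTIVE_RE = re.compile(r"^(\w+)[\s=]+(.*)$")


def effective_settings(config_text):
    """Read the global section of an sshd_config the way sshd does: comments
    and blank lines are skipped, keywords are case-insensitive, the FIRST
    occurrence of a directive wins, and everything from the first Match block
    on is conditional, so it is not part of the global settings. Include
    files are not followed here; sshd -T resolves them on a real host."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)   # later duplicates are ignored
    return settings


def audit(config_text):
    """Return the list of findings; an empty list means the checklist holds."""
    eff = effective_settings(config_text)
    value = lambda key: eff.get(key, DEFAULTS.get(key, ""))
    findings = []
    for key, allowed in REQUIRED.items():
        if value(key) not in allowed:
            findings.append(f"{key} is {value(key)!r}, expected one of {allowed}")
    if int(value("maxauthtries")) > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries is {value('maxauthtries')}, "
                        f"expected at most {MAX_AUTH_TRIES}")
    return findings


# Constructed sample with the checklist's directives, including both
# PermitRootLogin lines from the list: sshd keeps the first one it reads.
HARDENED = """\
MaxAuthTries 3
PubkeyAuthentication yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
ChallengeResponseAuthentication no
PermitRootLogin no
PermitRootLogin without-password
StrictModes yes
SyslogFacility AUTH
LogLevel INFO
"""

# Constructed sample of an untouched package config: the interesting lines
# are commented out, so the defaults apply, and the PasswordAuthentication no
# inside the Match block only covers that user, not the global setting.
STOCK = """\
#PasswordAuthentication yes
#PermitRootLogin prohibit-password
X11Forwarding yes
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("stock", STOCK)):
        print(name, audit(text) or "ok")
```

The stock sample produces four findings (passwords accepted, X11 forwarding on, keyboard-interactive authentication on, MaxAuthTries 6), none of which is visible by grepping for uncommented lines alone. To audit a live host the same way, feed it the output of sshd -T, which already has one lowercase keyword per line with the effective value.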

Security configuration for a Debian server

  • Limit access to SSH key connections
  • Copy your key to the server: ssh-copy-id user@server (add -i /path/to/your_key.pub to choose a specific key)
  • Change the configuration so that only SSH keys are allowed: nano /etc/ssh/sshd_config

Modify or add the following line: PasswordAuthentication no

  • change the port for ssh
  • use fail2ban (Which jails are important to enable? sshd; I've seen you have many more!)
  • change the information the server gives away through Apache's ServerTokens and ServerSignature

Open /etc/apache2/conf-available/security.conf (on old releases with Apache 2.2: /etc/apache2/conf.d/security)

Set ServerTokens from OS to Prod

Set ServerSignature to Off

Check the syntax with apachectl configtest, then restart the Apache web server (systemctl restart apache2).

  • Stop/avoid portmapper (rpcbind)
  • iptables enabled (together with fail2ban)