Security checklist for feminist servers

From Anarchaserver

Checklist for security on a feminist server:

General recommendations

  • Enable unattended-upgrades
  • ufw: allow the SSH port (ufw allow ssh; if you change the port, allow the new one)
  • SSH server: allow login only with keys, no passwords (PasswordAuthentication no)
  • Change the SSH port; remember to add the new port in ufw (ufw allow <new port>/tcp) before restarting sshd
  • Disallow login as root (PermitRootLogin no)
  • Enable fail2ban and configure the new SSH port in its sshd jail
  • Enable tools such as chkrootkit, rkhunter and etckeeper
  • Allow only TLSv1.2 (or newer; no TLSv1.0 or TLSv1.1)
  • For every software package or service installed, check file permissions and allow the minimum needed
  • External services: if installing mysql, mongodb, ldap etc., check that they listen only on localhost
  • Apache: include security headers and a CSP in the vhost configuration; where possible, install and configure services on the host inside containers (apache2 in LXC)
  • Notifications: configure a daily mail report sent to the sysadmins
  • Logging: Logwatch; configure what to log and what not to log
  • Security for containers, depending on the service

More info in Parte IV - Securicemos nuestra servidora web (Part IV - Let's secure our web server) by La Bekka

Fail2ban

  • failregex = fail regex

->> defines the rule, as a regular expression, in the filter


  • regex

= regular expression


  • /etc/fail2ban/filter.d/

->> the filters are here

->> filters have to exist so that fail2ban can match log lines against them and then execute actions

->> fail2ban currently ships filters for Apache, sshd, qmail, vsftpd, lighttpd, Postfix and Courier Mail Server

->> the filters are written as Python regular expressions that define the rule which triggers a given action against the IP that caused the event. The tuple (rule, action) or (filter, action) is called a "jail", and it is what determines the penalty applied to a malicious host


  • /var/log/fail2ban.log

->> the fail2ban logs can be seen here


  • sudo grep ' Ban ' /var/log/fail2ban.log

->> to see which IPs have been banned (grep for 'Ban' with a capital B: a plain 'ban' matches every line, because each one carries the fail2ban prefix, and it also matches the Unban lines)


  • fail2ban-client status sshd

->> review them per jail (in current Debian packages the SSH jail is named sshd)


  • sudo iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0"'

->> another nice way of seeing it (if fail2ban is configured with the nftables actions, look at nft list ruleset instead)


  • fail2ban-client status

->> to see the fail2ban status and the enabled jails


  • fail2ban-client reload sshd

->> to reload the configuration of a single jail

More info here
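The grep above is the quick way to see bans; the script below is an added example (not part of the Anarchaserver page) that reads a fail2ban log in the format written to /var/log/fail2ban.log and lists which IPs are still banned per jail, i.e. it pairs every "Ban" with a later "Unban". The log lines are constructed sample data; the jail names and addresses in them are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the Anarchaserver page: parse a fail2ban log and
# report the bans that are still in force, per jail. The sample log below is
# constructed; the jail names and IPs are made up for the example.

sample_fail2ban_log() {
  cat <<'EOF'
2024-05-01 10:00:01,001 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 10:00:00
2024-05-01 10:00:02,002 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 10:00:01
2024-05-01 10:00:03,003 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:05:00,004 fail2ban.actions        [812]: NOTICE  [apache-auth] Ban 198.51.100.7
2024-05-01 10:10:03,005 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-01 10:20:00,006 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.9
EOF
}

# IPs whose last event in a jail is "Ban" (no later "Unban"): "jail ip" lines.
# On Ban/Unban lines the last three fields are "[jail] Ban|Unban ip", so the
# match is on the field before the IP; the "fail2ban.actions" prefix present
# on every line is never looked at, which is what a plain grep 'ban' gets wrong.
currently_banned() {          # usage: currently_banned < fail2ban.log
  awk '$(NF-1) == "Ban"   { banned[$(NF-2) " " $NF] = 1 }
       $(NF-1) == "Unban" { delete banned[$(NF-2) " " $NF] }
       END { for (k in banned) print k }' | tr -d '[]' | sort
}

# Number of Ban events per jail: "jail count" lines.
bans_per_jail() {             # usage: bans_per_jail < fail2ban.log
  awk '$(NF-1) == "Ban" { n[$(NF-2)]++ }
       END { for (j in n) print j, n[j] }' | tr -d '[]' | sort
}

# Stand-alone run over the constructed sample.
sample_fail2ban_log | currently_banned
sample_fail2ban_log | bans_per_jail
```

On a real host run `sudo sh -c 'currently_banned < /var/log/fail2ban.log'` style, or simply paste the functions into a shell and redirect the log into them; `fail2ban-client status sshd` remains the authoritative view, since it reads fail2ban's own state rather than the log.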

ssh-server config

  • cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk

--> Make a backup copy of the configuration


  • ss -n -o state established '( dport = :22 or sport = :22 )'

--> To see which SSH connections are established (use the new port instead of 22 if you changed it)


  • Review: /etc/ssh/sshd_config

Port 22XX

MaxAuthTries 3

PubkeyAuthentication yes

IgnoreRhosts yes

PasswordAuthentication no

PermitEmptyPasswords no

UsePAM no

X11Forwarding no

ChallengeResponseAuthentication no

PermitRootLogin no

Protocol 2

StrictModes yes

# Logging

SyslogFacility AUTH

LogLevel INFO

--> PermitRootLogin: set it only once. "no" blocks root completely; "without-password" (named prohibit-password since OpenSSH 7.0, the old name still works) allows root only with a key. sshd uses the first value it reads for each keyword, so a second PermitRootLogin line does not override the first one.

--> Protocol 2: OpenSSH 7.4 and newer only speak protocol 2 and ignore this keyword; it is harmless on older versions.

--> UsePAM no: Debian ships UsePAM yes so that the PAM account and session checks run; with PasswordAuthentication and ChallengeResponseAuthentication both set to no, PAM cannot be used to log in with a password anyway.

  • To look for:

PrintMotd no --> whether sshd prints /etc/motd at login (on Debian the motd is already printed by PAM, so this stays no)

AcceptEnv LANG LC_* --> leave it at the default

ChallengeResponseAuthentication no --> must be no (on OpenSSH 8.7 and newer the keyword is KbdInteractiveAuthentication; the old name is still accepted as an alias)

--> Change Port 22XX: remember to open the new port in the firewall and to set it in the fail2ban sshd jail (port = <new port> in the [sshd] section of jail.local)


  • sshd -t

--> To check that the configuration is valid before restarting (sshd -T prints the effective value of every option)


  • service sshd restart

--> To apply the changes (keep the current session open and check that a new login works before closing it)
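Because sshd keeps the first value it reads for each keyword, a config that contains the same directive twice can look hardened while the effective value is not. The script below is an added example (not from the Anarchaserver page) that reads an sshd_config, reports the effective value of the keywords in the checklist above and flags keywords set more than once. The sample config it writes is constructed for the example, the port 2222 in it is an assumption, and directives inside Match blocks are not handled; `sshd -T` on the server itself is the authoritative check.

```shell
#!/bin/sh
# Added example, not from the Anarchaserver page: audit an sshd_config against
# the checklist values. sshd uses the FIRST value it reads per keyword, so the
# audit reports that value and flags duplicates. Match blocks are ignored here;
# "sshd -T" on the real host prints the effective configuration.

# Constructed sample config (the port and the mistakes are deliberate);
# writes it to a temp file and prints the path.
write_sample_sshd_config() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
# sample sshd_config, constructed for this example
Port 2222
MaxAuthTries 3
PubkeyAuthentication yes
  passwordauthentication  yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PermitRootLogin without-password
X11Forwarding no
EOF
  echo "$f"
}

# Effective value of a keyword: first non-comment match, case-insensitive
# (sshd keywords are case-insensitive; leading whitespace is allowed).
sshd_effective() {          # usage: sshd_effective <file> <Keyword>
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }' "$1"
}

# How many times a keyword is set; more than once means the later lines are dead.
sshd_count() {              # usage: sshd_count <file> <Keyword>
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { n++ } END { print n+0 }' "$1"
}

# Compare against the checklist; prints one line per problem, returns 1 if any.
# The checklist wants these set explicitly, so a missing keyword is a problem
# even where the compiled-in default happens to be the same.
audit_sshd() {              # usage: audit_sshd <file>
  rc=0
  for pair in PasswordAuthentication=no PermitRootLogin=no \
              PermitEmptyPasswords=no X11Forwarding=no \
              PubkeyAuthentication=yes MaxAuthTries=3; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_effective "$1" "$key")
    [ "$got" = "$want" ] || { echo "$key: effective '${got:-<unset>}', want '$want'"; rc=1; }
    [ "$(sshd_count "$1" "$key")" -le 1 ] || echo "$key: set more than once, first value wins"
  done
  # the port must be set, and the firewall and the fail2ban sshd jail must know it
  port=$(sshd_effective "$1" Port)
  [ -n "$port" ] || { echo "Port: not set (defaults to 22)"; rc=1; }
  return $rc
}

# Stand-alone run over the constructed sample.
cfg=$(write_sample_sshd_config)
echo "effective PermitRootLogin: $(sshd_effective "$cfg" PermitRootLogin)"
audit_sshd "$cfg" || echo "audit failed for $cfg"
```

Run `audit_sshd /etc/ssh/sshd_config` after editing and before `sshd -t`; on the sample it reports that PasswordAuthentication is effectively "yes" (the lowercase duplicate comes first) and that PermitRootLogin is set twice, with "no" winning.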

Security configuration for a Debian server

  • Limit access to ssh-key connections
  • Copy your key to the server: ssh-copy-id user@server (the -i option takes the path of the public key to copy, e.g. ~/.ssh/id_ed25519.pub; without it the default key is used)
  • Change the configuration to only allow connections with ssh-keys: nano /etc/ssh/sshd_config

Modify or add the following line: PasswordAuthentication no

  • Change the port for ssh
  • Use fail2ban (Which jails are important to enable? sshd; I've seen you have many more!)
  • Change the information about the server that Apache gives out, with ServerTokens and ServerSignature

Open /etc/apache2/conf-available/security.conf (on old Apache 2.2 installs: /etc/apache2/conf.d/security)

Set ServerTokens from OS to Prod

Turn ServerSignature Off

Restart the Apache web server.

  • Stop/disable portmapper (rpcbind) unless NFS or NIS is actually needed
  • iptables enabled (together with fail2ban)
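For the Apache items (ServerTokens/ServerSignature here, the security headers and CSP in the general recommendations) the following is an added example, not configuration from the Anarchaserver page: it shows Debian's shipped values beside the hardened ones, a set of response headers for the vhost, and a small check that reads an Apache config and reports what is still missing. The CSP is an assumption for a site that serves only its own resources and embeds no third-party content; the header names are the real Apache directives.

```shell
#!/bin/sh
# Added example, not from the Anarchaserver page: weak vs. hardened Apache
# settings and a check that reports which of the checklist items a config
# still lacks. The CSP below assumes a site that loads only its own resources.

weak_security_conf() {      # what Debian ships in security.conf
  cat <<'EOF'
ServerTokens OS
ServerSignature On
EOF
}

hardened_security_conf() {  # what the checklist asks for
  cat <<'EOF'
ServerTokens Prod
ServerSignature Off
EOF
}

# Headers for the vhost (needs "a2enmod headers"). "always" makes Apache add
# them to error responses as well, not only to 2xx responses.
vhost_security_headers() {
  cat <<'EOF'
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; base-uri 'self'"
EOF
}

# Reads Apache config on stdin; prints one line per problem, returns 1 if any.
apache_config_audit() {
  awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "servertokens"    { tokens = $2 }
    tolower($1) == "serversignature" { sig = $2 }
    tolower($1) == "header" && tolower($2) == "always" && tolower($3) == "set" { h[tolower($4)] = 1 }
    END {
      if (tolower(tokens) != "prod") { print "ServerTokens should be Prod (is " (tokens ? tokens : "unset, default Full") ")"; bad = 1 }
      if (tolower(sig) != "off")     { print "ServerSignature should be Off"; bad = 1 }
      split("strict-transport-security x-content-type-options content-security-policy", want, " ")
      for (i in want) if (!(want[i] in h)) { print "missing header: " want[i]; bad = 1 }
      exit bad
    }'
}

# Stand-alone run: the weak config fails, the hardened one with headers passes.
echo "--- weak:";     weak_security_conf | apache_config_audit || true
echo "--- hardened:"; { hardened_security_conf; vhost_security_headers; } | apache_config_audit && echo ok
```

On the server, check the live files with `cat /etc/apache2/conf-available/security.conf /etc/apache2/sites-enabled/*.conf | apache_config_audit`, then `a2enmod headers`, `apachectl configtest` and `systemctl reload apache2`; the check only looks at the config text, so confirm the result with `curl -sI https://yourserver` once Apache is reloaded.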