{"id":324,"date":"2017-03-02T23:02:09","date_gmt":"2017-03-02T22:02:09","guid":{"rendered":"https:\/\/andreikucharavy.com\/L3Cache\/?p=324"},"modified":"2017-03-02T23:43:26","modified_gmt":"2017-03-02T22:43:26","slug":"linux-server-security","status":"publish","type":"post","link":"https:\/\/andreikucharavy.com\/L3Cache\/linux-server-security\/","title":{"rendered":"Linux server security"},"content":{"rendered":"<p><strong>DISCLAIMER<\/strong>: I AM NOT AN INFOSEC EXPERT. THIS ARTICLE IS MORE OF A MEMO FOR MYSELF. IF YOU LOSE DATA OR HAVE A BREACH, I BEAR NO RESPONSIBILITY IN IT.<\/p>\n<p>Now, because of all the occasions on which I had to act as a makeshift sysadmin, I ended up reading a number of policies and picking up some advice that I wanted to group in a single place, if only for my own memory.<\/p>\n<h1>Installation:<\/h1>\n<ul>\n<li>Use an SELinux-enabled distro<\/li>\n<li>Use an intrusion prevention tool, such as <a href=\"https:\/\/www.fail2ban.org\/wiki\/index.php\/Main_Page\">Fail2Ban<\/a><\/li>\n<li>Configure primary and secondary DNS<\/li>\n<li>Switch from password-protected SSH to key-based SSH login. Disable root login altogether (<code>\/etc\/ssh\/sshd_config<\/code>, <code>PermitRootLogin no<\/code>). Here is an Ubuntu\/OpenSSH <a href=\"https:\/\/help.ubuntu.com\/community\/SSH\/OpenSSH\/Keys\">guide<\/a>.<\/li>\n<li>Remove network super-service packages<\/li>\n<li>Disable <a href=\"https:\/\/techjourney.net\/disable-and-turn-off-telnet-in-linux\/\">Telnet<\/a> and <a href=\"http:\/\/askubuntu.com\/questions\/420652\/how-to-setup-a-restricted-sftp-server-on-ubuntu\">FTP<\/a> (SFTP should be used instead)<\/li>\n<li>Use chroot where available, notably for web servers and FTP servers<\/li>\n<li>Encrypt the filesystem<\/li>\n<li>Disable remote root login<\/li>\n<li>Disable <code>sudo su<\/code> &#8211; all root actions need to be done with <code>sudo<\/code><\/li>\n<\/ul>\n<h1>Audit:<\/h1>\n<ul>\n<li>Once the server has been built, run <a href=\"https:\/\/cisofy.com\/lynis\/\">Lynis<\/a>. It will audit your system and suggest additional steps to protect your machine<\/li>\n<li>Force multi-factor authentication for root accounts, especially via SSH. Here is a <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04\">tutorial from Digital Ocean<\/a>.<\/li>\n<\/ul>\n<h1>Watching the logs:<\/h1>\n<ul>\n<li>Tools like <a href=\"http:\/\/www.cacti.net\/\">Cacti<\/a>, <a href=\"https:\/\/www.nagios.com\/solutions\/linux-monitoring\/\">Nagios<\/a>, <a href=\"https:\/\/www.splunk.com\/\">Splunk<\/a> and <a href=\"https:\/\/github.com\/sysstat\/sysstat\">sysstat<\/a> help you monitor the logs for intrusions<\/li>\n<li>Automated log review, with messages sent upon admin login<\/li>\n<li>Install <a href=\"http:\/\/www.tecmint.com\/how-to-monitor-user-activity-with-psacct-or-acct-tools\/\">psacct\/acct<\/a> or similar<\/li>\n<li>Install an integrity checking tool (<a href=\"https:\/\/www.tripwire.org\/\">Tripwire<\/a>, <a href=\"http:\/\/aide.sourceforge.net\/\">AIDE<\/a>, <a href=\"http:\/\/la-samhna.de\/samhain\/\">Samhain<\/a>, <a href=\"http:\/\/ossec.github.io\/\">OSSEC<\/a>)<\/li>\n<\/ul>\n<h1>If you have more than one logging system to watch:<\/h1>\n<ul>\n<li><a href=\"https:\/\/www.intersectalliance.com\/\">Snare<\/a><\/li>\n<li><a href=\"https:\/\/www.splunk.com\/\">Splunk<\/a> and <a href=\"https:\/\/lucene.apache.org\/\">Lucene<\/a> (<a href=\"https:\/\/www.elastic.co\/\">ElasticSearch<\/a>) for log search<\/li>\n<li><a href=\"https:\/\/help.ubuntu.com\/community\/Logwatch\">LogWatch<\/a> (<a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps\">guide from Digital Ocean<\/a>), <a href=\"https:\/\/www.elastic.co\/products\/logstash\">LogStash<\/a>, <a href=\"https:\/\/www.graylog.org\/\">Graylog2<\/a>, <a href=\"http:\/\/sawmill.net\">Sawmill<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>DISCLAIMER: I AM NOT AN INFOSEC EXPERT. THIS ARTICLE IS MORE OF A MEMO FOR MYSELF. IF YOU LOSE DATA OR HAVE A BREACH, I BEAR NO RESPONSIBILITY IN IT. Now, because of all the occasions on which I had to act as a makeshift sysadmin, I ended up reading a number of policies <a class=\"read-more\" href=\"https:\/\/andreikucharavy.com\/L3Cache\/linux-server-security\/\">[&hellip;]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24],"tags":[],"class_list":["post-324","post","type-post","status-publish","format-standard","hentry","category-prog"],"_links":{"self":[{"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/posts\/324"}],"collection":[{"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/comments?post=324"}],"version-history":[{"count":6,"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/posts\/324\/revisions"}],"predecessor-version":[{"id":330,"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/posts\/324\/revisions\/330"}],"wp:attachment":[{"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/media?parent=324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/categories?post=324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreikucharavy.com\/L3Cache\/wp-json\/wp\/v2\/tags?post=324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}