Last updated: 9 November 2010

Here are a few tips for hardening your Debian/Ubuntu server.

SSH key based authentication

Only allow logins with public SSH keys; this takes password guessing (brute force) off the table. Create a private/public key pair with the ssh-keygen command, then copy the public key from your pc to the server using:

$ ssh-copy-id -i .ssh/id_rsa.pub user@host

Test that you can log in with your key. On the server the public key is stored in .ssh/authorized_keys, so when you add a new user, ask them for their public key and append it to that user's authorized_keys.

Change /etc/ssh/sshd_config to disable password based logins:

ChallengeResponseAuthentication no
PasswordAuthentication no
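A pitfall when editing sshd_config: sshd uses the first occurrence of a keyword, so a "PasswordAuthentication no" added below an earlier "PasswordAuthentication yes" has no effect. The following is an added example (not from the original post) that reports the value sshd will actually use; it assumes the whitespace-separated keyword form and only scans the top-level section, stopping at the first Match block.

```shell
#!/bin/sh
# Added example (not from the original post): show which value sshd will
# actually use for a keyword. sshd takes the FIRST occurrence of a keyword
# in sshd_config, so a "PasswordAuthentication no" appended below an
# earlier "PasswordAuthentication yes" is silently ignored.
# Assumption: only the top-level section is scanned; the scan stops at the
# first "Match" block because its settings apply conditionally.

# Usage: sshd_effective <keyword> <config-file>
# Prints the effective value (lower-cased) or "default" if never set.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                   # comment line
        NF == 0    { next }                   # blank line
        tolower($1) == "match" { exit }       # conditional block: stop here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$2"
}

# Constructed sample config with the duplicate-keyword pitfall.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
# PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

sshd_effective PasswordAuthentication "$SAMPLE_CFG"          # yes (first wins)
sshd_effective ChallengeResponseAuthentication "$SAMPLE_CFG" # no
sshd_effective PubkeyAuthentication "$SAMPLE_CFG"            # default
```

On a live host, sshd -T prints the complete effective configuration; keep your current session open while testing, because sshd only picks up the file after a restart (/etc/init.d/ssh restart on Debian of this era).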

Filesystem permissions

The default umask is 022, which gives other/world users read access to newly created files. With umask 007 the owner and group have rw access and other/world has no access at all.

Change the default umask 022 to 007 in these files:

/etc/profile
/etc/login.defs
/etc/init.d/rc

Mounted volumes must have proper permissions

Add two mount options in /etc/fstab for partitions that contain no suid programs and no device nodes. The options are called nosuid and nodev.

Example:

/dev/sda5       /tmp            ext3    defaults,nosuid,nodev        0       2
/dev/sda6       /var            ext3    defaults,nosuid,nodev        0       2
/dev/sda7       /data2          ext3    defaults,nosuid,nodev        0       2
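To check an fstab for partitions that still lack these options, here is an added example (not from the original post) that reads an fstab-format file and reports each data partition missing nosuid or nodev. It skips the root filesystem (which needs suid binaries such as su) and swap, and assumes the standard six-field layout.

```shell
#!/bin/sh
# Added example, not from the original post: list fstab entries that lack
# the nosuid/nodev options recommended above. The root filesystem and swap
# are skipped (root needs suid binaries such as su; swap has no mount
# options to harden). Assumes the standard six-field fstab layout.

# Usage: fstab_missing_opts <fstab-file>
# Prints one line per finding: "<mountpoint> missing <option>".
fstab_missing_opts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }          # comments, blanks, short lines
        $2 == "/" || $3 == "swap" { next }     # cannot carry these options
        {
            n = split($4, opt, ",")
            has_nosuid = has_nodev = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "nosuid") has_nosuid = 1
                if (opt[i] == "nodev")  has_nodev  = 1
            }
            if (!has_nosuid) print $2 " missing nosuid"
            if (!has_nodev)  print $2 " missing nodev"
        }
    ' "$1"
}

# Constructed sample fstab: /tmp is hardened, /var and /home are not (fully).
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system> <mount point> <type> <options>             <dump> <pass>
/dev/sda1       /             ext3   errors=remount-ro     0      1
/dev/sda5       /tmp          ext3   defaults,nosuid,nodev 0      2
/dev/sda6       /var          ext3   defaults,nodev        0      2
/dev/sda7       /home         ext3   defaults              0      2
/dev/sda8       none          swap   sw                    0      0
EOF

fstab_missing_opts "$SAMPLE_FSTAB"
# prints:
#   /var missing nosuid
#   /home missing nosuid
#   /home missing nodev
```

Run it against /etc/fstab; an already mounted partition picks up new options with mount -o remount /tmp (for the mount point in question).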

Dedicated group for su

Only allow users in the adm group to become root, using pam_wheel.

In /etc/pam.d/su, uncomment this line and add the group part:

auth       required   pam_wheel.so group=adm

Add sysadmins to the adm group:

usermod -a -G adm [username]

Separate temp directories for users

With the pam_tmpdir module each user gets a separate temp dir: instead of everyone sharing /tmp, each user gets a /tmp/user/USERID directory, so users cannot see each other's temp files.

Install the tmpdir pam module:

apt-get install libpam-tmpdir

Add the following line to /etc/pam.d/common-session:

session    optional     pam_tmpdir.so

Know when security updates are available

Keep the packages on the server up to date. Use the MAILTO functionality in crontab to get an automated warning when an update is available; it saves the hassle of checking manually. Running the updates unattended is not recommended.

Add this script as /usr/local/bin/check_security.sh:

#!/bin/sh
# Refresh the package lists. A real "update" is needed here: with -s apt-get
# would only simulate it and the lists would stay stale, so nothing new
# would ever be reported.
apt-get update -qq > /dev/null 2>&1

# $TMP is normally unset under cron; fall back to /tmp so the lock file
# does not end up in /.
LISTFILE="${TMP:-/tmp}/check_security.lock"
UPGRADE_CMD="apt-get upgrade -qq -s"
MACHINE=`hostname`
LIST=""

# Simulate the upgrade and collect the names of the packages it would install.
for package in `$UPGRADE_CMD | grep -e '^Inst' | awk '{ print $2 }'`;
do
  LIST="$LIST $package"
done

if [ -z "$LIST" ]; then
  # Nothing pending: remove the lock so the next batch is reported again.
  if [ -e "$LISTFILE" ]; then
    rm -f "$LISTFILE"
  fi
  exit 0
else
  # Report once; the lock file suppresses repeat mails until the updates are applied.
  if [ ! -e "$LISTFILE" ]; then
    echo $LIST > "$LISTFILE"
    echo "Please run security updates on ${MACHINE}!"
    echo "=========================================="
    echo $LIST
  fi
fi

Add the script to the root user's crontab and enter your e-mail address in the MAILTO variable. This checks every hour whether an update is available:

MAILTO='me@domain.com'
5 * * * * /usr/local/bin/check_security.sh

Install the nullmailer and mailutils packages to allow mail relaying. Enter the hostname and SMTP server in the install dialog.

apt-get install nullmailer mailutils

Clean old files/dirs in temp directory

Remove files and directories older than 30 days; the tmp dir is for temporary files!

Add a shell script as /usr/local/bin/clean_tmp.sh:

#!/bin/bash
# GW20e - KC
# Clean tmp directory, we don't want files/dirs older
# than 30 days.
# -mindepth 1 keeps /tmp itself out of the result, -xdev stays on the /tmp
# filesystem, and -prune stops find from descending into a directory it is
# about to remove (otherwise find reports "No such file or directory").
# Note: a directory's mtime only changes when entries are added or removed,
# so an old directory may still contain recently written files.
find /tmp -mindepth 1 -xdev -type f -mtime +30 -exec rm -f {} \;
find /tmp -mindepth 1 -xdev -type d -mtime +30 -prune -exec rm -rf {} \;

Add the script to crontab so it's executed every night:

0  5 * * * /usr/local/bin/clean_tmp.sh > /dev/null

Only a minimal set of network services must be provided

Only run the network services that are needed; every service is a potential security risk. Configure the network services so they only listen on specific interfaces.
Run netstat to check which service is listening on which interface. Example:

server:~# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 91.194.xxx.xxx:18080    0.0.0.0:*               LISTEN      9544/python2.6
tcp        0      0 91.194.xxx.xxx:5666     0.0.0.0:*               LISTEN      3515/nrpe
tcp        0      0 127.0.0.1:111           0.0.0.0:*               LISTEN      9035/portmap
tcp        0      0 192.168.3.45:8080       0.0.0.0:*               LISTEN      3876/python2.6
tcp        0      0 192.168.3.45:28080      0.0.0.0:*               LISTEN      3875/python2.6
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3714/apache2
tcp        0      0 192.168.3.45:8081       0.0.0.0:*               LISTEN      3877/python2.6
tcp        0      0 192.168.3.45:22         0.0.0.0:*               LISTEN      3505/sshd
tcp        0      0 127.0.0.1:761           0.0.0.0:*               LISTEN      3553/famd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3714/apache2
udp        0      0 127.0.0.1:111           0.0.0.0:*                           9035/portmap

Disable network services or bind each service to a specific interface. Normally portmap listens on all interfaces.
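Going through such a listing by hand is error-prone, so here is an added example (not from the original post) that reads saved netstat -nlp output and flags every listening socket that is not bound to a loopback address, marking those on 0.0.0.0 or :: as listening on all interfaces. The sample input is constructed from a subset of the listing above.

```shell
#!/bin/sh
# Added example, not from the original post: flag listening sockets in
# "netstat -nlp" output that are bound to every interface (0.0.0.0 or ::)
# or to a non-loopback address, so the list can be compared against the
# services the server is supposed to expose. Input is read from a file.

# Usage: wide_open_listeners <netstat-output-file>
# Prints "<proto> <local address> <pid/program> <scope>" per exposed socket.
wide_open_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }          # skip header and unix sockets
        {
            addr = $4
            sub(/:[0-9]+$/, "", addr)           # strip the port
            if (addr == "127.0.0.1" || addr == "::1") next
            scope = (addr == "0.0.0.0" || addr == "::") ? "ALL-INTERFACES" : "EXTERNAL"
            prog = $NF                          # last column: PID/Program name
            print $1, $4, prog, scope
        }
    ' "$1"
}

# Constructed sample, taken from a subset of the listing in the post.
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 91.194.xxx.xxx:5666     0.0.0.0:*               LISTEN      3515/nrpe
tcp        0      0 127.0.0.1:111           0.0.0.0:*               LISTEN      9035/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3714/apache2
tcp        0      0 192.168.3.45:22         0.0.0.0:*               LISTEN      3505/sshd
udp        0      0 127.0.0.1:111           0.0.0.0:*                           9035/portmap
EOF

wide_open_listeners "$SAMPLE_NETSTAT"
# prints:
#   tcp 91.194.xxx.xxx:5666 3515/nrpe EXTERNAL
#   tcp 0.0.0.0:80 3714/apache2 ALL-INTERFACES
#   tcp 192.168.3.45:22 3505/sshd EXTERNAL
```

On current systems ss -lntup produces the same information in a similar layout; the portmap lines are left out of the report because they are bound to 127.0.0.1, which is exactly the state the next section aims for.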

Bind portmap to localhost loopback

In the above example portmap is only listening on the localhost loopback. To bind the portmap service to localhost, edit /etc/default/portmap and uncomment this line:

OPTIONS="-i 127.0.0.1"

Disable IPv6

If you're not using IPv6, disable it so that possible vulnerabilities in the IPv6 stack cannot be reached. Add the following file as /etc/modprobe.d/00local:

alias net-pf-10 off
alias ipv6 off

Apache webserver

Don't allow directory indexes: disable the autoindex module.

a2dismod autoindex
/etc/init.d/apache2 restart

Apache has a separate config file for security. Edit /etc/apache2/conf.d/security and change the following settings:

# Don't give away info about OS and compiled in modules
ServerTokens Prod
# Don't show server version in server-generated pages
ServerSignature Off
# Disable HTTP TRACE; it is only used for debugging and is a potential security vulnerability.
TraceEnable Off

This article has good tips for securing the Apache webserver: MDLog:/sysadmin – Apache Tips & Tricks.

Do a security audit for the system

Lynis is an excellent tool to audit the system: it tests and gathers (security) information on *nix based systems. Download the latest tarball, unpack it and run it.

If you want to be on the safe side, and be sure your server is secure, hire an independent company for a security audit.
