Summary
In conjunction with another post I am working on, I decided to write a small howto on administering and securing a freshly installed Linux distribution. In this small post I am using Debian, but these steps should apply to most *NIX operating systems. These steps are the minimum requirements to secure your system.
Restricting User Access
By default, home directories are created with umask 022 and, as seen below, the user, members of the user's group and "others" (none of the above) all have read and execute permissions on the user's files.
Permissions   User   Group   Others
READ          X      X       X
WRITE         X
EXECUTE       X      X       X
Table 1. Umask 022 permissions
To prevent members of a user's group (and others) from accessing the files, we can set the umask to 077, which restricts everyone but the user itself from reading, writing or executing the user's files.
Edit /etc/login.defs and change the following settings:
#Default
#UMASK 022
#Secure
UMASK 077
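The difference between the two masks, plus a check for files that were created before the change (a new umask only applies to files created afterwards). This is an added example, not part of the original post; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): umask 022 vs 077, and existing files.

# modes_under_umask MASK
# Create a file and a directory under MASK in a scratch directory and print
# their permission strings, file first.
modes_under_umask() (
    umask "$1"
    d=$(mktemp -d) || exit 1
    touch "$d/file" && mkdir "$d/dir" || exit 1
    f=$(ls -ld "$d/file" | cut -c1-10)
    g=$(ls -ld "$d/dir" | cut -c1-10)
    rm -rf "$d"
    echo "$f $g"
)

# list_group_other_access DIR
# Print every path under DIR on which group or others hold any permission bit.
list_group_other_access() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# tighten_tree DIR
# Apply retroactively what umask 077 gives new files: no group/other access.
tighten_tree() {
    chmod -R go-rwx "$1"
}
```

Run list_group_other_access on an existing home directory to see what the old umask left behind, and tighten_tree to close it.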
Create user
Add a new group
groupadd usergroup
and add a user with the desired options
useradd --home-dir /home/username --create-home --shell /bin/bash --gid usergroup username
Then we are ready to set a password on the account
passwd username
Sudo access
Since we are sooner or later going to disable root, either by disabling the user completely or by denying root login via ssh, we need a regular user with sudo capabilities to administer the server.
Install the sudo package from the repository
apt-get install sudo
and add username to sudoers
echo "username ALL=(ALL) ALL" >> /etc/sudoers
or as group policy
echo "%groupname ALL=(ALL) ALL" >> /etc/sudoers
If you want to disable the password prompt, use this instead of the above:
echo "username ALL=NOPASSWD: ALL" >> /etc/sudoers
Disable root user
To have one less account to maintain security on, one can disable the root account altogether
passwd -l root
Deny root via SSH
If the latter doesn't suit your needs and you want to use the root account, at least deny root login via secure shell (ssh)
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config.bak > /etc/ssh/sshd_config
Securing SSH
Along with disabling root access via secure shell (as shown above), there are several options to further strengthen the security of your secure shell service.
- ListenAddress 0.0.0.0 - Set this to listen only on a specific IP address.
- Port 22 - Change the default SSH port. This is very useful to decrease brute-force attempts, as most automated scripts search for port 22 to brute-force SSH accounts.
- PasswordAuthentication - Change this to no in order to only allow people with their SSH keys in place; this is also a good way to decrease brute-force attempts. In order for this to work, you need to create a keyfile on the client machine (ssh-keygen) and copy the public keyfile to the SSH server (ssh-copy-id).
- PermitRootLogin - Default is to allow root logins via Secure Shell, change this to no, as described above.
When the configuration is done, restart the ssh server
sudo /etc/init.d/ssh restart
Note: If you have more than one Network Interface Controller, ListenAddress should be configured on all services allowing it.
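One way to set the options above without depending on the exact text of the existing line: the sed one-liner under "Deny root via SSH" only matches an uncommented "PermitRootLogin yes". This is an added example, not part of the original post; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): set sshd_config keywords idempotently.

# set_sshd_option FILE KEY VALUE
# Rewrites FILE so that exactly one "KEY VALUE" line is active in the global
# section (before the first Match block); lines inside Match blocks are kept.
set_sshd_option() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?/, "", line)            # accept "Key v" and "#Key v"
            split(line, f, /[ \t=]+/)
            word = tolower(f[1])                  # keywords are case-insensitive
            if (!in_match && word == "match" && $0 !~ /^[ \t]*#/) {
                if (!done) { print key " " value; done = 1 }
                in_match = 1                      # leave Match blocks untouched
            }
            if (!in_match && word == lkey) {
                if (!done) { print key " " value; done = 1 }
                next                              # drop stale or duplicate lines
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$file.new" || return 1
    cat "$file.new" > "$file" && rm -f "$file.new"   # keep owner and mode of FILE
}

# harden_sshd_config FILE: back up once, then apply two settings from the text.
harden_sshd_config() {
    cp -p "$1" "$1.bak" || return 1
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" PasswordAuthentication no
}

# Constructed sample input, similar in shape to a stock sshd_config.
sample_sshd_config() {
    cat <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
passwordauthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}
```

Run harden_sshd_config /etc/ssh/sshd_config as root, then check the result with sshd -t before restarting the service.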
Automatic updates
Earlier I used crontab-daily directly to run apt-get update && apt-get upgrade, but this could in some cases break your install. Instead, install unattended-upgrades, which was first introduced in Ubuntu, from the repository.
apt-get install unattended-upgrades
and run
dpkg-reconfigure unattended-upgrades
to configure the software. It will create /etc/apt/apt.conf.d/20auto-upgrades with the following preferences
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
The default config file (/etc/apt/apt.conf.d/50unattended-upgrades) should do just fine, as it will only allow security upgrades. However, if you want to upgrade packages as well as security updates, uncomment // "${distro_id} ${distro_codename}-updates"; in the Allowed-Origins section of the config file.
To disable automatic reboot, add this line: Unattended-Upgrade::Automatic-Reboot "false";
echo -e '\nUnattended-Upgrade::Automatic-Reboot "false";\n' >> /etc/apt/apt.conf.d/50unattended-upgrades
Basic Firewall
Iptables is the most common firewall software used on Linux systems; although it is not very user friendly, it sure is a powerful firewall. To simplify firewall management, Ubuntu introduced the uncomplicated firewall (ufw), which is also available via Debian's repository.
sudo apt-get install ufw
----
Captain Blackadder: "Baldrick, deny everything."
Lieutenant George: "You are private Baldrick?"
Baldrick: "No."
Lieutenant George: "Are you not Captain Blackadder's batman?"
Baldrick: "No."
----
Ufw does pretty much the same as Baldrick by default, denying everything, or at least the incoming connections. Thankfully, since ufw is easy to maintain, one can easily add wanted rules:
ufw allow 22 - to allow both udp & tcp traffic on secure shell's default port. One could replace the port number with a service name found in /etc/services.
ufw deny 22 - to deny incoming traffic on port 22.
ufw allow 22/tcp - to allow incoming tcp traffic on secure shell's default port.
To delete rules we simply use ufw delete <rule>, for example (if we used ufw allow 22/tcp)
ufw delete allow 22/tcp
If we only want traffic from one specific IP address, we use this syntax: ufw allow from <ip-address>, or ufw allow from <ip-address> to <ip-address/any> port <port-number> proto <protocol>
For example, to allow traffic from your subnet:
ufw allow from 192.168.1.0/24
A bit more complicated rule might be
ufw allow from 192.168.1.110 to any port 22 proto tcp
When we are done, enable the firewall with ufw enable and run ufw status verbose to check the status of the uncomplicated firewall.