
Securing an Ubuntu Server

For more current information, see: http://www.adminbuntu.com/security

Security is relative. Will these steps make your server “secure”? It will be more secure than it was before, and more secure than most servers. Your server will not be “low hanging fruit”. Security is an ongoing process. It includes settings, practices and procedures. Make it your business to regularly read about security and to understand the concepts and your system. Paranoia is useful with regard to server security.

I’ve tested what is presented here in Ubuntu Server 10.04 (Lucid) and 10.10 (Maverick). If you want to harden your new Ubuntu server, this is a good start.

Ubuntu Server is well designed, regularly updated and relatively secure. The Ubuntu Security Team maintains an ongoing effort to keep Ubuntu secure. Regular security updates are available and easy to apply.

  • No open ports
  • Role-based administration
  • No X server
  • Security updates
  • Kernel and compiler hardening

In this post, we are going to meet the security challenge with a multi-pronged effort that includes: system analysis, changing settings for additional hardening against attack, installing and maintaining a firewall, scanning for rootkits, and a regular maintenance regimen.

  • Change settings for increased security
  • Implement UFW, the uncomplicated firewall
  • Use denyhosts to automatically blacklist attackers
  • Scan the system for vulnerabilities with Tiger
  • Detect attempted intrusions with psad
  • Install nmap and scan the system for open ports
  • Check the system for rootkits with chkrootkit
  • Monitor logs

Change settings for increased security

see also: https://help.ubuntu.com/community/StricterDefaults

Secure shared memory

/dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.

sudo vi /etc/fstab

Add this line:

tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0

Disable root SSH login

The root account is disabled by default in Ubuntu. If you installed Ubuntu on Slicehost or Linode, root is enabled. In any case, it is a good idea to disable root SSH access. Edit /etc/ssh/sshd_config and set PermitRootLogin to no.

sudo vi /etc/ssh/sshd_config

Change PermitRootLogin to no:

PermitRootLogin no

Of course, if you access your server via SSH, you should make sure you have sudo working for your user before disabling SSH root access.

Only allow admin users to use su

This helps prevent privilege escalation.

By default, Ubuntu does not have an admin group. Create an admin group:

sudo groupadd admin

Add yourself to the admin group:

sudo usermod -a -G admin andrew

Restrict access to /bin/su to admin group members:

sudo dpkg-statoverride --update --add root admin 4750 /bin/su

Check permissions for /bin/su with:

ls -lh /bin/su

…and see the following:

-rwsr-x--- 1 root admin 31K 2010-01-26 17:09 /bin/su

Do not permit source routing of incoming packets

see also: http://www.cromwell-intl.com/security/security-stack-hardening.html

sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

Don’t allow system users to access an FTP server

This is only needed if ftpd is installed and running. However, it is OK to do this anyway, and it will remove a FAIL from the tiger report.

SFTP is probably better than FTP, if it is usable for your file transfer needs.

see ftpusers manual: http://manpages.ubuntu.com/manpages/lucid/man5/ftpusers.5.html

Edit /etc/ftpusers:

sudo vi /etc/ftpusers

Add system users to deny use of ftpd:

backup
bin
daemon
games
gnats
irc
libuuid
list
lp
mail
man
mysql
news
ntp
postfix
proxy
sshd
sync
sys
syslog
uucp
www-data
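The following audit script is an added example and not part of the original post: it re-checks the settings changed in this section (the /dev/shm line in fstab, PermitRootLogin, the su override and the two accept_source_route values). It assumes the Ubuntu file locations used above, GNU stat, and that your admin group is named admin; the values set with sysctl -w are read back from /proc because sysctl -w only changes the running kernel.

```sh
#!/bin/sh
# Added audit helper, not code from the original post: re-check the settings
# this section changes. Each check takes the path it inspects as an argument
# (the real paths are the defaults in audit_host) so it can be run on copies.

# /dev/shm must be a tmpfs mount carrying both noexec and nosuid.
shm_hardened() {  # $1 = fstab file
    opts=$(awk '$1=="tmpfs" && $2=="/dev/shm" {o=$4} END {print o}' "$1")
    case ",$opts," in
        *,noexec,*) case ",$opts," in *,nosuid,*) return 0 ;; esac ;;
    esac
    return 1
}

# sshd keeps the first value it reads for a keyword (keywords are
# case-insensitive), so a later "PermitRootLogin no" does not override an
# earlier "yes"; only an explicit, effective "no" passes.
root_login_disabled() {  # $1 = sshd_config file
    val=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
    [ "$val" = "no" ]
}

# /bin/su should be mode 4750 and group-owned by the admin group after dpkg-statoverride.
su_restricted() {  # $1 = path to su, $2 = admin group name
    [ "$(stat -c '%a %G' "$1" 2>/dev/null)" = "4750 $2" ]
}

# sysctl -w only changes the running kernel, so read the live values under
# /proc rather than a config file; both "all" and "default" must be 0.
accept_source_route_off() {  # $1 = proc root, normally /proc
    for c in all default; do
        read -r v 2>/dev/null < "$1/sys/net/ipv4/conf/$c/accept_source_route" || return 1
        [ "$v" = "0" ] || return 1
    done
}

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }

audit_host() {
    report shm_hardened /etc/fstab
    report root_login_disabled /etc/ssh/sshd_config
    report su_restricted /bin/su admin
    report accept_source_route_off /proc
}

case "${1-}" in --run) audit_host ;; esac
```

Run it with --run after making the changes; each check prints PASS or FAIL.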

UFW: basic firewall

previous post: Ubuntu UFW Uncomplicated Firewall Examples

community documentation: https://help.ubuntu.com/community/UFW

server guide: https://help.ubuntu.com/10.04/serverguide/C/firewall.html

ufw manual: http://manpages.ubuntu.com/manpages/lucid/en/man8/ufw.8.html

project wiki: https://wiki.ubuntu.com/UncomplicatedFirewall

nice article: http://savvyadmin.com/ubuntus-ufw/

UFW (Uncomplicated Firewall) provides an easy to understand interface for controlling iptables (iptables in turn controls Netfilter, which is built into the kernel). With just a few commands, your server can control access. Checking status is also easy.

Install and enable Uncomplicated Firewall:

sudo aptitude install -y ufw
sudo ufw enable

Display available UFW commands:

sudo ufw help

Display UFW configuration:

sudo ufw status

Allow SSH and HTTP access to the Apache server:

sudo ufw allow ssh
sudo ufw allow http

In the above example, ports for OpenSSH and Apache were opened by service name (“ssh” and “http”). You can use a port number instead of the service name (like “80” instead of “http”).

See which services are running and which names to use:

The practice here is to open only ports that are in use, that is, ports for which a service is actually running. To see a list of installed services with UFW application profiles, for which you might want to open ports:

sudo ufw app list

To see the list of service names that UFW accepts (as in the “sudo ufw allow ssh” example above):

less /etc/services

Denyhosts: avoid SSH attacks

project: http://denyhosts.sourceforge.net/

Looking at /var/log/auth.log on servers that I manage shows a steady stream of attacks on SSH. I am countering these attacks in a number of ways, starting with denyhosts.

Denyhosts periodically scans /var/log/auth.log for repeated failures to access the system via SSH. It then adds these offenders to /etc/hosts.deny. See the project page for details.

sudo aptitude -y install denyhosts

That does it – the rest is automatic. You can see the IP addresses added to /etc/hosts.deny with:

sudo less /etc/hosts.deny

Tiger: security system scanner

project: http://www.nongnu.org/tiger/

Tiger performs an automated security audit by analyzing files and settings on the system and producing a report that lists what has been analyzed along with warnings, alerts and failures.

The tiger command writes a report of potential security problems to /var/log/tiger. Then use the tigexp command to look up the codes in the report for a detailed explanation and advice on what to do to make the system more secure. The problems tiger considers most serious are marked with FAIL.

It has been a while since Tiger has been updated. It still produces a useful report.

Install tiger:

sudo aptitude -y install tiger

Run tiger to create a report of security issues.

sudo tiger

Use less to view the most recent tiger report:

sudo -i
less /var/log/tiger/`ls -t1 /var/log/tiger | head -1`
exit

Use tigexp to list explanations for FAIL codes:

tigexp dev002f

Google is also helpful, naturally.

Ignore these:

--FAIL-- [dev002f] /dev/fuse has world permissions
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660

Changing permissions for these could cause problems.

Detect attempted intrusions with psad

project: http://www.cipherdyne.org/psad/

Psad is a collection of lightweight daemons that log attempted intrusions, in particular by monitoring iptables log messages.

Installation:

sudo aptitude -y install psad

The daemons will run automatically.

To check current status:

sudo psad -S

You can modify psad settings to e-mail the admin in the event of intrusion detection.

Nmap: port scanning

project: http://nmap.org/

This allows you to see which ports are open, verifying that UFW/iptables is working correctly.

Installing nmap:

sudo aptitude install -y nmap

Port scanning:

nmap -v -sT localhost

SYN Scanning:

sudo nmap -v -sS localhost

scan type explanations: http://nmap.org/book/man-port-scanning-techniques.html

Chkrootkit: check for rootkit presence

project: http://www.chkrootkit.org/

Chkrootkit scans the system for evidence that a rootkit has been installed.

This is a confidence test to be used to test whether your system has been compromised. In a perfect world you would not need this…but in this world, it is good to run periodically.

Installing chkrootkit:

sudo aptitude install -y chkrootkit

Running chkrootkit:

sudo chkrootkit

LogWatch

Ubuntu community documentation: https://help.ubuntu.com/community/Logwatch

The most detailed and informative logs in the world are useless if no one looks at them. Logwatch winnows the deluge to a succinct report…which you will look at. Even so, familiarize yourself with your system’s logs and review them on a regular basis. A daily logwatch habit would be a good start.

Installation:

sudo aptitude -y install logwatch

Usage:

sudo logwatch | less

Ongoing maintenance

Your server is now more secure. Once a week, perform ongoing maintenance.

Updating software:

sudo aptitude update
sudo aptitude safe-upgrade

I prefer the safe-upgrade action because it does not upgrade packages whose dependencies have not yet been upgraded to the required versions.

see: http://wiki.debian.org/Aptitude

Or, you could set up automatic security updates if you cannot do the weekly maintenance. This is not a perfect solution, because then no administrator is monitoring what is being updated and testing after updates. See: https://help.ubuntu.com/10.04/serverguide/C/automatic-updates.html

Check for attempted intrusions:

sudo psad -S

UPDATED: Analyze the system with tiger. Because the tiger reports in /var/log/tiger are owned by root, run these commands one at a time. (This solves a problem some people were having with permissions.)

sudo -i
tiger
grep FAIL /var/log/tiger/`ls -t1 /var/log/tiger | head -1`
exit

In the above, FAILs are pulled from the newest report file with grep. The ls clause in backticks gives grep the name of the newest file in the directory. The sudo -i command lets you run multiple commands as root, ending with exit.

Use tigexp to list explanations for FAIL codes:

tigexp dev002f

Scan ports with nmap:

sudo nmap -v -sS localhost

Check for rootkits

sudo chkrootkit

Look at logs:

sudo logwatch | less

Keep up with trends

visit: http://www.linuxsecurity.com/

Elsewhere

http://www.itsecurity.com/features/ubuntu-secure-install-resource/

http://www.cyberciti.biz/tips/linux-security.html

Ubuntu UFW Uncomplicated Firewall Examples

See also: Securing an Ubuntu Server

UFW community documentation: https://help.ubuntu.com/community/UFW

UFW server documentation: https://help.ubuntu.com/10.04/serverguide/C/firewall.html

UFW page: https://wiki.ubuntu.com/UncomplicatedFirewall

Implementing a basic firewall on your Ubuntu server is simple.

UFW (Uncomplicated Firewall) is a simple configurator for Netfilter, the packet filtering system that is built into the Linux kernel. This will then filter IP packets that arrive at the server by port number. Port numbers are nothing magical, just an integer in the packet header that gets mapped to a service, like your web server. All the packets arriving with a certain port number are mapped to a service.

By default, when you turn on UFW, everything is filtered. Then, with very simple commands, you set rules to allow just the services you are providing. If you are just providing a web server, you would allow only the port needed for that.

Turning UFW on

By default, UFW is turned off. To turn it on:

sudo ufw enable

That is all there is to it. UFW is now running. When your system reboots, UFW will be started automatically.

Allowing SSH

By default, SSH uses port 22. Of course, you can configure OpenSSH to use a different port number…then open that port instead of 22.

sudo ufw allow 22

…or you can use the service name instead of the port number:

sudo ufw allow ssh

…or you can use the service application name instead of the port number:

sudo ufw allow OpenSSH

To get a list of service applications:

sudo ufw app list

The concept to retain is that rules can be set with a port number (22) or service name (ssh) or application name (OpenSSH).

Allowing Apache

By default, HTTP servers use port 80.

sudo ufw allow 80

…or you can use the service name instead of the port number:

sudo ufw allow http

…or you can use the service application name instead of the port number:

sudo ufw allow Apache

View status

To see the current status of UFW on your server:

sudo ufw status verbose

Example output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
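As an added example (not code from the original post), this script compares the ports UFW allows, parsed from saved ufw status output in the format shown above, against the ports that actually have a listening socket, so that rules left over from services you no longer run stand out. It assumes the listeners were captured with ss -ltn and that both outputs were saved to files; the sample captures inside it are constructed, not taken from a real host.

```sh
#!/bin/sh
# Added example, not code from the original post: cross-check the ports UFW
# allows against the ports that are actually listening, so rules left over
# from services you no longer run can be deleted (open only ports you use).
# Assumes `ufw status` text in the format shown above and `ss -ltn` output,
# both saved to files; bind addresses (e.g. 127.0.0.1) are not considered.

# Numeric ports from `ufw status` rows such as "22", "80/tcp", "22 (v6)".
# Profile rules ("OpenSSH") and port ranges are skipped: review those by hand.
ufw_allowed_ports() {  # $1 = saved `ufw status` output
    awk '($2=="ALLOW" || $3=="ALLOW") { split($1, p, "/"); if (p[1] ~ /^[0-9]+$/) print p[1] }' "$1" | sort -u
}

# Ports with a LISTEN socket in `ss -ltn`; the port follows the last ':'.
listening_ports() {  # $1 = saved `ss -ltn` output
    awk '$1=="LISTEN" { n=split($4, a, ":"); print a[n] }' "$1" | sort -u
}

# comm needs both lists in the same (lexical) sort order, which sort -u gives.
port_diff() {  # $1 = comm flag, $2 = ufw file, $3 = ss file
    a=$(mktemp) && l=$(mktemp) || return 1
    ufw_allowed_ports "$2" > "$a"; listening_ports "$3" > "$l"
    comm "$1" "$a" "$l"; rm -f "$a" "$l"
}
stale_rules() { port_diff -23 "$1" "$2"; }          # allowed, nothing listening
unexposed_listeners() { port_diff -13 "$1" "$2"; }  # listening, not allowed

# Constructed sample captures (not from a real host) for a stand-alone run.
write_samples() {  # $1 = directory to write ufw.txt and ss.txt into
    cat > "$1/ufw.txt" <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing)

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
EOF
    cat > "$1/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
EOF
}
```

On a live host, save the two captures with sudo ufw status > ufw.txt and ss -ltn > ss.txt; then stale_rules ufw.txt ss.txt lists allowed ports with no listener (candidates for ufw delete), and unexposed_listeners ufw.txt ss.txt lists listening ports that UFW's default deny keeps closed.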

A little more

The /etc/services (text) file is used to map service names to port numbers. This can be used to find out which ports are mapped to which services. The vast majority of the designations in this file are not implemented on a given system. This file’s main purpose is to allow service applications (programs) to get the port number to use for a service being provided.

Rules can be set with any of the following:

  • port number
  • service name
  • application name

List service names

cat /etc/services

List available application names

sudo ufw app list

List implemented services and assigned ports

sudo lsof -i -nP

List active network connections

sudo netstat -p

UFW Help

Enter:

sudo ufw help

Help output:

Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy