Archive

Articles taggués ‘securite’

How to install PSAD Intrusion Detection on Ubuntu 16.04 LTS server

10/12/2019 Comments off

Source: thefanclub.com

This guide is based on various community forum posts.

This guide is intended as a relatively easy step by step guide to:

  • Install CipherDyne PSAD Intrusion Detection and Log Analysis with iptables on Ubuntu 12.04 LTS or later.
  • psad is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
  • From version 2.2 it also offers full IPv6 support. 

Requirements:

  • Tested on Ubuntu 12.04 LTS – 16.04 LTS server.
  • Should work on most Ubuntu/Debian based ditro’s.

1. Download and install the latest version of PSAD.

  • Download and install the latest version from the Cipherdyne website.
  • Visit the CipherDyne PSAD download page and select the latest source tar archive, as of writing this the latest version is PSAD 2.4.3
  • To download and install the latest version open a Terminal and enter the following :
sudo su
mkdir /tmp/.psad
cd /tmp/.psad
wget http://cipherdyne.org/psad/download/psad-2.4.3.tar.gz
tar -zxvf psad-2.4.3.tar.gz
cd psad-2.4.3
./install.pl 
cd /tmp
rm -R .psad
exit

 

2. Edit the PSAD configuration file. 

  • Three main settings need to be set in the PSAD configuration file before we can complete the install, edit the others as required.
  • open a Terminal Window and enter :
vi /etc/psad/psad.conf
  • EMAIL_ADDRESSES – change this to your email address.
  • HOSTNAME – this is set during install – but double check and change to a FQDN if needed.
  • ENABLE_AUTO_IDS – set this to Y if you could like PSAD to take action – read configuration instructions before setting this to Y.
  • ENABLE_AUTO_IDS_EMAILS – set this to Y if you would like to receive email notifications of intrusions that are detected.

3. Add iptables LOG rules for both IPv4 and IPv6.

  • For an explanation of this step click here.
  • Add the following iptables policies :
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG

4. Reload and update PSAD.

  • To restart, update the signature file and reload PSAD to complete the install open a Terminal Window and enter :
psad -R
psad --sig-update
psad -H
  • To check the status of PSAD, open a Terminal Window and enter :
psad --Status

Lire la suite…

How to Restrict IP Addresses from Accessing your Web Server using .htaccess

17/04/2019 Comments off

If you are running the Apache Web Server or your web hosting provider running Apache based web server, you can use .htaccess configuration file to restrict access to your website. This could be a very important issue from security stand point of view especially if your server is being attacked or hacked from any specific or range of IP addresses.

Now, restricting access method works in two ways. First, you can restrict access to certain IP addresses and allow others. Second, you can restrict access to everyone but few IP addresses only. On this post, I will focus on both method and will try to explain as much as I can.

Restrict Certain IP Addresses

If you want to restrict specific IP addresses from accessing your site, you can use the following lines on your .htaccess file.

order deny,allow
deny from 123.4.5.6
deny from 654.3.2.1
allow from all

These lines above will block “123.4.5.6” and “654.3.2.1” IP addresses from accessing your site. You can add as many IP addresses as you want on this “deny from” list. One interesting fact is, Apache web server gives you lot more flexibility in terms of blocking IP addresses. Take a look at the following lines.

order deny,allow
deny from 123.4.5.
allow from all

If you observe it carefully, you will see that the fourth set of digit is missing on this IP address. It means, if any IP address that matches the first three set of digits will be blocked. So basically anyone with IP address like “123.4.5.1” or “123.4.5.244” won’t be able to access your site as in both IP address matches with the first three (123.4.5.) sets of digits blocked by the Apache web server.

Allow Specific IP Addresses

Think of about a site that you built for a very specific purpose and for very few people, where you do not want everyone to show up. Apache allows you to do that as well.

For an example, lets assume that you built a site that you want one of your friend to be able to access and his IP address is “123.4.5.12”. Simply write the following line on your .htaccess file and you are good to go.

order allow,deny
allow from 123.4.5.12
deny from all

In this case Apache will block all IP addresses except your friends IP address. This is as simple as it can get and I hope you got the basic idea.

Note: On all of my example I used either “allow from all” or “deny from all” at the bottom, this is very important. You must declare either one of these line based on your requirement or things might get little more complicated.

Also remember that all blocked IP addresses would be forwarded or shown an “403 Forbidden” error message. You can definitely customize this message as well but that’s something I will talk about in another post.

Source: iftekhar.net

Categories: Logiciel Tags: , , ,

How to secure SSH login with one-time passwords on Linux

13/04/2019 Comments off

As someone says, security is a not a product, but a process. While SSH protocol itself is cryptographically secure by design, someone can wreak havoc on your SSH service if it is not administered properly, be it weak passwords, compromised keys or outdated SSH client.

As far as SSH authentication is concerned, public key authentication is in general considered more secure than password authentication. However, key authentication is actually not desirable or even less secure if you are logging in from a public or shared computer, where things like stealth keylogger or memory scraper can always a possibility. If you cannot trust the local computer, it is better to use something else. This is when « one-time passwords » come in handy. As the name implies, each one-time password is for single-use only. Such disposable passwords can be safely used in untrusted environments as they cannot be re-used even when they are stolen.

One way to generate disposable passwords is via Google Authenticator. In this tutorial, I am going to demonstrate another way to create one-time passwords for SSH login: OTPW, a one-time password login package. Unlike Google Authenticator, you do not rely on any third party for one-time password generation and verification.

What is OTPW?

OTPW consists of one-time password generator and PAM-integrated verification routines. In OTPW, one-time passwords are generated apriori with the generator, and carried by a user securely (e.g., printed in a paper sheet). Cryptographic hash of the generated passwords are then stored in the SSH server host. When a user logs in with a one-time password, OTPW’s PAM module verifies the password, and invalidates it to prevent re-use.

Step One: Install and Configure OTPW on Linux

Debian, Ubuntu or Linux Mint:

Install OTPW packages with aptget.

$ sudo apt-get install libpam-otpw otpw-bin

Open a PAM configuration file for SSH (/etc/pam.d/sshd) with a text editor, and comment out the following line (to disable password authentication).

#@include common-auth

and add the following two lines (to enable one-time password authentication):

auth       required     pam_otpw.so
session    optional     pam_otpw.so

16775121360_d1f93feefa_b

Fedora or CentOS/RHEL:

OTPW is not available as a prebuilt package on Red Hat based systems. So let’s install OTPW by building it from the source.

First, install prerequites:

$ sudo yum git gcc pam-devel
$ git clone https://www.cl.cam.ac.uk/~mgk25/git/otpw
$ cd otpw

Open Makefile with a text editor, and edit a line that starts with « PAMLIB= » as follows.

On 64-bit system:

PAMLIB=/usr/lib64/security

On 32-bit system:

PAMLIB=/usr/lib/security

Compile and install it. Note that installation will automatically restart an SSH server. So be ready to be disconnected if you are on an SSH connection.

$ make
$ sudo make install

Now you need to update SELinux policy since /usr/sbin/sshd tries to write to user’s home directory, which is not allowed by default SELinux policy. The following commands will do. If you are not using SELinux, skip this step.

$ sudo grep sshd /var/log/audit/audit.log | audit2allow -M mypol
$ sudo semodule -i mypol.pp

Next, open a PAM configuration file for SSH (/etc/pam.d/sshd) with a text editor, and comment out the following line (to disable password authentication).

#auth       substack     password-auth

and add the following two lines (to enable one-time password authentication):

auth       required     pam_otpw.so
session    optional     pam_otpw.so

Lire la suite…

iptables extension modules

08/04/2019 Comments off

iptables extensions

NAME

iptables-extensions — list of extensions in the standard iptables distribution

SYNOPSIS

ip6tables [-m name [module-options...]] [-j target-name [target-options...]
iptables [-m name [module-options...]] [-j target-name [target-options...]

MATCH EXTENSIONS

iptables can use extended packet matching modules with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module. The extended match modules are evaluated in the order they are specified in the rule.

If the -p or --protocol was specified and if and only if an unknown option is encountered, iptables will try load a match module of the same name as the protocol, to try making the option available.

addrtype

This module matches packets based on their address type. Address types are used within the kernel networking stack and categorize addresses into various groups. The exact definition of that group depends on the specific layer three protocol.

The following address types are possible:

UNSPEC
an unspecified address (i.e. 0.0.0.0)
UNICAST
an unicast address
LOCAL
a local address
BROADCAST
a broadcast address
ANYCAST
an anycast packet
MULTICAST
a multicast address
BLACKHOLE
a blackhole address
UNREACHABLE
an unreachable address
PROHIBIT
a prohibited address
THROW
FIXME
NAT
FIXME
XRESOLVE
[!] --src-type type
Matches if the source address is of given type
[!] --dst-type type
Matches if the destination address is of given type
--limit-iface-in
The address type checking can be limited to the interface the packet is coming in. This option is only valid in the PREROUTING, INPUT and FORWARD chains. It cannot be specified with the –limit-iface-out option.
--limit-iface-out
The address type checking can be limited to the interface the packet is going out. This option is only valid in the POSTROUTING, OUTPUT and FORWARD chains. It cannot be specified with the –limit-iface-in option.

Lire la suite…

Let’s Encrypt

24/03/2019 Comments off

How It Works

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.

No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.

This page describes how to carry out the most common certificate management functions using the Let’s Encrypt client. You’re welcome to use any compatible client, but we only provide instructions for using the client that we provide.

If you’d like to know more about how this works behind the scenes, check out our technical overview.

Installing Let’s Encrypt

Note: Let’s Encrypt is in beta. Please don’t use it unless you’re comfortable with beta software that may contain bugs.

If your operating system includes a packaged copy of letsencrypt, install it from there and use the letsencrypt command. Otherwise, you can use our letsencrypt-auto wrapper script to get a copy quickly:

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help

letsencrypt-auto accepts the same flags as letsencrypt; it installs all of its own dependencies and updates the client code automatically (but it’s comparatively slow and large in order to achieve that).

How To Use The Client

The Let’s Encrypt client supports a number of different “plugins” that can be used to obtain and/or install certificates. A few examples of the options are included below:

If you’re running Apache on a recent Debian-based OS, you can try the Apache plugin, which automates both obtaining and installing certs:

./letsencrypt-auto --apache

On other platforms automatic installation is not yet available, so you will have to use the certonly command. Here are some examples:

To obtain a cert using a “standalone” webserver (you may need to temporarily stop your exising webserver) for example.com and www.example.com:

./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

To obtain a cert using the “webroot” plugin, which can work with the webroot directory of any webserver software:

./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

The this will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.

Lire la suite…

Categories: Système Tags: ,