Archive

Articles taggués ‘Ubuntu’

How to Install and Configure UFW – An Un-complicated FireWall in Debian/Ubuntu

31/03/2019 Comments off

ufw debian ubuntuSince computers are connected to each other, services are growing fast. Email, Social Media, Online Shop, Chat until Web Conferencing are services that used by user. But on the other side this connectivity just likes a double-side knife. It’s also possible to send bad messages to those computers like Virus, malware, trojan-apps are one of them.

Install UFW Firewall

The Internet, as the biggest computer network is not always fill with good people. In order to make sure our computers / servers are safe, we need to protect it.

One of the must have component on your computer / servers is Firewall. From Wikipedia, a definition is:

In computing, a firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analysing the data packets and determining whether they should be allowed through or not, based on applied rule set.

Iptables is one of the firewall that widely used by servers. It is a program used to manage incoming and outgoing traffic in the server based on a set of rules. Generally, only trusted connection is allowed to enter the server. But IPTables is running at console mode and it’s complicated. Those who’re familiar with iptables rules and commands, they can read the following article that describes how to use iptables firewall.

Installation of UFW Firewall in Debian/Ubuntu

To reduce the complexity of how-to setting IPTables, there is a lot of fronted. If you’re running Ubuntu Linux, you will find ufw as a default firewall tool. Lets start to explore about ufw firewall.

What is ufw

The ufw (Uncomplicated Firewall) is an frontend for most widely used iptables firewall and it is well comfortable for host-based firewalls. ufw gives a framework for managing netfilter, as well as provides a command-line interface for controlling the firewall. It provides user friendly and easy to use interface for Linux newbies who are not much familiar with firewall concepts.

While, on the other side same complicated commands helps administrators it set complicated rules using command line interface. The ufw is an upstream for other distributions such as Debian, Ubuntu and Linux Mint.

Basic Usage ufw

First, check if ufw is installed using following command.

$ sudo dpkg --get-selections | grep ufw
ufw 		install

If it’s not installed, you can install it using apt command as shown below.

$ sudo apt-get install ufw

Before you use, you should check whether ufw is running or not. Use the following command to check it.

$ sudo ufw status

If you found Status: inactive, it mean it’s not active or disable.

NEW! An indispensable ebook for every Linux administrator!

Enabling / Disabling ufw

To enable it, you just need to type the following command at the terminal.

$ sudo ufw enable

Firewall is active and enabled on system startup

To disable it, just type.

$ sudo ufw disable

List the current ufw rules

After the firewall is activated you can add your rules into it. If you want to see what are the default rules, you can type.

$ sudo ufw status verbose
Sample Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
$

Lire la suite…

UFW: an Uncomplicated Firewall

30/03/2019 Comments off

Introduction

For an introduction to firewalls, please see Firewall.

UFW – Uncomplicated Firewall

The default firewall configuration tool for Ubuntu is ufw. Developed to easeiptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.

Gufw is a GUI that is available as a frontend.

Basic Syntax and Examples

Default rules are fine for the average home user

When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That’s at least the goal of the Ubuntu developers. In short, all ‘incoming’ is being denied, with some exceptions to make things easier for home users.

Enable and Disable

Enable UFW

To turn UFW on with the default set of rules:

sudo ufw enable

To check the status of UFW:

sudo ufw status verbose

The output should be like this:

youruser@yourcomputer:~$ sudo ufw status verbose
[sudo] password for youruser:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
youruser@yourcomputer:~$

Note that by default, deny is being applied to incoming. There are exceptions, which can be found in the output of this command:

sudo ufw show raw

You can also read the rules files in /etc/ufw (the files whose names end with .rules).

Disable UFW

To disable ufw use:

sudo ufw disable

Lire la suite…

Iptables HowTo

30/03/2019 Comments off

Basic iptables howto

Iptables is a firewall, installed by default on all official Ubuntu distributions (Ubuntu, Kubuntu, Xubuntu). When you install Ubuntu, iptables is there, but it allows all traffic by default. Ubuntu 8.04 Comes with ufw – a program for managing the iptables firewall easily.

There is a wealth of information available about iptables, but much of it is fairly complex, and if you want to do a few basic things, this How To is for you.

Basic Commands

Typing

sudo iptables -L

lists your current rules in iptables. If you have just set up your server, you will have no rules, and you should see

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Basic Iptables Options

Here are explanations for some of the iptables options you will see in this tutorial. Don’t worry about understanding everything here now, but remember to come back and look at this list as you encounter new options later on.

  1. -A – Append this rule to a rule chain. Valid chains for what we’re doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.
  2. -L – List the current filter rules.
  3. -m conntrack – Allow filter rules to match based on connection state. Permits the use of the --ctstate option.
  4. --ctstate – Define the list of states for the rule to match on. Valid states are:
    • NEW – The connection has not yet been seen.
    • RELATED – The connection is new, but is related to another connection already permitted.
    • ESTABLISHED – The connection is already established.
    • INVALID – The traffic couldn’t be identified for some reason.
  5. -m limit – Require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
    1. --limit – The maximum matching rate, given as a number followed by « /second« , « /minute« , « /hour« , or « /day » depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is « 3/hour« .
  6. -p – The connection protocol used.
  7. --dport – The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.
  8. -j – Jump to the specified target. By default, iptables allows four targets:
    1. ACCEPT – Accept the packet and stop processing rules in this chain.
    2. REJECT – Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
    3. DROP – Silently ignore the packet, and stop processing rules in this chain.
    4. LOG – Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
  9. --log-prefix – When logging, put this text before the log message. Use double quotes around the text to use.
  10. --log-level – Log using the specified syslog level. 7 is a good choice unless you specifically need something else.
  11. -i – Only match if the packet is coming in on the specified interface.
  12. -I – Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be.
    1. -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.
  13. -v – Display more information in the output. Useful for if you have rules that look similar without using -v.
  14. -s --source – address[/mask] source specification
  15. -d --destinationaddress[/mask] destination specification
  16. -o --out-interface – output name[ ] network interface name ([ ] for wildcard)

Allowing Established Sessions

We can allow established sessions to receive traffic:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  1. The above rule has no spaces either side of the comma in ESTABLISHED,RELATED

If the line above doesn’t work, you may be on a castrated VPS whose provider has not made available the extension, in which case an inferior version can be used as last resort:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allowing Incoming Traffic on Specific Ports

You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.

To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Referring back to the list above, you can see that this tells iptables:

  1. append this rule to the input chain (-A INPUT) so we look at incoming traffic
  2. check to see if it is TCP (-p tcp).
  3. if so, check to see if the input goes to the SSH port (–dport ssh).
  4. if so, accept the input (-j ACCEPT).

Lets check the rules: (only the first few lines shown, you will see more)

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Now, let’s allow all incoming web traffic

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Checking our rules, we have

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www

We have specifically allowed tcp traffic to the ssh and web ports, but as we have not blocked anything, all traffic can still come in.

Lire la suite…

Categories: Réseau, Sécurité Tags: , ,

How to secure an Ubuntu 12.04 LTS server – Part 2 The GUI installer script

22/03/2019 Comments off

Source: The Fan Club

This guide is based on various community forum posts and webpages. Special thanks to all. All comments and improvements are very welcome as this is purely a personal experimental project at this point and must be considered a work in progress.

The Ubuntu Server Secure script:

  • The Ubuntu Server Secure script is set of GUI security administration tools to harden and audit the security on an Ubuntu 12.04 LTS server by using a GUI shell script to install and configure various security features found in How to secure an Ubuntu 12.04 LTS server – Part 1 The Basics.
  • This script was done as an experiment in using Zenity to create a interactive Gnome Gtk+ GUI installer.
  • Zenity is a great tool for creating a simple yet powerful GUI user interface on top of bash like shell script very quickly.

Requirements:

  • Ubuntu 12.04 LTS server with a standard LAMP stack installed.
  • Unity or Gnome Desktop installed.
  • Zenity installed. (Zenity installed by default in Ubuntu 12.04 LTS Desktop)

Lire la suite…

How to secure an Ubuntu 16.04 LTS server – Part 1 The Basics

21/03/2019 Comments off

Source: The Fan Club

This guide is based on various community forum posts and webpages. Special thanks to all. All comments and improvements are very welcome as this is purely a personal experimental project at this point and must be considered a work in progress.

This guide is intended as a relatively easy step by step guide to:

Harden the security on an Ubuntu 16.04 LTS server by installing and configuring the following:

  1. Install and configure Firewall – ufw
  2. Secure shared memory – fstab
  3. SSH – Key based login, disable root login and change port
  4. Apache SSL – Disable SSL v3 support
  5. Protect su by limiting access only to admin group
  6. Harden network with sysctl settings
  7. Disable Open DNS Recursion and Remove Version Info  – Bind9 DNS
  8. Prevent IP Spoofing
  9. Harden PHP for security
  10. Restrict Apache Information Leakage
  11. Install and configure Apache application firewall – ModSecurity
  12. Protect from DDOS (Denial of Service) attacks with ModEvasive
  13. Scan logs and ban suspicious hosts – DenyHosts and Fail2Ban
  14. Intrusion Detection – PSAD
  15. Check for RootKits – RKHunter and CHKRootKit
  16. Scan open Ports – Nmap
  17. Analyse system LOG files – LogWatch
  18. Apparmor –  Application Armor
  19. Audit your system security – Tiger and Tripwire

Requirements:

  • Ubuntu 16.04 LTS or later server with a standard LAMP stack installed.

1. Firewall – UFW

  • A good place to start is to install a Firewall.
  • UFW – Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool – gufw, or use  Shorewall, fwbuilder, or Firestarter.
  • Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide,  UFW manual pages or the Ubuntu UFW community documentation.
  • Install UFW and enable, open a terminal window and enter :
sudo apt-get install ufw
  • Allow SSH and Http services.
sudo ufw allow ssh
sudo ufw allow http
  • Enable the firewall.
sudo ufw enable
  • Check the status of the firewall.
sudo ufw status verbose

2. Secure shared memory.

  • Shared memory can be used in an attack against a running service. Modify /etc/fstab to make it more secure.
  • Open a Terminal Window and enter the following :
sudo vi /etc/fstab
  • Add the following line and save. You will need to reboot for this setting to take effect :
  • Note : This only is works in Ubuntu 12.10 or later – For earlier Ubuntu versions replace /run/shm with /dev/shm 
  • Save and Reboot when done
tmpfs     /run/shm     tmpfs     defaults,noexec,nosuid     0     0

3. SSH Hardening – key based login, disable root login and change port.

  • The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
  • If you have to use password authentication, the easiest way to secure SSH is to disable root login and change the SSH port to something different than the standard port 22.
  • Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
  • if you change the SSH port keep the port number below 1024 as these are priviledged ports that can only be opened by root or processes running as root.
  • If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
  • Open a Terminal Window and enter :
sudo vi /etc/ssh/sshd_config
  • Change or add the following and save.
Port <ENTER YOUR PORT>
Protocol 2
PermitRootLogin no
DebianBanner no
  • Restart SSH server, open a Terminal Window and enter :
sudo service ssh restart

4. Apache SSL Hardening – disable SSL v2/v3 support.

  • The SSL v2/v3 protocol has been proven to be insecure.
  • We will disable Apache support for the protocol and force the use of the newer protocols.
  • Open a Terminal Window and enter :
sudo vi /etc/apache2/mods-available/ssl.conf
  • Change this line from :
SSLProtocol all -SSLv3
  • To the following and save.
SSLProtocol all -SSLv2 -SSLv3
  • Restart the Apache server, open a Terminal Window and enter :
sudo service apache2 restart

5. Protect su by limiting access only to admin group.

  • To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.
  • Add a admin group to the system and add your own admin username to the group by replacing <YOUR ADMIN USERNAME> below with your admin username.
  • Open a terminal window and enter:
sudo groupadd admin
sudo usermod -a -G admin <YOUR ADMIN USERNAME>
sudo dpkg-statoverride --update --add root admin 4750 /bin/su

6. Harden network with sysctl settings.

  • The /etc/sysctl.conf file contain all the sysctl settings.
  • Prevent source routing of incoming packets and log malformed IP’s enter the following in a terminal window:
sudo vi /etc/sysctl.conf
  • Edit the /etc/sysctl.conf file and un-comment or add the following lines :
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0 
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0 
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
  • To reload sysctl with the latest changes, enter:
sudo sysctl -p

7. Disable Open DNS Recursion and Remove Version Info  – BIND DNS Server.

  • Open a Terminal and enter the following :
sudo vi /etc/bind/named.conf.options
  • Add the following to the Options section :
recursion no;
version "Not Disclosed";
  • Restart BIND DNS server. Open a Terminal and enter the following :
sudo service bind9 restart

8. Prevent IP Spoofing.

  • Open a Terminal and enter the following :
sudo vi /etc/host.conf
  • Add or edit the following lines :
order bind,hosts
nospoof on

9. Harden PHP for security.

  • Edit the php.ini file :
sudo vi /etc/php5/apache2/php.ini
  • Add or edit the following lines an save :
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
mail.add_x_header = Off
session.name = NEWSESSID
  • Restart Apache server. Open a Terminal and enter the following :
sudo service apache2 restart

10. Restrict Apache Information Leakage.

  • Edit the Apache2 configuration security file :
sudo vi /etc/apache2/conf-available/security.conf
  • Add or edit the following lines and save :
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
Header always unset X-Powered-By
FileETag None
  • Restart Apache server. Open a Terminal and enter the following :
sudo service apache2 restart

11. Web Application Firewall – ModSecurity.

12. Protect from DDOS (Denial of Service) attacks – ModEvasive

13. Scan logs and ban suspicious hosts – DenyHosts and Fail2Ban.

  • DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
  • Open a Terminal and enter the following :
sudo apt-get install denyhosts
  • After installation edit the configuration file /etc/denyhosts.conf  and change the email, and other settings as required.
  • To edit the admin email settings open a terminal window and enter:
sudo vi /etc/denyhosts.conf
  • Change the following values as required on your server :
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts nobody@localhost
#SYSLOG_REPORT=YES
  • Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.
  • Fail2ban scans log files and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.
  • Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
  • Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).
  • Open a Terminal and enter the following :
sudo apt-get install fail2ban
  • After installation edit the configuration file /etc/fail2ban/jail.local  and create the filter rules as required.
  • To edit the settings open a terminal window and enter:
sudo vi /etc/fail2ban/jail.conf
  • Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true
  • For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.
[sshd]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
  • If you have selected a non-standard SSH port in step 3 then you need to change the port setting in fail2ban from ssh which by default is port 22, to your new port number, for example if you have chosen 1234 then port = 1234
[sshd]

enabled  = true
port     = <ENTER YOUR SSH PORT NUMBER HERE>
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
  • If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.
destemail = root@localhost
  • and change the following line from :
action = %(action_)s
  • to:
action = %(action_mwl)s
  • You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.
sudo vi /etc/fail2ban/jail.local
  • Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge – click here for an example
  • When done with the configuration of Fail2Ban restart the service with :
sudo service fail2ban restart
  • You can also check the status with.
sudo fail2ban-client status

14. Intrusion Detection – PSAD.

  • Cipherdyne PSAD is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
  • To install the latest version from the source files follow these instruction : How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server
  • OR install the older version from the Ubuntu software repositories, open a Terminal and enter the following :
sudo apt-get install psad

15. Check for rootkits – RKHunter and CHKRootKit.

  • Both RKHunter and CHKRootkit basically do the same thing – check your system for rootkits. No harm in using both.
  • Open a Terminal and enter the following :
sudo apt-get install rkhunter chkrootkit
  • To run chkrootkit open a terminal window and enter :
sudo chkrootkit
  • To update and run RKHunter. Open a Terminal and enter the following :
sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check

16. Scan open ports – Nmap.

  • Nmap (« Network Mapper ») is a free and open source utility for network discovery and security auditing.
  • Open a Terminal and enter the following :
sudo apt-get install nmap
  • Scan your system for open ports with :
nmap -v -sT localhost
  • SYN scanning with the following :
sudo nmap -v -sS localhost

17. Analyse system LOG files – LogWatch.

  • Logwatch is a customizable log analysis system. Logwatch parses through your system’s logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.
  • Open a Terminal and enter the following :
sudo apt-get install logwatch libdate-manip-perl
  • To view logwatch output use less :
sudo logwatch | less
  • To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :
sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today' 

18. Apparmor – Application Armor.

sudo apt-get install apparmor apparmor-profiles
  • Check to see if things are running :
sudo apparmor_status

19. Audit your system security – Tiger and Tripwire.

  • Tiger is a security tool that can be use both as a security audit and intrusion detection system.
  • Tripwire is a host-based intrusion detection system (HIDS) that checks file and folder integrity.
  • Open a Terminal and enter the following :
sudo apt-get install tiger tripwire
  • To setup Tripwire good installation guides can be found on Digital Ocean here and on Unixmen here
  • To run tiger enter :
sudo tiger
  • All Tiger output can be found in the /var/log/tiger
  • To view the tiger security reports, open a Terminal and enter the following :
sudo less /var/log/tiger/security.report.*