This is an introduction on how to improve your security of your Linux server. The mentioned applications are available for Ubuntu 16.04 and newer.
CSF Firewall
This is a firewall with extensive features such as notifications about SSH access, DDOS protection and more. It is not available in the apt package manager in contrast to the firewall "ufw".
These packages are required before you install this application:
apt-get install e2fsprogs libwww-perlYou can download the application from this URL:
wget http://download.configserver.com/csf.tgzDisable "ufw" or your existing firewall of your operating system. Unpack the downloaded folder and change to that folder.
sh install.shYou can configure the application in this config file:
/etc/csf/csf.conf
Change this line to this value, if you do want to activate the firewall:
TESTING = "0"All ports are blocked except the ones you mentioned in your config file. You can unblock TCP or UDP ports incoming or outcoming connections. Example:
TCP_IN: 22,53
TCP_OUT: 22,53,80,113,443
UPD_IN: 53
UPD_OUT: 53,113,123If you did do changes in your config files, then please restart the "csf" firewall with this command:
csf -r
Change your SSH port to a high and random port number
vim /etc/ssh/sshd_config
And add also these settings:
Protocol 2
X11Forwarding no
IgnoreRhosts yes
UseDNS yes
PermitEmptyPasswords no
MaxAuthTries 3It is also recommended to use key files instead of passwords for authentication Access to the "root" user should be blocked as well.
Network settings of your operating systems
Add the following settings in the file "syctl.conf" to improve your network security:
vim /etc/sysctl.conf # Disabling IPv6 autoconf in your operating system
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.eth0.autoconf = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.eth0.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.eth0.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.eth0.accept_ra = 0
# Protection against IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignoring ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disabling source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignoring send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Ignoring ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Blocking SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Logging Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignoring Directed pings
net.ipv4.icmp_echo_ignore_all = 1
Port Scanning Detector - PSAD
This application will block ip addresses that are doing suspicious network activities on your server (e.g.: port scanning, etc. ).
apt-get install psad
This application can also be installed from source with the file "install.pl". Check out the website:
http://www.cipherdyne.org/psad/download/
Iptables should log all network activities:
sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG
Edit this file to configure the application:
vim /etc/psad/psad.confEMAIL_ADDRESSES - Change this to your email address.
HOSTNAME - This is set during installation - But change it to the FQDN of your server.
IPT_SYSLOG_FILE - Set this to "/var/log/syslog" or another log files that logs network activities;
ENABLE_AUTO_IDS - Set this to "Y". This will block the ip address that are causing suspicious network activities
ENABLE_AUTO_IDS_EMAILS - OPTIONAL: Set this to "Y", if you would like to receive email notifications of intrusions that are detected.
ALERTING_METHODS - If you want to deactivate email alerts, then set this to "noemail"
Update your application signature and restart the application:
psad --sig-update
psad -R
Intrusion Detection System - Fwsnort
This application does detect network intrusions with the help of signatures that can be downloaded.
apt-get install fwsnortThis application can be installed from source as well. Website: http://www.cipherdyne.org/fwsnort/
Rules database of this application can be manually updated with the following command:
fwsnort --update-rules
Convert all rules into iptables rules. Please check the output of this command as well for more information.
fwsnort --ipt-drop
After that the iptables rules have to be imported to iptables, which will activate the rules:
/var/lib/fwsnort/fwsnort.shThis command can be in a different path.
Add the update commands of "fwsnort" and other security application in to a cronjob.
10 3 * * 6 psad --sig-update && service psad restart
22 3 * * 6 (fwsnort --update-rules && fwsnort --ipt-drop && /var/lib/fwsnort/fwsnort.sh)
Intrusion Detection System for the file system - Tripwire
This application will check the file integrity of important files and other files in your file system. These will detect suspicious changes in your file system.
apt-get install tripwireFollow the installation wizard. Please remember your site key passphrase and local key passphrase, because you will need them later.
Change the file "twcfg.txt" to your needs. Such as the report level ("REPORTLEVEL").
Generate the configuration file with this command:
twadmin -m F -c tw.cfg -S site.key twcfg.txtYou can run this application to perform a check with this command:
tripwire -m c -s -c /etc/tripwire/tw.cfgA daily check script for cron is installed by this application.
Selinux
apt-get install selinux
Adjust the configuration file to your needs.
vim /etc/selinx/configIf you did test this application with your configuration, then change the setting "SELINUX" to the value "enforcing".
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcingYou will get false positives. This is the reason why you should set this setting to the value "permissive", when you are still testing your configuration.
Fail2ban
This application blocks ip addresses for a certain time, after failed login or connection attempts. Every application or service has so called "jails", which check for a certain message patterns in your log file of the respective application.
You can install this application from apt ("apt-get install fail2ban") or from source. Website: https://github.com/fail2ban/fail2ban/releases
Create this config fail to configure your "jails".
vim /etc/fail2ban/jail.localAll settings in this file will be activated by "fail2ban". An example of a "jail":
[ssh]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
SophosAV Anti Virus Scanner
This application has a free version which can be downloaded from this website:
https://secure2.sophos.com/de-de/products/free-tools/sophos-antivirus-for-linux/download.aspx
These are some command, which you will need.
Check If Data Collection By Sophos Is Enabled:
/opt/sophos-av/bin/savconfig query DisableFeedbackDisable Data Collection By Sophos:
/opt/sophos-av/bin/savconfig set DisableFeedback trueEnable Sophos Antivirus daemon on boot:
sudo /opt/sophos-av/bin/savdctl enableOnBoot savdUpdate Sophos Antivirus:
sudo /opt/sophos-av/bin/savupdate
Set email sender for email notification. You will get an email notification, if there is a virus or a problem.
/opt/sophos-av/bin/savconfig set EmailSender Esta dirección de correo electrónico está siendo protegida contra los robots de spam. Necesita tener JavaScript habilitado para poder verlo.
/opt/sophos-av/bin/savconfig set EmailNotifier enabledEnable on-access scanning:
/opt/sophos-av/bin/savdctl enableDisable on-access scanning:
/opt/sophos-av/bin/savdctl disable
Scan Volume Boot Records:
savscan -bs=/dev/sda1
Scan Master Boot Records:
savscan -mbrActivate live protection:
/opt/sophos-av/bin/savconfig set LiveProtection true
Install updates:
/opt/sophos-av/bin/savupdatePlease check also the documentation, if you want to know more about this application:
https://www.sophos.com/medialibrary/pdfs/documentation/savl_9_sgeng.pdf
Update your packages every day automatically
It is important that you update your installed applications on your operating system every day. You can find a shell script, which updates this procedure on "Github":
https://github.com/a-dridi/Linux-Server-Update-Script
Rootkit scanner
It is recommended to use two Rootkit scanners to make it more difficult for Rootkits to hide themselves.
Chrootkit
apt-get install chkrootkit Adjust the configuration file:
vim /etc/default/rkhunterRkhunter
apt-get install rkhunterAdjust the configuration file:
vim /etc/rkhunter.conf
Run Chrootkit and rkhunter in cronjobs (auto. scan with email notification):
30 3 * * * (/usr/sbin/chkrootkit -q 2>&1 | mail -s "[My server] Rootkit Check Chrootkit Ergebnisse" Esta dirección de correo electrónico está siendo protegida contra los robots de spam. Necesita tener JavaScript habilitado para poder verlo.)
50 3 * * * (/usr/bin/rkhunter -c --skip-keypress --rwo 2>&1 | mail -s "[My server] Rootkit Rkhunter Check Ergebnisse" Esta dirección de correo electrónico está siendo protegida contra los robots de spam. Necesita tener JavaScript habilitado para poder verlo.)Run Chrootkit and rkhunter in cronjobs (auto. scan only log file):
30 3 * * * (/usr/sbin/chkrootkit -q 2>&1 > /var/log/chrootkit_scan_results.log)
50 3 * * * (/usr/bin/rkhunter -c --skip-keypress --rwo 2>&1 > /var/log/rkhunter_scan_results.log)
"Tlsdate" instead of "ntp" for time synchronizing
The communication with a time server will not be unencrypted through UDP, if you use this application instead.
apt-get install -y tlsdatePlease check out also my other tutorials, if you want to know more about other applications or commands for your Linux operating system.