This is an introduction to improving the security of your Linux server. The applications mentioned are available for Ubuntu 16.04 and newer.
This is a firewall with extensive features such as notifications about SSH access, DDoS protection and more. Unlike the firewall "ufw", it is not available in the apt package manager.
These packages are required before you install this application:
apt-get install e2fsprogs libwww-perl
You can download the application from this URL:
Disable "ufw" or the existing firewall of your operating system. Unpack the downloaded archive and change into that directory.
You can configure the application in this config file:
Change this line to this value if you want to activate the firewall (the value "1" keeps csf in testing mode, where it is not yet enforcing):
TESTING = "0"
All ports are blocked except the ones you list in your config file. You can open incoming or outgoing TCP and UDP ports. Example:
TCP_IN = "22,53"
TCP_OUT = "22,53,80,113,443"
UDP_IN = "53"
UDP_OUT = "53,113,123"
If you made changes to your config files, restart the "csf" firewall with this command:
Change your SSH port to a high and random port number
Also add these settings:
Protocol 2
X11Forwarding no
IgnoreRhosts yes
UseDNS yes
PermitEmptyPasswords no
MaxAuthTries 3
It is also recommended to use key files instead of passwords for authentication. Access to the "root" user should be blocked as well.
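As an added example (not part of this tutorial), the following POSIX shell script audits an sshd_config against the directives recommended above. It honours sshd's first-match rule, so a hardened duplicate below a permissive line is correctly reported as ineffective, and it also checks PermitRootLogin and PasswordAuthentication, the two directives that implement the key-file and root-access recommendations in the previous paragraph. The sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an sshd_config file
# against the hardening directives recommended above.
# Assumes the usual "Directive value" syntax; lines starting with '#' are ignored.

# Expected directive values, one per line: "Directive expected_value".
# PermitRootLogin/PasswordAuthentication are real sshd directives added here
# to cover the "keys instead of passwords" and "block root" recommendations.
SSHD_EXPECTED='Protocol 2
X11Forwarding no
IgnoreRhosts yes
UseDNS yes
PermitEmptyPasswords no
MaxAuthTries 3
PermitRootLogin no
PasswordAuthentication no'

# Print the effective value of a directive. sshd uses the FIRST match for a
# keyword and ignores later duplicates, so we stop at the first hit.
sshd_effective_value() {
    # $1 = config file, $2 = directive name (sshd keywords are case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Report one line per expected directive: OK, WRONG (with the value found) or MISSING.
sshd_audit() {
    cfg="$1"
    printf '%s\n' "$SSHD_EXPECTED" | while read -r key want; do
        got=$(sshd_effective_value "$cfg" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"
        elif [ "$got" = "$want" ]; then
            echo "OK $key $got"
        else
            echo "WRONG $key $got (want $want)"
        fi
    done
}

# Constructed sample sshd_config (not a real server's file); prints its path.
# Note the duplicated PermitRootLogin: only the first line ("yes") takes effect.
sshd_sample_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Sample configuration (constructed)
Port 22
Protocol 2
X11Forwarding yes
IgnoreRhosts yes
UseDNS yes
PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 3
EOF
    echo "$tmp"
}

# Demonstration run; replace the sample path with /etc/ssh/sshd_config on a real host.
demo_cfg=$(sshd_sample_config)
sshd_audit "$demo_cfg"
rm -f "$demo_cfg"
```

Running the script against the sample prints four OK lines, two WRONG lines (X11Forwarding and PermitRootLogin, the latter because the permissive first line wins) and two MISSING lines; only "OK" for every directive means the file matches the recommendations.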
Network settings of your operating system
Add the following settings to the file "sysctl.conf" to improve your network security:
# Disabling IPv6 autoconf in your operating system
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.eth0.autoconf = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.eth0.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.eth0.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.eth0.accept_ra = 0
# Protection against IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignoring ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disabling source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignoring send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Ignoring ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Blocking SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Logging Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignoring directed pings
net.ipv4.icmp_echo_ignore_all = 1
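Editing sysctl.conf changes nothing until the file is applied (at boot or with "sysctl -p"), so the check worth automating is whether the running kernel actually matches the file. The script below is an added example, not part of this tutorial: it parses a sysctl.conf-style file and compares every key with the live value under /proc/sys, reporting keys that have drifted and keys the kernel does not have at all (for instance the net.ipv6.conf.eth0.* entries above on a host without an eth0 interface or with IPv6 disabled). The sample file and the fake /proc/sys tree it runs against are constructed; PROC_SYS_ROOT is a variable introduced here so the same code can be pointed at the real /proc/sys.

```shell
#!/bin/sh
# Added example, not from the original tutorial: compare the values in a
# sysctl.conf-style file with what the running kernel uses.
# Assumes the /proc/sys layout, where net.ipv4.tcp_syncookies is the file
# /proc/sys/net/ipv4/tcp_syncookies. PROC_SYS_ROOT (a name chosen for this
# example) can be pointed at a constructed tree for testing.

PROC_SYS_ROOT="${PROC_SYS_ROOT:-/proc/sys}"

# Normalize "key = value" / "key=value" lines to "key=value";
# comments (full-line and trailing) and blank lines are dropped.
sysctl_parse() {
    awk -F= '
        { sub(/#.*/, "") }
        NF < 2 { next }
        {
            key = $1; val = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key != "") print key "=" val
        }
    ' "$1"
}

# Print the live value of a dotted sysctl key from the /proc/sys tree.
# Prints nothing when the kernel has no such key.
sysctl_live() {
    path="$PROC_SYS_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -f "$path" ]; then head -n 1 "$path"; fi
}

# For every key in the file: OK (live matches), DRIFT (differs) or ABSENT (no such key).
sysctl_drift() {
    sysctl_parse "$1" | while IFS='=' read -r key want; do
        got=$(sysctl_live "$key")
        if [ -z "$got" ]; then
            echo "ABSENT $key (kernel has no such key)"
        elif [ "$got" = "$want" ]; then
            echo "OK $key=$got"
        else
            echo "DRIFT $key live=$got file=$want"
        fi
    done
}

# Constructed sysctl.conf fragment with a few of the settings recommended above.
sysctl_sample_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Constructed fragment of the recommended settings
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts=1   # inline comment
net.ipv6.conf.eth0.accept_ra = 0
EOF
    echo "$tmp"
}

# Constructed stand-in for /proc/sys: rp_filter has drifted, and there is no
# ipv6 tree at all (as on a host with IPv6 disabled). Prints the root path.
sysctl_fake_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/net/ipv4/conf/all"
    echo 1 > "$root/net/ipv4/tcp_syncookies"
    echo 0 > "$root/net/ipv4/conf/all/rp_filter"
    echo 1 > "$root/net/ipv4/icmp_echo_ignore_broadcasts"
    echo "$root"
}

# Demonstration against the fake tree. To audit the real kernel, drop the
# PROC_SYS_ROOT assignment and pass /etc/sysctl.conf to sysctl_drift.
demo_root=$(sysctl_fake_tree)
demo_cfg=$(sysctl_sample_config)
PROC_SYS_ROOT="$demo_root"
sysctl_drift "$demo_cfg"
rm -rf "$demo_root" "$demo_cfg"
```

The demonstration prints two OK lines, one DRIFT line for net.ipv4.conf.all.rp_filter (live 0, file 1) and one ABSENT line for the IPv6 key. A DRIFT line after a reboot means the file was never applied, or another file in /etc/sysctl.d/ or a service overrides it.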
Port Scanning Detector - PSAD
This application blocks IP addresses that perform suspicious network activity against your server (e.g. port scanning).
apt-get install psad
This application can also be installed from source with the file "install.pl". Check out the website:
iptables should log all network traffic, because psad reads these log messages:
sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG
Edit this file to configure the application:
EMAIL_ADDRESSES - Change this to your email address.
HOSTNAME - This is set during installation, but change it to the FQDN of your server.
IPT_SYSLOG_FILE - Set this to "/var/log/syslog" or another log file that receives the iptables log messages.
ENABLE_AUTO_IDS - Set this to "Y". This blocks the IP addresses that cause suspicious network activity.
ENABLE_AUTO_IDS_EMAILS - Optional: set this to "Y" if you would like to receive email notifications about detected intrusions.
ALERTING_METHODS - If you want to deactivate email alerts, set this to "noemail".
Update the application's signatures and restart the application:
psad --sig-update
psad -R
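psad works by reading the iptables LOG lines that the rules above write to syslog. As an added example (not psad's code), here is the simplest form of its port-scan heuristic in POSIX shell: one source address probing many distinct destination ports. The log lines are constructed in the format the iptables LOG target produces (SRC=, DST=, PROTO=, DPT= fields); the threshold for "how many ports is a scan" is a parameter, and ICMP lines, which carry no DPT field, are ignored.

```shell
#!/bin/sh
# Added example, not from psad or the original tutorial: count distinct
# destination ports per source address in iptables LOG lines and report the
# sources above a threshold. Assumes the standard LOG target field names.

# Constructed sample of iptables LOG messages as they appear in syslog
# (shortened; a real line also carries MAC=, TOS=, TTL=, WINDOW= and more).
SAMPLE_IPT_LOG='Mar  3 10:05:01 host kernel: [100.1] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44321 DPT=22 SYN
Mar  3 10:05:01 host kernel: [100.2] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44322 DPT=23 SYN
Mar  3 10:05:01 host kernel: [100.3] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44323 DPT=25 SYN
Mar  3 10:05:02 host kernel: [100.4] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44324 DPT=80 SYN
Mar  3 10:05:02 host kernel: [100.5] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44325 DPT=443 SYN
Mar  3 10:06:10 host kernel: [160.1] IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=40022 DPT=22 SYN
Mar  3 10:06:11 host kernel: [160.2] IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=40023 DPT=22 SYN
Mar  3 10:06:12 host kernel: [160.3] IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=40024 DPT=443 SYN
Mar  3 10:07:00 host kernel: [210.1] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0'

# Read LOG lines on stdin; print "ports source" for every source that hit at
# least $1 distinct destination ports. Repeated hits on one port count once.
scan_suspects() {
    sed -n 's/.*SRC=\([0-9.]*\) .*DPT=\([0-9]*\).*/\1 \2/p' |
        sort -u |
        awk -v min="$1" '
            { ports[$1]++ }
            END { for (s in ports) if (ports[s] >= min) print ports[s], s }
        ' |
        sort
}

# Run the detector over the constructed sample (default threshold: 4 ports).
scan_suspects_from_sample() {
    printf '%s\n' "$SAMPLE_IPT_LOG" | scan_suspects "${1:-4}"
}

scan_suspects_from_sample 4
```

With the default threshold the sample yields only "5 203.0.113.5": 198.51.100.7 touched just two distinct ports despite three log lines, and the ICMP line from 192.0.2.9 never matches. On a real host the input would be the IPT_SYSLOG_FILE configured above, and psad additionally weighs the time window, the ports involved and its signature set before deciding to block.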
Intrusion Detection System - Fwsnort
This application detects network intrusions with the help of signatures that can be downloaded.
apt-get install fwsnort
This application can be installed from source as well. Website: http://www.cipherdyne.org/fwsnort/
The rules database of this application can be updated manually with the following command:
Convert all rules into iptables rules. Check the output of this command as well for more information.
After that, the iptables rules have to be loaded into iptables, which activates them:
This command may be located at a different path on your system.
Add the update commands of "fwsnort" and the other security applications to a cronjob:
10 3 * * 6 psad --sig-update && service psad restart
22 3 * * 6 (fwsnort --update-rules && fwsnort --ipt-drop && /var/lib/fwsnort/fwsnort.sh)
Intrusion Detection System for the file system - Tripwire
This application checks the integrity of important files and other files in your file system and thereby detects suspicious changes.
apt-get install tripwire
Follow the installation wizard. Remember your site key passphrase and local key passphrase, because you will need them later.
Edit the file "twcfg.txt" to your needs, for example the report level ("REPORTLEVEL").
Generate the configuration file with this command:
twadmin -m F -c tw.cfg -S site.key twcfg.txt
You can run this application to perform a check with this command:
tripwire -m c -s -c /etc/tripwire/tw.cfg
A daily check script for cron is installed by this application.
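To make clear what Tripwire's check actually does, here is the idea reduced to two POSIX shell functions, as an added example that is not Tripwire's code: a baseline of SHA-256 digests and file modes is recorded once, and a later run reports files that changed content or permissions, disappeared, or appeared. It assumes GNU coreutils (sha256sum, stat -c, find) and paths without spaces; the demonstration directory and its "tampering" are constructed. Unlike Tripwire, nothing here signs the baseline, which is exactly why Tripwire keeps it under the site and local keys mentioned above.

```shell
#!/bin/sh
# Added example, not Tripwire's code: a minimal file-integrity baseline and
# check. Assumes GNU coreutils and file paths without whitespace (the path is
# the third whitespace-separated field of each baseline line).

# Write "sha256 mode path" for every regular file under $1 into baseline file $2.
integrity_baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c %a "$f")" "$f"
    done > "$2"
}

# Compare the tree under $1 with baseline $2 and print sorted
# CHANGED / REMOVED / ADDED lines (empty output means no difference).
integrity_check() {
    current=$(mktemp)
    integrity_baseline "$1" "$current"
    awk '
        FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }
        { cur[$3] = $1 " " $2 }
        END {
            for (p in base) {
                if (!(p in cur)) print "REMOVED " p
                else if (base[p] != cur[p]) print "CHANGED " p
            }
            for (p in cur) if (!(p in base)) print "ADDED " p
        }
    ' "$2" "$current" | sort
    rm -f "$current"
}

# Demonstration on a constructed directory: take a baseline, then simulate
# tampering (edit a file, change a mode, delete a file, add a file).
integrity_demo() {
    dir=$(mktemp -d)
    base=$(mktemp)
    echo "root:x:0:0" > "$dir/passwd"
    echo "sshd config" > "$dir/sshd_config"
    echo "127.0.0.1 localhost" > "$dir/hosts"
    chmod 644 "$dir/passwd" "$dir/sshd_config" "$dir/hosts"
    integrity_baseline "$dir" "$base"

    echo "evil:x:0:0" >> "$dir/passwd"      # content change
    chmod 600 "$dir/sshd_config"            # permission change only
    rm "$dir/hosts"                         # removed file
    echo "#!/bin/sh" > "$dir/backdoor.sh"   # new file

    integrity_check "$dir" "$base" | sed "s|$dir/||"
    rm -rf "$dir" "$base"
}

integrity_demo
```

The demonstration prints ADDED backdoor.sh, CHANGED passwd, CHANGED sshd_config and REMOVED hosts. A mode-only change is reported as CHANGED because the mode is part of the baseline line; Tripwire records many more attributes (owner, inode, timestamps) per policy rule.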
apt-get install selinux
Adjust the configuration file to your needs.
Once you have tested this application with your configuration, change the setting "SELINUX" to the value "enforcing".
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
You will get false positives. This is why you should set this setting to the value "permissive" while you are still testing your configuration.
This application blocks IP addresses for a certain time after failed login or connection attempts. Every application or service has a so-called "jail", which checks for certain message patterns in the log file of the respective application.
You can install this application from apt ("apt-get install fail2ban") or from source. Website: https://github.com/fail2ban/fail2ban/releases
Create this config file to configure your "jails".
All settings in this file will be activated by "fail2ban". An example of a "jail":
[ssh]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
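What the jail above does at its core, as an added example in POSIX shell that is not fail2ban's own code: apply the sshd failure pattern to auth.log lines, count failures per source address, and report the addresses that reached maxretry. The auth.log lines are constructed; real fail2ban additionally restricts the count to a findtime window, matches several sshd message variants, and lifts the ban after bantime, none of which is modelled here.

```shell
#!/bin/sh
# Added example, not fail2ban's code: the counting logic of an sshd jail.
# Assumes the standard OpenSSH "Failed password ... from <ip> port <n>" message.

# Constructed sample of /var/log/auth.log lines (not from a real host).
SAMPLE_AUTH_LOG='Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:09 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:00 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:30 host sshd[1212]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Mar  3 10:03:00 host sshd[1215]: Invalid user test from 192.0.2.9 port 33000
Mar  3 10:03:01 host sshd[1215]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Mar  3 10:03:04 host sshd[1215]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Mar  3 10:03:08 host sshd[1215]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2'

# The "filter": read log lines on stdin, print the source IP of every failed
# password attempt, one per line. Successful logins and other lines are ignored.
sshd_failed_ips() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p'
}

# The "jail" decision: print "count ip" for each IP with at least $1 failures.
jail_candidates() {
    maxretry="$1"
    sshd_failed_ips | sort | uniq -c | awk -v max="$maxretry" '$1 >= max { print $1, $2 }'
}

# Run the jail over the constructed sample with the given maxretry (default 3).
ban_list_from_sample() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | jail_candidates "${1:-3}"
}

ban_list_from_sample 3
```

With maxretry = 3 the sample yields 192.0.2.9 and 203.0.113.5; 198.51.100.7 has a single failure next to a successful key login and is left alone. On a real host the input would be the logpath from the jail, and the action would be a firewall rule rather than a printed line.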
SophosAV Anti Virus Scanner
This application has a free version which can be downloaded from this website:
These are some commands which you will need.
Check If Data Collection By Sophos Is Enabled:
/opt/sophos-av/bin/savconfig query DisableFeedback
Disable Data Collection By Sophos:
/opt/sophos-av/bin/savconfig set DisableFeedback true
Enable Sophos Antivirus daemon on boot:
sudo /opt/sophos-av/bin/savdctl enableOnBoot savd
Update Sophos Antivirus:
Set the email sender for email notifications. You will get an email notification if there is a virus or a problem.
Enable on-access scanning:
Disable on-access scanning:
Scan Volume Boot Records:
Scan Master Boot Records:
Activate live protection:
/opt/sophos-av/bin/savconfig set LiveProtection true
Please also check the documentation if you want to know more about this application:
Update your packages every day automatically
It is important that you update the installed applications on your operating system every day. You can find a shell script that performs this procedure on "Github":
It is recommended to use two rootkit scanners, to make it more difficult for rootkits to hide themselves.
apt-get install chkrootkit
Adjust the configuration file:
apt-get install rkhunter
Adjust the configuration file:
Run chkrootkit and rkhunter in cronjobs (automatic scan with email notification):
Run chkrootkit and rkhunter in cronjobs (automatic scan, output only to a log file):
30 3 * * * (/usr/sbin/chkrootkit -q > /var/log/chrootkit_scan_results.log 2>&1)
50 3 * * * (/usr/bin/rkhunter -c --skip-keypress --rwo > /var/log/rkhunter_scan_results.log 2>&1)
"Tlsdate" instead of "ntp" for time synchronization
If you use this application instead, the communication with the time server no longer happens unencrypted over UDP.
apt-get install -y tlsdate
Please also check out my other tutorials if you want to know more about other applications or commands for your Linux operating system.