Linux Security Basics
Note: This is just a short hands-on note from hackersploit's linux security series which can be found here.
Episode 1 - SSH Security Essentials: (disabling direct root login and allowing user login with keys only)
useradd -m -s /bin/bash user
passwd user
vim /etc/ssh/sshd_config (PermitRootLogin no)
sudo systemctl restart ssh
ssh-keygen -t rsa
ssh-copy-id user@ip
vim /etc/ssh/sshd_config (PasswordAuthentication no)
Extra Information from Comments:
--> You may use ed25519 instead of rsa 'cause RSA has kinda dark history and you can disable PAM authentication if they are using SSH Keys with UsePAM no
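The two sshd_config edits above are done by hand in the episode. The script below is an added example (not from the series) that applies them idempotently: it replaces an existing directive whether it is active or commented out, keeps the setting above any Match block (anything placed after a Match line is scoped to that block, a common mistake when appending to the file), and offers an sshd -t check to run before restarting, since a broken sshd_config on restart locks you out. It assumes a POSIX sh with awk; the file paths are examples.

```sh
#!/bin/sh
# Added example (not from the series): apply the Episode 1 sshd_config changes
# idempotently and validate the result before reloading sshd.
# Assumes POSIX sh with awk; sshd_config keywords are matched case-insensitively.

# set_sshd_option FILE KEY VALUE
# Replaces every global "KEY ..." line (active or commented out) with "KEY VALUE",
# inserts it before the first Match block when no global line exists, or appends
# it when the file has no Match block at all.
set_sshd_option() {
  file=$1 key=$2 value=$3
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0; in_match = 0; k = tolower(key) }
    in_match { print; next }
    tolower($0) ~ /^[[:space:]]*match[[:space:]]/ {
      if (!done) { print key " " value; done = 1 }
      in_match = 1; print; next
    }
    tolower($0) ~ ("^[[:space:]]*#?[[:space:]]*" k "([[:space:]]|$)") {
      if (!done) { print key " " value; done = 1 }
      next
    }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden_sshd_config FILE -> the settings Episode 1 relies on
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# check_sshd_config FILE -> non-zero if sshd rejects the file; run this before
# "systemctl restart ssh" so a typo cannot lock you out of the box
check_sshd_config() {
  sshd -t -f "$1"
}

# Stand-alone demo on a constructed file, never on the live /etc/ssh/sshd_config
demo=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
  'Match User backup' '    PasswordAuthentication yes' > "$demo"
harden_sshd_config "$demo"
cat "$demo"
rm -f "$demo"
```

Usage on a real host: copy /etc/ssh/sshd_config aside, run harden_sshd_config on the copy, run check_sshd_config on it, and only then move it into place and restart ssh, keeping an existing session open until a new key-based login has been confirmed.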
Episode 2 - Configuring SUDO Access: (All about locking Root user)
vim /etc/sudoers
sudo visudo
sudo usermod -aG sudo user (groups user)
sudo passwd -l root (-u to unlock again)
sudo chsh -s /usr/sbin/nologin root
sudo vim /etc/passwd (root's shell field, e.g. /bin/bash, can also be edited here directly)
Extra Information from Comments:
--> log all your sudo commands to a separate log file as by default sudo gets logged to syslog files
You can enter the following below in your visudo: Defaults log_host, log_year, logfile="/var/log/sudo.log"
--> For example: There's a need for a user to install software. Allow them to run only RPM or APT or YUM as root without even switching to the root user as shown below. Entered in the sudo config file: usernameHere ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/yum, /bin/rpm . This would allow said user to run sudo apt-get, sudo yum and sudo rpm without any password but would not allow any other commands!
--> In case a user types a wrong password, sudo will display insults on the terminal with the insults parameter. Enter this into your visudo file to enable insults on wrong password attempts: Defaults insults
Doubts:
--> I wonder how sudo -s or sudo -i or sudo su gives access to root by entering the user's password. It should have asked for root's password.
Episode 3 - Apache2 Security:
sudo vim /etc/apache2/apache2.conf
<Directory /var/www>
    AllowOverride None
    Options -Indexes
    ServerSignature Off
</Directory>
sudo htpasswd -c /etc/apache2/.htpasswd user
AuthType Basic
AuthName "bla"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Extra Information from Comments:
--> you should disable signatures globally, rather than specifically for that directory, use security.conf
--> are you sure www-data can only access the wordpress directory? I am pretty sure they can write to and execute from /tmp as well
Episode 4 - Nginx Security:
sudo systemctl enable nginx
sudo htpasswd -c /etc/nginx/.htpasswd user
vim /etc/nginx/nginx.conf
server_tokens off;
proxy_hide_header X-Powered-By;
add_header X-Frame-Options SAMEORIGIN;
# Virtual Host Configs
remove (comment out) include /etc/nginx/conf.d/*.conf;
server {
    listen 80;
    server_name localhost;
    auth_basic "In Progress";
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / {
        root /var/www/html;
        allow all;
    }
}
systemctl restart nginx (or systemctl reload nginx)
Extra Information from Comments:
--> Don't restart nginx after editing its configuration, that'll kill active connections and on websites with high traffic, users will see errors. Instead, do nginx -s reload. With this nginx will start using the updated config without killing active connections. It's preferred to use nginx -t to verify config files have no issues.
Episode 5- UFW: (Uncomplicated Firewall)
sudo ufw status/disable/enable/reset
sudo systemctl status/stop/start ufw
vim /etc/default/ufw
sudo ufw default deny/allow incoming/outgoing
sudo ufw allow ssh/http/https/ftp (or: sudo ufw allow from ip/subnet to any port #)
sudo ufw status numbered
sudo ufw delete #
Extra Information from Comments:
--> It is also worth knowing that some services can write their own rules to the tables and they will be below, which means the rules above will take precedence over them.
Note: Episodes 6-12 aren't currently available on YouTube. To get access to these videos, you need to register here and you will get an email with the link to the videos.
Episode 6 - Brute-force Protection With Fail2ban:
systemctl enable/start/status/stop/disable fail2ban.service
vim /etc/ssh/sshd_config (MaxAuthTries)
vim /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 1
findtime = 300
bantime = 3600
fail2ban-client status sshd
fail2ban-client set sshd banip/unbanip [ip]
hydra -l root -P wordlist ssh://ip -V
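The jail above bans a source after maxretry failures inside a findtime window. The script below is an added example (not from the series or from fail2ban) that emulates that decision over sshd log lines with awk, so you can see which addresses a given maxretry/findtime pair would ban before tuning the jail. The log lines are constructed sample data; the awk only does time-of-day arithmetic, so it assumes all lines fall on the same day.

```sh
#!/bin/sh
# Added example (not from the series): emulate fail2ban's maxretry/findtime
# decision over sshd log lines to see which source addresses a jail would ban.
# The log lines below are constructed sample data, not captured traffic.
SAMPLE_AUTH_LOG='Jan 10 12:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 12:00:09 host sshd[103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 12:01:00 host sshd[104]: Accepted publickey for user from 198.51.100.7 port 50000 ssh2
Jan 10 12:02:00 host sshd[105]: Failed password for user from 198.51.100.7 port 50001 ssh2
Jan 10 12:20:00 host sshd[106]: Failed password for user from 198.51.100.7 port 50002 ssh2
Jan 10 12:40:00 host sshd[107]: Failed password for user from 198.51.100.7 port 50003 ssh2'

# find_ban_candidates MAXRETRY FINDTIME
# Reads syslog-style sshd lines on stdin and prints each source IP that reaches
# MAXRETRY failed logins within any FINDTIME-second window (printed once per IP).
# Assumes all lines fall on the same day (time-of-day arithmetic only).
find_ban_candidates() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":")
      secs = t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      n[ip]++
      ts[ip, n[ip]] = secs
      # count this IP failures inside the sliding window ending at this line
      cnt = 0
      for (j = 1; j <= n[ip]; j++) if (secs - ts[ip, j] <= findtime) cnt++
      if (cnt >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Stand-alone run with the jail values from the notes (maxretry = 1, findtime = 300)
printf '%s\n' "$SAMPLE_AUTH_LOG" | find_ban_candidates 1 300
```

With maxretry = 1 every address with a single failure is banned, including the legitimate user on 198.51.100.7 who mistyped a password; with maxretry = 3 and findtime = 300 only the burst from 203.0.113.5 is caught, while the three widely spaced failures from 198.51.100.7 are not.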
Episode 7 - IPtables- Complete Guide:
iptables -F
iptables -L (--line-numbers)
iptables --policy INPUT/OUTPUT/FORWARD ACCEPT/DROP
iptables -I/-A INPUT -s ip/subnet -j ACCEPT/DROP/REJECT
iptables -D INPUT #
iptables -I INPUT -p tcp/udp --dport 22/80/443 -j ACCEPT/DROP/REJECT
sudo /sbin/iptables-save
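The one-liners above set policies and add rules individually. The script below is an added example (not from the series) that builds the same kind of ruleset in iptables-restore format, which is easier to review and to parse-check before loading. It includes the rule the one-liners leave out: with a DROP policy on INPUT, the conntrack ESTABLISHED,RELATED rule is what lets replies to the server's own outbound connections (apt, DNS) back in, and it has to sit above the per-port rules. The persistence path is an assumption (the one iptables-persistent uses); iptables-save on its own only prints the rules.

```sh
#!/bin/sh
# Added example (not from the series): build an iptables-restore ruleset with a
# default-DROP INPUT policy. Assumes iptables with the conntrack match and an
# iptables-restore that supports --test.

# gen_iptables_rules "PORT [PORT ...]" -> ruleset on stdout (tcp ports to allow)
gen_iptables_rules() {
  ports=$1
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  # must come before any per-port rule: return traffic for the box's own
  # connections and already-accepted sessions is allowed here
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  for p in $ports; do
    case "$p" in
      ''|*[!0-9]*) echo "gen_iptables_rules: bad port '$p'" >&2; return 1 ;;
    esac
    echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo 'COMMIT'
}

# apply_iptables_rules "PORTS" -> parse-check first, then load, then persist.
# /etc/iptables/rules.v4 is the iptables-persistent path (assumption); adjust
# for your distribution.
apply_iptables_rules() {
  rules=$(gen_iptables_rules "$1") || return 1
  printf '%s\n' "$rules" | iptables-restore --test || return 1
  printf '%s\n' "$rules" | iptables-restore || return 1
  iptables-save > /etc/iptables/rules.v4
}

# Stand-alone run: print the ruleset for SSH, HTTP and HTTPS
gen_iptables_rules "22 80 443"
```

Keep the SSH port in the list when applying this remotely; the --test pass catches syntax errors but not a ruleset that is valid and simply locks you out.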
Episode 8 - Configuring Automated Security Updates
apt install unattended-upgrades
systemctl enable unattended-upgrades
vim /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::MailReport "only-on-error";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
vim /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
systemctl restart unattended-upgrades
unattended-upgrades --dry-run --debug
Episode 9 - WordPress Security Guide
apt install certbot
apt install python-certbot-apache
sudo certbot --apache/nginx -d domain.domain
Plugins and measures mentioned: Wordfence, 2FA, Loginizer, Duplicator, XML-RPC, WP Activity Log
chmod 0444 wp-config.php
(in wp-config.php, above the line that loads wp-settings.php)
/** DISABLE FILE EDITING */
define('DISALLOW_FILE_EDIT', true);
require_once ABSPATH . 'wp-settings.php';
chmod 0444 .htaccess
Options -Indexes
<Files *.php>
    deny from all
</Files>
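The file-level hardening in this episode is easy to undo by accident (a plugin update, a restore from backup). The script below is an added example (not from the series) that audits a WordPress directory for the three settings: the wp-config.php permissions, the DISALLOW_FILE_EDIT define, and the <Files *.php> deny block. The notes do not say which directory that .htaccess belongs to; the script assumes wp-content/uploads, the usual place to block PHP execution, and the path passed in is whatever your install uses.

```sh
#!/bin/sh
# Added example (not from the series): audit a WordPress install for the
# file-level settings in the notes. The uploads/.htaccess location for the
# "<Files *.php> deny from all" block is an assumption.

# audit_wp_install DIR -> prints one finding per line; returns 1 if there are any
audit_wp_install() {
  dir=$1 findings=0
  cfg="$dir/wp-config.php"
  if [ ! -f "$cfg" ]; then
    echo "wp-config.php not found under $dir"
    return 1
  fi
  # permission string from ls, e.g. -rw-rw-r--: char 6 = group write, char 9 = other write
  perm=$(ls -ld "$cfg" | cut -c1-10)
  case "$perm" in
    ?????w*|????????w*)
      echo "wp-config.php is group- or world-writable ($perm); notes use chmod 0444"
      findings=$((findings + 1)) ;;
  esac
  if ! grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
    echo "DISALLOW_FILE_EDIT is not set to true in wp-config.php"
    findings=$((findings + 1))
  fi
  ht="$dir/wp-content/uploads/.htaccess"
  if [ ! -f "$ht" ] || ! grep -q '<Files \*\.php>' "$ht"; then
    echo "no <Files *.php> deny rule in wp-content/uploads/.htaccess (assumed location)"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Stand-alone usage: audit_wp_install /var/www/html (path is an example)
if [ $# -ge 1 ]; then
  audit_wp_install "$1"
fi
```

Run it from cron after updates; a non-zero exit with the findings on stdout is enough to alert on.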
Episode 10 - AV and Rootkit Detection
apt install clamav clamav-daemon
systemctl stop clamav-freshclam
systemctl start clamav-daemon.service
freshclam
systemctl start clamav-freshclam.service
clamscan -i -r -v --remove /
apt install clamav clamtk
apt install rkhunter
rkhunter --check
vim /etc/default/rkhunter
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"
Episode 11 - Logs and User Monitoring:
/var/log
auth.log (authentication)
wtmp (last -aiF)
btmp (lastb -adF user)
lastlog -u user
who/whowatch (currently logged in)
top/htop/glances (processes)
Episode 12 - Security Auditing With Lynis
sudo lynis audit system