Linux Server Hardening
This document describes, step by step, how the server was hardened. We used the Metasploitable server, the vulnerable Ubuntu server designed to be hacked, and hardened it. We stopped all unnecessary services and closed all unnecessary ports. We assumed the server to be a web server only; hence only ports 80 and 443 will be open. Then the firewall rules were set, followed by Apache web server hardening, encryption of folders and files, disabling of unwanted users and enforcement of password policies.
Linux Server Hardening - Step by Step
CI6230 Information Systems Security Assignment 2 – Server Hardening
Page 1 of 80
Server Hardening
Loo Chia Feng G1301352L
Sunil Paudel G1400834A
Abdul Rachman G1400808F
Wang Bo G1301325H
Table of Contents
1. Keep the server Up-to-date
2. Ports
3. Firewall
4. Configuring the firewall on Startup
4.1. Save the firewall rules to a file
4.2. Make changes to /etc/network/interfaces
5. Set BIOS Password
6. Setting GRUB Password
7. Disable Alt+Ctrl+Del
8. Apache Web Server hardening
8.1. Basics of Apache Server in Metasploitable2
8.2. Check if Apache web server is running
8.3. Secure and Hardening Apache Web Server
8.3.1. Hide Apache Version and OS Identity from Errors
8.3.2. Restrict access to root and other directories, except only one website named "NewWebsite" (use Allow and Deny), and disable overriding using .htaccess
8.3.3. Disable Directory Listing, Apache's following of Symbolic Links and overriding using .htaccess for the "NewWebsite" folder
8.3.4. Keep updating Apache Regularly
8.3.5. Disable Unnecessary Modules
8.3.6. Run Apache as separate User and Group
8.3.7. Limit Request Size for "NewWebsite"
8.3.8. Limiting the size of an XML Body
8.3.9. Turn off Server Side Includes and CGI Execution for "NewWebsite"
8.3.10. Protect against DDoS attacks and Hardening
8.3.11. Enable Apache Logging
8.3.12. Protect binary and configuration directory permissions for "NewWebsite"
8.3.13. Disable Trace HTTP Request
8.3.14. Restricting Access by IP (set only intranet) can access "NewWebsite" – Designed for example.com
8.3.15. Securing "NewWebsite" with SSL Certificates
9. User and Group hardening
9.1. Change msfadmin password and username
9.2. Change password complexity
9.3. Add user and group
9.4. Force users to change their password upon first login
9.5. Configure Password Aging
9.6. Limit password reuse on Linux
9.7. Verify No Accounts Have Empty Passwords
9.8. Make Sure No Non-Root Accounts Have UID Set To 0
9.9. Restrict User and Group Access
9.9.1. Create and Maintain a Group for All Authorized Users
9.9.2. Restrict Access
9.10. Disable root account
10. Secure /etc/fstab
10.1. Securing /var/tmp
10.2. Securing tmpfs
11. Encrypt File Systems
11.1. Encrypt and decrypt file with password
11.2. Encrypt folder or directory
12. Disable the IPv6 protocol
13. Log Files
13.1. Monitor Suspicious Log Messages with Logwatch
14. Setting AIDE (Advanced Intrusion Detection Environment)
15. Limitations
16. References
1. Keep the server Up-to-date
Command: sudo apt-get update
2. Ports
The IP address of the virtual machine is 10.0.2.15.
The ports are scanned using nmap.
Open ports are shown below:
These ports and services have to be closed. We need to set up rules in the firewall to allow only the http and https services to run and to close all other services.
3. Firewall
The bash script firewall_rules.sh is created as below.
#!/bin/bash
IPT=/sbin/iptables
$IPT -F # flush the previously defined rules
# write the policies now
$IPT -P OUTPUT ACCEPT # allow output
$IPT -P INPUT DROP # default policy for the input chain is drop
$IPT -P FORWARD DROP # default policy for the forward chain is also drop
# allowed inputs
#$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -j ACCEPT -p tcp --dport 80
$IPT -A INPUT -j ACCEPT -p tcp --dport 443
# allow established sessions
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing
#$IPT -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP
# blocking spoofed addresses (external_interface is a placeholder for the real interface name, here eth0)
$IPT -A INPUT -i external_interface -s 192.168.0.0/24 -j REJECT
# limit ping requests
$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
# drop all invalid packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
# stop smurf attacks
$IPT -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
$IPT -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
$IPT -A INPUT -p icmp -m icmp -j DROP
# drop excessive RST packets to avoid smurf attacks
$IPT -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# preventing pings
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
Fig: No firewalls set
Now run the bash script.
Command: sudo bash firewall_rules.sh
After the bash script (which contains the firewall rules) is run, the firewall rules are set and can be viewed using the following command:
Command: sudo iptables -L | less
Fig: Run the bash file and set the firewall rules
Fig: Firewall Rules Set
The ports are scanned again after setting the rules in the firewall, and only two ports are shown:
Service   Port   State
http      80     open
https     443    closed
Fig: nmap after setting the firewall rules
The services telnet and mysql are in filtered state.
Command: nmap -sS -p 23 10.0.2.15
Command: nmap -sS -p 3306 10.0.2.15
If nmap is run to scan all ports, only two ports (80 and 443) are displayed.
If nmap is run to scan a particular port (23 or 3306), it shows that they are filtered.
But if we run netstat, it still shows that the ports (23 and 3306) are listening.
Command: sudo netstat -lpn | grep 23 | less
So we need to stop the services.
Command: sudo /etc/init.d/mysql stop
Let's look at the service (mysql:3306) using netstat.
Command: sudo netstat -lpn | grep 23 | less
Fig: after stopping the service, mysql is no longer shown in netstat
Let's run nmap.
Command: nmap -sS -p 3306 10.0.2.15 | less
The port is still shown as filtered. This shows that there is no need to kill the services individually even though they might be shown as LISTENING when listing the services with netstat: the firewall rules take care of them.
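The document verifies the ruleset by reading iptables -L and re-running nmap. The following added example (not part of the original assignment) audits an iptables-save dump against the intended web-server policy: INPUT and FORWARD default to DROP and only TCP 80 and 443 are accepted. The functions read the dump from standard input, so on the real server it would be run as "sudo iptables-save | firewall_matches_policy '80 443'"; SAMPLE_RULES is a constructed dump, not output captured from the VM.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump against the intended web-server policy.
# Constructed sample dump (not captured from the assignment's VM).
SAMPLE_RULES='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT'

# chain_policy CHAIN < dump : print the default policy of CHAIN (e.g. DROP)
chain_policy() {
    awk -v chain=":$1" '$1 == chain { print $2 }'
}

# accepted_tcp_ports < dump : space-separated, numerically sorted list of the TCP
# destination ports accepted by rules of the form "-A INPUT ... -p tcp ... --dport N ... -j ACCEPT"
accepted_tcp_ports() {
    awk '/^-A INPUT / && / -p tcp / && / -j ACCEPT/ {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# firewall_matches_policy EXPECTED_PORTS < dump : returns 0 if INPUT and FORWARD
# default to DROP and exactly EXPECTED_PORTS (e.g. "80 443") are accepted, 1 otherwise
firewall_matches_policy() {
    dump=$(cat)
    [ "$(printf '%s\n' "$dump" | chain_policy INPUT)" = "DROP" ] || return 1
    [ "$(printf '%s\n' "$dump" | chain_policy FORWARD)" = "DROP" ] || return 1
    [ "$(printf '%s\n' "$dump" | accepted_tcp_ports)" = "$1" ] || return 1
    return 0
}

# Demonstration on the constructed dump
if printf '%s\n' "$SAMPLE_RULES" | firewall_matches_policy "80 443"; then
    echo "ruleset matches the web-server policy (only 80 and 443 open)"
else
    echo "ruleset deviates from the web-server policy"
fi
```

Because the check reads the saved rules rather than the live packet filter, it is also a useful guard after section 4: run it against /etc/iptables.rules before rebooting to make sure the file that will be restored at boot is the one you intended.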
4. Configuring the firewall on Startup
4.1. Save the firewall rules to a file
Command: sudo sh -c "iptables-save > /etc/iptables.rules"
Command: sudo sh -c "iptables-save > /etc/iptables.downrules"
4.2. Make changes to /etc/network/interfaces
We need to make changes to the specific interface. The screenshot below shows that our server has only one interface, eth0, and no wireless.
Command: iwconfig
Now edit /etc/network/interfaces and add the following.
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-restore < /etc/iptables.downrules
Now let's restart the server and check if the iptables rules are configured on startup.
Let's run nmap now. (Kindly note that the IP address has changed because the network adapter has been changed to "host-only".)
5. Set BIOS Password:
Setting the password in the BIOS prevents any unauthorized changes in the BIOS.
To access the BIOS setup screen, edit the virtual machine's configuration (.vmx) and add the following:
bios.forceSetupOnce = "TRUE"
BIOS Password: C16230 (for both User Password and Supervisor Password)
6. Setting GRUB Password
Command: grub-md5-crypt | tee password.txt
Password: C16230
Edit /boot/grub/menu.lst and edit the line as below.
password --md5 $1$XXXXX (the output of grub-md5-crypt, which is stored in the file password.txt)
To prevent everyone except root from reading /boot/grub/menu.lst, use the following command.
Command: sudo chmod 600 /boot/grub/menu.lst
Reboot the system to check if GRUB asks for the password.
Type the password, C16230.
7. Disable Alt+Ctrl+Del
Anyone who has physical access to the keyboard can simply hit Alt+Ctrl+Del and reboot the system.
So edit the file /etc/event.d/control-alt-delete.
Command: sudo vi /etc/event.d/control-alt-delete
Uncomment the line below.
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
8. Apache Web Server hardening
8.1. Basics of Apache Server in Metasploitable2
Document root directory: /var/www
New website directory: /var/www/NewWebsite
Main configuration file: /etc/apache2/apache2.conf
Default HTTP port: 80 TCP
Default HTTPS port: 443 TCP
Test your configuration file settings and syntax: apache2 -t
Check Apache version: apache2 -v
Access log file of the web server: /var/log/apache2/access.log
Error log file of the web server: /var/log/apache2/error.log
Add a sample index.html into the NewWebsite folder once the server is hardened, for testing.
8.2. Check if apache web server is running
Command: ifconfig
The IP address of the current machine is shown below.
Open a browser and enter http://your_ip_address
Apache web server running successfully.
8.3. Secure and Hardening Apache Web Server
8.3.1. Hide Apache Version and OS Identity from Errors
Before
Open a browser and enter http://your_ip_address/abcdef
Implementation
Command: nano /etc/apache2/apache2.conf
Modify the following settings:
ServerSignature Off
ServerTokens Prod
Command: apache2ctl restart
Verification
Refresh the website; the version information is now missing from the error page, as shown in the figure.
8.3.2. Restrict access to root and other directories, except only one website named "NewWebsite" (use Allow and Deny), and disable overriding using .htaccess
Before
Open a browser and enter http://your_ip_address
Implementation
# cd /var/www
# mkdir NewWebsite
# cd NewWebsite
# touch helloworld
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory /> and <Directory "/var/www">:
Options None
Order deny,allow
AllowOverride None
Deny from all
Make sure there is a Directory setting for "/var/www/NewWebsite".
Description of the settings
Options "None" – this option does not allow users to enable any optional features.
Order deny,allow – this is the order in which the "Deny" and "Allow" directives will be processed. Here it will "deny" first and "allow" next.
AllowOverride "None" – this option disables the overriding of any options using .htaccess.
Deny from all – this will deny requests from everybody to the root directory; nobody will be able to access the root directory.
Verification
Refresh the website and you will not be able to view the files in the root folder.
8.3.3. Disable Directory Listing, Apache's following of Symbolic Links and overriding using .htaccess for the "NewWebsite" folder
Before
Open a browser and enter http://your_ip_address/NewWebsite
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory "/var/www/NewWebsite">:
Options -Indexes -FollowSymLinks
AllowOverride None
# apache2ctl restart
Verification
Refresh the website and you will not be able to view the files in the folder.
Place an index.html file inside the NewWebsite folder.
8.3.4. Keep updating Apache Regularly
Before
Command: apache2 -v
Implementation
Command: apt-get install apache2
Verification
Command: apache2 -v
8.3.5. Disable Unnecessary Modules
Before
Find out which modules are loaded into Apache and disable the unneeded ones.
Command: apache2ctl -M
Implementation
Disable mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi and mod_autoindex (if they exist) by running the command a2dismod <module name>.
Command: a2dismod <module name>
Command: apache2ctl restart (execute only once all the modules are disabled)
Verification
For Ubuntu v8.04, mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi and mod_autoindex are not preloaded, so no disabling of these is required.
8.3.6. Run Apache as separate User and Group
Before
The default Apache user and group is www-data.
Implementation
Modify the following settings in /etc/apache2/envvars:
export APACHE_RUN_USER=http-web
export APACHE_RUN_GROUP=http-web
Command: groupadd http-web
Command: useradd -d /var/www/ -g http-web -s /bin/nologin http-web
Command: nano /etc/apache2/envvars
Command: apache2ctl restart
Verification
Proceed again to check that the Apache web server is running.
8.3.7. Limit Request Size for "NewWebsite"
By default Apache has no limit on the total size of an HTTP request, and when you allow large requests on a web server it is possible to become a victim of denial-of-service attacks. We can limit the request size with the Apache directive "LimitRequestBody" inside a Directory tag.
You can set the value in bytes, from 0 (unlimited) to 2147483647 (2GB), that is allowed in a request body. You can set this limit according to your site's needs; suppose you have a site where you allow uploads and you want to limit the upload size for a particular directory.
In this hardening process, we are putting a limit of 500K for this.
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Add the following lines to 000-default.
Command: apache2ctl restart
8.3.8. Limiting the size of an XML Body
The LimitXMLRequestBody directive's default value is 1 million bytes (approx. 1 MB).
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory "/var/www/NewWebsite">:
LimitXMLRequestBody 10485760
Command: apache2ctl restart
8.3.9. Turn off Server Side Includes and CGI Execution for "NewWebsite"
This prevents client-side injection using scripts via the browser.
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory "/var/www/NewWebsite">:
Options -Includes -ExecCGI
Command: apache2ctl restart
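Sections 8.3.2, 8.3.3, 8.3.7, 8.3.8 and 8.3.9 each add a few directives to 000-default, and the screenshots that showed the result are not reproduced here. The following added example (written for this edit, not the assignment's own configuration file) collects those directives into one virtual host so the complete file can be checked with apache2 -t. Assumptions: the 500K limit is written as 512000 bytes, "NewWebsite" itself is reachable by everyone (the document only says a Directory block must exist for it; 8.3.14 later narrows it to the intranet), and the log paths are the Ubuntu defaults. The Order/Allow/Deny syntax is the Apache 2.2 form used on Metasploitable2.

```apache
# Added example: /etc/apache2/sites-enabled/000-default after 8.3.2, 8.3.3, 8.3.7, 8.3.8 and 8.3.9
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    # 8.3.2: the filesystem root: no optional features, no .htaccess overrides, nobody allowed in
    <Directory />
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    # 8.3.2: the document root stays closed too, so http://server/ shows nothing
    <Directory /var/www>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    # The only published site
    <Directory /var/www/NewWebsite>
        # 8.3.3 and 8.3.9: no directory index, no symlink following, no SSI, no CGI
        Options -Indexes -FollowSymLinks -Includes -ExecCGI
        AllowOverride None
        # assumption: open to all clients at this stage (8.3.14 restricts it later)
        Order allow,deny
        Allow from all

        # 8.3.7: cap any request body for this directory at 500K (assumed 512000 bytes)
        LimitRequestBody 512000
        # 8.3.8: the document raises the XML body limit to 10 MiB (Apache's default is 1,000,000 bytes)
        LimitXMLRequestBody 10485760
    </Directory>

    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
```

Because Options entries with a leading minus are merged with the parent's settings, and the parent /var/www block sets Options None, the effective options for NewWebsite are none at all; listing them explicitly documents the intent and survives a later change to the parent block.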
8.3.10. Protect against DDoS attacks and Hardening
Implementation
Command: nano /etc/apache2/apache2.conf
Find the following settings and modify them accordingly.
TimeOut: by default Apache's timeout value is 300 seconds, which makes it vulnerable to the Slowloris attack and DoS. To mitigate this you can lower the timeout value to, say, 60 seconds.
KeepAlive: set to Off to make it one request per connection, which prevents a single PC's connection from DoS attacking.
MaxClients: this directive allows you to set the limit on connections that will be served simultaneously. Every new connection will be queued up after this limit. It is available with both the Prefork and Worker MPMs. Its default value is 256. To mitigate this you can lower the MaxClients value to, say, 20.
KeepAliveTimeout: the amount of time the server will wait for a subsequent request before closing the connection. The default value is 15 seconds. To mitigate this you can lower the KeepAliveTimeout value to, say, 5.
Error responses: by default, Apache does not turn on error responses. In the hardening process, this should be turned off to prevent attackers from knowing what exact error they encountered.
Command: apache2ctl restart
8.3.11. Enable Apache Logging
Apache allows you to log independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the requests made by users that have interacted with your web server.
Implementation
Command: nano /etc/apache2/apache2.conf
Modify the following setting:
LogLevel debug
Log levels
emerg: emergency situations where the system is in an unusable state.
alert: severe situations where action is needed promptly.
crit: important problems that need to be addressed.
error: an error has occurred; something was unsuccessful.
warn: something out of the ordinary happened, but not a cause for concern.
notice: something normal, but worth noting, has happened.
info: an informational message that might be nice to know.
debug: debugging information that can be useful to pinpoint where a problem is occurring.
Verification
Visit the new website again; the logs can be found at
Command: cd /var/log/apache2
Command: nano access.log (website access log)
Command: nano error.log (web server error log)
Command: nano error.log.1 (web server error log) – when the current file is rotated, a new one is created with an incrementing numeric suffix.
8.3.12. Protect binary and configuration directory permissions for "NewWebsite"
Website executables are placed in bin and configuration settings are placed in conf. To protect them from modification by attackers, we restrict the permissions on these folders so that only the owner has full access, the group can read and enter them, and others have no access.
Implementation
Command: cd /var/www/NewWebsite
Command: mkdir bin
Command: mkdir conf
Command: chmod -R 750 bin conf
Verification
8.3.13. Disable Trace HTTP Request
Before
Command: telnet localhost 80
TRACE / HTTP/1.1
Host: test
Press Enter twice here.
Implementation
Command: nano /etc/apache2/apache2.conf
Add the following setting:
TraceEnable off
Command: apache2ctl restart
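Sections 8.3.1, 8.3.10, 8.3.11 and 8.3.13 all edit /etc/apache2/apache2.conf, one directive at a time. The following added example (not the assignment's own file) shows those server-wide settings together with the values the document chooses, so that a single diff against the stock file shows the whole hardening. MaxClients is placed in the prefork MPM block, which is where Ubuntu's apache2.conf defines it; that placement is an assumption about the layout of the file.

```apache
# Added example: server-wide settings in /etc/apache2/apache2.conf

# 8.3.1: stop advertising the Apache version and OS on error pages and in the Server header
ServerSignature Off
ServerTokens Prod

# 8.3.10: shorter timeouts and no keep-alive, so a slow or idle client holds a worker briefly
Timeout 60
KeepAlive Off
KeepAliveTimeout 5

# 8.3.10: the document lowers the simultaneous-connection limit from 256 to 20
<IfModule mpm_prefork_module>
    MaxClients 20
</IfModule>

# 8.3.11: verbose error log while the hardening is being verified
LogLevel debug
ErrorLog /var/log/apache2/error.log

# 8.3.13: refuse TRACE so request headers are never echoed back by the server
TraceEnable off
```

Run apache2 -t after editing and before apache2ctl restart; a typo in any of these directives otherwise leaves the server down rather than hardened. LogLevel debug is what the document sets; it is noisy on a busy server and warn is the usual level once verification is finished.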
Verification
Command: telnet localhost 80
TRACE / HTTP/1.1
Host: test
Press Enter twice here.
8.3.14. Restricting Access by IP (set only intranet) can access "NewWebsite" – Designed for example.com
Before
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory "/var/www/NewWebsite">:
Deny from all
Allow from 172.0.0.1
Verification
Running from the outside external network.
8.3.15. Securing "NewWebsite" with SSL Certificates
Before
Implementation
Command: a2enmod ssl
Command: apache2ctl restart
Command: openssl genrsa -des3 -out example.com.key 1024
Command: openssl req -new -key example.com.key -out example.csr
Command: openssl x509 -req -days 365 -in example.csr -signkey example.com.key -out example.crt
Remarks: follow the prompts to fill in the details of your company etc.
SSL certificate created successfully.
Command: nano /etc/apache2/sites-enabled/000-default
Add the following lines to 000-default.
ServerName localhost
SSLEngine on
SSLCertificateFile /etc/apache2/example.crt
SSLCertificateKeyFile /etc/apache2/example.com.key
Command: apache2ctl restart
Remarks: enter the pass phrase that was created during certificate creation.
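The SSL lines in 8.3.15 are added to 000-default without saying which virtual host they belong to, and 8.3.14 narrows "NewWebsite" to the intranet in a separate step. The following added example (written for this edit, not the assignment's own file) shows both as one HTTPS virtual host. It uses the certificate and key paths and the 172.0.0.1 address from the document; it assumes that a2enmod ssl has added "Listen 443" through ports.conf, as it does on a stock Ubuntu install, and that the plain-HTTP virtual host from 8.3.2 remains in the same file.

```apache
# Added example: HTTPS virtual host for "NewWebsite" combining 8.3.14 and 8.3.15
<VirtualHost *:443>
    ServerName localhost
    DocumentRoot /var/www

    # 8.3.15: enable TLS with the self-signed certificate created with openssl
    SSLEngine on
    SSLCertificateFile    /etc/apache2/example.crt
    SSLCertificateKeyFile /etc/apache2/example.com.key

    # Document root stays closed, as in 8.3.2
    <Directory /var/www>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    <Directory /var/www/NewWebsite>
        Options -Indexes -FollowSymLinks -Includes -ExecCGI
        AllowOverride None
        # 8.3.14: deny by default, then allow only the intranet address the document uses
        # (add further intranet ranges to the Allow line as needed)
        Order deny,allow
        Deny from all
        Allow from 172.0.0.1
    </Directory>

    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/ssl_access.log combined
</VirtualHost>
```

With Order deny,allow the Allow directives are evaluated last and win, so a client that matches the Allow line is admitted even though Deny from all precedes it; a client from any other address receives 403, which is the "running from the outside external network" result the verification screenshot shows. Because the key was generated with -des3, Apache prompts for the pass phrase on every restart; keep that in mind before relying on an unattended reboot.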
Verification
- Not added to trusted exceptions
- Added to security trusted exceptions
- Certificate information
9. User and Group hardening
9.1. Change msfadmin password and username
Command: passwd msfadmin
Enter new UNIX password: supply a new password
Retype new UNIX password: supply the same new password
Change the username of msfadmin to suadm.
Command: usermod -l suadm msfadmin
9.2. Change password complexity
Install the libpam-cracklib PAM module to enable cracklib support.
Command: apt-get install libpam-cracklib
Command: nano /etc/pam.d/common-password
Change the lines as highlighted in the screenshot below.
Put the following two lines into the file.
password required pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=1 dcredit=1 ocredit=1
password required pam_unix.so use_authtok nullok sha512
Description
retry=3: prompt the user at most 3 times before returning with an error.
minlen=10: the minimum length allowed for an account password is set to 10 characters. This is the minimum complexity score for a good password, and you are allowed only 2 further attempts through the retry option.
difok=3: how many characters can be the same in the new password relative to the old one. The user will otherwise see the error "BAD PASSWORD: is too similar to the old one".
dcredit=1: must contain at least 1 digit character.
ucredit=1: must contain at least 1 upper-case character.
ocredit=1: must contain at least 1 other (non-alphanumeric) character.
The screenshotafterchanges applied:
9.3. Add user and group
Command: adduser <username>
New UNIX password: supply a password
Retype new UNIX password: supply the same password
List all groups
Command: cat /etc/group
List the users in a group:
Command: members <groupname>
9.4. Force users to change their password upon first login
Use the chage command to force users to change their password upon first login.
Command: chage -d 0 jacklee
Now log in as "jacklee"; the user is forced to change the password.
9.5. Configure Password Aging
Run the following command to change the password aging of user "jacklee".
Command: chage -M 60 -m 7 -W 7 jacklee
-m: the minimum number of days required between password changes, i.e. the number of days before the user is allowed to change his/her password again.
-M: the maximum number of days the password is valid (after that the user is forced to change his/her password).
-W: the number of days before the password is due to expire that the user is warned that his/her password must be changed.
To list the current aging settings, type the chage command as follows:
Command: chage -l jacklee
9.6. Limit password reuse on Linux
Open your /etc/pam.d/common-password file.
Command: nano /etc/pam.d/common-password
Edit/add the password line and append remember=13 to prevent a user from re-using any of his or her last 13 passwords.
password sufficient pam_unix.so use_authtok md5 shadow remember=13
9.7. Verify No Accounts Have Empty Passwords
Command: awk -F: '($2 == "") {print}' /etc/shadow
Lock all empty-password accounts.
Command: passwd -l accountName
9.8. Make Sure No Non-Root Accounts Have UID Set To 0
Only the root account has UID 0 with full permissions to access the system. Type the following command to display all accounts with UID set to 0.
Command: awk -F: '($3 == "0") {print}' /etc/passwd
You should only see one line, as follows:
root:x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure the other accounts are authorized by you to use UID 0.
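The two awk one-liners in 9.7 and 9.8 print matching lines for a human to read. The following added example (not part of the original assignment) wraps them as functions that take the file to inspect as an argument and adds an audit function that reports every finding with the remediation the document prescribes (lock the account, or remove or justify the extra UID 0 entry) and returns non-zero when anything was found, so it can gate a hardening checklist. The passwd and shadow fixtures are constructed for the demonstration, not copied from the VM; on a real host run audit_accounts /etc/passwd /etc/shadow as root.

```shell
#!/bin/sh
# Added example: the checks from 9.7 and 9.8 as reusable functions.

# empty_password_accounts SHADOW_FILE : users whose password field (field 2) is empty
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# uid0_accounts PASSWD_FILE : users whose UID (field 3) is 0
uid0_accounts() {
    awk -F: '$3 == "0" { print $1 }' "$1"
}

# audit_accounts PASSWD_FILE SHADOW_FILE : print one line per finding;
# returns 1 if any finding was made, 0 if the files are clean
audit_accounts() {
    findings=0
    for u in $(uid0_accounts "$1"); do
        [ "$u" = "root" ] && continue
        echo "non-root account with UID 0: $u (delete it or confirm it is authorized)"
        findings=1
    done
    for u in $(empty_password_accounts "$2"); do
        echo "account with empty password: $u (lock it with: passwd -l $u)"
        findings=1
    done
    return $findings
}

# Constructed fixtures (not copied from the assignment's VM): "rogue" duplicates UID 0
# and "guest" has an empty password field. The hashes are placeholders, not real hashes.
TMPDIR_AUDIT=$(mktemp -d)
cat > "$TMPDIR_AUDIT/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
suadm:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
rogue:x:0:0::/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
EOF
cat > "$TMPDIR_AUDIT/shadow" <<'EOF'
root:$1$placeholderhash:16000:0:99999:7:::
suadm:$1$placeholderhash:16000:0:99999:7:::
rogue:$1$placeholderhash:16000:0:99999:7:::
guest::16000:0:99999:7:::
EOF

# Demonstration on the fixtures: prints two findings and reminds the operator to fix them
audit_accounts "$TMPDIR_AUDIT/passwd" "$TMPDIR_AUDIT/shadow" || echo "fix the findings above"
```

Note that passwd -l only locks the password; an account with an SSH key in its home directory can still log in, so after locking, check ~/.ssh/authorized_keys for the affected users as well.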
9.9. Restrict User and Group Access
9.9.1. Create and Maintain a Group for All Authorized Users
Create a group named "normalusers".
Command: groupadd normalusers
Add all authorized users to the apps-only group.
Command: usermod -aG {groupName} {username}
-a: add the user to the supplementary group(s), i.e. appends the user to the current supplementary group list.
-G: a list of supplementary groups which the user is also a member of.
9.9.2. Restrict Access
Now a group of users has been created. Next, use the chgrp command to change the group of /opt/apps/start to the normalusers group.
Command: chgrp normalusers /opt/apps
Disable the file permissions for others.
Command: chmod 0640 /opt/apps
9.10. Disable root account
Disable root login.
Command: sudo passwd -l root
Disable root login over SSH.
Edit the file /etc/ssh/sshd_config and change PermitRootLogin to no.
10. Secure /etc/fstab
Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide a storage place for hackers to execute malicious code, so we have to secure them.
10.1. Securing /var/tmp
Command: sudo vi /etc/fstab
Append the following line:
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
Meanings:
noexec – do not allow execution of any binaries on this partition
nodev – do not allow character or special devices on this partition
nosuid – do not allow SUID/SGID access on this partition (prevents the setuid bit)
10.2. Securing tmpfs
Command: sudo vi /etc/fstab
Append the following:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
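Section 10 names /tmp, /var/tmp and /dev/shm as the directories to secure, and 10.1 and 10.2 add one fstab line each. The following added example (not part of the original assignment) checks an fstab for the nodev, nosuid and noexec options on all three mount points and reports what is missing, which is the review step a practitioner wants before rebooting. It reads the fstab from standard input, so on a real host it is run as fstab_missing_options < /etc/fstab; FSTAB_BEFORE and FSTAB_AFTER are constructed samples, not the VM's file. Run against the "after" sample it still reports /tmp, because the document's bind-mount line secures /var/tmp while /tmp itself remains part of the root filesystem.

```shell
#!/bin/sh
# Added example: audit /etc/fstab for the mount options required in section 10.

# fstab_missing_options < fstab : for each of /tmp, /var/tmp and /dev/shm print
# "<mount> <missing-option>" per required option absent from its options field, or
# "<mount> not-in-fstab" when no line mounts it. Prints nothing when all is in place.
fstab_missing_options() {
    awk '
        BEGIN {
            n = split("/tmp /var/tmp /dev/shm", want, " ")
            m = split("nodev nosuid noexec", opts, " ")
        }
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and incomplete lines
        { mounts[$2] = $4 }                     # field 2 = mount point, field 4 = options
        END {
            for (i = 1; i <= n; i++) {
                mp = want[i]
                if (!(mp in mounts)) { print mp, "not-in-fstab"; continue }
                split(mounts[mp], have, ",")
                split("", seen)
                for (k in have) seen[have[k]] = 1
                for (j = 1; j <= m; j++)
                    if (!(opts[j] in seen)) print mp, opts[j]
            }
        }'
}

# Constructed fstab before hardening: /dev/shm carries only "defaults"
FSTAB_BEFORE='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0000-constructed / ext3 relatime,errors=remount-ro 0 1
tmpfs /dev/shm tmpfs defaults 0 0'

# Constructed fstab after applying the lines from 10.1 and 10.2
FSTAB_AFTER='UUID=0000-constructed / ext3 relatime,errors=remount-ro 0 1
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'

echo "before hardening:"
printf '%s\n' "$FSTAB_BEFORE" | fstab_missing_options
echo "after hardening:"
printf '%s\n' "$FSTAB_AFTER" | fstab_missing_options
```

The check only reads fstab; after "mount -a" or a reboot, confirm the live state with "mount | grep -E '/tmp|/dev/shm'", since an fstab line that never got mounted protects nothing.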
11. Encrypt File Systems
11.1. Encrypt and decrypt file with password
Showing the content of the file
Command: more test.txt
openssl
We used 256-bit AES in CBC mode with a password for this sample; the command will create a new file called test.out.
Command: sudo openssl enc -aes-256-cbc -salt -in test.txt -out test.out
mcrypt
The command creates a new file with the extension .nc and requires a password.
Command: sudo mcrypt test.out
gnupg
Encrypt data and create a digital signature. This command creates a new file with the extension .gpg.
Command: sudo gpg -c test.out.nc
After all the encryption, the files are shown like this.
Command: ls shows all files in the current directory.
Delete the original file and the unnecessary intermediate files if needed. In this sample we used three steps to delete all previous files.
Command: rm filename
Decrypt the file with the last extension using the openssl, mcrypt and gnupg commands. To open one file we need to decrypt three times. Don't forget to remember the password you used when you encrypted the file.
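The openssl step in 11.1 is shown only for encryption, with the password typed interactively. The following added example (not part of the original assignment) performs the same AES-256-CBC encryption and the matching decryption as a round trip that verifies itself, and also confirms that a wrong passphrase does not yield the plaintext. Two deliberate differences from the document's command: -pbkdf2 replaces OpenSSL's legacy one-pass key derivation (this needs OpenSSL 1.1.1 or newer, an assumption about the host), and the passphrase is read from a file with -pass file: so the script runs unattended. The sample plaintext and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: password-based encrypt/decrypt round trip with openssl enc.

WORK=$(mktemp -d)
printf 'constructed sample content for test.txt\n' > "$WORK/test.txt"
printf 'a constructed passphrase, not the one from the document\n' > "$WORK/pass.txt"

# encrypt_file IN OUT PASSFILE : AES-256-CBC, random salt, key derived with PBKDF2
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file IN OUT PASSFILE : reverse of encrypt_file (same KDF options are required)
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}

# roundtrip_ok DIR : returns 0 if encrypt + decrypt reproduces test.txt exactly and a
# wrong passphrase either fails or at least does not reproduce the plaintext
roundtrip_ok() {
    encrypt_file "$1/test.txt" "$1/test.out" "$1/pass.txt" || return 1
    decrypt_file "$1/test.out" "$1/test.dec" "$1/pass.txt" || return 1
    [ "$(cat "$1/test.txt")" = "$(cat "$1/test.dec")" ] || return 1
    printf 'wrong passphrase\n' > "$1/wrong.txt"
    if decrypt_file "$1/test.out" "$1/test.bad" "$1/wrong.txt" 2>/dev/null; then
        [ "$(cat "$1/test.txt")" != "$(cat "$1/test.bad")" ] || return 1
    fi
    return 0
}

if roundtrip_ok "$WORK"; then
    echo "round trip OK: ciphertext in $WORK/test.out"
else
    echo "round trip FAILED"
fi
```

The ciphertext begins with the 8-byte "Salted__" marker followed by the salt; that header is what lets decryption re-derive the same key, so do not strip it. Keep the passphrase file readable only by its owner (chmod 600) if you use this approach on the server rather than typing the passphrase as the document does.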
11.2. Encrypt folder or directory
In this screenshot, the folder can still be accessed using the cd command.
To encrypt a folder or directory, we need to install encfs.
Command: sudo apt-get install encfs
Select the folder and start encrypting it after installing encfs; this requires a password to encrypt. In this sample the folder testing2 is the target.
Command: sudo encfs ~/.testing1 ~/testing2
Check if we can still access the folder after encryption; the result is "permission denied".
In order to access this folder again we can use this:
Command: fusermount -u ~/testing2
12. Disable the IPv6 protocol
To increase browsing speed and security you need to disable the IPv6 protocol, because on Linux it is enabled by default.
Command: sudo vi /etc/modprobe.d/aliases
Find the line "alias net-pf-10 ipv6" and replace it with "alias net-pf-10 off" and "alias ipv6 off", then save and close the file.
13.1. Monitor Suspicious Log Messages with Logwatch
Install logwatch using "sudo apt-get install logwatch".
The configuration shouldn't be edited in the install directory (/usr/share/logwatch). Copy logwatch.conf to /etc/logwatch before editing:
Command: sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
Edit logwatch.conf to put in the e-mail address where you want the report sent:
MailTo = group10@c16230.com
14. Setting AIDE (Advanced Intrusion Detection Environment)
It provides software integrity checking and can detect that intrusions (modification of system binaries) have taken place. It is a replacement for the well-known Tripwire integrity checker.
Install AIDE using the following command:
Command: sudo apt-get install aide
The default configuration is acceptable for many environments.
/etc/aide/aide.conf and /etc/aide/aide.conf.d/ – default AIDE configuration files.
/var/lib/aide/aide.db – default location for the AIDE database.
/var/lib/aide/aide.db.new – default location for a newly-created AIDE database.
15. Limitations
Metasploitable2 is based on Ubuntu 8.04 – Hardy version.
GRUB is 1.5.
16. References
http://www.tecmint.com/apache-security-tips/
http://www.themiddlewareshop.com/2013/09/30/apache-web-server-hardening-and-security/
http://www.petefreitag.com/item/505.cfm
http://www.cyberciti.biz/tips/linux-security.html