Linux Server Hardening - Step by Step

Linux Server Hardening
This document gives the step-by-step hardening of a server. We have used Metasploitable, the deliberately vulnerable Ubuntu server designed to be hacked, and hardened it. We have stopped all unnecessary services and closed their ports. We have assumed the server to be a web server only; hence only ports 80 and 443 are left open. Then the firewall rules have been set, followed by Apache web server hardening, encryption of folders and files, disabling of unwanted users and enforcement of password policies.

CI6230 Information Systems Security Assignment 2 – Server Hardening

Server Hardening
Loo Chia Feng G1301352L
Sunil Paudel G1400834A
Abdul Rachman G1400808F
Wang Bo G1301325H

Table of Contents
1. Keep the server Up-to-date ... 4
2. Ports ... 5
3. Firewall ... 7
4. Configuring the firewall on Startup ... 12
4.1. Save the firewall rules to a file ... 12
4.2. Make changes to /etc/network/interfaces ... 12
5. Set BIOS Password ... 15
6. Setting GRUB Password ... 16
7. Disable Alt+Ctrl+Del ... 18
8. Apache Web Server hardening ... 19
8.1. Basics of Apache Server in Metasploitable2 ... 19
8.2. Check if apache web server is running ... 19
8.3. Secure and Hardening Apache Web Server ... 21
8.3.1. Hide Apache Version and OS Identity from Errors ... 21
8.3.2. Restrict access to root and other directories, except only one website named "NewWebsite" (use Allow and Deny), and disable overriding using .htaccess ... 23
8.3.3. Disable Directory Listing, Apache's following of Symbolic Links and overriding using .htaccess for the "NewWebsite" folder ... 26
8.3.4. Keep updating Apache Regularly ... 28
8.3.5. Disable Unnecessary Modules ... 30
8.3.6. Run Apache as separate User and Group ... 32
8.3.7. Limit Request Size for "NewWebsite" ... 34
8.3.8. Limiting the size of an XML Body ... 35
8.3.9. Turn off Server Side Includes and CGI Execution for "NewWebsite" ... 36
8.3.10. Protect against DDoS attacks and Hardening ... 37
8.3.11. Enable Apache Logging ... 38
8.3.12. Protect binary and configuration directory permissions for "NewWebsite" ... 40
8.3.13. Disable TRACE HTTP Request ... 41
8.3.14. Restricting Access by IP (so only the intranet can access "NewWebsite"), designed for example.com ... 43
8.3.15. Securing "NewWebsite" with SSL Certificates ... 44
9. User and Group hardening ... 51
9.1. Change msfadmin password and username ... 51
9.2. Change password complexity ... 53
9.3. Add user and group ... 56
9.4. Force users to change their password upon first login ... 58
9.5. Configure Password Aging ... 59
9.6. Limit password reuse on Linux ... 60
9.7. Verify No Accounts Have Empty Passwords ... 61
9.8. Make Sure No Non-Root Accounts Have UID Set To 0 ... 62
9.9. Restrict User and Group Access ... 63
9.9.1. Create and Maintain a Group for All Authorized Users ... 63
9.9.2. Restrict Access ... 63
9.10. Disable root account ... 65
10. Secure /etc/fstab ... 66
10.1. Securing /var/tmp ... 66
10.2. Securing tmpfs ... 67
11. Encrypt File Systems ... 68
11.1. Encrypt and decrypt file with password ... 68
11.2. Encrypt folder or directory ... 72
12. Disable the IPv6 protocol ... 74
13. Log Files ... 75
13.1. Monitor Suspicious Log Messages with Logwatch ... 76
14. Setting AIDE (Advanced Intrusion Detection Environment) ... 78
15. Limitations ... 79
16. References ... 80
1. Keep the server Up-to-date
Command: sudo apt-get update

2. Ports
The IP address of the virtual machine is 10.0.2.15. The ports are scanned using nmap. The open ports are shown below:

These ports and services have to be closed. We need to set up rules in the firewall to allow only the http and https services and close all other services.
3. Firewall
The bash script firewall_rules.sh is created as below.

#!/bin/bash
IPT=/sbin/iptables
$IPT -F                     # flushes the previously defined rules
# write the policies now
$IPT -P OUTPUT ACCEPT       # allow the output
$IPT -P INPUT DROP          # default policy for the input chain is drop
$IPT -P FORWARD DROP        # default policy for the forward chain is also drop
# allowed inputs
#$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -j ACCEPT -p tcp --dport 80
$IPT -A INPUT -j ACCEPT -p tcp --dport 443
# Allow established sessions
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing
#$IPT -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP
# Blocking spoofed addresses (external_interface is a placeholder for the real interface name)
$IPT -A INPUT -i external_interface -s 192.168.0.0/24 -j REJECT
# Limit ping requests
$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
# Drop all invalid packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
# Stop smurf attacks
$IPT -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
$IPT -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
$IPT -A INPUT -p icmp -m icmp -j DROP
# Drop excessive RST packets to avoid smurf attacks
$IPT -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# Preventing pings
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

Fig: No firewalls set
Now run the bash script.
Command: sudo bash firewall_rules.sh
After the bash script (which contains the firewall rules) is run, the firewall rules are set and can be viewed using the following command:
Command: sudo iptables -L | less
Fig: Run the bash file and set the firewall rules
Fig: Firewall Rules Set
The ports are scanned again after setting the rules in the firewall, and only two ports are shown:
Service   Port   State
http      80     open
https     443    closed

Fig: nmap after setting the firewall rules
The services telnet and mysql are in the filtered state.
Command: nmap -sS -p 23 10.0.2.15
Command: nmap -sS -p 3306 10.0.2.15
If nmap is run to scan all ports, only two ports (80 and 443) are displayed. If nmap is run to scan a particular port (23 or 3306), it shows that the port is filtered. But if we run netstat, it still shows that the ports (23 and 3306) are listening.
Command: sudo netstat -lpn | grep 23 | less

So we need to stop the services.
Command: sudo /etc/init.d/mysql stop
Let's look at the service (mysql:3306) using netstat.
Command: sudo netstat -lpn | grep 3306 | less
Fig: after killing the service, mysql is not showing in netstat
Let's do the nmap.
Command: nmap -sS -p 3306 10.0.2.15 | less
The port is still shown as filtered. This proves that there is no need to kill the services individually even though they may be shown as LISTENING when listing services with netstat; the firewall rules take care of them.
4. Configuring the firewall on Startup
4.1. Save the firewall rules to a file
Command: sudo sh -c "iptables-save > /etc/iptables.rules"
Command: sudo sh -c "iptables-save > /etc/iptables.downrules"
4.2. Make changes to /etc/network/interfaces
We need to make the changes for the specific interface. The screenshot below shows that our server has only one interface, eth0, and no wireless.
Command: iwconfig
Now edit /etc/network/interfaces and add the following:
- pre-up iptables-restore < /etc/iptables.rules
- post-down iptables-restore < /etc/iptables.downrules

Now let's restart the server and check if the iptables rules are configured on startup. Let's do the nmap now. (Kindly note that the IP address has changed, as the network adapter has been changed to "host-only".)
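As an added example (not part of the original report), the following script audits a saved rule file of the kind written by iptables-save in section 4.1 against the policy the report sets up: INPUT and FORWARD default to DROP, and only TCP ports 80 and 443 accept new connections. It works on a file rather than the live ruleset, so it is exercised here against two constructed samples; the temporary file names and the sample rules are assumptions.

```bash
#!/bin/bash
# Added example, not from the original report: audit an iptables-save file
# (e.g. /etc/iptables.rules from section 4.1) for the web-server-only policy.

# Default policy of a chain in the filter table, e.g. "DROP" for ":INPUT DROP [0:0]".
chain_policy() {            # $1 = rules file, $2 = chain name
    awk -v c=":$2" '
        /^\*/                       { tbl = $1 }      # "*filter", "*nat", ...
        tbl == "*filter" && $1 == c { print $2; exit }' "$1"
}

# Every TCP destination port with an ACCEPT rule in the INPUT chain, one per line.
accepted_tcp_ports() {      # $1 = rules file
    awk '
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--destination-port") print $(i + 1)
        }' "$1" | sort -un
}

# Succeed only if the file matches the intended policy; print each deviation.
check_web_only_rules() {    # $1 = rules file
    f=$1
    rc=0
    for chain in INPUT FORWARD; do
        pol=$(chain_policy "$f" "$chain")
        if [ "$pol" != "DROP" ]; then
            echo "FAIL: $chain default policy is '${pol:-unset}', expected DROP"
            rc=1
        fi
    done
    for port in $(accepted_tcp_ports "$f"); do
        case $port in
            80|443) ;;
            *) echo "FAIL: INPUT accepts new connections on unexpected TCP port $port"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples (not captured from the report's server).
GOOD_RULES=$(mktemp)
BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT

# What the report's firewall_rules.sh amounts to, in iptables-save form.
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
EOF

# Drifted ruleset: INPUT policy reverted to ACCEPT and telnet (23) opened.
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
EOF

for f in "$GOOD_RULES" "$BAD_RULES"; do
    if check_web_only_rules "$f"; then echo "OK: $f matches the web-only policy"; fi
done
```

Run against the real file with `check_web_only_rules /etc/iptables.rules` after a reboot to confirm the rules restored by the pre-up hook are the ones intended.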
5. Set BIOS Password
Setting the password in the BIOS prevents any unauthorized changes in the BIOS. To access the BIOS setup screen, edit the virtual machine's configuration (.vmx) and add the following:
- bios.forceSetupOnce = "TRUE"
- BIOS Password: C16230 (for both User Password and Supervisor Password)

6. Setting GRUB Password
Command: grub-md5-crypt | tee password.txt
- Password: C16230
Edit /boot/grub/menu.lst and add the line below.
- password --md5 $1$XXXXX (the output of grub-md5-crypt, which is stored in the file password.txt)

To prevent everyone except root from reading /boot/grub/menu.lst, use the following command.
Command: sudo chmod 600 /boot/grub/menu.lst
Reboot the system to check if GRUB is asking for the password. Type the password, C16230.

7. Disable Alt+Ctrl+Del
Anyone that has physical access to the keyboard can simply hit Alt+Ctrl+Del and reboot the system. So edit the file /etc/event.d/control-alt-delete.
Command: sudo vi /etc/event.d/control-alt-delete
Uncomment the line below.
- exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
8. Apache Web Server hardening
8.1. Basics of Apache Server in Metasploitable2
- Document root directory: /var/www
- New website directory: /var/www/NewWebsite
- Main configuration file: /etc/apache2/apache2.conf
- Default HTTP port: 80 TCP
- Default HTTPS port: 443 TCP
- Test your configuration file settings and syntax: apache2 -t
- Check the Apache version: apache2 -v
- Access log files of the web server: /var/log/apache2/access_log
- Error log files of the web server: /var/log/apache2/error_log
- Add a sample index.html into the NewWebsite folder once the server is hardened, for testing
8.2. Check if apache web server is running
Command: ifconfig
The IP address of the current machine is shown below.

Open a browser and enter http://your_ip_address
The Apache web server is running successfully.

8.3. Secure and Hardening Apache Web Server
8.3.1. Hide Apache Version and OS Identity from Errors
Before
Open a browser and enter http://your_ip_address/abcdef
Implementation
Command: nano /etc/apache2/apache2.conf
Modify the following settings:
- ServerSignature Off
- ServerTokens Prod
Command: apache2ctl restart

Verification
Refresh the website and the missing information will be shown as in the figure.
8.3.2. Restrict access to root and other directories, except only one website named "NewWebsite" (use Allow and Deny), and disable overriding using .htaccess
Before
Open a browser and enter http://your_ip_address
Implementation
# cd /var/www
# mkdir NewWebsite
# cd NewWebsite
# touch helloworld

Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory /> and <Directory "/var/www">:
- Options None
- Order deny,allow
- AllowOverride None
- Deny from all
- Make sure there is a Directory section for "/var/www/NewWebsite"
Description of the settings
- Options "None": this option will not allow users to enable any optional features.
- Order deny,allow: this is the order in which the "Deny" and "Allow" directives will be processed. Here it will "deny" first and "allow" next.
- AllowOverride "None": this option disables the overriding of any options using .htaccess.
- Deny from all: this will deny requests from everybody to the root directory; nobody will be able to access the root directory.

Verification
Refresh the website and you will not be able to view the files in the root folder.
8.3.3. Disable Directory Listing, Apache's following of Symbolic Links and overriding using .htaccess for the "NewWebsite" folder
Before
Open a browser and enter http://your_ip_address/NewWebsite
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory "/var/www/NewWebsite">:
- Options -Indexes -FollowSymLinks
- AllowOverride None
# apache2ctl restart

Verification
Refresh the website and you will not be able to view the files in the folder. Place an index.html file inside the NewWebsite folder.

8.3.4. Keep updating Apache Regularly
Before
Command: apache2 -v
Implementation
Command: apt-get install apache2

Verification
Command: apache2 -v
8.3.5. Disable Unnecessary Modules
Before
Find out the modules loaded into Apache and disable them.
Command: apache2ctl -M
Implementation
Disable mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi and mod_autoindex (if they exist) by running the command a2dismod <module name>.
Command: a2dismod <module name>
Command: apache2ctl restart (execute only once all the modules are disabled)

Verification
For Ubuntu v8.04, mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi and mod_autoindex are not preloaded, so no disabling is required.

8.3.6. Run Apache as separate User and Group
Before
The default Apache user and group is www-data.
Implementation
Modify the following settings:
- APACHE_RUN_USER=http-web
- APACHE_RUN_GROUP=http-web
Command: groupadd http-web
Command: useradd -d /var/www/ -g http-web -s /bin/nologin http-web
Command: nano /etc/apache2/envvars
Command: apache2ctl restart

Verification
Proceed again to check if the Apache web server is running.
8.3.7. Limit Request Size for "NewWebsite"
By default Apache has no limit on the total size of the HTTP request, i.e. it is unlimited, and when you allow large requests on a web server it is possible that you could be a victim of denial of service attacks. We can limit the request size with the Apache directive "LimitRequestBody" within the Directory tag. You can set the value in bytes from 0 (unlimited) to 2147483647 (2 GB) that are allowed in a request body. You can set this limit according to your site's needs; suppose you have a site where you allow uploads and you want to limit the upload size for a particular directory. In this hardening process, we are putting a limit of 500K for this.
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Add the LimitRequestBody line to 000-default as shown in the screenshot.
Command: apache2ctl restart

8.3.8. Limiting the size of an XML Body
The default value of the LimitXMLRequestBody directive is 1 million bytes (approx. 1 MB).
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory "/var/www/NewWebsite">:
- LimitXMLRequestBody 10485760
Command: apache2ctl restart

8.3.9. Turn off Server Side Includes and CGI Execution for "NewWebsite"
To prevent client-side injection using scripts via the browser.
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory "/var/www/NewWebsite">:
- Options -Includes -ExecCGI
Command: apache2ctl restart

8.3.10. Protect against DDoS attacks and Hardening
Implementation
Command: nano /etc/apache2/apache2.conf
Find the following settings and modify them accordingly.
- TimeOut: by default Apache's timeout value is 300 seconds, which can make it a victim of a Slowloris attack and DoS. To mitigate this you can lower the timeout value to maybe 60 seconds.
- KeepAlive: set to Off to make it one request per connection, which would prevent a DoS attack from a single PC's connection.
- MaxClients: this directive allows you to set the limit on connections that will be served simultaneously. Every new connection will be queued up after this limit. It is available with both the Prefork and Worker MPMs. Its default value is 256. To mitigate this you can lower the MaxClients value to maybe 20.
- KeepAliveTimeout: this is the amount of time the server will wait for a subsequent request before closing the connection. The default value is 15 secs. To mitigate this you can lower the KeepAliveTimeout value to maybe 5.
- Error responses: by default, Apache does not turn on error responses. In the process to harden, this should be turned off to prevent attackers from knowing what exact error they encountered.
Command: apache2ctl restart
8.3.11. Enable Apache Logging
Apache allows you to log independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the commands entered by users that have interacted with your web server.
Implementation
Command: nano /etc/apache2/apache2.conf
Modify the following settings:
- LogLevel debug
Log level descriptions
- emerg: emergency situations where the system is in an unusable state.
- alert: severe situations where action is needed promptly.
- crit: important problems that need to be addressed.
- error: an error has occurred; something was unsuccessful.
- warn: something out of the ordinary happened, but not a cause for concern.
- notice: something normal, but worth noting, has happened.
- info: an informational message that might be nice to know.
- debug: debugging information that can be useful to pinpoint where a problem is occurring.

Verification
Visit the new website again; the logs can be found at:
Command: cd /var/log/apache2
Command: nano access.log (website access log)
Command: nano error.log (web server error log)
Command: nano error.log.1 (web server error log): when the file is full, a new file is automatically created with a numeric +1 incremental numbering of the log file

8.3.12. Protect binary and configuration directory permissions for "NewWebsite"
Website executables are placed in bin and configuration settings are placed in conf. To protect them from modification by attackers, we restrict the permissions of the folders.
Implementation
Command: cd /var/www/NewWebsite
Command: mkdir bin
Command: mkdir conf
Command: chmod -R 750 bin conf
Verification
8.3.13. Disable TRACE HTTP Request
Before
Command: telnet localhost 80
TRACE / HTTP/1.1
Host: test
(press Enter twice here)
Implementation
Command: nano /etc/apache2/apache2.conf
Add the following setting:
- TraceEnable off
Command: apache2ctl restart

Verification
Command: telnet localhost 80
TRACE / HTTP/1.1
Host: test
(press Enter twice here)

8.3.14. Restricting Access by IP (so only the intranet can access "NewWebsite"), designed for example.com
Before
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory "/var/www/NewWebsite">:
- Deny from all
- Allow from 172.0.0.1
Verification
Running from an outside external network
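As an added example (not part of the original report), the following script checks that the global apache2.conf directives from sections 8.3.1, 8.3.10 and 8.3.13 carry the hardened values the report chooses, honouring three things a plain grep misses: directive names are case-insensitive, commented lines do not count, and the last occurrence of a repeated directive wins. It reads a config file, so it is exercised here on two constructed fragments; the file names and sample contents are assumptions, and the Directory-scoped settings of the other 8.3.x sections are out of its scope.

```bash
#!/bin/bash
# Added example, not from the original report: verify the hardened values of
# the global apache2.conf directives from sections 8.3.1, 8.3.10 and 8.3.13.

# Effective value of a single-argument directive: case-insensitive name,
# commented lines ignored, last occurrence wins. Prints nothing if absent.
apache_directive() {        # $1 = config file, $2 = directive name
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == want { val = $2 }
        END { if (val != "") print val }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Directive must equal the expected value (compared case-insensitively).
expect_eq() {               # $1 = file, $2 = directive, $3 = expected value
    got=$(apache_directive "$1" "$2")
    if [ "$(lower "$got")" != "$(lower "$3")" ]; then
        echo "FAIL: $2 is '${got:-unset}', expected $3"
        return 1
    fi
}

# Directive must be set and must not exceed a numeric ceiling.
expect_max() {              # $1 = file, $2 = directive, $3 = maximum
    got=$(apache_directive "$1" "$2")
    if [ -z "$got" ] || [ "$got" -gt "$3" ]; then
        echo "FAIL: $2 is '${got:-unset}', expected at most $3"
        return 1
    fi
}

# The report's target values; succeed only if all of them hold.
check_apache_hardening() {  # $1 = config file
    rc=0
    expect_eq  "$1" ServerTokens     Prod || rc=1   # 8.3.1
    expect_eq  "$1" ServerSignature  Off  || rc=1   # 8.3.1
    expect_eq  "$1" KeepAlive        Off  || rc=1   # 8.3.10
    expect_max "$1" Timeout          60   || rc=1   # 8.3.10
    expect_max "$1" KeepAliveTimeout 5    || rc=1   # 8.3.10
    expect_max "$1" MaxClients       20   || rc=1   # 8.3.10
    expect_eq  "$1" TraceEnable      off  || rc=1   # 8.3.13
    return $rc
}

# Constructed sample fragments (not the report's actual configuration files).
DEFAULT_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$DEFAULT_CONF" "$HARDENED_CONF"' EXIT

# The defaults as the report describes them before hardening; TraceEnable absent.
cat > "$DEFAULT_CONF" <<'EOF'
ServerTokens Full
ServerSignature On
Timeout 300
KeepAlive On
KeepAliveTimeout 15
MaxClients 256
EOF

# Hardened: a stale ServerTokens line is overridden by the later one, a
# commented ServerSignature must be ignored, and traceenable is lower-case.
cat > "$HARDENED_CONF" <<'EOF'
ServerTokens Full
ServerTokens Prod
#ServerSignature On
ServerSignature Off
Timeout 60
KeepAlive Off
KeepAliveTimeout 5
MaxClients 20
traceenable Off
EOF

for f in "$DEFAULT_CONF" "$HARDENED_CONF"; do
    if check_apache_hardening "$f"; then echo "OK: $f has the hardened values"; fi
done
```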
8.3.15. Securing "NewWebsite" with SSL Certificates
Before
Implementation
Command: a2enmod ssl
Command: apache2ctl restart
Command: openssl genrsa -des3 -out example.com.key 1024
Command: openssl req -new -key example.com.key -out example.csr
Command: openssl x509 -req -days 365 -in example.csr -signkey example.com.key -out example.crt
Remarks: follow the instructions to fill in the details of your company etc.

The SSL certificate is created successfully.
Command: nano /etc/apache2/sites-enabled/000-default
Add the following lines to 000-default:
- ServerName localhost
- SSLEngine on
- SSLCertificateFile /etc/apache2/example.crt
- SSLCertificateKeyFile /etc/apache2/example.com.key

Command: apache2ctl restart
Remarks: enter the pass phrase that was created during certificate creation.

Verification
- Not added to trusted exceptions
- Added to security trusted exceptions
- Certificate information
9. User and Group hardening
9.1. Change msfadmin password and username
Command: passwd msfadmin
- Enter new UNIX password: supply a new password
- Retype new UNIX password: supply the same new password
Change the username of msfadmin to suadm:
Command: usermod -l suadm msfadmin
9.2. Change password complexity
Install the libpam-cracklib PAM module to enable cracklib support.
Command: apt-get install libpam-cracklib
Command: nano /etc/pam.d/common-password

Change the lines as highlighted in the screenshot below. Put the following two lines into the file.
- password required pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 dcredit=-1 ocredit=-1
- password required pam_unix.so use_authtok nullok sha512
Description
- retry=3: prompt the user at most 3 times before returning with an error.
- minlen=10: the minimum length allowed for an account password is set to 10 characters. This is the minimum simplicity count for a good password, and you are allowed only 2 further attempts through the retry option.
- difok=3: how many characters can be the same in the new password relative to the old one. The user will see the error: BAD PASSWORD: is too similar to the old one.
- dcredit=-1: must contain at least 1 digit.
- ucredit=-1: must contain at least 1 upper-case character.
- ocredit=-1: must contain at least 1 other (non-alphanumeric) character.

The screenshot after the changes are applied:

9.3. Add user and group
Command: adduser <username>
- New UNIX password: supply a password
- Retype new UNIX password: supply the same password
List all groups:
Command: cat /etc/group

List the users in a group:
Command: members <groupname>

9.4. Force users to change their password upon first login
Use the chage command to force users to change their password upon first login.
Command: chage -d 0 jacklee
Now log in as "jacklee" and you are forced to change the password.

9.5. Configure Password Aging
Run the following command to change the password aging of user "jacklee":
Command: chage -M 60 -m 7 -W 7 jacklee
- -m: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
- -M: the maximum number of days the password is valid (after that the user is forced to change his/her password).
- -W: the number of days before the password is to expire that the user is warned that his/her password must be changed.
To list the current aging, type the chage command as follows:
Command: chage -l jacklee

9.6. Limit password reuse on Linux
Open your /etc/pam.d/common-password file:
Command: nano /etc/pam.d/common-password
Edit/add the password line and append remember=13 to prevent a user from re-using any of his or her last 13 passwords:
- password sufficient pam_unix.so use_authtok md5 shadow remember=13

9.7. Verify No Accounts Have Empty Passwords
Command: awk -F: '($2 == "") {print}' /etc/shadow
Lock all empty-password accounts:
Command: passwd -l accountName

9.8. Make Sure No Non-Root Accounts Have UID Set To 0
Only the root account has UID 0, with full permissions to access the system. Type the following command to display all accounts with UID set to 0.
Command: awk -F: '($3 == "0") {print}' /etc/passwd
You should only see one line, as follows:
- root:x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure the other accounts are authorized by you to use UID 0.

9.9. Restrict User and Group Access
9.9.1. Create and Maintain a Group for All Authorized Users
Create a group named "normalusers":
Command: groupadd normalusers
Add all authorized users to apps only:
Command: usermod -aG {groupName} {username}
- -a: add the user to the supplemental group(s), i.e. append the user to the current supplementary group list.
- -G: a list of supplementary groups of which the user is also a member.
9.9.2. Restrict Access
Now a group of users has been created. Next, use the chgrp command to change the group of /opt/apps/start to the normalusers group:
Command: chgrp normalusers /opt/apps
Disable the file permissions for others:
Command: chmod 0640 /opt/apps
  65. 65. CI6230 Information Systems Security Assignment2– ServerHardening Page 65 of 80 9.10. Disable root account Disable rootlogin Command: sudopasswd -l root Disable rootloginoverSSH Editfile /etc/ssh/sshd_config change PermitRootLogintono
  66. 66. CI6230 Information Systems Security Assignment2– ServerHardening Page 66 of 80 10. Secure /etc/fstab Temporarystorage directoriessuchas/tmp,/var/tmp,and/dev/shmprovidestorage place forthe hackersto execute the maliciouscodes. Sowe have tosecure them. 10.1. Securing /var/tmp Command: sudovi /etc/fstab Appendthe followingline: /tmp/var/tmpnone rw,noexec,nosuid,nodev,bind00 Meanings: noexec– Do notset executionof anybinariesonthispartition nodev - Do notallow character or special devicesonthispartition nosuid – Do not setSUID/SGID accesson thispartition(preventthe setuidbit)
10.2. Securing tmpfs

Command: sudo vi /etc/fstab

Append the following:

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

Apply it without rebooting (mount re-reads the options from /etc/fstab):

Command: sudo mount -o remount /dev/shm
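Because an fstab line only records intent, the check a practitioner wants after section 10 is whether the running kernel actually applied nodev, nosuid and noexec. The following added example (Python, not from the original assignment) reads a /proc/mounts-style listing and reports which required options each temporary directory is missing. The listing below is constructed: /tmp is correct, /var/tmp lacks noexec and /dev/shm lacks nodev; on a real host pass open("/proc/mounts").read().

```python
"""Check that the temporary filesystems from section 10 are really mounted with
nodev,nosuid,noexec, by reading a /proc/mounts-style listing.

Added example, not from the original assignment. The listing below is
constructed: /tmp is correct, /var/tmp is missing noexec and /dev/shm is
missing nodev. On a real host pass open("/proc/mounts").read(), after a
reboot: an fstab line records the intent, /proc/mounts records what the
kernel applied.
"""
from typing import Dict, List, Optional, Sequence

REQUIRED = ("nodev", "nosuid", "noexec")
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def mount_options(mounts_text: str, mountpoint: str) -> Optional[List[str]]:
    """Options of the mount visible at mountpoint, or None if nothing is mounted there.

    /proc/mounts fields are: device mountpoint fstype options dump pass. A later
    mount on the same directory hides an earlier one, so the last match wins.
    """
    opts = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            opts = fields[3].split(",")
    return opts


def check_mounts(mounts_text: str, dirs: Sequence[str] = TEMP_DIRS) -> Dict[str, List[str]]:
    """Map each directory to the required options it lacks (an empty list means ok).

    A directory with no mount of its own is reported as "not-mounted" plus every
    required option, since it then lives on the root filesystem with exec allowed.
    """
    report: Dict[str, List[str]] = {}
    for d in dirs:
        opts = mount_options(mounts_text, d)
        if opts is None:
            report[d] = ["not-mounted", *REQUIRED]
        else:
            report[d] = [o for o in REQUIRED if o not in opts]
    return report


# Constructed /proc/mounts excerpt. A bind mount of /var/tmp onto a tmpfs /tmp
# appears with /tmp's device and filesystem type, not as "none"/"bind".
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,noexec 0 0
"""

if __name__ == "__main__":
    for d, missing in check_mounts(SAMPLE_MOUNTS).items():
        print(d, "ok" if not missing else "missing " + ",".join(missing))
```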
11. Encrypt File Systems

11.1. Encrypt and decrypt a file with a password

Show the content of the file:

Command: more test.txt

openssl

This sample uses 256-bit AES in CBC mode with a password; the command writes a new file called test.out. sudo is not needed for files you own, and running the tools as root only leaves root-owned output files behind.

Command: openssl enc -aes-256-cbc -salt -in test.txt -out test.out

Two caveats apply to this command. Without -pbkdf2 (available from OpenSSL 1.1.1) the key is derived from the password with a single hash pass, which makes offline password guessing cheap, so add -pbkdf2 wherever the installed version supports it. And enc gives confidentiality only, with no integrity check, so a tampered ciphertext decrypts to garbage without any error.
mcrypt

mcrypt prompts for a passphrase and writes a new file with the extension .nc:

Command: mcrypt test.out

gnupg

gpg -c encrypts with a symmetric cipher under a passphrase; it does not create a digital signature (that is gpg -s, which needs a key pair). The command writes a new file with the extension .gpg:

Command: gpg -c test.out.nc
After the three encryption steps the directory holds test.txt, test.out, test.out.nc and test.out.nc.gpg.

Command: ls lists all files in the current directory.

Delete the original plaintext and the intermediate files if they are no longer needed; in this sample that takes three rm commands:

Command: rm filename

rm only unlinks the name; where the plaintext must not be recoverable from the disk, overwrite it first with shred -u (less reliable on journaling or copy-on-write filesystems).
To get the plaintext back, undo the layers in reverse order with gpg -d test.out.nc.gpg > test.out.nc, then mcrypt -d test.out.nc, then openssl enc -d -aes-256-cbc -in test.out -out test.txt (adding -pbkdf2 if it was used when encrypting). Opening one file therefore needs three decryptions, each with its own passphrase, and a forgotten passphrase makes the file unrecoverable. Stacking three tools here only demonstrates each of them; in practice one layer is enough.
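To make the -pbkdf2 caveat from 11.1 concrete, here is an added example in Python (not part of the original assignment) that parses the header openssl enc -salt writes and derives the key and IV both ways: the legacy EVP_BytesToKey derivation the command above uses by default, and the PBKDF2 derivation selected by -pbkdf2. It does not decrypt anything (that would need an AES implementation); the file bytes are constructed, and the password "password" is an assumption for the demonstration.

```python
"""Parse the header of a file produced by `openssl enc -aes-256-cbc -salt` and
derive the key/IV that the two password KDFs would produce.

Added example, not part of the original assignment. It does not decrypt the
file (that needs an AES implementation); it shows what the salt header looks
like and why the legacy key derivation is weak compared with -pbkdf2.
The ciphertext bytes below are constructed, not real openssl output.
"""
import hashlib
from typing import Tuple

MAGIC = b"Salted__"      # 8-byte marker written by `openssl enc -salt`
KEY_LEN, IV_LEN = 32, 16  # aes-256-cbc: 256-bit key, 128-bit block and IV
PBKDF2_ITER = 10000       # openssl's default iteration count for `enc -pbkdf2`


def parse_salted_header(blob: bytes) -> Tuple[bytes, bytes]:
    """Split an openssl enc output file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not an openssl 'Salted__' file")
    return blob[8:16], blob[16:]


def legacy_key_iv(password: bytes, salt: bytes, digest: str = "md5") -> Tuple[bytes, bytes]:
    """EVP_BytesToKey with count=1, the KDF openssl enc uses without -pbkdf2.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), concatenated
    until KEY_LEN + IV_LEN bytes are available. One hash per digest-length of key
    material: cheap for the user and exactly as cheap for a password guesser.
    OpenSSL before 1.1.0 used MD5 here; 1.1.0 and later default to SHA-256.
    """
    out = b""
    prev = b""
    while len(out) < KEY_LEN + IV_LEN:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:KEY_LEN], out[KEY_LEN:KEY_LEN + IV_LEN]


def pbkdf2_key_iv(password: bytes, salt: bytes, iterations: int = PBKDF2_ITER) -> Tuple[bytes, bytes]:
    """Key/IV as derived by `openssl enc -pbkdf2`: PBKDF2-HMAC-SHA256, key then IV."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN + IV_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]


# Constructed sample: header + 8-byte salt + two dummy 16-byte AES blocks.
SAMPLE_FILE = MAGIC + bytes.fromhex("0123456789abcdef") + bytes(32)

if __name__ == "__main__":
    salt, ct = parse_salted_header(SAMPLE_FILE)
    legacy_key, _ = legacy_key_iv(b"password", salt)
    pbkdf2_key, _ = pbkdf2_key_iv(b"password", salt)
    print("salt:", salt.hex(), "ciphertext blocks:", len(ct) // 16)
    print("legacy key:", legacy_key.hex())
    print("pbkdf2 key:", pbkdf2_key.hex())
```

The salt only stops precomputed tables; it does not slow a guess down. With the legacy derivation each guess costs three MD5 calls, with -pbkdf2 it costs 10000 HMAC-SHA256 rounds, which is the whole point of the flag.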
11.2. Encrypt a folder or directory

In this screenshot the folder can still be entered with cd. To encrypt a folder we use encfs:

Command: sudo apt-get install encfs

encfs takes two directories: the first holds the encrypted files on disk, the second is a FUSE mount point where the same files appear decrypted for as long as the mount is active. It asks for a passphrase on first use. In this sample ~/.testing1 is the encrypted store and ~/testing2 the mount point:

Command: encfs ~/.testing1 ~/testing2

Run encfs as the user who will work in the folder, not through sudo: FUSE only admits the user who created the mount, so an encfs started with sudo leaves the mount owned by root and gives the regular user the permission denied seen when checking the folder afterwards.
When finished, unmount the decrypted view so that only the ciphertext in ~/.testing1 remains on disk:

Command: fusermount -u ~/testing2

To access the folder again, run the encfs command above once more and enter the passphrase.
12. Disable the IPv6 protocol

IPv6 is enabled by default on Linux. If the server is not meant to be reached over IPv6, disable it: the iptables rules from section 3 filter IPv4 only (IPv6 needs separate ip6tables rules), so an unused IPv6 stack leaves the services reachable on an unfiltered path. Disabling it also avoids IPv6 lookup delays.

Command: sudo vi /etc/modprobe.d/aliases

Find the line "alias net-pf-10 ipv6" and replace it with "alias net-pf-10 off" and "alias ipv6 off", then save and close the file. The change takes effect on the next boot; verify with cat /proc/net/if_inet6, which should then be empty or absent.
13. Log Files

You need to configure logging and auditing to record hacking and cracking attempts. By default syslog stores its data in the /var/log/ directory. The logs are also where software misconfiguration shows up first.

Common Linux log file names and their use (several of these are Red Hat names; the Debian/Ubuntu equivalents are noted):

- /var/log/messages : general messages and system-related output (Debian/Ubuntu: /var/log/syslog)
- /var/log/auth.log : authentication logs (Red Hat: /var/log/secure)
- /var/log/kern.log : kernel logs
- /var/log/cron.log : cron daemon logs (cron jobs)
- /var/log/maillog : mail server logs (Debian/Ubuntu: /var/log/mail.log)
- /var/log/qmail/ : qmail log directory (more files inside this directory)
- /var/log/httpd/ : Apache access and error log directory (Debian/Ubuntu: /var/log/apache2/)
- /var/log/lighttpd/ : lighttpd access and error log directory
- /var/log/boot.log : system boot log
- /var/log/mysqld.log : MySQL database server log file
- /var/log/utmp or /var/log/wtmp : login records (binary; read with who and last)
- /var/log/yum.log : yum command log file (Debian/Ubuntu: /var/log/dpkg.log)

Local logs are the first thing an intruder with root cleans up, so on a production server also forward them to a separate log host.
13.1. Monitor Suspicious Log Messages with Logwatch

Install logwatch:

Command: sudo apt-get install logwatch

The configuration should not be edited in the install directory (/usr/share/logwatch), where a package upgrade overwrites it. Copy logwatch.conf to /etc/logwatch before editing:

Command: sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
Edit /etc/logwatch/conf/logwatch.conf to set the e-mail address the report is sent to:

MailTo = group10@c16230.com

Mail delivery needs a working local MTA. Before relying on the daily mail, check the report on the terminal:

Command: sudo logwatch --output stdout --range today --detail High
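The kind of suspicious activity logwatch should surface from /var/log/auth.log, as an added example in Python (not the original assignment's material and not logwatch's own parser): it scans sshd lines for password-guessing sources and for the worse case of a successful login that follows a run of failures from the same address. The log lines are constructed in the syslog format sshd writes on Ubuntu; the host name, addresses and user names are assumptions for the example.

```python
"""Flag SSH password guessing in auth.log lines, the kind of suspicious
activity section 13.1 wants logwatch to surface.

Added example, not part of the original assignment and not logwatch's own
parser. The log lines are constructed in Ubuntu's sshd syslog format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# e.g. "Mar  3 10:15:01 metasploitable sshd[2231]: Failed password for invalid user admin from 10.0.0.5 port 51422 ssh2"
SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    SYSLOG_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    SYSLOG_PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failed_logins_by_ip(lines: List[str]) -> Dict[str, List[str]]:
    """Map source IP -> user names tried in failed password attempts, in log order."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            by_ip[m.group("ip")].append(m.group("user"))
    return dict(by_ip)


def brute_force_sources(lines: List[str], threshold: int = 5) -> List[Tuple[str, int, int]]:
    """Sources with at least `threshold` failures as (ip, failures, distinct users), worst first."""
    hits = []
    for ip, users in failed_logins_by_ip(lines).items():
        if len(users) >= threshold:
            hits.append((ip, len(users), len(set(users))))
    return sorted(hits, key=lambda h: -h[1])


def success_after_failures(lines: List[str], min_failures: int = 3) -> List[Tuple[str, str]]:
    """(ip, user) pairs where an accepted login followed `min_failures` failures from that IP.

    This is the event that matters most: a guessing run that eventually worked.
    """
    failures: Dict[str, int] = defaultdict(int)
    out = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = ACCEPTED_RE.match(line)
        if m and failures[m.group("ip")] >= min_failures:
            out.append((m.group("ip"), m.group("user")))
    return out


# Constructed sample: a guessing run from 10.0.0.5 that ends in a successful login,
# plus one typo from a legitimate administrator at 192.168.1.20.
SAMPLE_LOG = [
    "Mar  3 10:15:01 metasploitable sshd[2231]: Failed password for invalid user admin from 10.0.0.5 port 51422 ssh2",
    "Mar  3 10:15:03 metasploitable sshd[2233]: Failed password for root from 10.0.0.5 port 51423 ssh2",
    "Mar  3 10:15:05 metasploitable sshd[2235]: Failed password for msfadmin from 10.0.0.5 port 51424 ssh2",
    "Mar  3 10:15:07 metasploitable sshd[2237]: Failed password for invalid user test from 10.0.0.5 port 51425 ssh2",
    "Mar  3 10:15:09 metasploitable sshd[2239]: Failed password for msfadmin from 10.0.0.5 port 51426 ssh2",
    "Mar  3 10:15:11 metasploitable sshd[2241]: Failed password for msfadmin from 10.0.0.5 port 51427 ssh2",
    "Mar  3 10:15:13 metasploitable sshd[2243]: Accepted password for msfadmin from 10.0.0.5 port 51428 ssh2",
    "Mar  3 11:02:40 metasploitable sshd[2301]: Failed password for msfadmin from 192.168.1.20 port 40112 ssh2",
    "Mar  3 11:02:47 metasploitable sshd[2301]: Accepted publickey for msfadmin from 192.168.1.20 port 40112 ssh2",
    "Mar  3 11:05:00 metasploitable CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("successful logins after failures:", success_after_failures(SAMPLE_LOG))
```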
14. Setting up AIDE (Advanced Intrusion Detection Environment)

AIDE checks software integrity: it records a baseline of file hashes and attributes and can later detect that an intrusion, such as the modification of system binaries, has taken place. It is a replacement for the well-known Tripwire integrity checker.

Install AIDE:

Command: sudo apt-get install aide

The default configuration is acceptable for many environments:

- /etc/aide/aide.conf and /etc/aide/aide.conf.d/ : default AIDE configuration files
- /var/lib/aide/aide.db : default location of the AIDE database
- /var/lib/aide/aide.db.new : default location of a newly created AIDE database

Installing is not enough: the baseline has to be created, promoted, and then compared against. On Debian/Ubuntu the aideinit helper wraps aide --init:

Command: sudo aideinit
Command: sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Command: sudo aide.wrapper --check

Take the baseline before the server is exposed, and keep a copy of the database (and ideally of the aide binary) on read-only or offline media, because an attacker with root can otherwise regenerate the database to hide the changes. Rebuild the baseline after legitimate updates, or every package upgrade will be reported as a change.
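What AIDE does under the hood, as an added example in Python (not AIDE's own code or database format): take a baseline of content hash, size, mode and ownership for every regular file under a directory, tamper with the tree, and diff the two baselines. The sample tree is constructed in a temporary directory; the file names only imitate system paths.

```python
"""A minimal file-integrity check of the kind AIDE performs: record a baseline
of content hash and metadata for every file under a root, then report what was
added, removed or changed.

Added example, not AIDE's code or database format. demo() builds its sample
tree in a temporary directory; AIDE itself follows the rules in
/etc/aide/aide.conf and keeps its baseline in /var/lib/aide/aide.db.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    sha256: str
    size: int
    mode: int   # type and permission bits: a file made executable or setuid changes here
    uid: int
    gid: int


def hash_file(path: str) -> str:
    """SHA-256 of the file content, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Entry]:
    """Hash and stat every regular file below root, keyed by path relative to root."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or os.path.islink(path):
                continue  # symlinks and special files are left out of this example
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            baseline[rel] = Entry(hash_file(path), st.st_size, st.st_mode, st.st_uid, st.st_gid)
    return baseline


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Report added, removed and changed paths (sorted) between two baselines."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Create a small tree, take a baseline, tamper with the tree, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> str:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            return path

        ls = write("bin/ls", b"ELF ls")
        ps = write("bin/ps", b"ELF ps")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        baseline = build_baseline(root)

        # Tamper: a same-size content change (only the hash catches it), a
        # permission change, a new binary, and a removed file.
        with open(ps, "wb") as f:
            f.write(b"ELF PS")
        os.chmod(ls, 0o755)
        write("bin/nc", b"ELF nc")
        os.remove(os.path.join(root, "etc/passwd"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Size and modification time alone would miss the bin/ps change, which is why AIDE hashes content; and the baseline is only trustworthy if it was taken on a clean system and stored where the intruder cannot rewrite it.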
15. Limitations

- Metasploitable 2 is based on Ubuntu 8.04 (Hardy), so package versions and some file locations differ from current releases.
- GRUB is 1.5