From 4afa51d0ae1041def6a9847fa56ca5684e5fe5c1 Mon Sep 17 00:00:00 2001 From: hellrezistor <50468493+hellresistor@users.noreply.github.com> Date: Thu, 22 Aug 2019 22:34:50 +0100 Subject: [PATCH 01/22] resolved issue with rng-tols --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0c93c93..ec963f3 100644 --- a/README.md +++ b/README.md @@ -1218,6 +1218,7 @@ WIP ``` bash sudo apt-get install rng-tools ``` +To Lazy: sed -i 's/#HRNGDEVICE='/'dev'/'null'/'HRNGDEVICE='/'dev'/'urandom/' /etc/default/rng-tools ([Table of Contents](#table-of-contents)) From 02205d92c8f66812c4c7a00c729e6fb5f1f79ad5 Mon Sep 17 00:00:00 2001 From: nperanzi Date: Sun, 22 Dec 2019 21:03:43 -0500 Subject: [PATCH 02/22] Update required gmail servers in /etc/exim4/passwd.client --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0c93c93..dadc52f 100644 --- a/README.md +++ b/README.md @@ -2948,6 +2948,7 @@ Also, as discussed in [issue #29](https://github.com/imthenachoman/How-To-Secure 1. Add a line like this to `/etc/exim4/passwd.client` ``` + smtp.gmail.com:yourAccount@gmail.com:yourPassword *.google.com:yourAccount@gmail.com:yourPassword ``` From 03b7139b3233258f103f3cec703f76bf1888230c Mon Sep 17 00:00:00 2001 From: Davide Mannarelli Date: Sun, 12 Jan 2020 16:12:02 +0100 Subject: [PATCH 03/22] Update README.md Add "-COPY-" prefix to filename back copies --- README.md | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index dadc52f..6d1a8df 100644 --- a/README.md +++ b/README.md 
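Review bot: the `To Lazy:` line in the rng-tools hunk is not a runnable sed command: the single quotes are wrapped around the path components instead of around the whole script, and `/` is used both as the `s` delimiter and inside `/dev/null` and `/dev/urandom`, so sed sees a malformed expression. It is also placed outside a fenced block and lacks `sudo`, unlike every other "for the lazy" command in the README. Quote the whole script and pick a delimiter that does not occur in the paths, e.g. `sudo sed -i 's|^#\?HRNGDEVICE=/dev/null|HRNGDEVICE=/dev/urandom|' /etc/default/rng-tools`, and put it in a bash fence under a "For the lazy" line. The substance also deserves a sentence: reading `/dev/urandom` into rngd feeds the kernel's own output back into the kernel pool, which only satisfies the entropy counter, so the text should say this is a fallback for hosts without a hardware RNG rather than present it as the recommended device.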
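Review bot: the passwd.client hunk adds a second entry carrying the same credential (`smtp.gmail.com:...` next to the existing `*.google.com:...`) but the surrounding text does not say why both are needed; the commit message says "required", so add a sentence, or a link to the issue that motivated it, explaining that the entry has to match the host name exim uses for the smarthost. Since this file holds a plaintext mail password, the step should also remind readers to keep the Debian default permissions on it (owner root, group Debian-exim, mode 640), which `cp --preserve` carries over to the backup copy made in the previous step.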
@@ -449,7 +449,7 @@ SSH is a door into your server. This is especially true if you are opening ports 1. Make a backup of OpenSSH server's configuration file `/etc/ssh/sshd_config` and remove comments to make it easier to read: ``` bash - sudo cp --preserve /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/ssh/sshd_config /etc/ssh/sshd_config-COPY-$(date +"%Y%m%d%H%M%S") sudo sed -i -r -e '/^#|^$/ d' /etc/ssh/sshd_config ``` @@ -602,7 +602,7 @@ The Diffie-Hellman algorithm is used by SSH to establish a secure connection. Th 1. Make a backup of SSH's moduli file `/etc/ssh/moduli`: ``` bash - sudo cp --preserve /etc/ssh/moduli /etc/ssh/moduli.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/ssh/moduli /etc/ssh/moduli-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Remove short moduli: @@ -721,7 +721,7 @@ What we will do is tell the server's SSH PAM configuration to ask the user for t 1. Make a backup of PAM's SSH configuration file `/etc/pam.d/sshd`: ``` bash - sudo cp --preserve /etc/pam.d/sshd /etc/pam.d/sshd.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/pam.d/sshd /etc/pam.d/sshd-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Now we need to enable it as an authentication method for SSH by adding this line to `/etc/pam.d/sshd`: @@ -798,7 +798,7 @@ sudo lets accounts run commands as other accounts, including **root**. We want t 1. Make a backup of the sudo's configuration file `/etc/sudoers`: ``` bash - sudo cp --preserve /etc/sudoers /etc/sudoers.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/sudoers /etc/sudoers-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Edit sudo's configuration file `/etc/sudoers`: 
@@ -850,7 +850,7 @@ NTP stands for Network Time Protocol. In the context of this guide, an NTP clien 1. Make a backup of the NTP client's configuration file `/etc/ntp.conf`: ``` bash - sudo cp --preserve /etc/ntp.conf /etc/ntp.conf.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/ntp.conf /etc/ntp.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. The default configuration, at least on Debian, is already pretty secure. The only thing we'll want to make sure is we're the `pool` directive and not any `server` directives. The `pool` directive allows the NTP client to stop using a server if it is unresponsive or serving bad time. Do this by commenting out all `server` directives and adding the below to `/etc/ntp.conf`. @@ -956,7 +956,7 @@ To quote https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/: 1. Make a backup of `/etc/fstab`: ``` bash - sudo cp --preserve /etc/fstab /etc/fstab.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/fstab /etc/fstab-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Add this line to `/etc/fstab` to have `/proc` mounted with `hidepid=2`: @@ -1010,7 +1010,7 @@ When there is a need to set or change an account password, the password task of 1. Make a backup of PAM's password configuration file `/etc/pam.d/common-password`: ``` bash - sudo cp --preserve /etc/pam.d/common-password /etc/pam.d/common-password.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/pam.d/common-password /etc/pam.d/common-password-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Tell PAM to use libpam-pwquality to enforce strong passwords by editing the file `/etc/pam.d/common-password` and change the line that starts like this: 
@@ -1529,7 +1529,7 @@ And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follo 1. Make a backup of psad's configuration file `/etc/psad/psad.conf`: ``` bash - sudo cp --preserve /etc/psad/psad.conf /etc/psad/psad.conf.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/psad/psad.conf /etc/psad/psad.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Review and update configuration options in `/etc/psad/psad.conf`. Pay special attention to these: @@ -1549,8 +1549,8 @@ And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follo Make backups: ``` bash - sudo cp --preserve /etc/ufw/before.rules /etc/ufw/before.rules.$(date +"%Y%m%d%H%M%S") - sudo cp --preserve /etc/ufw/before6.rules /etc/ufw/before6.rules.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/ufw/before.rules /etc/ufw/before.rules-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/ufw/before6.rules /etc/ufw/before6.rules-COPY-$(date +"%Y%m%d%H%M%S") ``` Edit the files: @@ -1834,7 +1834,7 @@ WIP 1. Make a backup of AIDE's defaults file: ``` bash - sudo cp -p /etc/default/aide /etc/default/aide.$(date +"%Y%m%d%H%M%S") + sudo cp -p /etc/default/aide /etc/default/aide-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Go through `/etc/default/aide` and set AIDE's defaults per your requirements. If you want AIDE to run daily and e-mail you, be sure to set `CRON_DAILY_RUN` to `yes`. @@ -1842,7 +1842,7 @@ WIP 1. Make a backup of AIDE's configuration files: ``` bash - sudo cp -pr /etc/aide /etc/aide.$(date +"%Y%m%d%H%M%S") + sudo cp -pr /etc/aide /etc/aide-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. On Debian based systems: 
@@ -1850,7 +1850,7 @@ WIP - AIDE's configuration files are in `/etc/aide/aide.conf.d/`. - You'll want to go through AIDE's documentation and the configuration files in to set them per your requirements. - If you want new settings, to monitor a new folder for example, you'll want to add them to `/etc/aide/aide.conf` or `/etc/aide/aide.conf.d/`. - - Take a backup of the stock configuration files: `sudo cp -pr /etc/aide /etc/aide.$(date +"%Y%m%d%H%M%S")`. + - Take a backup of the stock configuration files: `sudo cp -pr /etc/aide /etc/aide-COPY-$(date +"%Y%m%d%H%M%S")`. 1. Create a new database, and install it. @@ -2054,7 +2054,7 @@ WIP 1. Make a backup of `clamav-freshclam`'s configuration file `/etc/clamav/freshclam.conf`: ``` bash - sudo cp --preserve /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. `clamav-freshclam`'s default settings are probably good enough but if you want to change them, you can either edit the file `/etc/clamav/freshclam.conf` or use `dpkg-reconfigure`: @@ -2104,7 +2104,7 @@ WIP 1. Make a backup of `clamav-daemon`'s configuration file `/etc/clamav/clamd.conf`: ``` bash - sudo cp --preserve /etc/clamav/clamd.conf /etc/clamav/clamd.conf.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/clamav/clamd.conf /etc/clamav/clamd.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. You can change `clamav-daemon`'s settings by editing the file `/etc/clamav/clamd.conf` or useing `dpkg-reconfigure`: @@ -2158,7 +2158,7 @@ WIP 1. Make a backup of rkhunter' defaults file: ``` bash - sudo cp -p /etc/default/rkhunter /etc/default/rkhunter.$(date +"%Y%m%d%H%M%S") + sudo cp -p /etc/default/rkhunter /etc/default/rkhunter-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. rkhunter's configuration file is `/etc/rkhunter.conf`. Instead of making changes to it, create and use the file `/etc/rkhunter.conf.local` instead: 
@@ -2265,7 +2265,7 @@ WIP 1. Make a backup of chkrootkit's configuration file `/etc/chkrootkit.conf`: ``` bash - sudo cp --preserve /etc/chkrootkit.conf /etc/chkrootkit.conf.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/chkrootkit.conf /etc/chkrootkit.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. You want chkrootkit to run every day and e-mail you the result. @@ -2348,7 +2348,7 @@ logwatch's configuration file `/usr/share/logwatch/default.conf/logwatch.conf` s 1. Make a backup of logwatch's daily cron file `/etc/cron.daily/00logwatch` and unset the execute bit: ``` bash - sudo cp --preserve /etc/cron.daily/00logwatch /etc/cron.daily/00logwatch.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/cron.daily/00logwatch /etc/cron.daily/00logwatch-COPY-$(date +"%Y%m%d%H%M%S") sudo chmod -x /etc/cron.daily/00logwatch.* ``` @@ -2666,7 +2666,7 @@ If you forget the password, you'll have to go through [some work](https://www.cy 1. Make a backup of GRUB's configuration file `/etc/grub.d/10_linux` that we'll be modifying and unset the execute bit so `update-grub` doesn't try to run it: ``` bash - sudo cp --preserve /etc/grub.d/10_linux /etc/grub.d/10_linux.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/grub.d/10_linux /etc/grub.d/10_linux-COPY-$(date +"%Y%m%d%H%M%S") sudo chmod a-x /etc/grub.d/10_linux.* ``` 
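Review bot: renaming the backup from `00logwatch.<timestamp>` to `00logwatch-COPY-<timestamp>` breaks the unchanged context line that follows it, `sudo chmod -x /etc/cron.daily/00logwatch.*`, which no longer matches the copy. This matters: `run-parts`, which cron uses for `/etc/cron.daily`, skips file names containing a dot but runs any executable whose name consists only of letters, digits, `-` and `_`, so the old suffix was harmless even without the chmod, whereas the new one turns the still-executable copy into a second daily logwatch run. Change the glob to `00logwatch-COPY-*` in the same hunk. The GRUB hunk (`@@ -2666`) has the same defect: `sudo chmod a-x /etc/grub.d/10_linux.*` must become `10_linux-COPY-*`, otherwise `update-grub` (which executes every executable file in `/etc/grub.d`) runs both the original and the copy and emits duplicate menu entries.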
@@ -2783,10 +2783,10 @@ In order to explain how umask works I'd have to explain how Linux file/folder pe 1. Make a backup of files we'll be editing: ``` bash - sudo cp --preserve /etc/profile /etc/profile.$(date +"%Y%m%d%H%M%S") - sudo cp --preserve /etc/bash.bashrc /etc/bash.bashrc.$(date +"%Y%m%d%H%M%S") - sudo cp --preserve /etc/login.defs /etc/login.defs.$(date +"%Y%m%d%H%M%S") - sudo cp --preserve /root/.bashrc /root/.bashrc.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/profile /etc/profile-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/bash.bashrc /etc/bash.bashrc-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/login.defs /etc/login.defs-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /root/.bashrc /root/.bashrc-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Set default umask for **non-root** accounts to **0027** by adding this line to `/etc/profile` and `/etc/bash.bashrc`: @@ -2942,7 +2942,7 @@ Also, as discussed in [issue #29](https://github.com/imthenachoman/How-To-Secure 1. Make a backup of `/etc/exim4/passwd.client`: ``` bash - sudo cp --preserve /etc/exim4/passwd.client /etc/exim4/passwd.client.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/exim4/passwd.client /etc/exim4/passwd.client-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Add a line like this to `/etc/exim4/passwd.client` @@ -3026,7 +3026,7 @@ Also, as discussed in [issue #29](https://github.com/imthenachoman/How-To-Secure 1. Make a backup of exim4's configuration file `/etc/exim4/exim4.conf.template`: ``` bash - sudo cp --preserve /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template.$(date +"%Y%m%d%H%M%S") + sudo cp --preserve /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Add the below to `/etc/exim4/exim4.conf.template` after the `.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ... .endif` block: From ff7836f884be0b8341c3b9a62349c4e30b49217a Mon Sep 17 00:00:00 2001 
From: Davide Mannarelli Date: Mon, 13 Jan 2020 17:05:48 +0100 Subject: [PATCH 04/22] Use --archive instead of --preserve to backup files --- README.md | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 6d1a8df..0796c5c 100644 --- a/README.md +++ b/README.md @@ -449,7 +449,7 @@ SSH is a door into your server. This is especially true if you are opening ports 1. Make a backup of OpenSSH server's configuration file `/etc/ssh/sshd_config` and remove comments to make it easier to read: ``` bash - sudo cp --preserve /etc/ssh/sshd_config /etc/ssh/sshd_config-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/ssh/sshd_config /etc/ssh/sshd_config-COPY-$(date +"%Y%m%d%H%M%S") sudo sed -i -r -e '/^#|^$/ d' /etc/ssh/sshd_config ``` @@ -602,7 +602,7 @@ The Diffie-Hellman algorithm is used by SSH to establish a secure connection. Th 1. Make a backup of SSH's moduli file `/etc/ssh/moduli`: ``` bash - sudo cp --preserve /etc/ssh/moduli /etc/ssh/moduli-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/ssh/moduli /etc/ssh/moduli-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Remove short moduli: @@ -721,7 +721,7 @@ What we will do is tell the server's SSH PAM configuration to ask the user for t 1. Make a backup of PAM's SSH configuration file `/etc/pam.d/sshd`: ``` bash - sudo cp --preserve /etc/pam.d/sshd /etc/pam.d/sshd-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/pam.d/sshd /etc/pam.d/sshd-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Now we need to enable it as an authentication method for SSH by adding this line to `/etc/pam.d/sshd`: 
@@ -798,7 +798,7 @@ sudo lets accounts run commands as other accounts, including **root**. We want t 1. Make a backup of the sudo's configuration file `/etc/sudoers`: ``` bash - sudo cp --preserve /etc/sudoers /etc/sudoers-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/sudoers /etc/sudoers-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Edit sudo's configuration file `/etc/sudoers`: @@ -850,7 +850,7 @@ NTP stands for Network Time Protocol. In the context of this guide, an NTP clien 1. Make a backup of the NTP client's configuration file `/etc/ntp.conf`: ``` bash - sudo cp --preserve /etc/ntp.conf /etc/ntp.conf-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/ntp.conf /etc/ntp.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. The default configuration, at least on Debian, is already pretty secure. The only thing we'll want to make sure is we're the `pool` directive and not any `server` directives. The `pool` directive allows the NTP client to stop using a server if it is unresponsive or serving bad time. Do this by commenting out all `server` directives and adding the below to `/etc/ntp.conf`. @@ -956,7 +956,7 @@ To quote https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/: 1. Make a backup of `/etc/fstab`: ``` bash - sudo cp --preserve /etc/fstab /etc/fstab-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/fstab /etc/fstab-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Add this line to `/etc/fstab` to have `/proc` mounted with `hidepid=2`: 
@@ -1010,7 +1010,7 @@ When there is a need to set or change an account password, the password task of 1. Make a backup of PAM's password configuration file `/etc/pam.d/common-password`: ``` bash - sudo cp --preserve /etc/pam.d/common-password /etc/pam.d/common-password-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/pam.d/common-password /etc/pam.d/common-password-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Tell PAM to use libpam-pwquality to enforce strong passwords by editing the file `/etc/pam.d/common-password` and change the line that starts like this: @@ -1529,7 +1529,7 @@ And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follo 1. Make a backup of psad's configuration file `/etc/psad/psad.conf`: ``` bash - sudo cp --preserve /etc/psad/psad.conf /etc/psad/psad.conf-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/psad/psad.conf /etc/psad/psad.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Review and update configuration options in `/etc/psad/psad.conf`. Pay special attention to these: @@ -1549,8 +1549,8 @@ And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follo Make backups: ``` bash - sudo cp --preserve /etc/ufw/before.rules /etc/ufw/before.rules-COPY-$(date +"%Y%m%d%H%M%S") - sudo cp --preserve /etc/ufw/before6.rules /etc/ufw/before6.rules-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/ufw/before.rules /etc/ufw/before.rules-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/ufw/before6.rules /etc/ufw/before6.rules-COPY-$(date +"%Y%m%d%H%M%S") ``` Edit the files: 
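Review bot: the commit replaces `--preserve` with `--archive` but skips the backups that use the short flag: between this ufw hunk and the clamav-freshclam hunk the AIDE steps still read `sudo cp -p /etc/default/aide ...` and `sudo cp -pr /etc/aide ...`, and the rkhunter step between the clamd and chkrootkit hunks still reads `sudo cp -p /etc/default/rkhunter ...`. Either convert those as well or say in the commit message that `-p` was left on purpose, so the README does not show two conventions for the same backup step.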
@@ -2054,7 +2054,7 @@ WIP 1. Make a backup of `clamav-freshclam`'s configuration file `/etc/clamav/freshclam.conf`: ``` bash - sudo cp --preserve /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. `clamav-freshclam`'s default settings are probably good enough but if you want to change them, you can either edit the file `/etc/clamav/freshclam.conf` or use `dpkg-reconfigure`: @@ -2104,7 +2104,7 @@ WIP 1. Make a backup of `clamav-daemon`'s configuration file `/etc/clamav/clamd.conf`: ``` bash - sudo cp --preserve /etc/clamav/clamd.conf /etc/clamav/clamd.conf-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/clamav/clamd.conf /etc/clamav/clamd.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. You can change `clamav-daemon`'s settings by editing the file `/etc/clamav/clamd.conf` or useing `dpkg-reconfigure`: @@ -2265,7 +2265,7 @@ WIP 1. Make a backup of chkrootkit's configuration file `/etc/chkrootkit.conf`: ``` bash - sudo cp --preserve /etc/chkrootkit.conf /etc/chkrootkit.conf-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/chkrootkit.conf /etc/chkrootkit.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. You want chkrootkit to run every day and e-mail you the result. @@ -2348,7 +2348,7 @@ logwatch's configuration file `/usr/share/logwatch/default.conf/logwatch.conf` s 1. Make a backup of logwatch's daily cron file `/etc/cron.daily/00logwatch` and unset the execute bit: ``` bash - sudo cp --preserve /etc/cron.daily/00logwatch /etc/cron.daily/00logwatch-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/cron.daily/00logwatch /etc/cron.daily/00logwatch-COPY-$(date +"%Y%m%d%H%M%S") sudo chmod -x /etc/cron.daily/00logwatch.* ``` 
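Review bot: in the logwatch hunk the chmod line right after the changed `cp` is still `sudo chmod -x /etc/cron.daily/00logwatch.*`, which does not match `00logwatch-COPY-<timestamp>`. Because `run-parts` runs every executable in `/etc/cron.daily` whose name contains only letters, digits, `-` and `_`, the copy keeps its execute bit and runs daily alongside the original. This commit already touches the line above it, so change the glob to `00logwatch-COPY-*` here.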
@@ -2666,7 +2666,7 @@ If you forget the password, you'll have to go through [some work](https://www.cy 1. Make a backup of GRUB's configuration file `/etc/grub.d/10_linux` that we'll be modifying and unset the execute bit so `update-grub` doesn't try to run it: ``` bash - sudo cp --preserve /etc/grub.d/10_linux /etc/grub.d/10_linux-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/grub.d/10_linux /etc/grub.d/10_linux-COPY-$(date +"%Y%m%d%H%M%S") sudo chmod a-x /etc/grub.d/10_linux.* ``` @@ -2783,10 +2783,10 @@ In order to explain how umask works I'd have to explain how Linux file/folder pe 1. Make a backup of files we'll be editing: ``` bash - sudo cp --preserve /etc/profile /etc/profile-COPY-$(date +"%Y%m%d%H%M%S") - sudo cp --preserve /etc/bash.bashrc /etc/bash.bashrc-COPY-$(date +"%Y%m%d%H%M%S") - sudo cp --preserve /etc/login.defs /etc/login.defs-COPY-$(date +"%Y%m%d%H%M%S") - sudo cp --preserve /root/.bashrc /root/.bashrc-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/profile /etc/profile-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/bash.bashrc /etc/bash.bashrc-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/login.defs /etc/login.defs-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /root/.bashrc /root/.bashrc-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Set default umask for **non-root** accounts to **0027** by adding this line to `/etc/profile` and `/etc/bash.bashrc`: @@ -2942,7 +2942,7 @@ Also, as discussed in [issue #29](https://github.com/imthenachoman/How-To-Secure 1. Make a backup of `/etc/exim4/passwd.client`: ``` bash - sudo cp --preserve /etc/exim4/passwd.client /etc/exim4/passwd.client-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/exim4/passwd.client /etc/exim4/passwd.client-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Add a line like this to `/etc/exim4/passwd.client` 
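Review bot: in the GRUB hunk the unchanged `sudo chmod a-x /etc/grub.d/10_linux.*` no longer matches the `10_linux-COPY-<timestamp>` file created on the line above it, so the copy stays executable and `update-grub` runs it along with the original, producing duplicate menu entries. Update the glob to `10_linux-COPY-*` in this hunk.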
@@ -3026,7 +3026,7 @@ Also, as discussed in [issue #29](https://github.com/imthenachoman/How-To-Secure 1. Make a backup of exim4's configuration file `/etc/exim4/exim4.conf.template`: ``` bash - sudo cp --preserve /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. Add the below to `/etc/exim4/exim4.conf.template` after the `.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ... .endif` block: From 1747d09f2c5708be3ddab3738cbb484b613fb181 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Mon, 14 Dec 2020 15:01:58 -0500 Subject: [PATCH 05/22] Update README.md --- README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9764ee9..22d582e 100644 --- a/README.md +++ b/README.md @@ -1208,6 +1208,7 @@ WIP - https://www.2uo.de/myths-about-urandom - https://www.gnu.org/software/hurd/user/tlecarrour/rng-tools.html - https://wiki.archlinux.org/index.php/Rng-tools +- https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny #### Steps @@ -1218,7 +1219,18 @@ WIP ``` bash sudo apt-get install rng-tools ``` -To Lazy: sed -i 's/#HRNGDEVICE='/'dev'/'null'/'HRNGDEVICE='/'dev'/'urandom/' /etc/default/rng-tools + +1. Now we need to set the hardware device used to generate random numbers by adding this to `/etc/default/rng-tools`: + + ``` + HRNGDEVICE=/dev/urandom + ``` + + [For the lazy](#editing-configuration-files---for-the-lazy): + + ``` bash + echo "HRNGDEVICE=/dev/urandom" | sudo tee -a /etc/default/rng-tools + ``` ([Table of Contents](#table-of-contents)) From 313adbf77092ddb3ed7991ebdd2b4b8191743e2a Mon Sep 17 00:00:00 2001 
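Review bot: the new rng-tools step describes `/dev/urandom` as "the hardware device used to generate random numbers", but it is not a hardware RNG; pointing rngd at it recirculates the kernel's own output into the kernel pool, which raises the available-entropy counter without adding entropy. The step should say so and should tell readers with a real hardware RNG (TPM, virtio-rng, a CPU RNG exposed via `/dev/hwrng`) to leave rngd on that device, using the `/dev/urandom` setting only on hosts that have none and merely need to stop entropy-starved services from blocking. Separately, `echo ... | sudo tee -a` appends unconditionally: re-running the step leaves duplicate `HRNGDEVICE=` lines and the original `#HRNGDEVICE=/dev/null` stays in place. A sed edit with a `|` delimiter (since the value contains `/`), as the README does elsewhere, would be idempotent.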
From: IMTheNachoMan Date: Mon, 14 Dec 2020 18:23:05 -0500 Subject: [PATCH 06/22] Update README.md #38 #37 #36 --- README.md | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 22d582e..4d7ace3 100644 --- a/README.md +++ b/README.md @@ -455,7 +455,7 @@ SSH is a door into your server. This is especially true if you are opening ports 1. Edit `/etc/ssh/sshd_config` then find and edit or add these settings that should be applied regardless of your configuration/setup: - **Note**: SSH does not like duplicate contradicting settings. For example, if you have `ChallengeResponseAuthentication no` and then `ChallengeResponseAuthentication yes`, SSH will respect the first one and ignore the second. Your `/etc/ssh/sshd_config` file may already have some of the settings/lines below. To avoid issues you will need to manually go through your `/etc/ssh/sshd_config` file and address any duplicate contradicting settings. (If anyone knows a way to programatically do this I would [love to hear how](#contacting-me).) + **Note**: SSH does not like duplicate contradicting settings. For example, if you have `ChallengeResponseAuthentication no` and then `ChallengeResponseAuthentication yes`, SSH will respect the first one and ignore the second. Your `/etc/ssh/sshd_config` file may already have some of the settings/lines below. To avoid issues you will need to manually go through your `/etc/ssh/sshd_config` file and address any duplicate contradicting settings. ``` ######################################################################################################## 
@@ -539,6 +539,12 @@ SSH is a door into your server. This is especially true if you are opening ports Check `man sshd_config` for more details what these settings mean. +1. Make sure there are no duplicate settings that contradict each other. The below command should not have any output. + + ```bash + awk 'NF && $1!~/^(#|HostKey)/{print $1}' /etc/ssh/sshd_config | sort | uniq -c | grep -v ' 1 ' + ``` + 1. Restart ssh: ``` bash @@ -854,7 +860,7 @@ NTP stands for Network Time Protocol. In the context of this guide, an NTP clien ``` 1. The default configuration, at least on Debian, is already pretty secure. The only thing we'll want to make sure is we're the `pool` directive and not any `server` directives. The `pool` directive allows the NTP client to stop using a server if it is unresponsive or serving bad time. Do this by commenting out all `server` directives and adding the below to `/etc/ntp.conf`. - + ``` pool pool.ntp.org iburst ``` @@ -941,6 +947,8 @@ To quote https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/: > When looking in `/proc` you will discover a lot of files and directories. Many of them are just numbers, which represent the information about a particular process ID (PID). By default, Linux systems are deployed to allow all local users to see this all information. This includes process information from other users. This could include sensitive details that you may not want to share with other users. By applying some filesystem configuration tweaks, we can change this behavior and improve the security of the system. +**Note**: This may break on some `systemd` systems. Please see [https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/37](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/37) for more information. + #### Goals - `/proc` mounted with `hidepid=2` so users can only see information about their processes 
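Review bot: the duplicate-settings check reports every repeated keyword, not only contradicting ones, so the claim that it "should not have any output" will be false on many valid configs: `Port`, `ListenAddress` and `AcceptEnv` may legitimately appear more than once, and any keyword set again inside a `Match` block is flagged even though that is how per-user overrides are written. Keywords are also case-insensitive to sshd, so `PermitRootLogin` and `permitrootlogin` would not be paired, and `grep -v ' 1 '` depends on the padding `uniq -c` happens to emit. Suggested form: `awk 'NF && $1!~/^#/ && tolower($1)!~/^(hostkey|port|listenaddress|acceptenv|match)$/{print tolower($1)}' /etc/ssh/sshd_config | sort | uniq -c | awk '$1>1'`, with a sentence saying that the authoritative answer is `sudo sshd -T`, which prints the values sshd actually uses (add `-C user=...,host=...,addr=...` to evaluate a `Match` context).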
@@ -1039,7 +1047,7 @@ When there is a need to set or change an account password, the password task of [For the lazy](#editing-configuration-files---for-the-lazy): - + ``` bash sudo sed -i -r -e "s/^(password\s+requisite\s+pam_pwquality.so)(.*)$/# \1\2 # commented by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")\n\1 retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 gecoschec # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")/" /etc/pam.d/common-password ``` @@ -1213,7 +1221,7 @@ WIP #### Steps 1. Install rng-tools. - + On Debian based systems: ``` bash @@ -1752,12 +1760,12 @@ Fail2ban monitors the logs of your applications (like SSH and Apache) to detect 1. In the above we tell fail2ban to use the ufw as the `banaction`. Fail2ban ships with an action configuration file for ufw. You can see it in `/etc/fail2ban/action.d/ufw.conf` -1. Enable fail2ban and the jail for SSH: +1. Enable fail2ban: ``` bash sudo fail2ban-client start sudo fail2ban-client reload - sudo fail2ban-client add sshd + sudo fail2ban-client add sshd # This may fail on some systems if the sshd jail was added by default ``` 1. To check the status: @@ -1866,7 +1874,7 @@ WIP - Take a backup of the stock configuration files: `sudo cp -pr /etc/aide /etc/aide-COPY-$(date +"%Y%m%d%H%M%S")`. 1. Create a new database, and install it. - + On Debian based systems: ``` bash 
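Review bot: in the fail2ban hunk, a step whose command "may fail on some systems" is awkward in a copy-paste guide. Have the reader run `sudo fail2ban-client status` first and only issue `sudo fail2ban-client add sshd` when `sshd` is missing from the jail list, with a note that Debian enables the sshd jail by default through `/etc/fail2ban/jail.d/defaults-debian.conf`, which is why the `add` reports an error there. The heading change from "Enable fail2ban and the jail for SSH" to "Enable fail2ban" also under-describes the block, which still contains the jail command.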
@@ -2190,12 +2198,12 @@ WIP |`COPY_LOG_ON_ERROR=1`|to save a copy of the log if there is an error| |`PKGMGR=...`|set to the appropriate value per the documentation| |`PHALANX2_DIRTEST=1`|read the documentation for why| - |`WEB_CMD=""`|this is to address an issue with the Debian package that disables the ability for rkhunter to self-update.| + |`WEB_CMD=""`|this is to address an issue with the Debian package that disables the ability for rkhunter to self-update.| |`USE_LOCKING=1`|to prevent issues with rkhunter running multiple times| |`SHOW_SUMMARY_WARNINGS_NUMBER=1`|to see the actual number of warnings found| 1. You want rkhunter to run every day and e-mail you the result. You can write your own script or check https://www.tecmint.com/install-rootkit-hunter-scan-for-rootkits-backdoors-in-linux/ for a sample cron script you can use. - + On Debian based system, rkhunter comes with cron scripts. To enable them check `/etc/default/rkhunter` or use `dpkg-reconfigure` and say `Yes` to all of the questions: ``` bash @@ -2716,9 +2724,9 @@ If you have sudo [configured properly](#limit-who-can-use-sudo), then the **root If your installation uses [`sulogin`](https://linux.die.net/man/8/sulogin) (like Debian) to drop to a **root** console during boot failures, then locking the **root** account will prevent `sulogin` from opening the **root** shell and you will get this error: Cannot open access to console, the root account is locked. - + See sulogin(8) man page for more details. - + Press Enter to continue. To work around this, you can use the `--force` option for `sulogin`. Some distributions already include this, or some other, workaround. From f209118132b47c56b2ea20519c532070f076789c Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Mon, 14 Dec 2020 18:36:25 -0500 Subject: [PATCH 07/22] #39 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4d7ace3..57f3f0a 100644 --- a/README.md +++ b/README.md 
@@ -782,6 +782,7 @@ sudo lets accounts run commands as other accounts, including **root**. We want t - Your installation may have already done this, or may already have a special group intended for this purpose so check first. - Debian creates the sudo group - RedHat creates the wheel group +- See [https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/39](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/39) for a note on some distributions making it so `sudo` does not require a password. #### Steps From 9a327e7965e31d82a30a0a3b70817a64ad778355 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Mon, 14 Dec 2020 18:50:15 -0500 Subject: [PATCH 08/22] #41 --- README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/README.md b/README.md index 57f3f0a..8f78eb4 100644 --- a/README.md +++ b/README.md @@ -822,6 +822,46 @@ sudo lets accounts run commands as other accounts, including **root**. We want t ([Table of Contents](#table-of-contents)) +### Limit Who Can Use su + +#### Why + +su also lets accounts run commands as other accounts, including **root**. We want to make sure that only the accounts we want can use su. + +#### Goals + +- su privileges limited to those who are in a group we specify + +#### References + +- Thanks to [olavim](https://github.com/olavim) for sharing [this idea](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/41) + +#### Steps + +1. Create a group: + + ``` bash + sudo groupadd suusers + ``` + +1. Add account(s) to the group: + + ``` bash + sudo usermod -a -G suusers user1 + sudo usermod -a -G suusers user2 + sudo usermod -a -G suusers ... + ``` + + You'll need to do this for every account on your server that needs sudo privileges. + +1. Make it so only users in this group can execute `/bin/su`: + + ``` bash + sudo dpkg-statoverride --update --add root suusers 4750 /bin/su + ``` + +([Table of Contents](#table-of-contents)) + ### NTP Client #### Why 
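Review bot: the new sudo bullet only links to the issue; give the reader the check itself, e.g. `sudo grep -rn NOPASSWD /etc/sudoers /etc/sudoers.d`, and state the consequence that the section is guarding against: a group with passwordless sudo turns any compromised member account directly into root, so such entries should be removed or narrowed to specific commands.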
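Review bot: in the new "Limit Who Can Use su" section, the sentence "You'll need to do this for every account on your server that needs sudo privileges" is copied from the sudo section and should say su privileges. The `dpkg-statoverride` step is also Debian-only, while the rest of the section reads as distribution-neutral; the portable alternative is `pam_wheel` in `/etc/pam.d/su`, e.g. `auth required pam_wheel.so group=suusers`, which Debian ships as a commented-out line in that file. Mention one or both, and add a verification step such as `ls -l /bin/su` (expect `-rwsr-x---` with owner `root` and group `suusers`) so readers can confirm the override took effect.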
From a24404121ed64eded5c05962ed832f6c93646c43 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Mon, 14 Dec 2020 18:56:02 -0500 Subject: [PATCH 09/22] added some attribution --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8f78eb4..0f7b8ff 100644 --- a/README.md +++ b/README.md @@ -443,6 +443,7 @@ SSH is a door into your server. This is especially true if you are opening ports - https://www.techbrown.com/harden-ssh-secure-linux-vps-server/ - https://serverfault.com/questions/660160/openssh-difference-between-internal-sftp-and-sftp-server/660325 - `man sshd_config` +- Thanks to [than0s](https://github.com/than0s) for [how to find duplicate settings](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/38). #### Steps @@ -782,7 +783,7 @@ sudo lets accounts run commands as other accounts, including **root**. We want t - Your installation may have already done this, or may already have a special group intended for this purpose so check first. - Debian creates the sudo group - RedHat creates the wheel group -- See [https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/39](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/39) for a note on some distributions making it so `sudo` does not require a password. +- See [https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/39](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/39) for a note on some distributions making it so `sudo` does not require a password. Thanks to [sbrl](https://github.com/sbrl) for sharing. #### Steps 
@@ -988,7 +989,7 @@ To quote https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/: > When looking in `/proc` you will discover a lot of files and directories. Many of them are just numbers, which represent the information about a particular process ID (PID). By default, Linux systems are deployed to allow all local users to see this all information. This includes process information from other users. This could include sensitive details that you may not want to share with other users. By applying some filesystem configuration tweaks, we can change this behavior and improve the security of the system. -**Note**: This may break on some `systemd` systems. Please see [https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/37](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/37) for more information. +**Note**: This may break on some `systemd` systems. Please see [https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/37](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/37) for more information. Thanks to [nlgranger](https://github.com/nlgranger) for sharing. #### Goals From 16a556668fbf8296127f8ef0a520f9d7a9cc65e0 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Mon, 14 Dec 2020 18:59:43 -0500 Subject: [PATCH 10/22] #56 --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 0f7b8ff..25d7c5b 100644 --- a/README.md +++ b/README.md 
@@ -266,6 +266,12 @@ Where applicable, use the expert install option so you have tighter control of w ## The SSH Server +### Important Not Before You Make SSH Changes + +It is highly advised you keep a 2nd terminal open to your server **before you make and apply SSH configuration changes**. This way if you lock yourself out of your 1st terminal session, you still have one sesssion connected so you can fix it. + +Thank you to [Sonnenbrand](https://github.com/Sonnenbrand) for this [idea](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/56). + ### SSH Public/Private Keys #### Why From 589b6b270ba69d1aefb0a4a2e5578267593e7ef2 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Mon, 14 Dec 2020 19:08:03 -0500 Subject: [PATCH 11/22] updated TOC --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 25d7c5b..67bf393 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,8 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach ## Table of Contents +# Table of contents + - [Introduction](#introduction) - [Guide Objective](#guide-objective) - [Why Secure Your Server](#why-secure-your-server) @@ -24,6 +26,7 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach - [Pre/Post Installation Requirements](#prepost-installation-requirements) - [Other Important Notes](#other-important-notes) - [The SSH Server](#the-ssh-server) + - [Important Not Before You Make SSH Changes](#important-not-before-you-make-ssh-changes) - [SSH Public/Private Keys](#ssh-publicprivate-keys) - [Create SSH Group For AllowGroups](#create-ssh-group-for-allowgroups) - [Secure `/etc/ssh/sshd_config`](#secure-etcsshsshd_config) 
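Review bot: the new heading "Important Not Before You Make SSH Changes" should read "Note", and "sesssion" in the paragraph should be "session"; the same typo is baked into the TOC anchor `#important-not-before-you-make-ssh-changes` added in the next patch, so fix both together. The advice itself is good and could be made actionable with one more sentence: run `sudo sshd -t` to syntax-check `sshd_config` before restarting, and note that an already-established session is not terminated by an sshd restart in the usual Debian/Ubuntu setup, which is exactly why the second terminal survives to rescue you.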
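Review bot: the first hunk of the TOC patch inserts a second `# Table of contents` H1 directly under the existing `## Table of Contents`, producing a duplicate heading (it is removed again two patches later, "fixed dup toc heading"); squashing those two commits would keep the history clean and avoid a broken intermediate state.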
@@ -31,6 +34,7 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach - [2FA/MFA for SSH](#2famfa-for-ssh) - [The Basics](#the-basics) - [Limit Who Can Use sudo](#limit-who-can-use-sudo) + - [Limit Who Can Use su](#limit-who-can-use-su) - [NTP Client](#ntp-client) - [Securing /proc](#securing-proc) - [Force Accounts To Use Secure Passwords](#force-accounts-to-use-secure-passwords) From 0cde923456cd6383ea11c746dba09795ef920b3c Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Mon, 14 Dec 2020 20:38:55 -0500 Subject: [PATCH 12/22] #61 --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 67bf393..56d6e97 100644 --- a/README.md +++ b/README.md @@ -1587,7 +1587,8 @@ And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follo - https://www.thefanclub.co.za/how-to/how-install-psad-intrusion-detection-ubuntu-1204-lts-server - https://serverfault.com/a/447604/289829 - https://serverfault.com/a/770424/289829 -- https://gist.github.com/netson/c45b2dc4e835761fbccc- +- https://gist.github.com/netson/c45b2dc4e835761fbccc +- Thanks to [sysadt](https://github.com/sysadt) for catching the issue ([#61](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/61)) with `psadwatchd`. #### Steps @@ -1611,6 +1612,7 @@ And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follo |--|--| |[`EMAIL_ADDRESSES`](http://www.cipherdyne.org/psad/docs/config.html#EMAIL_ADDRESSES)|your email address(s)| |`HOSTNAME`|your server's hostname| + |`ENABLE_PSADWATCHD`|`ENABLE_PSADWATCHD Y;`| |[`ENABLE_AUTO_IDS`](http://www.cipherdyne.org/psad/docs/config.html#ENABLE_AUTO_IDS)|`ENABLE_AUTO_IDS Y;`| |`ENABLE_AUTO_IDS_EMAILS`|`ENABLE_AUTO_IDS_EMAILS Y;`| |`EXPECT_TCP_OPTIONS`|`EXPECT_TCP_OPTIONS Y;`| From 386f8e96fbd490977e4b71c3e91904651b49f027 Mon Sep 17 00:00:00 2001 
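Review bot: in the psad settings table the new `ENABLE_PSADWATCHD` row is a bare name, whereas the neighbouring `EMAIL_ADDRESSES` and `ENABLE_AUTO_IDS` rows link to the cipherdyne config documentation; link it the same way if the docs page has an anchor for it, and add a sentence explaining why it matters for #61 (psadwatchd restarts psad's daemons if they die, so without it a crashed `psad` silently stops watching the firewall log). The trailing `-` removed from the gist URL is a good catch.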
From: IMTheNachoMan Date: Mon, 14 Dec 2020 23:12:42 -0500 Subject: [PATCH 13/22] Update README.md fixed dup toc heading --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 56d6e97..dc07a9b 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,6 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach ## Table of Contents -# Table of contents - - [Introduction](#introduction) - [Guide Objective](#guide-objective) - [Why Secure Your Server](#why-secure-your-server) From 5a22bff2ce2df1d3bdc54d02d3b134abe5b19178 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Sat, 19 Dec 2020 17:33:41 -0500 Subject: [PATCH 14/22] added rng-tools restart --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index dc07a9b..d10dfa8 100644 --- a/README.md +++ b/README.md @@ -1290,6 +1290,13 @@ WIP echo "HRNGDEVICE=/dev/urandom" | sudo tee -a /etc/default/rng-tools ``` +1. Restart the service: + + ``` bash + sudo systemctl status rng-tools.service + ``` + + ([Table of Contents](#table-of-contents)) ## The Network From 159dd9a487918bac7d3795f7cf012804a0b95c4d Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Sat, 19 Dec 2020 17:37:25 -0500 Subject: [PATCH 15/22] add test for rng-tools --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index d10dfa8..0d86bfb 100644 --- a/README.md +++ b/README.md @@ -1267,6 +1267,7 @@ WIP - https://www.gnu.org/software/hurd/user/tlecarrour/rng-tools.html - https://wiki.archlinux.org/index.php/Rng-tools - https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny +- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-encryption-using_the_random_number_generator #### Steps 
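Review bot: the new "Restart the service" step runs `sudo systemctl status rng-tools.service`, which only prints the unit's state and restarts nothing; it should be `sudo systemctl restart rng-tools.service`. The context line just above also deserves a caveat in the text: `HRNGDEVICE=/dev/urandom` is circular, because rngd then pours the kernel's own CSPRNG output back into the kernel pool and raises the entropy estimate without adding any real entropy. That is a workaround for readers blocking on `/dev/random`, not a source of randomness, and the section should point at a genuine hardware source (`/dev/hwrng`, or the CPU's RDRAND instruction, which current rng-tools releases support) before offering the urandom fallback.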
@@ -1295,6 +1296,10 @@ WIP ``` bash sudo systemctl status rng-tools.service ``` + +1. Test randomness: + - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-encryption-using_the_random_number_generator + - https://wiki.archlinux.org/index.php/Rng-tools ([Table of Contents](#table-of-contents)) From 5852d3399c0e5131d4734578a1053e2a1c004bed Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Sat, 19 Dec 2020 23:22:33 -0500 Subject: [PATCH 16/22] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d86bfb..d15665d 100644 --- a/README.md +++ b/README.md @@ -2434,7 +2434,7 @@ logwatch's configuration file `/usr/share/logwatch/default.conf/logwatch.conf` s ``` bash sudo cp --archive /etc/cron.daily/00logwatch /etc/cron.daily/00logwatch-COPY-$(date +"%Y%m%d%H%M%S") - sudo chmod -x /etc/cron.daily/00logwatch.* + sudo chmod -x /etc/cron.daily/00logwatch-COPY* ``` 1. By default, logwatch outputs to `stdout`. Since the goal is to get a daily e-mail, we need to change the output type that logwatch uses to send e-mail instead. We could do this through the configuration file above, but that would apply to every time it is run -- even when we run it manually and want to see the output to the screen. Instead, we'll change the cron job that executes logwatch to send e-mail. This way, when run manually, we'll still get output to `stdout` and when run by cron, it'll send an e-mail. We'll also make sure it checks for all services, and change the output format to html so it's easier to read regardless of what the configuration file says. In the file `/etc/cron.daily/00logwatch` find the execute line and change it to: From bf72c0c0825c6a4a44c835d66ed10b69662bd021 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Sun, 20 Dec 2020 01:05:45 -0500 Subject: [PATCH 17/22] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
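Review bot: the new "Test randomness" item is two links with no command, so the step is not actionable on its own; the Red Hat page it cites uses `rngtest` from the rng-tools package (for example `cat /dev/random | rngtest -c 1000`), and `cat /proc/sys/kernel/random/entropy_avail` shows the pool estimate before and after starting rngd. Putting at least one of those inline, in the same fenced style as the other steps, would make the test reproducible.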
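Review bot: good catch on the `chmod -x /etc/cron.daily/00logwatch-COPY*` fix, and the text should explain why it matters: the backup name `00logwatch-COPY-<timestamp>` consists only of characters run-parts accepts (letters, digits, `_` and `-`), so an executable backup is run by cron too and a second report is sent, whereas the old `00logwatch.*` glob never matched the new naming and so left the copy executable. Keeping backups of cron scripts outside `/etc/cron.daily` altogether would remove the dependency on the mode bit.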
diff --git a/README.md b/README.md index d15665d..fcacb2f 100644 --- a/README.md +++ b/README.md @@ -488,7 +488,7 @@ SSH is a door into your server. This is especially true if you are opening ports # Use kernel sandbox mechanisms where possible in unprivileged processes # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. # Note: This setting is deprecated in OpenSSH 7.5 (https://www.openssh.com/txt/release-7.5) - UsePrivilegeSeparation sandbox + # UsePrivilegeSeparation sandbox ######################################################################################################## # end settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01 From 08184c6fa007115850587671d01cfaba0fb707a5 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Sun, 20 Dec 2020 01:14:27 -0500 Subject: [PATCH 18/22] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fcacb2f..231b298 100644 --- a/README.md +++ b/README.md @@ -480,7 +480,7 @@ SSH is a door into your server. This is especially true if you are opening ports Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. LogLevel VERBOSE From 1ce582b406a0bca7d7f042dce920d737be7f3494 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Sat, 26 Dec 2020 15:12:46 -0500 Subject: [PATCH 19/22] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 231b298..56586cb 100644 --- a/README.md 
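Review bot: commenting out `UsePrivilegeSeparation sandbox` is the right call given the note two lines above (deprecated since OpenSSH 7.5, where the sandbox became unconditional; Debian 10 ships 7.9), but the text should say that this is why the line is now a comment, and that readers on a release older than 7.5 can keep it. A reminder to run `sudo sshd -t` before restarting would fit here, since a stale keyword is exactly the kind of thing that makes a restart fail.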
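Review bot: this drops `umac-128-etm@openssh.com` from `MACs` but keeps the non-ETM `umac-128@openssh.com`, which is the reverse of what a hardening change should do, because the encrypt-then-MAC variants are the preferred ones and the comment block still presents the list as Mozilla's modern guideline, which includes `umac-128-etm@openssh.com`. If the intent is to drop UMAC, remove `umac-128@openssh.com` as well and update the "as of" comment; otherwise revert. The commit message ("Update README.md") gives no reason, and a change to the MAC list needs one.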
+++ b/README.md @@ -1294,7 +1294,8 @@ WIP 1. Restart the service: ``` bash - sudo systemctl status rng-tools.service + sudo systemctl stop rng-tools.service + sudo systemctl start rng-tools.service ``` 1. Test randomness: From e3edea114681ba422fc86c4f07b1e4ad33337da5 Mon Sep 17 00:00:00 2001 From: Nicola Davide Mannarelli <1094368+nidamanx@users.noreply.github.com> Date: Sun, 31 Jan 2021 18:07:37 +0100 Subject: [PATCH 20/22] Run applications in a sandbox with FireJail --- README.md | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/README.md b/README.md index 56586cb..730361c 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,7 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach - [The Basics](#the-basics) - [Limit Who Can Use sudo](#limit-who-can-use-sudo) - [Limit Who Can Use su](#limit-who-can-use-su) + - [Run applications in a sandbox with FireJail](#run-applications-in-a-sandbox-with-firejail) - [NTP Client](#ntp-client) - [Securing /proc](#securing-proc) - [Force Accounts To Use Secure Passwords](#force-accounts-to-use-secure-passwords) 
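Review bot: `systemctl stop` followed by `systemctl start` is what `sudo systemctl restart rng-tools.service` does in a single command, and a restart also reloads the changed `/etc/default/rng-tools`; use the one-liner so the step matches the other service steps in the guide.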
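Review bot: the new TOC entry "Run applications in a sandbox with FireJail" uses sentence case while the surrounding entries use Title Case ("Limit Who Can Use su", "NTP Client"); match the existing style in both the TOC line and the heading it points to, since the anchor is derived from the heading text.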
@@ -871,6 +872,60 @@ su also lets accounts run commands as other accounts, including **root**. We wan ([Table of Contents](#table-of-contents)) +### Run applications in a sandbox with FireJail + +#### Why + +It's absolutely better, for many applications, to run in a sandbox. + +Browsers (even more the Closed Source ones) and eMail Clients are highly suggested. + +#### Goals + +- confine applications in a jail (few safe directories) and block access to the resto of the system + +#### References + +- Thanks to [FireJail](https://firejail.wordpress.com/) + +#### Steps + +1. Install the software: + + ``` bash + sudo apt install firejail firejail-profiles + ``` + + Note: for Debian 10 Stable, official Backport is suggested: + + ``` bash + sudo apt install -t buster-backports firejail firejail-profiles + ``` + +2. Allow an application (installed in `/usr/bin` or `/bin`) to run only in a sandbox (see few examples below here): + + ``` bash + sudo ln -s /usr/bin/firejail /usr/local/bin/google-chrome-stable + sudo ln -s /usr/bin/firejail /usr/local/bin/firefox + sudo ln -s /usr/bin/firejail /usr/local/bin/chromium + sudo ln -s /usr/bin/firejail /usr/local/bin/evolution + sudo ln -s /usr/bin/firejail /usr/local/bin/thunderbird + ``` + +3. Run the application as usual (via terminal or launcher and check if is runnung in a jail: + + ``` bash + firejail --list + ``` + +4. Allow a sandboxed app to run again as it wase before (example: firefox) + + ``` bash + sudo rm /usr/local/bin/firefox + ``` + +([Table of Contents](#table-of-contents)) + ### NTP Client #### Why From c8eec43b7e0e90aeb22ac83e45e6eab376b9cb23 Mon Sep 17 00:00:00 2001 From: root <60298999+SecTheTech@users.noreply.github.com> Date: Fri, 5 Feb 2021 07:26:56 +0100 Subject: [PATCH 21/22] Add OSSEC --- README.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/README.md b/README.md index 56586cb..9c6995a 100644 --- a/README.md +++ b/README.md 
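Review bot: the FireJail section needs a wording pass: "resto" should be "rest", "runnung" "running", "wase" "was", step 3 has an unclosed parenthesis ("(via terminal or launcher"), and the items are numbered `2.`, `3.`, `4.` where every other list in the README uses `1.` for each item. On substance, the symlink trick only takes effect when the program is started by name through `PATH` with `/usr/local/bin` ahead of `/usr/bin`; launching `/usr/bin/firefox` by absolute path bypasses the jail, and the text should say so. firejail also ships `firecfg`, which creates these symlinks for every program that has a profile and removes them again with `firecfg --clean`, which is less error-prone than hand-made links. Finally, firejail is a setuid-root binary; on a minimal server that runs no browsers or mail clients it adds attack surface without benefit, so the section should be scoped to machines that actually run desktop applications.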
@@ -50,6 +50,7 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach - [logwatch - system log analyzer and reporter](#logwatch---system-log-analyzer-and-reporter) - [ss - Seeing Ports Your Server Is Listening On](#ss---seeing-ports-your-server-is-listening-on) - [Lynis - Linux Security Auditing](#lynis---linux-security-auditing) + - [OSSEC - Host Intrusion Detection](#ossec---host-intrusion-detection) - [The Danger Zone](#the-danger-zone) - [The Miscellaneous](#the-miscellaneous) - [Gmail and Exim4 As MTA With Implicit TLS](#gmail-and-exim4-as-mta-with-implicit-tls) 
@@ -2571,6 +2572,65 @@ From [https://cisofy.com/lynis/](https://cisofy.com/lynis/): ([Table of Contents](#table-of-contents)) +### OSSEC - Host Intrusion Detection + +#### Why +From [https://github.com/ossec/ossec-hids](https://github.com/ossec/ossec-hids) +> OSSEC is a full platform to monitor and control your systems. It mixes together all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM together in a simple, powerful and open source solution. + +#### Goals + +- OSSEC-HIDS installed + +#### References + +- https://www.ossec.net/docs/ + +#### Steps + +1. Install OSSEC-HIDS from sources + ```bash + sudo apt install libz-dev libssl-dev libpcre2-dev build-essential + wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz + tar xzf 3.6.0.tar.gz + cd ossec-hids-3.6.0/ + sudo ./install.sh + ``` + +1. Useful commands: + +**Agent information** + + ```bash + sudo /var/ossec/bin/agent_control -i + ``` +`AGENT_ID` by default is `000`, to be sure the command `sudo /var/ossec/bin/agent_control -l` can be used. + +**Run integrity/rootkit checking** + +OSSEC by default run rootkit check each 2 hours. + + ```bash + sudo /var/ossec/bin/agent_control -u -r + ``` + +**Alerts** + +- All: + ```bash + tail -f /var/ossec/logs/alerts/alerts.log + ``` +- Integrity check: + ```bash + sudo cat /var/ossec/logs/alerts/alerts.log | grep -A4 -i integrity + ``` +- Rootkit check: + ```bash + sudo cat /var/ossec/logs/alerts/alerts.log | grep -A4 "rootcheck," + ``` + +([Table of Contents](#table-of-contents)) + ## The Danger Zone ### Proceed At Your Own Risk From ad29971ec6fdc734cdd65f657c0dd51730692915 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Mon, 22 Feb 2021 22:00:58 -0500 Subject: [PATCH 22/22] DHCP needs 67 and 68 for UFW --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 40985ae..9e74693 100644 --- a/README.md +++ b/README.md 
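Review bot: the install step fetches `3.6.0.tar.gz` with `wget` and runs `sudo ./install.sh` from it without verifying a checksum or signature, so a tampered download would be executed as root; verify the tarball against what the project publishes before the `sudo ./install.sh` line. `install.sh` is also interactive and asks for an installation type; on a single server the reader wants `local` (no remote agents), which is why the agent id is `000`, and that should be stated. The `agent_control` examples are missing that id: `-i` and `-u` both take an agent id in agent_control's usage, so they should read `sudo /var/ossec/bin/agent_control -i 000` and `sudo /var/ossec/bin/agent_control -r -u 000`. Smaller points: "OSSEC by default run rootkit check each 2 hours" should be "runs the rootkit check every 2 hours"; `sudo cat ... | grep` can be `sudo grep -A4 -i integrity /var/ossec/logs/alerts/alerts.log`; the `tail -f` on the same log lacks the `sudo` the other commands have; and the fenced blocks under "Useful commands" are indented inconsistently, which breaks the numbered list in rendered Markdown.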
@@ -1461,6 +1461,7 @@ You can create rules by explicitly specifying the ports or with application conf # allow traffic out on port 68 -- the DHCP client # you only need this if you're using DHCP + sudo ufw allow out 67 comment 'allow the DHCP client to update' sudo ufw allow out 68 comment 'allow the DHCP client to update' ```
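Review bot: the comment above these lines still says "allow traffic out on port 68 -- the DHCP client" while the hunk adds a second rule; update it to cover both. More importantly, `ufw allow out <port>` matches the destination port, and a DHCP client sends from source port 68 to destination port 67, so `sudo ufw allow out 67` is the rule that actually lets the client's DISCOVER/REQUEST leave; `allow out 68` would only be needed if this host were the DHCP server answering clients. The server's reply to port 68 arrives inbound and is already accepted by ufw's default `before.rules` (udp sport 67, dport 68), which is why no inbound rule appears here; a sentence saying so would stop readers from adding one.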