First Steps in Ubuntu Server / Hardening and Config With Docker
Tested on Digital Ocean; Ubuntu versions 16.04 and 18.04 (So all instructions are executed as ROOT)
Example In Local Computer:
Example In Remote Server: SOON
Start with this
First of all configure your timezone and your encodings, this command will also install some utilities
dpkg-reconfigure tzdata && \
dpkg-reconfigure locales && \
apt-get update && \
apt-get upgrade -y && \
apt-get install -y git vim wget curl
Install BashIt (Only if you do not use zsh or some similar console)
git clone --depth=1 https://github.com/Bash-it/bash-it.git ~/.bash_it && ~/.bash_it/install.sh \
&& ln -s ~/.bash_it/plugins/available/history.plugin.bash ~/.bash_it/enabled/250---history.plugin.bash \
&& ln -s ~/.bash_it/plugins/available/history-search.plugin.bash ~/.bash_it/enabled/250---history-search.plugin.bash \
&& ln -s ~/.bash_it/plugins/available/history-substring-search.plugin.bash ~/.bash_it/enabled/250---history-substring-search.plugin.bash \
&& sed -i 's/bobby/sexy/' ~/.bashrc
You can change the last line "sexy" by any of the available themes, exit the console and re-enter to apply https://github.com/Bash-it/bash-it/tree/master/themes
Environments
It is important that you change these environment variables, with your personal data in Server
export MY_USERNAME="USERNAMETOCHANGE"; \
export MY_EMAIL="[email protected]"; \
export MY_SERVER_DOMAIN="DOMAINTOCHANGE.COM"; \
export MY_SERVER_EMAIL_FROM="[email protected]"; \
export MY_SERVER_SSH_PORT="4444"
For example:
export MY_USERNAME="nasatome";
export MY_EMAIL="[email protected]";
export MY_SERVER_DOMAIN="mydomain.com";
export MY_SERVER_EMAIL_FROM="[email protected]";
export MY_SERVER_SSH_PORT="4444"
And in your local machine in the file ~/.bashrc:
copy and paste the following (change for your data):
export GIT_COMMITTER_NAME='John Connor'
export GIT_COMMITTER_EMAIL='[email protected]'
export GIT_AUTHOR_NAME='John Connor'
export GIT_AUTHOR_EMAIL='[email protected]'
You can open it with vim ~/.bashrc or with your favorite graphical text editor,
If you installed BashIt on your local machine, you can install it after the line. #export GIT_HOSTING='[email protected]'
Unattended Upgrades
Security updates are very important on any server.
the second command it's an interactive dialog (respond YES and OK) which will create /etc/apt/apt.conf.d/20auto-upgrades
apt-get install -y unattended-upgrades update-notifier-common && \
dpkg-reconfigure --priority=low unattended-upgrades && \
sed -i 's#//Unattended-Upgrade::Mail "root";#Unattended-Upgrade::Mail "'$MY_EMAIL'";#' /etc/apt/apt.conf.d/50unattended-upgrades &&\
sed -i 's#//Unattended-Upgrade::MailOnlyOnError#Unattended-Upgrade::MailOnlyOnError#' /etc/apt/apt.conf.d/50unattended-upgrades &&\
sed -i 's#//Unattended-Upgrade::Automatic-Reboot "false";#Unattended-Upgrade::Automatic-Reboot "true";#' /etc/apt/apt.conf.d/50unattended-upgrades &&\
sed -i 's#//Unattended-Upgrade::Automatic-Reboot-Time "02:00";#Unattended-Upgrade::Automatic-Reboot-Time "04:00";#' /etc/apt/apt.conf.d/50unattended-upgrades
If you only want to install packages from security sources, run this command:
sed -i 's# "${distro_id}:${distro_codename}";#// "${distro_id}:${distro_codename}";#' /etc/apt/apt.conf.d/50unattended-upgrades
this will depend on the level of stability you want in your packages
Hardening SSH
Now, we will generate new host keys, as well as a new user and add it to the group of administration privileges.
In your remote machine
ssh-keygen -A && \
adduser $MY_USERNAME && \
usermod -aG sudo $MY_USERNAME
In your Local Machine (Laptop o PC With Linux):
Now we will create the new key
ssh-keygen -t ed25519
we proceed to add it to the key ring
ssh-add ~/.ssh/id_ed25519
and we get a public key
cat ~/.ssh/id_ed25519.pub
Now In Remote Machine
Paste Output in ~/.ssh/authorized_keys with the following commands
(Remember to copy and paste only the part of the command and not the part of the username):
from your terminal in root change user
ROOT #: su $MY_USERNAME
Now create a new folder in case it doesn't exist
MY_USERNAME $: mkdir ~/.ssh
Now let's change the permissions of the folder, only the owner can modify it
MY_USERNAME $: chmod 700 ~/.ssh
Now we will create the file where the public key that we obtained previously will be copied.
MY_USERNAME $: vim ~/.ssh/authorized_keys
To use VIM, once inside vim, press the "Ins or Insert" key on your keyboard, until at the bottom right you see a legend that says "-- INSERT --" then paste the contents of the public key you got from your local machine, which you could see when you executed the command "cat ~/.ssh/id_ed25519.pub" above, once the string is pasted, press the ESC key then press the ":" key and then press the "wq" keys visually you should see something like ":wq" which means you can save the file and then exit vim
Now we will change to the correct permissions to the file that has just been created
MY_USERNAME $: chmod 600 ~/.ssh/authorized_keys
Example to paste: ssh-ed25519 AAAAC3Nzavrg545t64t34rferfdrferodwEv1MMI2+Nh9QxpgrNxb2Is1Cc6 YOURUSERNAME
Now... Open New Console in your local machine and reconect...
ssh YOUR_USER@YOUR_IP_OR_DOMAIN_DNS
And... once connected with your user test that you can upgrade your privileges to root
YOURUSERNAME $: sudo -E su root
Now exec this command in root mode (after executing -> sudo -E su root):
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak \
&& sed -i 's/Port 22/Port '$MY_SERVER_SSH_PORT'/' /etc/ssh/sshd_config \
&& sed -i 's/#Port '$MY_SERVER_SSH_PORT'/Port '$MY_SERVER_SSH_PORT'/' /etc/ssh/sshd_config \
&& sed -i 's/X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config \
&& sed -i 's/AcceptEnv LANG LC_*/AcceptEnv LANG LC_* GIT_/' /etc/ssh/sshd_config \
&& sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config \
&& sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config \
&& sed -zi 's/DebianBanner yes\|$/DebianBanner no\n/' /etc/ssh/sshd_config \
&& sed -zi 's/ClientAliveInterval 60\|$/ClientAliveInterval 60\n/' /etc/ssh/sshd_config \
&& sed -zi 's/ClientAliveCountMax 600\|$/ClientAliveCountMax 600\n/' /etc/ssh/sshd_config \
&& sed -zi 's/AllowAgentForwarding no\|$/AllowAgentForwarding yes/' /etc/ssh/sshd_config
And now reload ssh service
systemctl reload sshd
In local machine To avoid disconnections exec
echo "Host *" >> ~/.ssh/config
echo "SendEnv LANG LC_* GIT_*" >> ~/.ssh/config
echo "ServerAliveInterval 60" >> ~/.ssh/config
echo "ServerAliveCountMax 600" >> ~/.ssh/config
echo "ForwardAgent yes" >> ~/.ssh/config
And now test:
cat ~/.ssh/config
You should see this exit
<<---------~/.ssh/config--------------
Host *
SendEnv LANG LC_* GIT_*
ServerAliveInterval 60
ServerAliveCountMax 600
ForwardAgent yes
<<------------------------------------
Apart from the global and repository configuration settings, Git reads the environment variables GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, GIT_COMMITTER_NAME and GIT_COMMITTER_EMAIL. The idea now is to set them on your machine and take them via SSH on every single machine. Local setup
At first you need to set the variables in your .bashrc file:
And now test connection in other local machine terminal
(Don't forget to change the 4444 to the port you have assigned in your SSH environment variable in remote 7server)
ssh -p 4444 USERNAMETOCHANGE@YOUR_IP_OR_DOMAIN_DNS
Now In remote server): exec this commands
sudo -E su root
and one of these commands
echo "$SSH_AUTH_SOCK"
ssh-add -L
ssh -T [email protected]
Everyone should give you positive outcomes; for example github command response:
Hi YOURGITUSERNAME! You've successfully authenticated, but GitHub does not provide shell access.
Remember that you must add your SSH key to your GITHUB account
https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/
Over Firewalld
firewalld.org
For Ubuntu 18.04 in other VPS Providers, it seems firewalld has become the default where ufw is installed but inactive. if you execute the following commands you can check if ufw is active
root@localhost:~# firewall-cmd --state
running
root@localhost:~# ufw status
Status: inactive
If this is your case, then these commands can be useful. (otherwise, skip this section)
firewall-cmd --permanent --zone=public --add-service={http,https}
firewall-cmd --permanent --zone=public --add-port=$MY_SERVER_SSH_PORT/tcp
firewall-cmd --permanent --zone=public --remove-service=ssh --permanent
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -j LOG && \
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j LOG && \
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -j LOG && \
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -j LOG
The firewall-cmd –reload command is necessary to activate the change. Contrary to the –complete-reload option, current connections are not stopped.
More Info: https://www.certdepot.net/rhel7-get-started-firewalld/
Firewall UFW And IPTABLES Persistent
Install ufw
apt-get install -y ufw
Disable incoming ports
ufw allow $MY_SERVER_SSH_PORT && ufw allow http && ufw allow https && ufw default deny incoming && ufw enable && ufw logging on
Install iptables-persistent
apt-get install -y iptables-persistent
Enable Logs of iptables
iptables -A INPUT -j LOG \
&& iptables -A FORWARD -j LOG \
&& ip6tables -A INPUT -j LOG \
&& ip6tables -A FORWARD -j LOG
Network Hardening
sed -i 's/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/' /etc/sysctl.conf \
&& sed -i 's/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/' /etc/sysctl.conf \
&& sed -i 's/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/' /etc/sysctl.conf \
&& sed -i 's/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/' /etc/sysctl.conf \
&& sed -i 's/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/' /etc/sysctl.conf \
&& sed -i 's/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/' /etc/sysctl.conf \
&& sed -i 's/#net.ipv4.conf.all.log_martians = 1/net.ipv4.conf.all.log_martians = 1/' /etc/sysctl.conf \
&& sed -i 's/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/' /etc/sysctl.conf \
&& sed -i 's/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/' /etc/sysctl.conf
Now Reload With
sysctl -p
And Now
sed -i 's/order hosts,bind/order bind,hosts/' /etc/host.conf
Fail2Ban and PSAD
Now Install
apt-get install -y fail2ban psad
And exec
sed -i 's/destemail = root@localhost/destemail = '$MY_EMAIL'/' /etc/fail2ban/jail.conf \
&& sed -i 's/sender = root@localhost/sender = '$MY_SERVER_EMAIL_FROM'/' /etc/fail2ban/jail.conf \
&& sed -i 's/action = %(action_)s/action = %(action_mwl)s/' /etc/fail2ban/jail.conf \
&& echo "[nginx-http-auth]" > /etc/fail2ban/jail.local \
&& echo "enabled = false" >> /etc/fail2ban/jail.local \
&& echo "filter = nginx-http-auth" >> /etc/fail2ban/jail.local \
&& echo "port = http,https" >> /etc/fail2ban/jail.local \
&& echo "logpath = %(nginx_error_log)s" >> /etc/fail2ban/jail.local \
&& echo "#logpath = /opt/prj/dockavel/data/log/nginx/error.log" >> /etc/fail2ban/jail.local \
&& echo "" >> /etc/fail2ban/jail.local \
&& echo "[nginx-noscript]" >> /etc/fail2ban/jail.local \
&& echo "enabled = false" >> /etc/fail2ban/jail.local \
&& echo "port = http,https" >> /etc/fail2ban/jail.local \
&& echo "filter = nginx-noscript" >> /etc/fail2ban/jail.local \
&& echo "logpath = %(nginx_error_log)s" >> /etc/fail2ban/jail.local \
&& echo "#logpath = /opt/prj/dockavel/data/log/nginx/error.log" >> /etc/fail2ban/jail.local \
&& echo "maxretry = 6" >> /etc/fail2ban/jail.local \
&& echo "" >> /etc/fail2ban/jail.local \
&& echo "[ssh]" >> /etc/fail2ban/jail.local \
&& echo "enabled = true" >> /etc/fail2ban/jail.local \
&& echo "port = $MY_SERVER_SSH_PORT" >> /etc/fail2ban/jail.local \
&& echo "filter = sshd" >> /etc/fail2ban/jail.local \
&& echo "logpath = /var/log/auth.log" >> /etc/fail2ban/jail.local \
&& echo "maxretry = 4" >> /etc/fail2ban/jail.local \
&& echo "" >> /etc/fail2ban/jail.local \
&& echo "[ssh-ddos]" >> /etc/fail2ban/jail.local \
&& echo "enabled = true" >> /etc/fail2ban/jail.local \
&& echo "port = $MY_SERVER_SSH_PORT" >> /etc/fail2ban/jail.local \
&& echo "filter = sshd-ddos" >> /etc/fail2ban/jail.local \
&& echo "logpath = /var/log/auth.log" >> /etc/fail2ban/jail.local \
&& echo "" >> /etc/fail2ban/jail.local \
&& echo "[Definition]" > /etc/fail2ban/filter.d/nginx-http-auth.conf \
&& echo 'failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$' >> /etc/fail2ban/filter.d/nginx-http-auth.conf \
&& echo "ignoreregex =" >> /etc/fail2ban/filter.d/nginx-http-auth.conf \
&& echo "[Definition]" > /etc/fail2ban/filter.d/nginx-noscript.conf \
&& echo "failregex = ^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|\.scgi)" >> /etc/fail2ban/filter.d/nginx-noscript.conf \
&& echo "ignoreregex =" >> /etc/fail2ban/filter.d/nginx-noscript.conf
Now restart
systemctl restart fail2ban
For psad config
sed -i 's/EMAIL_ADDRESSES root@localhost;/EMAIL_ADDRESSES '$MY_EMAIL';/' /etc/psad/psad.conf \
&& sed -i 's/HOSTNAME _CHANGEME_;/HOSTNAME '$MY_SERVER_DOMAIN';/' /etc/psad/psad.conf \
&& sed -i 's/ENABLE_AUTO_IDS N;/ENABLE_AUTO_IDS Y;/' /etc/psad/psad.conf \
&& sed -i 's/DANGER_LEVEL2 15;/DANGER_LEVEL2 15;/' /etc/psad/psad.conf \
&& sed -i 's/DANGER_LEVEL3 150;/DANGER_LEVEL3 30;/' /etc/psad/psad.conf \
&& sed -i 's/DANGER_LEVEL4 1500;/DANGER_LEVEL4 100;/' /etc/psad/psad.conf \
&& sed -i 's/DANGER_LEVEL5 10000;/DANGER_LEVEL5 300;/' /etc/psad/psad.conf \
&& sed -i 's/EMAIL_ALERT_DANGER_LEVEL 1;/EMAIL_ALERT_DANGER_LEVEL 5;/' /etc/psad/psad.conf \
&& sed -i 's/EMAIL_LIMIT 0;/EMAIL_LIMIT 1;/' /etc/psad/psad.conf \
&& sed -i 's/EMAIL_LIMIT_STATUS_MSG Y;/EMAIL_LIMIT_STATUS_MSG N;/' /etc/psad/psad.conf \
&& sed -i 's/ENABLE_AUTO_IDS_EMAILS Y;/ENABLE_AUTO_IDS_EMAILS N;/' /etc/psad/psad.conf \
&& sed -i 's/AUTO_IDS_DANGER_LEVEL 5;/AUTO_IDS_DANGER_LEVEL 1;/' /etc/psad/psad.conf \
&& sed -i 's#IPT_SYSLOG_FILE /var/log/messages;#IPT_SYSLOG_FILE /var/log/syslog;#' /etc/psad/psad.conf
Now Update
psad --sig-update
And Check
service rsyslog restart
In the following command, all outputs with a + sign must appear
psad --fw-analyze
Now you can restart the service with any of these commands
psad -H
psad -R
Protect/Block TOR IPs
This only works if you don't open the ports you are going to protect from docker, since docker gives more privilege to the rules from iptables than the ones generated by this script.
[Block TOR IPs](https://github.com/nasatome/block_tor_net_by_iptables)
Save IpTables
Now save firewall rules
netfilter-persistent save
Install Docker
Review Script Docker:
And Exec
curl -fsSL get.docker.com -o get-docker.sh && sh get-docker.sh
(for not production mode)
curl -fsSL test.docker.com -o get-docker.sh && sh get-docker.sh
Can verify with
docker info
docker version
Now test Docker
docker run hello-world
Install Docker Compose
Review last stable release: https://github.com/docker/compose/releases
Get docker-compose version in ENV variable:
COMPOSE_VERSION=`git ls-remote https://github.com/docker/compose | grep refs/tags | grep -oP "[0-9]+\.[0-9][0-9]+\.[0-9]+$" | tail -n 1`
Install docker-compose
curl -L https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-compose && docker-compose --version
Check for rootkits
install
apt-get install rkhunter chkrootkit
now test
chkrootkit
now test 2
rkhunter --update
rkhunter --propupd
rkhunter --check
todo:
- add to cron: check rootkits with mail
- Tiger and Tripwire
- https://www.digitalocean.com/community/questions/best-practices-for-hardening-new-sever-in-2017