
Security utility for linux server


Document information

Pages: 23
Size: 682.64 KB

Contents

Security utility for Linux server
Olivoy Edition
Copyright © 2017 Olivoy. All rights reserved.

Table of Contents

Introduction
Filter traffic through the firewall
  Presentation
  Declaration of rules: full filtering
  Opening the ports in use
  Starting the firewall
  Example of script
Advanced configuration
  Flood or denial of service
  Port scan
  Banning an IP
Preventing intrusions
  Portsentry (port scan)
  Fail2ban (brute-force, dictionary, denial of service)
  Snort (intrusion detection)
Monitor logs
Testing server security
  Port scanner

Introduction

This guide will teach you how to secure a server and, in doing so, introduce you to the topics of computer security.

Why is it important? By definition, a server is open to the world, so a minimum of security is needed against even the most simplistic attacks.

The procedure will be as follows: presentation of the flaws, then presentation of the tools to mitigate them. Of course, this is not a complete computer security course; this tutorial is an initiation. To put it simply, it is a bit like closing the shutters at night.

From a material point of view, this is what you will need:
- a server with an xBuntu or Debian distribution (for other distributions the principle is the same, but the commands may differ);
- root access (via ssh, for example) and a console.

The whole tutorial takes place on the command line in order to be accessible to all. As you will have to edit files, make sure you have a command-line file editor (I will personally use nano, which is very simple).

Filter traffic through the firewall

Presentation

The firewall is the indispensable element for securing your server. It filters all the traffic, allowing only the exchanges permitted by the administrator. Without a correctly set firewall, all traffic is more or less free (that is, an attacker can do what he wants in your home), and this kind of flaw is detectable by simply scanning ports. However, the Linux kernel already provides a firewall to the user, which is configured via the iptables software (normally found in /sbin/iptables). If not installed:

We will now detail the operation of a firewall, which is relatively simple. A firewall analyzes all the traffic and checks whether each packet exchanged complies with its rules (filter criteria). So you just have to specify good rules to prohibit unnecessary traffic. The criteria can be diverse (ports, protocols, IP addresses, etc.); to keep it basic, we will specify our rules on ports. Of course, we must be as strict as possible in the choice of rules; therefore, by default, any firewall is set up first of all by blocking everything, absolutely everything. Then we will "open" (allow traffic on) some ports that we want to use (for example, for a web server we will open port 80 so that the website is accessible). For more flexibility, we will write our rules as a bash script.

A small word of caution: if you are logged on to your remote machine (ssh), be sure not to block your own access, or at least to have the ability to reboot the machine. Otherwise, I'm afraid that recovering your server will be complicated!

Declaration of rules: full filtering

Note that the command iptables -L -v will allow you to view the current rules.

Let's create the script:

And we write:

#!/bin/sh

We erase the previous rules to start from a clean slate:

We block all the traffic by default (if you are logged in with ssh, do not run the script yet! You would lose the connection with the server; you will find the final script at the end):

We do not close the already established connections:

With the -m and state parameters we indicate not to close the connections that are already established.

We allow the loopback (we will not block ourselves!):

Note: lo means localhost (the server itself).

Everything is blocked; we just have to open the ports in use.

Opening the ports in use

From now on, let's take a closer look at the parameters of iptables:
- -t: the table, which defaults to « filter »
- -A: the chain, which indicates the direction of traffic: INPUT or OUTPUT
- -p: the protocol (TCP or UDP)
- --dport and --sport: destination port and source port (as we are the server, we will mainly use dport)
- -j: how to process the packet (we will use ACCEPT and DROP to accept and reject the packet)

The more precise we are, the more secure we will be. It is therefore essential to provide these few options. Thus, a simple rule will have the following form:

Finally, note that if you want an exchange, always open the port in both directions (INPUT and OUTPUT), logically. Example if you have a web server (port 80):

You could tell me that it would suffice to write the line only once, without specifying the -A argument, but following our precision policy that would be an error, because there are values other than INPUT and OUTPUT for which we do not want to allow traffic (FORWARD, for example).

All you have to do is specify all the necessary rules. Here is a small table to help you (these are the default values):

Service       Listening port   Protocol
ssh           22               TCP
Web/HTTP      80               TCP
FTP           20 and 21        TCP
Mail/SMTP     25               TCP
Mail/POP3     110              TCP
Mail/IMAP     143              TCP
DNS           53               TCP and UDP

Special case of ping. Ping is based on a particular protocol (ICMP) that does not have a predefined port. But it is absolutely necessary to authorize ping, because this is the most commonly used method to find out whether your server is alive. Here are the rules:

Starting the firewall

Finally, we will launch our firewall:

It is important to load this script when the machine starts up, so that a simple reboot does not leave you without protection:

Example of script

Advanced configuration

Flood or denial of service

This kind of attack aims to overload the queried machine. It is possible to guard against it quite directly at the level of the firewall:
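The script below is added here as an example and is not the guide's own script: it gathers the rules of the firewall sections into one file (flush, block everything, keep established connections, loopback, ping, a limit on connection requests, the ports in use, and a ban function). The ports, the 1/second limit and the burst of 4 are assumed values; DRY_RUN=1 prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not the guide's own script: the firewall rules in the order the
# guide presents them. Ports, the 1/second limit and the burst of 4 are assumed
# values for this example; DRY_RUN=1 prints the rules instead of applying them.
TCP_PORTS="22 80 443"   # ssh, HTTP, HTTPS (assumed services on this server)
UDP_PORTS="53"          # DNS

# Every rule goes through here so that a dry run can show what would be applied.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}

# Open one port in both directions (INPUT and OUTPUT), as the guide recommends.
open_port() {   # $1 = protocol, $2 = port
    ipt -t filter -A INPUT  -p "$1" --dport "$2" -j ACCEPT
    ipt -t filter -A OUTPUT -p "$1" --sport "$2" -j ACCEPT
}

apply_firewall() {
    ipt -t filter -F                           # erase the previous rules
    ipt -t filter -X                           # and any user-defined chains
    ipt -t filter -P INPUT DROP                # block everything by default,
    ipt -t filter -P FORWARD DROP              # in every direction
    ipt -t filter -P OUTPUT DROP
    # do not cut connections that are already established (keeps your ssh session)
    ipt -t filter -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT  -i lo -j ACCEPT    # loopback: we do not block ourselves
    ipt -t filter -A OUTPUT -o lo -j ACCEPT
    ipt -t filter -A INPUT  -p icmp -j ACCEPT  # ping (ICMP has no port)
    ipt -t filter -A OUTPUT -p icmp -j ACCEPT
    # SYN flood: a dedicated chain, so that requests over the limit are DROPPED.
    # (A bare "-p tcp --syn -m limit ... -j ACCEPT" on INPUT would accept SYNs on
    # every port and bypass the port filtering below.)
    ipt -t filter -N SYN_LIMIT
    ipt -t filter -A SYN_LIMIT -m limit --limit 1/second --limit-burst 4 -j RETURN
    ipt -t filter -A SYN_LIMIT -j DROP
    ipt -t filter -A INPUT -p tcp --syn -j SYN_LIMIT
    for p in $TCP_PORTS; do open_port tcp "$p"; done
    for p in $UDP_PORTS; do open_port udp "$p"; done
}

# Ban one address found in the logs; -I puts the rule first, ahead of the ACCEPTs.
ban_ip() { ipt -t filter -I INPUT -s "$1" -j DROP; }
case "${1:-}" in
    apply) apply_firewall ;;
    dry)   DRY_RUN=1; apply_firewall ;;
    ban)   ban_ip "$2" ;;
esac
```

Run it as root with "dry" first to review the rules, then "apply"; "ban <ip>" adds a single DROP rule. As in the guide, the server's own outgoing connections (DNS lookups, package updates) are not opened by this script, so add OUTPUT rules with --dport for those if the server needs them.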
TCP SYN flags generate connection requests, and the purpose of this rule is to limit them to one per second (the limit fields). However, it is not recommended to go beyond one per second (otherwise TCP flow control and error recovery would suffer). The same can be done with the UDP and ICMP protocols:

Note, however, that this type of attack allows the server to be taken down, but not accessed. That's why the risk of being the target is quite thin (unless you are called Google). In general, a simple anti-intrusion software like fail2ban is sufficient, depending on the level of security sought.

Port scan

You can also limit port scans (which consist of testing all your ports to detect which ones are open). For that, a rule of this kind will do:

This is somewhat the same principle as above. Knowing that a proper TCP connection requires three packets with three different flags, one sees right away the finesse of this rule, which can work packet by packet. For more information on TCP flags, see Wikipedia. Note that this basic rule is not very effective; it is a basic protection. The next part will go further in blocking port scans.

Banning an IP

If you find a suspicious IP address in the logs or elsewhere, you can ban it easily at the firewall via the command:

Preventing intrusions

Currently, the firewall will block any connection attempts on the closed ports. But what about the open ports? In order to control more precisely what is going on, the firewall is not sufficient, and we will have to use other tools, called IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). These two categories of software will, as their name suggests, monitor any intrusion attempts on the server. The following procedure will show you how to react to each step of a conventional intrusion attempt, namely:
- port scanning (more generally, information gathering) to find vulnerabilities;
- simple attacks, which betray low security;
- intrusion (via techniques that will not be described here because they go beyond our scope);
- the installation of a means of logging on to the server at will (if the attacker gets this far, it can be said that the machine belongs to him).

Portsentry (port scan)

This utility blocks in real time most of the known port scans (even very discreet ones that escape the filtering rules of the basic firewall). I recall in passing that scanning ports means testing all the ports of a machine in order to determine which ones are open (roughly, the entry gates). However, do not panic if your server is the target of a simple port scan; this will be common, and if you are well protected, the pirate will go his way. Portsentry is handy if you want to complicate the attacker's task:

To configure it:

Or:

Comment out the KILL_HOSTS_DENY lines.

Uncomment the line KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

Thus, Portsentry will add a rule in the firewall (iptables) to reject the packets in case of a scan. We start the software (it must be run twice, for TCP and UDP):

You can test all this with nmap (if you want to test locally, you need to modify the file portsentry.ignore by removing localhost). If you want your settings to remain even after portsentry is launched again, you will need to modify the portsentry.ignore.static file.

Fail2ban (brute-force, dictionary, denial of service)

As I said, the open ports on the machine are a priori without much protection, and subject to simple attacks such as attempting to connect by brute force or by dictionary (for example, testing all combinations of passwords to log into ssh), denial of service (overloading the queried server) or, more foolishly, searching for users without passwords. If your machine is infiltrated so easily, the attacker will be really pleased.

Fail2ban is a small utility that relies on the machine's logs to look for repeated suspect actions (for example, password errors) in a given amount of time. If it finds any, it bans the attacker's IP via iptables. This type of software is indispensable because, although it is lightweight, it offers good protection against the basic attacks mentioned above.

For installation:

For configuration:

I encourage you to fill in the field below:
- destemail: enter an email address if you want to receive alerts from fail2ban.

The protection level can be modulated via the following fields (note that the default configuration is normally sufficient):
- bantime: how long suspicious IPs are banned
- maxretry: number of connection attempts allowed before banning

Note that in the JAILS section (in nano: ctrl w => search JAILS) you will see all the services that fail2ban will monitor. If you have changed the default ports, you must specify them here too. For example, with ssh:

Save and exit. I encourage you to quickly go through the rest of the options to customize your setup a little. Finally, to reload the new configuration:

Snort (intrusion detection)

The problem when you start to secure things is knowing when to stop. Snort is a very powerful tool that can actually detect most attacks that would escape a utility like fail2ban. Of course, it will not be needed in 90% of cases, and as it is only a detection tool, it will be up to you to take the necessary measures if it detects an intrusion. Finally, since it analyzes the traffic in real time, it necessarily slows down the flow a little. The installation is therefore not essential; it depends on the degree of security sought!

Monitor logs

Most of the software mentioned above will send you email notifications in the event of an alert. However, monitoring logs is important because they reflect the "life" of your server. The most interesting logs are:
- /var/log/auth.log, which contains all attempts to access the server. It may be useful to filter the content, for example: cat /var/log/auth.log | grep "authentication failure"
- /var/log/messages and /var/log/syslog contain a bit of everything (errors, bugs, information, etc.)
- /var/log/fail2ban.log is the fail2ban alert log. Search for: cat /var/log/fail2ban.log | grep Ban
- /var/log/snort/alert will show you the Snort alerts.

Testing server security

It is well known that to test the security of your server, the simplest way is still to put yourself in a pirate's shoes. Without going so far, there are nonetheless some interesting tools to determine whether there is a big fault or not.

Port scanner

nmap is the best port scan tool: it will attempt to open connections on a large number of ports on your machine to determine whether they are open or not. As it is our own server, it is best to perform the most incisive (and therefore least discreet) scan possible:

You will then have the list of open ports. You can also test a particular port with the -p port argument. If you have taken steps to block (at best) port scans, it is advisable to disable that blocking for the time of the scan first (because an open port that you do not know about is a fault), and then to play with nmap to see whether your rules are effective or not.
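To show what fail2ban does behind the scenes, and what the auth.log filter above is looking for, here is an added example that is not from the guide: it counts failed ssh logins per source address and reports the addresses that reach a maxretry threshold, which are the ones you would then ban with iptables. The log lines, host name and addresses are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the guide: the check that fail2ban automates, done by hand
# on /var/log/auth.log. Count failed ssh logins per source address and report the
# addresses that reach a maxretry threshold, i.e. the ones worth banning.

# Constructed sample lines in auth.log format; host name and addresses are made up
# (documentation ranges). 203.0.113.7 fails three times, the two others once each.
SAMPLE_AUTH_LOG="Mar  5 08:40:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 08:40:03 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 08:40:06 srv sshd[2104]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  5 08:41:10 srv sshd[2110]: Accepted publickey for alice from 198.51.100.4 port 40210 ssh2
Mar  5 08:42:15 srv sshd[2115]: Failed password for alice from 198.51.100.4 port 40222 ssh2
Mar  5 08:43:00 srv sshd[2120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.9 user=bob"

# Read a log on stdin; print "count ip" for every address with at least $1
# failures (default 3, the same knob as fail2ban's maxretry), most active first.
suspect_ips() {
    awk -v max="${1:-3}" '
        # sshd lines: the address follows the word "from"
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        # pam_unix lines: the address is in the rhost= field (which may be empty)
        /authentication failure/ {
            for (i = 1; i <= NF; i++) if (sub(/^rhost=/, "", $i) && $i != "") fails[$i]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' | sort -rn
}

# On a real server: suspect_ips 3 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspect_ips 3   # prints: 3 203.0.113.7
```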

Posted: 05/03/2019, 08:48
