linux server hardening - steps by steps
CI6230 Information Systems Security Assignment 2 – Server Hardening
Page 1 of 80
Server Hardening
Loo Chia Feng G1301352L
Sunil Paudel G1400834A
Abdul Rachman G1400808F
Wang Bo G1301325H
Table of Contents
1. Keep the server Up-to-date .......................................................................................................... 4
2. Ports ........................................................................................................................................... 5
3. Firewall ....................................................................................................................................... 7
4. Configuring the firewall on Startup ............................................................................................. 12
4.1. Save the firewall rules to a file ................................................................................................. 12
4.2. Make changes to /etc/network/interfaces................................................................................ 12
5. Set BIOS Password: .................................................................................................................... 15
6. Setting GRUB Password .............................................................................................................. 16
7. Disable Alt+Ctrl+Del ................................................................................................................... 18
8. Apache Web Server hardening.................................................................................................... 19
8.1. Basics of Apache Server in Metasploitable2 .............................................................................. 19
8.2. Check if apache web server is running ...................................................................................... 19
8.3. Secure and Hardening Apache Web Server ............................................................................... 21
8.3.1. Hide Apache Version and OS Identity from Errors ............................................................... 21
8.3.2. Restrict access to root and others directory, except only 1 website named “NewWebsite” (Use Allow and Deny) and disable Overwriting using .htaccess ............................................................. 23
8.3.3. Disable Directory Listing, Apache’s following of Symbolic Links and Overwriting using .htaccess of a “NewWebsite” folder .......................................................................................................... 26
8.3.4. Keep updating Apache Regularly ....................................................................................... 28
8.3.5. Disable Unnecessary Modules ........................................................................................... 30
8.3.6. Run Apache as separate User and Group............................................................................ 32
8.3.7. Limit Request Size for “NewWebsite” ................................................................................ 34
8.3.8. Limiting the size of an XML Body ....................................................................................... 35
8.3.9. Turn off Server Side Includes and CGI Execution for “NewWebsite” ..................................... 36
8.3.10. Protect DDOS attacks and Hardening ............................................................................... 37
8.3.11. Enable Apache Logging.................................................................................................... 38
8.3.12. Protect binary and configuration directory permission for “NewWebsite”.......................... 40
8.3.13. Disable Trace HTTP Request ............................................................................................ 41
8.3.14. Restricting Access by IP (Set only intranet) can access “NewWebsite” – Designed for example.com ............................................................................................................................. 43
8.3.15. Securing “NewWebsite” with SSL Certificates ................................................................... 44
9. User and Group hardening ......................................................................................................... 51
9.1. Change msfadmin password and username .............................................................................. 51
9.2. Change password complexity................................................................................................... 53
9.3. Add user and group................................................................................................................. 56
9.4. Force users to change their password upon first login ............................................................... 58
9.5. Configure Password Aging ....................................................................................................... 59
9.6. Limit password reuse on Linux ................................................................................................. 60
9.7. Verify No Accounts Have Empty Passwords .............................................................................. 61
9.8. Make Sure No Non-Root Accounts Have UID Set To 0................................................................ 62
9.9. Restrict User and Group Access ............................................................................................... 63
9.9.1. Create and Maintain a Group for All Authorized Users ........................................................ 63
9.9.2 Restrict Access .................................................................................................................. 63
9.10. Disable root account ............................................................................................................. 65
10. Secure /etc/fstab ................................................................................................................... 66
10.1. Securing /var/tmp ................................................................................................................. 66
10.2. Securing tmpfs ...................................................................................................................... 67
11. Encrypt File Systems............................................................................................................... 68
11.1. Encrypt and decrypt file with password .................................................................................. 68
11.2. Encrypt folder or directory..................................................................................................... 72
12. Disable the Ipv6 protocol ........................................................................................................ 74
13. Log Files ................................................................................................................................ 75
13.1. Monitor Suspicious Log Messages with Logwatch ................................................................... 76
14. Setting AIDE (Advanced Intrusion Detection Environment) ....................................................... 78
15. Limitations............................................................................................................................. 79
16. References............................................................................................................................. 80
1. Keep the server Up-to-date
Command: sudo apt-get update
2. Ports
The IP address of the virtual machine is 10.0.2.15.
The ports are scanned using nmap.
Open ports are shown below:
These ports and services have to be closed. We need to set up firewall rules that allow only the http and https services and close all other services.
3. Firewall
The bash script firewall_rules.sh is created as below.
#!/bin/bash
IPT=/sbin/iptables
$IPT -F # flush the previously defined rules
# write the policies now
$IPT -P OUTPUT ACCEPT # allow the output
$IPT -P INPUT DROP # default policy for the input chain is drop
$IPT -P FORWARD DROP # default policy for the forward chain is also drop
# allowed inputs
#$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
# allow established sessions
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing
#$IPT -A INPUT ! --in-interface lo --source 127.0.0.0/8 -j DROP
# blocking spoofed addresses (external_interface is a placeholder for the real interface name, e.g. eth0)
$IPT -A INPUT -i external_interface -s 192.168.0.0/24 -j REJECT
# limit ping requests (note: this ACCEPT is matched before the ICMP DROP rules below,
# so pings within the limit are still answered)
$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
# drop all invalid packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
# stop smurf attacks
$IPT -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
$IPT -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
$IPT -A INPUT -p icmp -m icmp -j DROP
# rate-limit RST packets; anything above the limit falls through to the default DROP policy
$IPT -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# preventing pings
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
Fig: No firewalls set
Now run the bash script.
Command: sudo bash firewall_rules.sh
After the script (which contains the firewall rules) has run, the rules are set and can be viewed using the following command:
Command: sudo iptables -L | less
Fig: Run the bash file and set the firewall rules
Fig: Firewall Rules Set
The ports are scanned again after setting the firewall rules, and only two ports are shown:
Service   Port   State
http      80     open
https     443    closed
Fig: nmap after setting the firewall rules
The services telnet and mysql are in the filtered state.
Command: nmap -sS -p 23 10.0.2.15
Command: nmap -sS -p 3306 10.0.2.15
If nmap is run to scan all ports, only two ports (80 and 443) are displayed.
If nmap is run to scan the particular ports (23 and 3306), it shows that they are filtered.
But if we run netstat, it still shows that the ports (23 and 3306) are listening.
Command: sudo netstat -lpn | grep 23 | less
So we need to stop the services.
Command: sudo /etc/init.d/mysql stop
Let’s look at the service (mysql:3306) using netstat.
Command: sudo netstat -lpn | grep 3306 | less
Fig: after stopping the service, mysql no longer shows in netstat
Let’s run nmap.
Command: nmap -sS -p 3306 10.0.2.15 | less
The port is still shown as filtered. This shows that there is no need to stop the services individually, even though netstat shows them as LISTENING: the firewall rules take care of them.
4. Configuring the firewall on Startup
4.1. Save the firewall rules to a file
Command: sudo sh -c "iptables-save > /etc/iptables.rules"
Command: sudo sh -c "iptables-save > /etc/iptables.downrules"
4.2. Make changes to /etc/network/interfaces
We need to make changes to the specific interface. The screenshot below shows that our server has only one interface, eth0, and no wireless interface.
Command: iwconfig
Now edit /etc/network/interfaces and add the following to the eth0 interface:
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-restore < /etc/iptables.downrules
Now let's restart the server and check if the iptables rules are configured on startup.
Let’s run nmap now. (Note that the IP address has changed because the network adapter has been changed to “host-only”.)
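Because the saved file is restored blindly by pre-up at every boot, it is worth auditing it before it is trusted. The script below is an added example, not part of the report: it checks a saved ruleset (two constructed iptables-save excerpts are embedded, one in the shape the report's script produces and one with typical mistakes) for the properties sections 2 and 3 require: default DROP on INPUT and FORWARD, only ports 80 and 443 accepted, a RELATED/ESTABLISHED rule, and a closing COMMIT.

```shell
#!/bin/sh
# Constructed iptables-save output (not captured from the report's VM) in the
# shape the report's firewall_rules.sh produces: default DROP, 80/443 open.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
COMMIT'

# A second constructed file with the mistakes the audit is meant to catch:
# permissive default policies and telnet (23) left open.
WEAK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT'

write_rules() { printf '%s\n' "$2" > "$1"; }   # write_rules FILE CONTENT

# audit_rules FILE: check a saved ruleset before it is restored at boot.
# Prints one finding per line; returns 0 only when every check passes.
audit_rules() {
  f="$1"; rc=0
  grep -q '^:INPUT DROP' "$f"   || { echo "INPUT default policy is not DROP"; rc=1; }
  grep -q '^:FORWARD DROP' "$f" || { echo "FORWARD default policy is not DROP"; rc=1; }
  for p in 80 443; do
    grep -q -- "--dport $p -j ACCEPT" "$f" || { echo "port $p is not allowed"; rc=1; }
  done
  grep -q 'ESTABLISHED' "$f" || { echo "no ESTABLISHED/RELATED rule: replies to the server's own outbound connections would be dropped"; rc=1; }
  # Any ACCEPT for a port other than 80/443 (e.g. telnet 23 or mysql 3306) is a finding.
  extra=$(grep -- '-j ACCEPT' "$f" | grep -- '--dport' | grep -v -e '--dport 80 ' -e '--dport 443 ' | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
  for p in $extra; do echo "unexpected port opened: $p"; rc=1; done
  grep -q '^COMMIT$' "$f" || { echo "missing COMMIT: iptables-restore would not apply the table"; rc=1; }
  return $rc
}

# Stand-alone demo: write both constructed files and audit them.
tmp=$(mktemp -d)
write_rules "$tmp/good.rules" "$SAMPLE_RULES"
write_rules "$tmp/weak.rules" "$WEAK_RULES"
for r in good weak; do
  echo "== $r.rules"
  audit_rules "$tmp/$r.rules" && echo "ok: safe to restore" || echo "findings above: do not restore this file"
done
rm -rf "$tmp"
```

Run it against the real file with `audit_rules /etc/iptables.rules` after `iptables-save` and fix every finding before rebooting; the port check is deliberately strict, so extend the 80/443 list only for services the server is meant to expose.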
5. Set BIOS Password
Setting the password in BIOS prevents any unauthorized changes in BIOS.
To access the BIOS setup screen, edit the virtual machine’s configuration (.vmx) and add the following:
bios.forceSetupOnce = "TRUE"
BIOS Password: C16230 (for both User Password and Supervisor Password)
6. Setting GRUB Password
Command: grub-md5-crypt | tee password.txt
Password: C16230
Edit /boot/grub/menu.lst and edit the line as below.
password --md5 $1$XXXXX (the output of grub-md5-crypt, which is stored in the file password.txt)
To prevent everyone except root from reading /boot/grub/menu.lst, use the following command.
Command: sudo chmod 600 /boot/grub/menu.lst
Reboot the system to check if the grub is asking for the password.
Type the password, C16230.
7. Disable Alt+Ctrl+Del
Anyone who has physical access to the keyboard can simply hit Alt+Ctrl+Del and reboot the system.
So edit the file /etc/event.d/control-alt-delete
Command: sudo vi /etc/event.d/control-alt-delete
Comment out the line below (prefix it with #) so that the key combination no longer reboots the system.
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
8. Apache Web Server hardening
8.1. Basics of Apache Server in Metasploitable2
Document root directory: /var/www
New website directory: /var/www/NewWebsite
Main configuration file: /etc/apache2/apache2.conf
Default HTTP port: 80 TCP
Default HTTPS port: 443 TCP
Test your configuration file settings and syntax: apache2 -t
Check the Apache version: apache2 -v
Access log of the web server: /var/log/apache2/access.log
Error log of the web server: /var/log/apache2/error.log
Add a sample index.html into the NewWebsite folder once the server is hardened, for testing.
8.2. Check if apache web server is running
Command: ifconfig
The IP address of current machine showed as below.
Open browser and enter http://your_ip_address
Apache web server running successfully
8.3. Secure and Hardening Apache Web Server
8.3.1. Hide Apache Version and OS Identity from Errors
Before
Open browser and enter http://your_ip_address/abcdef
Implementation
Command: nano /etc/apache2/apache2.conf
Modify the following settings (Apache directives take no "=" sign):
ServerSignature Off
ServerTokens Prod
Command: apache2ctl restart
Verification
Refresh the website; the version and OS information are no longer shown in the error page, as shown in the figure.
8.3.2. Restrict access to root and others directory, except only 1 website named “NewWebsite” (Use Allow and Deny) and disable Overwriting using .htaccess
Before
Open browser and enter http://your_ip_address
Implementation
# cd /var/www
# mkdir NewWebsite
# cd NewWebsite
# touch helloworld
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory /> and <Directory "/var/www">:
Options None
Order deny,allow
AllowOverride None
Deny from all
Make sure there is a separate Directory section for "/var/www/NewWebsite".
Description of the settings
Options None – does not allow users to enable any optional features.
Order deny,allow – the order in which the Deny and Allow directives are processed. Here Deny is evaluated first and Allow next.
AllowOverride None – disables the overriding of any options using .htaccess.
Deny from all – denies requests from everybody to the root directory, so nobody will be able to access it.
Verification
Refresh the website and you will no longer be able to view the files in the root folder.
8.3.3. Disable Directory Listing, Apache’s following of Symbolic Links and Overwriting using .htaccess of a “NewWebsite” folder
Before
Open browser and enter http://your_ip_address/NewWebsite
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory "/var/www/NewWebsite">
Options -Indexes -FollowSymLinks
AllowOverride None
Command: apache2ctl restart
Verification
Refresh the website and you will no longer be able to view the files in the folder.
Place an index.html file inside the NewWebsite folder.
8.3.4. Keep updating Apache Regularly
Before
Command: apache2 -v
Implementation
Command: apt-get install apache2
Verification
Command: apache2 -v
8.3.5. Disable Unnecessary Modules
Before
Find out which modules are loaded into Apache and disable the unnecessary ones.
Command: apache2ctl -M
Implementation
Disable mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi and mod_autoindex (if present) by running the command a2dismod <module name>
Command: a2dismod <module name>
Command: apache2ctl restart (execute only once all the modules are disabled)
Verification
For Ubuntu v8.04, mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi and mod_autoindex are not preloaded, so none of them needs to be disabled.
8.3.6. Run Apache as separate User and Group
Before
The default Apache user and group is www-data.
Implementation
Command: groupadd http-web
Command: useradd -d /var/www/ -g http-web -s /usr/sbin/nologin http-web
Command: nano /etc/apache2/envvars
Modify the following settings:
export APACHE_RUN_USER=http-web
export APACHE_RUN_GROUP=http-web
Command: apache2ctl restart
Verification
Proceed again to check if apache web server is running.
8.3.7. Limit Request Size for “NewWebsite”
By default Apache has no limit on the total size of an HTTP request body, and when you allow large requests on a web server you could become a victim of denial-of-service attacks. We can limit the request size with the Apache directive LimitRequestBody inside the Directory tag.
You can set the value in bytes from 0 (unlimited) to 2147483647 (2GB) for the allowed request body. Set this limit according to your site's needs; for example, on a site that allows uploads you may want to limit the upload size for a particular directory.
In this hardening process, we are putting a limit of 500K on this directory.
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Add in the following lines to 000-default.
Command: apache2ctl restart
8.3.8. Limiting the size of an XML Body
The default value of the LimitXMLRequestBody directive is 1 million bytes (approx. 1 MB).
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory “/var/www/NewWebsite”>
LimitXMLRequestBody 10485760
Command: apache2ctl restart
8.3.9. Turn off Server Side Includes and CGI Execution for “NewWebsite”
This prevents clients from injecting scripts via the browser.
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory “/var/www/NewWebsite”>
Options -Includes -ExecCGI
Command: apache2ctl restart
8.3.10. Protect DDOS attacks and Hardening
Implementation
Command: nano /etc/apache2/apache2.conf
Find the following settings and modify accordingly.
TimeOut: By default the Apache timeout value is 300 seconds, which leaves the server open to Slowloris and other DoS attacks. To mitigate this you can lower the timeout value to maybe 60 seconds.
KeepAlive: Set to Off so that each connection serves a single request; this prevents DoS attacks that hold many connections open from a single PC.
MaxClients: This directive allows you to set the limit on connections that will be served simultaneously. Every new connection will be queued up after this limit. It is available with both the Prefork and Worker MPMs. Its default value is 256. To mitigate this you can lower the MaxClients value to maybe 20.
KeepAliveTimeout: The amount of time the server will wait for a subsequent request before closing the connection. The default value is 15 seconds. To mitigate this you can lower the KeepAliveTimeout value to maybe 5.
Error responses: By default, Apache does not enable custom error responses. In the hardening process, detailed error responses should be turned off to prevent attackers from learning exactly which error they encountered.
Command: apache2ctl restart
8.3.11. Enable Apache Logging
Apache lets you log independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the requests made by users that have interacted with your web server.
Implementation
Command: nano /etc/apache2/apache2.conf
Modify the following setting:
LogLevel debug
Logs Description
emerg: Emergency situations where the system is in an unusable state.
alert: Severe situation where action is needed promptly.
crit: Important problems that need to be addressed.
error: An Error has occurred. Something was unsuccessful.
warn: Something out of the ordinary happened, but not a cause for concern.
notice: Something normal, but worth noting has happened.
info: An informational message that might be nice to know.
debug: Debugging information that can be useful to pinpoint where a problem is occurring.
Verification
Visit the new website again; the logs can be found under /var/log/apache2.
Command: cd /var/log/apache2
Command: nano access.log (website access log)
Command: nano error.log (web server error log)
Command: nano error.log.1 (rotated web server error log): when the log is rotated, a new file is created with the numeric suffix incremented by 1
8.3.12. Protect binary and configuration directory permission for “NewWebsite”
Website executables are placed in bin and configuration settings are placed in conf. To protect them from modification by attackers, we restrict the permissions on these folders to their owner and group.
Implementation
Command: cd /var/www/NewWebsite
Command: mkdir bin
Command: mkdir conf
Command: chmod -R 750 bin conf
Verification
8.3.13. Disable Trace HTTP Request
Before
Command: telnet localhost 80
TRACE / HTTP/1.1
Host: test
(press Enter twice)
Implementation
Command: nano /etc/apache2/apache2.conf
Add the following settings:
TraceEnable off
Command: apache2ctl restart
Verification
Command: telnet localhost 80
TRACE / HTTP/1.1
Host: test
(press Enter twice)
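The directives from sections 8.3.1, 8.3.2, 8.3.3, 8.3.7, 8.3.9 and 8.3.13 are spread across apache2.conf and 000-default, so a single check that reads the resulting configuration is useful before each restart. The script below is an added example, not part of the report or of Apache: it audits a configuration file for those directives. Two constructed excerpts are embedded, a hardened one and a stock-looking one; the LimitRequestBody value 512000 (500K) is our assumption of the lines the report's screenshot contained.

```shell
#!/bin/sh
# Constructed Apache 2.2-style configuration excerpt (not the report's own
# 000-default) with the hardening directives from sections 8.3.1 to 8.3.13.
# The LimitRequestBody value 512000 (500K) is our assumption.
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
TraceEnable off
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/NewWebsite">
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    LimitRequestBody 512000
</Directory>'

# A constructed "before hardening" excerpt, shaped like a stock default site.
WEAK_CONF='ServerTokens OS
ServerSignature On
<Directory "/var/www/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>'

write_conf() { printf '%s\n' "$2" > "$1"; }   # write_conf FILE CONTENT

# has_directive FILE DIRECTIVE VALUE: true if a line "DIRECTIVE VALUE" exists
# (case-insensitive, any indentation), e.g. has_directive f ServerTokens Prod
has_directive() {
  grep -i -E -q "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# audit_apache_conf FILE: print one finding per line; return 0 only if clean.
audit_apache_conf() {
  f="$1"; rc=0
  has_directive "$f" ServerTokens Prod   || { echo "ServerTokens is not Prod (8.3.1)"; rc=1; }
  has_directive "$f" ServerSignature Off || { echo "ServerSignature is not Off (8.3.1)"; rc=1; }
  has_directive "$f" TraceEnable off     || { echo "TraceEnable is not off (8.3.13)"; rc=1; }
  has_directive "$f" "Deny from" all     || { echo "no 'Deny from all' default (8.3.2)"; rc=1; }
  has_directive "$f" AllowOverride None  || { echo "no 'AllowOverride None' (8.3.2)"; rc=1; }
  # Any AllowOverride other than None lets a writable .htaccess undo the rest.
  if grep -i -E '^[[:space:]]*AllowOverride[[:space:]]' "$f" |
     grep -i -v -E -q 'AllowOverride[[:space:]]+None[[:space:]]*$'; then
    echo "an AllowOverride line permits .htaccess overrides (8.3.2)"; rc=1
  fi
  # An Options line that enables (no leading '-') Indexes, FollowSymLinks,
  # Includes or ExecCGI re-opens directory listing, symlinks, SSI or CGI.
  if grep -i -E '^[[:space:]]*Options[[:space:]]' "$f" |
     grep -i -E -q '(^|[[:space:]]|\+)(Indexes|FollowSymLinks|Includes|ExecCGI)'; then
    echo "an Options line enables Indexes/FollowSymLinks/Includes/ExecCGI (8.3.3, 8.3.9)"; rc=1
  fi
  # Request body cap: must exist and be at most 500K (512000 bytes).
  lim=$(grep -i -E '^[[:space:]]*LimitRequestBody[[:space:]]+[0-9]+' "$f" | awk '{print $2}' | head -n 1)
  if [ -z "$lim" ] || [ "$lim" -gt 512000 ]; then
    echo "LimitRequestBody missing or above 512000 bytes (8.3.7)"; rc=1
  fi
  return $rc
}

# Stand-alone demo: audit both constructed excerpts.
tmp=$(mktemp -d)
write_conf "$tmp/hardened.conf" "$HARDENED_CONF"
write_conf "$tmp/weak.conf" "$WEAK_CONF"
for c in hardened weak; do
  echo "== $c.conf"
  audit_apache_conf "$tmp/$c.conf" && echo "ok: no findings" || echo "findings above"
done
rm -rf "$tmp"
```

On the real server, concatenate the files Apache actually reads (`cat /etc/apache2/apache2.conf /etc/apache2/sites-enabled/*`) into one temporary file and pass that to `audit_apache_conf`; the check is textual, so it complements rather than replaces `apache2 -t`, which validates syntax but not policy.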
8.3.14. Restricting Access by IP (Set only intranet) can access “NewWebsite” – Designed for example.com
Before
Implementation
Command: nano /etc/apache2/sites-enabled/000-default
Modify the following settings under <Directory “/var/www/NewWebsite”>
Deny from all
Allow from 172.0.0.1
Verification
Running from the outside (external) network
8.3.15. Securing “NewWebsite” with SSL Certificates
Before
Implementation
Command: a2enmod ssl
Command: apache2ctl restart
Command: openssl genrsa -des3 -out example.com.key 1024
Command: openssl req -new -key example.com.key -out example.csr
Command: openssl x509 -req -days 365 -in example.csr -signkey example.com.key -out example.crt
Remarks: Follow the instructions to fill in the details of your company etc.
SSL certification created successfully.
Command: nano /etc/apache2/sites-enabled/000-default
Add in the following lines to 000-default.
ServerName localhost
SSLEngine on
SSLCertificateFile /etc/apache2/example.crt
SSLCertificateKeyFile /etc/apache2/example.com.key
Command: apache2ctl restart
Remarks: Enter the pass phrase that was created during certificate creation.
Verification
- Not added to trusted exception
- Added to security trusted exception
- Certificate Information
9. User and Group hardening
9.1. Change msfadmin password and username
Command: passwd msfadmin
Enter new UNIX password: Supply a new password
Retype new UNIX password: Supply the same new password
Change username of msfadmin to suadm
Command: usermod -l suadm msfadmin
9.2. Change password complexity
Install libpam-cracklib PAM module to enable cracklib support.
Command: apt-get install libpam-cracklib
Command: nano /etc/pam.d/common-password
Change the lines as highlighted in the screenshot below.
Put the following two lines into the file.
password required pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 dcredit=-1 ocredit=-1
password required pam_unix.so use_authtok nullok sha512
Description
retry=3: prompt the user at most 3 times before returning with an error
minlen=10: the minimum length allowed for an account password is set to 10 characters. This is the minimum credit-adjusted length for a good password, and the retry option above limits how many attempts the user gets.
difok=3: how many characters can be the same in the new password relative to the old one. Otherwise the user will see the error: BAD PASSWORD: is too similar to the old one
dcredit=-1: must contain at least 1 digit
ucredit=-1: must contain at least 1 upper-case character
ocredit=-1: must contain at least 1 other (non-alphanumeric) character
The screenshot after changes applied:
9.3. Add user and group
Command: adduser <username>
New UNIX password: Supply a password
Retype new UNIX password: Supply the same password
List all groups
Command: cat /etc/group
List the users in a group,
Command: members <group name>
9.4. Force users to change their password upon first login
Use the chage command to force users to change their password upon first login
Command: chage -d 0 jacklee
Now log in as “jacklee”; the user is forced to change the password.
9.5. Configure Password Aging
Run following command to change the password aging of user “jacklee”
Command: chage -M 60 -m 7 -W 7 jacklee
-m: The minimum number of days required between password changes i.e. the number of
days left before the user is allowed to change his/her password.
-M: The maximum number of days the password is valid (after that user is forced to change
his/her password).
-W : The number of days before password is to expire that user is warned that his/her
password must be changed.
To list current aging type chage command as follows:
Command: chage -l jacklee
9.6. Limit password reuse on Linux
Open your /etc/pam.d/common-password file
Command: nano /etc/pam.d/common-password
Edit or add the password line and append remember=13 to prevent a user from re-using any of his or her last 13 passwords:
password sufficient pam_unix.so use_authtok md5 shadow remember=13
9.7. Verify No Accounts Have Empty Passwords
Command: awk -F: '($2 == "") {print}' /etc/shadow
Lock all empty password accounts
Command: passwd -l accountName
9.8. Make Sure No Non-Root Accounts Have UID Set To 0
Only the root account should have UID 0, which carries full permissions to access the system. Type the following command to display all accounts with UID set to 0.
Command: awk -F: '($3 == "0") {print}' /etc/passwd
You should only see one line, as follows:
root:x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure the other accounts are authorized by you to use UID 0.
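The two awk one-liners in 9.7 and 9.8 are easy to run by hand but easier to forget; the script below is an added example, not part of the report, that wraps them in functions and reports both findings together, plus the locked-account check that shows whether `passwd -l` took effect. It runs on constructed passwd and shadow excerpts embedded in the script (the "backdoor" and "guest" accounts and the placeholder hashes are made up, not taken from the report's VM), so it can be tried without touching the real files.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow excerpts (not taken from the report's
# VM): "backdoor" and "guest" are made-up accounts that should trip the checks;
# the hashes are placeholder strings, not real password hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
suadm:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
backdoor:x:0:0::/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash'
SAMPLE_SHADOW='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
suadm:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16000:0:99999:7:::
backdoor:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16000:0:99999:7:::
guest::16000:0:99999:7:::'

# write_samples PASSWD_FILE SHADOW_FILE: materialise the constructed excerpts
write_samples() {
  printf '%s\n' "$SAMPLE_PASSWD" > "$1"
  printf '%s\n' "$SAMPLE_SHADOW" > "$2"
}

# uid0_accounts PASSWD: every account other than root whose UID is 0 (section 9.8)
uid0_accounts() { awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$1"; }

# empty_password_accounts SHADOW: accounts with an empty password field (section 9.7)
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# locked_accounts SHADOW: accounts whose hash field starts with "!" (passwd -l) or "*"
locked_accounts() { awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"; }

# audit_accounts PASSWD SHADOW: print one finding per line; return 1 if any found
audit_accounts() {
  rc=0
  for u in $(uid0_accounts "$1"); do
    echo "UID 0 account other than root: $u (delete it or confirm it is authorized)"; rc=1
  done
  for u in $(empty_password_accounts "$2"); do
    echo "empty password: $u (lock with: passwd -l $u)"; rc=1
  done
  return $rc
}

# Stand-alone demo on the constructed files.
tmp=$(mktemp -d)
write_samples "$tmp/passwd" "$tmp/shadow"
echo "locked accounts: $(locked_accounts "$tmp/shadow" | tr '\n' ' ')"
audit_accounts "$tmp/passwd" "$tmp/shadow" && echo "ok: no findings" || echo "findings above"
rm -rf "$tmp"
```

Against the live system, run `audit_accounts /etc/passwd /etc/shadow` as root (only root can read /etc/shadow); the "backdoor" entry in the sample is the pattern 9.8 warns about, a second UID 0 login that `awk` flags even though its name gives nothing away.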
9.9. Restrict User and Group Access
9.9.1. Create and Maintain a Group for All Authorized Users
Create a group named “normalusers”
Command: groupadd normalusers
Add all authorized users to normalusers
Command: usermod -aG {groupName} {username}
-a: add the user to the supplementary group(s), i.e. append the user to the current supplementary group list
-G: a list of supplementary groups of which the user is also a member
9.9.2 Restrict Access
Now a group of users has been created. Next, use the chgrp command to change the group of /opt/apps to the normalusers group
Command: chgrp normalusers /opt/apps
Disable the file permissions for others
Command: chmod 0640 /opt/apps
9.10. Disable root account
Disable root login
Command: sudo passwd -l root
Disable root login over SSH
Edit the file /etc/ssh/sshd_config and change PermitRootLogin to no.
10. Secure /etc/fstab
Temporary storage directories such as /tmp, /var/tmp and /dev/shm give attackers a place to store and execute malicious code, so we have to secure them.
10.1. Securing /var/tmp
Command: sudo vi /etc/fstab
Append the following line:
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
Meanings:
noexec - Do not allow execution of any binaries on this partition
nodev - Do not allow character or block special devices on this partition
nosuid - Do not honour SUID/SGID bits on this partition (prevents the setuid bit from taking effect)
10.2. Securing tmpfs
Command: sudo vi /etc/fstab
Append the following:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
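An added shell check (not from the assignment) that verifies the three temporary directories of section 10 really carry nodev, nosuid and noexec once mounted; it reads a file in /proc/mounts format, and the sample it ships with is constructed (the device name and option strings are made up).

```shell
# Added example, not part of the assignment: verify that the temporary
# directories from section 10 are actually mounted with the intended options.
# $1 is a file in /proc/mounts format, so it runs on a constructed sample;
# on a live system pass /proc/mounts itself.

# For each of /tmp, /var/tmp and /dev/shm print either
# "<dir> missing:<opts>" or "<dir> not a separate mount"; print "ok" if all
# three carry nodev, nosuid and noexec.
check_tmp_mounts() {
    awk '
    BEGIN { n = split("nodev nosuid noexec", want, " ")
            m = split("/tmp /var/tmp /dev/shm", dirs, " ") }
    $2 == "/tmp" || $2 == "/var/tmp" || $2 == "/dev/shm" {
        seen[$2] = 1
        split("", have); split($4, opts, ",")
        for (i in opts) have[opts[i]] = 1
        missing = ""
        for (j = 1; j <= n; j++)
            if (!(want[j] in have))
                missing = missing (missing == "" ? "" : ",") want[j]
        if (missing != "") { print $2 " missing:" missing; bad = 1 }
    }
    END {
        # A directory without its own mount inherits the root filesystem
        # options, which normally permit exec, setuid and device files.
        for (k = 1; k <= m; k++)
            if (!(dirs[k] in seen)) { print dirs[k] " not a separate mount"; bad = 1 }
        if (!bad) print "ok"
    }' "$1"
}

# Constructed sample in /proc/mounts format: /tmp is a plain directory on /,
# /var/tmp is the bind mount from 10.1, /dev/shm lacks noexec.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro,data=ordered 0 0
/dev/sda1 /var/tmp ext3 rw,nosuid,nodev,noexec,relatime,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}
```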
11. Encrypt File Systems
11.1. Encrypt and decrypt a file with a password
Show the content of the file:
Command: more test.txt
openssl
This sample uses 256-bit AES in CBC mode with a password; the command creates a new file called test.out.
Command: sudo openssl enc -aes-256-cbc -salt -in test.txt -out test.out
mcrypt
This command creates a new file with the extension .nc and prompts for a password.
Command: sudo mcrypt test.out
gnupg
GnuPG can encrypt data and create digital signatures. This command creates a new file with the extension .gpg.
Command: sudo gpg -c test.out.nc
After all three encryptions the directory looks like this.
Command: ls (shows all files in the current directory)
Delete the original file and the intermediate files from the previous steps if they are no longer needed. In this sample we used three rm steps to delete all the previous files.
Command: rm filename
Decrypt the file starting from its last extension, using the gnupg, mcrypt and openssl commands in turn. To open one file we need to decrypt three times. Don't forget the password you used when encrypting the file.
11.2. Encrypt a folder or directory
In this screenshot the folder can still be accessed with the cd command.
To encrypt a folder or directory we need to install encfs:
Command: sudo apt-get install encfs
After installing encfs, select the folder and start encrypting it; a password is required. In this sample the folder testing2 is the target:
Command: sudo encfs ~/.testing1 ~/testing2
Checking whether we can still access the folder after encryption: the result is permission denied.
To access this folder again, unmount it with:
Command: fusermount -u ~/testing2
12. Disable the IPv6 protocol
To increase browsing speed and security you need to disable the IPv6 protocol, because on Linux it is enabled by default.
Command: sudo vi /etc/modprobe.d/aliases
Find the line "alias net-pf-10 ipv6" and replace it with "alias net-pf-10 off" and "alias ipv6 off", then save and close the file.
13. Log Files
You need to configure logging and auditing to collect all hacking and cracking attempts. By default syslog stores data in the /var/log/ directory. The logs are also needed to find any software misconfiguration.
Common Linux log file names and usage:
/var/log/messages : General message and system related stuff
/var/log/auth.log : Authentication logs
/var/log/kern.log : Kernel logs
/var/log/cron.log : Crond logs (cron job)
/var/log/maillog : Mail server logs
/var/log/qmail/ : Qmail log directory (more files inside this directory)
/var/log/httpd/ : Apache access and error logs directory
/var/log/lighttpd/ : Lighttpd access and error logs directory
/var/log/boot.log : System boot log
/var/log/mysqld.log : MySQL database server log file
/var/log/secure or /var/log/auth.log : Authentication log
/var/log/utmp or /var/log/wtmp : Login records file
/var/log/yum.log : Yum command log file.
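An added shell example (not from the assignment) of the kind of review the section above says the logs exist for: it summarises failed SSH logins in /var/log/auth.log by source address and counts accepted root logins, which 9.10 makes impossible once PermitRootLogin is no. The log lines it ships with are constructed (hostname, PIDs and addresses are made up).

```shell
# Added example, not part of the assignment: summarise sshd entries in an
# auth.log given as $1. Pass /var/log/auth.log on a live system (needs root).

# Print "count address" lines, most frequent first, for "Failed password"
# entries. The "from" token is located by position because the message
# differs for valid and invalid user names.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { src[$(i+1)]++; break }
        }
        END { for (a in src) print src[a], a }' "$1" | sort -rn
}

# Number of successful SSH logins as root; should be 0 after 9.10.
root_ssh_logins() {
    grep -c 'sshd\[[0-9]*\]: Accepted .* for root ' "$1" || true
}

# Constructed sample auth.log: one address hammering two accounts, one
# legitimate user login, and one root login that 9.10 should have blocked.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 metasploitable sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Mar  3 10:01:15 metasploitable sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Mar  3 10:01:20 metasploitable sshd[2203]: Failed password for root from 192.0.2.10 port 51130 ssh2
Mar  3 10:02:02 metasploitable sshd[2210]: Failed password for msfadmin from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:09 metasploitable sshd[2210]: Accepted password for msfadmin from 198.51.100.7 port 40022 ssh2
Mar  3 10:05:41 metasploitable sshd[2250]: Accepted password for root from 203.0.113.5 port 33001 ssh2
EOF
}
```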
13.1. Monitor Suspicious Log Messages with Logwatch
Install logwatch using "sudo apt-get install logwatch".
The configuration shouldn't be edited in the install directory (/usr/share/logwatch). Copy logwatch.conf to /etc/logwatch before editing:
Command: sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
Edit logwatch.conf to put in the e-mail where you want the report sent:
MailTo = [email protected]
14. Setting up AIDE (Advanced Intrusion Detection Environment)
AIDE provides software integrity checking and can detect that intrusions (modification of system binaries) have taken place. It is a replacement for the well-known Tripwire integrity checker.
Install AIDE using the following command:
Command: sudo apt-get install aide
The default configuration is acceptable for many environments.
/etc/aide/aide.conf and /etc/aide/aide.conf.d/ - Default AIDE configuration files
/var/lib/aide/aide.db - Default location for the AIDE database
/var/lib/aide/aide.db.new - Default location for a newly-created AIDE database
15. Limitations
Metasploitable 2 is based on Ubuntu 8.04 (Hardy).
GRUB is version 1.5.