Basic security for web servers (Linux Ubuntu)

July 28, 2020 | by iaur | posted as LAMP, WordPress

Firewall

# rate-limit how many times a client may connect

@root

sudo apt-get update
# refresh the package index; open (poke) the holes you need before enabling the firewall

sudo apt-get install ufw
# install the firewall

sudo ufw limit 22/tcp
# rate-limit ssh: ufw denies an IP that opens 6 or more connections within 30 seconds

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# allow the web ports

sudo ufw enable
# enable the firewall

sudo ufw status
# verify the firewall status
[screenshot: terminal output of `sudo apt install ufw` (ufw is already the newest version) and `sudo ufw status` showing Status: active, with 22/tcp LIMIT, 80/tcp ALLOW, 443/tcp ALLOW and the same three rules for (v6), all from Anywhere]
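A check for the rule set this section builds, added here as an example (not from the original post): it parses `sudo ufw status` output and flags an inactive firewall, a missing LIMIT on ssh, or any allowed port beyond 80 and 443. The sample status text is constructed from the post's screenshot.

```shell
# Added example, not from the original post: verify `sudo ufw status` output
# against the rule set this section builds. SAMPLE_UFW_STATUS is constructed
# from the post's screenshot; on a host: check_ufw_hardening "$(sudo ufw status)"
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# ufw_rules STATUS_TEXT -> one "port action" line per rule, v4 and v6 alike
ufw_rules() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+(\/[a-z]+)?$/ { a = ($2 == "(v6)") ? $3 : $2; print $1, a }'
}

# ufw_rule_action STATUS_TEXT PORT -> the first action recorded for PORT, or "none"
ufw_rule_action() {
    action=$(ufw_rules "$1" | awk -v port="$2" '$1 == port { print $2; exit }')
    printf '%s\n' "${action:-none}"
}

# check_ufw_hardening STATUS_TEXT -> 0 when the firewall is active, ssh is
# rate-limited and nothing but the web ports is allowed; otherwise prints each
# finding and returns 1
check_ufw_hardening() {
    status="$1"; rc=0
    printf '%s\n' "$status" | grep -q '^Status: active' || { echo "firewall is not active"; rc=1; }
    [ "$(ufw_rule_action "$status" 22/tcp)" = LIMIT ] || { echo "22/tcp should be LIMIT (rate-limited ssh)"; rc=1; }
    for p in 80/tcp 443/tcp; do
        [ "$(ufw_rule_action "$status" "$p")" = ALLOW ] || { echo "$p should be ALLOW"; rc=1; }
    done
    # any other open port is a hole this section did not intend
    extra=$(ufw_rules "$status" | awk '$2 == "ALLOW" && $1 != "80/tcp" && $1 != "443/tcp" { print $1 }' | sort -u)
    [ -z "$extra" ] || { echo "unexpected ALLOW rules: $(echo $extra)"; rc=1; }
    return $rc
}
```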

Global Blocks

sudo ufw default deny incoming
# deny all incoming traffic except what the rules above allow (ssh/80/443)

sudo ufw default allow outgoing
# allow all outgoing traffic

sudo ufw reload
# reload the firewall after changing rules
[screenshot: `sudo ufw default deny incoming` prints "Default incoming policy changed to 'deny' (be sure to update your rules accordingly)", `sudo ufw default allow outgoing` prints "Default outgoing policy changed to 'allow' (be sure to update your rules accordingly)", followed by `sudo ufw reload`]

Disabling password auth of ssh

# this disables every other ssh auth method, so make sure key-based login already works and back up your private key (id_rsa)

# you can use https://anonpaste.org/

# or generate another key from another machine before advancing

@root

sudo nano /etc/ssh/sshd_config

# modify the lines below
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no

sudo systemctl restart sshd
# reloads sshd_config

Prevent IP Spoof

Updated:

Outdated:

  • Since GCP already prevents IP spoofing at the CSP level this is deemed unnecessary, but it is still good practice
  • Updated versions of LAMP have this feature in some iteration

@root

# the useful scenario is banning an IP address: you don't want that bad actor to use another (spoofed) IP to get into your web server

sudo nano /etc/host.conf

# note these are system files, so be cautious
# change the order and mirror the lines below

order bind,hosts
nospoof on

[screenshot: /etc/host.conf open in nano; the stock file's comment notes that the "order" line is only used by old versions of the C library]

Install Fail2Ban

@root

# scans service logs for malicious request patterns (e.g. brute-force logins, DDoS attempts) and bans the source IP

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban

[screenshot: `sudo apt install fail2ban` reports fail2ban is already the newest version (0.10.2-2); after enable and start, `sudo systemctl status fail2ban` shows fail2ban.service loaded and enabled, active (running) since Sat 2020-07-25 UTC, main PID fail2ban-server]
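What fail2ban's sshd jail actually does, reproduced as an added example (this is not fail2ban's code): count "Failed password" lines per source IP in constructed /var/log/auth.log lines and name the IPs that reach maxretry failures inside findtime seconds, fail2ban's defaults being 5 and 600. The real daemon then inserts the ban rule into the firewall itself.

```shell
# Added example, not fail2ban's own code: the detection rule behind the sshd
# jail, run over constructed auth.log lines (same-day timestamps assumed).
SAMPLE_AUTH_LOG='Jul 25 10:15:01 wordpress sshd[2981]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 25 10:15:03 wordpress sshd[2983]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jul 25 10:15:04 wordpress sshd[2985]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jul 25 10:15:06 wordpress sshd[2987]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jul 25 10:15:09 wordpress sshd[2989]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Jul 25 10:20:11 wordpress sshd[2991]: Accepted publickey for bernie from 198.51.100.20 port 40001 ssh2
Jul 25 10:21:30 wordpress sshd[2993]: Failed password for bernie from 198.51.100.20 port 40002 ssh2
Jul 25 10:40:00 wordpress sshd[2995]: Failed password for bernie from 198.51.100.20 port 40003 ssh2
Jul 25 11:30:00 wordpress sshd[2997]: Failed password for root from 192.0.2.9 port 60000 ssh2
Jul 25 11:30:01 wordpress sshd[2998]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jul 25 11:30:02 wordpress sshd[2999]: Failed password for root from 192.0.2.9 port 60002 ssh2'

# ips_to_ban LOG_TEXT [MAXRETRY] [FINDTIME_SECONDS] -> prints each source IP that
# produced MAXRETRY "Failed password" lines within a FINDTIME-second window
ips_to_ban() {
    printf '%s\n' "$1" | awk -v maxretry="${2:-5}" -v findtime="${3:-600}" '
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            # open a fresh window when the current one is older than findtime
            if (!(ip in first) || now - first[ip] > findtime) { first[ip] = now; count[ip] = 0 }
            count[ip]++
            if (count[ip] == maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}
```

On a host, `sudo fail2ban-client status sshd` lists the IPs the real jail has banned; this function is only a way to see the rule applied to sample lines.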

Enable security features via sysctl.conf

@root

sudo nano /etc/sysctl.conf

# uncomment the following lines

net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# do not accept ICMP redirects: prevents "Man in the Middle" (MITM) attacks

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# do not send ICMP redirects or accept source-routed packets; only a router should handle those (you are a web server!)

net.ipv4.conf.all.log_martians = 1
# log Martian packets (packets whose source address cannot be valid on the interface they arrived on)
 
[screenshot: /etc/sysctl.conf open in GNU nano 2.9.3, showing the stock "Additional settings" block: the commented-out accept_redirects, secure_redirects, send_redirects and accept_source_route lines with the comments "Do not accept ICMP redirects (prevent MITM attacks)" and "(we are not a router)"]

sudo sysctl -p
# apply the settings from sysctl.conf and print each one as it is applied
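An audit for the two files edited on this page, /etc/ssh/sshd_config (the "Disabling password auth of ssh" section) and /etc/sysctl.conf (this section), added here as an example and not part of the original post. Both are "key value" / "key = value" text with # comments, but they differ in one way worth checking for: sshd uses the first occurrence of a key, while sysctl -p applies lines in order so the last one wins. The sample files are constructed; the helper names are this example's own.

```shell
# Added example, not from the original post. config_value FILE KEY first|last
# prints the effective value of KEY in a "key value" or "key = value" file,
# skipping comments; "first" mirrors sshd_config, "last" mirrors sysctl -p.
config_value() {
    awk -v key="$2" -v mode="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { line = $0; sub(/#.*/, "", line); sub(/=/, " ", line)   # tolerate "k = v" and "k v"
          split(line, f, /[[:space:]]+/); i = (f[1] == "") ? 2 : 1
          if (tolower(f[i]) == tolower(key)) { val = f[i+1]; if (mode == "first") exit } }
        END { if (val == "") val = "unset"; print val }' "$1"
}

# audit_file FILE first|last "key=expected ..." -> prints one line per mismatch, returns 1 if any
audit_file() {
    rc=0
    for pair in $3; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(config_value "$1" "$key" "$2")
        [ "$got" = "$want" ] || { echo "$1: $key is $got, expected $want"; rc=1; }
    done
    return $rc
}

SSHD_EXPECTED='ChallengeResponseAuthentication=no PasswordAuthentication=no UsePAM=no PermitRootLogin=no'
SYSCTL_EXPECTED='net.ipv4.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.all.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv4.conf.all.log_martians=1'

# Constructed sample files standing in for the real ones (UsePAM left at the
# stock Ubuntu value "yes", and the IPv4 accept_redirects line still commented
# out, so both audits report a finding). On a host:
#   audit_file /etc/ssh/sshd_config first "$SSHD_EXPECTED"
#   audit_file /etc/sysctl.conf last "$SYSCTL_EXPECTED"
sample_sshd=$(mktemp); sample_sysctl=$(mktemp)
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'PermitRootLogin no' 'UsePAM yes' > "$sample_sshd"
printf '%s\n' '#net.ipv4.conf.all.accept_redirects = 0' 'net.ipv6.conf.all.accept_redirects = 0' \
    'net.ipv4.conf.all.send_redirects = 0' 'net.ipv4.conf.all.accept_source_route = 0' \
    'net.ipv6.conf.all.accept_source_route = 0' 'net.ipv4.conf.all.log_martians = 1' > "$sample_sysctl"
```

After editing the real sshd_config, `sudo sshd -t` validates the file before `systemctl restart sshd`, so a typo cannot leave you locked out of the server.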