Linux is still a mystery to most Windows and Mac OS users. But to those who have taken the time to use and understand Linux, they have experienced one of the most enjoyable operating systems out there. Often finding themselves never wanting to return to their former operating systems. While the operating system of Linux is generally the same, there are a variety of different versions of Linux like CentOS, CoreOS, Debian, Fedora, FreeBSD, OpenBSD, RedHat, and Ubuntu. Each of these versions has pros and cons and their own fan bases.
This article will not get into any of them specifically, rather it will discuss securing your server and focus on Ubuntu.
Since Linux is an open-source software, the source code is available for anyone and everyone to see. Making it less prone to viruses and malware. With a technology-based community of software developers, and designers, Linux comes with daily updates and upgrades, to patch bugs and vulnerabilities in the source code. With the minds and eyes constantly in the source code, Linux is generally considered the best and safest operating system. Linux distributions are all generally free, with some specialized possibly being distributed for a small fee, usually on disc.
Microsoft Windows and Mac OS X come with some of the top paid programmers in the world but Linux is a global community of volunteers who want the best and continue making the best. Hence the reason for so many versions of Linux as well as sub versions, like Arch, Bodhi, Elementary, Kubuntu, Mandriva, Mint, openSUSE, and NixOS. What makes each version different often ranges from what they are focused on.
Some Linux versions focus more on security, while others focus more on speed and performance. Others might be more specialized in processing scientific formulas or mathematical equations.
When it comes to security, however, all Linux distributions are primarily concerned with ensuring their security and sustainability and often come with a decent to large-sized community to continue supporting these operating systems. Thus, automatically, if you did nothing with your Linux install, you would likely be fine. However, there are still other things you can do to strengthen the security of your Linux server.
If you are using a service like RunCloud on your server, than you may have noticed it too, has its own security measures in place, for additional protection. RunCloud automatically closes and blocks every unused port from external access. In addition, a well-known program known as Fail2Ban is installed which usually blocks most hacking and unwanted attempts to your server. FirewallD, a dynamically managed firewall with support for network/firewall zones, and is included by default on multiple other Linux distributions, is also installed on the Ubuntu Linux server. A wonderful thing about using the RunCloud service is that it logs banned IP addresses within the dashboard, making it easy to unban false positives, as well as your own IP address, which is sometimes a problem, if your server bans you, which can and does happen.
With the understanding that Linux OS itself is secure and the RunCloud services adds even more security to the server, we can now understand some of the manual things that can be done to optimally secure your Linux server. This is an extensive, but not exhaustive list of all the things we will be doing to secure the server. To apply these, you will need SSH access.
WARNING: RunCloud support cannot help you with any of these steps and you acknowledge that you proceed at your own risk. All of these scripts are safe to install. RunCloud must be installed first.
1. Install RunCloud Software
After launching an instance, before you install anything, you must open up ports 22/tcp (SSH), 80/tcp (HTTP), 443/tcp (HTTPS), and 34210/tcp (RunCloud Communication Port). Paste the code RunCloud gives you into the desired SSH location and sit back while the software installs.
2. Install UFW Firewall
Although RunCloud installs its own firewall, it will not hurt to install additional security by installing the Uncomplicated Firewall, or UFW Firewall. This firewall is strictly command line, so enabling or disabling ports need to be entered via SSH.
Here are the commands that should be entered:
sudo apt-get install ufw
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow 443
sudo ufw allow 34210
sudo ufw enable
We are telling the firewall to allow ports 22, 443, 80, and 34210 which are required by RunCloud.
3. Secure Shared Memory
Log into this file by typing in:
sudo vi /etc/fstab
Add this line:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
After you’ve added the line, you will need to reboot the server.
Finally, test to ensure it is secure by entering in:
sudo mount -a
Shared Memory is mounted as read/write by default. When memory is shared between applications, it is vulnerable and can easily be exploited by using the write command. The code above will ensure it is read-only and ensure that other applications cannot write or overwrite to memory that other applications are using.
4. Prevent Source Routing of Incoming Packets
Enter in code:
sudo vi /etc/sysctl.conf
You may add or un-comment the following lines:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
To get these to actually work, you will need to reload the changes by typing:
sudo sysctl -p
In a nutshell, we adjusted some settings for a better flow of incoming and outgoing traffic.
5. Prevent IP Spoofing
IP Spoofing is the creation of Internet Protocol packets with a false source IP address, for the purpose of impersonating another computing system.
Type in this command:
sudo vi /etc/host.conf
Add or edit these lines:
6. Install ModSecurity and Dependencies
sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
sudo apt-get install libapache2-mod-security2
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
After this is done, we need to activate the rules.
sudo vi /etc/modsecurity/modsecurity.conf
Add this line:
Edit the following lines to:
Download and install the latest OWASP (Open Web Application Security Project) Core Rule Set.
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/
sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo rm -R SpiderLabs-owasp-modsecurity-crs-*
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
Next is a bit of a lengthy process, but we need to create symbiotic links to activate all these rules.
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done
Next we need to update Apache2 to understand the new rules, but first, we will make everything align with RunCloud.
mv /etc/apache2/mods-available /etc/apache2-rc/mods-available
rm -rf /etc/apache2
sudo vi /etc/apache2-rc/mods-available/mod-security.conf
Add this line:
We are getting there, but there are just a few more steps! We need to check if what we did is actually working. You first need to ensure you have set a ServerName.
Add this line:
Next run the following command:
httpd -M | grep sec
If no error occurs, than you did everything just fine and ModSecurity is loaded.
6. Install ModEvasive and Dependencies
This will add additional protection agaisnt DDoS attacks.
Type in the following command and hit Y if asked.
sudo apt-get install libapache2-mod-evasive
sudo mkdir /var/log/mod_evasive
sudo vi /etc/apache2-rc/mods-available/mod-evasive.conf
Add this code:
Finally, run this command to restart Apache2.
systemctl restart apache2-rc
7. Install DenyHosts
If you left RunCloud alone with just Fail2Ban, you would be just fine. Fail2Ban will do its job and ban IP addresses and other hosts that attempt to brute-force or attack your server. However, an underestimated, but powerful software program that compliments Fail2Ban is DenyHosts.
sudo apt-get install denyhosts
DenyHosts will automatically do its job.
8. PSAD Intrusion Detection
sudo apt-get install psad
sudo vi /etc/psad/psad.conf
Add the following:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG
Next we will update and reload PSAD.
9. Checking For Rootkits
There are two software programs here that basically do the same thing, but check for a variety of different signatures. A rootkit is a set of tools that hide the presence of an attacker. These programs will expose them to you. Running the last command may take up to 5 minutes depending on your system.
sudo apt-get install rkhunter chkrootkit
sudo rkhunter --propupd
sudo rkhunter --check
10. Scanning For Open Ports
NMap is security auditing software that scans open ports. The only ports that should be in use are 22/tcp (SSH), 80/tcp (HTTP), 81/tcp, 443/tcp (HTTPS), and 34210/tcp (RunCloud Communication Port), and 3306 (sql) if you have installed a database.
sudo apt-get install nmap
nmap -v -sT localhost
sudo nmap -v -sS localhost
11. Log Watch
If you like to receive daily updates about your server beyond the scope of RunCloud services, you will want to install this useful utility which will provide you with an account of brute force attempts and login attempts on your server.
sudo apt-get install logwatch libdate-manip-perl
To view your logs:
sudo logwatch | less
To email your logs. You can change the date between when logs are sent to you, which below, is set to one week between reports, in HTML format.
sudo logwatch --mailto firstname.lastname@example.org --output mail --format html --range 'between -7 days and today'
12. Install AppArmor
AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor’s security model is to bind access control attributes to programs rather than to users.
sudo apt-get install apparmor apparmor-profiles
Tiger is a security tool that can be used as a security audit and intrusion detection system.
sudo apt-get install tiger
sudo less /var/log/tiger/security.report.*
Running Tiger will take several minutes for the security audit to complete.
We are nearly complete with our complete security audit of the Linux server. The remaining items will require the RunCloud dashboard.
14. Generate and Add SSH Keys
The way to generate and add SSH keys can be found within the RunCloud documentation.
15. Create A Superuser — that is not Root
You will want to create a superuser with the same privelages as root, but is not root, followed by checking off Passwordless Login in the settings, and finally, you will want to Prevent Root Login which can also be found in the settings.
16. Use Hard-To-Guess Passwords
RunCloud itself has a very powerful password generator that lets you choose from 5 to 60 characters. When you go to the Database section, choose Add New Database User and click on Generate Password. You can leave it on the default, which is 32 characters, or you can go more or less. It is highly recommended that your password is at least 16 characters long.
Utilizing this powerful password tool provided by RunCloud for your RunCloud login, your WordPress login, any other CMS you use, your database password, along with anything else you can think of will guarantee the absolute hardened security of your server. Using the RunCloud password generator will guarantee that your password will take a computer working everyday, 24/7, without rest, a few million years just to crack the password.
While every step listed above will help toughen the security of your server, a weak password is like providing a hacker with the key to open the front door, so ensure that your passwords are not written down in a public email and you store it in a safe place.
The steps involved in this article were carefully chosen and tested with a new RunCloud installation. Installing or using any other tools to secure your server may risk breaking the RunCloud installation and you do so at your own risk. RunCloud support cannot help you. It is highly advised that you follow all of these steps on a new installation, and not currently on an existing server, unless you feel comfortable, or have made several backups of your existing data.
RunCloud nor the author of this blog post can be held responsible for any data loss that may occur, even if you have followed all the steps above.