Tag Archives: secure

MySQL Server einfach einrichten

Um einen frischen MySQL-Server unter Linux ohne große stress einzurichten empfehle ich:
# mysql_secure_installation

Es kann damit das neue Root Password setzt werden und zugleich wird "test_db" entfernt. Wer will kannauch den Zugriff von extern ausschalten lassen. 🙂

Linux sicherer machen

Here you can find some stuff to make your Server more Secure.
Absolutely no warranty, use it at your own risk.

1.) Disable the Apache ServerSignature like this one

1
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8

Put only these lines in your httpd.conf

1
# Disable ServerInfoServerSignature OffServerTokens Prod

2.) Disable Debugging functions
An attacker may use this flaw to trick your legitimate web users to give him their credentials. Add the following lines for each virtual host in your configuration file to disable the Debugging

1
RewriteEngine onRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)RewriteRule .* - [F]

3.) Disable ProFTPD Banner
When you connect to your FTP-Server it looks like this

1
Verbindung mit 62.75.xx.xx wurde hergestellt.220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx]Benutzer (62.75.xx.xx:(none)):

Here can you see the ProFTPD Version -> 1.3.0 To Disable the Banner add, the following line to the proftpd.conf:

1
ServerIdent                    off

4.) Enable SSL in ProFTPD
For a secure File Transfer you can add SSL to your ProFTPD

Create a SSL Certificate:

1
openssl req -new -x509 -days 365 -nodes  -out /etc/proftpd/ssl.crt -keyout /etc/proftpd/ssl.key

Open your proftpd.conf to enable SSL

1
# vi /etc/proftpd/proftpd.conf

enable the last lines like this and set TLSEngine ‚on

1
## SSL via TLS#<IfModule mod_tls.c>TLSEngine                   onTLSLog                      /var/log/proftpd/ftp_ssl.logTLSProtocol                 SSLv23TLSOptions                  NoCertRequest TLSRSACertificateFile       /etc/proftpd/ssl.crt TLSRSACertificateKeyFile    /etc/proftpd/ssl.keyTLSVerifyClient             off </IfModule>

Restart proftpd to bring the effect:

1
# /etc/init.d/proftpd restart

5.) Change the SMTP-Banner
If you want to change this Postfix SMTP-Banner:

1
Connected to your-domain.tld.Escape character is '^]'.220 your-domain.tld. ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC2 OMEGA

Open your „/etc/postfix/main.cf“ and change the SMTP-Banner here to what you want

1
smtpd_banner = $myhostname ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC2 OMEGA

6. Install & Configure fail2ban
Fail2Ban automatic blocks an IP-Address after some failed Logins.
It works with Apache,SSH,FTP and Mail.

Install fail2ban per apt-get

1
# apt-get install fail2ban

After the installation you can configure fail2ban with these two configs under /etc/fail2ban/

1
/etc/fail2ban/fail2ban.conf/etc/fail2ban/jail.conf

Open your jail.conf to enable the blocks for some Services.

1
# vi /etc/fail2ban/jail.conf

Now you can enable or disable the Services you want to protect. By default SSH is enabled.

If you want to enable Apache,
change:

1
## HTTP servers#[apache]enabled = falseport    = httpfilter  = apache-authlogpath = /var/log/apache*/*access.logmaxretry = 6

to

1
## HTTP servers#[apache]enabled = trueport    = httpfilter  = apache-authlogpath = /var/log/apache*/*access.logmaxretry = 6

For FTP (proftpd)

1
[proftpd]enabled  = falseport     = ftpfilter   = proftpdlogpath  = /var/proftpd/proftp.logmaxretry = 6

change it to

1
[proftpd]enabled  = trueport     = ftpfilter   = proftpdlogpath  = /var/log/auth.logmaxretry = 3

You can change the maximal retry´s before ban with

1
maxretry = X

If you want to change the bantime,

1
bantime  = 600 (is set in seconds)

Warning: fail2ban use Firewall ruls to block the IP.
A ban is per default for 10 minutes active. After this time the IP is unblocked automatically.

The fail2ban Log is under

1
/var/log/fail2ban.log

7.) SSL for Mailservice (Courier)

First we need to install the courier-ssl packages.

1
# apt-get install courier-imap-ssl courier-pop-ssl

A default Certificate will be created during the installation. So we need to change them.

Open the /etc/courier/imapd.cnf

1
# vi /etc/courier/imapd.cnf

and change the attributes to your needs.
And then the same with /etc/courier/pop3d.cnf

1
# vi /etc/courier/pop3d.cnf

After these changes, first backup the old Certificate before we generate some new.

1
# cd /etc/courier/ && mv pop3d.pem pop3d.pem.orig && mv imapd.pem imapd.pem.orig

Now we can generate the new one:

1
# dpkg-reconfigure courier-pop-ssl && dpkg-reconfigure courier-imap-ssl

Done – your Mailservice is now ready for SSL.
Change your Client to use POP3-SSL on port 995 and IMAP-SSL on port 993

8.) Make SSH safer

Every Scriptkiddy checks your Server for a open Port 22 and test to login with the root account.
We will change these things to the good with an other Port and disable the root login via ssh.

First we need a user on the system for a later login. If there is already one, jump over to the next step. If not, create it:

1
# adduser new_username

Open your sshd_config to change the settings:

1
# vi /etc/ssh/sshd_config

Change the Port from

1
Port 22

to

1
Port 222

Change this line:

1
PermitRootLogin yes

to

1
PermitRootLogin no

Restart the SSH-Server

1
# /etc/init.d/ssh restart

Close your connection and connect again to your Server on Port 222 with your new Username.
To become root, only do a:

1
# su

9.) Prevent DOS-Attacks
To prevent simple Denial-of-Service attacks you can use the mod_evasive module. Download the actual version from http://www.zdziarski.com/projects/mod_evasive/ and unpack it. Make sure, that apache2-prefork-dev is installed.

1
# apt-get install apache2-prefork-dev# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz# tar -xzf mod_evasive_1.10.1.tar.gz# cd mod_evasive

Install it with Apache Extensions Module (apxs).

1
#  apxs2 -i -a -c mod_evasive20.c

The module will be built and installed into your httpd.conf.

Optionally you can change some specific directives in your /etc/apache2/apache2.conf file. Just add the following lines and change them to your needs.

1
<IfModule mod_evasive20.c>DOSHashTableSize    3097DOSPageCount        2DOSSiteCount        50DOSPageInterval     1DOSSiteInterval     1DOSBlockingPeriod   10</IfModule>

You can also add the following directives:

1
    DOSEmailNotify      you@yourdomain.comDOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"DOSLogDir           "/var/lock/mod_evasive"

After all, just restart your Apache to load the module.

1
# sudo /etc/init.d/apache2 restart

10.) Securing Open DNS server (BIND 9)After a clean install of a Debian server, dnsstuff.com reports the server as an open dns server(anyone can query the server about any domain => high load and high transfer). 2 steps for fixing this problem:

a. first edit /etc/bind/named.conf.options (or /etc/named/named.conf for other distros, options paragraph) and add:

1
recursion no;transfer-format many-answers; //this is for speed up the transfer to a secondary dns

b. we need to modify the template used by ISPCP to generate to zone files, on Debian this is /etc/ispcp/bind/parts/cfg_entry.tpl. The file after modification should looks like:

1
zone "{DMN_NAME}" {type    master;file    "{DB_DIR}/{DMN_NAME}.db";notify  YES;allow-query {any;};};

Restart BIND:

1
/etc/init.d/bind9 restart

You are done.