
  Security utility For Linux server


Introduction

  This guide will show you how to secure a server and, in doing so, introduce you to the basics of computer security. Why does it matter? By definition, a server is open to the world, so a minimum of security is needed to withstand even the most simplistic attacks.

  The procedure will be as follows: presentation of flaws.

Filter traffic through the firewall

  Presentation

  The firewall is the indispensable element for securing a server. It filters all traffic, allowing only the exchanges permitted by the administrator. Without a correctly configured firewall, all traffic passes more or less freely (that is, an attacker can do what he wants in your home), and this kind of flaw is detectable by simply scanning the ports.

  However, the Linux kernel already provides the user with a firewall,

Declaration of rules

  Complete filtering

  Note that the command iptables -L -v will allow you to view the current rules.

  1. Let's create the script:

  With the -m and --state parameters, we tell the firewall not to close connections that are already established.

  5. We allow the loopback (we will not block ourselves!)

  Note: lo means localhost (the server itself).

  Everything is blocked, we just have to open the ports used.

  without specifying the -A argument ... but given our strict policy, this would be an error, because there are chains other than INPUT and OUTPUT on which we do not want to allow traffic (FORWARD, for example).

  All you have to do is specify all the necessary rules. Here is a small table to help you (these are the default values):

  service      protocol   listening port
  ssh          tcp        22
  Web/HTTP     tcp        80
  FTP          tcp        20 and 21
  Mail/SMTP    tcp        25

Starting the firewall

  Finally, we will launch our firewall:

  It is important to load this script when the machine starts up so that a

  Example of script

Advanced configuration

  Flood or denial of service

  This kind of attack aims to overload the machine with requests. It is possible to guard against it quite directly at the firewall level: TCP SYN flags mark connection requests, and the purpose of this rule is to limit them to one per second (the limit fields).

  Banning an IP

  If you find a suspicious IP address in the logs or elsewhere, you can ban it easily at the firewall with the command:
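  Putting the steps of the previous section together with the SYN limit and the ban command described here, as an added example (the guide's own script is not reproduced on this page, so this is not the author's code): the port list follows the table above, and IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the guide's own script: the firewall described in the
# steps above, plus the SYN limit and the ban command from this section.
# Set IPT=echo to print the rules for review instead of applying them
# (applying them requires root).
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"               # adjust if sshd listens elsewhere
OPEN_TCP_PORTS="$SSH_PORT 80 20 21 25"   # ssh, http, ftp, smtp (table above)

firewall_rules() {
    # 1. Flush all rules and remove user chains, so the script is idempotent.
    $IPT -F
    $IPT -X
    # 2. Default policy: drop whatever no rule explicitly accepts. FORWARD is
    #    dropped too; this machine is a server, not a router.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # 3. Never cut connections that are already established (or related).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Loopback: lo is the server talking to itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Anti-flood: every connection request (SYN) first goes through SYN_FLOOD.
    # Up to 1/s (burst 5) RETURNs to INPUT and reaches the port rules below;
    # the excess is dropped. The limit is global and also slows honest clients.
    $IPT -N SYN_FLOOD
    $IPT -A INPUT -p tcp --syn -j SYN_FLOOD
    $IPT -A SYN_FLOOD -m limit --limit 1/s --limit-burst 5 -j RETURN
    $IPT -A SYN_FLOOD -j DROP
    # 5. Open only the ports that are actually listening.
    for port in $OPEN_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # Outgoing DNS and SMTP, so the server can resolve names and mail alerts.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT
}

# Ban one address seen in the logs; -I inserts it ahead of the other rules.
ban_ip() {
    $IPT -I INPUT -s "$1" -j DROP
}

case "${1:-}" in
    apply)   firewall_rules ;;              # sh firewall.sh apply  (as root)
    dry-run) IPT=echo; firewall_rules ;;    # sh firewall.sh dry-run
esac
```

  Run the dry-run first and read the printed rules; a mistake in a DROP-by-default policy on a remote machine locks you out of it.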

Preventing intrusions

  Currently, the firewall blocks any connection attempt on the closed ports. But what about the open ports? To control more precisely what is going on, the firewall is not sufficient, and we will have to use other tools, called IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). These two categories of software will, as their names suggest, monitor any intrusion attempts on the server.

Portsentry (port scan)

  This utility can block in real time most known port scans (even very discreet ones that escape the filtering rules of the basic firewall). I recall in passing that scanning ports means testing all the ports of a machine to determine which ones are open (the entry gates, so to speak). However, do not panic if your server is the target of a simple port scan: this will be common, and if you are well protected, the attacker will go on his way.

  Portsentry is therefore handy if you want to complicate the attacker's task. If you want your settings to persist after portsentry is restarted, you will need to modify the portsentry.ignore.static file.

Fail2ban (brute-force, dictionary, denial of service)

  As I said, the open ports on the machine are a priori without much protection and are subject to simple attacks such as brute-force or dictionary login attempts (for example, trying every password combination to log into ssh), denial of service (overloading the server with requests) or, more foolishly, searching for users without passwords... If your machine can be infiltrated so easily, the attacker will be really pleased. Note that in the JAILS section (in nano: ctrl w => search JAILS) you will see all the services that fail2ban will monitor. If you have changed the default ports, you must specify them here too. For example, with ssh:

  Save and exit.

Snort (intrusion detection)

  The problem when you start securing a machine is knowing when to stop. Snort is a very powerful tool that can detect most attacks that would escape a utility like fail2ban. Of course, it will not be useful in 90% of cases, and as it is only a detection tool, it will be up to you to take the necessary measures if it detects an intrusion. Finally, since it analyzes traffic in real time, it necessarily slows the flow a little. Its installation is therefore not essential; it depends on the degree of security sought!

Monitor logs

  Most of the software mentioned above will send you email notifications in the event of an alert. However, monitoring logs is important because they reflect the "life" of your server. The most interesting logs are:

  /var/log/auth.log, which contains all attempts to access the server. It may be useful to filter its content, for example: cat /var/log/auth.log | grep
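  One way to make that filtering routine, as an added example that is not from the guide: the function below counts failed ssh password attempts per source address in auth.log and reports the addresses at or above a threshold. The log lines are constructed in the classic syslog format OpenSSH writes; the file path and threshold are parameters.

```shell
#!/bin/sh
# Added example (not from the guide): summarise failed ssh logins in auth.log
# per source address, so repeat offenders stand out at a glance.
failed_logins_by_ip() {   # $1 = auth.log path, $2 = minimum failures to report
    grep 'sshd\[[0-9]*\]: Failed password' "$1" |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |   # keep only the source IP
    sort | uniq -c | sort -rn |                     # count, busiest first
    awk -v min="$2" '$1 >= min { printf "%s %d\n", $2, $1 }'
}

# Constructed sample mimicking /var/log/auth.log (not a real capture).
SAMPLE_LOG="${TMPDIR:-/tmp}/auth.log.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Mar  3 10:00:02 srv sshd[2103]: Failed password for root from 198.51.100.7 port 50124 ssh2
Mar  3 10:00:03 srv sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 50126 ssh2
Mar  3 10:01:10 srv sshd[2110]: Accepted publickey for alice from 203.0.113.5 port 40001 ssh2
Mar  3 10:02:00 srv sshd[2120]: Failed password for alice from 203.0.113.5 port 40003 ssh2
Mar  3 10:02:30 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/iptables -L -v
EOF

# Three failures from one address, a single typo from alice's own address.
failed_logins_by_ip "$SAMPLE_LOG" 3   # prints: 198.51.100.7 3
```

  On a real server, replace the sample path with /var/log/auth.log; an address that keeps appearing here is a candidate for the ban command from the firewall section.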

Testing server security

  It is well known that the simplest way to test the security of a server is to put yourself in the shoes of an attacker. Without going that far, there are nonetheless some interesting tools to determine whether there is a big flaw or not.

Port Scanner

  nmap is the best port scanning tool: it attempts to open connections on a large number of ports on your machine to determine whether they are open or not.

  As it is our server, it is best to perform the most incisive (and
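  As an added example (not from the guide), one way to use such a scan defensively: compare nmap's grepable output for our own server with the ports we deliberately opened in the firewall table, and flag everything else. The scan output below is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the guide): flag TCP ports that a scan of our own
# server reports open but that we never intended to expose. Input is nmap's
# grepable output (nmap -p- -oG scan.gnmap <our-server>); the sample below is
# constructed, not a real scan.
unexpected_open_ports() {   # $1 = grepable nmap output file, $2 = allowed ports
    found=""
    for p in $(grep -o '[0-9][0-9]*/open/tcp' "$1" | cut -d/ -f1 | sort -n | uniq); do
        case " $2 " in
            *" $p "*) ;;                  # intended, listed in the firewall table
            *) found="$found $p" ;;
        esac
    done
    echo "${found# }"
    [ -z "$found" ]                       # status 0 when nothing unexpected
}

SAMPLE_SCAN="${TMPDIR:-/tmp}/nmap.sample.$$"
cat > "$SAMPLE_SCAN" <<'EOF'
# Nmap scan (constructed sample) as: nmap -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 3306/open/tcp//mysql///  Ignored State: filtered (65531)
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned
EOF

# Ports we opened on purpose (ssh, http, ftp, smtp); 3306 is the surprise.
unexpected_open_ports "$SAMPLE_SCAN" "22 80 20 21 25" ||
    echo "unexpected listener(s) above: close the service or the port"
```

  Scan from a second machine rather than from the server itself, otherwise the loopback rules, not the real INPUT policy, decide what you see.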