Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm really getting into Linux - whenever I have spare time I try to learn something new about the OS.
I've finally reached the stage where I feel somewhat confident to host a Linux server - this is more for learning purposes, but also to provide some useful functionality to myself by running Nextcloud.
So I recently created an Ubuntu 17.04 VM in Azure, running Nextcloud 11.
Question 1. How can I harden the security on this server?
I know little on this topic, and here is what I've done so far:

Azure
Open ports include HTTPS inbound and outbound, and ssh inbound.
UFW
I recently enabled Uncomplicated Firewall.
- IPv6 is enabled, ufw is supporting IPv6
Rules:
- sudo ufw default deny incoming
- sudo ufw default allow outgoing
- sudo ufw allow ssh
- sudo ufw allow https
(I would like to do this via IP tables, but I'm not there yet. I have a lot to read up on and learn.)
sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
Question 2. Can I do more to secure the server, e.g. a friend mentioned using Snort? Any good guides to follow?
Question 3. I ran the server without ufw (firewall) enabled for 24 hours, should I be worried? Would the Azure rules have protected my server?
Thanks heaps for any advice. I'm really enjoying reading up on this topic and learning.
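The poster says they would like to express the ufw ruleset above with iptables. The following script is an added example (not part of the original post) that writes that same policy out as raw iptables and ip6tables commands, including the rules ufw adds silently: loopback, established/related conntrack, ICMPv6 neighbour discovery (without which IPv6 simply stops working) and rate-limited logging. It only prints the commands unless APPLY=1 is set; the ordering (accept rules before the DROP policy) is deliberate so that applying it over an SSH session does not cut that session off.

```shell
#!/bin/sh
# Added example: the ufw ruleset from the post as raw iptables/ip6tables.
# Dry-run by default (prints the commands). APPLY=1 executes them as root.
# Assumed: a kernel with conntrack; only the INPUT chain is filtered.

APPLY="${APPLY:-0}"
ALLOW_TCP="22 443"      # same as "ufw allow ssh" and "ufw allow https"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

build_rules() {
    for cmd in iptables ip6tables; do
        run "$cmd" -F INPUT
        run "$cmd" -F FORWARD
        # Loopback and already-established flows come first: without the
        # conntrack rule the SSH session applying this would be dropped.
        run "$cmd" -A INPUT -i lo -j ACCEPT
        run "$cmd" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        run "$cmd" -A INPUT -m conntrack --ctstate INVALID -j DROP
        for port in $ALLOW_TCP; do
            run "$cmd" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        done
        if [ "$cmd" = iptables ]; then
            run "$cmd" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
        else
            # IPv6 does not function without these ICMPv6 types
            for t in neighbour-solicitation neighbour-advertisement \
                     router-advertisement echo-request packet-too-big; do
                run "$cmd" -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
            done
        fi
        # Rate-limited log of what falls through, like ufw "Logging: on (low)"
        run "$cmd" -A INPUT -m limit --limit 3/min -j LOG --log-prefix "[BLOCK] "
        # Policies last, so nothing is dropped before the accept rules exist
        run "$cmd" -P INPUT DROP        # ufw default deny incoming
        run "$cmd" -P FORWARD DROP      # ufw "routed" disabled
        run "$cmd" -P OUTPUT ACCEPT     # ufw default allow outgoing
    done
}

# Number of rules that open a TCP port (2 ports x 2 address families = 4).
count_open_port_rules() {
    build_rules | grep -c -- '--dport '
}

if [ "${1:-}" = "show" ]; then
    build_rules
fi
```

Run `sh rules.sh show` to see the generated commands. Rules applied this way are lost at reboot unless saved (the iptables-persistent package does that on Ubuntu); ufw already manages all of this for you, and its own versions of these hidden rules can be read in /etc/ufw/before.rules and /etc/ufw/before6.rules.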
The first thing that I would do is to install OpenVPN, with certificates and tls-auth, and put sshd, in particular, behind it, with firewall rules making it impossible for that daemon to reach out or to be reached except through the tunnel.
Don't expose any "shell" to the outside world.
That's like leaving a terminal connected to your company's innermost network outside in the parking lot, with a big sign taped over it: "HACK ME!"
Obviously, such a terminal should be on the inside, such that you have to have a b-a-d-g-e to even reach it. And, that's exactly what OpenVPN does.
When deployed in this way, OpenVPN's presence cannot be detected, and it is impossible to enter unless you possess two(!) digital certificates – one of them being "one of a kind," with-or-without password encryption. Your certificate is individually issued to you and can be individually revoked.
Your computer will appear to have exactly one open port (TCP/IP socket): "HTTPS." (And you should periodically scan it to be sure that this is so.)
Quote:
Number of unauthorized access attempts: Z-e-r-o.
My LQ blog now contains several entries relating to this.
Last edited by sundialsvcs; 05-23-2017 at 09:16 AM.
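The server-side pieces of the setup described in the post above, as an added example (not the poster's own configuration): an OpenVPN server.conf using tls-auth, and the ufw rules that leave only UDP/1194 and HTTPS reachable from the internet while port 22 is accepted only on the tunnel interface. With tls-auth the server discards packets that do not carry a valid HMAC without sending any reply, which is the property the post calls "invisible". Assumptions: an easy-rsa PKI has already produced ca.crt, server.crt, server.key and dh.pem in /etc/openvpn/server, the VPN subnet is 10.8.0.0/24, the tunnel interface is tun0, and ufw is in use as in the thread. Nothing is written or applied unless the script is run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example: OpenVPN with tls-auth, sshd reachable only through the tunnel.
# Assumed paths, subnet and interface name; adjust to your own layout.

OVPN_DIR="${OVPN_DIR:-/etc/openvpn/server}"
VPN_NET="10.8.0.0"
VPN_MASK="255.255.255.0"

# The tls-auth key is a shared secret on top of the certificate handshake.
# The server copies it with direction 0, every client gets direction 1.
gen_ta_key() {
    openvpn --genkey --secret "$OVPN_DIR/ta.key"
}

# server.conf on stdout
write_server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
tls-version-min 1.2
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
server $VPN_NET $VPN_MASK
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Public side sees 1194/udp and 443/tcp; 22/tcp is accepted on tun0 only.
# The last line removes the "ufw allow ssh" rule from the original post.
firewall_rules() {
    cat <<EOF
ufw allow 1194/udp
ufw allow 443/tcp
ufw allow in on tun0 to any port 22 proto tcp
ufw delete allow ssh
EOF
}

if [ "${1:-}" = "apply" ]; then
    gen_ta_key
    write_server_conf > "$OVPN_DIR/server.conf"
    firewall_rules | while read -r line; do
        $line
    done
fi
```

Only run the `apply` step while you still have a working way in: once `ufw delete allow ssh` executes, SSH is reachable solely from a connected VPN client. Each client needs its own certificate plus a copy of ta.key with `tls-auth ta.key 1`. Afterwards, from outside, `nmap -Pn -p 22,443 <server>` should report 22 as filtered and 443 as open, which is the periodic check the post recommends.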
"To my way of thinking," most of the preceding suggestions seem to presume that "that terminal (somehow) must remain out there in the parking lot, complete with that 'HACK ME!' sign!"
Think outside the box!
When you walk into the front-door of your employer's place of business, "what happens?" Is there really someone sitting there, demanding that each one of you must "say 'the magic word?'" ...?
"Hell N-O!" To get even one step beyond the front door, you must (swipe | scan | present): ... ... "your(one of a kind ...)b-a-d-g-e!!"
- - -
"Therefore, 'go and do likewise!!'"
OpenVPN allows you to "issue one-of-a-kind badges" to each-and-every person who should be permitted to access your systems.
Furthermore, it is able to conceal(!) itself from any potential supplicant who cannot pro-actively(!) demonstrate ... by their apparent possession of(!!) a tls-auth digital certificate ... that "they actually might be an authorized user."
Without that pro-active evidence, the OpenVPN server does not even deign to reply. It remains "anonymous." ... "Invisible!!"
Uh huh ... "hundreds of thousands of 'script kiddies,' worldwide ..." ... ... are screwed. So far as they can ever perceive, "there is nothing there(!)" ...
Last edited by sundialsvcs; 05-23-2017 at 12:35 PM.
Thanks guys for your advice - I have been evaluating each software mentioned above one by one, and installing when it meets my use case.
Also from what I've read here and elsewhere, it seems using a VPN is the most important must-have when running a server online. There should be a VPN on the front line.
There seems to be two approaches to implementing a VPN solution:
1. Use the cloud provided VPN.
E.g. in Azure it's called a Point-to-Site connection to a VNet
Unfortunately Azure VPN currently only allows Windows clients to connect. This is very limiting if your client is Linux, Android, Mac...
I will look into Amazon AWS or Google Cloud Platform.
2. DIY your own VPN solution
E.g. Spin up a linux VM in the cloud, install OpenVPN and run your own VPN server. Your other servers would be sitting behind this server.
A friend advised against this. Using linux (or any OS actually) to run VPN software has disadvantages. The OS would have vulnerabilities, and it would also have a large attack surface when compared to a dedicated VPN solution.
So I'm still reading up. Any thoughts on which way to go for a VPN solution? Am I incorrect somewhere or have I missed something?
Last edited by FedoraPete; 06-01-2017 at 05:49 AM.
Reason: Made it easier to read and understand
Those dedicated VPN solutions you talk about are also running Linux, but they are just a more trimmed-down version of it. You can, if you like, make your own "trimmed-down" version of Linux, which means you make it less capable (which reduces the attack surface) by having it only contain the drivers, software, etc. that you need and nothing else.
Last edited by justmy2cents; 06-01-2017 at 04:25 PM.
A tool I use for compliance is called "lynis". It is not an end all solution, but it's a great security audit tool, similar to rkhunter and chkrootkit. It gives you a great starting point for hardening your systems. It is configurable for different environments and security thresholds.
Thanks. I've gone with an Ubuntu 17.04 running OpenVPN on Azure. With unattended security updates, reboots.
And applying most of the security tools and techniques mentioned in this thread, e.g. securing shared memory, preventing IP spoofing, AppArmor, UFW, ClamAV, 2 factor (Google) auth...
I'm now running my VPN server (on Azure, an Ubuntu VM, running OpenVPN), should I be worried that the shell is exposed to the outside world via the SSH port?
I'm using SSH public/private key rather than username/password.
Also, the Azure and Ubuntu server firewall rules (which are the same) are: Allow UDP/1194, TCP/22
Last edited by FedoraPete; 06-08-2017 at 05:33 AM.
The whole point of openvpn is so you can run services like openssh on the subnet provided by the vpn. Set openssh to listen on the gateway internal ip of your vpn service. You can have openvpn listen on both interfaces while you test the vpn connection and ssh works. Once you are certain you can connect without issue, turn off the public interface in the openssh config. To test if it works, connect to OpenVPN and then ssh into your box.
Be careful though, since you could get locked out of your server.
You tell us if this is secure enough for you. If you are still receiving brute force attempts and other bot attacks, then this may not be the solution. Check your logs.
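The switch-over described in the reply above (bind sshd to the VPN gateway address, test, then drop the public address, without locking yourself out) followed by the "check your logs" step, as an added example that is not part of the original posts. Assumptions: the OpenVPN `server 10.8.0.0 255.255.255.0` directive gives the server 10.8.0.1 on tun0, the config file is /etc/ssh/sshd_config, the Ubuntu service name is `ssh`, and the log lines at the bottom are constructed for a stand-alone run rather than real data.

```shell
#!/bin/sh
# Added example: rebind sshd to the VPN gateway safely, then count the
# failed logins per source so the log check is a number, not a scroll.

SSHD_CONF="${SSHD_CONF:-/etc/ssh/sshd_config}"
VPN_GW="${VPN_GW:-10.8.0.1}"

# Rewrite sshd_config text (stdin -> stdout): drop every ListenAddress and add
# one per argument. Pass "10.8.0.1 0.0.0.0" while testing, "10.8.0.1" alone
# once a login over the VPN has been confirmed to work.
set_listen_address() {
    awk -v addrs="$*" '
        /^[ \t]*ListenAddress[ \t]/ { next }
        { print }
        END {
            n = split(addrs, a, " ")
            for (i = 1; i <= n; i++) print "ListenAddress " a[i]
        }'
}

# Install a new config but arm a rollback: if nobody cancels it within
# 5 minutes (because the VPN login failed), the old file is restored and
# sshd restarted. nohup keeps the timer alive if this session is the one
# that drops. Cancel with: kill "$ROLLBACK_PID"
install_with_rollback() {
    new="$1"
    sshd -t -f "$new" || { echo "rejected by sshd -t, nothing changed" >&2; return 1; }
    cp "$SSHD_CONF" "$SSHD_CONF.bak"
    cp "$new" "$SSHD_CONF"
    nohup sh -c "sleep 300 && cp '$SSHD_CONF.bak' '$SSHD_CONF' && systemctl restart ssh" \
        >/dev/null 2>&1 &
    ROLLBACK_PID=$!
    echo "rollback armed as pid $ROLLBACK_PID; kill it once the VPN login works" >&2
    systemctl restart ssh
}

# Failed SSH logins per source address, most frequent first, from auth.log
# lines on stdin. IPv4 only; an accepted publickey login is not counted.
count_ssh_failures() {
    awk '
        /sshd\[[0-9]+\]: (Failed|Invalid user|Connection closed by authenticating user)/ {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i; break }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample log lines (not real data) for a stand-alone run.
SAMPLE_LOG='Jun  8 05:01:02 vpn sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jun  8 05:01:05 vpn sshd[1203]: Invalid user oracle from 203.0.113.9 port 51240
Jun  8 05:02:10 vpn sshd[1210]: Connection closed by authenticating user root 198.51.100.7 port 40022 [preauth]
Jun  8 05:03:44 vpn sshd[1222]: Accepted publickey for pete from 10.8.0.6 port 53344 ssh2: ED25519 SHA256:xyz'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_ssh_failures
fi
```

Typical use on the server: `set_listen_address "$VPN_GW" 0.0.0.0 < /etc/ssh/sshd_config > /tmp/sshd_config.new`, then `install_with_rollback /tmp/sshd_config.new`, connect to the VPN from another terminal and `ssh 10.8.0.1`; if that works, kill the rollback timer and repeat with `set_listen_address "$VPN_GW"` alone. On a live box feed the real log in with `count_ssh_failures < /var/log/auth.log`; once 22/tcp is no longer reachable from the public address, every source in that list should be a VPN client address.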