LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-23-2017, 12:58 AM   #1
FedoraPete
LQ Newbie
 
Registered: Feb 2017
Posts: 19

Rep: Reputation: Disabled
Harden an Ubuntu 17.04 server


Hi Guys,

I'm really getting into Linux - whenever I have spare time I try to learn something new about the OS.
I've finally reached the stage where I feel somewhat confident to host a Linux server - this is more for learning purposes, but also providing some useful functionality to myself by also running Nextcloud.

So I recently created an Ubuntu 17.04 VM in Azure, running Nextcloud 11.

Question 1. How can I harden the security on this server?

I know little on this topic, and here is what I've done so far:
Azure
Open ports include HTTPS inbound and outbound, and ssh inbound.

UFW
I recently enabled Uncomplicated Firewall.
- IPv6 is enabled, ufw is supporting IPv6

Rules:
- sudo ufw default deny incoming
- sudo ufw default allow outgoing
- sudo ufw allow ssh
- sudo ufw allow https
(I would like to do this via IP tables, but I'm not there yet. I have a lot to read up on and learn.)

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)


Question 2. Can I do more to secure the server, i.e. a friend mentioned to use Snort? Any good guides to follow?

Question 3. I ran the server without ufw (firewall) enabled for 24 hours, should I be worried? Would the Azure rules have protected my server?

Thanks heaps for any advice. I'm really enjoying reading up on this topic and learning.
 
Old 05-23-2017, 09:10 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187
The first thing that I would do is to install OpenVPN, with certificates and tls-auth, and put sshd, in particular, behind it, with firewall rules making it impossible for that daemon to reach-out or to be-reached except through the tunnel.

Don't expose any "shell" to the outside world.

That's like leaving a terminal connected to your company's innermost network outside in the parking lot, with a big sign taped over it: "HACK ME!"

Obviously, such a terminal should be on the inside, such that you have to have a b-a-d-g-e to even reach it. And, that's exactly what OpenVPN does.

When deployed in this way, OpenVPN's presence cannot be detected, and it is impossible to enter unless you possess two(!) digital certificates – one of them being "one of a kind," with-or-without password encryption. Your certificate is individually issued to you and can be individually revoked.

Your computer will appear to have exactly one open port (TCP/IP socket): "HTTPS." (And you should periodically scan it to be sure that this is so.)

Quote:
Number of unauthorized access attempts: Z-e-r-o.
My LQ blog now contains several entries relating to this.

Last edited by sundialsvcs; 05-23-2017 at 09:16 AM.
 
Old 05-23-2017, 10:28 AM   #3
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237
Blog Entries: 2

Rep: Reputation: Disabled
I would download/use all this

Samhain (HIDS)
Psad+FWSnort (NIDS; considered a light-weight alternative to Snort)
AppArmor (mandatory access control)
OpenVPN
Suricata (supplemental security)
Fail2Ban (blocks unauthorized access attempts)
Linux Malware Detect
ClamAV
Elk-Stack
KeepassX
Duplicity (encrypted backups)
Chrootkit
Rkhunter
IPFire (a modular GRsecurity enhanced firewall distro)
OpenDNS
Firejail (application sandboxing)
Macchanger

Last edited by justmy2cents; 05-23-2017 at 10:36 AM.
 
Old 05-23-2017, 10:44 AM   #4
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 16,897
Blog Entries: 10

Rep: Reputation: 5026
The first thing that I would do would be to use an LTS version of Ubuntu.
https://wiki.ubuntu.com/Releases
 
Old 05-23-2017, 11:18 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
If it's anything like AWS...
I'm not sure enabling UFW on an Azure Server is even effective, or necessary.
 
Old 05-23-2017, 12:32 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187
"To my way of thinking," most of the preceding suggestions seem to presume that "that terminal (somehow) must remain out there in the parking lot, complete with that 'HACK ME!' sign!"

Think outside the box!

When you walk into the front-door of your employer's place of business, "what happens?" Is there really someone sitting there, demanding that each one of you must "say 'the magic word?'" ...?

"Hell N-O!" To get even one step beyond the front door, you must (swipe | scan | present): ... ... "your (one of a kind ...) b-a-d-g-e!!"

- - -

"Therefore, 'go and do likewise!!'"

OpenVPN allows you to "issue one-of-a-kind badges" to each-and-every person who should be permitted to access your systems.

Furthermore, it is able to conceal(!) itself from any potential supplicant who cannot pro-actively(!) demonstrate ... by their apparent possession of(!!) a tls-auth digital certificate ... that "they actually might be an authorized user."

Without that pro-active evidence, the OpenVPN server does not even deign to reply. It remains "anonymous." ... "Invisible!!"

Uh huh ... "hundreds of thousands of 'script kiddies,' worldwide ..." ... ... are screwed. So far as they can ever perceive, "there is nothing there(!)" ...

Last edited by sundialsvcs; 05-23-2017 at 12:35 PM.
 
Old 05-31-2017, 11:39 PM   #7
FedoraPete
LQ Newbie
 
Registered: Feb 2017
Posts: 19

Original Poster
Rep: Reputation: Disabled
Thanks guys for your advice - I have been evaluating each software mentioned above one by one, and installing when it meets my use case.

Also from what I've read here and elsewhere, it seems using a VPN is the most important must-have when running a server online. There should be a VPN on the front line.
There seems to be two approaches to implementing a VPN solution:

1. Use the cloud provided VPN.
E.g. in Azure it's called a Point-to-Site connection to a VNet
Unfortunately Azure VPN currently only allows Windows clients to connect. This is very limiting if your client is Linux, Android, Mac...
I will look into Amazon AWS or Google Cloud Platform.

2. DIY your own VPN solution
E.g. Spin up a linux VM in the cloud, install OpenVPN and run your own VPN server. Your other servers would be sitting behind this server.
A friend advised against this. Using linux (or any OS actually) to run VPN software has disadvantages. The OS would have vulnerabilities, and it would also have a large attack surface when compared to a dedicated VPN solution.

So I'm still reading up. Any thoughts on which way to go for a VPN solution? Am I incorrect somewhere or have I missed something?

Last edited by FedoraPete; 06-01-2017 at 05:49 AM. Reason: Made it easier to read and understand
 
Old 06-01-2017, 09:41 AM   #8
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
Originally Posted by FedoraPete View Post
Thanks guys for your advice - I have been evaluating each software mentioned above one by one, and installing when it meets my use case.

Also from what I've read here and elsewhere, it seems using a VPN is the most important must-have when running a server online. There should be a VPN on the front line.
There seems to be two approaches to implementing a VPN solution:

1. Use the cloud provided VPN.
E.g. in Azure it's called a Point-to-Site connection to a VNet
Unfortunately Azure VPN currently only allows Windows clients to connect. This is very limiting if your client is Linux, Android, Mac...
I will look into Amazon AWS or Google Cloud Platform.

2. DIY your own VPN solution
E.g. Spin up a linux VM in the cloud, install OpenVPN and run your own VPN server. Your other servers would be sitting behind this server.
A friend advised against this. Using linux (or any OS actually) to run VPN software has disadvantages. The OS would have vulnerabilities, and it would also have a large attack surface when compared to a dedicated VPN solution.

So I'm still reading up. Any thoughts on which way to go for a VPN solution? Am I incorrect somewhere or have I missed something?
Those dedicated VPN solutions you talk about are also running Linux, but they are just a more trimmed-down version of it. You can, if you like, make your own "trimmed down" version of Linux, which means you make it less capable (which reduces the attack surface) by having it contain only the drivers, software, etc. that you need and nothing else.

Last edited by justmy2cents; 06-01-2017 at 04:25 PM.
 
Old 06-01-2017, 11:27 PM   #9
mralk3
Senior Member
 
Registered: May 2015
Distribution: Slackware, OpenBSD
Posts: 1,551

Rep: Reputation: 869
Harden an Ubuntu 17.04 server

A tool I use for compliance is called "lynis". It is not an end all solution, but it's a great security audit tool, similar to rkhunter and chkrootkit. It gives you a great starting point for hardening your systems. It is configurable for different environments and security thresholds.
 
Old 06-08-2017, 12:45 AM   #10
FedoraPete
LQ Newbie
 
Registered: Feb 2017
Posts: 19

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by justmy2cents View Post
Those dedicated VPN solutions you talk about are also running Linux, but they are just a more trimmed-down version of it. You can, if you like, make your own "trimmed down" version of Linux, which means you make it less capable (which reduces the attack surface) by having it contain only the drivers, software, etc. that you need and nothing else.
Thanks. I've gone with an Ubuntu 17.04 VM running OpenVPN on Azure, with unattended security updates and reboots.
And applying most of the security tools and techniques mentioned in this thread, e.g. securing shared memory, preventing IP spoofing, AppArmor, UFW, ClamAV, 2 factor (Google) auth...
 
Old 06-08-2017, 12:45 AM   #11
FedoraPete
LQ Newbie
 
Registered: Feb 2017
Posts: 19

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by mralk3 View Post
A tool I use for compliance is called "lynis". It is not an end all solution, but it's a great security audit tool, similar to rkhunter and chkrootkit. It gives you a great starting point for hardening your systems. It is configurable for different environments and security thresholds.
I will check this tool out next, thanks!
 
Old 06-08-2017, 12:56 AM   #12
FedoraPete
LQ Newbie
 
Registered: Feb 2017
Posts: 19

Original Poster
Rep: Reputation: Disabled
I'm now running my VPN server (on Azure, an Ubuntu VM, running OpenVPN), should I be worried that the shell is exposed to the outside world via the SSH port?

I'm using SSH public/private key rather than username/password.

Also, the Azure and Ubuntu server firewall rules (which are the same) are: Allow UDP/1194, TCP/22

Last edited by FedoraPete; 06-08-2017 at 05:33 AM.
 
Old 06-08-2017, 07:16 AM   #13
mralk3
Senior Member
 
Registered: May 2015
Distribution: Slackware, OpenBSD
Posts: 1,551

Rep: Reputation: 869
Quote:
Originally Posted by FedoraPete View Post
I'm now running my VPN server (on Azure, an Ubuntu VM, running OpenVPN), should I be worried that the shell is exposed to the outside world via the SSH port?
The whole point of openvpn is so you can run services like openssh on the subnet provided by the vpn. Set openssh to listen on the gateway internal ip of your vpn service. You can have openvpn listen on both interfaces while you test the vpn connection and ssh works. Once you are certain you can connect without issue, turn off the public interface in the openssh config. To test if it works, connect to OpenVPN and then ssh into your box.

Be careful though, since you could get locked out of your server.

https://www.cyberciti.biz/tips/howto...p-address.html

Quote:

I'm using SSH public/private key rather than username/password.

Also, the Azure and Ubuntu server firewall rules (which are the same) are: Allow UDP/1194, TCP/22
You tell us if this is secure enough for you. If you are still receiving brute force attempts and other bot attacks, then this may not be the solution. Check your logs.
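Added example, not code from the thread or from any of the tools named in it: a small Python audit that parses the `ufw status verbose` listing FedoraPete posted in #1, reports which services the whole internet is allowed to reach (the "check your logs / is SSH exposed" question in #12), and renders the step order from mralk3's procedure in #13 for moving sshd behind the OpenVPN tunnel. The two sample listings, the 10.8.0.0/24 VPN subnet, and the assumption that the OpenVPN server holds the first host address (10.8.0.1) are constructed for this example and are not from the thread.

```python
import ipaddress
import re

# Constructed sample: the listing posted in #1, in ufw's column layout.
UFW_STATUS_BEFORE = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
"""

# Constructed sample of the same listing once SSH is admitted only from the
# VPN subnet and OpenVPN itself (UDP/1194) is the public entry point.
UFW_STATUS_AFTER = """\
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.8.0.0/24
443/tcp                    ALLOW IN    Anywhere
1194/udp                   ALLOW IN    Anywhere
443/tcp (v6)               ALLOW IN    Anywhere (v6)
1194/udp (v6)              ALLOW IN    Anywhere (v6)
"""

# One rule row: "<port>[/proto][ on <iface>][ (v6)]   <ACTION> [IN|OUT]   <source>"
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: on \S+)?(?: \(v6\))?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT))?\s+"
    r"(?P<src>.+?)\s*$"
)

SSH_NAMES = {"22", "22/tcp", "ssh", "OpenSSH"}  # labels ufw may give the SSH rule


def parse_rules(status_text):
    """Return the rule rows of a `ufw status verbose` listing as dicts.

    The "(v6)" marker is dropped so the IPv4 and IPv6 rule for one service
    compare equal; header and default-policy lines do not match and are skipped.
    """
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"to": m["to"].replace(" (v6)", ""),
                          "action": m["action"],
                          "src": m["src"].replace(" (v6)", "")})
    return rules


def exposed_services(status_text):
    """Services that any address on the internet is allowed to reach."""
    return sorted({r["to"] for r in parse_rules(status_text)
                   if r["action"] in ("ALLOW", "LIMIT") and r["src"] == "Anywhere"})


def ssh_open_to_internet(status_text):
    """True when some rule admits the whole internet to sshd."""
    return any(r["to"].split(" on ")[0] in SSH_NAMES
               for r in parse_rules(status_text)
               if r["action"] in ("ALLOW", "LIMIT") and r["src"] == "Anywhere")


def listen_address_inside_vpn(listen_addr, vpn_subnet):
    """Check that an sshd ListenAddress lies inside the VPN subnet."""
    return ipaddress.ip_address(listen_addr) in ipaddress.ip_network(vpn_subnet)


def ssh_behind_vpn_plan(vpn_subnet="10.8.0.0/24", vpn_port=1194):
    """Ordered commands for the procedure in #13.

    The public 22/tcp rule is deleted only after the login over the tunnel
    has been verified, which avoids the lock-out mralk3 warns about.
    Assumption (constructed): the OpenVPN server holds the first host address.
    """
    net = ipaddress.ip_network(vpn_subnet)
    gateway = next(net.hosts())
    return {
        "gateway": str(gateway),
        "steps": [
            f"sudo ufw allow {vpn_port}/udp",
            f"sudo ufw allow from {net} to {gateway} port 22 proto tcp",
            f"# connect to the VPN and confirm: ssh <user>@{gateway}",
            "sudo ufw delete allow ssh",
            f"echo 'ListenAddress {gateway}' | sudo tee -a /etc/ssh/sshd_config",
            "sudo systemctl restart ssh",
            "# confirm again over the tunnel, then re-audit: sudo ufw status verbose",
        ],
    }


if __name__ == "__main__":
    print("exposed before:", exposed_services(UFW_STATUS_BEFORE))
    print("exposed after: ", exposed_services(UFW_STATUS_AFTER))
    for step in ssh_behind_vpn_plan()["steps"]:
        print(step)
```

Two design notes on the plan. First, the ufw rule alone already keeps sshd unreachable from the internet; the `ListenAddress` line is a second, independent layer. Second, once sshd binds only to the tunnel address it can only start after the `tun` interface exists, so on a reboot where OpenVPN comes up late sshd fails to bind; either order the ssh unit after the openvpn unit or keep sshd on all addresses and rely on the firewall rule, which is why the example applies the rule first and the bind restriction last.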
 
Old 06-08-2017, 10:48 PM   #14
FedoraPete
LQ Newbie
 
Registered: Feb 2017
Posts: 19

Original Poster
Rep: Reputation: Disabled
I'm new to this, thanks.

mralk3 - thank you I now understand and have put the sshd behind the VPN.

sundialsvcs - thanks for your blog on Dwarvish Doors. Love it!
 