hsmiranda/server_hardening.md

## server_hardening.md

      
    Raw
  

              server_hardening.md
            
          
    Debian 8 Hardening


Update root's mail recipient. Open /etc/aliases replacing administrator@example.tld with an administrator's email address. This is where logs will be emailed.
root:     administrator@example.tld


Update the the default umask to 027. Edit the file /etc/init.d/rc and change the following setting:
umask 027


Install Cracklib for stronger passwords
sudo apt-get -y install libpam-cracklib


Update login definitions. Open the file /etc/login.defs in your favourite editor and change the settings below:
umask 027
PASS_MAX_DAYS 90
PASS_MIN_DAYS 2
PASS_WARN_AGE 7


Update password rules (optional). Edit the file /etc/pam.d/common-password - Password rules


Install Fail2bban


sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


Setup fail2ban. Open the file /etc/fail2ban/jail.local and make the following changes

[ssh-ddos]
enabled  = true


Restart Fail2ban

sudo service fail2ban restart


Edit the network configuration. Open the file /etc/sysctl.conf and make the following changes.  Lynis info

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
kernel.kptr_restrict = 2
kernel.core_uses_pid = 1
net.ipv4.conf.all.rp_filter = 1


Reboot server inout of memory condition (optional)

vm.panic_on_oom = 1
kernel.panic = 10


Reload the network configuration

sudo sysctl --system


Install systat
sudo apt-get -y install sysstat


Enable systat. Open the file /etc/default/sysstat
set ENABLED=”true”


Update the systat cronjob. Open the file /etc/cron.d/sysstat and change cron job to every 2 minutes
# Activity reports every 10 minutes everyday
*/2 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1


Restart systat
sudo service sysstat restart


Install and enable process accounting
sudo apt-get -y install acct
sudo service acct start


Install and start the Logwatch service
sudo apt-get -y install logwatch
sudo mkdir /var/cache/logwatch
sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
sudo cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/


Install Evasive Apache modules to secure against DDOS attacks
sudo apt-get -y install libapache2-mod-evasive
sudo mkdir -p /var/log/apache2/evasive
sudo chown -R www-data:root /var/log/apache2/evasive


Update the settings for the Evasive module. Open /etc/apache2/mods-available/evasive.conf
DOSHashTableSize        2048
DOSPageCount            20      # maximum number of requests for the same page
DOSSiteCount            300     # total number of requests for any object by the same client IP on the same listener
DOSPageInterval         1.0     # interval for the page count threshold
DOSSiteInterval         1.0     # interval for the site count threshold
DOSBlockingPeriod       10.0    # time that a client IP will be blocked for
DOSLogDir               /var/log/apache2/evasive
DOSEmailNotify          info@example.com


Install Auditd
sudo apt-get -y install auditd audispd-plugins


Update the auditd rules in /etc/audit/audit.rules. Add the following rules:
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

## Failure Mode
## Possible values are 0 (silent), 1 (printk, print a failure message),
## and 2 (panic, halt the system).
-f 1

## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
-w /var/log/audit/ -k auditlog

## Auditd configuration
## modifications to audit configuration that occur while the audit
## collection functions are operating.
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

## special files
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles

## Mount operations
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount

## changes to the time
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time

## Use stunnel
-w /usr/sbin/stunnel -p x -k stunnel

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron

## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd

## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification

#Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

## library search paths
-w /etc/ld.so.conf -p wa -k libpath

## local time zone
-w /etc/localtime -p wa -k localtime

## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl

## modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe

## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa  -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail

## ssh configuration
-w /etc/ssh/sshd_config -k sshd

## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname

## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

## this was to noisy currently.
# log all commands executed by an effective id of 0 aka root.
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

## Capture all failures to access on critical elements
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess

## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc

## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power

## Make the configuration immutable
-e 2


Purge old package configuration files
dpkg --list |grep "^rc" | cut -d " " -f 3 | xargs sudo dpkg --purge


Install & run Lynis
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 91CA5D5F
sudo bash -c 'echo "deb [arch=amd64] http://packages.cisofy.com/community/lynis/deb/ jessie main" > /etc/apt/sources.list.d/cisofy-lynis.list'
sudo apt install apt-transport-https
sudo apt update
sudo apt install lynis
sudo lynis audit system --quick --upload
sudo mkdir /var/log/lynis


Add a cronjob for Lynis. Add the following to /etc/cron.daily/lynis
#!/bin/sh

AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

cd /usr/local/lynis
lynis audit system --auditor "${AUDITOR}" --upload --cronjob > ${REPORT}
mv /var/log/lynis-report.dat ${DATA}

# The End


Make the cronjob executable
sudo chmod +x /etc/cron.daily/lynis


Install Tripwire (optional), answering yes to all the questions and ensuring the use of a strong password for both the site key and local key. Instructions here
sudo apt-get -y install tripwire


Initialise the Tripwire database. You will be prompted for the site passphrase you configured earlier
sudo twadmin --create-polfile /etc/tripwire/twpol.txt


Run Tripwire
sudo tripwire --check --interactive