ShareWiz Ultra Secure Server Setup
Introduction
This document describes the process of installing an Ultra Secure Ubuntu Server.
The information provided is biased towards the Ubuntu Trusty Tahr (Ubuntu 14.04 LTS) Server version, but should work with other versions too - perhaps with a few tweaks.
Additional steps should then be taken to harden the server to ensure compatibility with PCI-DSS Compliance standards.
Ubuntu server is well designed, regularly updated and relatively secure. The Ubuntu Security Team manifests an ongoing effort to keep Ubuntu secure. Regular security updates are available and easy to implement.
By default, Ubuntu Servers are secured as follows:
- No open ports
- Role-based administration
- No X server
- Security updates
- Kernel and compiler hardening
Securing Ubuntu is not very different from securing any other system; In order to do it properly, you must first decide what you intend to do with it. After this, you will have to consider that the following tasks need to be taken care of if you want a really secure system.
The tasks can also be thought of as:
- Decide which services you need and limit your system to those. This includes deactivating / uninstalling unneeded services, and adding firewall-like filters, or tcpwrappers.
- Limit users and permissions in your system
- Harden offered services so that, in the event of a service compromise, the impact to your system is minimized
- Use appropriate tools to guarantee that unauthorized use is detected so that you can take appropriate measures
The Basic Security Tenet
The Basic Security Tenet is:
- Deny all except than which is specifically permitted
Hardening is a process which aims at securing a system; absolute security is impossible to reach but reducing the surface attack and reaching an equilibrium between security and cost (where with cost we refer to implementation, maintenance and usability costs) is possible.
Hardening a server means, at the practical level, reducing as much as possible the attack surface, and monitoring what is exposed to detect intrusion.
Hardening a system is much easier if you start from a minimalistic system and then add only the needed services. Hardening a complex system is possible but has a higher cost and is much more complicated, since it is easy to forget some (apparently) harmfulness piece of software somewhere in the machine. Even with modern packet managers, handling installed packages isn't an easy task.
Security requirements
To achieve a state of security:
- Identify the assets you want to protect
- Identify the risks to those assets
- Identify who & how assets are accessed
- Establish checks and balances
- Develop an enforceable security policies
- Use a layered approach
- Plan for disasters
- Get managements sign-off
Security Objectives
The system will include: system analysis, changing settings for additional hardening against attack, installing a firewall maintenance system, scanning for rootkits, and offering a regular maintenance regimen.
- Change settings for increased security
- Implement firewall settings using ufw or iptables
- Use denyhosts or fail2ban to automatically blacklist attackers
- Scan the system for vulnerabilities with tiger
- Detect attempted intrusions with psad
- Install nmap and hping3 to scan the system for open ports
- Check the system for rootkits with chkrootkit and rkhunter
- Monitor logs with logwatch
Requirements
To install such a system you will need the following:
The Ubuntu 14.04 LTS server CD, available here:
- //releases.ubuntu.com/releases/14.04/ubuntu-14.04-server-i386.iso (i386)
- //releases.ubuntu.com/releases/14.04/ubuntu-14.04-server-amd64.iso (x86_64)
A hard disk with a minimum of 20G capacity.
A fast Internet connection.
A server with at least two ethernet cards.
Note that these instructions can still be used if the server only has a single network card. Notes will indicate where minor changes needs to be made to accomodate this.
Having only a single network card will result in a slightly weaker system, but it should still be very secure, so not a major concern.
Decisions to Make
Items in RED should be changed to meet your requirements.
Decide on settings for the Administrator:
| Item | Details | Comments |
|---|---|---|
| Admin ID | administrator | This is the username of the primary administrator. |
| Admin Password | adminpass | Recommended to use a strong password. |
| Admin Group | admin | This is the group that all administrators will belong to. |
IMPORTANT: Do not use the user name admin for the Admin ID as it is a reserved name on Ubuntu 12.04.
Decide on settings for the Server
| Item | Details |
|---|---|
| Server name | server1 |
| Domain | sharewiz.net |
| Hostname | server1.sharewiz.net |
Decide on settings for the External Network (WAN), the one connected to the internet
| Item | Details |
|---|---|
| Interface | eth0 |
| IP Address | 192.168.0.11 |
| IP Subnet Mask | 255.255.255.0 |
| Broadcast | 192.168.0.255 |
| Network | 192.168.0.0 |
| Gateway | 192.168.0.1 |
The IP Address, Subnet Mask and Gateway will probably be provided by your ISP if you have a static IP Address.
If the IP address is returned by your router's DHCP server, then use those settings instead.
Decide on settings for the Internal Network (LAN)
| Item | Details |
|---|---|
| Interface | eth1 |
| IP Address | 192.168.1.1 |
| IP Subnet Mask | 255.255.255.0 |
| Broadcast | 192.168.1.255 |
| Network | 192.168.1.0 |
IMPORTANT: If the system only has one network card, then use eth0:0 as the Interface in place of the eth1 throughout this document unless specifically indicated otherwise.
Do not include a Gateway option onto the internal interface. With it in there, and being the 2nd default gateway that gets configured, it will likely replace or override the 1st gateway on eth0 when the system is initialized, and that path won't work through the router.
Decide on the External NameServers (WAN), the ones connected to the internet
| DNS Server | IP Address |
|---|---|
| External DNS Server1 | 8.8.8.8 |
| External DNS Server2 | 8.8.4.4 |
8.8.8.8 and 8.8.4.4 are Google's DNS servers. If you wish to use your ISP's DNS servers, use them here instead of Googles servers.
208.67.222.222 and 208.67.220.220 could also be used. They are the OpenDNS DNS servers.
Decide on the Internal NameServers (LAN), the ones connected to the internal network
| DNS Server | IP Address |
|---|---|
| Internal DNS Server1 | 192.168.1.201 |
| Internal DNS Server2 | 192.168.1.202 |
Multiple DNS servers are recommended to support if one goes down.
Decide on the following Network Bonding / Network Teaming settings (Optional)
These settings are only required if a network bonding / network teaming will also be used.
| Item | Details |
|---|---|
| bond-mode | active-backup |
| bond-miimon | 100 |
| bond-downdelay | 200 |
| bond-updelay | 200 |
| bond-primaries | eth0 eth2 |
Network bonding allows multiple network interface cards (NICS) to appear to be the same physical device and also to have the same MAC address. Linux uses a special kernel module called bonding to allow users to bond multiple network interfaces into a single channel.
Bonding effectively aggregates the bandwidth of multiple interfaces into a single connection.
Bonding is used primarily to provide network load balancing and fault tolerance; and is also a way to increase available bandwidth.
Network Bonding may also be called Network Teaming or occasionally Port Trunking.
The bond-primaries should include all interfaces connected to the WAN.
In order to use network bonding with this setup, at least 3 network interface cards need to exist. 2 to connect to the WAN, and at least 1 to the LAN.
Note that you cannot bond the WAN (eth0) and LAN (eth1).
Decide on the following Optional settings
These settings are only required if specific applications are installed.
| Item | Details | Comments |
|---|---|---|
| Primary Domain Controller | pdc.sharewiz.net | If using a Domain Controller this will point to the primary DC. |
| Secondary Domain Controller | sdc.sharewiz.net | If using a Domain Controller this will point to the secondary DC. |
| HTTP Proxy Server | http://192.168.5.6:3128 | If a proxy server is used for HTTP. |
| NTP Server IP Address | 192.168.5.6 | If using a NTP server to get standard date/time for the system. |
| Remote Email Server | 192.168.5.25 | If using a remote server to deliver emails. |
| Admin Email Address | admin@sharewiz.net | Email address of the System Administrator. |
| MySQL Root Password | mysqlrootpass | If using MySQL or Maria SQL. |
| Windows Share ID | windowsid | The ID to use to access the Windows share. |
| Windows Share Password | windowspass | The password to access the Windows Share. |
Decide on the Hard Drive partitions
Use a design that allows for dynamic growth and fine-tuning.
This prevents volumes becoming completely full, which is a definate no!
The Logical Volume Manager (LVM) is used, which lets you add disks, replace disks, copy and share contents from one disk to another without disrupting service (hot swapping).
The following volume will remain outside the LVM.
| Volume | File System | Size | Comments |
|---|---|---|---|
| /boot | /boot | 256 MB | boot volume - This will remain static in size. It is also the only space residing outside the Logical Volume Manager (LVM) |
The following volume will be within the LVM.
| Logical Volume | File System | Size | Comments |
|---|---|---|---|
| /dev/vg01/swap | swap | 4 GB | swap volume - Set to twice the amount of memory in the system. This should remain static in size, however, if the amount of RAM is adjusted, this should be adjusted as well. |
| /dev/vg01/root | / | 2 GB | root volume - Operating system and everything else which should remain fairly static. |
| /dev/vg01/usr | /usr | 2 GB | usr volume - Contains by far the largest share of data in the system. |
| /dev/vg01/var | /var | 2 GB | var volume - This is the database/log storage area and will continue to grow over time. |
| /dev/vg01/tmp | /tmp | 2 GB | tmp volume - This location will be used for temporary storage. Adjust size as required. |
| /dev/vg01/srv | /srv | 0.5 GB | srv volume - This will contain the files stored in the Samba share. |
| /dev/vg01/opt | /opt | 0.5 GB | opt volume - This location is occasionally used for specific software. |
| /dev/vg01/home | /home | 0.5 GB | home volume - This is where personal user files will be stored. |
| /dev/vg01/backup | /backup | 4 GB | backup volume - This will contain a local backup of any databases and other important data, so space needs to be around double /var. |
| /dev/vg01/sharewiz | /sharewiz | 0.5 GB | sharewiz volume - This will contain scripts used to administor the system, and should remain fairly static. |
Even though the above sizes will fill most of a 20GB hard drive, it it recommended to still use the same sizes even if you have a far bigger drive.
The system will auto grow the necessary partitions as required.
The exception to this is for the /var partition, which could be made much bigger if you know for instance that a large database will be installed into it.
If you do increase the size of the /var partition then remember to also increase the size of the /backup partition accordingly.
See Disk Security for further information.