ShareWiz Ultra Secure Server Setup

Introduction

This document describes the process of installing an Ultra Secure Ubuntu Server.

The information provided is biased towards the Ubuntu Trusty Tahr (Ubuntu 14.04 LTS) Server version, but should work with other versions too - perhaps with a few tweaks.

Additional steps should then be taken to harden the server to ensure compatibility with PCI-DSS Compliance standards.

Ubuntu Server is well designed, regularly updated and relatively secure. The Ubuntu Security Team maintains an ongoing effort to keep Ubuntu secure. Regular security updates are available and easy to implement.

By default, Ubuntu Servers are secured as follows:

  • No open ports
  • Role-based administration
  • No X server
  • Security updates
  • Kernel and compiler hardening

Securing Ubuntu is not very different from securing any other system; in order to do it properly, you must first decide what you intend to do with it. After this, the tasks below need to be taken care of if you want a really secure system.

The tasks can be thought of as:

  • Decide which services you need and limit your system to those. This includes deactivating / uninstalling unneeded services, and adding firewall-like filters, or tcpwrappers.
  • Limit users and permissions in your system
  • Harden offered services so that, in the event of a service compromise, the impact to your system is minimized
  • Use appropriate tools to guarantee that unauthorized use is detected so that you can take appropriate measures

The Basic Security Tenet

The Basic Security Tenet is:

  • Deny all except that which is specifically permitted

Hardening is a process which aims at securing a system. Absolute security is impossible to reach, but reducing the attack surface and reaching an equilibrium between security and cost (where cost refers to implementation, maintenance and usability costs) is possible.

Hardening a server means, at the practical level, reducing as much as possible the attack surface, and monitoring what is exposed to detect intrusion.

Hardening a system is much easier if you start from a minimalistic system and then add only the needed services. Hardening a complex system is possible but has a higher cost and is much more complicated, since it is easy to forget some (apparently) harmless piece of software somewhere in the machine. Even with modern package managers, handling installed packages isn't an easy task.

Security requirements

To achieve a state of security:

  • Identify the assets you want to protect
  • Identify the risks to those assets
  • Identify who & how assets are accessed
  • Establish checks and balances
  • Develop enforceable security policies
  • Use a layered approach
  • Plan for disasters
  • Get management's sign-off

Security Objectives

The system will include: system analysis, changing settings for additional hardening against attack, installing a firewall maintenance system, scanning for rootkits, and offering a regular maintenance regimen.

  • Change settings for increased security
  • Implement firewall settings using ufw or iptables
  • Use denyhosts or fail2ban to automatically blacklist attackers
  • Scan the system for vulnerabilities with tiger
  • Detect attempted intrusions with psad
  • Install nmap and hping3 to scan the system for open ports
  • Check the system for rootkits with chkrootkit and rkhunter
  • Monitor logs with logwatch

Requirements

To install such a system you will need the following:

The Ubuntu 14.04 LTS server CD, available here:

A hard disk with a minimum of 20G capacity.

A fast Internet connection.

A server with at least two ethernet cards.

Note that these instructions can still be used if the server only has a single network card. Notes will indicate where minor changes need to be made to accommodate this.

Having only a single network card will result in a slightly weaker system, but it should still be very secure, so not a major concern.

Decisions to Make

Items in RED should be changed to meet your requirements.

Decide on settings for the Administrator:

| Item | Details | Comments |
|---|---|---|
| Admin ID | administrator | This is the username of the primary administrator. |
| Admin Password | adminpass | Recommended to use a strong password. |
| Admin Group | admin | This is the group that all administrators will belong to. |

IMPORTANT: Do not use the user name admin for the Admin ID as it is a reserved name on Ubuntu 12.04.

Decide on settings for the Server

| Item | Details |
|---|---|
| Server name | server1 |
| Domain | sharewiz.net |
| Hostname | server1.sharewiz.net |

Decide on settings for the External Network (WAN), the one connected to the internet

| Item | Details |
|---|---|
| Interface | eth0 |
| IP Address | 192.168.0.11 |
| IP Subnet Mask | 255.255.255.0 |
| Broadcast | 192.168.0.255 |
| Network | 192.168.0.0 |
| Gateway | 192.168.0.1 |

The IP Address, Subnet Mask and Gateway will probably be provided by your ISP if you have a static IP Address.

If the IP address is returned by your router's DHCP server, then use those settings instead.

Decide on settings for the Internal Network (LAN)

| Item | Details |
|---|---|
| Interface | eth1 |
| IP Address | 192.168.1.1 |
| IP Subnet Mask | 255.255.255.0 |
| Broadcast | 192.168.1.255 |
| Network | 192.168.1.0 |

IMPORTANT: If the system only has one network card, then use eth0:0 as the Interface in place of eth1 throughout this document unless specifically indicated otherwise.

Do not include a Gateway option on the internal interface. If one is present, it becomes the second default gateway to be configured and will likely replace or override the first gateway on eth0 when the system is initialized, and that path won't work through the router.
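
The gateway rule above can be checked mechanically before the interfaces are brought up. The script below is an added example, not part of the original guide: the function names, the sample file and the 192.168.1.254 address are constructed for illustration, and it assumes the ifupdown /etc/network/interfaces format used by Ubuntu 14.04.

```shell
#!/bin/sh
# Added example: flag default gateways declared on the wrong interface in an
# ifupdown-style interfaces file.

# Print the name of every iface stanza that contains a "gateway" option.
# Commented-out lines are skipped because their first field is not "gateway".
gateway_ifaces() {
    awk '
        $1 == "iface" { cur = $2; next }
        $1 == "auto" || $1 ~ /^allow-/ || $1 == "mapping" || $1 == "source" { cur = "" }
        $1 == "gateway" && cur != "" { print cur }
    ' "$1"
}

# Return 0 only when WAN ($2) is the sole interface with a gateway in FILE ($1).
check_gateways() {
    cg_rc=0; cg_seen=no
    for cg_if in $(gateway_ifaces "$1"); do
        if [ "$cg_if" = "$2" ]; then
            cg_seen=yes
        else
            echo "gateway set on $cg_if; only $2 should have one" >&2
            cg_rc=1
        fi
    done
    [ "$cg_seen" = yes ] || { echo "no gateway on $2" >&2; cg_rc=1; }
    return "$cg_rc"
}

# Constructed sample built from the WAN/LAN values on this page; "bad" adds a
# made-up gateway (192.168.1.254) to the internal interface.
sample_interfaces() {
    cat <<'EOF'
auto eth0
iface eth0 inet static
    address 192.168.0.11
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 8.8.8.8 8.8.4.4

auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
EOF
    if [ "$1" = "bad" ]; then echo "    gateway 192.168.1.254"; fi
}

tmp=$(mktemp); sample_interfaces bad > "$tmp"
if check_gateways "$tmp" eth0; then echo "interfaces OK"; else echo "fix before ifup"; fi
rm -f "$tmp"
```

On a single-card system, pass the same file and keep eth0 as the WAN name; an eth0:0 stanza carrying a gateway is reported in the same way.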

Decide on the External NameServers (WAN), the ones connected to the internet

| DNS Server | IP Address |
|---|---|
| External DNS Server1 | 8.8.8.8 |
| External DNS Server2 | 8.8.4.4 |

8.8.8.8 and 8.8.4.4 are Google's DNS servers. If you wish to use your ISP's DNS servers, use them here instead of Google's servers.

208.67.222.222 and 208.67.220.220 could also be used. They are the OpenDNS DNS servers.

Decide on the Internal NameServers (LAN), the ones connected to the internal network

| DNS Server | IP Address |
|---|---|
| Internal DNS Server1 | 192.168.1.201 |
| Internal DNS Server2 | 192.168.1.202 |

Multiple DNS servers are recommended so that name resolution continues if one goes down.

Decide on the following Network Bonding / Network Teaming settings (Optional)

These settings are only required if network bonding / network teaming will also be used.

| Item | Details |
|---|---|
| bond-mode | active-backup |
| bond-miimon | 100 |
| bond-downdelay | 200 |
| bond-updelay | 200 |
| bond-primaries | eth0 eth2 |

Network bonding allows multiple network interface cards (NICs) to appear to be the same physical device and also to have the same MAC address. Linux uses a special kernel module called bonding to allow users to bond multiple network interfaces into a single channel.

Bonding effectively aggregates the bandwidth of multiple interfaces into a single connection.

Bonding is used primarily to provide network load balancing and fault tolerance; and is also a way to increase available bandwidth.

Network Bonding may also be called Network Teaming or occasionally Port Trunking.

The bond-primaries should include all interfaces connected to the WAN.

In order to use network bonding with this setup, at least 3 network interface cards need to exist. 2 to connect to the WAN, and at least 1 to the LAN.

Note that you cannot bond the WAN (eth0) and LAN (eth1).

Decide on the following Optional settings

These settings are only required if specific applications are installed.

| Item | Details | Comments |
|---|---|---|
| Primary Domain Controller | pdc.sharewiz.net | If using a Domain Controller this will point to the primary DC. |
| Secondary Domain Controller | sdc.sharewiz.net | If using a Domain Controller this will point to the secondary DC. |
| HTTP Proxy Server | http://192.168.5.6:3128 | If a proxy server is used for HTTP. |
| NTP Server IP Address | 192.168.5.6 | If using an NTP server to get standard date/time for the system. |
| Remote Email Server | 192.168.5.25 | If using a remote server to deliver emails. |
| Admin Email Address | admin@sharewiz.net | Email address of the System Administrator. |
| MySQL Root Password | mysqlrootpass | If using MySQL or MariaDB. |
| Windows Share ID | windowsid | The ID to use to access the Windows share. |
| Windows Share Password | windowspass | The password to access the Windows Share. |

Decide on the Hard Drive partitions

Use a design that allows for dynamic growth and fine-tuning.

This prevents volumes becoming completely full, which is a definite no!

The Logical Volume Manager (LVM) is used, which lets you add disks, replace disks, copy and share contents from one disk to another without disrupting service (hot swapping).

The following volume will remain outside the LVM.

| Volume | File System | Size | Comments |
|---|---|---|---|
| /boot | /boot | 256 MB | boot volume - This will remain static in size. It is also the only space residing outside the Logical Volume Manager (LVM). |

Recent versions of Linux and Ubuntu do support having the /boot volume within the LVM. See Grub2.

The following volume will be within the LVM.

| Logical Volume | File System | Size | Comments |
|---|---|---|---|
| /dev/vg01/swap | swap | 4 GB | swap volume - Set to twice the amount of memory in the system. This should remain static in size, however, if the amount of RAM is adjusted, this should be adjusted as well. |
| /dev/vg01/root | / | 2 GB | root volume - Operating system and everything else which should remain fairly static. |
| /dev/vg01/usr | /usr | 2 GB | usr volume - Contains by far the largest share of data in the system. |
| /dev/vg01/var | /var | 2 GB | var volume - This is the database/log storage area and will continue to grow over time. |
| /dev/vg01/tmp | /tmp | 2 GB | tmp volume - This location will be used for temporary storage. Adjust size as required. |
| /dev/vg01/srv | /srv | 0.5 GB | srv volume - This will contain the files stored in the Samba share. |
| /dev/vg01/opt | /opt | 0.5 GB | opt volume - This location is occasionally used for specific software. |
| /dev/vg01/home | /home | 0.5 GB | home volume - This is where personal user files will be stored. |
| /dev/vg01/backup | /backup | 4 GB | backup volume - This will contain a local backup of any databases and other important data, so space needs to be around double /var. |
| /dev/vg01/sharewiz | /sharewiz | 0.5 GB | sharewiz volume - This will contain scripts used to administer the system, and should remain fairly static. |

Even though the above sizes will fill most of a 20GB hard drive, it is recommended to still use the same sizes even if you have a far bigger drive.

The system will auto grow the necessary partitions as required.

The exception to this is for the /var partition, which could be made much bigger if you know for instance that a large database will be installed into it.

If you do increase the size of the /var partition then remember to also increase the size of the /backup partition accordingly.

See Disk Security for further information.

Continue to the Initial Setup...