ShareWiz Ultra Secure Server Setup

Initial Configuration


Update VIM

Install vim-nox (Recommended)

Issue the following command:

sudo aptitude install vim-nox

The default vi on Debian and Ubuntu is provided by vim-tiny, a cut-down build that lacks most of Vim's features and is only appropriate for very small installations.

To get the full editor, install vim-nox, which is Vim built without any GUI dependencies and therefore the right choice for a headless server.

A different editor such as joe or nano can of course be installed as well.


Update APT Sources

Update the Linux Installation

Edit the /etc/apt/sources.list file. Comment out or remove the installation CD entries and make sure that the universe and multiverse repositories are enabled. Bear in mind what the file's own comments say: packages in universe and multiverse receive no review or updates from the Ubuntu security team, so enabling them widens the set of code you have to track yourself. Plain http mirrors are acceptable because apt verifies the signature on each repository's Release file before it trusts the package lists.

Issue the following command:

sudo vi /etc/apt/sources.list

It should look like this:

#

 

# deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/main/binary-i386/

# deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/restricted/binary-i386/

# deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ precise main restricted

 

#deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/main/binary-i386/

#deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/restricted/binary-i386/

#deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ precise main restricted

 

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to

# newer versions of the distribution.

deb http://de.archive.ubuntu.com/ubuntu/ precise main restricted

deb-src http://de.archive.ubuntu.com/ubuntu/ precise main restricted

 

## Major bug fix updates produced after the final release of the

## distribution.

deb http://de.archive.ubuntu.com/ubuntu/ precise-updates main restricted

deb-src http://de.archive.ubuntu.com/ubuntu/ precise-updates main restricted

 

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu

## team. Also, please note that software in universe WILL NOT receive any

## review or updates from the Ubuntu security team.

deb http://de.archive.ubuntu.com/ubuntu/ precise universe

deb-src http://de.archive.ubuntu.com/ubuntu/ precise universe

deb http://de.archive.ubuntu.com/ubuntu/ precise-updates universe

deb-src http://de.archive.ubuntu.com/ubuntu/ precise-updates universe

 

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu

## team, and may not be under a free licence. Please satisfy yourself as to

## your rights to use the software. Also, please note that software in

## multiverse WILL NOT receive any review or updates from the Ubuntu

## security team.

deb http://de.archive.ubuntu.com/ubuntu/ precise multiverse

deb-src http://de.archive.ubuntu.com/ubuntu/ precise multiverse

deb http://de.archive.ubuntu.com/ubuntu/ precise-updates multiverse

deb-src http://de.archive.ubuntu.com/ubuntu/ precise-updates multiverse

 

## N.B. software from this repository may not have been tested as

## extensively as that contained in the main release, although it includes

## newer versions of some applications which may provide useful features.

## Also, please note that software in backports WILL NOT receive any review

## or updates from the Ubuntu security team.

deb http://de.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse

deb-src http://de.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse

 

deb http://security.ubuntu.com/ubuntu precise-security main restricted

deb-src http://security.ubuntu.com/ubuntu precise-security main restricted

deb http://security.ubuntu.com/ubuntu precise-security universe

deb-src http://security.ubuntu.com/ubuntu precise-security universe

deb http://security.ubuntu.com/ubuntu precise-security multiverse

deb-src http://security.ubuntu.com/ubuntu precise-security multiverse

 

## Uncomment the following two lines to add software from Canonical's

## 'partner' repository.

## This software is not part of Ubuntu, but is offered by Canonical and the

## respective vendors as a service to Ubuntu users.

# deb http://archive.canonical.com/ubuntu precise partner

# deb-src http://archive.canonical.com/ubuntu precise partner

 

## Uncomment the following two lines to add software from Ubuntu's

## 'extras' repository.

## This software is not part of Ubuntu, but is offered by third-party

## developers who want to ship their latest software.

# deb http://extras.ubuntu.com/ubuntu precise main

# deb-src http://extras.ubuntu.com/ubuntu precise main

Save the file, then issue the following command:

sudo aptitude update

to update the apt package database and...

sudo aptitude safe-upgrade

to install the latest updates (if there are any). If a new kernel is installed as part of the updates, reboot afterwards. Ubuntu also creates the file /var/run/reboot-required whenever an upgraded package needs a reboot, so that file is a second thing to check before deciding:

sudo reboot
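The reboot decision above can be made mechanically. The following script is an added example (not part of the original page): it checks Ubuntu's /var/run/reboot-required flag and compares the running kernel with the newest kernel installed under /boot. The directory and flag-file paths are parameters so the functions can be tried against a scratch directory; the CHECK_HOST variable that triggers the live check is this example's own.

```sh
#!/bin/sh
# Decide whether the host must be rebooted after `aptitude safe-upgrade`.
# Added example, not from the original page. Two signals are checked:
# the flag file Ubuntu writes when an upgraded package needs a reboot
# (/var/run/reboot-required), and a running kernel that is older than the
# newest kernel installed under /boot. Paths are parameters so the logic
# can be exercised against a scratch directory.

# installed_kernels [BOOTDIR]: print the version of every vmlinuz-* file.
installed_kernels() {
    for f in "${1:-/boot}"/vmlinuz-*; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        printf '%s\n' "${f##*/vmlinuz-}"
    done
}

# newest_kernel VERSION...: print the highest version string given
# (sort -V understands the 3.2.0-29-generic style used by Ubuntu).
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# reboot_needed RUNNING [BOOTDIR] [FLAGFILE]: exit 0 if a reboot is needed,
# 1 otherwise. RUNNING is normally "$(uname -r)".
reboot_needed() {
    running="$1"
    bootdir="${2:-/boot}"
    flag="${3:-/var/run/reboot-required}"
    [ -e "$flag" ] && return 0
    # unquoted on purpose: one version per word
    newest=$(newest_kernel $(installed_kernels "$bootdir"))
    [ -n "$newest" ] && [ "$newest" != "$running" ] && return 0
    return 1
}

# Live check on the real host (run as root after the upgrade):
#   CHECK_HOST=1 sh reboot-check.sh
if [ -n "${CHECK_HOST:-}" ]; then
    if reboot_needed "$(uname -r)"; then
        echo "reboot required (newer kernel installed or flag file present)"
    else
        echo "no reboot required"
    fi
fi
```

The kernel comparison covers the case the page describes (a new kernel arrived); the flag file covers libraries such as libc whose upgrade also warrants a reboot even though no kernel changed.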


Further Configuration

Change the Default Shell

Issue the following command:

sudo dpkg-reconfigure dash

When asked "Install dash as /bin/sh?" answer "No".

On Ubuntu /bin/sh is a symlink to /bin/dash; answering "No" repoints it at /bin/bash.

Dash was made the default because it starts faster, which shortens boot time when many init scripts run, but it implements only the POSIX shell and lacks bash's extensions. On a modern server the difference in boot time is negligible, and servers are rarely rebooted anyway. Note that this changes the interpreter for every script that starts with #!/bin/sh, not just interactive shells; scripts that rely on bash features should declare #!/bin/bash explicitly so they keep working if this setting is ever reverted.


Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet.

Issue the following command:

sudo aptitude install ntp ntpdate

Configure ntpd as necessary, by issuing the command:

sudo vi /etc/ntp.conf

Add or remove server lines as required:

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board

# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for

# more information.

server 0.ubuntu.pool.ntp.org

server 1.ubuntu.pool.ntp.org

server 2.ubuntu.pool.ntp.org

server 3.ubuntu.pool.ntp.org

After changing the config file reload ntpd, by issuing the following command:

sudo /etc/init.d/ntp restart

Check the ntp status, by issuing the following command:

sudo ntpq -p

which should display something like:

root@server1:~# sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ran.as65342.net 192.36.144.23    2 u   40   64    3   35.756   14.750   3.722
 orgin.sorch.inf 91.189.94.4      3 u   39   64    3   15.234   14.823   3.803
 portal.kt.kg    89.109.251.23    2 u   37   64    3  139.980   14.118   2.702
 i4DF67E84.pool. .PPSb.           1 u   38   64    3   37.265   16.166  91.399
 europium.canoni 131.188.3.220    2 u   39   64    3   15.170   14.873   4.720
root@server1:~#

Ubuntu offers two ways of setting the time: ntpdate and ntpd. ntpdate is a blunt instrument: it applies the whole correction in one step. The ntp daemon ntpd is more subtle: it measures the drift of the system clock and slews it continuously, so there are no large jumps that would, for instance, put log entries out of order. ntpd costs a little CPU and memory, negligible on a modern server, but it runs as a permanent service and listens on UDP port 123.

A note on PCI DSS: Requirement 2.2.1 calls for one primary function per server, so that functions needing different security levels do not share a host. An NTP client that only polls upstream servers is not a primary function, and Requirement 10.4 in fact requires system clocks to be synchronized from an accepted time source. The real question is whether you want an additional daemon listening on this host. If you do run ntpd, keep the default restrict lines (kod notrap nomodify nopeer noquery) so that it answers no queries from other hosts.

If you would rather not have a time daemon running at all, use only ntpdate.

Issue the following commands in this case:

sudo aptitude install ntpdate

and test by issuing the command:

sudo ntpdate pool.ntp.org

which should display something like:

22 Jun 00:06:43 ntpdate[3032]: adjust time server 87.106.21.237 offset 0.000174 sec

To use a different NTP server, such as pdc.sharewiz.net, set it in /etc/default/ntpdate (NTPDATE_USE_NTP_CONF=no tells ntpdate-debian to use this list instead of the servers listed in /etc/ntp.conf):

NTPDATE_USE_NTP_CONF=no

NTPSERVERS="pdc.sharewiz.net"

and test again by issuing the command:

sudo ntpdate pdc.sharewiz.net

Create a cron job to regularly keep the system’s time in sync, by issuing the command:

sudo vi /etc/cron.hourly/ntpdate

and populate with the following contents:

#!/bin/bash
#
# Calls ntpdate-debian to synchronize the time using the servers
# listed in /etc/default/ntpdate
ntpdate-debian

and finally make the cron job executable, by issuing the following command:

sudo chmod 755 /etc/cron.hourly/ntpdate

and the clock will be re-synchronized every hour.

The cron job calls ntpdate-debian rather than ntpdate directly. ntpdate could be used, but then the NTP server has to be passed as an argument on the command line.

ntpdate-debian needs no argument: it reads the servers from /etc/default/ntpdate (or, when NTPDATE_USE_NTP_CONF=yes, from /etc/ntp.conf).
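The cron job above steps the clock unconditionally. As an added example (not the page's script), here is a replacement for /etc/cron.hourly/ntpdate that first queries the offset, applies it only when it is small, and otherwise logs it to syslog; this addresses the large-correction problem described in the ntpdate-versus-ntpd comparison earlier. The 0.5 second limit, the MAX_STEP and NTP_SERVER variables and the ntpsync syslog tag are assumptions made for this example.

```sh
#!/bin/sh
# Hourly clock sync that will not silently apply a large time step.
# Added example, not the page's own cron script. It wraps ntpdate: it first
# measures the offset with `ntpdate -q` (query only), applies the correction
# with `ntpdate -u` only when the step is small, and otherwise logs the
# offset via syslog for a human to look at. A big jump means either the
# clock drifted badly since the last run or the upstream server is wrong;
# stepping blindly would reorder log timestamps. The 0.5 s limit and the
# MAX_STEP/NTP_SERVER variable names are this example's own choices.

MAX_STEP="${MAX_STEP:-0.5}"

# parse_offset: read ntpdate output on stdin and print the absolute offset
# in seconds from its "adjust time server" / "step time server" line.
parse_offset() {
    awk '/time server/ {
            for (i = 1; i < NF; i++)
                if ($i == "offset") {
                    o = $(i + 1); sub(/^-/, "", o); sub(/,$/, "", o)
                    print o; exit
                }
         }'
}

# offset_within LIMIT OFFSET: exit 0 if OFFSET <= LIMIT (decimal compare,
# done in awk because sh has no floating point).
offset_within() {
    awk -v lim="$1" -v off="$2" 'BEGIN { exit !(off + 0 <= lim + 0) }'
}

# sync_clock SERVER: measure, then step only if within MAX_STEP.
# Exit codes: 0 adjusted, 1 refused (offset too large), 2 query/parse failure.
sync_clock() {
    server="$1"
    out=$(ntpdate -q "$server" 2>&1) || {
        logger -t ntpsync "query of $server failed: $out"; return 2; }
    off=$(printf '%s\n' "$out" | parse_offset)
    if [ -z "$off" ]; then
        logger -t ntpsync "no offset found in ntpdate output: $out"; return 2
    fi
    if offset_within "$MAX_STEP" "$off"; then
        ntpdate -u "$server" >/dev/null 2>&1 || return 2
        logger -t ntpsync "stepped clock by ${off}s using $server"
    else
        logger -t ntpsync "offset ${off}s from $server exceeds ${MAX_STEP}s; not stepping"
        return 1
    fi
}

# Install as /etc/cron.hourly/ntpdate and set NTP_SERVER near the top of
# the file (or drop this guard and hard-code the server name).
if [ -n "${NTP_SERVER:-}" ]; then
    sync_clock "$NTP_SERVER"
fi
```

When the offset is refused the script exits non-zero, so run-parts --report prints the failure in cron's mail as well as leaving the syslog line; a persistent refusal means the clock has drifted far enough that a deliberate one-off step (or a look at the upstream server) is needed.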


Update crontab times

Issue the following command:

sudo vi /etc/crontab

and modify the contents as per the following:

# /etc/crontab: system-wide crontab

# Unlike any other crontab you don't have to run the `crontab'

# command to install the new version when you edit this file

# and files in /etc/cron.d. These files also have username fields,

# that none of the other crontabs do.

 

SHELL=/bin/sh

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

 

# m h dom mon dow user command

#17 * * * * root cd / && run-parts --report /etc/cron.hourly

#25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

#47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )

#52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

0 * * * * root cd / && run-parts --report /etc/cron.hourly

0 0 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

0 0 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )

0 0 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

#

The default schedule (the commented-out lines) runs the daily, weekly and monthly jobs at 06:25, 06:47 and 06:52, with the minutes deliberately staggered so that the jobs do not start together.

The hours are changed here so that the jobs run at the start of a new day.

This also helps with log rotation, since logrotate runs from /etc/cron.daily on Ubuntu: new daily logs are started at the beginning of each day instead of at 6am.

NOTE: cron runs separate crontab lines in parallel; only the scripts within one run-parts call run in sequence. With every line set to minute 0 the hourly, daily and monthly jobs all start together at 00:00 on the first of the month (and the weekly job too when that day is a Sunday). If those jobs must not overlap, give each line a distinct minute, as the defaults do (for example 5, 10 and 15 past midnight). Also note the test -x /usr/sbin/anacron guard: if anacron is installed it takes over the daily, weekly and monthly runs according to /etc/anacrontab, and the times set here for those three lines are ignored.
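To see the effect of the minute fields, the following added example (not from the original page) scans a crontab in system format and lists pairs of active lines that share a minute and an hour, or a minute and a wildcard hour. Run against the schedule above it reports six coinciding pairs; against the commented-out defaults it reports none. The CRONTAB_FILE variable is this example's own.

```sh
#!/bin/sh
# Find system crontab lines that cron may start at the same instant.
# Added example, not from the original page. cron starts separate crontab
# lines in parallel; only the scripts inside one run-parts call run one
# after another. Two lines coincide when their minute fields are equal and
# their hour fields are equal or one of them is "*". Day fields are ignored,
# so the result means "may coincide": the weekly and monthly lines above
# only actually meet on a Sunday that is the first of the month.

# crontab_collisions FILE: print one "LINE_A LINE_B MINUTE HOUR_A HOUR_B"
# record per coinciding pair of active lines (system crontab format:
# m h dom mon dow user command). Prints nothing if the schedule is clean.
crontab_collisions() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }              # SHELL=, PATH=, ...
        NF >= 7 { cnt++; ln[cnt] = NR; m[cnt] = $1; h[cnt] = $2 }
        END {
            for (a = 1; a <= cnt; a++)
                for (b = a + 1; b <= cnt; b++)
                    if (m[a] == m[b] && (h[a] == h[b] || h[a] == "*" || h[b] == "*"))
                        print ln[a], ln[b], m[a], h[a], h[b]
        }
    ' "$1"
}

# collision_count FILE: number of coinciding pairs, handy in a check script.
collision_count() {
    crontab_collisions "$1" | wc -l | tr -d ' '
}

# Usage on the real host:  CRONTAB_FILE=/etc/crontab sh cron-check.sh
if [ -n "${CRONTAB_FILE:-}" ]; then
    crontab_collisions "$CRONTAB_FILE"
fi
```

Files in /etc/cron.d use the same seven-field format, so the same function can be pointed at each of them to spot package-installed jobs that land on the same minute as the system lines.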


Protect files

Issue the following command:

sudo vi /etc/profile

and add the following to the bottom of the file:

alias cp='cp -i'

alias mv='mv -i'

alias rm='rm -i'

This switches on interactive mode for these commands, so they prompt before overwriting or deleting. Two caveats: aliases only affect interactive shells (scripts are unaffected, which is what you want), and /etc/profile is read by login shells only. Shells started with sudo -s or with su without -l are non-login shells and read /etc/bash.bashrc instead, so add the aliases there as well if they should apply everywhere.


Allow colour prompts for the root and sudo users (highly recommended)

Issue the following command:

sudo vi /root/.bashrc

and remove the hash from the beginning of the force_color_prompt line (add the line if the file does not contain it):

force_color_prompt=yes

This is not required, but a coloured prompt makes it much easier to see at a glance which shell you are in, so it is recommended.


Allow colour prompts for the administrator

Issue the following command:

sudo vi /home/administrator/.bashrc

and remove the hash from the beginning of the force_color_prompt line (add the line if the file does not contain it):

force_color_prompt=yes


Restart the System

Reboot so that all of the changes above take effect.

Issue the following command:

sudo reboot

...and log back in with PuTTY.


Continue to Add Software...