Obtain a list of all network interfaces, by issuing the following command:
sudo ip link show
...which should display something like:
root@server1:~# sudo ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 08:00:27:70:a2:4b brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 08:00:27:35:37:df brd ff:ff:ff:ff:ff:ff
lo is the loopback interface. It exists on every machine and carries only traffic between programs running on the machine itself, so it is never reachable from the network and needs no hardening.
Obtain a list of all listening ports, by issuing the following command (on newer releases where netstat is no longer installed by default, sudo ss -ntulp gives the equivalent listing):
sudo netstat -ntulp
...which should display something like:
root@server1:~# sudo netstat -ntulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.0.11:22         0.0.0.0:*               LISTEN      1024/sshd
udp        0      0 192.168.1.1:123         0.0.0.0:*                           1371/ntpd
udp        0      0 192.168.0.11:123        0.0.0.0:*                           1371/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1371/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1371/ntpd
udp6       0      0 fdff:f80e:a682:0:cd:123 :::*                                1371/ntpd
udp6       0      0 fdff:f80e:a682:0:a0:123 :::*                                1371/ntpd
udp6       0      0 fdff:f80e:a682:0:a0:123 :::*                                1371/ntpd
udp6       0      0 fe80::a00:27ff:fe70:123 :::*                                1371/ntpd
udp6       0      0 fdff:f80e:a682:0:8c:123 :::*                                1371/ntpd
udp6       0      0 fe80::a00:27ff:fe35:123 :::*                                1371/ntpd
udp6       0      0 :::123                  :::*                                1371/ntpd
udp6       0      0 ::1:123                 :::*                                1371/ntpd
The -p flag already shows the PID and program behind each socket. To see the same listing with hostnames and service names resolved instead of numeric addresses and ports, drop the -n flag:
sudo netstat -tulp
...which should display something like:
root@server1:~# sudo netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 server1.sharewiz.ne:ssh *:*                     LISTEN      1024/sshd
udp        0      0 server1.sharewiz.lo:ntp *:*                                 1371/ntpd
udp        0      0 server1.sharewiz.ne:ntp *:*                                 1371/ntpd
udp        0      0 localhost:ntp           *:*                                 1371/ntpd
udp        0      0 *:ntp                   *:*                                 1371/ntpd
udp6       0      0 fdff:f80e:a682:0:cd:ntp [::]:*                              1371/ntpd
udp6       0      0 fdff:f80e:a682:0:a0:ntp [::]:*                              1371/ntpd
udp6       0      0 fdff:f80e:a682:0:a0:ntp [::]:*                              1371/ntpd
udp6       0      0 fe80::a00:27ff:fe70:ntp [::]:*                              1371/ntpd
udp6       0      0 fdff:f80e:a682:0:8c:ntp [::]:*                              1371/ntpd
udp6       0      0 fe80::a00:27ff:fe35:ntp [::]:*                              1371/ntpd
udp6       0      0 ip6-localhost:ntp       [::]:*                              1371/ntpd
udp6       0      0 [::]:ntp                [::]:*                              1371/ntpd
Stop any service that should not be listening, and disable it so that it does not come back at boot. A service that must run but only serves local clients should be bound to 127.0.0.1 rather than to 0.0.0.0 (every address), so that it never appears on the network at all.
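The check above is worth making repeatable, so that a daemon that appears after a package install or a configuration change is noticed. The script below is an added example and is not part of the original guide: it reads the netstat listing, ignores sockets bound only to loopback, and flags every remaining listener whose protocol/port is not on an allow-list. The allow-list of tcp/22 (sshd) and udp/123 (ntpd), and the function and variable names, are assumptions matching the host shown above; adjust the list to the services a given machine is meant to run.

```shell
#!/bin/sh
# Added example (not from the original guide): audit `sudo netstat -ntulp`
# output against the listeners this host is supposed to have.

# Listeners the host is expected to have (assumption: SSH and NTP, as on the
# server shown in the guide). Format: proto/port, space separated.
ALLOWED_LISTENERS="tcp/22 udp/123"

# audit_listeners: read the output of `sudo netstat -ntulp` on stdin, print
# one line per listener that is reachable from the network (not bound to a
# loopback address) and not in ALLOWED_LISTENERS, and return the number of
# such listeners (0 means nothing unexpected is exposed).
audit_listeners() {
    awk -v allowed="$ALLOWED_LISTENERS" '
        BEGIN {
            n = split(allowed, want, " ")
            for (i = 1; i <= n; i++) ok[want[i]] = 1
            bad = 0
        }
        # Socket rows start with tcp/udp (tcp6/udp6 for IPv6); this pattern
        # skips the two header lines netstat prints first.
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)              # fold tcp6 -> tcp, udp6 -> udp
            laddr = $4                            # e.g. 192.168.0.11:22 or :::123
            port = laddr; sub(/.*:/, "", port)    # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only: not exposed
            if (!((proto "/" port) in ok)) {
                bad++
                printf "UNEXPECTED %s/%s on %s (%s)\n", proto, port, addr, $NF
            }
        }
        END { exit bad }
    '
}

# With --live, run against this machine; otherwise only define the function
# so the file can be sourced from other scripts.
if [ "${1:-}" = "--live" ]; then
    sudo netstat -ntulp | audit_listeners
fi
```

Run it on the host as sh audit_listeners.sh --live. A non-zero exit status means something not on the list is reachable from the network, which makes the script usable from cron or a configuration check as well as by hand. Note that a loopback-only listener is deliberately not reported: it is the correct state for a local-only service, which is the point of the binding advice above.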
Use TCP Wrappers to restrict which networks may reach wrapped services: add entries for the networks that are allowed access to the system, i.e. the local network and the external VPN.
Issue the following command:
sudo vi /etc/hosts.allow
For example, modify as:
# Local network
ALL: 192.168.1.0/24
# VPN access
ALL: 192.168.20.0/28
ALL: 192.168.100.0/24
Issue the following command:
sudo vi /etc/hosts.deny
and only have this line in it:
ALL:ALL
Access is decided per connection: a client matching a rule in /etc/hosts.allow is admitted, a client matching only /etc/hosts.deny is refused, and a client matching neither is admitted. ALL:ALL in hosts.deny therefore turns hosts.allow into a whitelist, so make sure the two files do not conflict and write hosts.allow (including the network you administer from) before hosts.deny, or the next SSH connection will be refused. Keep comments on their own lines, because hosts_access(5) only treats lines that begin with # as comments. The files are re-read on every connection, so no restart is needed; tcpdmatch sshd 192.168.1.5 (from the tcpd package) shows how a given client would be treated. Note that only services built against TCP Wrappers (libwrap), or started through tcpd/inetd, honour these files at all: OpenSSH dropped libwrap support in version 6.7, so on newer releases sshd ignores them (check with ldd $(which sshd) | grep libwrap), and for everything else the firewall is the control that counts.
Edit the GRUB defaults file:
sudo vi /etc/default/grub
and change the following line:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
to:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
then regenerate the boot configuration by executing the following command:
sudo update-grub2
This changes the kernel command line, so it only takes effect after a reboot. Reboot, then test by executing the following command:
ip a | grep inet6
which should print nothing when IPv6 is disabled.
An alternative (older) method to disable IPv6 is a modprobe file that stops the IPv6 protocol module from loading:
sudo vi /etc/modprobe.d/bad_list.conf
and add this line:
alias net-pf-10 off
The file name must end in .conf, because modprobe ignores files in /etc/modprobe.d without that suffix. This method only works when IPv6 is built as a loadable module; on kernels with IPv6 built in (the case on modern Ubuntu kernels) it has no effect, so prefer the kernel parameter above or the sysctl method below.
NOTE: In Ubuntu 10.04 onwards, to check if IPv6 is disabled, run the following command:
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
where 0 means it's enabled and 1 is disabled. If the kernel was booted with ipv6.disable=1, the /proc/sys/net/ipv6 directory does not exist at all, which also means IPv6 is off.
To disable IPv6 in Ubuntu 10.04 onwards add the following lines to /etc/sysctl.conf:
#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Then run sudo sysctl -p (or reboot) and confirm with the /proc check above; ip a | grep inet6 should also print nothing. If the host genuinely needs IPv6 connectivity, leave it enabled and apply the same redirect and source-route hardening to its net.ipv6 settings instead, as in the sysctl section below.
Make a backup of the existing /etc/sysctl.conf file, by executing the command:
sudo cp /etc/sysctl.conf /etc/sysctl.conf.orig
Now modify the sysctl file, by issuing the following command:
sudo vi /etc/sysctl.conf
and uncomment the following lines (adding any that are missing) to stop some spoofing attacks and enhance other security measures. rp_filter=1 is strict reverse-path filtering: a packet is dropped if it arrives on an interface the kernel would not use to reach its source address. On a multi-homed host like this one (eth0 and eth1) that sees asymmetric routing, use 2 (loose mode) instead, or legitimate traffic is silently dropped. The net.ipv4.conf.all.* entries apply to the existing interfaces; the matching net.ipv4.conf.default.* entries govern interfaces created later.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
Save the /etc/sysctl.conf file.
Activate the kernel settings that you have modified, without rebooting, by reloading /etc/sysctl.conf:
sudo sysctl -p
The Linux kernel is flexible: many of its parameters can be changed on the fly with the sysctl command.
sysctl reads and writes the several hundred kernel tunables exposed under /proc/sys/ (procfs must be mounted for it to work). A change made with sysctl -w takes effect immediately but is lost at reboot; settings placed in /etc/sysctl.conf are applied at boot and whenever sysctl -p is run, which is how they are made persistent.
IMPORTANT NOTE: Editing the sysctl.conf file might break your system - this is for advanced users only.
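Editing the file and running sysctl -p does not prove that the values are in force: a typo in a key is only reported on the terminal, another file can set the same key later, and a later reboot can reveal a setting that was never persisted. The script below is an added example and is not part of the original guide: it compares the running kernel's values, as printed by sysctl -a, with the hardening values listed above and reports every key that is missing or differs. The expected values are the guide's own; the function and variable names are assumptions, and the rp_filter value of 1 should be changed to 2 where loose mode is used.

```shell
#!/bin/sh
# Added example (not from the original guide): check that the kernel actually
# runs with the values the /etc/sysctl.conf edits are meant to set. Useful
# right after `sysctl -p`, after a reboot, and as a periodic drift check.

# "key expected" pairs, one per line, taken from the hardening list above.
# rp_filter: 1 is strict mode; use 2 (loose) on multi-homed hosts with
# asymmetric routing.
EXPECTED_SYSCTL='
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
'

# audit_sysctl: read "key = value" lines (the format of `sysctl -a`) on stdin,
# print one line per key that is missing or differs from EXPECTED_SYSCTL, and
# return the number of problems found (0 means every setting is in force).
audit_sysctl() {
    # Normalise "key = value" into "key value"; anything else is ignored.
    actual=$(sed -n 's/^\([A-Za-z0-9_.-]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1 \2/p')
    report=$(printf '%s\n' "$EXPECTED_SYSCTL" | while read -r key want; do
        [ -z "$key" ] && continue
        have=$(printf '%s\n' "$actual" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING %s (expected %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT   %s = %s (expected %s)\n' "$key" "$have" "$want"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return "$(printf '%s\n' "$report" | wc -l | tr -d ' ')"
}

# With --live, audit this machine; otherwise only define the function.
if [ "${1:-}" = "--live" ]; then
    sysctl -a 2>/dev/null | audit_sysctl
fi
```

Run it as sh audit_sysctl.sh --live after sysctl -p and again after the next reboot; the exit status is the number of settings that are not as expected, so an empty report with status 0 is the only passing result. A key reported as MISSING under the ipv6 prefix is normal on a host where IPv6 was disabled with the kernel parameter, since those tunables do not exist there.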
To confirm that only the necessary network interfaces are up, and to see which addresses they carry, execute the following command:
sudo ifconfig
...which should display something like:
root@server1:~# sudo ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:70:a2:4b
          inet addr:192.168.0.11  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe70:a24b/64 Scope:Link
          inet6 addr: fdff:f80e:a682:0:a00:27ff:fe70:a24b/64 Scope:Global
          inet6 addr: fdff:f80e:a682:0:cd31:d05:ee48:f7e2/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8154 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5097 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2372404 (2.3 MB)  TX bytes:703314 (703.3 KB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:35:37:df
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe35:37df/64 Scope:Link
          inet6 addr: fdff:f80e:a682:0:8ca3:dc61:1e71:7c19/64 Scope:Global
          inet6 addr: fdff:f80e:a682:0:a00:27ff:fe35:37df/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1691 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:222896 (222.8 KB)  TX bytes:1174 (1.1 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2187 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2187 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:118448 (118.4 KB)  TX bytes:118448 (118.4 KB)
This shows the address on each interface: here 192.168.0.11 on eth0 and 192.168.1.1 on eth1. Any interface that is up but not needed should be brought down and removed from /etc/network/interfaces. If IPv6 was disabled in the earlier step, the inet6 addr lines shown here should no longer appear.
Issue the following command:
sudo nmap -sTU 192.168.0.11
...which should display something like:
root@server1:~# sudo nmap –sTU 192.168.0.11

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-25 00:39 GMT
Failed to resolve "–sTU".
Nmap scan report for server1.sharewiz.net (192.168.0.11)
Host is up (0.0000040s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 12.72 seconds
This should only show port 22 being open, which is the one used by SSH. Note the line Failed to resolve "–sTU" in the captured output: the dash was typed as a typographic en dash, so nmap took the option for a hostname and fell back to its default scan, a TCP SYN scan of the 1000 most common ports, and no UDP ports were checked at all. Type -sTU with an ASCII hyphen to scan TCP and UDP together; expect 123/udp to appear for ntpd and the scan to take far longer, because UDP scanning is slow. Scanning the host from itself may also bypass firewall rules that only apply to remote traffic, so repeat the scan from another machine on the network to see what an attacker would see.
If you see an open port that you do not know about, or think is unnecessary, deactivate the service that opened it, or configure your firewall to block it.
nmap is a network security tool that finds open ports on a system.
Issue the following command:
sudo aptitude install arpwatch
Edit the default ArpWatch configuration file:
sudo vi /etc/default/arpwatch
and modify the ARGS parameter to:
ARGS="-N -p -m sysadmin@sharewiz.net -s /usr/sbin/sendmail"
-N suppresses reports about bogons (ARP packets whose source IP is not on the local network), -p stops arpwatch putting the interface into promiscuous mode, -m sets the address the reports are mailed to, and -s gives the path to sendmail.
arpwatch keeps track of Ethernet/IP address pairings. It logs activity to syslog and reports changes by e-mail: a new station, an IP address that starts answering from a different hardware address ("changed ethernet address"), or one that alternates between two ("flip flop"), which is what ARP spoofing on the local segment looks like.
arpwatch keeps its record of the pairings seen so far in the file /var/lib/arpwatch/arp.dat.
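The e-mails above arrive one event at a time; the database lets you review the accumulated picture offline, for instance after a suspected spoofing incident. The script below is an added example and is not part of arpwatch or the original guide: it reads arp.dat (tab-separated lines of hardware address, IP address, epoch timestamp and optional hostname, with the MAC written without leading zeros as arpwatch does) and lists every IP address that has been seen from more than one hardware address. The sample lines in the test are constructed; the function name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): find IP addresses that arpwatch
# has recorded against more than one hardware address, i.e. the pairings that
# trigger its "changed ethernet address" and "flip flop" reports.

# arp_conflicts: read arp.dat-format lines on stdin (MAC, IP, epoch seconds,
# optional hostname; tab separated), print each IP that maps to several MACs
# together with those MACs, and return the number of such IPs.
arp_conflicts() {
    awk -F'\t' '
        # $1 = MAC (arpwatch writes it without leading zeros, e.g. 8:0:27:70:a2:4b),
        # $2 = IP. Blank or malformed lines are skipped.
        $1 ~ /^[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+$/ && $2 != "" {
            pair = $2 SUBSEP $1
            if (!(pair in seen)) {        # count each (IP, MAC) pairing once
                seen[pair] = 1
                macs[$2] = macs[$2] " " $1
                count[$2]++
            }
        }
        END {
            conflicts = 0
            for (ip in count)
                if (count[ip] > 1) {
                    conflicts++
                    printf "CONFLICT %s seen from%s\n", ip, macs[ip]
                }
            exit conflicts
        }
    '
}

# With --live, read the real database (path as given in the guide).
if [ "${1:-}" = "--live" ]; then
    sudo cat /var/lib/arpwatch/arp.dat | arp_conflicts
fi
```

A conflict is not automatically an attack: a replaced network card, a DHCP lease handed to a new machine, or a router with a virtual MAC all produce the same record. What the list gives you is the set of addresses worth checking against the asset inventory, and a baseline to diff after the next alert.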
fail2ban is a tool that watches the logs of services such as SSH, FTP, SMTP and Apache and, when it sees repeated failed logins from the same IP address or host, blocks that address with an iptables firewall rule for a configurable period.
It scans log files such as /var/log/auth.log (sshd) or the Apache error log and bans IPs that make too many password failures by updating the firewall rules to reject them.
fail2ban is similar to DenyHosts, but where DenyHosts focuses on SSH and blocks only through /etc/hosts.deny, fail2ban can be configured to monitor any service that writes login attempts to a log file and can block with iptables as well as /etc/hosts.deny.
Install psad by issuing the following command:
sudo aptitude install psad
Edit the default psad configuration file:
sudo vi /etc/psad/psad.conf
Enter the mail recipient (psad.conf entries are a keyword, whitespace, the value, and a terminating semicolon):
EMAIL_ADDRESSES             sysadmin@sharewiz.net;
and, to reduce the volume of alert mail so that only scans reaching psad's danger-level threshold are e-mailed, change:
ALERT_ALL                   N;
Restart psad:
sudo /etc/init.d/psad restart
The Port Scan Attack Detector (psad) is an excellent tool for detecting various types of suspicious traffic, including port scans from popular tools such as Nmap, DDoS attacks, and attempts to brute force certain protocols on your system. It works by analysing the iptables log messages in the system log, so it only sees what the firewall logs: add iptables rules with the LOG target for the traffic you drop or reject (a final LOG rule in the INPUT chain is the usual arrangement), or psad has nothing to analyse. Besides recognising attack patterns, psad can manipulate firewall rules to respond to suspicious sources automatically.
In addition, psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans and probes.
Issue the following command:
sudo aptitude remove telnet
Telnet sends everything, including usernames and passwords, across the network in clear text, so it has no place on a hardened server. The telnet package is only the client; the listening side comes from a server package such as telnetd or inetutils-telnetd (usually started through inetd), so also confirm that nothing is listening on port 23 in the netstat output above and remove any telnet server package as well.
Telnet is probably not installed, but it is better to confirm that it is actually removed.
To combine multiple NICs into a single logical interface with one IP address (bonding, here for link redundancy), install "ifenslave".
Issue the following command:
sudo aptitude install ifenslave
Update the module options, by adding the following lines to the bottom of the /etc/modprobe.d/bonding.conf file (create it if it does not exist):
alias bond0 bonding
options bonding mode=1 miimon=100
mode=1 is active-backup: one link carries all the traffic and the other takes over only when it fails. miimon=100 checks link state every 100 ms. The bond-* options in /etc/network/interfaces below override these module options, so the two must agree.
Issue the following command:
sudo vi /etc/network/interfaces
and edit the file as follows (eth0 and eth2 are bonded as bond0; eth1 stays a separate, unbonded interface for the local network; bond-mode matches mode=1 above):
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface: bond0 carries the address, eth0 and eth2 are its slaves
auto bond0
iface bond0 inet static
    bond-slaves none
    bond-mode active-backup
    bond-miimon 100
    address 192.168.0.11
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 8.8.8.8 8.8.4.4

auto eth0
iface eth0 inet manual
    bond-master bond0
    bond-primary eth0 eth2

auto eth2
iface eth2 inet manual
    bond-master bond0
    bond-primary eth0 eth2

# The local network interface (not part of the bond)
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
To confirm that name resolution works through the nameservers configured above, look up the hostname for an IP address:
host 8.8.8.8
which should display:
8.8.8.8.in-addr.arpa domain name pointer google-public-dns-a.google.com.
This will query the name server and provide you with the hostname of the IP address.
By default it will query the nameserver listed in the /etc/resolv.conf file.
Alternatively, issue the command:
nslookup 8.8.8.8
which should display:
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
8.8.8.8.in-addr.arpa name = google-public-dns-a.google.com.
Authoritative answers can be found from:
To bring the new network settings into effect, restart the system. A mistake in the bond configuration leaves the host unreachable over the network, so have console (or hypervisor) access available before you do this.
Issue the following command:
sudo reboot
...and log back in using PuTTY
NOTE: eth0 and eth2 become slaves to bond0. With bond-mode active-backup and bond-primary eth0, traffic uses eth0 whenever its link is up and fails over to eth2 only when eth0 goes down; eth1 is untouched and keeps serving the local network. You can see the status of the bond:
Issue the following commands:
cat /proc/net/bonding/bond0
and
cat /sys/class/net/bond0/bonding/active_slave
(the same bonding directory also exposes mode and slaves).
Another way to check that bonding is working is by issuing the following command:
ifconfig
This should show bond0 carrying the address allocated to the bond, with the flags UP BROADCAST RUNNING MASTER MULTICAST.
It should also show both eth0 and eth2 as up and flagged as slaves, for example UP BROADCAST RUNNING SLAVE MULTICAST.
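A standby link that has quietly failed is only discovered when the primary fails too, so the /proc/net/bonding/bond0 check above is worth automating. The script below is an added example and is not part of the original guide: it parses the text the bonding driver writes to /proc/net/bonding/bond0, reports the mode and active slave, lists each slave's link state, warns when traffic is running on the backup link, and exits non-zero if any slave link is down. The sample input in the test is constructed in the driver's format using the interface names from the configuration above; the function name and the bond0 name used by --live are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): health check for an
# active-backup bond, driven by the text in /proc/net/bonding/<bond>.

# bond_health: read /proc/net/bonding/<bond> on stdin; print the mode, the
# active slave and each slave's link state; warn if the primary slave is not
# the active one; return the number of slaves whose MII status is not "up"
# (0 means every link in the bond is healthy).
bond_health() {
    # Each line is "Label: value"; split on the first ": " only.
    awk -F': ' '
        $1 == "Bonding Mode"           { print "mode:   " $2 }
        $1 == "Primary Slave"          { split($2, p, " "); primary = p[1] }  # "eth0 (primary_reselect always)"
        $1 == "Currently Active Slave" { active = $2; print "active: " $2 }
        $1 == "Slave Interface"        { cur = $2 }          # per-slave section starts here
        # The first "MII Status" line belongs to the bond itself (cur is still
        # empty); the later ones belong to the slave named just before them.
        $1 == "MII Status" && cur != "" {
            printf "slave:  %s link %s\n", cur, $2
            if ($2 != "up") down++
        }
        END {
            if (primary != "" && active != primary)
                printf "WARNING active slave is %s; primary %s is not carrying traffic\n", active, primary
            exit down + 0
        }
    '
}

# With --live, check bond0 on this machine (bond name is an assumption).
if [ "${1:-}" = "--live" ]; then
    bond_health < /proc/net/bonding/bond0
fi
```

Run it as sh bond_health.sh --live; a non-zero exit status means the bond has lost redundancy even though the address is still reachable, which is exactly the condition that ifconfig alone will not make obvious.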
Copyright ShareWiz by Peter Roux