Building a Secure Server from Default Ubuntu

October 28th, 2011 by peter.bassill

I have been asked on a few occasions if I would put together an outline on how to build a secure server from scratch. Having thought the topic through a number of times, and having tried to write this blog article probably nearer 20 times, I finally bit the bullet and got on with it.

In this post, I will explore how to take a default Ubuntu install, in this case 11.04 Server, and build it into a secure web server.


This is an outline of how I went about building a secure, pseudo self-defending web server using a default Ubuntu install with LAMP.

Packages

Starting with a default install, the first step is to update all the packages to their latest versions.

apt-get update && apt-get upgrade

Then dump the list of installed packages into a file (the dpkg --get-selections command listed under Host Firewall below), so that it can be edited down into a list of packages to remove.

Next, delete from that file every package you want to keep, then loop what is left through apt:

for i in $(cat installed-packages); do apt-get --purge remove "$i"; done
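The package dump, keep-list and purge steps above, as an added shell example that is not from the original post. It builds the removal list with comm(1) instead of editing the dump by hand, purges in a single apt-get call so the dependency resolver sees the whole set at once, and supports a simulated run (apt-get -s) so the result can be read before anything is removed. The file names installed-packages (from the post), keep-packages and remove-packages are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): turn the installed-package dump and a
# hand-written keep list into a removal list, and review it before purging anything.
# File names are assumptions: installed-packages (as in the post), keep-packages,
# remove-packages.

# list_installed: the dump the post describes, one package name per line.
# dpkg prints "name:arch" for foreign-architecture packages; the sed strips ":arch".
list_installed() {
    dpkg --get-selections | awk '{print $1}' | sed 's/:.*//'
}

# to_remove INSTALLED KEEP: print every package in INSTALLED that is not in KEEP.
# comm(1) needs sorted input, so both lists are sorted into temporary files first.
to_remove() {
    inst=$(mktemp) && keep=$(mktemp) || return 1
    sort -u "$1" > "$inst"
    sort -u "$2" > "$keep"
    comm -23 "$inst" "$keep"
    rm -f "$inst" "$keep"
}

# purge_listed REMOVE_FILE [dry-run]: purge the listed packages in ONE apt-get call,
# so the resolver sees the whole set instead of being run once per package as in the
# post's loop. With "dry-run", apt-get -s only simulates and prints what it would do.
purge_listed() {
    [ -s "$1" ] || { echo "nothing to remove" >&2; return 0; }
    mode=""
    [ "${2:-}" = "dry-run" ] && mode="-s"
    xargs apt-get $mode -y --purge remove < "$1"
}

# Typical run (root is needed for the real purge):
#   list_installed > installed-packages
#   cp installed-packages keep-packages    # then delete the lines you want removed
#   to_remove installed-packages keep-packages > remove-packages
#   purge_listed remove-packages dry-run   # read the simulation, then drop "dry-run"
```

Read the simulated run carefully: apt-get will pull in reverse dependencies of anything you purge, and a package you meant to keep may only survive if it is on the keep list itself, not merely needed by something on it.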

Cleaning up the default installed system

Remove the unwanted users from the system:

games, news, uucp, proxy, backup, list, irc

Remove the unwanted groups from the system:

dialout, fax, voice, cdrom, floppy, tape, audio, dip, operator, src, video, staff, users

Set SSH not to permit root login, in /etc/ssh/sshd_config:

PermitRootLogin no
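The three clean-up steps above, as an added shell example that is not from the original post. The account and group lists are the post's; the function names, and the choice of userdel/groupdel rather than the deluser/delgroup wrappers, are assumptions. The sshd_config edit removes every existing definition of the keyword, including commented-out ones, because sshd uses the first match for a keyword, so a stale "PermitRootLogin yes" higher in the file would otherwise silently win over a line appended at the end.

```shell
#!/bin/sh
# Added example (not from the original post): remove the listed accounts and groups
# only when they actually exist, and set PermitRootLogin no without leaving a second,
# possibly commented-out, copy of the directive in sshd_config.

# The lists from the post.
UNWANTED_USERS="games news uucp proxy backup list irc"
UNWANTED_GROUPS="dialout fax voice cdrom floppy tape audio dip operator src video staff users"

# existing_names FILE NAME...: print the NAMEs that have an entry in a passwd- or
# group-style FILE (the name is the first colon-separated field).
existing_names() {
    file=$1; shift
    for n in "$@"; do
        if grep -q "^$n:" "$file"; then printf '%s\n' "$n"; fi
    done
}

# remove_users NAME...: delete the accounts that exist. Home directories are kept;
# add -r to userdel if you want them removed as well. Run as root.
remove_users() {
    for u in $(existing_names /etc/passwd "$@"); do userdel "$u"; done
}

# remove_groups NAME...: delete the groups that exist. Run as root.
remove_groups() {
    for g in $(existing_names /etc/group "$@"); do groupdel "$g"; done
}

# set_config_option FILE KEY VALUE: drop every existing definition of KEY, commented
# out or not, then append "KEY VALUE" so exactly one definition remains.
set_config_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    grep -v -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# get_config_option FILE KEY: the value sshd would use (first non-comment occurrence).
get_config_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden: the post's three steps in order. Check the result with "sshd -t" before
# restarting sshd, and keep your current session open until a new login has worked.
harden() {
    remove_users $UNWANTED_USERS
    remove_groups $UNWANTED_GROUPS
    set_config_option /etc/ssh/sshd_config PermitRootLogin no
}
```

get_config_option is the check to run afterwards: it should print "no" for PermitRootLogin, and a grep for the keyword should find exactly one line.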

Host Firewall

Install iptables:

apt-get install iptables

(For reference, the command used in the Packages section to dump the installed package list is:

dpkg --get-selections | awk -F' ' '{print $1}' >> installed-packages

Note that >> appends, so delete any old installed-packages file before running it again.)

Configure IPTables to suit YOUR environment. If you are unsure how to configure IPTables, take a look at FWBuilder. Here is the output from my IPTables script:

    # Excerpt from the FWBuilder-generated script. $IPTABLES, the flushing of the
    # existing chains, the default policies and the ESTABLISHED,RELATED accept that
    # FWBuilder places before the first rule are all in the script preamble, which
    # is not shown here. Without that state rule, replies to the outbound DNS and
    # mail connections of Rules 7 and 8 would be dropped by Rule 10. The default
    # below only makes this excerpt runnable on its own.
    IPTABLES="${IPTABLES:-/sbin/iptables}"
    #
    # Rule 0 (eth0)
    #
    echo "Rule 0 (eth0)"
    #
    # Anti-spoofing: drop packets arriving on eth0 whose source address is one of
    # the server's own addresses (1.0.0.1 presumably stands for its external address).
    $IPTABLES -N Cid4436X6108.0
    $IPTABLES -A INPUT -i eth0   -s 1.0.0.1   -j Cid4436X6108.0
    $IPTABLES -A INPUT -i eth0   -s 127.0.0.1   -j Cid4436X6108.0
    $IPTABLES -N In_RULE_0
    $IPTABLES -A Cid4436X6108.0  -d 1.0.0.1   -j In_RULE_0
    $IPTABLES -A Cid4436X6108.0  -d 127.0.0.1   -j In_RULE_0
    $IPTABLES -A In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A In_RULE_0  -j DROP
    #
    # Rule 1 (eth0)
    #
    echo "Rule 1 (eth0)"
    #
    # DShield recommended drop list from blacklist feed.
    $IPTABLES -N In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 14.45.144.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 31.3.225.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 58.64.139.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 58.251.50.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 59.60.30.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 62.193.228.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 70.85.140.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 74.84.202.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 82.197.70.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 94.102.15.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 95.59.140.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 121.188.244.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 150.164.91.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 150.164.92.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 182.84.98.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 187.109.205.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 200.250.33.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 217.221.165.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 218.10.17.0/24   -j In_RULE_1
    $IPTABLES -A INPUT -i eth0   -s 222.171.135.0/24   -j In_RULE_1
    $IPTABLES -A In_RULE_1  -j LOG  --log-level info --log-prefix "RULE 1 -- DENY "
    $IPTABLES -A In_RULE_1  -j DROP
    #
    # Rule 2 (lo)
    #
    echo "Rule 2 (lo)"
    #
    # Loopback traffic is always allowed.
    $IPTABLES -A INPUT -i lo   -j ACCEPT
    $IPTABLES -A OUTPUT -o lo   -j ACCEPT
    #
    # Rule 3 (eth0)
    #
    echo "Rule 3 (eth0)"
    #
    # Drop chatty protocols (DHCP, NetBIOS) that like to consume log space,
    # silently, so they never reach the logging catch-all in Rule 10.
    $IPTABLES -A INPUT -i eth0  -p udp -m udp  -m multiport  --dports 68,67,138,137,139  -j DROP
    #
    # Rule 4 (eth0)
    #
    echo "Rule 4 (eth0)"
    #
    # Tracks the number of SSH connections per source address (the list is filled
    # by the --set in Rule 5) and drops the source once it has made 2 or more
    # within the last 60 seconds.
    $IPTABLES -N In_RULE_4
    $IPTABLES -A INPUT -i eth0  -p tcp -m tcp  --dport 22 -m recent --rcheck --seconds 60 --hitcount 2  -j In_RULE_4
    $IPTABLES -A In_RULE_4  -j LOG  --log-level info --log-prefix "RULE 4 -- DENY "
    $IPTABLES -A In_RULE_4  -j DROP
    #
    # Rule 5 (eth0)
    #
    echo "Rule 5 (eth0)"
    #
    # Permits SSH if the IP does not have more than two connections per minute,
    # and records this new connection for Rule 4.
    $IPTABLES -A INPUT -i eth0  -p tcp -m tcp  --dport 22 -m recent --set  -m state --state NEW  -j ACCEPT
    #
    # Rule 6 (global)
    #
    echo "Rule 6 (global)"
    #
    # Permit HTTP and Ping (for monitoring). An inbound monitoring ping is an
    # echo-request, ICMP type 8; type 0 is echo-reply and would not let it in.
    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 8/0   -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT -p tcp -m tcp  -m multiport  --dports 80,443  -m state --state NEW  -j ACCEPT
    #
    # Rule 7 (global)
    #
    echo "Rule 7 (global)"
    #
    # The server needs DNS to back-resolve clients' IPs.
    # Even if it does not log host names during its
    # normal operations, statistics scripts such as
    # webalizer need it for reporting.
    $IPTABLES -A OUTPUT -p tcp -m tcp  -m multiport  --dports 53,80,443  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -m udp  --dport 53  -m state --state NEW  -j ACCEPT
    #
    # Rule 8 (global)
    #
    echo "Rule 8 (global)"
    #
    # This rule allows the server to send
    # statistics and reports via email. Disable
    # this rule if you do not need it.
    $IPTABLES -A OUTPUT -p tcp -m tcp  --dport 25  -m state --state NEW  -j ACCEPT
    #
    # Rule 9 (global)
    #
    echo "Rule 9 (global)"
    #
    # This rejects auth (ident) queries that remote
    # mail relays may send to this server when it
    # tries to send email out. REJECT rather than DROP,
    # so the relay does not wait for a timeout.
    $IPTABLES -A INPUT -p tcp -m tcp  --dport 113  -j REJECT
    #
    # Rule 10 (global)
    #
    echo "Rule 10 (global)"
    #
    # Log and drop everything else.
    $IPTABLES -N RULE_10
    $IPTABLES -A INPUT  -j RULE_10
    $IPTABLES -A RULE_10  -j LOG  --log-level info --log-prefix "RULE 10 -- DENY "
    $IPTABLES -A RULE_10  -j DROP


Continue testing and checking and testing and checking until you are very certain that your rule base works.
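Part of that checking is reading what the rule base actually denies. Every DROP above is preceded by a LOG target with a "RULE N -- DENY " prefix, so the kernel log is the record of what the firewall is turning away. The following is an added shell example, not from the original post or from FWBuilder, that summarises those lines: hits per rule, source and destination port, and the busiest sources. The sample log lines are constructed to match the format the LOG target writes and the prefixes used in the script; on a real server feed it /var/log/kern.log (or syslog) instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the DENY hits logged by the
# "RULE N -- DENY " prefixes in the rule base. Reads kernel log lines on stdin.

# Constructed sample lines in the shape the LOG target produces (RFC 5737 test
# addresses). The last line is not a firewall entry and must be ignored.
SAMPLE_LOG='Oct 28 10:00:01 web kernel: [ 1234.5] RULE 10 -- DENY IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=23
Oct 28 10:00:02 web kernel: [ 1234.6] RULE 10 -- DENY IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=3389
Oct 28 10:00:03 web kernel: [ 1234.7] RULE 4 -- DENY IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=22
Oct 28 10:00:04 web kernel: [ 1234.8] RULE 1 -- DENY IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=53 DPT=53
Oct 28 10:00:05 web sshd[123]: Accepted publickey for admin from 192.0.2.1 port 50000 ssh2'

# deny_summary: one line per (rule, source, destination port) with its hit count,
# most frequent first. Output format: "<count> RULE=<n> SRC=<ip> DPT=<port>".
deny_summary() {
    grep -- '-- DENY' | awk '{
        rule = ""; src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "RULE") rule = $(i + 1);
            else if ($i ~ /^SRC=/) src = substr($i, 5);
            else if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (rule != "") print "RULE=" rule " SRC=" src " DPT=" dpt;
    }' | sort | uniq -c | sort -rn | awk '{print $1, $2, $3, $4}'
}

# top_sources: "<ip> <count>" for the addresses with the most denied packets.
# A source that keeps appearing here is a candidate for the Rule 1 drop list.
top_sources() {
    grep -- '-- DENY' | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Usage:  deny_summary < /var/log/kern.log    or    top_sources < /var/log/kern.log
# "--demo" runs both over the constructed sample above.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | deny_summary
    printf '%s\n' "$SAMPLE_LOG" | top_sources
fi
```

Two things to watch for in the real output: RULE 4 hits from your own management addresses mean the two-connections-per-minute limit is catching you, not an attacker, and a large volume of RULE 10 hits on UDP ports you recognise usually means a protocol that belongs in the silent drop of Rule 3 rather than in the log.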
