10 Jun 2011

Ubuntu Server - The simple four stage security lockdown

Server security can make or break a web business, and today's hackers aren't getting any less intrusive, nor is the data we publish online getting any less sensitive; in fact, quite the opposite. There is no such thing as a totally secure computer system, no matter what anyone may tell you. However, at a base level there is a simple four-stage configuration you can implement which will substantially increase your chances of protection from the vast majority of attacks.

The following four-point system applies to the Linux (Ubuntu) server platform.

1. Disable ssh access for the root account.

This is a no-brainer. I have the superb OSSEC HIDS installed on my main web boxes, which logs, blocks and informs me of any and all activity relating to system changes and attempted intrusions, the majority of which are attempted ssh brute-force attacks against, yes, the root account. Disabling ssh root access is quick and easy. Simply edit the following file, change the PermitRootLogin option to no, then save and close.

$ sudo nano /etc/ssh/sshd_config

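The edit above is easy to get wrong by hand: sshd takes the first uncommented occurrence of a keyword, so a "PermitRootLogin no" added at the bottom of the file does nothing if a "yes" sits higher up. The script below is an added example (not part of the original post or of any Cirronix tooling) that makes the change idempotently and then reports the effective value. The function names are my own, the file is passed as an argument so the change can be rehearsed on a copy, and the sample config at the end is constructed, not a real server's file.

```sh
#!/bin/sh
# Added example: set "PermitRootLogin no" in an sshd_config-style file and
# verify the value sshd will actually use. Hypothetical helper names.

# Put "PermitRootLogin no" on line 1 and drop any other uncommented
# PermitRootLogin directive, so the first-match rule cannot be undone by a
# later "yes" (including one inside a Match block). Commented lines are
# left alone. Only the "keyword value" spelling is handled, not "keyword=value".
# Writing back with cat keeps the file's owner and mode unchanged.
disable_root_ssh_login() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    tmp="$cfg.tmp.$$"
    {
        echo "PermitRootLogin no"
        grep -Ev '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" || true
    } > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Print the effective PermitRootLogin value: the first uncommented occurrence.
# Prints "unset" when no directive exists; sshd then uses its built-in default,
# which is not "no", so callers should treat "unset" as not disabled.
effective_permit_root_login() {
    awk '$1 == "PermitRootLogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Stand-alone demo on a constructed sample file (not a real sshd_config).
demo=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\n# PermitRootLogin without-password\n' > "$demo"
echo "before: $(effective_permit_root_login "$demo")"
disable_root_ssh_login "$demo"
echo "after:  $(effective_permit_root_login "$demo")"
cat "$demo"
rm -f "$demo"
# On the real host, run the function against /etc/ssh/sshd_config as root,
# then validate the syntax and restart the daemon before logging out:
#   sudo sshd -t && sudo service ssh restart
```

Keep the existing ssh session open while you restart sshd and confirm from a second session that the admin account still gets in; if `sshd -t` reports an error, the old daemon keeps running and the session you kept open lets you fix the file.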
2. Block the IP addresses of ssh attacks.

This is easily achieved with denyhosts. Install as follows (configuration is automatic):

$ sudo aptitude -y install denyhosts

... and to view the blocked IPs:

$ sudo less /etc/hosts.deny

3. Install, configure and enable the Ubuntu Linux iptables firewall.

Simply done by using the wonderful Uncomplicated Firewall utility (ufw). Once enabled, ufw blocks all incoming ports by default. Installation and configuration for basic ssh and http access is as follows:

$ sudo aptitude -y install ufw
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw enable

4. Don't enable, use or configure FTP (port 21).

FTP is quite long in the tooth these days and a predominant attack point for intrusion attempts. Secure FTP (SFTP) is inherently more secure and also much easier to install and configure, as it comes ready to roll as a component of ssh. With ssh installed, simply connect using SFTP on port 22 with a dedicated admin account.
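Stages 2 to 4 are easy to verify after the fact, and a quick audit catches the case where a package quietly opened a listener you never allowed through ufw. The script below is an added example, not part of the original post or of Cirronix's own tooling: it counts the hosts denyhosts has written to hosts.deny and lists any port that listens on a non-loopback address but is not on your allow list (so a forgotten FTP daemon on 21 shows up immediately). The function names are mine, the socket list is expected in "ss -ltn" format, and both sample inputs at the end are constructed.

```sh
#!/bin/sh
# Added example: post-lockdown audit helpers for stages 2 to 4. Each reads
# from a file so it can be run against captured output or the constructed
# samples below. Hypothetical helper names.

# Stage 2: count the hosts denyhosts has blocked for sshd. denyhosts writes
# lines of the form "sshd: 203.0.113.5" to /etc/hosts.deny. grep -c exits 1
# on zero matches, hence the "|| true" so an empty file reports 0 cleanly.
count_denied_ssh_hosts() {
    grep -Ec '^[[:space:]]*sshd[[:space:]]*:' "$1" || true
}

# Stages 3 and 4: print ports listening on a non-loopback address that are
# not in the allow list. $1 is a file holding "ss -ltn" output (header line,
# then one socket per line with "addr:port" in column 4); $2 is a
# space-separated allow list such as "22 80". Loopback-only listeners are
# ignored because the firewall never sees them.
exposed_ports() {
    awk -v allow=" $2 " 'NR > 1 {
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]") next
        if (index(allow, " " port " ") == 0) print port
    }' "$1" | sort -un
}

# Short report combining both checks; returns 1 when anything is exposed.
audit_lockdown() {
    echo "blocked ssh attackers: $(count_denied_ssh_hosts "$1")"
    exposed=$(exposed_ports "$2" "$3")
    if [ -n "$exposed" ]; then
        echo "ports listening beyond the allow list: $(printf '%s\n' "$exposed" | tr '\n' ' ')"
        return 1
    fi
    echo "no unexpected listeners"
}

# Stand-alone demo on constructed samples (not from a real host).
deny=$(mktemp); sock=$(mktemp)
cat > "$deny" <<'EOF'
# constructed hosts.deny sample
sshd: 203.0.113.5
sshd: 198.51.100.7
ALL: 192.0.2.0/24
EOF
cat > "$sock" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      5      0.0.0.0:21         0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
EOF
audit_lockdown "$deny" "$sock" "22 80" || echo "audit: FAIL (port 21 is the FTP daemon stage 4 says not to run)"
rm -f "$deny" "$sock"
# On a live host:  ss -ltn > /tmp/listeners.txt
#                  audit_lockdown /etc/hosts.deny /tmp/listeners.txt "22 80"
```

The allow list should match exactly what you passed to ufw; anything else the audit prints is either a service to remove or a rule you forgot to add, and either way it is worth knowing before the box goes public.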

And, finally, implement and use a secure password policy. Something so obvious I'm reluctant even to list it as an entry, but if you really do need help I suggest you read the following advisory from Symantec -

Of course, this is server security at its most basic; even so, you would be surprised how many people will power up a server with default settings, install their website and immediately publish it to the internet. Just by following these four basic procedures you will be inherently more secure.

As mentioned, I would also highly recommend the superb OSSEC HIDS system. OSSEC is free, open source and offers out-of-the-box protection and alerting through a powerful correlation and analysis engine, integrating log analysis, file integrity checking, centralised policy enforcement, rootkit detection, real-time alerting and active response.

If you have security concerns about your virtual or local Linux server platform by all means get in touch. Here at Cirronix we have a proven history of Linux security patching and would be more than happy to help you 'tighten up'.
