Hacking defence

How to secure Linux web server

November 20, 2017 Hacking defence

This is basic steps to secure your apache based web server. We are working with CentOS 7 vm in this particular tutorial.

Change ssh default port number
Open ssh configuration file and change default port number 22 to 222 or any other port that is available.

vi /etc/ssh/sshd_conf
Port 222

Install fail2ban
Install epel-release

yum install epel-release

Install fail2ban

yum install fail2ban

Enable fail2ban

systemctl enable fail2ban

Edit jail.conf and change ssh port number to 222 which is the one we are using for ssh connections.

vi /etc/fail2ban/jail.local
enabled = true
port = 222
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

Start the service

systemctl enable fail2ban
systemctl start fail2ban 

Run command below to see all ban IP address.

fail2ban-client status sshd

OSSEC Host Intrusion Detection system installation
Lets install OSSEC in local mode. Meaning you running only one OSSEC system and don’t have dedicated servers to run it.

firewall-cmd --permanent --zone=public --add-port=1514/udp
 firewall-cmd --reload
yum install mysql-devel postgresql-devel gcc
wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz 
tar -zxvf ossec-hids-2.8.3.tar.gz 
cd ossec-hids-2.8.3 cd ossec-hids-2.8.3 

We pretty much allow all defaults, and when asked what type of installation choose local unless you run dedicated ossec server

 What kind of installation do you want (server, agent, local, hybrid or help)? server 

We will now add our web root directory so it can be scanned for changes. We assuming our webroot is located under /var/www/html. Please note you will need same amount of space or more for ossec to create all diff. files.

vi /var/ossec/etc/ossec.conf

Please follow this link to add webroot to ossec scan

Firewalld configuration
We will need to open ports for http and https traffic and also allow access via alternative ssh port as well as access for nagios monitoring and ossec.

firewall-cmd --zone=public --permanent --add-service=http\udp
firewall-cmd --zone=public --permanent --add-port=https\udp
firewall-cmd --zone=public --permanent --add-port=1514\udp
firewall-cmd --zone=public --permanent --add-port=5666\tcp
firewall-cmd --zone=public --permanent --add-port=222\tcp
firewall-cmd --reload

Securing /tmp directory
In order to secure tmp directory we created separate partition during install 1GB size.

fdisk -l
Disk /dev/mapper/centos-tmp: 1048 MB, 1048576000 bytes, 2048000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

We will be mounting /tmp partiiotn with noexec, nosuid and nodev options from fstab

cat /etc/fstab
/dev/mapper/centos-tmp  /tmp                    xfs     rw,loop,noexec,nosuid,nodev        0 0

Secure web permissions
Assuming our webroot will be under /var/html/mysite. We will assigh following users and permissions to web root directory

chown -R apache.apache /var/www/html/mysite/
chmod -R 755 /var/www/html/mysite

Install rkhunter

yum install rkhunter
rkhunter --checkall

Scan for rootkits with rkhunter on CentOS 7

November 1, 2017 Hacking defence

Installing and scanning with rkhunter on CentOS 7 system
1. Intstall rkhunter

yum install rkhunter

2. Run a scan on your system

rkhunter --checkall

Secure tmp directory CentOS 7

October 16, 2017 Hacking defence

This is quick how to on basic steps securing /tmp directory on CentOS 7

dd if=/dev/zero of=/dev/tmpDIR bs=1024 count=1000000
/sbin/mkfs.ext3 /dev/tmpDIR
cp -Rpf /tmp /tmpbak

Mount /tmp directory

mount -o loop,noexec,nosuid,rw /dev/tmpDIR /tmp

Adjust permissions on /tmp directory

chmod 1777 /tmp

Copy backup files back to /tmp directory

cd /tmpbak
cp -Rpf * /tmp/

Add the following line to /etc/fstab file

/dev/tmpDIR /tmp	 ext3	loop,nosuid,noexec,rw	 0 0

Secure /var/tmp

mv /var/tmp /var/tmpbak
ln -s /tmp /var/tmp
cp -pR /var/tmpbak/* /tmp

The other way is to mount it on tmpfs
Add below to your /etc/fstab file

tmpfs /tmp tmpfs size=512m,loop,nosuid,noexec,mode=1777,rw 0 0
tmpfs /dev/shm	tmpfs	defaults,nodev,nosuid,noexec	0 0
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Basic ssh security on Linux servers with password based authentication

September 25, 2017 Hacking defence

Most common are dictionary attacks against an SSH server. The attacker uses the fact that SSH servers usually offer their services on port 22 and that every Linux server has a root account. This can easily be mitigated by few simple steps.

  • Disable root login
  • Configure non-default port for SSH to listen on
  • Allow specific users only to log in on SSH
  • Disable root login

    vi /etc/ssh/sshd_config
    #PermitRootLogin yes
    PermitRootLogin no
    systemctl restart sshd

    Configure non-default port for SSH to listen on

    vi /etc/ssh/sshd_config
    #Port 22
    Port 222
    systemctl restart sshd

    Note: if selinux is running you may need to make some adjustments

    semanage port -a -t ssh_port_t -p tcp 2022 

    Note: correct firewall port also must be open

    firewall-cmd --add-port=222/tcp --permanent

    Allow specific users only to log in on SSH

    vi /etc/ssh/sshd_config
    AllowUsers user1 user2 user3
    systemctl restart sshd

    Note: this is good option to restrict only specific users to be able to login it will overwrite PermitRootLogin option and will still allow to su as root.

    How to use firewalld

    April 7, 2017 Hacking defence

    How to restrict access to port from specific source IP

    firewall-cmd --permanent --zone=public --add-rich-rule='
      rule family="ipv4"
      source address=""
      port protocol="tcp" port="3000" accept'
    cat /etc/firewalld/zones/public.xml
    firewall-cmd --reload

    Intrusion Detection Systems

    November 21, 2016 Hacking defence

    Intrusion Detection System or IDS is a system that gathers and analyse information that passes across the network or host. It is designed to report or stop any violation or misuse. In its core IDS is a packet sniffer with set of rules build into it.

    DOS Basic defence

    November 8, 2016 Hacking defence

    Some of the basic defensive strategies against DOS include but not limited to:

    Run postfix in chrooted environment on Linux systems

    September 28, 2016 Hacking defence

    In some cases you will want to secure postfix by running it in chrooted environment. he processes run at a fixed low privilege and with file system access limited to the Postfix queue directories (/var/spool/postfix). This provides a significant barrier against intrusion.