
#1 2016-07-03 23:23:18

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Simple instructions for securing your BunsenLabs installation

Hey everyone,

The one thing I do immediately after installing any operating system into any hardware (or even a VM!) is to secure it. By default, Windows and OSX have certain "de facto" protections in place which are actually pretty effective. We fans of linux, gnu, FOSS, or what have you, prefer doing things our own way, which oftentimes means that additional security precautions must be adhered to through manual configurations.

What this howto is: A simple yet robust way to harden your OS through a combination of firewall, IDS (intrusion detection system), log monitoring, and malware/rootkit monitoring.

What this howto isn't: A cure-all or panacea for cyber security issues. It's a relatively secure starting point.

Considerations: We will lock down everything that "comes with" a baseline BunsenLabs installation. That includes server daemons installed as options in bl-welcome (apache2, sshd, mysql). If you don't install any of these options, you can probably skip most of this and focus simply on the firewall portion. Additionally, we will assume everyone is using bog standard port definitions (80/443 for apache2, 22 for ssh).

Steps:

  1. Firewall - ufw

  2. MySQL hardening

  3. Securing phpMyAdmin

  4. Intrusion Detection System (IDS) - fail2ban

  5. Log monitoring - psad

  6. Malware / rootkit monitoring - rkhunter

Step 1 - Firewall - ufw

Q - What is ufw?
A - ufw is, in my own words, a human readable interpretation and interface for dealing with iptables.

Install ufw

sudo apt-get update
sudo apt-get install ufw

Turn ufw on

sudo ufw enable

This will turn ufw on for this session and all future sessions. To learn how to dynamically enable/disable, see the ufw manpage.

Let's see what rules are in place now, with

sudo ufw status verbose

Likely there are no rules. We'll have to configure them. The first thing we'll want to do is blanket deny incoming traffic while blanket allowing outgoing traffic.

sudo ufw default deny incoming
sudo ufw default allow outgoing

You may want to check the status to see if your rules are in place.

If you don't want to run any servers like ssh or apache2, you can wrap it up here!

Next, let's allow ssh connections.

sudo ufw allow ssh

Moving on, we will allow apache2

sudo ufw allow www
sudo ufw allow https

IF you want to allow FTP connections, which I highly discourage, you can also

sudo ufw allow ftp

ufw is a very robust piece of software, and I recommend further reading if you'd like to learn how to create custom rulesets. For now, we've reached the extent of the "basic" level instructions which should work for most people.

Step 2 - MySQL Hardening

Naming convention - for the purposes of this howto, MySQL and mariadb should more than likely be completely synonymous.

By default MySQL has some security issues which we'll need to remedy before they are exploited. I won't get into detail what they are, because the intent of this howto is simply to secure your system quickly.

First, let's create a directory layout for our databases

sudo mysql_install_db

Next, we can secure it with a handy script

sudo mysql_secure_installation

During this portion, make sure you set smart and sane passwords. You should be able to answer "Y" for yes to all questions. This will take away the anonymous user, among other things.

Next, let's make sure that mysql is only accepting connections from our own local machine's loopback device.

sudo nano /etc/mysql/my.cnf

Under the [mysqld] heading, make sure the following is set

bind-address = 127.0.0.1

Optional but recommended step: Let's disable exposure of the local underlying filesystem. Make sure the following option is set

local-infile=0

There is a lot more you can do to turn on more verbose logging and point a monitor at the logs, however this should be sufficient for most. I still recommend further reading and research.

Step 3 - Securing phpMyAdmin

If you've got a full LAMP stack installed, phpMyAdmin is probably something that's pretty handy to have. Personally, I think it exposes you to some security risk, but it is very useful. My recommendation is that if you choose to use it, you do so as smartly and securely as possible. This portion of the howto will help with taking some security precautions.

First, let's make sure phpmyadmin is installed

sudo apt-get update
sudo apt-get install phpmyadmin

Make sure you select apache2 in the configuration. Additionally, say yes when it asks if you want to use dbconfig-common. Next, you'll be prompted for the secure password for the MySQL administrator (which we set in the MySQL hardening portion). Finally, you can set a unique password strictly for the phpMyAdmin administrator. Recommendation here is to use something secure yet different from your database admin password.

Next, we'll enable the php5-mcrypt extension and bounce apache2 so it picks it up.

sudo php5enmod mcrypt
sudo service apache2 restart

Open up a web browser and point it to http://localhost/phpmyadmin

Once there, log in as the phpMyAdmin admin user. We need to further secure this because it is a common target for attackers.

What we're going to do is enable .htaccess authentication in apache2. Again, this doc is surface level, so we won't get into detail what it does. Further reading recommended!

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

Under the <Directory /usr/share/phpmyadmin> section, add a line that says AllowOverride All. For example, the top several lines of that section should resemble something like

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All

Go ahead and bounce apache2 so it picks up the configuration change.

sudo service apache2 restart

Now we will create an .htaccess file. This will make apache2 require a password which it will compare to an encrypted password on disk before it grants access to the incoming GET request coming from a web browser. Basically, it password protects the web page being served.

sudo nano /usr/share/phpmyadmin/.htaccess

Inside this file, enter the following

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

We've created the .htaccess file, and now we need to create the encrypted password in /etc/phpmyadmin/.htpasswd. We'll need to install apache2-utils

sudo apt-get update
sudo apt-get install apache2-utils

And let's create the .htpasswd file

sudo htpasswd -c /etc/phpmyadmin/.htpasswd username

Replace username above with whatever you want to use. This username is arbitrary and not tied to any other resource anywhere else; you can use your own name or make up some gibberish. Just remember what it is.

Now when you try to hit phpMyAdmin in a web browser, you'll get a username/password prompt before phpMyAdmin's own internal login screen. This additional layer of security is highly recommended and quite secure.

Step 4 - Intrusion Detection System (IDS) - fail2ban

Q - What is fail2ban?
A - My own personal summary is that you can think of fail2ban as a service that creates firewall rules on the fly. It monitors incoming connection attempts and smartly bans IPs. It's so effective at doing so that properly configured it could actually speed up your network connectivity. We will be configuring it at a very basic level. Further reading and research is recommended.

Install fail2ban

sudo apt-get update
sudo apt-get install fail2ban

Configure fail2ban for your servers. We will create our own local settings, because when fail2ban updates, the bundled jail.conf will be overwritten. We want our changes to be sticky so we will use an alternate configuration file. That said, in the future, always work with jail.local instead of jail.conf!

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Let's change some settings in this file. First we'll whitelist our own local machine

ignoreip = 127.0.0.1/8

We'll skip over some of the minutiae here, but read the configuration file. You can (optionally) set up mailing and configure specific ban times. It's quite intuitive and probably outside the scope of this howto beyond most defaults therein. We'll focus on individual services. Scroll down in the file and find any services we've installed (SSH, for example). Just make the "enabled" line set to "true" for each service. Finally, let's take a look at our IPTABLES

sudo iptables -S

And then we can turn fail2ban on

sudo service fail2ban start

And after several minutes, we can check our IPTABLES to see that fail2ban entries have been created

sudo iptables -S

You can test banning policies, but once again, further reading encouraged. Otherwise you can expect these settings to most likely be working fine.

FURTHER STEPS COMING SOON...

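A check to run once the steps above are done, added here as an example and not part of cloverskull's post: it reads the three files the howto edits and confirms that each setting landed in the right section, which is where a hand-edit most often goes wrong (a bind-address under [client], a commented-out local-infile, the wrong jail name). It is a POSIX shell script; so that it runs anywhere it is exercised against constructed sample copies of my.cnf, jail.local and .htaccess written to a temporary directory. On a real box you would point it at /etc/mysql/my.cnf, /etc/fail2ban/jail.local and /usr/share/phpmyadmin/.htaccess (the paths the post uses). The jail name [ssh] is an assumption: that is what the Debian package of that era uses, newer fail2ban releases call it [sshd], so check your own jail.local.

```shell
#!/bin/sh
# Added example, not taken from the post: audit the settings the howto
# tells you to change. Exercised against constructed sample files below;
# on a real system pass the live paths named in the lead-in instead.

# ini_get FILE SECTION KEY
# Prints the value of KEY inside [SECTION] (last occurrence wins), exits 1
# if it is not set there. Section-aware, so a bind-address under [client]
# does not pass for one under [mysqld]; comment lines are ignored.
ini_get() {
  awk -v want="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { gsub(/[][ \t]/, ""); sec = $0; next }
    sec == want && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { val = v; found = 1 }
    }
    END { if (found) { print val; exit 0 } exit 1 }
  ' "$1"
}

# mysql_check MYCNF -> 0 when mysqld listens on loopback only and
# LOAD DATA LOCAL INFILE is disabled; 1 otherwise, with the reason printed.
# An unset bind-address means "all interfaces", an unset local-infile means
# "enabled", so both must be present and correct.
mysql_check() {
  bind=$(ini_get "$1" mysqld bind-address) || bind="(unset)"
  infile=$(ini_get "$1" mysqld local-infile) || infile="(unset)"
  rc=0
  [ "$bind" = "127.0.0.1" ] || { echo "bind-address is $bind, expected 127.0.0.1"; rc=1; }
  [ "$infile" = "0" ]       || { echo "local-infile is $infile, expected 0"; rc=1; }
  return $rc
}

# jail_enabled JAILLOCAL JAIL -> 0 when [JAIL] has enabled = true
jail_enabled() {
  [ "$(ini_get "$1" "$2" enabled)" = "true" ]
}

# htaccess_check FILE -> 0 when the file demands HTTP Basic auth for every
# request (AuthType Basic plus Require valid-user), as Step 3 sets up.
htaccess_check() {
  grep -Eqi '^[[:space:]]*AuthType[[:space:]]+Basic' "$1" &&
  grep -Eqi '^[[:space:]]*Require[[:space:]]+valid-user' "$1"
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

# Constructed my.cnf as it looks before hardening: listening everywhere,
# local-infile not mentioned (so enabled).
cat > "$TMP/my.cnf.weak" <<'EOF'
[client]
port = 3306

[mysqld]
user = mysql
bind-address = 0.0.0.0
EOF

# Constructed my.cnf after the changes in Step 2
cat > "$TMP/my.cnf.hardened" <<'EOF'
[client]
port = 3306

[mysqld]
user = mysql
bind-address = 127.0.0.1
local-infile=0
EOF

# Constructed jail.local fragment (jail name [ssh] assumed, see lead-in)
cat > "$TMP/jail.local" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8
findtime = 600
maxretry = 3

[ssh]
enabled = true
port = ssh

[apache]
enabled = false
EOF

# Constructed copy of the .htaccess from Step 3
cat > "$TMP/htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user
EOF

echo "weak my.cnf:";     mysql_check "$TMP/my.cnf.weak" || echo "-> FAIL (expected)"
echo "hardened my.cnf:"; mysql_check "$TMP/my.cnf.hardened" && echo "-> ok"
jail_enabled "$TMP/jail.local" ssh    && echo "ssh jail enabled"
jail_enabled "$TMP/jail.local" apache || echo "apache jail disabled"
htaccess_check "$TMP/htaccess"        && echo ".htaccess requires a valid user"
```

After restarting mysql on the real machine, pair `mysql_check /etc/mysql/my.cnf` with `ss -ltn` (or `netstat -ltn`) to confirm that 3306 is bound to 127.0.0.1 only; the config check tells you what the file says, the socket listing tells you what the daemon actually did with it.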

#2 2016-07-04 07:01:39

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Re: Simple instructions for securing your BunsenLabs installation

Placeholder for more info


#3 2016-07-04 07:02:31

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Re: Simple instructions for securing your BunsenLabs installation

Placeholder #2 for more info


#4 2016-07-12 09:54:57

ohnonot
...again
Registered: 2015-09-29
Posts: 5,592

Re: Simple instructions for securing your BunsenLabs installation

thanks for the quick how-to!

a question:
i notice in /etc/fail2ban/jail.local:

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 3

my interpretation is that if i for example ssh into my server more than 3 times within 10 minutes, i get banned.
is this interpretation correct?
it seems way too strict to me.

