
8/10/2019 securedebina1.pdf

Debian 7 Wheezy Dedicated Web Server Setup Step by Step

May 16th, 2013

About the author: Christos Pontikis, pontikis.net Tech blog & Web labs

Debian 7.0 Wheezy was officially released on May 4, 2013. Wheezy is powered by Linux kernel 3.2 and has multiarch support. Concerning LAMP software, Apache 2.2.22, MySQL 5.5.30 and PHP 5.4.4 are included. Debian 7 ships systemd as an optional init system (sysvinit remains the default). More information here.

In this post I describe a dedicated server setup, using Debian Wheezy. It is a Hetzner EX4S dedicated server with IP 144.76.70.100. My blog, my company website and some other web projects will be hosted on this server.

I use Dyn.com for all my DNS and e-mail needs, so I will not set up a bind name server or a full blown mail server. The default Debian MTA (exim4) is enough for the server to send emails.

I selected a minimal Debian amd64 server (basic Debian system and SSH). Thanks to the Hetzner staff, the server was up and running in less than an hour. As usual, they sent me the IP and root password. Below I describe the whole procedure after this point.

Connect using SSH

This is the first and should be the last time you are remotely connected to the server as root:

    ssh 144.76.70.100 -l root

Change root password

The root password arrived by e-mail from the provider, so change it before anything else. Use:

    passwd

Debian 7 Wheezy Dedicated Web Server Setup St... http://www.pontikis.net/blog/debian-wheezy-we
1 of 19 16/10/2014 20

Remove /robot.sh

This step concerns only Hetzner servers. /etc/rc2.d/S99Zrobot (a symbolic link to /robot.sh) is just for reporting a successful install and should normally have been removed immediately. Remove both in case they have not been removed automatically. If /robot.sh is present, apt-get will fail with the following message:

    insserv: warning: script 'S99Zrobot' missing LSB ...

Use:

    mv /robot.sh /robot.sh.bak
    rm /etc/rc2.d/S99Zrobot

Perform a full system update

Using apt-get:

    apt-get update && apt-get -V upgrade

Update files database

Use:

    updatedb

Color Bash prompt

To add color to the bash prompt, you can follow this guide, where a global solution is provided (recommended).

As an alternative:

To add color to the common user prompt:

    cd /home/pontikis
    nano .bashrc

uncomment #force_color_prompt=yes:

    ...
    force_color_prompt=yes
    ...

To add red color to the root prompt (a visible reminder that the shell is running as root):

    cd /root

    nano .bashrc

Set PS1 as follows:

    PS1='${debian_chroot:+($debian_chroot)}\[\033[01; ...

Also, find "# You may uncomment the following lines if you want `ls' to be colorized:" and uncomment the following lines.

To see the changes you have to log off and log in again, or go to your home directory and give:

    . .bashrc

Customize nano text editor

Use:

    nano /etc/nanorc

To constantly display the cursor position (line and column) in the status bar, uncomment "# set const" so that it reads:

    set const

Install systemd

Using apt-get:

    apt-get install systemd

Modify GRUB_CMDLINE_LINUX_DEFAULT adding init=/bin/systemd:

    nano /etc/default/grub

    GRUB_CMDLINE_LINUX_DEFAULT="nomodeset init=/bin/systemd"

Update grub and reboot:

    update-grub && reboot

The systemctl commands used in the rest of this post assume the server has been rebooted with systemd as init; with sysvinit, use the equivalent "service NAME restart".

Install ntp (Network Time Protocol)

Using apt-get:

    apt-get install ntp

Set server timezone

Using dpkg:

    dpkg-reconfigure tzdata

From http://wiki.debian.org/TimeZoneChanges:

    Restarting Daemons and Long-Running Programs

    After the zoneinfo files are updated, you may need to restart daemons and other long-running programs to get them to use the new zone information. Examples of such programs include apache, bind, cron, fetchmail -d, inetd, mailman, sendmail, and sysklogd. A common symptom of this problem is seeing incorrect timestamps mixed in with the correct timestamps in your log files (e.g. /var/log/syslog). Even interactive programs like "mutt" may continue to use the old timezone information until they are restarted.

For example, restart cron:

    systemctl restart cron.service

An easier way is to restart your system:

    reboot

REMARK: Server date and time settings are very important for services like Amazon S3 backup, OpenVPN, NFS etc, where "client" and "server" machines must have the same settings.

Install webmin

Add the following lines to /etc/apt/sources.list:

    deb http://download.webmin.com/download/repositor...
    deb http://webmin.mirror.somersettechsolutions.co...

Add apt key:

    cd /root
    wget http://www.webmin.com/jcameron-key.asc
    apt-key add jcameron-key.asc

Finally:

    apt-get update
    apt-get install webmin

REMARK: the key is fetched over plain HTTP, and apt-key add makes it trusted for every repository on the system, not only Webmin's. Compare its fingerprint (gpg --with-fingerprint jcameron-key.asc) with the one published by the Webmin project before adding it.

Create common user

You can use the webmin interface (recommended).

Otherwise, you can use the adduser script:

    adduser pontikis
    Adding user `pontikis' ...
    Adding new group `pontikis' (1001) ...
    Adding new user `pontikis' (1001) with group `pontikis' ...
    Creating home directory `/home/pontikis' ...
    Copying files from `/etc/skel' ...
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
    Changing the user information for pontikis
    Enter the new value, or press ENTER for the default
            Full Name []: Christos Pontikis
            Room Number []:
            Work Phone []:
            Home Phone []:
            Other []:
    Is the information correct? [Y/n] y

or the original linux commands:

    groupadd pontikis
    useradd -m -g pontikis -s /bin/bash pontikis
    passwd pontikis

It is also important to create a Webmin user (pontikis in my case), to avoid logging in to Webmin as root.

Harden SSH

Edit the SSH configuration:

    nano /etc/ssh/sshd_config

Make the following changes:

    ...
    PermitRootLogin no
    ...
    X11Forwarding no
    ...
    AllowUsers pontikis ...
    ...

Restart SSH:

    systemctl restart ssh.service

Keep the current root session open until a new login as pontikis succeeds, so that a typo in sshd_config cannot lock you out of the server.

SSH key based authentication

To connect from the workstation to the server machine, add your public key to the server:

    ssh-copy-id -i ~/.ssh/id_rsa.pub 144.76.70.100

Once the key login works, you can also set "PasswordAuthentication no" in sshd_config and restart SSH, so that password guessing against port 22 has nothing to guess.
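As an added example (not code from the original post), here is a small checker that reads an sshd_config and reports whether the directives changed in this section are actually in effect. sshd takes the first value it finds for a keyword, so a "PermitRootLogin yes" left higher up in the file wins over one appended at the end; the checker follows the same rule. It assumes POSIX sh and awk, the "Keyword value" syntax without Match blocks, and the sample file it builds is constructed here, not taken from a real server. It also checks PasswordAuthentication, which the post does not set, because that is the natural next step once ssh-copy-id has worked.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# directives this section sets, before sshd is restarted. sshd uses the FIRST
# value it finds for a keyword (sshd_config(5)), so a stray "PermitRootLogin yes"
# earlier in the file silently wins over one appended at the end; the checker
# follows the same rule. Assumptions: POSIX sh + awk, "Keyword value" syntax
# (not "Keyword=value"), no Match blocks; the file path is passed as $1.

# sshd_get FILE KEYWORD -> effective value of KEYWORD ("" if never set)
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == tolower(key) {              # keywords are case-insensitive
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")        # drop the keyword, keep the value
            sub(/[ \t]+$/, "")                     # and any trailing whitespace
            print; exit                            # first occurrence wins
        }' "$1"
}

# sshd_audit FILE -> one line per check; returns 1 if any check fails
sshd_audit() {
    f=$1; rc=0
    # keyword|regex the (lower-cased) value must match|what is expected
    for spec in \
        'PermitRootLogin|^no$|no' \
        'X11Forwarding|^no$|no' \
        'AllowUsers|.|an explicit user list' \
        'PasswordAuthentication|^no$|no, once key login works'
    do
        key=${spec%%|*}; rest=${spec#*|}
        want=${rest%%|*}; hint=${rest#*|}
        val=$(sshd_get "$f" "$key")
        if [ -n "$val" ] && printf '%s\n' "$val" | tr 'A-Z' 'a-z' | grep -Eq "$want"; then
            printf 'ok    %s %s\n' "$key" "$val"
        else
            printf 'FAIL  %s %s (expected: %s)\n' "$key" "${val:-<unset>}" "$hint"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed file that mimics the edited config from this section
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin no
X11Forwarding no
AllowUsers pontikis
#PasswordAuthentication no
EOF
sshd_audit "$SAMPLE" || echo "fix sshd_config before 'systemctl restart ssh.service'"
rm -f "$SAMPLE"
```

Run it as "sshd_audit /etc/ssh/sshd_config" on the server (the file is readable only by root on Debian). The demo file deliberately leaves PasswordAuthentication commented out, so the last check fails and the reminder is printed.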

Change hostname

Add the hostname (cosmos.medisign.com in my case) to /etc/hostname and /etc/hosts, so the local address(es) resolve with the new system name, and reboot.

Harden kernel using /etc/sysctl.conf

It was a pleasant surprise to see that the Hetzner default installation already included important changes to /etc/sysctl.conf:

    ### Hetzner Online AG installimage
    # sysctl config
    #net.ipv4.ip_forward=1
    net.ipv4.conf.all.rp_filter=1
    net.ipv4.icmp_echo_ignore_broadcasts=1
    # ipv6 settings (no autoconfiguration)
    net.ipv6.conf.default.autoconf=0
    net.ipv6.conf.default.accept_dad=0
    net.ipv6.conf.default.accept_ra=0
    net.ipv6.conf.default.accept_ra_defrtr=0
    net.ipv6.conf.default.accept_ra_rtr_pref=0
    net.ipv6.conf.default.accept_ra_pinfo=0
    net.ipv6.conf.default.accept_source_route=0
    net.ipv6.conf.default.accept_redirects=0
    net.ipv6.conf.default.forwarding=0
    net.ipv6.conf.all.autoconf=0
    net.ipv6.conf.all.accept_dad=0
    net.ipv6.conf.all.accept_ra=0
    net.ipv6.conf.all.accept_ra_defrtr=0
    net.ipv6.conf.all.accept_ra_rtr_pref=0
    net.ipv6.conf.all.accept_ra_pinfo=0
    net.ipv6.conf.all.accept_source_route=0
    net.ipv6.conf.all.accept_redirects=0
    net.ipv6.conf.all.forwarding=0

I will only add:

    net.ipv4.tcp_syncookies = 1

Just in case, the default Debian /etc/sysctl.conf is a text file with all extra settings commented out. See here.

If you want to make changes, you have two options:

First method (recommended): create a file /etc/sysctl.d/local.conf and reboot (or apply it immediately with "sysctl -p /etc/sysctl.d/local.conf").

Alternative method: make direct changes to /etc/sysctl.conf and activate them with "sysctl -p" (without reboot).

The contents of /etc/sysctl.d/local.conf should be (the second comment line is cut off in the source and is marked with "..."):

    # Turn on Source Address Verification in all interfaces to
    # prevent some spoofing attacks
    #net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1

    # ADD THE LINE
    # ignore echo broadcast requests to prevent bein...
    net.ipv4.icmp_echo_ignore_broadcasts=1

    # Uncomment the next line to enable TCP/IP SYN cookies
    # See http://lwn.net/Articles/277146/
    # Note: This may impact IPv6 TCP sessions too
    #net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_syncookies=1

    # ipv6 settings (no autoconfiguration)
    net.ipv6.conf.default.autoconf=0
    net.ipv6.conf.default.accept_dad=0
    net.ipv6.conf.default.accept_ra=0
    net.ipv6.conf.default.accept_ra_defrtr=0
    net.ipv6.conf.default.accept_ra_rtr_pref=0
    net.ipv6.conf.default.accept_ra_pinfo=0
    net.ipv6.conf.default.accept_source_route=0
    net.ipv6.conf.default.accept_redirects=0
    net.ipv6.conf.default.forwarding=0
    net.ipv6.conf.all.autoconf=0
    net.ipv6.conf.all.accept_dad=0
    net.ipv6.conf.all.accept_ra=0
    net.ipv6.conf.all.accept_ra_defrtr=0
    net.ipv6.conf.all.accept_ra_rtr_pref=0
    net.ipv6.conf.all.accept_ra_pinfo=0
    net.ipv6.conf.all.accept_source_route=0
    net.ipv6.conf.all.accept_redirects=0
    net.ipv6.conf.all.forwarding=0

Whichever method you use, read the values back afterwards (for example "sysctl net.ipv4.tcp_syncookies"): a typo in a key name, or a key that does not exist on the running kernel, is skipped without stopping the rest of the file from being applied.
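As an added example, not from the original post: /etc/sysctl.d is applied at boot (or by "sysctl -p FILE"), and a key the running kernel does not have is skipped silently, so the only real check is to read /proc/sys back. The checker below compares every key in a sysctl.d file with the live value. Its second argument, the root of the sysctl tree, is an assumption made so that it can be exercised against a constructed directory without root; on the server, omit it and /proc/sys is used.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every setting in a
# sysctl.d file is what the running kernel actually uses. Assumptions: POSIX sh;
# $2 is the root of the sysctl tree, default /proc/sys, overridable so the
# function can be exercised on a constructed tree without root.

# sysctl_live KEY [ROOT] -> running value of KEY, "" if the key does not exist
sysctl_live() {
    root=${2:-/proc/sys}
    path=$root/$(printf '%s' "$1" | tr . /)      # net.ipv4.ip_forward -> net/ipv4/ip_forward
    if [ -r "$path" ]; then
        tr '\t' ' ' <"$path" | sed 's/[[:space:]]*$//'   # multi-value keys are tab separated
    fi
}

# sysctl_audit CONF [ROOT] -> one line per setting; returns 1 if any differs
sysctl_audit() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # strip comments
        case $line in *=*) ;; *) continue ;; esac   # skip blank or malformed lines
        key=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        have=$(sysctl_live "$key" "$root")
        if [ "$have" = "$want" ]; then
            printf 'ok    %s = %s\n' "$key" "$have"
        else
            printf 'DIFF  %s = %s (file says %s)\n' "$key" "${have:-<no such key>}" "$want"
            rc=1
        fi
    done <"$conf"
    return $rc
}

# Demo on a constructed tree standing in for /proc/sys, and a constructed conf:
# syncookies are live, rp_filter was never applied, and IPv6 is absent.
ROOT=$(mktemp -d); CONF=$(mktemp)
mkdir -p "$ROOT/net/ipv4/conf/all" "$ROOT/net/ipv6/conf/all"
echo 1 >"$ROOT/net/ipv4/tcp_syncookies"
echo 0 >"$ROOT/net/ipv4/conf/all/rp_filter"
cat >"$CONF" <<'EOF'
# constructed excerpt of /etc/sysctl.d/local.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter=1
net.ipv6.conf.all.accept_redirects=0
EOF
sysctl_audit "$CONF" "$ROOT" || echo "apply with: sysctl -p /etc/sysctl.d/local.conf, then re-check"
rm -rf "$ROOT" "$CONF"
```

On the server, "sysctl_audit /etc/sysctl.d/local.conf" needs no privileges, since /proc/sys is world-readable; a DIFF line for an IPv6 key on a kernel with IPv6 disabled is expected and harmless.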

Install exim4 MTA

Using apt-get:

    apt-get install exim4

Configure exim:

    dpkg-reconfigure exim4-config

Change the default option "local delivery only" to "internet site".

Set the system mail name (cosmos.medisign.com in my case).

Accept the default settings in the remaining steps. With the defaults, exim relays mail only for local users (the "machines to relay mail for" list is empty), so "internet site" does not turn the server into an open relay; it is needed here only so that outgoing mail carries a proper hostname.

Forward root mail

It is important, as various software and services send mail to inform root of results or errors (cron for example).

    nano /etc/aliases

    ...
    root: [email protected]

Then, rebuild the aliases database:

    newaliases

iptables firewall

Using webmin (click the thumb for the full image), or using the command line. This is just an example with the most common rules:

    nano /etc/iptables.up.rules

    # Generated by iptables-save v1.4.14 on Fri May 17 20:09:12 2013
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [189:103951]
    -A INPUT ! -i eth0 -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -m state --state RELATED -j ACCEPT
    -A INPUT -p udp -m udp --sport 53 --dport 1024:6...
    -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp -m multiport --dports 25,...
    -A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
    -A INPUT -j LOG
    -A FORWARD -j LOG
    COMMIT
    # Completed on Fri May 17 20:09:12 2013
    # Generated by iptables-save v1.4.14 on Fri May 17 20:09:12 2013
    *mangle
    :PREROUTING ACCEPT [49770:4531554]
    :INPUT ACCEPT [49770:4531554]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [48931:39133213]
    :POSTROUTING ACCEPT [48931:39133213]
    COMMIT
    # Completed on Fri May 17 20:09:12 2013
    # Generated by iptables-save v1.4.14 on Fri May 17 20:09:12 2013
    *nat
    :PREROUTING ACCEPT [4223:278291]
    :INPUT ACCEPT [1650:94585]
    :OUTPUT ACCEPT [2836:192019]
    :POSTROUTING ACCEPT [2836:192019]
    COMMIT
    # Completed on Fri May 17 20:09:12 2013

(Two rules are cut off in the source and are marked with "...".)

REMARK: the rules "-A INPUT -j LOG" and "-A FORWARD -j LOG" force iptables to keep a log and are needed if psad is used. See details in this post. Without "-m limit" on those rules, a port scan or flood writes one syslog line per dropped packet; psad works with a rate-limited LOG rule as well.

REMARK: the rule "-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT" accepts every TCP segment with the ACK flag set before any port check, so ACK scans and other crafted segments reach closed ports as well. The ESTABLISHED and RELATED rules already accept the replies of legitimate connections, so this rule can simply be removed. Note also that port 22 and the Webmin range 10000:10010 are open to the whole internet here; if you administer the server from a fixed address, add "-s <your admin IP or network>" to those two rules.

To load these rules into the iptables firewall:

    iptables-restore < /etc/iptables.up.rules

To save the active iptables firewall rules:

    iptables-save > /etc/iptables.up.rules

To load these rules on startup, add to the eth0 interface:

    nano /etc/network/interfaces

    ...
    post-up iptables-restore < /etc/iptables.up.rules

Using "pre-up" instead of "post-up" loads the rules before the interface comes up, which closes the short window during boot in which the server is reachable without a firewall.
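Added example, not code from the original post: a linter for an iptables-save file that flags the three points raised in the remarks above (the blanket ACK rule, the unthrottled LOG rules and the management ports open to every source), run against a reconstructed excerpt of the ruleset, plus a generator that emits the same services with those points fixed. It needs only POSIX sh and grep, no iptables binary and no root; eth0 and the admin network 203.0.113.0/24 are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: lint an iptables-save file for the
# weak spots discussed above, and emit a tightened equivalent. Assumptions:
# POSIX sh + grep only (no iptables binary, no root); eth0 and 203.0.113.0/24
# are constructed placeholders for the public interface and the admin network.

# iptables_lint FILE -> one WARN line per finding; returns 1 if there is any
iptables_lint() {
    f=$1; rc=0
    # 1. "--tcp-flags ACK ACK -j ACCEPT" admits every segment with ACK set before
    #    the port rules run, so ACK scans and crafted segments reach closed ports.
    if grep -Eq -- '--tcp-flags[[:space:]]+ACK[[:space:]]+ACK[[:space:]]+-j[[:space:]]+ACCEPT' "$f"; then
        echo "WARN blanket '--tcp-flags ACK ACK -j ACCEPT' rule; ESTABLISHED,RELATED already admits replies"
        rc=1
    fi
    # 2. An unthrottled LOG target lets a scan or flood fill syslog.
    if grep -E -- '-j[[:space:]]+LOG' "$f" | grep -vq -- '-m limit'; then
        echo "WARN -j LOG without '-m limit'; psad still sees the drops, just fewer under a flood"
        rc=1
    fi
    # 3. Management ports accepted from any source address.
    for port in 22 10000; do
        if grep -E -- "--dport[[:space:]]+$port(:[0-9]+)?[[:space:]]" "$f" | grep -vq -- '-s '; then
            echo "WARN port $port accepted from anywhere; add -s <admin network>"
            rc=1
        fi
    done
    return $rc
}

# iptables_rules IFACE ADMIN_CIDR -> iptables-restore input for this web server:
# stateful only, admin ports limited to ADMIN_CIDR, rate-limited logging.
# Lines starting with "#" are comments to iptables-restore.
iptables_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i $1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT
# management: SSH and Webmin only from the admin network
-A INPUT -s $2 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s $2 -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# public services
-A INPUT -p tcp -m multiport --dports 25,80,443 -j ACCEPT
# ident: answer with a reset so remote MTAs do not wait for a timeout
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "iptables-drop: "
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "iptables-fwd: "
COMMIT
EOF
}

# Demo: the lines of the post's ruleset the linter cares about, as sample input
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
-A INPUT -j LOG
-A FORWARD -j LOG
COMMIT
EOF
echo "== findings in the original ruleset"; iptables_lint "$SAMPLE" || true
rm -f "$SAMPLE"
echo "== tightened ruleset (review, save as /etc/iptables.up.rules, then iptables-restore < it)"
iptables_rules eth0 203.0.113.0/24
```

The generated file keeps the services of the original (SSH, Webmin, SMTP, HTTP/HTTPS, ident, ping) but relies on the state table for replies, which also makes the separate DNS-reply and ICMP reply rules unnecessary. Test it from a second session before putting it in /etc/network/interfaces, since a wrong admin network locks you out.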

MySQL community database server

Using apt-get:

    apt-get install mysql-server

After installation, run:

    mysql_secure_installation

mysql_secure_installation sets a root password (if one does not exist), removes anonymous users, disables non-local root access, removes the test database and the access rules related to it, and finally reloads privileges.

REMARK: restart MySQL using "systemctl restart mysql.service".

Install Apache web server

Using apt-get:

    apt-get install apache2 apache2-mpm-prefork

Enable mod_rewrite and mod_deflate (gzip compression):

    a2enmod rewrite
    a2enmod deflate

Config virtual hosts (settings may vary according to your needs)

Add your IP:

    nano /etc/apache2/ports.conf

    NameVirtualHost 144.76.70.100:80

Create virtual hosts. This is just an example (the <VirtualHost> and <Directory> tags were lost in the source and are restored here, with the Directory block scoped to the DocumentRoot; lines cut off in the source are marked with "..."):

    nano /etc/apache2/sites-available/www.pontikis.net

    <VirtualHost 144.76.70.100:80>
        ServerName www.pontikis.net
        ServerAdmin [email protected]
        DocumentRoot /var/www/pontikis.net

        <Directory /var/www/pontikis.net>
            Options FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/pontikis.net_error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/pontikis.net_acces...

        ErrorDocument 404 /404/

        SetOutputFilter DEFLATE
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|...
        SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|b...
        SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    </VirtualHost>

Enable the site:

    a2ensite www.pontikis.net

Restart Apache:

    systemctl restart apache2.service

Awstats log analyzer

Using apt-get:

    apt-get install awstats

Details in a future post soon.

php

Using apt-get:

    apt-get install php5

Enable the php error log. The log file must be writable by Apache. So:

    mkdir /var/log/php
    chown www-data /var/log/php

Edit php.ini:

    nano /etc/php5/apache2/php.ini

uncomment ;error_log:

    error_log = /var/log/php/php_errors.log

Remember to rotate /var/log/php/php_errors.log:

    nano /etc/logrotate.d/php

add the following:

    /var/log/php/php_errors.log {
        weekly
        missingok
        rotate 4
        notifempty
        create
    }

Install MySQL Native Driver (mysqlnd)

Using apt-get:

    apt-get install php5-mysqlnd

REMARK: If, for any reason, you don't want mysqlnd, try "apt-get install php5-mysql" instead.

Install php adodb extension:

    apt-get install php5-adodb

Install php GD library:

    apt-get install php5-gd

Config mbstring:

    nano /etc/php5/conf.d/mbstring-settings.ini

    [mbstring]
    mbstring.language = English
    mbstring.internal_encoding = UTF-8
    mbstring.encoding_translation = On
    mbstring.http_input = UTF-8,SJIS,EUC-JP
    mbstring.http_output = UTF-8
    mbstring.detect_order = UTF-8,ASCII,JIS,SJIS,EUC-...
    mbstring.substitute_character = none
    mbstring.func_overload = 0

Harden PHP setup (settings may vary according to your needs):

    nano /etc/php5/conf.d/security.ini

    allow_url_include = Off
    allow_url_fopen = Off
    session.use_only_cookies = 1
    session.cookie_httponly = 1
    expose_php = Off
    display_errors = Off
    register_globals = Off
    disable_functions = escapeshellarg, escapeshellc...

REMARK: register_globals was removed in PHP 5.4, so that line is redundant on Wheezy, though harmless. In disable_functions, escapeshellarg and escapeshellcmd are the escaping helpers, not the functions that spawn a shell; if the aim is to stop scripts from running commands, the ones to list are exec, passthru, shell_exec, system, proc_open and popen. Add "session.cookie_secure = 1" once the site is served over HTTPS.

Restart Apache:

    systemctl restart apache2.service

Install memcached

Using apt-get:

    apt-get install memcached php5-memcached
    systemctl restart apache2.service

Debian's memcached listens on 127.0.0.1 only (the "-l 127.0.0.1" line in /etc/memcached.conf). Keep it that way: memcached has no authentication, and the iptables rules above would otherwise not stop the cached data from being read over the network only because port 11211 happens not to be opened.

Install phpMemcachedAdmin (optional):

    mkdir /var/www/phpMemcachedAdmin
    cd /var/www/phpMemcachedAdmin
    wget http://phpmemcacheadmin.googlecode.com/files...
    tar -xvzf phpMemcachedAdmin-1.2.2-r262.tar.gz
    chmod +r *
    chmod 0777 Config/Memcache.php

You may want to restrict access to this directory using .htaccess. Also, 0777 makes the configuration file writable by every account on the system; "chown www-data Config/Memcache.php" followed by "chmod 0640" (or 0660 if your own user also edits it) gives Apache the write access it needs without that.

Install Alternative PHP Cache (APC)

Using apt-get:

    apt-get install php-apc

Edit configuration (optional):

    nano /etc/php5/conf.d/20-apc.ini

After extension=apc.so, add the following (modify them according to your needs):

    extension=apc.so

    apc.enabled=1
    apc.shm_size=128M
    apc.ttl=3600
    apc.user_ttl=7200
    apc.gc_ttl=3600
    apc.max_file_size=1M

Restart Apache:

    systemctl restart apache2.service

Install database manager

phpMyAdmin and adminer are popular. I prefer adminer:

    mkdir /var/www/adminer
    wget http://downloads.sourceforge.net/adminer/ad...

You may want to restrict access to this directory using .htaccess. A database manager reachable from the internet is a prime target, so restricting it by source IP or HTTP authentication is worth more than a hard-to-guess path.

Install git

Using apt-get:

    apt-get install git

Install s3cmd for Amazon backup

Using apt-get:

    apt-get install s3cmd

REMARK: There is a serious BUG with the current Debian version of s3cmd (1.1.0-beta3) in multipart uploads to Amazon S3 (mainly using cron). Some changes must be done to /usr/share/s3cmd/S3/S3.py. The patch is available here.

Configure s3cmd with your Amazon credentials:

    cd /root
    s3cmd --configure

(The access keys end up in /root/.s3cfg; keep that file readable by root only, and use an IAM user limited to the backup bucket rather than the account's root keys.)

Various tools

Using apt-get:

    apt-get install mc p7zip-full htop sysstat

Simple system monitoring tools

htop and sysstat, installed with the command above.

Deploy Projects

I use git and Github to deploy my projects (either public or private). For example, to deploy my blog on the new server:

    chown -R pontikis:pontikis /var/www
    cd /var/www
    git clone git@github.com:pontikis/pontikis.net.git

Furthermore, to update this project in the future:

    cd /var/www/pontikis.net
    git fetch
    git merge origin/master

The public RSA key of user pontikis must be added to Github. Details here.

REMARK: a checkout under the DocumentRoot carries its .git directory, and Apache will serve it, history and all, unless access to it is denied (a <DirectoryMatch> block for "/\.git" in the virtual host, with the same "Order allow,deny" syntax used above).

Backup software

There are many backup solutions available. I use bash-cloud-backup.

bash-cloud-backup is a set of bash scripts, which can be used to automate local and cloud backup on Linux/Unix machines. I use Amazon S3 as the cloud backup solution.

More details in this post.

Get email notifications for updates

    apt-get install apticron
    apt-get install update-notifier-common
    apt-get install debian-goodies

Simple intrusion detection techniques

Logwatch

Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing the areas that you specify.

Using apt-get:

    apt-get install logwatch

Configuration:

    mkdir /var/cache/logwatch
    cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
    nano /etc/logwatch/conf/logwatch.conf

    #Output = stdout
    Output = mail

rkhunter

    apt-get install rkhunter

Simple intrusion prevention techniques

fail2ban

fail2ban scans log files and bans IPs that show malicious signs, for example too many password failures, probing for exploits, etc.

    apt-get install fail2ban

Find details in this post.

psad

psad analyzes iptables log messages to detect port scans and other suspicious traffic.

    apt-get install psad

Find details in this post.

Security and system auditing tool

Install Lynis using apt-get:

    apt-get install lynis
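Added example, not from the original post: the heart of what fail2ban's sshd jail does, written as one awk pass over auth.log so the threshold and the matched log lines can be seen before the daemon is trusted with the firewall. The log lines are constructed with documentation-range addresses; the ban commands are printed rather than executed, and assume the iptables setup described earlier.

```shell
#!/bin/sh
# Added example, not from the original post: count failed SSH logins per source
# address from auth.log and show the bans that would follow, which is the core
# of fail2ban's sshd jail. Only "Failed password/publickey" lines are counted,
# one per attempt; the extra "Invalid user" line sshd logs for unknown accounts
# is deliberately not double-counted. Assumptions: POSIX sh + awk; the sample
# log lines below are constructed.

# ssh_failures LOGFILE THRESHOLD -> "count ip", highest first, for every source
# with at least THRESHOLD failed SSH logins
ssh_failures() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# ssh_ban_commands (stdin: output of ssh_failures) -> the iptables command a ban
# would run for each offender; printed, not executed, so it can be reviewed
ssh_ban_commands() {
    while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# Demo on constructed auth.log lines: one brute-forcer, one mistyped password
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
May 17 20:09:12 cosmos sshd[2201]: Failed password for root from 203.0.113.9 port 51234 ssh2
May 17 20:09:14 cosmos sshd[2201]: Failed password for root from 203.0.113.9 port 51234 ssh2
May 17 20:09:17 cosmos sshd[2203]: Invalid user admin from 203.0.113.9
May 17 20:09:17 cosmos sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
May 17 20:10:02 cosmos sshd[2210]: Accepted publickey for pontikis from 198.51.100.7 port 40022 ssh2
May 17 20:11:40 cosmos sshd[2215]: Failed password for pontikis from 198.51.100.7 port 40030 ssh2
May 17 20:12:01 cosmos CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
ssh_failures "$LOG" 3 | ssh_ban_commands
rm -f "$LOG"
```

With a threshold of 3 only 203.0.113.9 is reported; the single failure from 198.51.100.7 (the admin mistyping a password) is not. fail2ban adds what this omits: a time window, so old failures expire, and an automatic unban, so a legitimate user is not locked out for good.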
