securedebina1.pdf
TRANSCRIPT
-
8/10/2019 securedebina1.pdf
1/19
Debian 7 Wheezy Dedicated Web Server Setup Step by Step
Christos Pontikis, pontikis.net Tech blog & Web labs
May 16th, 2013
Source: http://www.pontikis.net/blog/debian-wheezy-we (URL truncated in this copy; printed 16/10/2014)

Debian 7.0 Wheezy was officially released on May 5, 2013. Wheezy is powered by Linux kernel 3.2 and has multiarch support. Concerning LAMP software, Apache 2.2.22, MySQL 5.5.30 and PHP 5.4.4 are included. Debian 7 supports systemd. More information here.

In this post I describe a dedicated server setup using Debian Wheezy. It is a Hetzner EX4S dedicated server with IP 144.76.70.100. My blog, my company website and some other web projects will be hosted on this server.

I use Dyn.com for all my DNS and e-mail needs, so I will not set up a bind name server or a full-blown mail server. The default Debian MTA (exim4) is enough for the server to send emails.

I selected a minimal Debian amd64 server (basic Debian system and SSH). Thanks to the Hetzner staff, the server was up and running in less than an hour. As usual, they sent me the IP and root password. Below I describe the whole procedure after this point.

Connect using SSH

This is the first and should be the last time you are remotely connected to the server as root:

    ssh 144.76.70.100 -l root

Change root password

Use:

    passwd
remove /robot.sh

This step concerns only Hetzner servers.

/etc/rc2.d/S99Zrobot (a symbolic link to /robot.sh) is just for reporting a successful install and should normally have been removed immediately. Remove both in case they have not been removed automatically.

If /robot.sh is present, apt-get will fail with the following message (truncated in this copy of the post):

    insserv: warning: script 'S99Zrobot' missing LSB

Use:

    mv /robot.sh /robot.sh.bak
    rm /etc/rc2.d/S99Zrobot

Perform a full system update

Using apt-get:

    apt-get update && apt-get -V upgrade

Update files database

Use:

    updatedb

Color Bash Prompt

To add color to the bash prompt, you can follow this guide, where a global solution is provided (recommended).

As an alternative:

To add color to a common user's prompt:

    cd /home/pontikis
    nano .bashrc

uncomment #force_color_prompt=yes:

    ...
    force_color_prompt=yes
    ...

To add red color to the root prompt:

    cd /root
    nano .bashrc

Set PS1 as follows (the line is truncated in this copy of the post):

    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;

Also, find "# You may uncomment the following lines if you want `ls' to be colorized:" and uncomment the lines that follow it.

To see the changes you have to log off and log in again, or go to your home directory and give:

    . .bashrc

Customize nano text editor

Use:

    nano /etc/nanorc

To display line numbers, uncomment # set const, i.e. change

    # set const

to

    set const

Install systemd

Using apt-get:

    apt-get install systemd

Modify GRUB_CMDLINE_LINUX_DEFAULT adding init=/bin/systemd:

    nano /etc/default/grub

    GRUB_CMDLINE_LINUX_DEFAULT="nomodeset init=/bin/systemd"

Finally, update grub and reboot:

    update-grub && reboot

Install ntp (Network Time Protocol)

Using apt-get:

    apt-get install ntp

Set server timezone
Using dpkg:

    dpkg-reconfigure tzdata

From http://wiki.debian.org/TimeZoneChanges:

"Restarting Daemons and Long-Running Programs. After the zoneinfo files are updated, you may need to restart daemons and other long-running programs to get them to use the new zone information. Examples of such programs include apache, bind, cron, fetchmail -d, inetd, mailman, sendmail, and sysklogd. A common symptom of this problem is seeing incorrect timestamps mixed in with the correct timestamps in your log files (e.g. /var/log/syslog). Even interactive programs like "mutt" may continue to use the old timezone information until they are restarted."

For example, restart cron:

    systemctl restart cron.service

An easier way is to restart your system:

    reboot

REMARK: Server date and time settings are very important for services like Amazon S3 backup, OpenVPN, NFS etc., where "client" and "server" machines must have the same settings.

Install webmin

Add the following lines to /etc/apt/sources.list (both lines are truncated in this copy of the post):

    deb http://download.webmin.com/download/repositor
    deb http://webmin.mirror.somersettechsolutions.co

Add the apt key:

    cd /root
    wget http://www.webmin.com/jcameron-key.asc
    apt-key add jcameron-key.asc

Finally:

    apt-get update
    apt-get install webmin

Create common user

You can use the webmin interface (recommended).
Otherwise, you can use the adduser script (output truncated in this copy of the post):

    adduser pontikis
    Adding user `pontikis' ...
    Adding new group `pontikis' (1001) ...
    Adding new user `pontikis' (1001) with group `po
    Creating home directory `/home/pontikis' ...
    Copying files from `/etc/skel' ...
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
    Changing the user information for pontikis
    Enter the new value, or press ENTER for the def
            Full Name []: Christos Pontikis
            Room Number []:
            Work Phone []:
            Home Phone []:
            Other []:
    Is the information correct? [Y/n] y

or the original Linux commands:

    groupadd pontikis
    useradd -m -g pontikis -s /bin/bash pontikis
    passwd pontikis

It is also important to create a Webmin user (pontikis in my case), to avoid logging in to Webmin as root.

Harden SSH

Edit the SSH configuration:

    nano /etc/ssh/sshd_config

Make the following changes:

    ...
    PermitRootLogin no
    ...
    X11Forwarding no
    ...
    AllowUsers pontikis ...
    ...

Restart SSH:

    systemctl restart ssh.service

SSH key based authentication

To connect from your workstation to the server machine, add your public key to the server:

    ssh-copy-id -i ~/.ssh/id_rsa.pub 144.76.70.100
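A way to verify that the three sshd_config changes above actually took effect, as an added example that is not code from the original post. It reads an sshd_config path and reports each of PermitRootLogin, X11Forwarding and AllowUsers, honouring the first uncommented occurrence of a keyword the way sshd does (a later duplicate is ignored, which is a common reason a "hardened" line has no effect). The function names and the two sample config files it writes are constructed for this example; it only touches a temp directory and needs no root.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# three settings the post changes (PermitRootLogin, X11Forwarding, AllowUsers).
# The sample configs written below are constructed for demonstration.

# effective_value FILE KEYWORD
# Prints the value of the first uncommented occurrence of KEYWORD. sshd honours
# the first occurrence and ignores later duplicates, so the audit does the same.
# Keywords are matched case-insensitively, as sshd does. Caveat: a config with
# "Match" blocks is not handled (their settings would be read as global).
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE
# Prints one ok/FAIL line per setting; returns 0 only if all three pass.
check_sshd_config() {
    f="$1"; rc=0
    v=$(effective_value "$f" PermitRootLogin)
    if [ "$v" = "no" ]; then
        echo "ok   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${v:-unset}' (root can log in over SSH)"; rc=1
    fi
    v=$(effective_value "$f" X11Forwarding)
    if [ "$v" = "no" ]; then
        echo "ok   X11Forwarding no"
    else
        echo "FAIL X11Forwarding is '${v:-unset}'"; rc=1
    fi
    v=$(effective_value "$f" AllowUsers)
    if [ -n "$v" ]; then
        echo "ok   AllowUsers restricts logins (first entry: $v)"
    else
        echo "FAIL AllowUsers is not set (every account may log in)"; rc=1
    fi
    return $rc
}

# write_sample_configs DIR
# Constructed samples: DIR/hardened mirrors the post's settings; DIR/stock is an
# untouched config where the first PermitRootLogin line wins and the later
# "no" is ignored by sshd.
write_sample_configs() {
    cat > "$1/hardened" <<'EOF'
# constructed sample: the post's changes applied
Port 22
PermitRootLogin no
X11Forwarding no
AllowUsers pontikis
EOF
    cat > "$1/stock" <<'EOF'
# constructed sample: unhardened defaults with a misplaced "no" at the end
Port 22
PermitRootLogin yes
#PermitRootLogin no
X11Forwarding yes
PermitRootLogin no
EOF
}

# Demonstration on the constructed samples (only touches a temp dir).
d=$(mktemp -d)
write_sample_configs "$d"
echo "== hardened"; check_sshd_config "$d/hardened"
echo "== stock";    check_sshd_config "$d/stock" || echo "stock config fails the audit, as expected"
rm -rf "$d"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` after editing and before restarting sshd; a non-zero exit means one of the three settings is not in force.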
Change hostname

Add the hostname (cosmos.medisign.com in my case) to /etc/hostname and /etc/hosts, so that the local address(es) resolve to the new system name, and reboot.

Harden kernel using /etc/sysctl.conf

It was a pleasant surprise to see that the Hetzner default installation already included important changes to /etc/sysctl.conf:

    ### Hetzner Online AG installimage
    # sysctl config
    #net.ipv4.ip_forward=1
    net.ipv4.conf.all.rp_filter=1
    net.ipv4.icmp_echo_ignore_broadcasts=1
    # ipv6 settings (no autoconfiguration)
    net.ipv6.conf.default.autoconf=0
    net.ipv6.conf.default.accept_dad=0
    net.ipv6.conf.default.accept_ra=0
    net.ipv6.conf.default.accept_ra_defrtr=0
    net.ipv6.conf.default.accept_ra_rtr_pref=0
    net.ipv6.conf.default.accept_ra_pinfo=0
    net.ipv6.conf.default.accept_source_route=0
    net.ipv6.conf.default.accept_redirects=0
    net.ipv6.conf.default.forwarding=0
    net.ipv6.conf.all.autoconf=0
    net.ipv6.conf.all.accept_dad=0
    net.ipv6.conf.all.accept_ra=0
    net.ipv6.conf.all.accept_ra_defrtr=0
    net.ipv6.conf.all.accept_ra_rtr_pref=0
    net.ipv6.conf.all.accept_ra_pinfo=0
    net.ipv6.conf.all.accept_source_route=0
    net.ipv6.conf.all.accept_redirects=0
    net.ipv6.conf.all.forwarding=0

I will only add:

    net.ipv4.tcp_syncookies = 1

Just in case: the default Debian /etc/sysctl.conf is a text file with all extra settings commented out. See here.

If you want to make changes, you have two options:

First method (recommended): create a file /etc/sysctl.d/local.conf and reboot.

Alternative method: make direct changes to /etc/sysctl.conf and activate them with sysctl -p (without reboot).

The contents of /etc/sysctl.d/local.conf should be (comment lines are truncated in this copy of the post):

    # Turn on Source Address Verification in all int
    # prevent some spoofing attacks
    #net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1
    # ADD THE LINE
    # ignore echo broadcast requests to prevent bein
    net.ipv4.icmp_echo_ignore_broadcasts=1
    # Uncomment the next line to enable TCP/IP SYN c
    # See http://lwn.net/Articles/277146/
    # Note: This may impact IPv6 TCP sessions too
    #net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_syncookies=1
    # ipv6 settings (no autoconfiguration)
    net.ipv6.conf.default.autoconf=0
    net.ipv6.conf.default.accept_dad=0
    net.ipv6.conf.default.accept_ra=0
    net.ipv6.conf.default.accept_ra_defrtr=0
    net.ipv6.conf.default.accept_ra_rtr_pref=0
    net.ipv6.conf.default.accept_ra_pinfo=0
    net.ipv6.conf.default.accept_source_route=0
    net.ipv6.conf.default.accept_redirects=0
    net.ipv6.conf.default.forwarding=0
    net.ipv6.conf.all.autoconf=0
    net.ipv6.conf.all.accept_dad=0
    net.ipv6.conf.all.accept_ra=0
    net.ipv6.conf.all.accept_ra_defrtr=0
    net.ipv6.conf.all.accept_ra_rtr_pref=0
    net.ipv6.conf.all.accept_ra_pinfo=0
    net.ipv6.conf.all.accept_source_route=0
    net.ipv6.conf.all.accept_redirects=0
    net.ipv6.conf.all.forwarding=0

Install exim4 MTA

Using apt-get:

    apt-get install exim4

Configure exim:

    dpkg-reconfigure exim4-config

Change the default option "local delivery only" to "internet site".

Set the system mail name (cosmos.medisign.com in my case).

Accept the default settings in the remaining steps.
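Going back to the sysctl configuration above: the post keeps the Hetzner settings in /etc/sysctl.conf and puts its own in /etc/sysctl.d/local.conf, so the same key can end up in two files. This added example (not code from the original post) computes the effective value of every key from a list of files applied in order, with a later file overriding an earlier one. That is the behaviour of `sysctl --system` from procps, which reads /etc/sysctl.d/*.conf first and /etc/sysctl.conf last, so a value in /etc/sysctl.conf wins over local.conf. The function names and the sample files it writes are constructed for this example; it only touches a temp directory.

```shell
#!/bin/sh
# Added example, not code from the original post: compute effective sysctl
# settings from config files applied in the given order. The files written by
# write_sysctl_samples are constructed here, modelled on the Hetzner
# /etc/sysctl.conf and the /etc/sysctl.d/local.conf shown in the post.

# sysctl_effective FILE...
# Prints "key=value" lines. Blank lines and #/; comments are skipped, spaces
# around "=" are tolerated ("key = value" equals "key=value"), and a key set
# again in a later file overrides the earlier value, as sysctl --system does
# (it reads /etc/sysctl.d/*.conf first and /etc/sysctl.conf last).
sysctl_effective() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", key)
            gsub(/^[ \t]+/, "", val)
            gsub(/[ \t]+$/, "", val)
            if (!(key in value)) order[++n] = key
            value[key] = val
        }
        END { for (i = 1; i <= n; i++) print order[i] "=" value[order[i]] }
    ' "$@"
}

# sysctl_lookup KEY FILE...
# Prints the effective value of KEY, or nothing when KEY is set in none of the
# files (for instance because it only appears as a commented-out line).
sysctl_lookup() {
    key="$1"; shift
    sysctl_effective "$@" | awk -F= -v k="$key" '$1 == k { print $2 }'
}

# write_sysctl_samples DIR
write_sysctl_samples() {
    cat > "$1/sysctl.conf" <<'EOF'
### constructed sample, modelled on the Hetzner /etc/sysctl.conf in the post
#net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
# ipv6 settings (no autoconfiguration)
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.forwarding=0
EOF
    cat > "$1/local.conf" <<'EOF'
# constructed sample, modelled on the post's /etc/sysctl.d/local.conf
net.ipv4.conf.all.rp_filter = 1
# the commented line is ignored, the uncommented one takes effect
#net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies = 1
EOF
}

# Demonstration: local.conf is read before sysctl.conf, so pass it first
# (only touches a temp dir).
d=$(mktemp -d)
write_sysctl_samples "$d"
sysctl_effective "$d/local.conf" "$d/sysctl.conf"
echo "effective tcp_syncookies: $(sysctl_lookup net.ipv4.tcp_syncookies "$d/local.conf" "$d/sysctl.conf")"
rm -rf "$d"
```

On a live system, `sysctl_effective /etc/sysctl.d/*.conf /etc/sysctl.conf` gives the values the next boot will apply; compare a key against `sysctl -n KEY` to see whether the running kernel already has it.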
Forward root mail

This is important, as various software and services send mail to inform root of results or errors (cron, for example).

    nano /etc/aliases

    ...
    root: [email protected]

Then, rebuild the aliases:

    newaliases

iptables firewall

Using webmin (click the thumb for the full image), or using the command line:

    nano /etc/iptables.up.rules

This is just an example with the most common rules (lines longer than 48 characters are truncated in this copy of the post):
    # Generated by iptables-save v1.4.14 on Fri May
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [189:103951]
    -A INPUT ! -i eth0 -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -m state --state RELATED -j ACCEPT
    -A INPUT -p udp -m udp --sport 53 --dport 1024:6
    -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp -m multiport --dports 25,
    -A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
    -A INPUT -j LOG
    -A FORWARD -j LOG
    COMMIT
    # Completed on Fri May 17 20:09:12 2013
    # Generated by iptables-save v1.4.14 on Fri May
    *mangle
    :PREROUTING ACCEPT [49770:4531554]
    :INPUT ACCEPT [49770:4531554]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [48931:39133213]
    :POSTROUTING ACCEPT [48931:39133213]
    COMMIT
    # Completed on Fri May 17 20:09:12 2013
    # Generated by iptables-save v1.4.14 on Fri May
    *nat
    :PREROUTING ACCEPT [4223:278291]
    :INPUT ACCEPT [1650:94585]
    :OUTPUT ACCEPT [2836:192019]
    :POSTROUTING ACCEPT [2836:192019]
    COMMIT
    # Completed on Fri May 17 20:09:12 2013

REMARK: the rules -A INPUT -j LOG and -A FORWARD -j LOG make iptables log packets and are needed if psad is used. See details in this post.

To load these rules into the iptables firewall:

    iptables-restore < /etc/iptables.up.rules

To save the active iptables firewall rules:

    iptables-save > /etc/iptables.up.rules

To load these rules on startup, add to the eth0 interface:

    nano /etc/network/interfaces

    ...
    post-up iptables-restore < /etc/iptables.up.rules
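Before a rules file like the one above is loaded with iptables-restore, or hooked into post-up, it is worth checking two things that the listing shows and that a typo can silently break: the filter table's INPUT policy is DROP, and an INPUT rule still accepts tcp/22, since loading a default-deny policy without it over an SSH session ends the session and every later one. This added example (not code from the original post) performs both checks on an iptables-save file and also lists the TCP ports that INPUT accepts, i.e. the exposed surface as the firewall sees it. The function names and the two sample rule files it writes are constructed for this example, modelled on the listing above; it only reads files, never touches the live firewall, and needs no root.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks on an
# iptables-save file before "iptables-restore < FILE". The rule files written
# by write_iptables_samples are constructed here, modelled on the post's listing.

# check_iptables_rules FILE
# In the *filter table only, verifies that (1) the INPUT policy is DROP and
# (2) some INPUT rule explicitly ACCEPTs tcp dport 22. Prints one line per
# check; returns 0 only when both hold.
check_iptables_rules() {
    f="$1"; rc=0
    if awk '/^\*/ { table = substr($1, 2) }
            table == "filter" && $1 == ":INPUT" && $2 == "DROP" { found = 1 }
            END { exit found ? 0 : 1 }' "$f"; then
        echo "ok   filter INPUT policy is DROP"
    else
        echo "FAIL filter INPUT policy is not DROP (default-allow firewall)"; rc=1
    fi
    if awk '/^\*/ { table = substr($1, 2) }
            table == "filter" && $1 == "-A" && $2 == "INPUT" &&
                /-p tcp/ && /--dport 22([^0-9:]|$)/ && /-j ACCEPT/ { found = 1 }
            END { exit found ? 0 : 1 }' "$f"; then
        echo "ok   tcp/22 is accepted in INPUT"
    else
        echo "FAIL no ACCEPT for tcp/22 in INPUT: loading this over SSH locks you out"; rc=1
    fi
    return $rc
}

# list_open_tcp_ports FILE
# Prints, space-separated and sorted, every --dport/--dports value opened by an
# INPUT ACCEPT rule for tcp in the filter table (port ranges are kept as-is).
list_open_tcp_ports() {
    awk '/^\*/ { table = substr($1, 2) }
         table == "filter" && $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
             for (i = 1; i < NF; i++)
                 if ($i == "--dport" || $i == "--dports") print $(i + 1)
         }' "$1" | tr ',' '\n' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# write_iptables_samples DIR
# DIR/good.rules follows the post's listing (trimmed); DIR/lockout.rules is the
# same file with a default-allow INPUT policy and the ssh rule removed.
write_iptables_samples() {
    cat > "$1/good.rules" <<'EOF'
# constructed sample in iptables-save format, modelled on the post's rules
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 25,587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
-A INPUT -j LOG
-A FORWARD -j LOG
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
    grep -v -e '--dport 22 ' "$1/good.rules" \
        | sed 's/^:INPUT DROP/:INPUT ACCEPT/' > "$1/lockout.rules"
}

# Demonstration on the constructed samples (only touches a temp dir).
d=$(mktemp -d)
write_iptables_samples "$d"
echo "== good.rules";    check_iptables_rules "$d/good.rules"
echo "open tcp ports: $(list_open_tcp_ports "$d/good.rules")"
echo "== lockout.rules"; check_iptables_rules "$d/lockout.rules" || echo "refusing to load lockout.rules"
rm -rf "$d"
```

A practical use is `check_iptables_rules /etc/iptables.up.rules && iptables-restore < /etc/iptables.up.rules`, so that a broken file is never loaded over the very session you would need to repair it.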
MySQL community database server

Using apt-get:

    apt-get install mysql-server

After installation, run:

    mysql_secure_installation

mysql_secure_installation sets a root password (if one does not exist), removes anonymous users, disables non-local root access, removes the test database and the access rules related to it, and finally reloads the privileges.

REMARK: restart MySQL using systemctl restart mysql.service

Install Apache web server

Using apt-get:

    apt-get install apache2 apache2-mpm-prefork

Enable mod_rewrite and mod_deflate (gzip compression):

    a2enmod rewrite
    a2enmod deflate

Config virtual hosts (settings may vary according to your needs). Add your IP:

    nano /etc/apache2/ports.conf

    NameVirtualHost 144.76.70.100:80

Create virtual hosts. This is just an example (file name and long lines are truncated in this copy of the post, and the enclosing <VirtualHost> and <Directory> container tags were lost in extraction):

    nano /etc/apache2/sites-available/www.pontikis.ne

    ServerName www.pontikis.net
    ServerAdmin [email protected]
    DocumentRoot /var/www/pontikis.net

        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all

    ErrorLog ${APACHE_LOG_DIR}/pontikis.net_error.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/pontikis.net_acces

    ErrorDocument 404 /404/

    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|b
    SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/h

Enable the site:

    a2ensite www.pontikis.net

Restart Apache:

    systemctl restart apache2.service

Awstats log analyzer

Using apt-get:

    apt-get install awstats

Details in a future post soon.

php

Using apt-get:

    apt-get install php5

Enable the php error log. The log file must be writable by Apache. So:

    mkdir /var/log/php
    chown www-data /var/log/php

Edit php.ini:

    nano /etc/php5/apache2/php.ini

uncomment ;error_log:

    error_log = /var/log/php/php_errors.log

Remember to rotate /var/log/php/php_errors.log:

    nano /etc/logrotate.d/php

add the following:

    /var/log/php/php_errors.log {
        weekly
        missingok
        rotate 4
        notifempty
        create
    }

Install MySQL Native Driver (mysqlnd)
Using apt-get:

    apt-get install php5-mysqlnd

REMARK: If, for any reason, you don't want mysqlnd, try apt-get install php5-mysql instead.

Install the php adodb extension:

    apt-get install php5-adodb

Install the php GD library:

    apt-get install php5-gd

Config mbstring (the detect_order line is truncated in this copy of the post):

    nano /etc/php5/conf.d/mbstring-settings.ini

    [mbstring]
    mbstring.language = English
    mbstring.internal_encoding = UTF-8
    mbstring.encoding_translation = On
    mbstring.http_input = UTF-8,SJIS,EUC-JP
    mbstring.http_output = UTF-8
    mbstring.detect_order = UTF-8,ASCII,JIS,SJIS,EUC-
    mbstring.substitute_character = none
    mbstring.func_overload = 0

Harden PHP setup (settings may vary according to your needs; the disable_functions line is truncated in this copy of the post):

    nano /etc/php5/conf.d/security.ini

    allow_url_include = Off
    allow_url_fopen = Off
    session.use_only_cookies = 1
    session.cookie_httponly = 1
    expose_php = Off
    display_errors = Off
    register_globals = Off
    disable_functions = escapeshellarg, escapeshellc

Restart Apache:

    systemctl restart apache2.service

Install memcached

Using apt-get:

    apt-get install memcached php5-memcached
    systemctl restart apache2.service

Install phpMemcachedAdmin (optional; the wget URL is truncated in this copy of the post):

    mkdir /var/www/phpMemcachedAdmin
    cd /var/www/phpMemcachedAdmin
    wget http://phpmemcacheadmin.googlecode.com/files
    tar -xvzf phpMemcachedAdmin-1.2.2-r262.tar.gz
    chmod +r *
    chmod 0777 Config/Memcache.php

You may want to restrict access to this directory using .htaccess.
Install Alternative PHP Cache (APC)

Using apt-get:

    apt-get install php-apc

Edit the configuration (optional):

    nano /etc/php5/conf.d/20-apc.ini

After extension=apc.so, add the following (modify them according to your needs):

    extension=apc.so

    apc.enabled=1
    apc.shm_size=128M
    apc.ttl=3600
    apc.user_ttl=7200
    apc.gc_ttl=3600
    apc.max_file_size=1M

Restart Apache:

    systemctl restart apache2.service

Install database manager

phpMyAdmin and adminer are popular. I prefer adminer (the wget URL is truncated in this copy of the post):

    mkdir /var/www/adminer
    wget http://downloads.sourceforge.net/adminer/ad

You may want to restrict access to this directory using .htaccess.

Install git

Using apt-get:

    apt-get install git

Install s3cmd for Amazon backup

Using apt-get:

    apt-get install s3cmd

REMARK: There is a serious BUG in the current Debian version of s3cmd (1.1.0-beta3) in multipart uploads to Amazon S3 (mainly using cron). Some changes must be made to /usr/share/s3cmd
/S3/S3.py. The patch is available here.

Configure s3cmd with your Amazon credentials:

    cd /root
    s3cmd --configure

Various tools

Using apt-get:

    apt-get install mc p7zip-full htop sysstat

Deploy Projects

I use git and Github to deploy my projects (either public or private). For example, to deploy my blog on the new server (the clone URL is truncated in this copy of the post):

    chown -R pontikis:pontikis /var/www
    cd /var/www
    git clone [email protected]:pontikis/pontikis.net.gi

Furthermore, to update this project in the future:

    cd /var/www/pontikis.net
    git fetch
    git merge origin/master

User pontikis' public rsa key must be added to github. Details here.

Backup software

There are many backup solutions available. I use bash-cloud-backup.

bash-cloud-backup is a set of bash scripts which can be used to automate local and cloud backup on Linux/Unix machines. I use Amazon S3 as the cloud backup solution.

More details in this post.

Simple system monitoring tools

Get email notifications for updates:

    apt-get install apticron
    apt-get install update-notifier-common
    apt-get install debian-goodies
Simple intrusion detection techniques

Logwatch

Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing the areas that you specify.

Using apt-get:

    apt-get install logwatch

Configuration (the destination of the cp command is truncated in this copy of the post):

    mkdir /var/cache/logwatch
    cp /usr/share/logwatch/default.conf/logwatch.conf
    nano /etc/logwatch/conf/logwatch.conf

    #Output = stdout
    Output = mail

rkhunter

Using apt-get:

    apt-get install rkhunter

Simple intrusion prevention techniques

fail2ban

fail2ban scans log files and bans IPs that show malicious signs, for example too many password failures, seeking for exploits, etc. Find details in this post.

    apt-get install fail2ban

psad

psad analyzes iptables log messages to detect port scans and other suspicious traffic. Find details in this post.

    apt-get install psad

Security and system auditing tool

Install Lynis using apt-get:

    apt-get install lynis