Blue Team

User Security

Add a user to a group
usermod -aG group user
Check user groups
groups user

Secure SSH Server

Install SSH
sudo apt install openssh-server
SSH Configuration File
nano /etc/ssh/sshd_config

Here you can edit your SSH configuration file:

  • change default port
  • PermitRootLogin no
  • PasswordAuthentication no (logins are then only possible with an SSH key such as id_rsa, never with a password)
Restart Service
sudo systemctl restart ssh
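A quick way to verify the three settings above before restarting sshd, as an added example that is not part of the original notes. It parses a file in sshd_config format (assumed to have no Match blocks) and reports which of the three hardening settings is still missing; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit an sshd_config for the
# three hardening settings above. Assumes a plain Debian-style sshd_config with
# no Match blocks, where "#" starts a comment and the last directive wins.

# sshd_setting FILE KEY -> prints the effective value of KEY (case-insensitive)
# or nothing when the directive is absent or commented out.
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        tolower($1) == tolower(key) { val = $2 }   # last occurrence wins
        END { if (val != "") print val }
    ' "$1"
}

# audit_sshd FILE -> prints one FAIL line per weak setting and returns the
# number of failures (0 means all three checks passed).
audit_sshd() {
    fails=0
    port=$(sshd_setting "$1" Port)
    root=$(sshd_setting "$1" PermitRootLogin)
    pass=$(sshd_setting "$1" PasswordAuthentication)
    # sshd defaults when a directive is missing: Port 22, PasswordAuthentication yes
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL: still listening on the default port 22"; fails=$((fails + 1))
    fi
    if [ "$root" != no ]; then
        echo "FAIL: PermitRootLogin is '${root:-<default>}', expected no"; fails=$((fails + 1))
    fi
    if [ "$pass" != no ]; then
        echo "FAIL: PasswordAuthentication is '${pass:-yes (default)}', expected no"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample configs (not real server files) to exercise the check.
cat > /tmp/sshd_weak.conf <<'EOF'
#Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF
cat > /tmp/sshd_hard.conf <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF

audit_sshd /tmp/sshd_weak.conf || echo "weak config: $? check(s) failed"   # 3
audit_sshd /tmp/sshd_hard.conf && echo "hardened config: all checks passed"
```

Run it against /etc/ssh/sshd_config on the real host (`audit_sshd /etc/ssh/sshd_config`) after editing and before the restart; `sshd -t` is still the authoritative syntax check.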
Prevent BruteForce

Method 1:
Implement two-factor authentication:

sudo apt install libpam-google-authenticator

Configure SSH to use the Authenticator by adding the following line to the /etc/pam.d/sshd file:

...
auth required pam_google_authenticator.so

Restart the service:

sudo systemctl restart sshd.service

Edit the sshd_config file and change the ChallengeResponseAuthentication setting from no to yes.

Next, run the google-authenticator command as the user that will log in and answer the configuration questions as follows:

Make tokens time-based?                               Yes
Update the .google_authenticator file?                Yes
Disallow multiple uses?                               Yes
Allow extra token before and after current time?      No
Enable rate-limiting?                                 Yes

Method 2:
Limit access using iptables rules:
If you will always be connecting to your server from the same IP address, you can firewall off port 22 to everything EXCEPT your own IP address.

iptables -A INPUT -p tcp -d 0/0 -s YOUR.IP.GOES.HERE --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d 0/0 --dport 22 -j DROP

Then run the following to dump the active ruleset. Note that iptables-save only prints to stdout; redirect its output to the file your distribution restores at boot (for example /etc/iptables/rules.v4 when iptables-persistent is installed), otherwise the rules are lost on reboot:

iptables-save

Method 3:
Install SSHGuard:

sudo apt update
sudo apt install sshguard

Once installed, the SSHGuard service starts automatically, and you can verify this using the command:

sudo systemctl status sshguard

You can modify the sshguard configuration file using:

sudo vim /etc/sshguard/sshguard.conf

Install UFW, then edit its before-rules file:

sudo vim /etc/ufw/before.rules

Add the following lines just after the "allow all on loopback" block:

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# hand off control for sshd to sshguard
:sshguard - [0:0]
-A ufw-before-input -p tcp --dport 22 -j sshguard

Save the file and restart UFW:

sudo systemctl restart ufw

Now attempt to log in to the server from a different system with the wrong credentials and notice that you are locked out for 120 seconds after the first failed login attempt.

You can verify this by checking the auth.log log file:

sudo tail -f  /var/log/auth.log

Method 4:
Fail2ban:

sudo apt install fail2ban
sudo systemctl enable fail2ban.service

In /etc/fail2ban, create a file called jail.local with the following content:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
ignoreip = 127.0.0.1

Start the service and check its status:

sudo systemctl restart fail2ban.service
sudo systemctl status fail2ban.service
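To see what SSHGuard and Fail2ban are reacting to when you tail auth.log (Method 3) and why maxretry / ignoreip matter (Method 4), here is an added example that is not part of the original notes: a small analysis of sshd failure lines that counts failed logins per source address and flags the ones that would trip the jail.local values above. The log excerpt is constructed and uses RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not part of the original notes): the core of what SSHGuard and
# Fail2ban do, written as a small auth.log analysis you can run by hand. It counts
# failed SSH logins per source address and flags sources that reach maxretry,
# honouring one ignoreip address, using the jail.local values above (3, 127.0.0.1).
# Assumes the classic sshd message "Failed password for ... from IP port N ssh2".

# failed_logins_per_ip LOGFILE -> lines of "<count> <ip>", highest count first
failed_logins_per_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn
}

# offenders LOGFILE MAXRETRY [IGNOREIP] -> IPs with >= MAXRETRY failures, minus IGNOREIP
offenders() {
    failed_logins_per_ip "$1" |
        awk -v max="$2" -v ignore="${3:-}" '$1 >= max && $2 != ignore { print $2 }'
}

# Constructed sample log excerpt (RFC 5737 documentation addresses, not real hosts).
cat > /tmp/auth_sample.log <<'EOF'
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  3 10:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  3 10:01:07 host sshd[1203]: Failed password for root from 203.0.113.5 port 41030 ssh2
Mar  3 10:02:11 host sshd[1210]: Failed password for alice from 198.51.100.7 port 50210 ssh2
Mar  3 10:02:15 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 50210 ssh2
Mar  3 10:03:00 host sshd[1215]: Failed password for bob from 127.0.0.1 port 33000 ssh2
Mar  3 10:03:02 host sshd[1215]: Failed password for bob from 127.0.0.1 port 33000 ssh2
Mar  3 10:03:04 host sshd[1215]: Failed password for bob from 127.0.0.1 port 33000 ssh2
EOF

echo "Failed logins per source address:"
failed_logins_per_ip /tmp/auth_sample.log
echo "Would be banned with maxretry = 3 and ignoreip = 127.0.0.1:"
offenders /tmp/auth_sample.log 3 127.0.0.1   # 203.0.113.5 only
```

On a real host point it at /var/log/auth.log; compare the result with `sudo fail2ban-client status sshd` to confirm the jail is banning the same sources.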
Configuring SUDO Access

Make a backup of the sudo configuration file:

sudo cp --archive /etc/sudoers /etc/sudoers-COPY-$(date +"%Y%m%d%H%M%S")

Edit the sudo configuration file with visudo, which syntax-checks the file before saving so you cannot lock yourself out of sudo with a typo:

sudo visudo -f /etc/sudoers
Limit who can use su

Create a group

sudo groupadd suusers

Add accounts to the group

sudo usermod -a -G suusers user1
sudo usermod -a -G suusers user2
sudo usermod -a -G suusers  ...

Make /bin/su executable only by root and members of this group (setuid root, mode 4750), so only users in the group can use su:

sudo dpkg-statoverride --update --add root suusers 4750 /bin/su
Run Application in a sandbox with FireJail

Install the software

sudo apt install firejail firejail-profiles

Force an application (installed in /usr/bin or /bin) to always run in a sandbox by placing a firejail symlink with the application's name earlier in PATH:

sudo ln -s /usr/bin/firejail /usr/local/bin/google-chrome-stable
sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
sudo ln -s /usr/bin/firejail /usr/local/bin/chromium
sudo ln -s /usr/bin/firejail /usr/local/bin/evolution
sudo ln -s /usr/bin/firejail /usr/local/bin/thunderbird

Run the application as usual (via terminal or launcher) and check whether it is running in a jail:

firejail --list

To let a sandboxed app run unsandboxed again, remove its symlink (example: firefox):

sudo rm /usr/local/bin/firefox
Anti-Virus Scanning with ClamAV

Install ClamAV

sudo apt install clamav clamav-freshclam clamav-daemon

Make a backup of clamav-freshclam's configuration file /etc/clamav/freshclam.conf:

sudo cp --archive /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf-COPY-$(date +"%Y%m%d%H%M%S")

clamav-freshclam's default settings are probably good enough, but if you want to change them you can either edit the file /etc/clamav/freshclam.conf or use dpkg-reconfigure:

sudo dpkg-reconfigure clamav-freshclam

Start the clamav-freshclam service

sudo service clamav-freshclam start

Make sure clamav-freshclam is running

sudo service clamav-freshclam status

Scanning Files/Folders

  • To scan files/folders use the clamscan program.
  • clamscan runs as the user it is executed as so it needs read permissions to the files/folders it is scanning.
  • Using clamscan as root is dangerous because if a file is in fact a virus there is a risk that it could abuse the root privileges.
  • To scan a file: clamscan /path/to/file.
  • To scan a directory: clamscan -r /path/to/folder.
  • You can use the -i switch to only print infected files.
  • Check clamscan‘s man pages for other switches/options.
logwatch - system log analyzer and reporter

Install logwatch

sudo apt install logwatch

Usage

sudo /usr/sbin/logwatch --output stdout --format text --range yesterday --service all
Lynis - Linux Security Auditing

Install Lynis

sudo apt install apt-transport-https ca-certificates host
sudo wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update
sudo apt install lynis host

Update it

sudo lynis update info

Run a security audit - This will scan your server, report its audit findings, and at the end it will give you suggestions.

sudo lynis audit system

Secure Apache2 - wordpress example

Installation
sudo apt install apache2
Location
ls -al /var/www/
Disable Directory Listing

File Location

sudo nano /etc/apache2/apache2.conf

Now add:

<Directory /var/www/>
	Options -Indexes
	Require all granted
</Directory>

<Directory /var/www/wordpress>
	AllowOverride All
	# -Indexes disables directory listing
	Options -Indexes
	ServerSignature Off
</Directory>

If it is still displaying the directory index, make sure apache2.conf names the per-directory configuration file so that a .htaccess file is honoured:

AccessFileName .htaccess

Edit .htaccess file

cd /var/www/wordpress/
sudo nano .htaccess

Options -Indexes

Change permissions of the .htaccess file

sudo chown www-data:www-data .htaccess

Restart the service

sudo systemctl restart apache2
Add password to view the webserver
sudo apt-get install apache2-utils
cd /etc/apache2
sudo htpasswd -c /etc/apache2/.htpasswd dev
cd /var/www/wordpress/
sudo nano .htaccess
	AuthType Basic
	AuthName "Development In Progress"
	AuthUserFile /etc/apache2/.htpasswd
	Require valid-user

Secure nginx

sudo apt install -y nginx apache2-utils
systemctl enable nginx
systemctl status nginx

Location

ls -al /var/www/html/

Conf File

sudo nano /etc/nginx/nginx.conf

Edit the file and add

... below Virtual Host Configs
server {
	listen 80;
	server_name localhost;
	location / {
		root /var/www/html;
	}
}

... below Basic Settings
server_tokens off;

... above Virtual Host Configs
proxy_hide_header X-Powered-By;
add_header X-Frame-Options SAMEORIGIN;   # protects against clickjacking

Add password to view the webserver

sudo htpasswd -c /etc/nginx/.htpasswd dev
sudo nano /etc/nginx/nginx.conf

... below Virtual Host Configs
server {
	listen 80;
	server_name localhost;
	auth_basic "Development Team Only";
	auth_basic_user_file /etc/nginx/.htpasswd;
	location / {
		# auth_basic and auth_basic_user_file are inherited from the server block
		root /var/www/html;
	}
}