Jremi.com


Securing SSH & Installing Fail2Ban


This is, in my opinion, the most important first step for any new Linux server. This is only a basic guide to securing your server against attackers trying to gain access to it; I will write another article on further hardening at a later date.

This is a loose continuation of my previous article, How to Install the LAMP Stack.

SSH is the most common tool for server management and is used by most websites and servers on the internet. Because it is so common, it is an easy target for attackers, largely because server admins fail to configure it properly. Today I am going to show you some easy ways to protect your own server.

Before we start, make sure you have nano installed. Most installs already include it, but if yours does not, run:

sudo apt install nano -y

Step 1: Creating a login banner & MOTD

This is the most basic of security features, meant solely for the 1% of attackers who see your site and think "I'm going to try and hack it", or for showing off to your friends to make your server look official. Whatever your reason, it works as a basic first line of defense.

First let's create the initial banner that is displayed when you are prompted for your username/password:

echo "###############################################################
#                 Authorized access only!                     #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#  Your IP, Login Time, Username has been noted and has been  #
#              sent to the server administrator!              #
#                                                             #
#  Excess failed login attempts will result in an automated   #
#    notification being sent to your network administrator    #
#       with your ip, attempts, timestamps, and logs!         #
###############################################################" | sudo tee /etc/issue.net >/dev/null

or

sudo nano /etc/issue.net

###############################################################
#                 Authorized access only!                     # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#  Your IP, Login Time, Username has been noted and has been  #
#              sent to the server administrator!              #
#                                                             #
#  Excess failed login attempts will result in an automated   #
#    notification being sent to your network administrator    #
#       with your ip, attempts, timestamps, and logs!         #
###############################################################

Ctrl + Y

After that, let's create the banner that is displayed after a successful login:

echo "#######################################
#        Welcome to Testserver        #
# If you are not authorized to access #
#  or use this system disconnect now  #
#######################################" | sudo tee /etc/motd >/dev/null

or

sudo nano /etc/motd

#######################################
#        Welcome to Testserver        #
# If you are not authorized to access #
#  or use this system disconnect now  #
#######################################

Ctrl + Y

Step 2: Editing the SSH server's config

Let's start by creating a backup, just in case:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

After that's out of the way, let's start editing:

sudo nano /etc/ssh/sshd_config

The first thing you can do, and this is totally optional (I personally do not do it), is change your SSH port. I plan on doing a write-up in the future on how to install a honeypot, which I will link here when I do; if you want to run one you would need to change this. This is also the single easiest thing you can do to cut down somewhere around 90-95% of all attacks against your SSH port: most attackers port-scan blocks of IPs for known ports and attack from that list, and changing the default port keeps your server off that list.

*NOTE* An SSH honeypot is a fake SSH server that can be configured to accept any username/password and let the attacker into a fake filesystem so you can see what they try.

To change the port, look for this line:

Port 22

and change 22 to anything you want, e.g.

Port 2022

The second thing we need to do is disable root login. This prevents anyone from logging in to the server with the root credentials; nobody should be using root day to day, let alone be allowed to log in as it.

Locate this line:

PermitRootLogin prohibit-password

and change it to this:

PermitRootLogin no

The next two steps are optional, but still recommended.

Third, we need to set a maximum idle time; this will kick users who idle longer than 10 minutes (adjustable). ClientAliveInterval tells the server to check whether the client is still alive every 300 seconds, or 5 minutes (adjustable), after no data has been received. ClientAliveCountMax is the number of checks that must fail before the client is kicked (2 × 5 minutes = 10 minutes).

ClientAliveInterval 300
ClientAliveCountMax 2

The fourth and final step is to limit the users that are allowed to SSH into your server. This is very convenient if you plan on creating users as a way of segregating web apps and/or data (although there are better alternatives, but who am I to judge).

AllowUsers user1 user2 user3
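The edits in Step 2, together with the Banner directive that the Step 1 /etc/issue.net file needs before sshd will actually show it pre-authentication, can be scripted so they are repeatable. The shell helpers below are an added example, not code from the original article; the function names (set_sshd_option, get_sshd_option, harden_sshd_config, validate_sshd_config) and the demo file contents are this example's own assumptions. Each directive is placed at the top of the file because sshd honours the first occurrence of a keyword, so the new value wins over any duplicate further down.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent helpers for the
# sshd_config edits in Step 2, plus the Banner directive that makes the
# Step 1 /etc/issue.net banner appear before authentication.
# All function names and the demo file below are invented for this example.

# set_sshd_option FILE KEYWORD VALUE
# Removes every existing (active or commented-out) line for KEYWORD and puts
# "KEYWORD VALUE" at the top of the file.  sshd uses the first occurrence of
# a keyword, so the line placed first wins over any later duplicate,
# including ones pulled in through an Include line.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp="$file.tmp.$$"
  {
    printf '%s %s\n' "$key" "$value"
    grep -v -i -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" || :
  } > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEYWORD
# Prints the value of the first active (uncommented) line for KEYWORD.
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# harden_sshd_config FILE "user1 user2 ..."
# Applies the article's settings: no root login, a 2 x 300 s idle limit,
# an explicit user allow-list and the pre-auth banner.  Port is left alone
# because the article treats changing it as optional.
harden_sshd_config() {
  file=$1; users=$2
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" ClientAliveInterval 300
  set_sshd_option "$file" ClientAliveCountMax 2
  set_sshd_option "$file" AllowUsers "$users"
  set_sshd_option "$file" Banner /etc/issue.net
}

# validate_sshd_config FILE
# Runs sshd's own syntax check when sshd is installed.  A typo in
# sshd_config otherwise only surfaces when the service fails to restart,
# which on a remote box can mean locking yourself out.
validate_sshd_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not installed here, skipping syntax check" >&2
  fi
}

# Demo on a constructed copy of a stock config, never the live file.
demo_file="${TMPDIR:-/tmp}/sshd_config.demo.$$"
printf '%s\n' '#Port 22' '#PermitRootLogin prohibit-password' 'X11Forwarding yes' > "$demo_file"
harden_sshd_config "$demo_file" "user1 user2 user3"
cat "$demo_file"
rm -f "$demo_file"
```

The stock Ubuntu sshd_config ships with Banner commented out, so without that directive the /etc/issue.net text from Step 1 is never shown to a connecting client. On the real file the sequence is: back it up as in Step 2, run harden_sshd_config /etc/ssh/sshd_config "user1 user2", then validate_sshd_config /etc/ssh/sshd_config (sudo sshd -t) and restart with sudo systemctl restart ssh. Keep your current session open until a fresh login succeeds, because a mistake in AllowUsers or PermitRootLogin otherwise locks you out.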

Step 3: Installing and setting up Fail2Ban

Fail2Ban is great: it is a program that parses log files and bans IPs that show malicious signs. For our needs it will parse the SSH server's logs in real time looking for attackers. Once it finds one it will not only ban them, it can also send you an email notification and perform a few more tasks, such as banning them on Cloudflare, emailing you a whois report and logs, complaining to their ISP, and sending the IP to larger managed blocklists.

Let's start by installing it:

sudo apt install fail2ban -y

After it has been installed, let's edit the config:

sudo nano /etc/fail2ban/jail.conf

The first thing we want to do is change the find time; to me 10 minutes isn't really that long, but feel free to skip this step.

Locate findtime = 600

and change it to

findtime = 86400 ; 24 hours

Next we need to configure the notification and action section.

Locate destemail = root@localhost

and change it to your own email address (note: you may get a lot of emails).

Locate sender = root@localhost

This one doesn't matter as much, but I like to name it fail2ban@server.com. Note that if you run your own mail server, make sure the server is authorized to send email in your SPF record.

Next locate action = %(action_)s

By itself it will ban without notification. The alternatives are:

action = %(action_mw)s ; will ban and email you a whois report

action = %(action_mwl)s ; will ban and email you a whois + logs

action = %(action_xarf)s ; will ban and email both you and the ISP logs

action = %(action_cf_mwl)s ; will ban on cloudflare and email you a whois + logs

After you have set the notification details and chosen an action to perform, we can enable the services to be monitored. Right now, since we only have SSH and Apache installed, we will enable those to be monitored, as well as repeat offenders.

Locate [sshd] and in the blank space below it add
enabled = true

Do the same for [selinux-ssh], [apache-auth], and [recidive].

In [recidive] we have a few other things to change:

bantime = -1 ; -1 = forever
findtime = 604800 ; 1 week, feel free to set this to anything you wish but 1 day minimum

We will go over the others in later guides, so don't worry about them for now unless you know for a fact that you have one of them installed and know what it does.

Ctrl + Y to save

Then reload fail2ban so it uses the updated config:

sudo service fail2ban reload
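To see what findtime and maxretry actually do before changing them, here is an added example (not from the article and not fail2ban's own code) that applies the same sliding-window rule fail2ban's sshd jail uses to a handful of constructed auth.log lines. The function name find_offenders, the variable SAMPLE_LOG and every log line in it are invented for this example, and the timestamp parsing assumes all lines fall on the same day.

```shell
#!/bin/sh
# Added example (not part of the original article, not fail2ban's code):
# a miniature of the decision fail2ban's sshd jail makes, run over a few
# constructed auth.log lines.  The same log yields a different ban list
# depending on findtime and maxretry, which is the point of the article's
# findtime change.  Names and log lines are invented for this example.

# Constructed sample log in syslog format.  All lines are on one day; the
# parser below only looks at the HH:MM:SS field.
SAMPLE_LOG='Jan 10 10:00:00 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 10 10:04:12 web1 sshd[2108]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
Jan 10 10:05:00 web1 sshd[2115]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jan 10 10:05:10 web1 sshd[2116]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Jan 10 10:05:20 web1 sshd[2117]: Failed password for invalid user test from 203.0.113.5 port 4244 ssh2
Jan 10 10:05:30 web1 sshd[2118]: Failed password for root from 203.0.113.5 port 4245 ssh2
Jan 10 10:05:40 web1 sshd[2119]: Failed password for root from 203.0.113.5 port 4246 ssh2
Jan 10 10:30:00 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51190 ssh2
Jan 10 11:00:00 web1 sshd[2302]: Failed password for root from 198.51.100.7 port 51377 ssh2'

# find_offenders MAXRETRY FINDTIME
# Reads log lines on stdin and prints "IP COUNT" for every source address
# that reaches MAXRETRY failed logins inside a sliding FINDTIME-second
# window, in the order the threshold is crossed.  Each IP is reported once,
# which is what a ban action amounts to.
find_offenders() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":")
      now = t[1] * 3600 + t[2] * 60 + t[3]
      # The source address is the field after "from"; the field before it
      # may be "root", "invalid user NAME" etc., so do not rely on position.
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      n[ip]++
      ts[ip, n[ip]] = now
      # Count this address'"'"' failures that fall inside the window.
      c = 0
      for (j = 1; j <= n[ip]; j++) if (ts[ip, j] >= now - findtime) c++
      if (c >= maxretry && !(ip in banned)) {
        banned[ip] = 1
        print ip, c
      }
    }'
}

echo "findtime 600 (the stock 10 minutes), maxretry 5:"
printf '%s\n' "$SAMPLE_LOG" | find_offenders 5 600
echo "findtime 86400 (the article's 24 hours), maxretry 3:"
printf '%s\n' "$SAMPLE_LOG" | find_offenders 3 86400
```

With the stock findtime of 600 only the rapid-fire 203.0.113.5 is caught; the slow attempts from 198.51.100.7, one every 30 minutes, never put three failures into the same 10-minute window and stay invisible until findtime is long enough to cover them, which is the reason the article raises it. On a real box, sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf shows which lines the real sshd filter matches, and sudo fail2ban-client status sshd lists the addresses currently banned. Fail2ban reads jail.conf and then jail.local, so overrides are usually kept in /etc/fail2ban/jail.local, where a package upgrade will not overwrite them.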

Congratulations, you have taken a good first step in securing your server.

I will link my article on further hardening once it is finished, if you wish to take your security a few steps further.

Also, if you have any topics you would like me to cover, please let me know in the comments.

Install the latest LAMP stack on Ubuntu 16.04 Server


A guide to installing the latest Apache2, MariaDB server, and PHP 7+ on Ubuntu 16.04.

Note: You will need sudo access for the commands in this article

Step 1: Update / Upgrade Ubuntu

First, update Ubuntu's package manager.

sudo apt-get update && sudo apt-get upgrade

Next we need to install some packages that allow us to add more repositories to apt:

sudo apt-get install software-properties-common language-pack-en

After those have been installed we need to add a few repositories maintained by Ondrej. They contain the latest packages as maintained by the Debian Apache/PHP/Nginx teams, with a couple of compatibility patches on top.

sudo add-apt-repository ppa:ondrej/php
sudo add-apt-repository ppa:ondrej/apache2
sudo add-apt-repository ppa:ondrej/nginx

Once the new repositories have been added, we need to update/upgrade the package manager again:

sudo apt-get update && sudo apt-get upgrade

After the latest packages have been installed we are finally ready to start installing the stack.

First we have Apache:

sudo apt install apache2

Followed by PHP 7 and the most common extensions I usually require.

Note: You can install any version of PHP from 5.6 to 7.2 by replacing 7.0 below with the version number you want. Using 5.6 is not recommended as it is EOL, and 7.1/7.2 may not be supported by all packages out there.

sudo apt install php7.0 php7.0-bcmath php7.0-curl php7.0-cli php7.0-gd php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-zip php7.0-json php7.0-tidy

sudo apt install libapache2-mod-php7.0

The last part of the stack is the MySQL server. Here we are going to install MariaDB Server 10. It is a drop-in replacement for MySQL Server 5.7 and is regarded as a faster, more secure alternative.

sudo apt install mariadb-server

Followed by setting it up for the first time:

sudo mysql_secure_installation

Here is the basic walk-through of the setup:

Enter current password for root - Press the Enter/Return key

Set root password? - Y - Type in a secure password twice. You are going to want something secure here, especially if you plan on using a web GUI to manage your databases

Remove anonymous users? - Y - This removes the default/test user accounts

Disallow root login remotely? - Y - Makes the root user only accessible from localhost / 127.0.0.1

Remove test database and access to it? - Y - Removes the test databases/tables, a security threat and not for production

Reload privilege tables now? - Y - Refreshes the authentication tables and enforces the changes above

Congratulations, you have successfully installed the LAMP stack.