https://www.raphael-muench.de/docs/vserver.html

Linux vServer Tips (Debian 9.3)

This is work in progress: there is some content now, expect more in 2018 :-)

Deny SSH Root access
SSH Login Banner
Hiding the SSH service version
A simple firewall script
Enabling Fail2Ban
Enabling HTTP 2.0 in Apache
Enabling HTTP Strict Transport Security in Apache
Enabling Perfect Forward Secrecy in Apache
Choosing stronger ciphers in Apache
Enabling modsecurity in Apache
Setting up an email server with Postfix, spam detection and imap access
Hiding Apache Version and other sensitive information
Setting up Mutt for accessing emails
Setting up an expire header in Apache
Disable Apache2 status
Linux Kernel Security Hardening
Deny SSH Root Access

In "/etc/ssh/sshd_config" add these lines (or change the existing directives: sshd uses the first value it finds for a keyword, so an earlier "PermitRootLogin yes" left in the file would win over a line appended at the end):
PermitRootLogin no
AllowUsers youruser
"AllowUsers" is an allow-list: every account not named there is refused. Make sure "youruser" exists and can become root (e.g. via sudo) before you restart sshd, and keep your current session open while testing, otherwise you lock yourself out of the server.

SSH Login Banner

In "/etc/ssh/sshd_config" add this line:
Banner /etc/ssh/sshd-banner
The banner is shown to everyone who connects, before authentication, so it should not contain anything about the host itself. Create "/etc/ssh/sshd-banner" as a simple text file with a text like this:
============================================
==                                        ==
==                                        ==
==       www.raphael-muench.de            ==
==                                        ==
==                                        ==
============================================


ALERT! You are entering into a secured area!
============================================

Your IP, Login Time, Username has been noted
and has been sent to the server administrator!

This service is restricted to authorized users
only. All activities on this system are logged.

Unauthorized access will be fully investigated
and reported to the appropriate law enforcement
agencies.

Hiding the SSH service version

In "/etc/ssh/sshd_config" add this line:
DebianBanner no
This only removes the Debian package revision that Debian appends to the version string; the upstream version (on Debian 9 "SSH-2.0-OpenSSH_7.4p1") is part of the protocol handshake and is still sent, so a scanner still learns which OpenSSH release you run. Treat this as cosmetic, not as protection: keeping the package patched is what matters.
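As an added example (not part of the original page), a small POSIX shell audit that checks an sshd_config for the settings from the "Deny SSH Root Access", "SSH Login Banner" and "Hiding the SSH service version" sections. It reproduces the rule that bites when lines are appended to an existing file: sshd takes the first value it sees for a keyword and ignores later duplicates, and directives inside a Match block are conditional, so the lookup stops at the first Match line. The two sample files and the user name "youruser" are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the directives this page sets.
# sshd uses the FIRST value it sees for a keyword (later duplicates are
# ignored), and directives inside a "Match" block only apply conditionally,
# so the lookup stops at the first Match line.

# sshd_effective FILE KEYWORD -> prints the first value of KEYWORD outside Match blocks
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # skip comments and blanks
        tolower($1) == "match" { exit }                    # conditional section starts
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# sshd_audit FILE -> 0 if root login is denied, an AllowUsers list exists,
# a banner is configured and the Debian version suffix is hidden; 1 otherwise
sshd_audit() {
    f="$1"; rc=0
    [ "$(sshd_effective "$f" PermitRootLogin)" = "no" ] || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(sshd_effective "$f" AllowUsers)" ]          || { echo "FAIL: no AllowUsers allow-list"; rc=1; }
    [ -n "$(sshd_effective "$f" Banner)" ]              || { echo "FAIL: no Banner configured"; rc=1; }
    [ "$(sshd_effective "$f" DebianBanner)" = "no" ]    || { echo "FAIL: DebianBanner is not 'no'"; rc=1; }
    return $rc
}

# Constructed sample 1: the page's lines were appended AFTER an existing
# "PermitRootLogin yes", so sshd still allows root.
SAMPLE_BAD=$(mktemp)
cat >"$SAMPLE_BAD" <<'EOF'
Port 22
PermitRootLogin yes
# hardening additions
PermitRootLogin no
AllowUsers youruser
Banner /etc/ssh/sshd-banner
DebianBanner no
EOF

# Constructed sample 2: hardened; the trailing Match block is ignored by the lookup.
SAMPLE_GOOD=$(mktemp)
cat >"$SAMPLE_GOOD" <<'EOF'
Port 22
PermitRootLogin no
AllowUsers youruser
Banner /etc/ssh/sshd-banner
DebianBanner no
Match User git
    X11Forwarding no
EOF

sshd_audit "$SAMPLE_BAD"  || echo "sample 1: not hardened (the first PermitRootLogin wins)"
sshd_audit "$SAMPLE_GOOD" && echo "sample 2: hardened"
```

On the real host the authoritative check is sshd itself: "sshd -t" validates the syntax and "sshd -T" prints the effective values after all parsing (for example "sshd -T | grep -i permitrootlogin"). Run both from a session you keep open before restarting the service.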

A simple firewall script file

My Linux server is a virtual one and I am not allowed to build kernel modules,
so iptables with the geoblocking module won't work.
Therefore I wrote a small C++ program which downloads two files with the German networks (IPv4 and IPv6).
My aim is to allow incoming traffic for HTTP, HTTPS and SMTP, but to restrict access for management traffic from foreign countries.
You can download my program here

Enabling Fail2Ban

apt-get install fail2ban
This is my jail.conf. If you start from the package's file, put your own values into "/etc/fail2ban/jail.local" (same syntax) instead: jail.conf is replaced on package upgrades, jail.local is read after it and overrides it.
# Fail2Ban configuration file.

[DEFAULT]

ignoreip = 127.0.0.1/8

bantime  = 600

findtime = 600
maxretry = 3

backend = auto

usedns = yes

banaction = iptables-multiport

protocol = tcp

chain = INPUT

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
Note that this jail is named [ssh] and sets maxretry = 6, which overrides the 3 from [DEFAULT] for SSH only. The fail2ban 0.9.x shipped in Debian 9 calls its stock SSH jail [sshd]; if you enable that one as well, two jails watch the same log with different thresholds, so keep one of them.
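As an added example (not fail2ban's own code), the counting rule of the [ssh] jail above replayed in POSIX shell with awk over constructed auth.log lines: every "Failed password" line is attributed to its source address, and an address is reported once it has maxretry failures within findtime seconds, which is what the sshd filter together with the jail settings does. The log lines, the host name "vs" and the addresses are constructed; all lines are assumed to be from one day, since syslog timestamps carry no year and the example only converts the time of day.

```shell
#!/bin/sh
# Added example: replay the [ssh] jail's counting rule over auth.log lines.
# Counts "Failed password" events per source IP and prints an IP once it has
# >= maxretry failures inside a findtime-second window ending at the latest
# failure, which is how fail2ban decides to ban.

# ssh_ban_candidates FINDTIME MAXRETRY < auth.log  -> prints IPs, one per line
ssh_ban_candidates() {
    awk -v findtime="$1" -v maxretry="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # $3 is HH:MM:SS; convert to seconds since midnight (one-day assumption)
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            if (ip == "" || banned[ip]) next
            n[ip]++; ts[ip, n[ip]] = now
            # count this IP'"'"'s failures that are still inside the window
            c = 0
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) c++
            if (c >= maxretry) { banned[ip] = 1; print ip }
        }
    '
}

# Constructed sample log (not from a real host):
#  - 203.0.113.5 fails six times within ten seconds
#  - 198.51.100.7 fails three times spread over an hour, then logs in
SAMPLE_LOG='Jan 10 10:00:01 vs sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:02 vs sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:03 vs sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:04 vs sshd[1204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 10:00:05 vs sshd[1205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 10:00:09 vs sshd[1207]: Failed password for root from 203.0.113.5 port 40006 ssh2
Jan 10 10:05:00 vs sshd[1206]: Failed password for youruser from 198.51.100.7 port 50001 ssh2
Jan 10 10:30:00 vs sshd[1208]: Failed password for youruser from 198.51.100.7 port 50002 ssh2
Jan 10 10:31:00 vs sshd[1209]: Accepted publickey for youruser from 198.51.100.7 port 50003 ssh2
Jan 10 11:05:00 vs sshd[1210]: Failed password for youruser from 198.51.100.7 port 50004 ssh2'

# With the jail's values (findtime 600, maxretry 6) only the burst is banned;
# the slow failures from 198.51.100.7 never reach the threshold inside a window.
printf '%s\n' "$SAMPLE_LOG" | ssh_ban_candidates 600 6
```

On the real host, "fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf" shows how many lines the real filter matches, and "fail2ban-client status ssh" lists the addresses the jail has banned. Running the function with the [DEFAULT] values (600 3) instead of the jail's (600 6) shows how much earlier the burst is caught, while a window of two hours is needed before the slow guesser from 198.51.100.7 is reported.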

Enabling HTTP 2.0 in Apache

The point is: in Debian Jessie the apache2 version is 2.4.10, but HTTP/2 was added in version 2.4.17. Debian 9 (Stretch) ships apache2 2.4.25, which already contains mod_http2, so on Stretch skip the testing repository and start at "a2enmod http2". On Jessie you have to install the apache2 package from Debian testing with the following commands (the pin priority 300 is below the 500 of stable, so only packages you explicitly request with "-t testing" come from testing):
sudo su -c 'echo "deb http://http.debian.net/debian testing main" > /etc/apt/sources.list.d/testing.list'
sudo apt-get update

sudo bash -c 'cat >/etc/apt/preferences.d/testing' <<EOF
Package: *
Pin: release a=testing
Pin-Priority: 300
EOF

sudo apt-get install -y -t testing apache2

sudo a2enmod http2
sudo apachectl -t && sudo systemctl restart apache2
Within the <VirtualHost> configuration you have to add the line:
Protocols h2 h2c http/1.1
"h2" is HTTP/2 over TLS, which is what browsers use; "h2c" is cleartext HTTP/2, which no browser negotiates, so it can be dropped on an HTTPS-only host. mod_http2 also needs the event MPM: with mpm_prefork, Apache 2.4.27 and later silently fall back to HTTP/1.1, so switch from mpm_prefork to mpm_event (which means PHP cannot be loaded as mod_php, because that module requires prefork).

Enabling HTTP Strict Transport Security

See here

You have to add this line to the <VirtualHost> that serves HTTPS (browsers ignore the header when it arrives over plain HTTP, so the HTTP host should just redirect to HTTPS):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Also you have to execute an "a2enmod headers" and restart Apache.
max-age is in seconds, so this pins browsers to HTTPS for one year, and with "includeSubDomains" every subdomain has to be reachable over HTTPS for that time; check your subdomains before enabling it. "always" makes sure the header is also sent with error responses.

Enabling Perfect Forward Secrecy in Apache

Forward secrecy comes from the key exchange, not from this directive: only ECDHE ("EECDH") and DHE ("EDH") suites provide it, because the session key is agreed per connection and cannot be recovered later from a captured handshake if the server's RSA key leaks. The line below makes the server, not the client, choose the cipher suite, so that the PFS suites you list first in SSLCipherSuite (next section) are actually used instead of whatever the client prefers. Add it to your <VirtualHost>:

SSLHonorCipherOrder     on

Choosing stronger ciphers in Apache

You have to add these lines to your <VirtualHost>:

SSLHonorCipherOrder on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol TLSv1.2
Every suite in this list uses an ECDHE or DHE key exchange, so the whole list provides forward secrecy, and the AES-GCM (AEAD) suites come first. "SSLProtocol TLSv1.2" enables only TLS 1.2 (it is a list of enabled versions, not a minimum), so clients that only speak TLS 1.0 or 1.1 can no longer connect; that is fine for a personal server, but check the mail and monitoring clients that talk to it.

Enabling modsecurity in Apache



Setting up an email server with Postfix, spam detection and imap access


Have a look here

Hiding Apache Version and other sensitive information

Debian already sets these two directives in /etc/apache2/conf-enabled/security.conf (as "ServerTokens OS" and "ServerSignature On"), and that file is included after most of apache2.conf, so change them there rather than adding a second copy to apache2.conf that would be overridden (unless you put it after the IncludeOptional lines at the very end):
ServerTokens Prod
ServerSignature Off
"Prod" reduces the Server header to "Apache" without version, OS or module list; "Off" removes the version footer from error pages and directory listings.
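As an added example (not from the page or from Apache), a POSIX shell check for the outcome of the HTTP/2, HSTS and ServerTokens sections above, run over a captured response header block such as "curl -sI --http2 https://your.host/" prints. Both header blocks below are constructed; note that HTTP/2 responses carry lower-case header names, which is why the matching is case-insensitive.

```shell
#!/bin/sh
# Added example: audit a captured HTTPS response header block for the three
# things this page configures: HTTP/2 negotiated, an HSTS header with a long
# max-age, and a Server header that does not leak version or OS.
# All check functions read the header block on stdin.

# header_value NAME < headers -> value of the first matching header (case-insensitive, CR stripped)
header_value() {
    tr -d '\r' | awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -F': *' '
        tolower($1) == name { sub(/^[^:]*: */, ""); print; exit }'
}

# h2_check: the status line must start with "HTTP/2" (curl prints "HTTP/2 200")
h2_check() { tr -d '\r' | head -n1 | grep -q '^HTTP/2 '; }

# hsts_check MIN_AGE: Strict-Transport-Security present with max-age >= MIN_AGE seconds
hsts_check() {
    v=$(header_value Strict-Transport-Security)
    age=$(printf '%s' "$v" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge "$1" ]
}

# server_token_check: Server header absent or exactly "Apache" (ServerTokens Prod)
server_token_check() {
    v=$(header_value Server)
    [ -z "$v" ] || [ "$v" = "Apache" ]
}

# tls_header_audit < headers -> 0 if all three checks pass, 1 otherwise (prints FAIL lines)
tls_header_audit() {
    hdrs=$(cat); rc=0
    printf '%s\n' "$hdrs" | h2_check            || { echo "FAIL: HTTP/2 not negotiated"; rc=1; }
    printf '%s\n' "$hdrs" | hsts_check 31536000 || { echo "FAIL: HSTS missing or max-age below one year"; rc=1; }
    printf '%s\n' "$hdrs" | server_token_check  || { echo "FAIL: Server header leaks version/OS"; rc=1; }
    return $rc
}

# Constructed sample: what a host with the page's settings returns (HTTP/2 lower-cases header names)
HARDENED='HTTP/2 200
date: Wed, 10 Oct 2018 10:00:00 GMT
server: Apache
strict-transport-security: max-age=31536000; includeSubDomains
content-type: text/html'

# Constructed sample: Debian defaults (ServerTokens OS, no HSTS, no HTTP/2)
LEAKY='HTTP/1.1 200 OK
Date: Wed, 10 Oct 2018 10:00:00 GMT
Server: Apache/2.4.25 (Debian) OpenSSL/1.0.2l
Content-Type: text/html'

printf '%s\n' "$HARDENED" | tls_header_audit && echo "hardened sample: OK"
printf '%s\n' "$LEAKY"    | tls_header_audit || echo "leaky sample: see FAIL lines above"
```

Feed real output in with "curl -sI --http2 https://your.host/ | tls_header_audit". For the forward-secrecy and cipher sections there is a matching negative test: "openssl s_client -connect your.host:443 -cipher kRSA" must end in a handshake failure, because every suite the page lists uses an ECDHE or DHE key exchange and plain RSA key exchange is no longer offered by the server.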

Setting up Mutt for accessing emails


This is the configuration of my ~/.muttrc :
Fstab


Setting up an expire header in Apache

sudo a2enmod expires
open your virtual host configuration file and add the lines below ("now" and "access" mean the same thing, the time of the request):

ExpiresActive On
ExpiresByType image/gif "access plus 1 months"
ExpiresByType image/jpg "access plus 1 months"
ExpiresByType image/jpeg "access plus 1 months"
ExpiresByType image/png "access plus 1 months"
ExpiresByType image/vnd.microsoft.icon "access plus 1 months"
ExpiresByType image/x-icon "access plus 1 months"
ExpiresByType image/ico "access plus 1 months"
ExpiresByType application/javascript "now plus 1 months"
ExpiresByType application/x-javascript "now plus 1 months"
ExpiresByType text/javascript "now plus 1 months"
ExpiresByType text/css "now plus 1 months"
ExpiresDefault "access plus 1 days"
then:
/etc/init.d/apache2 restart
Because JavaScript and CSS are now cached for a month, a changed file needs a new file name or query string before browsers fetch it again; keep that in mind when you ship a fix to a script.

Disable Apache2 status

a2dismod status
then restart Apache. mod_status serves /server-status with request and client details (on Debian it is limited to localhost by default); the price of disabling it is that "apachectl fullstatus" no longer works.

Linux Kernel Security Hardening

These are some more advanced security options. The kernel is complex and works at a low level; broken down from a security perspective it covers file systems, networking, processes,
debugging, and more. Which of these settings exist depends on the kernel you are running, and on a vServer the provider's kernel may not let you change all of them.

The kernel's settings are changed through the sysctl interface: use the sysctl command, or edit the "/etc/sysctl.conf" file (or a drop-in file under /etc/sysctl.d/) and load it with "sysctl -p".

Open the "/etc/sysctl.conf" file and add:
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Turn on and log spoofed, source routed, and redirect packets
# (can be noisy on a public server; watch the kernel log after enabling it)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Full address space randomisation against automated remote exploits
# (2 = also randomise the heap/brk area; this is already the Debian default,
# a value of 1 would weaken it). "kernel.exec-shield" is a Red Hat only
# setting and does not exist on Debian kernels, sysctl -p errors on it.
kernel.randomize_va_space = 2

# Tune IPv6: no router solicitations, no address autoconfiguration
# ("default." only applies to interfaces created after the setting is loaded;
# add the same keys under net.ipv6.conf.all. for interfaces that already exist)
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

# Increase system file descriptor limit
fs.file-max = 65535

# Allow for more PIDs (prevention of fork() failure error message)
kernel.pid_max = 65536

# Widen the ephemeral (local) port range
net.ipv4.ip_local_port_range = 2000 65000

# Tuning the network stack: raise the maximum socket send (wmem) and receive (rmem) buffer sizes to 8 MB for all protocols
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608

# TCP buffers: minimum, initial and maximum size (maximum 12 MB)
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912

# Length of the input queue for packets that arrive faster than the kernel can process them
net.core.netdev_max_backlog = 5000

# Enable window scaling so the TCP window can grow beyond 64 KB
net.ipv4.tcp_window_scaling = 1
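As an added example (not part of the page), a POSIX shell check that lists the keys of a sysctl fragment that have no entry under /proc/sys on the running kernel, so a Red Hat only key like "kernel.exec-shield", or a key a vServer kernel does not expose, is found before "sysctl -p" fails on it. The fragment, the fake /proc/sys tree and the optional second argument (a root directory used here to test against that fake tree) are constructed for the example; on a real host run the function with only the first argument against /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: before loading a sysctl fragment, verify that every key in it
# exists on the running kernel. A key with no /proc/sys entry (kernel.exec-shield
# on Debian, or net.* keys a container kernel hides) makes `sysctl -p` print an
# error and skip that line, so the rest of the hardening silently stays partial.
# The optional ROOT argument (assumption for this example) replaces /proc/sys
# so the check can run against a constructed tree.

# sysctl_keys FILE -> keys from "key = value" lines; '#' and ';' comments and blanks skipped
sysctl_keys() {
    sed -e 's/[#;].*//' -e 's/^[[:space:]]*//' "$1" \
        | awk -F'[[:space:]]*=' 'NF >= 2 { print $1 }'
}

# sysctl_missing FILE [ROOT] -> prints keys with no entry under ROOT (default /proc/sys);
# returns 1 if any are missing, 0 if all exist
sysctl_missing() {
    root="${2:-/proc/sys}"; rc=0
    for key in $(sysctl_keys "$1"); do
        # sysctl maps the dots of a key to path separators
        # (interface names containing dots must be written with '/' in the file)
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        [ -e "$path" ] || { echo "$key"; rc=1; }
    done
    return $rc
}

# Constructed fragment: three keys from this page plus the Red Hat only one
FRAGMENT=$(mktemp)
cat >"$FRAGMENT" <<'EOF'
# constructed sysctl fragment
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
kernel.randomize_va_space = 2
kernel.exec-shield = 1
EOF

# Constructed fake /proc/sys tree with the keys a Debian kernel exposes
FAKE=$(mktemp -d)
mkdir -p "$FAKE/net/ipv4/conf/all" "$FAKE/kernel"
: >"$FAKE/net/ipv4/tcp_syncookies"
: >"$FAKE/net/ipv4/conf/all/rp_filter"
: >"$FAKE/kernel/randomize_va_space"

sysctl_missing "$FRAGMENT" "$FAKE" || echo "the keys above would fail under: sysctl -p $FRAGMENT"
```

After a clean run, load the file with "sysctl -p /etc/sysctl.conf" (or "sysctl --system" for the drop-ins) and confirm a value with, for example, "sysctl net.ipv4.tcp_syncookies"; on an OpenVZ or LXC vServer the key may exist but still be read-only, which the write step reports and this existence check cannot.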



Copyright (c) 2017, 2018 Raphael Münch, last change: 2018-10-10