Server Security

Web server security is the protection of information assets that can be accessed from a web server. It is important for any organization that has a physical or virtual web server connected to the Internet, it requires a layered defense, and it is especially important for organizations with customer-facing websites. Server security comes down to the confidentiality, integrity and availability of the appropriate information, together with authentication. A leaky server can cause serious harm to an organisation, which is why security is the most complex topic the modern world is concerned about. A security breach costs the organisation money as well as goodwill. Databases store confidential and sensitive information, so safeguarding crucial information from being stolen and misused is one of an organisation's most important tasks.

  • SSH login (weak passwords).

  • User login (stale and unnecessary accounts).

  • Firewall (open network ports).

  • Update (old software versions).

  • Disable password login (allow SSH key login only) and disable root login.

  • Fail2ban (block failed attempts).

  • CPU running (server performance).

  • rkhunter (malware detection).

  • Port 8080 should not be shown in the URL.

1. SSH Login

SSH is a secure protocol used as the primary means of connecting to Linux servers remotely. It provides a text-based interface by spawning a remote shell. After connecting, all commands you type in your local terminal are sent to the remote server and executed there. SSH stands for Secure Shell and provides a safe and secure way of executing commands, making changes, and configuring services remotely. When you connect through SSH, you log in using an account that exists on the remote server.
Whenever you create a user, don't forget to set up SSH authentication for that account.

2. User login

A user's account details show the login details as well as what users are doing on the system. The following commands display them.

$ id is a simple command-line utility for displaying the real and effective user and group IDs.

$ groups shows all the groups a user belongs to.

$ finger root searches for information about a user on Linux. It doesn't come pre-installed on many Linux systems. It shows a user's real name, home directory, shell, login name and time, and much more.

$ grep -i username /etc/passwd uses grep, a powerful pattern-searching tool available on most if not all Linux systems, to find information about a specific user in the system accounts file /etc/passwd.

$ last displays a list of the users who last logged in to the system.

$ users shows the usernames of all users currently logged on to the system.

$ who -u displays the users who are logged on to the system, including the terminals they are connecting from.
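The commands above show accounts one at a time; the following added example (not part of the original page) turns them into a quick audit for stale or unnecessary accounts. Both functions read /etc/passwd- or /etc/shadow-format text on stdin, so they run on a saved copy as well as on the live files; which shells count as non-interactive is an assumption stated in the code.

```shell
#!/bin/sh
# Added example (not from the original page): find accounts that deserve review
# when hunting for stale or unnecessary users.

# Print accounts whose login shell is interactive, as user:uid:shell.
# Assumption: shells ending in nologin, false, sync, halt or shutdown are
# non-interactive; every other shell is treated as a real login to review.
list_interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $3 ":" $7 }'
}

# Print accounts from shadow-format input whose password field is empty,
# i.e. no password at all, as opposed to locked ("!" or "*") or hashed.
list_empty_passwords() {
    awk -F: '$2 == "" { print $1 }'
}

# Constructed sample data (not from a real system) for a dry run.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
olddev:x:1001:1001:Old Developer:/home/olddev:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/sh'

SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
olddev::19000:0:99999:7:::
deploy:!:19000:0:99999:7:::'

# Dry run on the samples. On a real host:
#   list_interactive_accounts < /etc/passwd
#   list_empty_passwords < /etc/shadow      (as root)
printf '%s\n' "$SAMPLE_PASSWD" | list_interactive_accounts
printf '%s\n' "$SAMPLE_SHADOW" | list_empty_passwords
```

Every account the first function lists should either be a known person still needing access or be locked with a non-interactive shell; the second function should print nothing.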

3. Firewall

Forgetting to secure and configure a dedicated server's firewall is a common mistake and a huge security flaw. A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It typically establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet. Going into the firewall's configuration lets you remove unnecessary software that is connected to the Internet; leaving it exposed makes your server and its ports vulnerable to intrusion.

$ sudo apt-get install ufw (installs the firewall on the server).

  • $ sudo ufw allow 80

  • $ sudo ufw allow 22

  • $ sudo ufw allow 8080
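The rules above say which ports are meant to be open; the added example below (not from the original page) checks what is actually listening against that list. It reads the output of `ss -tln` on stdin, takes the intended ports as its first argument, and assumes that sockets bound to 127.0.0.0/8 or [::1] are local-only and need no firewall rule.

```shell
#!/bin/sh
# Added example (not from the original page): report listening sockets that are
# reachable from the network but missing from the list of ports you meant to
# expose, so a forgotten service shows up before an attacker finds it.

unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                 # skip the ss header line
        {
            addr = $4                           # "Local Address:Port" column
            m = split(addr, parts, ":")
            port = parts[m]                     # last field also works for [::]:22
            # Assumption: loopback-only binds are not network-exposed.
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
            if (!(port in ok)) print addr
        }'
}

# Constructed "ss -tln" output (not from a real host) for a dry run.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       100     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'

# Dry run: with only 22 and 80 intended, the listener on 8080 is flagged;
# the MySQL port is ignored because it is bound to loopback.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80"
# On a real host: ss -tln | unexpected_listeners "22 80 8080"
```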

4. Update

Although having fully patched software does not necessarily mean your server is fully secure, it is still very important to update your operating system and any other software running on it with the latest security patches. To this day, hacking incidents still occur because attackers took advantage of and exploited unpatched servers and software.

apt-get update doesn't actually install new versions of software. Instead, it refreshes the package lists, so that packages needing an upgrade, as well as new packages that have just arrived in the repositories, are known to the system; the installation itself is done by apt-get upgrade.

5. Disable password login / allow SSH key login only.

Open the SSH configuration file with $ nano /etc/ssh/sshd_config and set the following options. These settings enable the security features described below.

  • PermitRootLogin no

  • PubkeyAuthentication yes

  • PasswordAuthentication no

If " PermitRootLogin " is set to No, it defines that you can't enter the server via the Root. You will have to enter only through the user. If set to YES defines you can enter through the root.

" PubkeyAuthentication " Yes define you need the private key to enter to the server, NO define you don't need Private key to enter the server. "PasswordAuthentication " No define server not require the sever password to login, it only opened via ssh Private key, YES defines it required the password to login. Then restart the ssh $ /etc/init.d/sshd restart .

6. Fail2ban

Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Linode. When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring.

Install Fail2ban with: apt-get install fail2ban

Go to the Fail2ban directory: cd /etc/fail2ban

The jail.conf file will enable Fail2ban for SSH by default for Debian and Ubuntu, but not CentOS. All other protocols and configurations (HTTP, FTP, etc.) are commented out. If you want to change this, create a jail.local for editing:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Once the file is copied, open the jail.local copy to see how things are set up by default and make your edits there:

sudo nano /etc/fail2ban/jail.local

Make the changes needed to configure Fail2ban according to your requirements:

ignoreip = 127.0.0.1/8 xxx.x.x.xxx yyy.y.y.yyy (Fail2ban will not ban a host that matches an address in this list)

bantime = 3600 (the number of seconds that a host is banned)

findtime = 86400 (the window, in seconds, within which failures are counted; a host is banned if it reaches maxretry failures within this period)

maxretry = 3 (the number of failures before a host gets banned)

destemail = root@localhost (destination email address used solely for the interpolations in actions)

sender = root@localhost (sender email address used solely for some actions)

# SSH servers
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5

Afterwards, restart Fail2ban to apply the new rules: sudo service fail2ban restart

Ban notifications sent to destemail can be read in the local mailbox: $ nano /var/mail/root

7. CPU running

The Linux kernel is an incredible circus performer, carefully juggling many processes and their resource needs to keep your server humming along. The kernel is also all about equity: when there is competition for resources, the kernel tries to distribute those resources fairly. A particular process might consume too much CPU and affect the performance of the whole system. Since that process consumes most of the CPU, you can't do other tasks; you have to wait for that process to finish before starting a new one.

top will display what is using your CPU. If you have it installed, htop gives you more fine-grained control, including sorting and filtering by CPU usage.

$ sudo apt install cputool (installs a tool for limiting the CPU share of a process).

Use the $ top command and find the process that takes too much CPU load. Find the PID (process id) of that process and limit it to the CPU share you want, such as 50% or 20%.

Here 50 defines the target CPU percentage for that process and 8275 the PID of that particular process.

8. RKHunter

(Rootkit Hunter) Rootkits are software secretly installed by a malicious intruder to allow that user continued access to the server once security has been breached. This is an extremely dangerous problem, because even after the entry vector the intruder originally used to gain access is fixed, they can continue to enter the server using the rootkit they installed. Change to the root directory.

Configure RKHunter by making these changes in its configuration (the values must be quoted without surrounding spaces):

  • CRON_DAILY_RUN="true"

  • CRON_DB_UPDATE="true"

  • DB_UPDATE_EMAIL="true"

Open and configure one more file; this is what sends mail to your address about malware detections.

$ nano /etc/rkhunter.conf and make the required changes there.

Now update it with $ rkhunter --update

Now run the command to start the scan. $ rkhunter --check --sk

You can check the log file for warnings: $ nano /var/log/rkhunter.log

9. Disable :8080 in the URL

See the linked guide for implementing this.