Table of Contents
Linux Server Administration
HTTPS Security
You can check the security level of your web server with several web tools, for example https://www.ssllabs.com/ssltest. The report lists the actions to take to increase the security level.
Apache: disable SSLv3
This must be done in the Apache configuration file /etc/apache2/apache2.conf. Add this line at the end of the file:
SSLProtocol All -SSLv2 -SSLv3
How to prevent DDoS attacks
UFW
The first thing to do on a Linux server is to install a firewall with strict default rules. I use https://help.ubuntu.com/community/UFW (Uncomplicated FireWall) which is the default on Ubuntu:
sudo apt-get install ufw
UFW relies on iptables and makes network rules easy to manage.
After installation, ufw is not yet enabled. This is a good thing, because it is better to add your own IP to the whitelist first, otherwise you could be locked out of your remote server. You also have to allow the SSH port to keep remote access to the server.
# Allow your IP (xxx.xxx.xxx.xxx)
sudo ufw allow from xxx.xxx.xxx.xxx
# Allow SSH
sudo ufw allow 22
# Allow also HTTP and HTTPS if you have a web server
sudo ufw allow 80
sudo ufw allow 443
After that, you can safely enable the firewall:
sudo ufw enable
To check status:
sudo ufw status verbose
Then, to ban an IP:
sudo ufw deny from yyy.yyy.yyy.yyy
In fact, it is better to add deny rules at the beginning of the list, because for iptables and ufw the first rule matching an IP is applied and the others are ignored. This means that if your deny rule comes after a rule allowing a port for all IPs, it will never be reached. To insert the rule in first position:
sudo ufw insert 1 deny from yyy.yyy.yyy.yyy
fail2ban and UFW
fail2ban is a server daemon that automatically bans the IP addresses of attackers. To do that, fail2ban reads system logs (especially /var/log/auth.log) and adds a rule to block IP addresses that repeatedly fail to access your server. It is useful to block unwanted ssh access attempts.
When fail2ban is installed together with ufw, it must be configured to ban through ufw. Otherwise, the two will conflict over the iptables rules.
First create an action for ufw in the fail2ban configuration:
- /etc/fail2ban/action.d/ufw-ssh.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH
Then activate the ssh jail by modifying /etc/fail2ban/jail.conf. I also decided to ban attackers for 1 year:
...
# Ignore my own IP in order to avoid being locked outside
ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx

# "bantime" is the number of seconds that a host is banned.
# 1 year
bantime = 31536000

# Default banning action
banaction = ufw-ssh

# Activate ssh jail
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
...
Finally, reload configuration:
sudo service fail2ban restart
Under DDOS attack?
The following command can help you identify a DDoS attack and the IP addresses at its source:
netstat -ntu | awk '{if(NR>2)print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It prints, for each connected IP, the number of open connections:
  5 xxx.xxx.xxx.xxx
158 yyy.yyy.yyy.yyy
Usually, when an IP holds a high number of open connections, like yyy.yyy.yyy.yyy here, it is probably trying to DDoS you. That is the time to ban it using ufw.
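The same counting logic as the one-liner above, as an added example that is not part of the original page. It reads "netstat -ntu" output on stdin, strips only the trailing ":port" so that IPv6 peers (whose addresses contain colons) are counted correctly, and reports the peers above a threshold; the netstat sample is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: per-IP connection count from "netstat -ntu" output,
# with a threshold filter to spot a peer that may be flooding the server.

# Constructed sample of "netstat -ntu" output (two header lines, then connections).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40022      ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::1234:55001    ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::1234:55002    ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.7:5353        ESTABLISHED'

# connections_per_ip: read netstat output on stdin and print "<count> <ip>",
# sorted by count ascending. Field 5 is "Foreign Address" as "addr:port";
# removing only the last ":digits" keeps IPv6 addresses intact.
connections_per_ip() {
    awk 'NR > 2 { sub(/:[0-9]+$/, "", $5); print $5 }' | sort | uniq -c | sort -n
}

# suspicious_ips THRESHOLD: print only the peers with more than THRESHOLD connections.
# Usage on a live server:  netstat -ntu | suspicious_ips 100
suspicious_ips() {
    connections_per_ip | awk -v t="$1" '$1 > t { print $2 }'
}
```

The threshold depends on your normal traffic; check a busy but healthy period first so that legitimate proxies or NAT gateways are not mistaken for an attacker.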
nmd
No More DDoS (nmd) is a simple script that automatically bans an IP when its number of connections exceeds the configured limit. See http://us.informatiweb-pro.net/system-admin/linux/17--debian-ubuntu-centos-block-ddos-attacks-with-no-more-ddos-formerly-ddos-deflate.html (by Lionel Eppe).
I modified the script a little in order to use ufw to ban addresses. There is also an issue with the installed cron script:
- The name of the cron script must not contain a dot (modify the CRON variable in /usr/local/nmd/ndm.conf/agent.conf).
- The second cron command in the file is missing the user root.
The correct cron script must look like this:
- /etc/cron.d/nmd
* * * * * root /usr/local/nmd/nmd-agent.sh >> /var/log/nmd-agent.log 2>&1
0 0 */7 * 0 root echo > /var/log/nmd-agent.log 2>&1
Use IPTables to limit NEW traffic on port 80 and 443
The idea is to limit the number of new connections per minute to mitigate a DDoS. This is done on ports 80 (HTTP) and 443 (HTTPS).
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
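An added example (not from the original page) that turns the two rules above into a complete fragment in iptables-restore format. The point it adds is ordering: a rate-limited ACCEPT only has an effect if a later rule drops the new connections that exceed the limit, otherwise a default ACCEPT policy or a later "accept all" rule lets them through anyway. The ESTABLISHED,RELATED rule and the final multiport DROP are this example's additions; rate and burst values are the page's and are parameters here.

```shell
#!/bin/sh
# Added example: ordered iptables-restore fragment for rate-limiting NEW
# connections on ports 80 and 443. Place it before any general ACCEPT rule.

# web_ratelimit_rules [RATE] [BURST]: print the fragment on stdout.
# Defaults match the page (50/minute, burst 200); comments are accepted by iptables-restore.
web_ratelimit_rules() {
    rate="${1:-50/minute}"
    burst="${2:-200}"
    cat <<EOF
*filter
# Keep packets of already accepted connections flowing.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept at most $rate new connections (burst $burst) per web port ...
-A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit $rate --limit-burst $burst -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit $rate --limit-burst $burst -j ACCEPT
# ... and drop every new connection to those ports that exceeded the limit.
# Without this line the surplus would still be accepted by the chain policy.
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j DROP
COMMIT
EOF
}

# rules_are_ordered [RATE] [BURST]: exit 0 only when the catch-all DROP
# comes after both limited ACCEPT rules, i.e. the fragment is effective.
rules_are_ordered() {
    web_ratelimit_rules "$@" | awk '
        /-j ACCEPT/ && /--dport/ { last_accept = NR }
        /-j DROP/                { drop = NR }
        END { exit !(drop > last_accept) }'
}
```

To apply the fragment on a live server, pipe it into iptables-restore with --noflush so existing rules are kept (web_ratelimit_rules | sudo iptables-restore --noflush), then verify the order with iptables -L INPUT -n --line-numbers.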
Ban an IP address using IPTables
iptables -A INPUT -s XXX.XXX.XXX.XXX -j DROP
To get the list of blocked IP:
iptables -L INPUT -v -n
Be sure your newly added rule comes before any "ACCEPT all" rule, otherwise it will never be reached. If necessary, you can choose where the rule goes with -I (insert) and a rule number instead of -A (append):
iptables -I INPUT 3 -s XXX.XXX.XXX.XXX -j DROP
Save IPTables rules automatically and permanently
Use the iptables-persistent package under Ubuntu.
sudo apt-get install iptables-persistent
If you want to manually save rules:
sudo service iptables-persistent save
SSH
If your server has an SSH server running, it is obvious that people will try to log in by brute force. You can use sshguard to prevent this kind of attack. sshguard adds new IPTables rules to ban the IP addresses doing the attacks. To install it, just:
sudo apt-get install sshguard
Note: ssh protection is also done by fail2ban. I don't know which is the best one, but it is probably not necessary to have both together.
Login with certificate
First generate a pair of keys on the client:
ssh-keygen
Then copy the public key to the server. The command ssh-copy-id does all the work for you:
ssh-copy-id user@server
After that, you should be able to log in via ssh without needing the password.
logwatch
Logwatch can send you a formatted view of the system logs by email every morning. It is useful to check the health of your server every day.
First, copy default config file to change settings:
sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
Then, to receive the report by email, modify the cron job and add the --mailto option:
- /etc/cron.daily/00logwatch
#!/bin/bash
# Check if removed-but-not-purged
test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0
# execute
/usr/sbin/logwatch --output mail --mailto my.email@domain.tld
Slow server diagnostic
See this very good flow chart to help with slow server cases: http://blog.scoutapp.com/articles/2014/07/31/slow_server_flow_chart