    What is the recommended configuration for a Linux server?

    How to lock down a Linux server and run the web server as a low-privileged user.

    Overview

    All Linux servers are locked down to the highest security standards possible. All services are off by default and all ports are shut. Only the required services are started.

    To lock down a server:-

    Install only the required packages

    sudo add-apt-repository ppa:webupd8team/java
    sudo apt-get update
    sudo apt-get install openssh-server denyhosts vim oracle-java7-installer postgresql landscape-client htop lynx-cur

    Firewall: close all ports and open them only as required. This reduces the attack surface.

    Ubuntu has a simple firewall configuration tool called ufw which is really just a simplified iptables interface.

    sudo ufw allow ssh
    sudo ufw allow imap
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw disable
    sudo ufw enable

    Redirect the high permission ports 80 (http) and 443 (https) up to a port range that can be accessed by the low permission user running the web service. The ports can be redirected with the following iptables rules in the nat table:

    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

    Create a low permission user to run the web server

    Avoid running any custom code or the web server as a high permission user. A security flaw in either the web server or your code is exploited with the privileges of the user that runs the web server.

    sudo groupadd www-data

    sudo useradd -g www-data -m -s /bin/bash webapps

    Prevent direct access to functional accounts including ROOT

    Never allow direct SSH access to the ROOT account or any other functional account such as webapps. Each administrator who should have access to these accounts must log in under their own user account and then sudo to the correct functional account.

    To block all SSH access to ROOT add the option "PermitRootLogin no" to /etc/ssh/sshd_config

    sudo vi /etc/ssh/sshd_config <--- PermitRootLogin no

    Increase the file handles for the user that runs the web server

    This will help handle DoS attacks and cope with a large number of slow clients.

    Set the system wide maximum file handles:-

    sudo vi /etc/sysctl.conf 

    fs.file-max=65535

    Allow the low permission user 'webapps', through its group www-data, to open the maximum possible number of files.

    sudo vi /etc/security/limits.conf

    @www-data          soft     nofile         65535
    @www-data          hard     nofile        65535

    After rebooting, check that the maximum number of open files has been increased.

    sudo -u webapps -i "ulimit -a" 

    core file size (blocks, -c) 0
    data seg size (kbytes, -d) unlimited
    scheduling priority (-e) 0
    file size (blocks, -f) unlimited
    pending signals (-i) 386171
    max locked memory (kbytes, -l) 64
    max memory size (kbytes, -m) unlimited
    open files (-n) 65535
    pipe size (512 bytes, -p) 8
    POSIX message queues (bytes, -q) 819200
    real-time priority (-r) 0
    stack size (kbytes, -s) 8192
    cpu time (seconds, -t) unlimited
    max user processes (-u) 386171
    virtual memory (kbytes, -v) unlimited
    file locks (-x) unlimited
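
A read-only check of the steps above, as an added example that is not from the original page: it parses copies of sshd_config, limits.conf and an iptables-save dump and compares them with the values this page sets. The function names and the choice to pass file paths as arguments are assumptions of this example.

```shell
# Added example: read-only audit of the settings from this page.
# File paths are parameters so it can also run against copies of the configs.

# Effective global value of an sshd_config keyword. sshd keeps the FIRST value
# it reads for a keyword, keywords are case-insensitive, and lines after a
# "Match" line are conditional, so stop there. Prints "unset" if absent.
sshd_setting() {  # usage: sshd_setting FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }   # skip comments and blank lines
        tolower($1) == "match"      { exit }   # conditional section starts
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# limits.conf value, e.g. limits_value FILE @www-data hard nofile.
# Type "-" sets both soft and hard; the last matching line is reported.
limits_value() {
    awk -v d="$2" -v t="$3" -v i="$4" '
        /^[ \t]*#/ { next }
        $1 == d && ($2 == t || $2 == "-") && $3 == i { v = $4 }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# Port that traffic to PORT is redirected to, from iptables-save style rules.
redirect_target() {  # usage: redirect_target FILE PORT
    awk -v p="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            dport = to = ""
            for (n = 3; n < NF; n++) {
                if ($n == "--dport")    dport = $(n + 1)
                if ($n == "--to-ports") to = $(n + 1)
            }
            if (dport == p && to != "") { print to; found = 1; exit }
        }
        END { if (!found) print "none" }' "$1"
}

# Compare against the values used on this page; non-zero exit on any mismatch.
audit() {  # usage: audit SSHD_CONFIG LIMITS_CONF RULES_FILE
    rc=0
    [ "$(sshd_setting "$1" PermitRootLogin)" = no ] || { echo "FAIL: PermitRootLogin"; rc=1; }
    [ "$(limits_value "$2" @www-data hard nofile)" = 65535 ] || { echo "FAIL: nofile"; rc=1; }
    [ "$(redirect_target "$3" 80)" = 8080 ] || { echo "FAIL: port 80 redirect"; rc=1; }
    [ "$(redirect_target "$3" 443)" = 8443 ] || { echo "FAIL: port 443 redirect"; rc=1; }
    return $rc
}
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

On a live host, `sudo sshd -T` prints the effective sshd configuration, and `sudo iptables-save -t nat` produces a rules dump that can be passed as the third argument.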