tags: Security Linux

Easy guide to basic settings for hardening the security of Debian-based Linux

Assume you have installed all of the required software on the server and are ready to hand it over to the developers. Before doing so, it is recommended to install and perform the following steps to harden your system.

1. Install harbian-audit

What this tool is for:

This is a tool that can audit the system and automatically harden it to one of several hardening levels, based on the STIG Red_Hat_Enterprise_Linux_7_V2R5, the STIG Ubuntu V1R2, cisecurity.org benchmarks and HardenedLinux community recommendations.

Source code and manual:

The source code and further usage details can be found at https://github.com/hardenedlinux/harbian-audit

Installation guide:

First, if you installed Debian GNU/Linux using the "Network install from a minimal CD" option, you need to install a few packages before using the hardening tool (you may need sudo rights if you are not root):

apt-get install -y bc net-tools pciutils network-manager 

For Red Hat/CentOS, install these packages instead before using the hardening tool:

yum install -y bc net-tools pciutils NetworkManager epel-release 

Then run the following commands to install it:

$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init

Then you can apply an automatic hardening level to the system based on your needs, for example:

# bin/hardening.sh --set-hardening-level <level number>
# bin/hardening.sh --apply 

It is recommended to read the instructions on GitHub carefully if you intend to use hardening level 4 or above.

I would recommend using level 2 if you don't know what this is or are too lazy to read it, as level 2 usually won't break any system or make the system confusing to use afterwards.

2. Install chkrootkit, rkhunter, ClamAV, and finally LMD

Please install the above-mentioned software in the order given in the title.

Installation of chkrootkit and rkhunter:

Their installation is quite straightforward, without much configuration you could mess up, so I won't cover it in detail here.

Install guide for chkrootkit: https://linuxhint.com/install_chkrootkit/

Download rkhunter from:
https://rkhunter.sourceforge.net/

Installation of ClamAV:

For ClamAV you will of course need its on-access scanning function. If you mess up the installation (even just the order) and try to reinstall too many times, ClamAV's update repository may temporarily block your IP from accessing it, so later installation attempts fail. If the installation fails more than 3 times, I would recommend waiting another 24 hours before trying to reinstall it again.

Installing clamav-daemon:

To install in the correct order, first install clamd, which is part of the clamav-daemon package:

sudo apt install clamav-daemon

After the installation is done, your system will have a clamav-daemon service; when you run:

systemctl status clamav-daemon

its output should look like this:

● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           └─extend.conf
   Active: active (running) since Sun 2021-06-20 14:41:15 CST; 5min ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
 Main PID: 31942 (clamd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/clamav-daemon.service
           └─31942 /usr/sbin/clamd --foreground=true

The configuration file is stored in /etc/clamav/clamd.conf. When you have time, read its manual with:

man clamd.conf

Check that ClamAV is installed correctly by testing the connection to the clamd socket:

clamdscan -p 3

If it responds with PONG, the connection is working; anything else means ClamAV is not installed correctly.

For more details, or a Chinese guide on running scans manually, see:
https://officeguide.cc/linux-clamav-antivirus-clamd-daemon-installation-configuration-tutorial-examples/

Installing the ClamAV on-access service:

After installing clamav-daemon, let's set up the on-access service (which makes ClamAV keep scanning idle and incoming files, as a normal anti-virus would).

First, add the following settings to the config file /etc/clamav/clamd.conf:

# The path the on-access scanner will watch, including its sub-folders and files.
# You may add multiple lines if you want it to watch multiple targets.
OnAccessIncludePath /home

# Prevent processes from accessing infected files
OnAccessPrevention true

# Exclude the clamav user from on-access scanning
OnAccessExcludeUname clamav

# Monitor the whole root filesystem
OnAccessMountPath /

# Exclude all processes running as root
OnAccessExcludeRootUID yes

In my case, using ClamAV's default user "clamav" didn't work well for me, as this user and group cannot access many folders. Of course you may install an ACL tool to set the access rights, because some people are concerned that running clamav as root is not safe. But I usually don't care, for multiple reasons, so I usually change the service to run as root by changing

User clamav

Into

User root

Then run the commands below to create a folder that serves as the quarantine, and turn the on-access service on:

sudo mkdir /root/quarantine
sudo clamonacc -F --log=/var/log/clamav/clamonacc --move=/root/quarantine

The command means:
-F: forcibly turn on or restart the on-access scanner
--log: write all on-access scanner logs to the given path
--move: move infected files to the given folder, which serves as the quarantine

For the reference Chinese guide, see:
https://officeguide.cc/linux-clamav-antivirus-clamonacc-installation-configuration-tutorial-examples/

Create a service so the on-access function turns on at system boot:

BUT! You won't want to run it manually every time the system is restarted, especially since there is a good chance you will forget. Saving it as a shell script and running it with a cron job would be one option, but in my experience that often fails for no obvious reason, so the most stable way is to create your own service for it and have it run automatically on boot.

Doing so is actually easier than you might think: add a systemd unit by creating a new file /etc/systemd/system/clamav-onacc.service and put this config inside it:

[Unit]
Description=ClamAV On Access Service
Requires=clamav-daemon.service
After=clamav-daemon.service syslog.target network.target

# A [Timer] section only belongs in a .timer unit; systemd ignores it
# (with a warning) inside a .service file, so none is used here.

[Service]
Type=simple
User=root
ExecStart=/usr/sbin/clamonacc -F --log=/var/log/clamav/clamonacc --move=/root/quarantine
Restart=on-failure
RestartSec=120s

[Install]
WantedBy=multi-user.target

Sometimes clamonacc is installed in /usr/bin instead; check and adjust the path. If you run the on-access function as root, you need to pass the --fdpass argument to avoid errors, so the unit looks like this instead:

[Unit]
Description=ClamAV On Access Service
Requires=clamav-daemon.service
After=clamav-daemon.service syslog.target network.target

# A [Timer] section only belongs in a .timer unit; systemd ignores it
# (with a warning) inside a .service file, so none is used here.

[Service]
Type=simple
User=root
ExecStart=/usr/sbin/clamonacc -F --fdpass --log=/var/log/clamav/clamonacc --move=/root/quarantine
Restart=on-failure
RestartSec=120s

[Install]
WantedBy=multi-user.target

After that, enable the service to start on boot and activate it now with:

sudo systemctl enable clamav-onacc.service && sudo systemctl start clamav-onacc

Make sure the service is active and running correctly, without errors or warnings, by checking its status with:

systemctl status clamav-onacc
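Once the on-access service is running, the log named in --log is the place to look for what it caught and whether the --move quarantine actually happened. The following shell script is an added example (not part of the original note) that summarises such a log. The sample lines are constructed to mirror the usual "<path>: <signature> FOUND" layout of clamd scanner output; the exact format of a live clamonacc log is an assumption, so check a real line from /var/log/clamav/clamonacc before relying on the patterns.

```bash
#!/bin/sh
# Added example: triage a clamonacc log (constructed sample, runs offline).

# Build a small constructed log in a temp file so this runs without clamav.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/home/alice/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/alice/notes.txt: OK
/home/bob/tmp/dropper.sh: Unix.Trojan.Generic-1 FOUND
/home/bob/tmp/dropper.sh: moved to '/root/quarantine/dropper.sh'
EOF
    echo "$f"
}

# Number of detections: one " FOUND" line per infected file.
count_found() {
    grep -c ' FOUND$' "$1"
}

# Unique home-directory owners with at least one detection, space-separated.
users_with_hits() {
    grep ' FOUND$' "$1" | awk -F/ '$2=="home"{print $3}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# One-line report: detections, how many were moved to quarantine, affected users.
# A gap between the two counts means a file was found but not quarantined.
report() {
    log="$1"
    found=$(count_found "$log")
    moved=$(grep -c 'moved to ' "$log")
    printf 'detections=%s quarantined=%s users=%s\n' "$found" "$moved" "$(users_with_hits "$log")"
}

# Stand-alone run: summarise the constructed log.
LOG=$(make_sample_log)
report "$LOG"
```

On a real host replace make_sample_log with the path from the unit's --log option; the "quarantined" count lagging "detections" is the condition worth alerting on.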

3. Install Fail2ban

A very easy to install and maintain alternative to fail2ban, called CrowdSec, is open source and free to use for its basic functions. If you are interested and don't mind some information being stored in the cloud, you may visit:

https://hackmd.io/@mkaa/rkLSywvMR

for more details.

This is one of the best tools: it detects suspicious behaviour on a system that is connected to the internet and serves something like SSH or a web server, and bans IPs that try to brute-force passwords, attempt injection, or are simply flagged on AbuseIPDB.

Installing it is quite straightforward; just type:

apt install fail2ban

It will start and work automatically with some useful default configuration.

If you want to customise it, the configuration file is usually stored in /etc/fail2ban/jail.conf. You had better back up jail.conf first, then amend the jail rules carefully; its comments explain in detail what every config line does.

To communicate with fail2ban, including unbanning someone, simply use fail2ban-client.

#Quick Manual
fail2ban-client --help

#Detailed Manual
man fail2ban-client
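A routine use of fail2ban-client is reviewing who a jail has banned, for example to spot an operator address that tripped the rules. The shell script below is an added example (not from the original note) that parses the `fail2ban-client status <jail>` tree into plain values. The status text is a constructed sample that follows the usual layout fail2ban prints; the addresses and the allowlist prefix are placeholders.

```bash
#!/bin/sh
# Added example: parse fail2ban-client status output (constructed sample).

# Constructed stand-in for: fail2ban-client status sshd
sample_status() {
    cat <<'EOF'
Status for the jail: sshd
|- Filter
|  |- Currently failed:   3
|  |- Total failed:       41
|  `- File list:          /var/log/auth.log
`- Actions
   |- Currently banned:   2
   |- Total banned:       17
   `- Banned IP list:     192.0.2.10 198.51.100.7
EOF
}

# status_field TEXT LABEL: value after "LABEL:" in the status tree.
status_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2:[[:space:]]*//p"
}

# Banned addresses, one per line.
banned_ips() {
    status_field "$1" "Banned IP list" | tr ' ' '\n' | grep -v '^$'
}

# banned_in_allowlist TEXT PREFIX: how many banned addresses fall inside a
# range you never want banned (e.g. the admin VPN); "|| true" keeps grep's
# "no match" exit status from aborting callers running under set -e.
banned_in_allowlist() {
    banned_ips "$1" | grep -c "^$2" || true
}

# Stand-alone run over the constructed sample.
STATUS=$(sample_status)
echo "currently banned: $(status_field "$STATUS" 'Currently banned')"
banned_ips "$STATUS"
echo "banned inside 198.51.100.0/24: $(banned_in_allowlist "$STATUS" '198.51.100.')"
```

To run it against a live jail, replace the body of sample_status with `fail2ban-client status sshd`; an address reported by banned_in_allowlist is the one to release with `fail2ban-client set sshd unbanip <ip>` and then add to the jail's ignoreip.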

4. Configure the firewall

Just a very basic concept: no matter whether you use iptables, firewalld or UFW, they all work the same way, as iptables at the very bottom level. Block all UDP traffic if it is not necessary, and it is recommended to block all incoming traffic by default and manually whitelist the IPs you want to be able to access your system.
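The policy just described (default-deny inbound, no UDP, explicit source allowlist) written out as an nftables ruleset, which is what Debian ships as the iptables backend. This is an added example, not the note's own configuration: the script only generates and prints the ruleset so it can be reviewed, and the allowlisted addresses and port are constructed placeholders. Note that established/related traffic is accepted before the UDP drop, so replies to the host's own outbound DNS queries still get through.

```bash
#!/bin/sh
# Added example: generate a default-deny nftables ruleset from an allowlist.
# Nothing is loaded into the kernel; review the file, then `nft -f <file>`.

# gen_ruleset "ADDR ADDR ..." PORT: print an inet filter table to stdout.
gen_ruleset() {
    allow="$1"; port="$2"
    printf 'table inet filter {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n'
    # Replies to our own outbound connections (including UDP DNS) stay allowed.
    printf '    ct state established,related accept\n'
    printf '    ct state invalid drop\n'
    # Unsolicited UDP is dropped outright, matching the advice above.
    printf '    meta l4proto udp drop\n'
    # One explicit accept per allowlisted source, TCP only, new connections only.
    for src in $allow; do
        printf '    ip saddr %s tcp dport %s ct state new accept\n' "$src" "$port"
    done
    printf '  }\n'
    printf '  chain forward { type filter hook forward priority 0; policy drop; }\n'
    printf '  chain output { type filter hook output priority 0; policy accept; }\n'
    printf '}\n'
}

# Number of source-keyed accept rules (should equal the allowlist size).
count_allow_rules() {
    gen_ruleset "$1" "$2" | grep -c 'ip saddr'
}

# Pre-load sanity check: the input chain must carry policy drop.
has_default_drop() {
    if gen_ruleset "$1" "$2" | grep -q 'hook input priority 0; policy drop;'; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: write the ruleset for two constructed admin addresses.
out=$(mktemp)
gen_ruleset "192.0.2.10 192.0.2.11" 22 > "$out"
cat "$out"
```

Before loading a ruleset like this over SSH, keep a second session open or schedule `nft flush ruleset` with `at` a few minutes ahead, so a mistake in the allowlist does not lock you out.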

5. Disable SSH root login

Remember to go to /etc/ssh/sshd_config and set PermitRootLogin to no.
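Both this step and the clamd.conf edits in section 2 (User, the OnAccess* settings) come down to the same operation: make sure one "Key value" directive is set in a config file, whether the stock file has it commented out, set to another value, or missing. The shell function below is an added example (not from the original note) that does this idempotently, so it is safe to re-run from a provisioning script. It operates on constructed temp copies; the paths and the sample file contents are placeholders, and it is meant for single-valued directives only (OnAccessIncludePath may legitimately appear several times, as the note says).

```bash
#!/bin/sh
# Added example: idempotent "Key value" setter for sshd_config/clamd.conf style files.

# active_value FILE KEY: value of the last uncommented KEY line ("" if none).
active_value() {
    awk -v k="$2" '$1==k {v=$2} END {print v}' "$1"
}

# needs_change FILE KEY VALUE: "no" when every uncommented KEY line already
# carries VALUE (and at least one exists), otherwise "yes". Checking every
# active line matters for sshd_config, where the first match wins.
needs_change() {
    awk -v k="$2" -v v="$3" '
        $1==k { n++; if ($2!=v) bad++ }
        END { if (n>0 && bad==0) print "no"; else print "yes" }' "$1"
}

# set_directive FILE KEY VALUE
#  - rewrites every existing KEY line (commented out or not) to "KEY VALUE"
#  - appends "KEY VALUE" when the key is absent
#  - leaves the file untouched when the value is already in effect
set_directive() {
    file="$1"; key="$2"; val="$3"
    [ "$(needs_change "$file" "$key" "$val")" = "no" ] && return 0
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $val|" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# Stand-alone demo on constructed copies (never the live files).
demo() {
    f=$(mktemp)
    # Constructed fragment of a stock sshd_config with the default commented out.
    printf '%s\n' 'Port 22' '#PermitRootLogin prohibit-password' 'X11Forwarding yes' > "$f"
    set_directive "$f" PermitRootLogin no
    set_directive "$f" PermitRootLogin no    # second run is a no-op
    c=$(mktemp)
    # Constructed fragment of clamd.conf.
    printf '%s\n' 'User clamav' 'LogFile /var/log/clamav/clamav.log' > "$c"
    set_directive "$c" OnAccessIncludePath /home
    set_directive "$c" OnAccessPrevention true
    cat "$f"; echo ---; cat "$c"
}
demo
```

When applying this to the real /etc/ssh/sshd_config, run `sshd -t` before restarting the service so a malformed line cannot leave you without SSH access; indented PermitRootLogin lines inside Match blocks are rewritten too, so review them in the diff.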