Security
Linux
Assume you have installed all of the required software on the server and are ready to hand it over to the developers. It is recommended to install the following tools and perform the following steps to harden the system.
This is a tool that audits the system and can automatically harden it to one of several hardening levels, based on the STIG for Red Hat Enterprise Linux 7 (V2R5), the STIG for Ubuntu (V1R2), the CIS benchmarks (cisecurity.org) and the HardenedLinux community recommendations.
The source code and further usage details can be found at https://github.com/hardenedlinux/harbian-audit
First, if you installed Debian GNU/Linux with the "Network install from a minimal CD" option, you need to install some packages before using the hardening tool; you will need sudo rights if you are not the root user:
For Red Hat/CentOS, install these packages instead before using the hardening tool:
Then run the following to install it:
Then apply an auto-hardening level to the system according to your needs, for example:
Read the instructions on GitHub carefully before using hardening level 4 or above.
I would recommend level 2 if you do not know what this is or do not want to read it all: level 2 normally does not break the system or change how you use it afterwards.
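The whole procedure above (prerequisites, checkout, audit, then a level-2 apply) as one script. This is an added example, not code from the page or from the harbian-audit project; the prerequisite package lists and the bin/hardening.sh flags follow the project README as I recall it, and the checkout location /opt/harbian-audit is an assumption, so check both against the repository before running it.

```sh
#!/bin/sh
# Added example, not from the page or the harbian-audit project: fetch
# harbian-audit, install the prerequisites for the detected distribution,
# audit the host, then apply hardening level 2. Assumptions: the prerequisite
# package lists and the bin/hardening.sh flags follow the project README as
# I recall it (verify against the repository before use); the checkout goes to
# /opt/harbian-audit. Run as root.
set -eu

HARBIAN_DIR="${HARBIAN_DIR:-/opt/harbian-audit}"   # assumed checkout location
LEVEL="${LEVEL:-2}"                                  # level 2: the safe default

# harbian-audit levels run 1..5; refuse anything else before touching the host.
validate_level() {
    case "$1" in
        1|2|3|4|5) return 0 ;;
        *) return 1 ;;
    esac
}

# Prerequisite install command per distribution ID from /etc/os-release
# (package names are an assumption taken from the README's quick start).
prereq_cmd() {
    case "$1" in
        debian|ubuntu)               echo "apt-get install -y git bc net-tools pciutils" ;;
        rhel|centos|rocky|almalinux) echo "yum install -y git bc net-tools pciutils" ;;
        *) return 1 ;;
    esac
}

detect_distro() {
    # shellcheck disable=SC1091
    . /etc/os-release
    echo "$ID"
}

install_harbian() {
    [ -d "$HARBIAN_DIR" ] || git clone https://github.com/hardenedlinux/harbian-audit.git "$HARBIAN_DIR"
    cd "$HARBIAN_DIR"
    cp etc/default.cfg /etc/default/cis-hardening
    sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$HARBIAN_DIR'#" /etc/default/cis-hardening
    bin/hardening.sh --init
}

apply_level() {
    validate_level "$1" || { echo "hardening level must be 1-5, got: $1" >&2; return 1; }
    cd "$HARBIAN_DIR"
    bin/hardening.sh --audit-all                 # audit first and read the report
    bin/hardening.sh --set-hardening-level "$1"
    bin/hardening.sh --apply                     # level 4+ can break services: read the docs first
}

main() {
    cmd=$(prereq_cmd "$(detect_distro)") || { echo "unsupported distribution" >&2; exit 1; }
    $cmd
    install_harbian
    apply_level "$LEVEL"
}

# Run only when asked, so the functions can be sourced or tested on their own.
if [ "${HARBIAN_RUN:-0}" = 1 ]; then
    main
fi
```

Usage: `HARBIAN_RUN=1 LEVEL=2 sh harden.sh`. The audit runs before the apply on purpose: the audit report tells you which checks a given level will change, which is the part you want to read before going above level 2.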
Please install the software mentioned above in the order of the titles below.
Their installation is quite direct, without much configuration you could mess up, so I will not cover it in detail here.
For the install guide of chkrootkit: https://linuxhint.com/install_chkrootkit/
For downloading RKHunter:
https://rkhunter.sourceforge.net/
For ClamAV, you will of course need its on-access scanning function. Be careful: if you mess up the installation (including the order) and reinstall too many times, ClamAV's signature update repository may temporarily block your IP, and every later installation will fail at the signature download. So if the installation fails more than three times, wait another 24 hours before trying again.
To install it in the correct order, first install clamd, which is part of the clamav-daemon package:
After the installation is done, your system will have a clamav-daemon service; when you run the command:
It may look like this:
The configuration file is /etc/clamav/clamd.conf. Read its manual when you have time with:
Check that ClamAV is installed correctly by testing the connection to the clamd socket:
If it responds PONG, the connection is working; anything else means ClamAV is not installed correctly.
For further details, or a Chinese guide to running a scan manually, see:
https://officeguide.cc/linux-clamav-antivirus-clamd-daemon-installation-configuration-tutorial-examples/
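The install-and-verify steps above as one script, ending with the PING/PONG check. This is an added example, not code from the page or the ClamAV project. It assumes Debian/Ubuntu paths (the socket /var/run/clamav/clamd.ctl set by LocalSocket in /etc/clamav/clamd.conf) and an OpenBSD-style netcat with -U support; the first signature download is done with freshclam in the foreground so the failure the page warns about (a blocked mirror) is visible immediately instead of leaving clamd unable to start.

```sh
#!/bin/sh
# Added example (not from the page or ClamAV): install clamav-daemon on
# Debian/Ubuntu, fetch the first signature set, and verify that clamd answers
# PING with PONG on its UNIX socket. Assumptions: Debian's socket path below,
# netcat-openbsd (nc -U), systemd. Run as root.
set -eu

SOCKET="${SOCKET:-/var/run/clamav/clamd.ctl}"   # LocalSocket in clamd.conf

# Interpret a reply from clamd. The PING command is answered with exactly
# "PONG"; anything else (empty, "Connection refused", ...) is a failure.
check_pong() {
    case "$1" in
        PONG) return 0 ;;
        *)    return 1 ;;
    esac
}

# Send PING over the UNIX socket and print whatever comes back.
clamd_ping() {
    command -v nc >/dev/null || { echo "nc not installed" >&2; return 1; }
    printf 'PING\n' | nc -U "$SOCKET" -w 2
}

install_clamd() {
    apt-get update
    apt-get install -y clamav clamav-daemon
    # clamd refuses to start without main.cvd/daily.cvd, so fetch them now.
    # The freshclam service holds a lock on the database dir; stop it first.
    systemctl stop clamav-freshclam
    if ! freshclam; then
        echo "signature download failed; if this keeps happening you are" >&2
        echo "probably rate-limited by the mirror: wait 24h before retrying" >&2
        return 1
    fi
    systemctl start clamav-freshclam
    systemctl enable --now clamav-daemon
}

verify_clamd() {
    systemctl --no-pager status clamav-daemon || true
    reply=$(clamd_ping 2>/dev/null || true)
    if check_pong "$reply"; then
        echo "clamd at $SOCKET is healthy"
    else
        echo "clamd did not answer PONG (got: '$reply'); see journalctl -u clamav-daemon" >&2
        return 1
    fi
}

# Run only when asked, so the functions can be sourced or tested on their own.
if [ "${CLAMAV_RUN:-0}" = 1 ]; then
    install_clamd
    verify_clamd
fi
```

Usage: `CLAMAV_RUN=1 sh install-clamd.sh`. Because clamd only listens after the first database load, a failed `verify_clamd` right after install usually means freshclam has not finished or was blocked, not that the package is broken.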
After installing clamav-daemon, install the on-access service (which makes ClamAV scan files as they are opened or written, the way a normal antivirus does).
First, add the on-access settings to the config file /etc/clamav/clamd.conf:
In my case, ClamAV's default user "clamav" did not work well, as this user and group cannot access many folders. You could of course install the ACL tool and grant the access rights, since some people are concerned that running clamav as root is unsafe, but I usually do not worry about that, for several reasons. So I usually change the service to run as root, by changing
into
Then run the commands below to create a folder that serves as the quarantine, and turn the on-access scanner on:
The command means:
-F (--foreground): run clamonacc in the foreground instead of daemonising, which is what you want when a service manager (or your terminal) supervises it
--log=FILE: write the on-access scanner's log to the given file
--move=DIR: move any infected file into the given folder, which serves as the quarantine
For the reference Chinese guide, you may check:
https://officeguide.cc/linux-clamav-antivirus-clamonacc-installation-configuration-tutorial-examples/
BUT! You will not want to run this by hand every time the system restarts, especially since you will very likely forget. Saving it as a shell script and running it from a cron job is one choice, but in my experience that often fails for no obvious reason, so the most stable way is to create your own service for it and let it start on boot automatically.
Doing so is easier than you think: add a systemd unit by creating a new file at /etc/systemd/system/clamav-onacc.service with this content:
Sometimes clamonacc is installed in /usr/bin instead; check and confirm the path. If you run the on-access scanner as root, you also need to pass the argument --fdpass to avoid errors, so the unit looks like this instead:
After that, enable the service to start on boot and activate it now with:
Please make sure the service is active and running without errors or warnings by checking its status with:
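The on-access setup and the systemd unit above combined into one idempotent script. This is an added example, not code from the page or the ClamAV project. It assumes ClamAV 0.102 or newer (where clamonacc exists), the Debian path /etc/clamav/clamd.conf, /home as the watched directory and /root/quarantine as the quarantine; following the page it runs clamd and clamonacc as root and therefore adds --fdpass, and it resolves the clamonacc path with `command -v` so the /usr/sbin versus /usr/bin difference is handled automatically.

```sh
#!/bin/sh
# Added example (not from the page or ClamAV): turn on clamonacc on-access
# scanning with a quarantine directory, write a systemd unit for it, and
# verify the unit. Assumptions: ClamAV >= 0.102, Debian's clamd.conf path,
# WATCH_DIR=/home, QUARANTINE=/root/quarantine, and the page's choice of
# running as root (hence --fdpass). Run as root.
set -eu

WATCH_DIR="${WATCH_DIR:-/home}"
QUARANTINE="${QUARANTINE:-/root/quarantine}"
LOGFILE="${LOGFILE:-/var/log/clamav/clamonacc.log}"
CLAMD_CONF="${CLAMD_CONF:-/etc/clamav/clamd.conf}"
UNIT=/etc/systemd/system/clamav-onacc.service

# Build the ExecStart line. $1 is the clamonacc path (/usr/sbin or /usr/bin),
# $2 the user the unit runs as. When that user is root, --fdpass hands the
# open file descriptor to clamd so it can scan files it could not open itself.
build_exec_start() {
    bin="$1"; user="$2"
    line="$bin -F --log=$LOGFILE --move=$QUARANTINE"
    [ "$user" = root ] && line="$line --fdpass"
    echo "$line"
}

# Append a directive to clamd.conf only if that exact line is not there yet,
# so re-running the script never duplicates settings.
ensure_conf() {
    grep -qxF "$1" "$CLAMD_CONF" || echo "$1" >> "$CLAMD_CONF"
}

configure_clamd() {
    sed -i 's/^User .*/User root/' "$CLAMD_CONF"   # the page's choice; see the ACL remark above
    ensure_conf "OnAccessIncludePath $WATCH_DIR"
    ensure_conf "OnAccessPrevention yes"           # block access to infected files, not just log
    ensure_conf "OnAccessExcludeUname clamav"
    # Needed to stop the scanner reacting to its own moves when clamd runs as root;
    # the trade-off is that root's own file writes are not scanned on access.
    ensure_conf "OnAccessExcludeRootUID yes"
    mkdir -p "$QUARANTINE"
    chmod 700 "$QUARANTINE"
    systemctl restart clamav-daemon
}

write_unit() {
    bin=$(command -v clamonacc || echo /usr/sbin/clamonacc)
    cat > "$UNIT" <<EOF
[Unit]
Description=ClamAV On-Access Scanner
Requires=clamav-daemon.service
After=clamav-daemon.service

[Service]
Type=simple
User=root
ExecStart=$(build_exec_start "$bin" root)
Restart=on-failure
RestartSec=30s

[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable --now clamav-onacc.service
    systemctl --no-pager status clamav-onacc.service
}

# Run only when asked, so the functions can be sourced or tested on their own.
if [ "${ONACC_RUN:-0}" = 1 ]; then
    configure_clamd
    write_unit
fi
```

Usage: `ONACC_RUN=1 sh clamav-onacc.sh`. `Restart=on-failure` with `RestartSec=30s` matters here: clamonacc exits if clamd is not yet accepting connections at boot, and the retry covers that window without a cron job.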
A very easy-to-install-and-maintain replacement for fail2ban exists, called CrowdSec, which is open source and free to use for the basic functions. If you are interested and do not mind some of the information being stored in the cloud, you may visit:
https://hackmd.io/@mkaa/rkLSywvMR
for more details.
This is one of the best tools: it detects suspicious behaviour on a system that is connected to the internet and serves something like SSH or a web server, and bans the IPs that try to brute-force passwords, attempt injection, or are simply flagged on AbuseIPDB.
Installing it is quite straightforward; simply type:
It will start and work automatically with some useful default configuration.
If you want to customise it, the main configuration file is /etc/fail2ban/jail.conf. Do not edit that file directly, as package upgrades overwrite it: put your changes in /etc/fail2ban/jail.local, which overrides jail.conf, and amend the jail rules carefully. The comments in jail.conf explain what every setting does.
To communicate with fail2ban, including unbanning someone, simply use fail2ban-client.
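The install, the jail.local override and the fail2ban-client tasks above as one script. This is an added example, not code from the page or the fail2ban project; it assumes Debian/Ubuntu with systemd, and ADMIN_IP (203.0.113.10, a documentation address) is a hypothetical admin host that must never be banned. The unban helper validates the address before handing it to fail2ban-client, since that argument usually arrives from a ticket or chat message rather than a trusted source.

```sh
#!/bin/sh
# Added example (not from the page or fail2ban): install fail2ban, enable the
# sshd jail through /etc/fail2ban/jail.local (never by editing jail.conf), and
# wrap fail2ban-client for the routine status and unban tasks.
# Assumptions: Debian/Ubuntu with systemd; ADMIN_IP is hypothetical. Run as root.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # assumed admin address (TEST-NET-3 range)
JAIL_LOCAL=/etc/fail2ban/jail.local

# Accept only a dotted quad with every octet in 0..255. This rejects garbage
# such as "1.2.3.4; rm -rf /" before it ever reaches fail2ban-client.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# jail.local overrides jail.conf section by section; only the changed keys
# need to be present here.
write_jail_local() {
    cat > "$JAIL_LOCAL" <<EOF
[DEFAULT]
# never ban loopback or the admin host
ignoreip = 127.0.0.1/8 ::1 $ADMIN_IP
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
EOF
}

install_fail2ban() {
    apt-get install -y fail2ban
    write_jail_local
    systemctl enable --now fail2ban
    systemctl restart fail2ban          # pick up jail.local
    fail2ban-client status sshd         # shows currently banned addresses
}

# Unban an address from a jail, e.g. unban sshd 198.51.100.7
unban() {
    jail="$1"; ip="$2"
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    fail2ban-client set "$jail" unbanip "$ip"
}

# Run only when asked, so the functions can be sourced or tested on their own.
if [ "${F2B_RUN:-0}" = 1 ]; then
    install_fail2ban
fi
```

Usage: `F2B_RUN=1 sh fail2ban-setup.sh` to install, then `. ./fail2ban-setup.sh; unban sshd 198.51.100.7` to lift a ban. `fail2ban-client status sshd` is the first thing to run when a colleague reports being locked out: it lists the banned addresses so you can confirm the ban before removing it.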
Just a very basic concept: whether you use iptables, firewalld or UFW, they are all front ends for the same kernel packet filter (netfilter) at the bottom level. Block all UDP traffic if it is not necessary, block all incoming traffic by default, and manually whitelist the IPs that should be able to access your system.
Remember to go to /etc/ssh/sshd_config, set PermitRootLogin to no, and check the file with `sshd -t` before reloading the SSH service.
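The default-deny firewall and the sshd change above as one script. This is an added example, not code from the page; it assumes Debian/Ubuntu with ufw and openssh-server installed, and ADMIN_IP (203.0.113.10, a documentation address) is a hypothetical admin host that is whitelisted for SSH. The sshd edit is idempotent: it replaces an existing PermitRootLogin line whether it is commented out or not, so a second run does not leave two conflicting directives, and it runs `sshd -t` before reloading so a typo cannot lock you out of the box.

```sh
#!/bin/sh
# Added example (not from the page): default-deny inbound firewall with UFW,
# one whitelisted admin address for SSH, and a safe, repeatable edit of
# /etc/ssh/sshd_config that sets PermitRootLogin no.
# Assumptions: Debian/Ubuntu, ufw and openssh-server installed, GNU sed;
# ADMIN_IP is hypothetical. Run as root.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # assumed admin address (TEST-NET-3 range)
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Set KEY to VALUE in an sshd_config-style file: rewrite every existing
# occurrence (commented out or not, any case) or append the directive.
# sshd honours the first match, so leaving a second copy would be ambiguous.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -qiE "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

harden_sshd() {
    cp -n "$SSHD_CONFIG" "$SSHD_CONFIG.bak" || true
    set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
    sshd -t -f "$SSHD_CONFIG"                 # refuse to reload a broken config
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
}

apply_firewall() {
    ufw --force reset
    ufw default deny incoming                 # drops unsolicited TCP and UDP alike
    ufw default allow outgoing
    # only the admin host may reach SSH; add further "allow from" lines per IP
    ufw allow from "$ADMIN_IP" to any port 22 proto tcp
    ufw --force enable
    ufw status verbose
}

# Run only when asked, so the functions can be sourced or tested on their own.
if [ "${FW_RUN:-0}" = 1 ]; then
    harden_sshd
    apply_firewall
fi
```

Usage: `FW_RUN=1 ADMIN_IP=203.0.113.10 sh firewall-sshd.sh`, from a session that already comes from the admin address, and keep that session open until you have confirmed a fresh SSH login works. `ufw default deny incoming` already covers the "block all UDP" advice for unsolicited traffic; only add `ufw allow ... proto udp` rules for services you really run.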