
Chapter 5: Server Hardening

Warning

This is not a security guarantee. This is damage reduction. You are responsible for your own infrastructure. These configurations will break things. Test before production. No support provided.

SSH Hardening

Disable root login and password authentication

# Edit /etc/ssh/sshd_config. Files in /etc/ssh/sshd_config.d/ are included
# before this file and the first value seen for an option wins, so check that
# directory too (cloud images often ship a *.conf with PasswordAuthentication yes).
PermitRootLogin no
PasswordAuthentication no
# also close the PAM keyboard-interactive password path
# (the option is called ChallengeResponseAuthentication on OpenSSH older than 8.7)
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# "Protocol 2" is obsolete: OpenSSH 7.6 and newer only speak protocol 2 and warn if it is set
Port 2222
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
# replace with your login; make sure its ~/.ssh/authorized_keys holds your key before you restart
AllowUsers yourusername

Restart SSH service (keep your current session open and test a fresh login before you close it)

sudo systemctl restart sshd

or, on Debian/Ubuntu where the unit is called ssh:

sudo systemctl restart ssh.service

On Ubuntu 22.10 and later sshd is socket-activated; after changing Port also run sudo systemctl daemon-reload followed by sudo systemctl restart ssh.socket, otherwise the listener stays on port 22.

Validation

sudo sshd -t
# sshd -T prints the effective configuration including sshd_config.d overrides; grepping sshd_config alone misses them
sudo sshd -T | grep -iE "^(permitrootlogin|passwordauthentication|port|allowusers) "

Secure Shared Memory

fstab Hardening:

Add this line to /etc/fstab (on current Debian/Ubuntu /run/shm is a symlink to /dev/shm, so mount /dev/shm; nodev additionally refuses device nodes there):

        tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0

Apply it without a reboot and confirm the options took effect:

        sudo mount -o remount /dev/shm
        findmnt -o TARGET,OPTIONS /dev/shm

This prevents execution of code from shared memory and ignores set-user-ID and set-group-ID bits on files stored there. Some applications expect an executable /dev/shm, so test before relying on it.

Kernel Security (sysctl)

Harden the Linux kernel by configuring sysctl parameters. You can add them directly to /etc/sysctl.conf or, preferably, create /etc/sysctl.d/99-security.conf and put the rules there. The validation command below names the parameters to cover: reverse-path filtering, ICMP redirects, source routing, martian logging, broadcast ping and SYN cookies; leave IP forwarding off unless the host is a router or runs containers.

Apply settings

sudo sysctl -p /etc/sysctl.d/99-security.conf

Validation

sudo sysctl -a 2>/dev/null | grep -E "rp_filter|accept_redirects|send_redirects|accept_source_route|log_martians|icmp_echo_ignore|tcp_syncookies|ip_forward"
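
The section above never lists the rules themselves. Below is an added example (mine, not the guide's): a POSIX sh snippet holding the sysctl keys the validation grep looks for, with conventional hardened values, plus an audit function that diffs a `sysctl -a` dump against them and reports every missing or deviating key. The values, the file name and the sample dump are assumptions or constructed data, not taken from a real host; rp_filter=1 and ip_forward=0 will break hosts that route or run containers, so adjust before applying.

```bash
#!/bin/sh
# Added example, not part of the original guide. Expected sysctl values are an
# assumption (conventional hardening defaults); the sample dump is constructed.

# Expected key=value pairs; this is also the content for /etc/sysctl.d/99-security.conf
expected_sysctl() {
cat <<'EOF'
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=0
EOF
}

# audit_sysctl <dumpfile>: <dumpfile> holds "key = value" lines as printed by
# `sysctl -a`. Prints one line per missing or mismatched key; returns 1 if any.
audit_sysctl() {
    dump=$1
    rc=0
    for pair in $(expected_sysctl); do
        key=${pair%%=*}
        want=${pair#*=}
        # sysctl -a prints "key = value": field 1 is the key, field 3 the value
        have=$(awk -v k="$key" '$1 == k { print $3 }' "$dump")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample dump: a host that forwards, accepts redirects on all
# interfaces, and has no log_martians key at all (three findings expected).
sample_dump() {
    f=$(mktemp)
    expected_sysctl | sed 's/=/ = /' \
        | sed -e 's/^net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' \
              -e 's/^net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 1/' \
              -e '/log_martians/d' > "$f"
    echo "$f"
}

# Usage on a real host:
#   expected_sysctl | sudo tee /etc/sysctl.d/99-security.conf >/dev/null && sudo sysctl --system
#   sysctl -a 2>/dev/null > /tmp/sysctl.dump && audit_sysctl /tmp/sysctl.dump
f=$(sample_dump)
if audit_sysctl "$f"; then echo "sysctl: OK"; else echo "sysctl: see findings above"; fi
rm -f "$f"
```

The audit reads a saved dump rather than calling sysctl itself so it can run against output collected from another machine (or from a container where /proc/sys is read-only).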

User Privileges and sudo

# Only allow specific users to use sudo (visudo syntax-checks the file before saving it)
sudo visudo

Then add an entry like this to the file (preferably at the very bottom, or as its own file in /etc/sudoers.d/):

# Only allow your user(s)
yourusername ALL=(ALL:ALL) ALL

If necessary, also take sudo away from other groups (e.g. wheel or the sudo group). On Debian/Ubuntu the default line %sudo ALL=(ALL:ALL) ALL grants every member of the sudo group full access, so either remove users from that group or comment the line out. Keep a root shell open while you do this so a mistake cannot lock you out:

sudo deluser <username> sudo

Validation

sudo -l
getent group sudo

Disable unused accounts

# First check what accounts exist and their purpose (anchor the names so that
# "bin" does not match every account containing that string)
grep -E "^(nobody|daemon|bin|sys|sync|games|man|lp|mail|news|uucp|proxy|www-data|backup|list|irc):" /etc/passwd

# Only disable accounts you actually don't need. -L locks the password,
# -s replaces the shell; /usr/sbin/nologin prints a message, /bin/false stays silent.
# Common candidates for most setups:
sudo usermod -L -s /bin/false games
sudo usermod -L -s /bin/false news
sudo usermod -L -s /bin/false uucp
sudo usermod -L -s /bin/false irc

# CAREFUL - these might be needed depending on your services:
# www-data (web server - DO NOT disable if running Apache/Nginx)
# mail (mail services)
# proxy (proxy services)
# backup (backup scripts)
# nobody (some services use this)
# daemon (system services)

Validation

grep -E "^(nobody|daemon|bin|sys|sync|games|man|lp|mail|news|uucp|proxy|www-data|backup|list|irc):" /etc/passwd
sudo -l
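
The grep above only shows a fixed list of names. As an added example (mine, not from the guide), here is a check for the verification point later in this chapter, "if daemon users have login shells, you failed": it scans an /etc/passwd-format file for system accounts (UID below 1000, the Debian default for UID_MIN, which is an assumption for other distributions) whose shell is interactive. The sample passwd content is constructed, not copied from a real host.

```bash
#!/bin/sh
# Added example, not part of the original guide. The UID < 1000 boundary is
# the Debian/Ubuntu default (check UID_MIN in /etc/login.defs elsewhere);
# the sample passwd file below is constructed.

# audit_system_shells <passwdfile>
# Prints "user:uid:shell" for each system account whose shell is not a
# non-login shell (nologin, false, or /bin/sync for the sync user). Returns 1
# when at least one such account exists, 0 otherwise. root is skipped: it is
# expected to have a real shell; PermitRootLogin no and sudo govern its use.
audit_system_shells() {
    awk -F: '
        $3 < 1000 && $1 != "root" && $7 !~ /\/(nologin|false|sync)$/ {
            print $1 ":" $3 ":" $7
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample: games and irc still have /bin/sh, backup has bash;
# everything else is already locked down.
sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
irc:x:39:39:ircd:/run/ircd:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
yourusername:x:1000:1000::/home/yourusername:/bin/bash
EOF
    echo "$f"
}

# Usage on a real host:   audit_system_shells /etc/passwd
# Fix each finding with:  sudo usermod -L -s /usr/sbin/nologin <user>
f=$(sample_passwd)
if audit_system_shells "$f"; then
    echo "no system account has a login shell"
fi
rm -f "$f"
```

On the sample this reports games, irc and backup and exits non-zero, so it can sit in a cron job or CI check and fail loudly when a package upgrade reintroduces a shell.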

Firewall Configuration

If you've already configured your firewall rules according to this guide, you do not need to rewrite them. Refer to the Basic Firewall Rules (UFW) for Local & Secure Server Setups for the recommended setup.

UFW Basic Setup for Public Servers

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Advanced iptables rules

# These rules are not persistent across reboots (use iptables-persistent or
# ufw's /etc/ufw/before.rules) and are appended behind ufw's own chains, so
# packets ufw already accepted never reach them. For SSH rate limiting ufw has
# a built-in equivalent: sudo ufw limit 2222/tcp (blocks a source after 6 new
# connections within 30 seconds).

# Drop invalid packets (conntrack is the current form of the legacy state match)
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Rate limit SSH connections: the 4th new connection from one source within 60 s is dropped
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

# Log, then drop, whatever reaches the end of INPUT. LOG does not drop by
# itself, so without the final DROP the "DROPPED:" prefix would be misleading;
# the limit match keeps a flood from filling /var/log.
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROPPED: "
sudo iptables -A INPUT -j DROP

Validation

sudo ufw status verbose
sudo iptables -L -n -v

Apache Security

Edit /etc/apache2/conf-available/security.conf (the Header directives need mod_headers, enabled below)

# Hide version information
ServerTokens Prod
ServerSignature Off

# Basic security headers

Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
# X-XSS-Protection is a legacy header that current browsers ignore; it does no harm here
Header always set X-XSS-Protection "1; mode=block"
# Browsers ignore HSTS received over plain HTTP, so set it in the HTTPS vhost;
# includeSubDomains commits every subdomain to HTTPS, so be sure that is what you want
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"


# Disable server status: run sudo a2dismod status so /server-status is not served at all

Enable security configuration

sudo a2enmod headers
sudo a2enconf security
sudo apache2ctl configtest && sudo systemctl reload apache2

Hide sensitive files

# Add to .htaccess or apache config. FilesMatch is the current spelling of
# <Files ~ "...">; Debian's apache2.conf already denies ^\.ht, this extends
# it to every dotfile (.git, .env, .htpasswd, ...).
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

<FilesMatch "(\.bak|\.config|\.sql|\.log)$">
    Require all denied
</FilesMatch>

Validation

curl -sI http://127.0.0.1 | grep -iE "^(Server|X-|Strict-Transport-Security)"
# HSTS only appears on the HTTPS vhost; -k skips certificate checks for a self-signed test cert
curl -skI https://127.0.0.1 | grep -iE "^(Server|X-|Strict-Transport-Security)"
sudo apache2ctl -t
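
Eyeballing curl output works once; for repeatable checks, here is an added example (mine, not the guide's) that parses a raw HTTP response such as `curl -sI` prints and reports a Server header that leaks more than "Apache" or a missing security header from the list configured above. The sample responses are constructed; the rule that Strict-Transport-Security is only required over HTTPS reflects that browsers ignore HSTS on plain HTTP.

```bash
#!/bin/sh
# Added example, not part of the original guide. The required-header list is
# the one from the security.conf above; the sample responses are constructed.

# audit_headers <responsefile> [http|https]
# Returns 1 with one finding per line if the Server header exposes more than
# "Apache" or a required header is absent. Strict-Transport-Security is only
# required when the response came over TLS (second argument "https").
audit_headers() {
    resp=$1
    scheme=${2:-http}
    rc=0
    # header names are case-insensitive; strip CRs so values compare cleanly
    hdrs=$(tr -d '\r' < "$resp" | tr '[:upper:]' '[:lower:]')
    server=$(printf '%s\n' "$hdrs" | awk -F': ' '$1 == "server" { print $2 }')
    case "$server" in
        ""|apache) ;;
        *) echo "LEAK Server: $server (want ServerTokens Prod)"; rc=1 ;;
    esac
    required="x-content-type-options x-frame-options"
    [ "$scheme" = "https" ] && required="$required strict-transport-security"
    for h in $required; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || { echo "MISSING $h"; rc=1; }
    done
    return $rc
}

# Constructed sample: default Ubuntu Apache with a version leak and no X-Frame-Options
sample_response() {
    f=$(mktemp)
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Ubuntu)\r\nX-Content-Type-Options: nosniff\r\nContent-Type: text/html\r\n\r\n' > "$f"
    echo "$f"
}

# Usage on a real host:
#   curl -sI https://your.host -o /tmp/h && audit_headers /tmp/h https
f=$(sample_response)
if audit_headers "$f" http; then echo "headers: OK"; fi
rm -f "$f"
```

Run it against every vhost and both schemes: a header set only in the default vhost is a common way for a second site on the same box to ship without them.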

Advanced security tips (be careful!)

Logging and Monitoring

Configure rsyslog

# Edit /etc/rsyslog.conf. These selectors use the classic RHEL file layout; on
# Debian/Ubuntu /etc/rsyslog.d/50-default.conf already sends auth,authpriv.* to
# /var/log/auth.log, which the fail2ban jail below reads, so pick one layout and
# point logrotate and fail2ban at the same files.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      /var/log/maillog
cron.*                                      /var/log/cron
# emergencies to every logged-in user ("*.emerg *" is the deprecated spelling of this)
*.emerg                                     :omusrmsg:*
# for actual centralized logging, also forward everything over TCP to a collector
# *.* @@loghost.example.com:514

Set up logrotate

# Create /etc/logrotate.d/security
/var/log/secure {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 0600 root root
}

Basic intrusion detection

# Install fail2ban
sudo apt install fail2ban

# Create /etc/fail2ban/jail.local (never edit jail.conf, it is replaced on upgrade).
# On Debian 12 / Ubuntu 24.04 without rsyslog there is no /var/log/auth.log; in
# that case set backend = systemd in the [sshd] jail so it reads the journal.
[sshd]
enabled = true
# must match the Port set in sshd_config
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

[apache-auth]
enabled = true
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3
bantime = 3600

Validation

sudo systemctl status rsyslog
sudo systemctl status fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
sudo tail -f /var/log/auth.log
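
Tailing auth.log shows single events; what you actually want to know is which sources are hammering the box, which is the number fail2ban acts on. Below is an added example (mine, not the guide's) that aggregates SSH authentication failures per source IP from auth.log-style lines. With PasswordAuthentication off, brute-force attempts no longer produce "Failed password" lines, so the filter also counts "Invalid user" and pre-auth disconnects. The log lines are constructed, not from a real host; the default threshold of 3 mirrors the maxretry above.

```bash
#!/bin/sh
# Added example, not part of the original guide. Sample log lines are
# constructed in the Debian auth.log format; `journalctl -u ssh -o short`
# produces the same line shape on journal-only hosts.

# failed_ssh_by_ip <logfile> [threshold]
# Prints "count ip" for each source with at least <threshold> (default 3)
# failures, highest first. Returns 1 if any source crossed the threshold.
failed_ssh_by_ip() {
    log=$1
    threshold=${2:-3}
    out=$(awk -v t="$threshold" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user|Connection closed by (invalid|authenticating) user)/ {
            # in all three message shapes the source address is the token right before "port"
            for (i = 2; i <= NF; i++) if ($i == "port") { n[$(i-1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$log" | sort -rn)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: one source with 3 failures, one with 2 pre-auth
# disconnects, one legitimate typo, one successful key login, one cron line.
sample_authlog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jan 12 03:14:07 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:09 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:11 host sshd[1236]: Invalid user oracle from 203.0.113.5 port 51240
Jan 12 03:15:02 host sshd[1240]: Connection closed by authenticating user root 198.51.100.7 port 40022 [preauth]
Jan 12 03:15:05 host sshd[1241]: Connection closed by invalid user test 198.51.100.7 port 40030 [preauth]
Jan 12 03:15:30 host sshd[1244]: Failed password for yourusername from 192.0.2.9 port 42000 ssh2
Jan 12 03:16:00 host sshd[1250]: Accepted publickey for yourusername from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
Jan 12 03:17:01 host CRON[1260]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
EOF
    echo "$f"
}

# Usage on a real host:   sudo failed_ssh_by_ip /var/log/auth.log 3
f=$(sample_authlog)
if failed_ssh_by_ip "$f"; then echo "no source above threshold"; fi
rm -f "$f"
```

On the sample only 203.0.113.5 reaches three failures; the two pre-auth disconnects from 198.51.100.7 only show up if you lower the threshold to 2, which is a reasonable setting once password authentication is off and every failure is a key or username probe.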

File System Security

Set proper permissions

# /etc/passwd must stay world-readable; /etc/shadow must not be readable by "other".
# Keep the distro default for shadow (Debian/Ubuntu: 0640 root:shadow, read through
# the setgid helper unix_chkpwd; RHEL: 0000 root:root) and only strip world access.
sudo chmod 644 /etc/passwd
sudo chmod o-rwx /etc/shadow

# Secure SSH keys (your own files, no sudo needed; private keys must be 600 as well)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

# Secure web directories: owned by root, readable by the web server user.
# Do not chown the whole tree to www-data: a compromised web process could then
# rewrite the site. Give www-data write access only where it needs it (uploads, cache).
sudo chown -R root:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 755 {} +
sudo find /var/www/html -type f -exec chmod 644 {} +

Remove unnecessary packages

sudo apt autoremove
sudo apt purge telnet ftp rsh-client rsh-redone-client

Validation

ls -l /etc/passwd /etc/shadow
ls -la ~/.ssh/
sudo find /var/www -printf '%m %u:%g %p\n'

Network Security

Disable unused services

# disable --now stops the unit and removes it from boot. Also disable the
# socket and path units, otherwise systemd re-activates cups and avahi on the
# first connection (cups-browsed, if installed, needs the same treatment).
sudo systemctl disable --now cups.service cups.socket cups.path
sudo systemctl disable --now avahi-daemon.service avahi-daemon.socket
sudo systemctl disable --now bluetooth.service

Check listening ports

# ss replaces netstat (net-tools is no longer installed by default). Do not pipe
# to grep LISTEN: UDP sockets show up as UNCONN and would vanish from the output.
sudo ss -tulpn

Validation

sudo systemctl list-units --type=service --state=running
# -sS/-O need root; scanning localhost also lists services bound to 127.0.0.1
# only, so scan the public address from another machine as well
sudo nmap -sS -O 127.0.0.1

Manual Verification Points

Open your SSH config. If you find PermitRootLogin yes, you failed.

Check your firewall. If you see Status: inactive, you failed.

Review your Apache headers. If you see full version information, you failed.

Examine your user accounts. If daemon users have login shells, you failed.

Check your kernel parameters. If IP forwarding is enabled without purpose, you failed.

Review your log files. If they are not being rotated, you failed.

Final validation command

# Run this comprehensive check
echo "=== SSH Config ==="
sudo sshd -T | grep -iE "^(permitrootlogin|passwordauthentication|port) "

echo "=== Firewall Status ==="
sudo ufw status

echo "=== Listening Services ==="
sudo ss -tulpn

echo "=== Failed Login Attempts ==="
# with password auth off, attempts appear as "Invalid user" and pre-auth disconnects
# rather than "Failed password"; on journal-only hosts grep sudo journalctl -u ssh instead
sudo grep -E "Failed password|Invalid user|Connection closed by (invalid|authenticating) user" /var/log/auth.log | tail -5

echo "=== System Updates ==="
apt list --upgradable 2>/dev/null

🏁 You made it!

Thanks for surviving this beautifully chaotic tutorial.
If you learned something, laughed once, or just feel 2% smarter — drop a ⭐.

If you’re planning to fork it, test it, break it — even better.

Remember:
You are not secure. You are just less vulnerable than yesterday.

🤖 Special thanks

Big shoutout to all the AIs who helped debug, sort data, and keep me (mostly) sane during this ride —
even when they occasionally dumped more output than the poor server could handle.
Still, without you: this repo would be half the madness it is now. Respect.

☕ Wanna say thanks?

If you ever get rich:
Three coffees would be cool.
If not — respect. We're in the same Batboat.

Volkan S. Kücükbudak