
    What is the recommended configuration for a Linux server?

    How to lock down a Linux server and run the web server as a low-privileged user.

    Overview

    Every Linux server is locked down as tightly as possible: all services are off by default and all ports are closed, and only the services that are actually required are started.

    To lock down a server:

    Install only the required packages

    sudo add-apt-repository ppa:webupd8team/java
    sudo apt-get update
    sudo apt-get install openssh-server denyhosts vim oracle-java7-installer postgresql landscape-client htop lynx-cur

    Every installed package is code that has to be patched and, if it starts a service, another listener to defend, so install nothing beyond what the server needs. Note that Oracle Java 7 has reached end of life and the webupd8team PPA that packaged it has been discontinued; on a current installation use a supported JDK (for example the distribution's openjdk packages) instead.

    Firewall: close all ports and open only those that are required. This reduces the attack surface.

    Ubuntu has a simple firewall configuration tool called ufw, which is really just a simplified front end to iptables. Its default policy already denies all incoming traffic and allows outgoing traffic, so only the services this host actually offers need to be opened (drop the imap line unless the host really runs an IMAP server):

    sudo ufw allow ssh
    sudo ufw allow imap
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw disable
    sudo ufw enable

    Disabling and re-enabling ufw reloads the rule set. Allow ssh before enabling the firewall on a remote machine, or you will lock yourself out.

    The web server will not run as root, so it cannot bind the privileged ports 80 (http) and 443 (https) itself: only root, or a process holding CAP_NET_BIND_SERVICE, may bind ports below 1024. Instead, redirect 80 and 443 to a pair of unprivileged ports (here 8080 and 8443) that the low-privilege user can bind. The redirection is done by the following iptables rules in the nat table (iptables-save format, i.e. they belong in the *nat section of a rules file such as /etc/ufw/before.rules so that they survive a reboot):

    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

    Two caveats. The filter chains see the packet after translation, so the firewall must allow 8080 and 8443 as well, not just 80 and 443. And PREROUTING only sees traffic arriving from the network: connections made from the server itself to localhost:80 are not redirected unless an equivalent rule is added to the OUTPUT chain of the nat table.

    Create a low-privilege user to run the web server

    Never run the web server or any custom application code as root or any other privileged user. A security flaw in the web server or in your own code executes with exactly the privileges of the account that runs the web server, so that account should own nothing it does not need.

    sudo groupadd -f www-data
    sudo useradd -g www-data -m -s /bin/bash webapps

    (groupadd -f succeeds even if the group already exists; Ubuntu ships a www-data group by default.)

    Prevent direct access to functional accounts, including root

    Never allow direct SSH access to the root account or to any other functional account such as webapps. Each administrator who needs these accounts must log in under their own user account and then sudo to the correct functional account, so that every privileged action is tied to a named person.

    To block all SSH access to root, set the option "PermitRootLogin no" in /etc/ssh/sshd_config:

    sudo vi /etc/ssh/sshd_config <--- PermitRootLogin no

    sshd uses the first value it finds for a keyword, so make sure no earlier "PermitRootLogin" line in the file (Ubuntu's stock file may carry one) overrides the setting, then restart the SSH service for the change to take effect.

    Increase the file handles for the user that runs the web server

    A web server under a DoS attack, or serving a large number of slow clients, holds one open file descriptor per connection; the usual default limit of 1024 per process is exhausted quickly, after which new connections are refused. Raising the limit does not stop an attack, but it lets the server keep serving legitimate clients for longer.

    Set the system-wide maximum number of file handles:

    sudo vi /etc/sysctl.conf 

    fs.file-max=65535

    Raise the per-process open-file limit for the www-data group, to which the low-privilege user 'webapps' belongs:

    sudo vi /etc/security/limits.conf

    @www-data          soft     nofile         65535
    @www-data          hard     nofile        65535

    These limits are applied by pam_limits when a session is opened, so they take effect at the next login (or after a reboot). A web server started by systemd rather than from a login shell does not pass through PAM and needs LimitNOFILE= in its unit file instead. Check that the limit has been raised for the webapps user:

    sudo -u webapps -i "ulimit -a" 

    core file size (blocks, -c) 0
    data seg size (kbytes, -d) unlimited
    scheduling priority (-e) 0
    file size (blocks, -f) unlimited
    pending signals (-i) 386171
    max locked memory (kbytes, -l) 64
    max memory size (kbytes, -m) unlimited
    open files (-n) 65535
    pipe size (512 bytes, -p) 8
    POSIX message queues (bytes, -q) 819200
    real-time priority (-r) 0
    stack size (kbytes, -s) 8192
    cpu time (seconds, -t) unlimited
    max user processes (-u) 386171
    virtual memory (kbytes, -v) unlimited
    file locks (-x) unlimited
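    The steps above are simple to apply but easy to get subtly wrong: an appended PermitRootLogin line that an earlier line silently overrides, a sysctl value that was never written, or a limits entry for the wrong domain. The following audit script is an added example and is not part of the original article or of stSoftware's own tooling. It reads the three files edited above and checks the effective PermitRootLogin value (using sshd's first-match rule and ignoring conditional Match blocks), fs.file-max, and the soft and hard nofile limits for @www-data against the values recommended here. The function names are the example's own; the fallback default of "prohibit-password" assumes OpenSSH 7.0 or later (older releases defaulted to "yes"). On a live system the same effective value can be confirmed with sshd -T.

```sh
#!/bin/sh
# Added example, not from the original article: audit the file-based lock-down
# settings described above. Each function takes the file to inspect as an argument,
# so it can be run against the live /etc files (as root) or against copies.
# Usage: sh audit_lockdown.sh /etc/ssh/sshd_config /etc/sysctl.conf /etc/security/limits.conf
set -u

# Effective PermitRootLogin value. sshd keeps the FIRST value it sees for a keyword
# (sshd_config(5)), so a "PermitRootLogin no" appended at the end of the file is
# silently ignored when an earlier line already sets it. Lines inside a Match block
# are conditional and are not considered. When the keyword is absent the OpenSSH
# default applies: "prohibit-password" for OpenSSH 7.0 and later (an assumption
# about the installed version; older releases defaulted to "yes").
sshd_permit_root_login() {   # $1 = path to sshd_config
    local v
    v=$(awk '
        /^[ \t]*(#|$)/                    { next }   # skip comments and blank lines
        tolower($1) == "match"            { exit }   # stop at the first Match block
        tolower($1) == "permitrootlogin"  { print $2; exit }
    ' "$1")
    printf '%s\n' "${v:-prohibit-password}"
}

# fs.file-max as set in a sysctl file. sysctl -p applies lines in order, so the last
# assignment wins when the key is repeated. Prints nothing when the key is absent.
sysctl_file_max() {          # $1 = path to sysctl.conf
    awk -F'=' '
        /^[ \t]*(#|$)/ { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "fs.file-max" { v = $2 }
        END { if (v != "") print v }
    ' "$1"
}

# nofile limit for one limits.conf domain (e.g. "@www-data") and type (soft|hard).
# Prints the last matching entry, or nothing when there is none.
limits_nofile() {            # $1 = path to limits.conf, $2 = domain, $3 = soft|hard
    awk -v d="$2" -v t="$3" '
        /^[ \t]*(#|$)/ { next }
        $1 == d && $2 == t && $3 == "nofile" { v = $4 }
        END { if (v != "") print v }
    ' "$1"
}

# Compare the three settings with the values recommended above. Prints one PASS/FAIL
# line per check and returns 0 only when every check passes.
audit_lockdown() {           # $1 = sshd_config, $2 = sysctl.conf, $3 = limits.conf
    local rc prl fm soft hard
    rc=0
    prl=$(sshd_permit_root_login "$1")
    fm=$(sysctl_file_max "$2")
    soft=$(limits_nofile "$3" "@www-data" soft)
    hard=$(limits_nofile "$3" "@www-data" hard)

    if [ "$prl" = "no" ]; then
        echo "PASS PermitRootLogin is '$prl'"
    else
        echo "FAIL PermitRootLogin is '$prl' (first match wins; look for an earlier line)"
        rc=1
    fi
    if [ "${fm:-0}" -ge 65535 ] 2>/dev/null; then
        echo "PASS fs.file-max=$fm"
    else
        echo "FAIL fs.file-max=${fm:-unset} (want >= 65535)"
        rc=1
    fi
    if [ "${soft:-0}" -ge 65535 ] 2>/dev/null && [ "${hard:-0}" -ge 65535 ] 2>/dev/null; then
        echo "PASS @www-data nofile soft=$soft hard=$hard"
    else
        echo "FAIL @www-data nofile soft=${soft:-unset} hard=${hard:-unset} (want >= 65535)"
        rc=1
    fi
    return "$rc"
}

# Run the audit when invoked with the three files; sourcing the script only defines the functions.
if [ "$#" -eq 3 ]; then
    audit_lockdown "$1" "$2" "$3"
fi
```

    The script exits non-zero when any check fails, so it can be run from a configuration-management post-step or a cron job to catch drift. It deliberately reads the files rather than the running daemon, so it can also be pointed at a staged copy of the configuration before it is deployed.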