Based on CIS and my experience
Contents
SSHD Settings
# /etc/ssh/sshd_config
PermitRootLogin no
Port 1022
$ service ssh reload
Limit Access to SU cmd
$ dpkg-statoverride --update --add root sudo 4750 /bin/su
Network Security Systcl
# /etc/sysctl.d/10-network-security.conf
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
$ service procps start
Firewall with UFW
# install packegs
$ apt-get install ufw
$ ufw status verbose
$ ufw default allow incoming
$ ufw default allow outgoing
$ ufw enable
# add rules
$ ufw allow ssh
$ ufw allow 1022/tcp
$ ufw allow from 192.168.1.1
$ ufw allow 80/tcp
$ ufw default deny incoming
# resetting all rules to defauls
$ ufw reset
PHP Settings
# /etc/php5/apache2/php.ini
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,allow_url_fopen
expose_php = off
display_errors = off
track_errors = off
html_errors = off
Apache Settings
# /etc/apache2/conf-enabled/security.conf
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
FileETag None
$ a2enmod headers
$ service apache2 restart
Install Apache ModSecurity
# http://habrahabr.ru/post/228339/
$ apt-get install libapache2-mod-security2
$ mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
# /etc/modsecurity/modsecurity.conf
SecRuleEngine On
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000
# Install OWASP ModSecurity Core Rule Set
$ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/owasp-modsecurity/
$ mv /etc/owasp-modsecurity/modsecurity_crs_10_setup.conf.example /etc/owasp-modsecurity/modsecurity_crs_10_setup.conf
ls /etc/owasp-modsecurity/base_rules | xargs -I {} ln -s /etc/owasp-modsecurity/base_rules/{} /etc/modsecurity/activated_rules/{}
ls /etc/owasp-modsecurity/optional_rules | xargs -I {} ln -s /etc/owasp-modsecurity/optional_rules/{} /etc/modsecurity/activated_rules/{}
# /etc/apache2/mods-available/owasp-modsecurity.conf
Include "/etc/owasp-modsecurity/activated_rules/*.conf"
$ service apache2 restart
Install Apache ModEvasive
$ apt-get install libapache2-mod-evasive
$ mkdir /var/log/mod_evasive
$ chown www-data:www-data /var/log/mod_evasive
# /etc/apache2/mods-available/evasive.conf
DOSSystemCommand
DOSEmailNotify admin@domain.com
DOSWhitelist 111.111.111.111
DOSPageCount 20
DOSSiteCount 100
DOSBlockingPeriod 300
$ a2enmod mod-evasive
# for test
$ perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
Install Rootkit Checkers
$ apt-get install rkhunter chkrootkit
# /etc/chkrootkit.conf
RUN_DAILY="true"
# /etc/default/rkhunter
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
$ mv /etc/cron.weekly/rkhunter /etc/cron.weekly/rkhunter_update
$ mv /etc/cron.daily/rkhunter /etc/cron.weekly/rkhunter_run
$ mv /etc/cron.daily/chkrootkit /etc/cron.weekly/
Install Logwatch
$ apt-get install logwatch
$ mv /etc/cron.daily/00logwatch /etc/cron.weekly/
# /etc/cron.weekly/00logwatch
/usr/sbin/logwatch --output mail --range 'between -7 days and -1 days'
Automatic Security Updates
# ONLY if you really know what you are doing
$ dpkg-reconfigure -plow unattended-upgrades
Process Accounting
$ apt-get install acct
$ touch /var/log/wtmp
# /etc/cron.weekly/acct-report
#!/bin/bash
echo "USERS' CONNECT TIMES"
echo ""
ac -d -p
echo ""
echo "COMMANDS BY USER"
echo ""
users=$(cat /etc/passwd | awk -F ':' '{print $1}' | sort)
for user in $users ; do
comm=$(lastcomm --user $user | awk '{print $1}' | sort | uniq -c | sort -nr)
if [ "$comm" ] ; then
echo "$user:"
echo "$comm"
fi
done
echo ""
echo "COMMANDS BY FREQUENCY OF EXECUTION"
echo ""
sa | awk '{print $1, $6}' | sort -n | head -n -1 | sort -nr