• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • Create a VM ($25 Credit)
  • Buy a Domain
  • 1 Month free Back Blaze Backup
  • Other Deals
    • Domain Email
    • Nixstats Server Monitoring
    • ewww.io Auto WordPress Image Resizing and Acceleration
  • About
  • Links

IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

  • Cloud
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.
    • Setting up a Vultr VM and configuring it
    • All Cloud Articles
  • Dev
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to setup pooled MySQL connections in Node JS that don’t disconnect
    • NodeJS code to handle App logins via API (using MySQL connection pools (1000 connections) and query parameters)
    • Infographic: So you have an idea for an app
    • All Development Articles
  • MySQL
    • Using the free Adminer GUI for MySQL on your website
    • All MySQL Articles
  • Perf
    • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Measuring VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 1 of 4
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap
    • All Performance Articles
  • Sec
    • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
    • Using OWASP ZAP GUI to scan your Applications for security issues
    • Setting up the Debian Kali Linux distro to perform penetration testing of your systems
    • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
    • PHP implementation to check a password exposure level with Troy Hunt’s pwnedpasswords API
    • Setting strong SSL cryptographic protocols and ciphers on Ubuntu and NGINX
    • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
    • All Security Articles
  • Server
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All Server Articles
  • Ubuntu
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Useful Linux Terminal Commands
    • All Ubuntu Articles
  • VM
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All VM Articles
  • WordPress
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
    • How to backup WordPress on a host that has CPanel
    • Moving WordPress to a new self managed server away from CPanel
    • Moving a CPanel domain with email to a self managed VPS and Gmail
    • All WordPress Articles
  • All

Weakness

I thought my website was hacked. Here is how I hardened my Linux servers security with Lynis Enterprise

October 24, 2020 by Simon

Disclaimer

I have waited a year before posting this, and I have tried my best to hide the bank’s identity as I never got a good explanation back from them about they the were whitelisting my website.

Background

I was casually reading Twitter one evening and found references to an awesome service (https://publicwww.com/) that allows you to find string references in CSS, JS, CSP etc files on websites.

Search engine that searches the web for the source code of the sites, not the content of them: https://t.co/G7oYQZ4Cbp

— @mikko (@mikko) March 8, 2018

https://t.co/DUyxFD4QbV is one of my new favorite search tools. Finally I can search for html/css/js and see which websites are using it. Really powerful when you think of the right searches…

— Allan Thraen (@athraen) April 26, 2019

See how people are using the publicwww service on Twitter.

I searched https://publicwww.com/ for “https://fearby.com“. I was expecting to only see only resources that were loading from my site.

I was shocked to see a bank in Asia was whistling my website and my websites CDN (hosted via ewww.io) in it’s Content Security Policy.

Screenshot of publicwww.com scan of "fearby.com

I was not hosting content for a bank and they should not be whitelisting my site?

Were they hacked? Was I hacked and delivering malware to their customers? Setting up a Content Security Policy (CSP) is not a trivial thing to do and I would suggest you check out https://report-uri.com/products/content_security_policy (by Scott Helme) for more information on setting up a good Content Security Policy (CSP).

Were we both hacked or was I serving malicious content?

Hacked Koala meme

I have written a few blog posts on creating Content Security Policies, and maybe they did copy my starter Content Security Policy and added it to their site?

I do have a lot of blog readers from their country.

Analytics map of Asia

I went to https://www.securityheaders.com and scanned their site and yes they have whitelisted my website and CDN. This was being sent in a header from their server to any connecting client.

I quickly double-checked the banks Content Security Policy (CSP) with https://cspvalidator.org/ and they too confirmed the bank was telling their customers that my website was ok to load files from.

I would not be worried if a florist’s website had white-listed my website but a bank that has 250 physical branches, 2,500 employees in a country that has 29 million people.

Below is the banks Content Security Policy.

https://cspvalidator.org/ screenshot of the banks csp

I thought I had been hacked into so I downloaded my Nginx log files (with MobaXTerm,) and scanned them for hits to my site from their website.

Screenshot of a years nginx logs.

After I scanned the logs I could see that I had zero traffic from their website

I sent a direct message to Scott Helme on Twitter (CSP Guru) and he replied with advice on the CSP.

Blocking Traffic

As a precaution, I edited my /etc/nginx/sites-available/default file and added this to block all traffic from their site.

if ($http_referer ~* "##########\.com") {
        return 404;
}

I tested and reloaded my Nginx config and restarted my web server

nginx -t
nginx -s reload
/etc/init.d/nginx restart

I also emailed my website CDN’s admin at https://ewww.io/ and asked them to block traffic from the bank as a precaution. They responded quickly as said this was done and they enabled extra logging in case more information was needed data.

If you need a good and fast WordPress Content Delivery Network (CDN) check out https://ewww.io/. They are awesome. Read my old review of ewww.io here.

I contacted the Bank

I searched the bank’s website for a way to contact them, their website was slow, their contact page was limited, they have a chat feature but I needed to log in with FaceBook (I don’t use FaceBook)

I viewed their contact us web page and they had zero dedicated security contacts listed. The CIO was only contactable via phone only.

They did not have a security.txt file on their website.

http://www.bankdomain.com/.well-known/security.txt file not found

TIP: If you run a website, please consider creating a security.txt file, information here.

I then viewed their contact us page and emailed everyone I could.

I asked if they could..

  • Check their logs for malicious files loaded from my site
  • Please remove the references to my website and CDN from their CSP.
  • Hinted they may want to review your CI/CD logs to see why this happened

My Server Hardening (to date)

My website was already hardened but was my site compromised?

Hardening actions to date..

  • Using a VPS firewall, Linux firewall 2x software firewalls
  • I have used the free Lynis Scan
  • Whitelisting access to port 22 to limited IP’s
  • Using hardware 2FA keys on SSH and WordPress Logins
  • Using the WordFence Security Plugin
  • Locked down unwanted ports.
  • I had a strong HTTPS certificate and website configuration (test here)
  • I have set up appropriate security headers (test here). I did need to re-setup a Content Security Policy (keep reading)
  • Performed many actions (some blogged a while ago) here: https://fearby.com/article/securing-ubuntu-cloud/
  • etc

I had used the free version of Lynis before but now is the time to use the Lynis Enterprise.

A free version of Lynis can be installed from Github here: https://github.com/CISOfy/lynis/

What is Lynis Enterprise?

Lynis Enterprise software is commercial auditing, system hardening, compliance testing tool for AIX, FreeBSD, HP-UX, Linux, macOS, NetBSD, OpenBSD, Solaris etc. The Enterprise version is a paid version (with web portal). Lynis Enterprise has more features over the free version.

Snip from here: “Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open-source software with the GPL license and available since 2007.”

Visit the Lynis Enterprise site here: https://cisofy.com/solutions/#lynis-enterprise.

I created a Lynis Enterprise Trial

I have used the free version of Lynis in the past (read here), but the Enterprise version offers a lot of extra features (read here).

Screenshot of https://cisofy.com/lynis-enterprise/why-upgrade/

View the main Lynis Enterprise site here and the pricing page here

View a tour of features here: https://cisofy.com/lynis-enterprise/

Create a Cisofy Trial Account

You can request a trial of Lynis Enterprise here: https://cisofy.com/demo/

Request a Lynis Enterprise trial screenshot

After the trial account was set up I logged in here. Upon login, I was prompted to add a system to my account (also my licence key was visible)

Lynis portal  main screen

Install Lynis (Clone GIT Repo/latest features)

I am given 3 options to install Lynis from the add system page here.

  1. Add the software repository and install the client (The suggested and easiest way to install Lynis and keep it up-to-date).
  2. Clone the repository from Github (The latest development version, containing the most recent changes)
  3. Manually install or activate an already installed Lynis.

I will clone a fresh install from Github as I prefer seeing the latest issues, latest changes from GitHub notifications. I like getting notifications about security.

I logged into my server via SSH and ran the following command(s).

sudo apt-get instal git
mkdir /thefolder
cd /thefolder
git clone https://github.com/CISOfy/lynis

Cloning into 'lynis'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 10054 (delta 0), reused 1 (delta 0), pack-reused 10047
Receiving objects: 100% (10054/10054), 4.91 MiB | 26.60 MiB/s, done.
Resolving deltas: 100% (7387/7387), done.

I logged into https://portal.cisofy.com/ and clicked ‘Add’ system to find my API key

I noted my licence key.

I then changed to my Lynis folder

cd lynis

I then created a “custom.prf” file

touch custom.prf

I ran this command to activate my licence (I have replaced my licence with ########’s).

View the documentation here.

./lynis configure settings license-key=########-####-####-####-############:upload-server=portal.cisofy.com

Output:

Configuring setting 'license-key'
Setting changed
Configuring setting 'upload-server'
Setting changed

I performed my first scan and uploaded the report.

TIP: Make sure you have curl installed

./lynis audit system --upload

After the scan is complete, make sure you see the following.

Data upload status (portal.cisofy.com) [ OK ]

I logged into https://portal.cisofy.com/enterprise/systems/ and I could view my systems report.

You can read the basic Lynis documentation here: https://cisofy.com/documentation/lynis/

Manual Lynis Scans

I can run a manual scan at any time

cd /thefolder/lynis/
sudo ./lynis audit system --upload

To view results I can login to https://portal.cisofy.com/

Automated Lynis Scans

I have created a bash script that updates Lynis (basically running ‘sudo /usr/bin/git pull origin master’ in the lynis folder)

#!/bin/bash

sendemail -f [email protected] -t [email protected] -u "CRON: Updating Lynis (yourserver.com) START" -m "/folder/runlynis.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***

echo "Changing Directory to /folder/lynis"
cd /folder/lynis

echo "Updating Lynis"
sudo /usr/bin/git pull origin master

sendemail -f [email protected] -t [email protected] -u "CRON: Updated Lynis (yourserver.com) END" -m "/folder/runlynis.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***

This is my bash script that runs Lynis scans and emails the report

#!/bin/bash

sendemail -f [email protected] -t [email protected] -u "CRON: Run Lynis (yourserver.com) START" -m "/folder/runlynis.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***

echo "Running Lynis Scan"
cd /utils/lynis/
sudo /utils/lynis/lynis audit system --upload > /folder/lynis/lynis.txt

sendemail -f [email protected] -t [email protected] -u "CRON: Run Lynis (yourserver.com) END" -m "/folder/runlynis.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***  -a /folder/lynis/lynis.txt

I set up two cron jobs to update Lynis (from Git) and to scan with Lynis every day.

#Lynis Update 11:55PM
55 21 * * * /bin/bash /folder/runlynis.sh && curl -fsS --retry 3 https://hc-ping.com/########-####-####-####-############ > /dev/null

#Lynis Scan 2AM
0 2 * * * /bin/bash /folder/runlynis.sh && curl -fsS --retry 3 https://hc-ping.com/########-####-####-####-############ > /dev/null

Thanks to sendemail I get daily emails

I have set up cronjob motoring and emails at the start and end of the bash scripts.

The attachment is not a pretty text file report but a least I can see the output of the scan (without logging into the portal).

Maybe I add the following file also

/var/log/lynis.log

Lynis Enterprise (portal.cisofy.com)

Best of all Lynis Enterprise comes with a great online dashboard available at
https://portal.cisofy.com/enterprise/dashboard/.

Lynis Enterprise Portal

Dashboard (portal.cisofy.com)

Clicking the ‘Dashboard‘ button in the toolbar at the top of the portal reveals a summary of your added systems, alerts, compliance, system integrity, Events and statistics.

Dashboard button

The dashboard has three levels

  • Business (less information)
  • Operational
  • Technical (more information)

Read about the differences here.

three dashboard breadcrumbs

Each dashboard has a limited number of elements, but the technical dashboard has all the elements.

Technical Dashboard

Lynis Enterprise Dashboard https://portal.cisofy.com/enterprise/dashboard/

From here you can click and open server scan results (see below)

Server Details

If you click on a server name you can see detailed information. I created 2 test servers (I am using the awesome UpCloud host)

A second menu appears when you click on a server

Linus Menu

Test Server 01: Ubuntu 18.04 default Scan Results (66/100)

Ubuntu Server Score 66/100

Test Server 02: Debian 9.9 default Scan Results (65/100)

Server

It is interesting to see Debian is 1 point below Ubuntu.

The server page will give a basic summary and highlights like the current and previous hardening score, open ports, firewall status, installed packages, users.

When I click the server name to load the report I can click to see ‘Warnings’ or ‘Suggestions’ to resolve

Suggested System Hardening Actions

I had 47 system hardening recommendations on one system

Lynis identified quick wins.

Some of the security hardening actions included the following.

e.g

  • Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules
  • Incorrect permissions for file /root/.ssh
  • A reboot of the system is most likely needed
  • Found some information disclosure in SMTP banner (OS or software name)
  • Configure maximum password age in /etc/login.defs
  • Default umask in /etc/login.defs could be more strict like 027
  • Add a legal banner to /etc/issue.net, to warn unauthorized users
  • Check available certificates for expiration
  • To decrease the impact of a full /home file system, place /home on a separate partition
  • Install a file integrity tool to monitor changes to critical and sensitive files
  • Check iptables rules to see which rules are currently not used
  • Harden compilers like restricting access to root user only
  • Disable the ‘VRFY’ command
  • Add the IP name and FQDN to /etc/hosts for proper name resolving
  • Purge old/removed packages (59 found) with aptitude purge or dpkg –purge command. This will clean up old configuration files, cron jobs and startup scripts.
  • Remove any unneeded kernel packages
  • Determine if automation tools are present for system management
  • etc

Hardening Suggestion (Ignore or Solve)

If you click ‘Solve‘ Cisofy will provide a link to detailed information to help you solve issues.

Suggested fix: ACCT-9630 Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules

I will not list every suggested problem and fix but here are some fixes below.

ACCT-9630 Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules (fixed)

TIP: If you don’t have auditd installed run this command below to install it

sudo apt-get install auditd
/etc/init.d/auditd start
/etc/init.d/auditd status

I added the following to ‘/etc/audit/rules.d/audit.rules‘ (thanks to the solution recommendations on the Cisofy portal.

# This is an example configuration suitable for most systems
# Before running with this configuration:
# - Remove or comment items which are not applicable
# - Check paths of binaries and files

###################
# Remove any existing rules
###################

-D

###################
# Buffer Size
###################
# Might need to be increased, depending on the load of your system.
-b 8192

###################
# Failure Mode
###################
# 0=Silent
# 1=printk, print failure message
# 2=panic, halt system
-f 1

###################
# Audit the audit logs.
###################
-w /var/log/audit/ -k auditlog

###################
## Auditd configuration
###################
## Modifications to audit configuration that occur while the audit (check your paths)
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

###################
# Monitor for use of audit management tools
###################
# Check your paths
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

###################
# Special files
###################
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles

###################
# Mount operations
###################
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount

###################
# Changes to the time
###################
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
-w /etc/localtime -p wa -k localtime

###################
# Use of stunnel
###################
-w /usr/sbin/stunnel -p x -k stunnel

###################
# Schedule jobs
###################
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron

## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd

###################
# Monitor usage of passwd command
###################
-w /usr/bin/passwd -p x -k passwd_modification

###################
# Monitor user/group tools
###################
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

###################
# Login configuration and stored info
###################
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

###################
# Network configuration
###################
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

###################
## system startup scripts
###################
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

###################
# Library search paths
###################
-w /etc/ld.so.conf -p wa -k libpath

###################
# Kernel parameters and modules
###################
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/modprobe.conf -p wa -k modprobe
###################

###################
# PAM configuration
###################
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

###################
# Puppet (SSL)
###################
#-w /etc/puppet/ssl -p wa -k puppet_ssl

###################
# Postfix configuration
###################
#-w /etc/aliases -p wa -k mail
#-w /etc/postfix/ -p wa -k mail
###################

###################
# SSH configuration
###################
-w /etc/ssh/sshd_config -k sshd

###################
# Hostname
###################
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname

###################
# Changes to issue
###################
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

###################
# Log all commands executed by root
###################
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

###################
## Capture all failures to access on critical elements
###################
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/local/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess

###################
## su/sudo
###################
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc

###################
# Poweroff/reboot tools
###################
-w /sbin/halt -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/shutdown -p x -k power

###################
# Make the configuration immutable
###################
-e 2

# EOF

I reloaded my audit daemon config

auditctl -R /etc/audit/rules.d/audit.rules

Further configuration can be added (read this), read the auditd man page here or read logs you can use the ‘auditsearch‘ tool (read the Ubuntu Man Page here)

Here is a great guide on viewing audit events.

Because we have this rule ( ‘-w /etc/passwd -p wa -k etcpasswd ) to monitor the passwords file, If I read the contents of \etc\passwd it will show up in the audit logs.

We can verify the access of this file by running this command

ausearch -f /etc/passwd

Output

ausearch -f /etc/passwd
----
time->Mon Jun 10 16:58:13 2019
type=PROCTITLE msg=audit(##########.897:3639): proctitle=##########################
type=PATH msg=audit(##########.897:3639): item=1 name="/etc/passwd" inode=1303 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(##########.897:3639): item=0 name="/etc/" inode=12 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(##########.897:3639): cwd="/root"
type=SYSCALL msg=audit(##########.897:3639): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556241ea9650 a2=441 a3=1b6 items=2 ppid=1571 pid=1572 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=446 comm="nano" exe="/bin/nano" key="etcpasswd"

I might write a list of handy ausearech commands and blog about this in the future

SSH Permissions (fixed)

to fish the ssh permissions warning I ran the command to show the issue on my server

./lynis show details FILE-7524
2019-05-25 23:00:04 Performing test ID FILE-7524 (Perform file permissions check)
2019-05-25 23:00:04 Test: Checking file permissions
2019-05-25 23:00:04 Using profile /utils/lynis/default.prf for baseline.
2019-05-25 23:00:04 Checking /etc/lilo.conf
2019-05-25 23:00:04   Expected permissions:
2019-05-25 23:00:04   Actual permissions:
2019-05-25 23:00:04   Result: FILE_NOT_FOUND
2019-05-25 23:00:04 Checking /root/.ssh
2019-05-25 23:00:04   Expected permissions: rwx------
2019-05-25 23:00:04   Actual permissions: rwxr-xr-x
2019-05-25 23:00:04   Result: BAD
2019-05-25 23:00:04 Warning: Incorrect permissions for file /root/.ssh [test:FILE-7524] [details:-] [solution:-]
2019-05-25 23:00:04 Using profile /utils/lynis/custom.prf for baseline.
2019-05-25 23:00:04 Checking permissions of /utils/lynis/include/tests_homedirs
2019-05-25 23:00:04 File permissions are OK
2019-05-25 23:00:04 ===---------------------------------------------------------------===

I tightened permissions on the /root/.ssh folder with this command

chmod 700 /root/.ssh

Configure minimum/maximum password age in /etc/login.defs (fixed)

I set a maximum and minimum password age in ‘/etc/login.defs‘

Defaults

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

Add a legal banner to /etc/issue, to warn unauthorized users (fixed)

I edited ‘/etc/issue’ on Ubuntu and Linux

Ubuntu 18.04 default

Ubuntu 18.04.2 LTS \n \l

Debian Default

Debian GNU/Linux 9 \n \l

Cisofy said this “Define a banner text to inform both authorized and unauthorized users about the machine and service they are about to access. The purpose is to share your policy before an access attempt is being made. Users should know that there privacy might be invaded, due to monitoring of the system and its resources, to protect the integrity of the system. Also unauthorized users should be deterred from trying to access it in the first place.“

Done

Default umask in /etc/login.defs could be more strict like 027 (fixed)

Related files..

  • /etc/profile
  • /etc/login.defs
  • /etc/passwd

I edited ‘/etc/login.defs’ and set

UMASK           027

I ran

umask 027 /etc/profile
umask 027 /etc/login.defs
umask 027 /etc/passwd

Check iptables rules to see which rules are currently not used (fixed)

I ran the following command to review my firewall settings

iptables --list --numeric --verbose

TIP: Scan for open ports with ‘nmap’

Watch this handy video if you are not sure how to use nmap

Install nmap

sudo apt-get install nmap

I do set firewall rules in ufw (guide here) and ufw is a front end for iptables.

Scan for open ports with nmap

nmap -v -sT localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-12 22:09 AEST
Initiating Connect Scan at 22:09
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 8080/tcp on 127.0.0.1
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Completed Connect Scan at 22:09, 0.02s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy

Everything looked good.

Harden compilers like restricting access to root user only (fixed)

Cicofy said

Compilers turn source code into binary executable code. For a production system a compiler is usually not needed, unless package upgrades are performed by means of their source code (like FreeBSD ports collection). If a compiler is found, execution should be limited to authorized users only (e.g. root user).

To solve this finding, remove any unneeded compiler or change the file permissions. Usually chmod 700 or chmod 750 will be enough to prevent normal users from using a compiler. Related compilers are as, cc, ld, gcc, go etc. To determine what files are affected, check the Lynis log file, then chmod these files.

I ran

chmod 700 /usr/bin/as
chmod 700 /usr/bin/gcc

Turn off PHP information exposure (fixed)

Cisofy siad

Disable the display of version information by setting the expose_php option to 'Off' in php.ini. As several instances of PHP might be installed, ensure that all related php.ini files have this setting turned off, otherwise this control will show up again.

This was already turned off but a unused php.ini may have been detected.

I searched for all php.ini files

find / -name php.ini

Output

/etc/php/7.3/apache2/php.ini
/etc/php/7.3/fpm/php.ini
/etc/php/7.3/cli/php.ini

yep, the cli version of php.ini had the following

expose_php = On

I set this to Off

Purge old/removed packages (59 found) with aptitude purge or dpkg –purge command. This will cleanup old configuration files, cron jobs and startup scripts. (fixed)

Cisofy said

While not directly a security concern, unpurged packages are not installed but still have remains left on the system (e.g. configuration files). In case software is reinstalled, an old configuration might be applied. Proper cleanups are therefore advised.

To remove the unneeded packages, select the ones marked with the 'rc' status. This means the package is removed, but the configuration files are still there.

I ran the following recommended command

dpkg -l | grep "^rc" | cut -d " " -f 3 | xargs dpkg --purge

Done

Install debsums utility for the verification of packages with known good database. (fixed)Cisofy said

Install the debsums utility to do more in-depth auditing of your packages.

I ran the following suggested command

apt-get install debsums

I googled and found this handy page

I scanned packages and asked ‘debsums” to only show errors with this command

sudo debsums -s

The only error was..

debsums: missing file /usr/bin/pip (from python-pip package)

I did not need pip so I removed it

apt-get remove --purge python-pip

Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc (fixed)

I ignore this as I do not allow logins via password and only I have an account (it’s not a multi user system).

I white list logins to IP’s.

I only allow ssh access with a private key and long passphrase.

I have 2FA OTP enabled at logins.

I have cloudflare over my domain.

I setup fail2ban to auto block logins using this guide

Reboot (fixed)

I restated the server

shutdown -r now

Done

Check available certificates for expiration (fixed)

I tested my SSL certificate with https://dev.ssllabs.com

https://dev.ssllabs.com/ scan of my site

Add legal banner to /etc/issue.net, to warn unauthorized users (fixed)

Cisofy said…

Define a banner text to inform both authorized and unauthorized users about the machine and service they are about to access. The purpose is to share your policy before an access attempt is being made. Users should know that there privacy might be invaded, due to monitoring of the system and its resources, to protect the integrity of the system. Also unauthorized users should be deterred from trying to access it in the first place.

Do not reveal sensitive information, like the specific goal of the machine, or what can be found on it. Consult with your legal department, to determine appropriate text.

I edited the file ‘/etc/issue.net’ and added a default pre login message (same as ‘/etc/issue’).

Install Apache mod_evasive to guard webserver against DoS/brute force attempts (ignored)

I ignored this message and I don’t use the Apache (I use the Nginx web server). I have added Apache to be blocked from installing.

I clicked Ignore in the Cisofy portal.

Ignore Button

Install Apache modsecurity to guard webserver against web application attacks (ignored)

I clicked Ignore for this one too

Ignore Button

Check your Nginx access log for proper functioning (reviewed)

Cisofy said…

Disabled logging:
Check in the Lynis log for entries which are disabled, or in the nginx configuration (access_log off).

Missing logging:
Check for missing log files. They are references in the configuration of nginx, but not on disk. The Lynis log will reveal to what specific files this applies.

I checked my Nginx config (‘/etc/nginx/nginx.conf‘) for all log references and ensured the logs were writing to disk (OK).

I checked my ‘/etc/nginx/sites-available/default‘ config and I did have 2 settings of ‘access_log off ‘ (this was added during the setup for two sub reporting subfolders for the Nixstats agent.

I restarted Nginx

nginx -t
nginx -s reload
/etc/init.d/nginx restart

Check what deleted files are still in use and why. (fixed)

Cisofy said..

Why it matters
Deleted files may sometimes be in use by applications. Normally this should not happen, as an application should delete a file and release the file handle. This test might discover malicious software, trying to hide its presence on the system. Investigate the related files by determining which application keeps it open and the related reason.

Details
The following details have been found as part of the scan.

/lib/systemd/systemd-logind(systemd-l)
/tmp/ib1ekCtf(mysqld)
/tmp/ibhuK1At(mysqld)
/tmp/ibmTO5F5(mysqld)
/tmp/ibR0dkxD(mysqld)
/tmp/ibvf69KH(mysqld)
/tmp/.ZendSem.gq3mnz(php-fpm7.)
/usr/bin/python3.6(networkd-)
/usr/bin/python3.6(unattende)
/var/log/mysql/error.log.1(mysqld)

I ran the following command to show deleted files in use

lsof | grep deleted

I noticed on my database server a php-fpm service was using files. I don’t have a webserver enabled on this server, so I uninstalled the web-based services.

I have separate web and database servers.

sudo apt-get remove apache*
sudo apt-get remove -y --purge nginx*
sudo apt-get remove -y --purge php7*
sudo apt autoremove

Check DNS configuration for the dns domain name (fixed)

Cisofy said..

Some software can work incorrectly when the system can't resolve itself. 
Add the IP name and fully qualified domain name (FQDN) to /etc/hosts. Usually this is done with an entry of 127.0.0.1, or 127.0.1.1 (to leave the localhost entry alone). 

I edited my ‘/etc/hosts’ file

I added a domain name to the end of the localhost entry and added a new line with my server(s) IP and domain name

Disable the ‘VRFY’ command (fixed)

I was advised to run this command

postconf -e disable_vrfy_command=yes

(Debian) Enable sysstat to collect accounting (no results) (fixed)

Cisofy said..

The sysstat is collection of utilities to provide system information insights. While one should aim for the least amount of packages, the sysstat utilities can be a good addition to help recording system details. They can provide insights for performance monitoring, or guide in discovering unexpected events (like a spam run). If you already use extensive system monitoring, you can safely ignore this control.

I ran the suggested commands

apt-get install sysstat
sed -i 's/^ENABLED="false"/ENABLED="true"/' /etc/default/sysstat

More info on sysstat here.

Consider running ARP monitoring software (arpwatch,arpon) (fixed)

Cisofy said

Networks are very dynamic, often with devices come and go as they please. For sensitive machines and network zones, you might want to know what happens on the network itself. An utility like arpwatch can help tracking changes, like new devices showing up, or others leaving the network.

I read this page to setup and configure arpwatch

sudo apt-get install arpwatch
/etc/init.d/arpwatch start

I will add more on how to use arpwatch soon

Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft (fixed)

Cosofy siad..

Disable drivers like USB storage when not used. This helps preventing unauthorized storage, data copies, or data theft.

I ran the suggested fix

echo "# Block USB storage" >> /etc/modprobe.d/disable-usb-storage.conf
echo "install usb-storage /bin/false" >> /etc/modprobe.d/disable-usb-storage.conf

Determine if automation tools are present for system management (ignored)

I ignored this one

Ignore Button

One or more sysctl values differ from the scan profile and could be tweaked

Cisofy said..

By means of sysctl values we can adjust kernel related parameters. Many of them are related to hardening of the network stack, how the kernel deals with processes or files. This control is a generic test with several sysctl variables (configured by the scan profile).

I was advised to adjust these settings

  • net.ipv4.conf.all.send_redirects=0
  • net.ipv4.conf.default.accept_source_route=0
  • kernel.sysrq=0
  • net.ipv4.conf.all.log_martians=1
  • net.ipv4.conf.default.log_martians=1
  • kernel.core_uses_pid=1
  • kernel.kptr_restrict=2
  • fs.suid_dumpable=0
  • kernel.dmesg_restrict=1

I edited ‘/etc/sysctl.conf‘ and made the advised changes along with these (I Googled each item first)

Install a file integrity tool to monitor changes to critical and sensitive files (fixed)

Cisofy said..

To monitor for unauthorized changes, a file integrity tool can help with the detection of such event. Each time the contents or the properties of a file change, it will have a different checksum. With regular checks of the related integrity database, discovering changes becomes easy. Install a tool like AIDE, Samhain or Tripwire to monitor important system and data files. Additionally configure the tool to alert system or security personnel on events.

It also gave a solution

# Step 1: Install package with appropriate command
apt-get install aide
yum install aide

# Step 2: Initialise database
aide --init
# If this fails: try aideinit

# Step 3: Copy newly created database (/var/lib/aide)
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Step 4:
aide --check

I installed ‘aide’ (read the guide here).

TIP: Long story but the steps above were not exactly correct. Thanks to this post for I was able to set up aide. without seeing this error.

Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db.new for writing

This is how I installed aide

apt-get install aide
apt-get install aide-common

I initialised aide.

aideinit

This was the important part (I was stuck for hours on this one)

aide.wrapper --check

I can run the following to see what files have changed.

I could see many files have changed since the initial scan (e.g mysql, log files nano search history).

Nice

Now lets schedule daily checks and create a cron job.

cat /folder/runaide.sh
#!/bin/bash

sendemail -f [email protected] -t [email protected] -u "CRON: AIDE Run (yourserver.com) START" -m "/folder/runaide.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***

MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/bin/aide.wrapper --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -100 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME

#/usr/bin/mail -s"$MYFILENAME `date`" [email protected] < /tmp/$MYFILENAME

sendemail -f [email protected] -t [email protected] -u "CRON: AIDE Run (yourserver.com) END" -m "/folder/runaide.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password*** -a /tmp/$MYFILENAME -a /tmp/myAide.txt

Above thanks to this post

I setup a cron job to run this daily

#Run AIDE
0 6 * * * /folder/runaide.sh && curl -fsS --retry 3 https://hc-ping.com/######-####-####-####-############> /dev/null

ACCT-9622 – Enable process accounting. (fixed)

Solution:

Install “acct” process and login accounting.

sudo apt-get install acct

Start the “acct” service

/etc/init.d/acct start
touch /var/log/pacct
chown root /var/log/pacct
chmod 0644 /var/log/pacct
accton /var/log/pacct 

Check the status

/etc/init.d/acct status
* acct.service - LSB: process and login accounting
   Loaded: loaded (/etc/init.d/acct; generated)
   Active: active (exited) since Sun 2019-05-26 19:42:15 AEST; 4min 42s ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 4660)
   CGroup: /system.slice/acct.service

May 26 19:42:15 servername systemd[1]: Starting LSB: process and login accounting...
May 26 19:42:15 servername acct[27419]: Turning on process accounting, file set to '/var/log/account/pacct'.
May 26 19:42:15 servername systemd[1]: Started LSB: process and login accounting.
May 26 19:42:15 servername acct[27419]:  * Done.

Run CISOfy recommended commands

touch /var/log/pacct
chown root /var/log/pacct
chmod 0644 /var/log/pacct
accton /var/log/pacct 

Manual Scan of Lynis

I re-ran an audit of the system (and uploaded the report to the portal) so I can see how I am progressing.

./lynis audit system --upload

I then checked the error status and the warnings were resolved.

Progress?

I rechecked my servers and all warnings are solved, now I just need to work on information level issues

Warning level errors fixed,  and informational to go

Cisofy Portal Overview

Quick breakdown of the Cisofy Portal

Overview Tab (portal.cisofy.com)

The Overview lab displays any messages, change log, API information, add a new system link, settings etc.

Lynis Overview tab

Dashboard Tab (portal.cisofy.com)

The dashboard tab will display compliant systems any outdated systems, alerts and events.

Lynis Dashboard screenshot https://portal.cisofy.com/enterprise/dashboard/

TIP: If you have a system that reports “Outdated” run the following command.

./lynis audit system --upload

Systems Tab (portal.cisofy.com)

The systems tab shows all systems, OS version, warnings, information counts, the date the system’s client last uploaded a report and the client version.

Systems tab shows all systems, OS version, warnings, information counts, date client last uploaded a report update and client version

If you are making many changes and manual Lynis scans keep an eye on your upload credits, You can see by the above and below image, I have lowered my suggested actions to harden my servers (red text).

Lynis scans reached

Clicking a host name reveals a summary of the system.

Clicking a system reveals a summary of the system.

Remaining information level issues are listed.

I can click Solve and see more information about the issue to resolve.

TIP: I thought it would be a good idea to copy this list to a spreadsheet for detailed tracking.

Spreadsheet listing issues to complete and done

I had another issue appear a few days later.

Compliance Tab (portal.cisofy.com)

A lot of information is listed here.

Compliance Tab

Best practice guides are available

best practice ghttps://portal.cisofy.com/compliance/udes

I could go on an on but https://cisofy.com/ is awesome.

TIP: Manually updating Lynis

from the command line I can view the Linus version with this command

./lynis --version
2.7.4

To update the Lynis git repository from the Lynis folder run this command

git pull
Already up to date.

Automatically updating and running Lynis scans

I added the following commands to my crontab to update then scan and report Lynis results to the portal.

TIP: Use https://crontab.guru/ to choose the right time to run commands (I chose 5 mins past 1 AM every day to update and 5 mins past 2 AM to run a scan.


#Lynis Update
5 1 * * * root -s /bin/bash -c 'cd /utils/lynis && /usr/bin/git pull origin master'

#Lynis Scan
5 2 * * * root -s /bin/bash -c '/utils/lynis/lynis audit system --upload'

Troubleshooting

fyi: Lynis Log file location: /var/log/lynis.log

Cisofy Enterprise Conclusion

Pros:

  • I can learn so much about securing Linux just from the Cisofy Fix recommendations.
  • I have secured my server beyond what I thought possible.
  • Very active development on Github: https://github.com/CISOfy/lynis/
  • Cisofy has a very good inteface and updates often.
  • New security issues are synced down and included in new scans (if you update)

Cons:

  • I am unable to pay for this for my servers here in Australia (European legal issues).
  • Needs Hardware 2FA

Tips

Make sure you have curl installed to allow reports to upload. I had this error on Debian 9.4.

View the latest repository version information here.

I added my Lynis folder to the Linux $PATH variable

export PATH=$PATH:/folder/lynis

Fatal: can’t find curl binary. Please install the related package or put the binary in the PATH. Quitting..

Lynis Enterprise API

View the Lynis Enterprise API documentation here

Lynis Enterprise Support

Support can be found here, email support [email protected].

Getting started guide is found here.

Bonus: Setting Up Content Security Policy and reporting violations to https://report-uri.com/

I have a few older posts on Content Security Policies (CSP) but they are a bit dated.

  • 2016 – Beyond SSL with Content Security Policy, Public Key Pinning etc
  • 2018 – Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx

Wikipedia Definition of a Content Security Policy

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.[1] It is a Candidate Recommendation of the W3C working group on Web Application Security,[2] widely supported by modern web browsers.[3] CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

If you want to learn about to setup CSP’s head over to https://report-uri.com/products/content_security_policy or https://report-uri.com/home/tools and read more.

I did have Content Security Policies (CSP) set up a few years back, but I had issues with broken resources. A lack of time on my behalf to investigate the issues forced me to disable the Content Security Policy (CSP). I should have changed the “Content-Security-Policy” header to “Content-Security-Policy-Report-Only.”

I will re-add the Content Security Policy (CSP) to my site but this time I will not disable it and will report to https://report-uri.com/, and if need be I will change the header from “content-security-policy” to “content-security-policy-report-only”. That way a broken policy won’t take down my site in future.

If you want to set up a Content Security Policy header and with good reporting of any violations of your CSP policy simply head over to https://report-uri.com/ and create a new account.

Read the official Report URI help documents here: https://docs.report-uri.com/.

Create a Content Security Policy

The hardest part of creating a Content Security Policy is knowing what to add where.

You could generate your own Content Security Policy by heading here (https://report-uri.com/home/generate) but that will take a while.

Create a CSP

TIP: Don’t make your policy live straight away by using the “Content-Security-Policy” header, instead use the “Content-Security-Policy-Report-Only” header.

To create a content Security Policy faster I would recommend you to use this Firefox plugin to generate a starter Content Security Policy.

Screenshot of https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/

Install this plugin to Firefox, enable it and click the Plugins icon and ensure “Record this site…” is ticked.

Laboratory plugin inFirefix

Then simply browse to your site (browse as many pages as possible) and a Content Security Policy will be generated based on the content on the page(s) loaded.

TIP: Always review the generated CSP, it allows everything needed to display your site.

Export the CSP from the Firefox plugin to the clipboard

This is the policy that was generated for me in 5 minutes browsing 20 pages.

default-src 'none'; connect-src 'self' https://onesignal.com/api/v1/apps/772f27ad-0d58-494f-9f06-e89f72fd650b/icon https://onesignal.com/api/v1/notifications https://onesignal.com/api/v1/players/67a2f360-687f-4513-83e8-f477da085b26 https://onesignal.com/api/v1/players/67a2f360-687f-4513-83e8-f477da085b26/on_session https://yoast.com/feed/widget/; font-src 'self' data: https://fearby-com.exactdn.com https://fonts.gstatic.com; form-action 'self' https://fearby.com https://syndication.twitter.com https://www.paypal.com; frame-src 'self' https://en-au.wordpress.org https://fearby.com https://googleads.g.doubleclick.net https://onesignal.com https://platform.twitter.com https://syndication.twitter.com https://www.youtube.com; img-src 'self' data: https://a.impactradius-go.com https://abs.twimg.com https://fearby-com.exactdn.com https://healthchecks.io https://pagead2.googlesyndication.com https://pbs.twimg.com https://platform.twitter.com https://secure.gravatar.com https://syndication.twitter.com https://ton.twimg.com https://www.paypalobjects.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://adservice.google.com.au/adsid/integrator.js https://adservice.google.com/adsid/integrator.js https://cdn.onesignal.com/sdks/OneSignalPageSDKES6.js https://cdn.onesignal.com/sdks/OneSignalSDK.js https://cdn.syndication.twimg.com/tweets.json https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/footer-45a3439e.min.js https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/footer-e6604f67.min.js https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/footer-f4213fd6.min.js https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/header-1583146a.min.js https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/header-823c0a0e.min.js https://fearby-com.exactdn.com/wp-content/piwik.js https://onesignal.com/api/v1/sync/772f27ad-0d58-494f-9f06-e89f72fd650b/web https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js https://pagead2.googlesyndication.com/pagead/js/r20190610/r20190131/show_ads_impl.js https://pagead2.googlesyndication.com/pub-config/r20160913/ca-pub-9241521190070921.js https://platform.twitter.com/js/moment~timeline~tweet.a20574004ea824b1c047f200045ffa1e.js https://platform.twitter.com/js/tweet.73b7ab8a56ad3263cad8d36ba66467fc.js https://platform.twitter.com/widgets.js https://s.ytimg.com/yts/jsbin/www-widgetapi-vfll-F3yY/www-widgetapi.js https://www.googletagservices.com/activeview/js/current/osd.js https://www.youtube.com/iframe_api; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://onesignal.com/sdks/ https://platform.twitter.com/css/ https://ton.twimg.com/tfw/css/; worker-src 'self' 

I can truncate starter Content Security Polity and remove some elements. Remove duplicated entries to separate files on a remote server add a wildcard (if I trust the server).

I truncated the policy with the help of the sublime text editor and Report URI CSP Generator.

I added this to the file ‘/etc/nginx/sites-available/default’

add_header "Content-Security-Policy-Report-Only" "default-src 'self' https://fearby.com/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://adservice.google.com.au https://adservice.google.com https://cdn.onesignal.com https://cdn.syndication.twimg.com https://fearby-com.exactdn.com https://onesignal.com https://pagead2.googlesyndication.com https://platform.twitter.com https://s.ytimg.com https://www.googletagservices.com https://www.youtube.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://onesignal.com https://platform.twitter.com https://ton.twimg.com; img-src 'self' data: https://a.impactradius-go.com https://abs.twimg.com https://fearby-com.exactdn.com https://healthchecks.io https://pagead2.googlesyndication.com https://pbs.twimg.com https://platform.twitter.com https://secure.gravatar.com https://syndication.twitter.com https://ton.twimg.com https://www.paypalobjects.com; font-src 'self' data: https://fearby-com.exactdn.com https://fonts.gstatic.com; connect-src 'self' https://onesignal.com https://yoast.com; object-src https://fearby.com/; frame-src 'self' https://en-au.wordpress.org https://fearby.com https://googleads.g.doubleclick.net https://onesignal.com https://platform.twitter.com https://syndication.twitter.com https://www.youtube.com; worker-src 'self'; form-action 'self' https://fearby.com https://syndication.twitter.com https://www.paypal.com; report-uri https://fearby.report-uri.com/r/d/csp/reportOnly";

I added the following to the file ‘/etc/nginx/sites-available/default‘ (inside the server node).

Any issues with the Content Security policy will be reported to my web browsers development console and to https://report-uri.com/.

My Chrome development console reports an issue with a graphic not loading from Namecheap.

Namecleap icon not loading

The event was also reported to the Report URI server.

Screenshot of reports at https://report-uri.com/account/reports/csp/

Don’t forget to check the reports often. When you have no more issues left you can make the Policy live by renaming the “Content-Security-Policy-Report-Only” header to “Content-Security-Policy”.

FYI: I had directive reports of ‘script-src-elem’ and it looks like they are new directives added to Chrome 75.

Don’t forget to visit the Report URI setup page and get a URL for where live reports get sent to.

Screenshot of https://report-uri.com/account/setup/

If you go to the Generate CSP page and import your website’s policy you can quickly add new exclusions to your policy

After a few months of testing and tweaking the policy, I can make it live (‘Content-Security-Policy’).

Lynis Enterprise

I have learned so much by using Lynis Enterprise from https://cisofy.com/

I am subscribed to issues notifications at https://github.com/CISOfy/lynis/issues/ and observe about 20 notifications a day in this GitHub community. Maybe one day I will contribute to this project?

Finally, Did the Bank reply?

Yes but it was not very informative.

Dear Simon,

Thank you very much  for the information and we have completely removed the reference that you have raised concern.
We are extremely sorry and apology for the inconvenience caused due to this mistake.

We are thankful for the information and support you have extended.

I tried to inquire how this happened and each time the answer was vague.

Thank you for your support. This was mistakenly used during the testing and we have warned the vendor as well.
I like to request you to close the ticket for this as we have already removed this.

We like to assure such things won’t happen in future.

It looks like the bank used my blog post to create their CSP.

Oh well at least I have a secured my servers.

Thanks for reading.

 

 

Version:

v1.1 – Changed the URL, Removed Ads and added a Lynis Enterprise Conclusion

v1.01 – Fixed the URL

v1.0 – Initial Version

Filed Under: 2nd Factor, CDN, Content Security Policy, Cron, Database, Debian, NGINX, One Signal, PHP, Security, Ubuntu, Vulnerabilities, Vulnerability, Weakness, Website Tagged With: Bank, Cisofy, Content Security Policy, Hacked, Linus

Strengths and weaknesses

August 10, 2017 by Simon

What are your strengths and weaknesses? Are you avoiding doing something because of your personality type or focusing on something else?

I thought this post would be helpful to a number of people as the Technology industry is filled with endless new frameworks and activities that require grit and focus. Sites like Udemy, Lynda.com, Pluralsight and others allow you to learn new technology but this might all be for nought if you can’t communicate well. Skills, education and experience are acquired but we use our personality daily to communicate and interact. Some say you cannot change your personality but knowing your personality type can help you interact or develop applications better. Knowing your personality type can help you interact better with family, friends, clients and colleagues.

It is important how you interact with people and personalities is part of it (along with age, sex, religion, rapport, trust etc).

Personality Types

View the 16 Personality Types https://www.16personalities.com/personality-types  (ISTJ, ISFJ, INFJ, INTJ, ISTP, ISFP, INFP, INTP, ESTP, ESFP, ENFP, ENTP, ESTJ, ESFJ, ENFJ, ENTJ).

Read about the background of the personality types on 16 personalities here.

The Myers and Briggs Foundation have a good breakdown on the 16 personality types.

Take a Personality Test

https://www.16personalities.com/free-personality-test is a good site that allows you to take a 30min quiz and show your personality. I have tested myself, family and kids and it is bang on. Take the test here.

How to use the test results

  • How to talk and listen at work
  • How to talk with family
  • How to talk to children
  • How to talk to spouses.
  • How to understand your self and family better.

My Personality Type

I am an INTJ-T and proud of it. Here is a breakdown of my personality type https://www.16personalities.com/intj-personality

  • “Innovative inventors with an unquenchable thirst for knowledge.” (snip from 16personalities.com).
  • “The INTP personality type is fairly rare, making up only three per cent of the population, which is definitely a good thing for them, as there’s nothing they’d be more unhappy about than being “common”. INTPs pride themselves on their inventiveness and creativity, their unique perspective and vigorous intellect. Usually known as the philosopher, the architect, or the dreamy professor, INTPs have been responsible for many scientific discoveries throughout history.” (snip from 16personalities.com).
  • INTPs are known for their brilliant theories and unrelenting logic – in fact, they are considered the most logically precise of all the personality types (snip from 16personalities.com).

My supposed personality strengths are..

  • Quick, Imaginative and Strategic Mind
  • High Self-Confidence
  • Independent and Decisive
  • Hard-working and determined
  • Open-minded
  • Jacks-of-all-Trades

My supposed personality weaknesses are..

  • Very Private and Withdrawn
  • Insensitive
  • Absent-minded
  • Condescending
  • Loathe Rules and Guidelines
  • Second-Guess Themselves

Natural Reaction to my personality types

My natural reaction is to accept my strengths and reject my weaknesses but knowing your weaknesses can help you plan better or improve skills or interactions.

What is normal? 

JPSears talking about what is normal..


Positive Thinking

I am not a motivator so I will encourage you to read (or listen to) the books  The Obstacle is the Way by Ryan Holiday , Ego is the Enemy by Ryan Holiday and Grit: The Power of Passion and Perseverance by Angela Duckworth (Thanks, Zach) if you want to self-improve.

Psychology

Snip from (Wikipedia) “Personality is a set of individual differences that are affected by the development of an individual: values, attitudes, personal memories, social relationships, habits, and skills. Different personality theorists present their own definitions of the word based on their theoretical positions. The term “personality trait” refers to enduring personal characteristics that are revealed in a particular pattern of behaviour in a variety of situations.”

Who are you, really? The puzzle of personality | Brian Little is a good video on who we are and how we interact.

Psychology Dimensions = (Openness, Continuous, Extroversion, Agreeably, Neuroticism) = Wellbeing.

Being Understood

Here is a great video on being understood (great for INTP-T’s).

Personality Psychology

Snip (from Wikipedia): Personality also refers to the pattern of thoughts, feelings, social adjustments, and behaviours consistently exhibited over time that strongly influences one’s expectations, self-perceptions, values, and attitudes. It also predicts human reactions to other people, problems, and stress. Knowing your personality type can allow you to use on your strength and focus on your weaknesses.

Alan Watts Psychology of Consciousness HQ talks about the evolution of psychology and applications and shallowness.

Psychology

What is Psychology? (Snip from  Wikipedia ).”Carl Gustav Jung was a Swiss psychiatrist and psychoanalyst who founded analytical psychology. His work has been influential not only in psychiatry but also in anthropology, archaeology, literature, philosophy, and religious studies.”

SWOT Analysis

Direction and focus with SWOT Analysis technique.

Tips

  • Work to your strengths.
  • Plan around your weaknesses (use tools to plan better or don’t endlessly research solutions and not deliver).
  • Know other peoples personality (if they agree)..
  • Consider doing a SWOT Analysis with projects (or yourself).

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]v1.4 added info on being normal

Filed Under: Advice, Planning, Psychology, Weakness Tagged With: (ISTJ, 16 personalities, ENFJ, ENFP, ENTJ), ENTP, ESFJ, ESFP, ESTJ, ESTP, INFJ, INFP, INTJ, INTP, ISFJ, ISFP, ISTP, swot

Securing Ubuntu in the cloud

August 9, 2017 by Simon

It is easy to deploy servers to the cloud within a few minutes, you can have a cloud-based server that you (or others can use). ubuntu has a great guide on setting up basic security issues but what do you need to do.

If you do not secure your server expects it to be hacked into. Below are tips on securing your cloud server.

First, read more on scanning your server with Lynis security scan.

Always use up to date software

Always use update software, malicious users can detect what software you use with sites like shodan.io (or use port scan tools) and then look for weaknesses from well-published lists (e.g WordPress, Windows, MySQL, node, LifeRay, Oracle etc). People can even use Google to search for login pages or sites with passwords in HTML (yes that simple).  Once a system is identified by a malicious user they can send automated bots to break into your site (trying millions of passwords a day) or use tools to bypass existing defences (Security researcher Troy Hunt found out it’s child’s play).

Portscan sites like https://mxtoolbox.com/SuperTool.aspx?action=scan are good for knowing what you have exposed.

You can also use local programs like nmap to view open ports

Instal nmap

sudo apt-get install nmap

Find open ports

nmap -v -sT localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-08 23:57 AEST
Initiating Connect Scan at 23:57
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 9101/tcp on 127.0.0.1
Discovered open port 9102/tcp on 127.0.0.1
Discovered open port 9103/tcp on 127.0.0.1
Completed Connect Scan at 23:57, 0.05s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Limit ssh connections

Read more here.

Use ufw to set limits on login attempts

sudo ufw limit ssh comment 'Rate limit hit for openssh server'

Only allow known IP’s access to your valuable ports

sudo ufw allow from 123.123.123.123/32 to any port 22

Delete unwanted firewall rules

sudo ufw status numbered
sudo ufw delete 8

Only allow known IP’s to certain ports

sudo ufw allow from 123.123.123.123 to any port 80/tcp

Also, set outgoing traffic to known active servers and ports

sudo ufw allow out from 123.123.123.123 to any port 22

Don’t use weak/common Diffie-Hellman key for SSL certificates, more information here.

openssl req -new -newkey rsa:4096 -nodes -keyout server.key -out server.csr
 
Generating a 4096 bit RSA private key
...

More info on generating SSL certs here and setting here and setting up Public Key Pinning here.

Intrusion Prevention Software

Do run fail2ban: Guide here https://www.linode.com/docs/security/using-fail2ban-for-security

I use iThemes Security to secure my WordPress and block repeat failed logins from certain IP addresses.

iThemes Security can even lock down your WordPress.

You can set iThemes to auto lock out users on x failed logins

Remember to use allowed whitelists though (it is so easy to lock yourself out of servers).

Passwords

Do have strong passwords and change the root password provided by the hosts. https://howsecureismypassword.net/ is a good site to see how strong your password is from brute force password attempts. https://www.grc.com/passwords.htm is a good site to obtain a strong password.  Do follow Troy Hunt’s blog and twitter account to keep up to date with security issues.

Configure a Firewall Basics

You should install a firewall on your Ubuntu and configure it and also configure a firewall with your hosts (e.g AWS, Vultr, Digital Ocean).

Configure a Firewall on AWS

My AWS server setup guide here. AWS allow you to configure the firewall here in the Amazon Console.

Type Protocol Port Range Source Comment
HTTP TCP 80 0.0.0.0/0 Opens a web server port for later
All ICMP ALL N/A 0.0.0.0/0 Allows you to ping
All traffic ALL All 0.0.0.0/0 Not advisable long term but OK for testing today.
SSH TCP 22 0.0.0.0/0 Not advisable, try and limit this to known IP’s only.
HTTPS TCP 443 0.0.0.0/0 Opens a secure web server port for later

Configure a Firewall on Digital Ocean

Configuring a firewall on Digital Ocean (create a $5/m server here).  You can configure your Digital Ocean droplet firewall by clicking Droplet, Networking then Manage Firewall after logging into Digital Ocean.

Configure a Firewall on Vultr

Configuring a firewall on Vultr (create a $2.5/m server here).

Don’t forget to set IP rules for IPV4 and IPV6, Only set the post you need to allow and ensure applications have strong passwords.

Ubuntu has a firewall built in (documentation).

sudo ufw status

Enable the firewall

sudo ufw enable

Adding common ports

sudo ufw allow ssh/tcp
sudo ufw logging on
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 53
sudo ufw allow 443
sudo ufw allow 873
sudo ufw enable
sudo ufw status
sudo ufw allow http
sudo ufw allow https

Add a whitelist for your IP (use http://icanhazip.com/ to get your IP) to ensure you won’t get kicked out of your server.

sudo ufw allow from 123.123.123.123/24 to any port 22

More help here.  Here is a  good guide on ufw commands. Info on port numbers here.

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

If you don’t have a  Digital Ocean server for $5 a month click here and if a $2.5 a month Vultr server here.

Backups

rsync is a good way to copy files to another server or use Bacula

sudo apt install bacula

Basics

Initial server setup guide (Digital Ocean).

Sudo (admin user)

Read this guide on the Linux sudo command (the equivalent if run as administrator on Windows).

Users

List users on an Ubuntu OS (or compgen -u)

cut -d: -f1 /etc/passwd

Common output

cut -d: -f1 /etc/passwd
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
syslog
_apt
lxd
messagebus
uuidd
dnsmasq
sshd
pollinate
ntp
mysql
clamav

Add User

sudo adduser new_username

e.g

sudo adduser bob
Adding user `bob' ...
Adding new group `bob' (1000) ...
Adding new user `bob' (1000) with group `bob' ...
Creating home directory `/home/bob' ...
etc..

Add user to a group

sudo usermod -a -G MyGroup bob

Show users in a group

getent group MyGroup | awk -F: '{print $4}'

This will show users in a group

Remove a user

sudo userdel username
sudo rm -r /home/username

Rename user

usermod -l new_username old_username

Change user password

sudo passwd username

Groups

Show all groups

compgen -ug

Common output

compgen -g
root
daemon
bin
sys
adm
tty
disk
lp
mail
proxy
sudo
www-data
backup
irc
etc

You can create your own groups but first, you must be aware of group ids

cat /etc/group

Then you can see your systems groups and ids.

Create a group

groupadd -g 999 MyGroup

Permissions

Read this https://help.ubuntu.com/community/FilePermissions

How to list users on Ubuntu.

Read more on setting permissions here.

Chmod help can be found here.

Install Fail2Ban

I used this guide on installing Fail2Ban.

apt-get install fail2ban

Check Fail2Ban often and add blocks to the firewall of known bad IPs

fail2ban-client status

Best practices

Ubuntu has a guide on basic security setup here.

Startup Processes

It is a good idea to review startup processes from time to time.

sudo apt-get install rcconf
sudo rcconf

Accounts

  • Read up on the concept of least privilege access for apps and services here.
  • Read up on chmod permissions.

Updates

Do update your operating system often.

sudo apt-get update
sudo apt-get upgrade

Minimal software

Only install what software you need

Exploits and Keeping up to date

Do keep up to date with exploits and vulnerabilities

  • Follow 0xDUDE on twitter.
  • Read the GDI.Foundation page.
  • Visit the Exploit Database
  • Vulnerability & Exploit Database
  • Subscribe to the Security Now podcast.

Secure your applications

  • NodeJS: Enable logging in applications you install or develop.

Ban repeat Login attempts with FailBan

Fail2Ban config

sudo nano /etc/fail2ban/jail.conf
[sshd]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

Hosts File Hardening

sudo nano /etc/host.conf

Add

order bind,hosts
nospoof on

Add a whitelist with your ip on /etc/fail2ban/jail.conf (see this)

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not                          
# ban a host which matches an address in this list. Several addresses can be                             
# defined using space separator.
                                                                         
ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8

Restart the service

sudo service fail2ban restart
sudo service fail2ban status

Intrusion detection (logging) systems

Tripwire will not block or prevent intrusions but it will log and give you a heads up with risks and things of concern

Install Tripwire.

sudo apt-get install tiger tripwire

Running Tripwire

sudo tiger

This will scan your system for issues of note

sudo tiger
Tiger UN*X security checking system
   Developed by Texas A&M University, 1994
   Updated by the Advanced Research Corporation, 1999-2002
   Further updated by Javier Fernandez-Sanguino, 2001-2015
   Contributions by Francisco Manuel Garcia Claramonte, 2009-2010
   Covered by the GNU General Public License (GPL)

Configuring...

Will try to check using config for 'x86_64' running Linux 4.4.0-89-generic...
--CONFIG-- [con005c] Using configuration files for Linux 4.4.0-89-generic. Using
           configuration files for generic Linux 4.
Tiger security scripts *** 3.2.3, 2008.09.10.09.30 ***
20:42> Beginning security report for simon.
20:42> Starting file systems scans in background...
20:42> Checking password files...
20:42> Checking group files...
20:42> Checking user accounts...
20:42> Checking .rhosts files...
20:42> Checking .netrc files...
20:42> Checking ttytab, securetty, and login configuration files...
20:42> Checking PATH settings...
20:42> Checking anonymous ftp setup...
20:42> Checking mail aliases...
20:42> Checking cron entries...
20:42> Checking 'services' configuration...
20:42> Checking NFS export entries...
20:42> Checking permissions and ownership of system files...
--CONFIG-- [con010c] Filesystem 'fuse.lxcfs' used by 'lxcfs' is not recognised as a valid filesystem
20:42> Checking for indications of break-in...
--CONFIG-- [con010c] Filesystem 'fuse.lxcfs' used by 'lxcfs' is not recognised as a valid filesystem
20:42> Performing rootkit checks...
20:42> Performing system specific checks...
20:46> Performing root directory checks...
20:46> Checking for secure backup devices...
20:46> Checking for the presence of log files...
20:46> Checking for the setting of user's umask...
20:46> Checking for listening processes...
20:46> Checking SSHD's configuration...
20:46> Checking the printers control file...
20:46> Checking ftpusers configuration...
20:46> Checking NTP configuration...
20:46> Waiting for filesystems scans to complete...
20:46> Filesystems scans completed...
20:46> Performing check of embedded pathnames...
20:47> Security report completed for simon.
Security report is in `/var/log/tiger/security.report.simon.170809-20:42'.

My Output.

sudo nano /var/log/tiger/security.report.username.170809-18:42

Security scripts *** 3.2.3, 2008.09.10.09.30 ***
Wed Aug  9 18:42:24 AEST 2017
20:42> Beginning security report for username (x86_64 Linux 4.4.0-89-generic).

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (bob) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass012w] Home directory /nonexistent exists multiple times (3) in
         /etc/passwd.
--WARN-- [pass012w] Home directory /run/systemd exists multiple times (2) in
         /etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck
         -r).

# Performing check of group files...

# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID dnsmasq appears to be a dormant account.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not
         accessible.

# Performing check of /etc/hosts.equiv and .rhosts files...

# Checking accounts from /etc/passwd...

# Performing check of .netrc files...

# Checking accounts from /etc/passwd...

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root001w] Remote root login allowed in /etc/ssh/sshd_config

# Performing check of PATH components...
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
# Only checking user 'root'

# Performing check of anonymous FTP...

# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.

# Performing check of `cron' entries...
--WARN-- [cron005w] Use of cron is not restricted

# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service ssmtp is also assigned to service
         urd.
--WARN-- [inet003w] The port for service pipe-server is also assigned to
         service search.

# Performing NFS exports check...

# Performing check of system file permissions...
--ALERT-- [perm023a] /bin/su is setuid to `root'.
--ALERT-- [perm023a] /usr/bin/at is setuid to `daemon'.
--ALERT-- [perm024a] /usr/bin/at is setgid to `daemon'.
--WARN-- [perm001w] The owner of /usr/bin/at should be root (owned by daemon).
--WARN-- [perm002w] The group owner of /usr/bin/at should be root.
--ALERT-- [perm023a] /usr/bin/passwd is setuid to `root'.
--ALERT-- [perm024a] /usr/bin/wall is setgid to `tty'.

# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /bin/ip
# Testing for backdoors in inetd.conf

# Performing check of files in system mail spool...

# Performing check for rookits...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
Possible Linux/Ebury - Operation Windigo installetd

# Performing system specific checks...
# Performing checks for Linux/4...

# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group
         permissions. Should be 0600
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world
         permissions. Should be 0600
--WARN-- [boot06] The Grub bootloader does not have a password configured.

# Checking for vulnerabilities in inittab configuration...

# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS

# Checking Logins not used on the system ...

# Checking network configuration
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
         packets

# Verifying system specific password checks...

# Checking OS release...
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `stretch/sid'

# Checking installed packages vs Debian Security Advisories...

# Checking md5sums of installed files

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.dep' does not
         belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.alias.bin' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.devname' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.softdep' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.alias' does not
         belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.symbols.bin'
         does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.builtin.bin'
         does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.symbols' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.dep.bin' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.dep' does not
         belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.alias.bin' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.devname' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.softdep' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.alias' does not
         belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.symbols.bin'
         does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.builtin.bin'
         does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.symbols' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.dep.bin' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/udev/hwdb.bin' does not belong to any package.

# Performing check of root directory...

# Checking device permissions...
--WARN-- [dev003w] The directory /dev/block resides in a device directory.
--WARN-- [dev003w] The directory /dev/char resides in a device directory.
--WARN-- [dev003w] The directory /dev/cpu resides in a device directory.
--FAIL-- [dev002f] /dev/fuse has world permissions
--WARN-- [dev003w] The directory /dev/hugepages resides in a device directory.
--FAIL-- [dev002f] /dev/kmsg has world permissions
--WARN-- [dev003w] The directory /dev/lightnvm resides in a device directory.
--WARN-- [dev003w] The directory /dev/mqueue resides in a device directory.
--FAIL-- [dev002f] /dev/rfkill has world permissions
--WARN-- [dev003w] The directory /dev/vfio resides in a device directory.

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
--FAIL-- [logf007f] Log file /var/log/messages does not exist

# Checking for correct umask settings for user login shells...
--WARN-- [misc021w] There is no umask definition for the dash shell
--WARN-- [misc021w] There is no umask definition for the bash shell

# Checking symbolic links...

# Performing check of embedded pathnames...
20:47> Security report completed for username.

More on Tripwire here.

Hardening PHP

Hardening PHP config (and backing the PHP config it up), first create an info.php file in your website root folder with this info

<?php
phpinfo()
?>

Now look for what PHP file is loadingPHP Config

Back that your PHP config file

TIP: Delete the file with phpinfo() in it as it is a security risk to leave it there.

TIP: Read the OWASP cheat sheet on using PHP securely here and securing php.ini here.

Some common security changes

file_uploads = On
expose_php = Off
error_reporting = E_ALL
display_errors          = Off
display_startup_errors  = Off
log_errors              = On
error_log = /php_errors.log
ignore_repeated_errors  = Off

Don’t forget to review logs, more config changes here.

Antivirus

Yes, it is a good idea to run antivirus in Ubuntu, here is a good list of antivirus software

I am installing ClamAV as it can be installed on the command line and is open source.

sudo apt-get install clamav

ClamAV help here.

Scan a folder

sudo clamscan --max-filesize=3999M --max-scansize=3999M --exclude-dir=/www/* -i -r /

Setup auto-update antivirus definitions

sudo dpkg-reconfigure clamav-freshclam

I set auto updates 24 times a day (every hour) via daemon updates.

tip: Download manual antivirus update definitions. If you only have a 512MB server your update may fail and you may want to stop fresh claim/php/nginx and mysql before you update to ensure the antivirus definitions update. You can move this to a con job and set this to update at set times over daemon to ensure updates happen.

sudo /etc/init.d/clamav-freshclam stop

sudo service php7.0-fpm stop
sudo /etc/init.d/nginx stop
sudo /etc/init.d/mysql stop

sudo freshclam -v
Current working dir is /var/lib/clamav
Max retries == 5
ClamAV update process started at Tue Aug  8 22:22:02 2017
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1152
Software version from DNS: 0.99.2
Retrieving http://db.au.clamav.net/main.cvd
Trying to download http://db.au.clamav.net/main.cvd (IP: 193.1.193.64)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 4566249 signatures from new main.cvd
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Querying main.58.82.1.0.C101C140.ping.clamav.net
Retrieving http://db.au.clamav.net/daily.cvd
Trying to download http://db.au.clamav.net/daily.cvd (IP: 193.1.193.64)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1742284 signatures from new daily.cvd
daily.cvd updated (version: 23644, sigs: 1742284, f-level: 63, builder: neo)
Querying daily.23644.82.1.0.C101C140.ping.clamav.net
Retrieving http://db.au.clamav.net/bytecode.cvd
Trying to download http://db.au.clamav.net/bytecode.cvd (IP: 193.1.193.64)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
Properly loaded 66 signatures from new bytecode.cvd
bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
Querying bytecode.308.82.1.0.C101C140.ping.clamav.net
Database updated (6308599 signatures) from db.au.clamav.net (IP: 193.1.193.64)

sudo service php7.0-fpm restart
sudo /etc/init.d/nginx restart
sudo /etc/init.d/mysql restart 

sudo /etc/init.d/clamav-freshclam start

Manual scan with a bash script

Create a bash script

mkdir /script
sudo nano /scripts/updateandscanav.sh

# Include contents below.
# Save and quit

chmod +X /scripts/updateandscanav.sh

Bash script contents to update antivirus definitions.

sudo /etc/init.d/clamav-freshclam stop

sudo service php7.0-fpm stop
sudo /etc/init.d/nginx stop
sudo /etc/init.d/mysql stop

sudo freshclam -v

sudo service php7.0-fpm restart
sudo /etc/init.d/nginx restart
sudo /etc/init.d/mysql restart

sudo /etc/init.d/clamav-freshclam start

sudo clamscan --max-filesize=3999M --max-scansize=3999M -v -r /

Edit the crontab to run the script every hour

crontab -e
1 * * * * /bin/bash /scripts/updateandscanav.sh > /dev/null 2>&1

Uninstalling Clam AV

You may need to uninstall Clamav if you don’t have a lot of memory or find updates are too big.

sudo apt-get remove --auto-remove clamav
sudo apt-get purge --auto-remove clamav

Setup Unattended Ubuntu Security updates

sudo apt-get install unattended-upgrades
sudo unattended-upgrades -d

At login, you should receive

0 updates are security updates.

Other

  • Read this awesome guide.
  • install Fail2Ban
  • Do check your log files if you suspect suspicious activity.

Check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.92 added hardening a linux server link

Filed Under: Ads, Advice, Analitics, Analytics, Android, API, App, Apple, Atlassian, AWS, Backup, BitBucket, Blog, Business, Cache, Cloud, Community, Computer, CoronaLabs, Cost, CPI, DB, Development, Digital Ocean, DNS, Domain, Email, Feedback, Firewall, Free, Git, GitHub, GUI, Hosting, Investor, IoT, JIRA, LetsEncrypt, Linux, Malware, Marketing, mobile app, Monatization, Monetization, MongoDB, MySQL, Networking, NGINX, NodeJS, NoSQL, OS, Planning, Project, Project Management, Psychology, push notifications, Raspberry Pi, Redis, Route53, Ruby, Scalability, Scalable, Security, SEO, Server, Share, Software, ssl, Status, Strength, Tech Advice, Terminal, Transfer, Trello, Twitter, Ubuntu, Uncategorized, Video Editing, VLOG, VM, Vultr, Weakness, Web Design, Website, Wordpress Tagged With: antivirus, brute force, Firewall

Primary Sidebar

Poll

What would you like to see more posts about?
Results

Support this Blog

Create your own server today (support me by using these links

Create your own server on UpCloud here ($25 free credit).

Create your own server on Vultr here.

Create your own server on Digital Ocean here ($10 free credit).

Remember you can install the Runcloud server management dashboard here if you need DevOps help.

Advertisement:

Tags

2FA (9) Advice (17) Analytics (9) App (9) Apple (10) AWS (9) Backup (21) Business (8) CDN (8) Cloud (49) Cloudflare (8) Code (8) Development (26) Digital Ocean (13) DNS (11) Domain (27) Firewall (12) Git (7) Hosting (18) HTTPS (6) IoT (9) LetsEncrypt (7) Linux (20) Marketing (11) MySQL (24) NGINX (11) NodeJS (11) OS (10) PHP (13) Scalability (12) Scalable (14) Security (44) SEO (7) Server (26) Software (7) SSH (7) ssl (17) Tech Advice (9) Ubuntu (39) Uncategorized (23) UpCloud (12) VM (44) Vultr (24) Website (14) Wordpress (25)

Disclaimer

Terms And Conditions Of Use All content provided on this "www.fearby.com" blog is for informational purposes only. Views are his own and not his employers. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. Never make changes to a live site without backing it up first.

Advertisement:

Footer

Popular

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Add Google AdWords to your WordPress blog

Security

  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • Setting up DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare
  • Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx
  • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
  • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
  • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
  • Beyond SSL with Content Security Policy, Public Key Pinning etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Run an Ubuntu VM system audit with Lynis
  • Securing Ubuntu in the cloud
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider

Code

  • How to code PHP on your localhost and deploy to the cloud via SFTP with PHPStorm by Jet Brains
  • Useful Java FX Code I use in a project using IntelliJ IDEA and jdk1.8.0_161.jdk
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider
  • How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic
  • Installing Android Studio 3 and creating your first Kotlin Android App
  • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
  • How to use Sublime Text editor locally to edit code files on a remote server via SSH
  • Creating your first Java FX app and using the Gluon Scene Builder in the IntelliJ IDEA IDE
  • Deploying nodejs apps in the background and monitoring them with PM2 from keymetrics.io

Tech

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Is OSX Mojave on a 2014 MacBook Pro slower or faster than High Sierra
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • The case of the overheating Mac Book Pro and Occam’s Razor
  • Useful Linux Terminal Commands
  • Useful OSX Terminal Commands
  • Useful Linux Terminal Commands
  • What is the difference between 2D, 3D, 360 Video, AR, AR2D, AR3D, MR, VR and HR?
  • Application scalability on a budget (my journey)
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.

Wordpress

  • Replacing Google Analytics with Piwik/Matomo for a locally hosted privacy focused open source analytics solution
  • Setting web push notifications in WordPress with OneSignal
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Wordfence Security Plugin for WordPress
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
  • Moving WordPress to a new self managed server away from CPanel
  • Moving WordPress to a new self managed server away from CPanel

General

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Using the WinSCP Client on Windows to transfer files to and from a Linux server over SFTP
  • Connecting to a server via SSH with Putty
  • Setting web push notifications in WordPress with OneSignal
  • Infographic: So you have an idea for an app
  • Restoring lost files on a Windows FAT, FAT32, NTFS or Linux EXT, Linux XFS volume with iRecover from diydatarecovery.nl
  • Building faster web apps with google tools and exceed user expectations
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..

Copyright © 2023 · News Pro on Genesis Framework · WordPress · Log in

Some ads on this site use cookies. You can opt-out if of local analytics tracking by scrolling to the bottom of the front page or any article and clicking "You are not opted out. Click here to opt out.". Accept Reject Read More
GDPR, Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT