Hardening Ubuntu 12.04 LTS on Linode
In reference to this article below I was wondering if there would be any problems with enabling any/several of the following security measures. I am on a single LEMP (Ubuntu/NGINX) linode deployed for serving only wordpress sites.
1) Do I need to bother with shared memory protection? Does it have a performance issues if enabled?
2) Have any of you tried SELinux - Apparmor (#17)? does it interfere with kernels maintained by Linode?
3) What is your recommendation/opinion or anything about:,
a) hardening sysctl - i really have no idea what these do(#5) and if any conflict with Linode network
b) Disabling Open DNS recursion (#6)
c) Prevent IP Spoofing (#7),
d) Harding PHP (#8) and restricting Apache Info leakage (#9). I don't run Apache. I use Fast CGI but can still get php info.
e) ModSecurity #10
f) Auditing with Tiger (#18). Overkill/Conflict if OSSEC installed?
I realize you may only have answers to one or a few of these so anything you can add would be helpful.. Thank you.
About my server:
1) I have OSSEC installed and it seems to work well. I don't know how to manipulate OSSEC to my needs. Just learned to add the wordpress/nginx logs to it. I am NOT happy with the tons of iptables denied 1002 errors I received but learned its better to leave level 2 errors on in case anything else is going on. In the end I feel its not enough because I don't know how to control it and apparently it has no response or even knowledge of iptables denied errors just reports it every freaking 5 minutes. Plus it has a static 600s timeout. That is all. I am guessing OSSEC needs a backup security in place anyways. To that end I have looked at and/or even attempted installing snort, psad, deny hosts, RKHunter, and fail2ban but the installation process/configuration/maintenance of those scare me and it is hard to find answers on their integration with OSSEC or if anyone has even tried (I guess not).
2) root login is disabled
3) authentication keys are enabled //ordinary password login turned off
4) ssh port is not the default 22 and under 1024.
5) my firewall has all ports "closed" or filtered" so only 2 remain open to the www 80 and my SSH port.
6) su is limited only to the admin group
7) sushosin is installed.
8) NGINX has some protections htpassword enabled for wp-admin
9) Apache doesn't run in my set up. Fast-CGI is used.
10) mail handled by Google Apps. Postfix hands it off.
3 Replies
1) Yes, you should do the shared memory protection. It shouldn't make any performance difference.
2) I don't know SELinux or Apparmor, but I don't think Apparmor will interfere with any Linode built kernels. It could be a bigger PITA than you might like.
a) Those sysctl recommendations are fine and they definitely won't hurt you or interfere with Linode network. I've made those changes on my Linodes (as well as other changes to default system settings) and have no problems.
b) You should do this if you run bind. Other DNS servers may be able to handle recursion properly but you should verify. Personally I just use the Linode DNS for some of my domains and AWS Route 53 for others depending on the needs of the domain. It's just a lot easier than running your own DNS.
d) Can't really help with #8 because my approach to PHP security is "burn it with fire"
server_tokens off;
although this just removes the nginx version number. If you want to go a step further you need to build Nginx from source and either remove the server header before building or use the "headers-more" module that lets you do things like:
more_set_headers 'Server: Unknown';
e) This is probably a good idea if you are running Wordpress and especially if you load a bunch of third-party WP plugins. The Nginx equivalent is naxsi
f) I don't know Tiger, but it looks like overkill with OSSEC.
About your server:
1) OSSEC is good. Snort and PSAD are probably only needed if you have a high threat model (such as bitcoin wallet on your linode or something like that). If you can figure out how to install and configure them you shouldn't need denyhosts or fail2ban. RKHunter can't hurt and won't conflict with OSSEC. I use chkrootkit myself but forget why vs. rkhunter… I think I just liked it's interaction with cron better. As for the "iptables denied" reports you should be able to fix that with your firewall rules, i.e. don't LOG denied packets … just go right to DROP.
2) Good. I also like to add google-authentication to PAM to try and add another layer of defense for someone trying to login as root via LISH.
3 & 4) Good.
5) Shouldn't you have port 443 open as well?
6 & 7) Good.
8 ) Behind https right?
9) My understanding is if you are running PHP behind Nginx that php5-fpm is preferred over fastcgi.
10) I presume this is just for small amounts of admin type mail like those coming from OSSEC?
Thank you so much for responding. I find your commentary and feedback on my questions incredibly helpful. I was also just about to re-configure Nginx so thanks for those tips also.
As far as your comments and questions on my server set go:
" ..If you can figure out how to install and configure them you shouldn't need denyhosts or fail2ban.."
I used vpsbible.com to set up the server 2 years ago and have slowly been learning the ropes as you might have guessed. I just discovered today that the vpsbible site was just refreshed and includes new tutorials on getting snort and other security measures set up so I'm looking forward to that.
"Good. I also like to add google-authentication to PAM to try and add another layer of defense for someone trying to login as root via LISH."
Google/2 Factor Authentication to PAM sounds cool. I didn't know anyone else except the linode user could access lish for my server like that. I have 2-factor enabled on my linode account and thought that took care of everything, so I will look into that.
"Shouldn't you have port 443 open as well?"
I guess port 443 is working, as I haven't had any problems with it. An nmap scan from hackertarget.com says its "443/tcp closed https" and is the only other port mentioned other than 80 and my SSH port. All others HT says are either closed or filtered.
"Behind https right?"
None of my wordpress sites are https. So wouldn't configuring wp-admin as a https make the whole wordpress site resolve to https? As it stands now if you tried to visit wp-admin on my wordpress sites, the browser would ask you for the server htpassword username/password before you could even try to logging into wordpress.
By coincidence, I tried to uncomment out the htpassword protection for wp-admin yesterday since so many people/bots are trying to log into or bruteforce some of my sites. It would make me feel a lot better if my wordpress plugin (Wordfence) could catch them and put them on the 2 month login timeout I have set up rather than OSSEC catching them first and putting them on a measly 600s time out. My sites still ask for the htpasswd however, not sure why. Here is my "global restrictions" file for NGINX in case you are wondering. It is used as an include on all the vHost files. I got some of these tips from
########################################
###Global Restrictions Configuration File ###
############################################
# Designed to be included in any server {} block.
location = /favicon.ico {
log_not_found off;
access_log off;
}
#Turn off logging of robots.txt
#HOLD OF ON UNCOMMENTING, DO I WANT THIS?
#location = /robots.txt {
#allow all;
#log_not_found off;
#access_log off;
#}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Deny access to any files with a .php extension in the uploads directory
location ~* ^/wp-content/uploads/.*.php$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to any files with a .php extension in the uploads directory for multisite
location ~* /files/(.*).php$ {
deny all;
access_log off;
log_not_found off;
}
####################################################
###### DIRECTIVES ABOVE FROM NGINX WORDPRESS CODEX ##########
## OTHER DIRECTIVES BELOW I FOUND ELSEWHERE ON THE INTERNETS##
####################################################
#Forbid Access to All Subversion Files and Folders
location ~ /\.svn/* {
deny all;
}
#Password Protect The WordPress Admin Folder
#location ^~ /wp-admin{
# auth_basic "Restricted Access";
# auth_basic_user_file /usr/local/nginx/.htpasswd;
#}
#Password Protect The Ossec Wui Folder
location ^~ /ossec-wui{
auth_basic "Restricted Access";
auth_basic_user_file /usr/local/nginx/.htpasswd;
}
#Prevent access to any files starting with a $ (usually temp files)
location ~ ~$ { access_log off; log_not_found off; deny all; }
#Common deny or internal locations, to help prevent access to areas of
#the site that should not be public
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
###DO NOT UNCOMMENT - WORKING ON
###THE TWO DIRECTIVES BELOW BLOCK NORMAL IMAGES SHOWING IN BROWSER
## location /wp-content/ { internal; }
##location /wp-includes/ { internal; }
#Redirect server error pages to my customized static page
error_page 403 /error403.html;
location = /error403.html {
root html;
}
"My understanding is if you are running PHP behind Nginx that php5-fpm is preferred over fastcgi."
You are right, I am running php5-fpm. I was getting PHP5 and FastCGI confused. I had to look at the php info tab on one my wordpress sites to be sure. I haven't messed with PHP really or tried learning more about it yet. I was recently getting a ton of errors regarding "fast cgi sent in stderr," so not sure why it references fast-cgi. Regardless, after some research I found it may have been related to an APC bug so I uninstalled it and the errors disappeared. I haven't replaced or tried installing another caching system since. I figure once I get to the point of having major traffic on one my wordpress sites I might be earning enough to just go managed and not have to deal with any of this stuff again. It's been an adventure running my own server for sure but only to save money on having decently performing wordpress sites.
"I presume this is just for small amounts of admin type mail like those coming from OSSEC?" "As for the "iptables denied" reports you should be able to fix that with your firewall rules, i.e. don't LOG denied packets … just go right to DROP."
Yes, postfix is set up for the few programs that need to send me mail which includes any live wordpress site contact form submissions, logwatch, logrotate, and OSSECs 200+ emails daily.. not small amounts by any means haha. So thanks for the tip on turning off logging for IPtables denied errors. Not sure why the vpsbible guide had them set to on. Installing OSSEC was my idea so turning iptables denied errors off is a simple solution that I will definitely be taking advantage of.
Thanks again!
However, as the Linode docs show, there is a special ssh path into LISH – that will bypass 2FA built into your pam-ssh setup. The only way to harden LISH via this path is to set Keys only (no password) under the profile settings. Otherwise, if a password is permiitted, then someone needs your password into LISH, then another (or the same if that's your habit) password into an account that accepts ssh (again, 2FA if you have it set up with ssh will be bypassed).
Just try all this and see the results.