Thursday, October 23, 2014

What do I do when I get a new server? A bare-bones simple guide to starting up a secure-enough server.

Let's say I spin up an instance in AWS, or Linode, or install a new OS in a VM at home to be a server of...anything. Each time it's a little bit different, but generally it's Linux, although much of this applies to BSDs as well. This assumes you know how to connect to your machine and have set up a non-root user and a strong password for that account.

Step 1
If I can, encrypt the disk. On AWS this is already the case and they have solid disk-erasing as far as I know (TODO: link to the blog/whitepaper where researchers found a bug and amazon fixed it platform-wide afaik). On Ubuntu this is baked into the install script, which you'll probably have to run yourself since most automated/one-click/prepackaged ones don't do it for you.

Step 2
See what's running on the system and listening on the network and kill anything unnecessary. I run ps -ef (process list), top/htop (resource usage), and netstat -ant (network listeners) to do this. FTP doesn't need to be on; the SSH/SFTP setup in Step 4 makes it unnecessary.

Step 3
UPGRADE ALL THE THINGS!! This should already be done, but sudo apt-get update && sudo apt-get upgrade -y will make sure you have everything up to date on Ubuntu.

Step 4
Once done installing, use SSH as the sole means of communication and disable root logins.
4.1 Disabling root logins:
4.2 Use ssh-copy-id to get your key trusted by the server.
4.3 Test that sftp is configured. This way you have both SCP and SFTP as options for moving large numbers of bits to/from your server.

Step 5
Install fail2ban: http://www.fail2ban.org/wiki/index.php/Main_Page
-- I'm pretty sure this is in Ubuntu and many other Linux package repos by default, so sudo apt-get install fail2ban should work.
5.1 I raise the allowed failed connections from a single IP to 6, up from the default of three, because sometimes I make bad mistakes.

Step 6
Increase audit log retention from Ubuntu's monthly default to a year's worth of audit logs on logins and other helpful stuff.

Step 7
After I'm happy with the server's setup I install google-authenticator for 2 factor authentication by following the short steps I detailed in a previous post here: http://fiascoaverted.blogspot.com/2014/03/configuring-two-factor-authentication.html

At this point you should only need TCP port 22 listening on the network. If you want fewer login attempts cluttering your logs, you can change SSH to listen on an alternate port, like 2222, but this is security through obscurity and only possibly protects you from major stupidity.
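One way to check the end state the steps above aim for (root login over SSH disabled, only TCP 22 listening, fail2ban at 6 retries). This is an added example, not a script from the original post; the function names, the /etc/fail2ban/jail.local location for the retry setting, and the use of the DEFAULT section are assumptions.

```sh
#!/bin/sh
# Added example: audit helpers for the end state described in this post.
# Every helper reads a file or stdin, so it also works on saved samples.

# Print the global value of an sshd_config keyword. sshd honours the FIRST
# occurrence, keywords are case-insensitive, and "Key=value" is accepted.
# Parsing stops at the first Match block (those settings are conditional).
sshd_setting() {    # usage: sshd_setting KEYWORD FILE
    awk -F'[ \t=]+' -v want="$1" '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$2"
}

# Read `netstat -ant` output on stdin and print each listening TCP port
# that is not in the allowed list (default: 22).
unexpected_listeners() {    # usage: netstat -ant | unexpected_listeners [PORT...]
    [ $# -gt 0 ] || set -- 22
    awk -v allowed=" $* " '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            if (index(allowed, " " port " ") == 0) print port
        }' | sort -un
}

# Print maxretry from one [SECTION] of a fail2ban jail file.
fail2ban_maxretry() {    # usage: fail2ban_maxretry SECTION FILE
    awk -F'[ \t]*=[ \t]*' -v sec="[$1]" '
        /^\[/ { in_sec = ($1 == sec) }
        in_sec && $1 == "maxretry" { print $2; exit }
    ' "$2"
}

# Live check. Paths are assumptions: stock OpenSSH config location and a
# jail.local override holding the maxretry value chosen in step 5.1.
audit_server() {
    rc=0
    [ "$(sshd_setting PermitRootLogin /etc/ssh/sshd_config)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    extra=$(netstat -ant | unexpected_listeners 22 | tr '\n' ' ')
    [ -z "$extra" ] || { echo "FAIL: extra listeners: $extra"; rc=1; }
    [ "$(fail2ban_maxretry DEFAULT /etc/fail2ban/jail.local)" = "6" ] ||
        { echo "FAIL: fail2ban maxretry is not 6"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--run" ]; then audit_server; fi
```

Run it with --run on the server itself; sudo sshd -T prints the effective SSH configuration if you also want to see what Match blocks change.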

From here I install whatever the server needs. This post covers how I get to a clean, safe state; from there I start adding/enabling more stuff until the server is ready.

NFSShell

How to build NFSShell on Ubuntu:

wget http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz
# unpack the tarball before changing into the source directory
tar xzf nfsshell.tar.gz
cd nfs/
# comment out lines 25-28 (this disables Solaris-specific compilation)
# uncomment lines 36-38 (this makes it work on Linux)
# not sure if the following command is necessary:
sudo apt-get install libtirpc-dev libncurses-dev
make
./nfs

The line numbers and stuff should Just Work(tm) since this is based off of the nfsshell from 1998.
Most that say they add nfsv3 support are broken and break some nfsv2 according to a friend, so they are not included here.

I should fix this up with a script later and add it to my GitHub.