Hardening your Servers

Hardening servers is mandatory: a fresh install gets 60-65 points, not 100. The obvious steps are to update and upgrade the software and to install security hardening tools such as firewalls, fail2ban, ClamAV and LMD. But many small things also need to be thought of, so the first task is to make a plan, which we call an IT Security Strategy. In the blog post Security Audit I discussed how to do an SSA to validate your security.

General thoughts on Hardening Servers

There are some really good guides on this subject on the web. I recommend you read a few of them and then argue with yourself about what you want to do. Below is a short list of things to do.
I will return to this in the next part of the series.

  • Don't use passwords. If you do, use long and complicated ones.
  • Use a different password for everything
  • Use a good password manager like Bitwarden
  • Don't run as root - create superusers
  • Block root login on SSH
  • Use keys and tokens
  • Use 2FA as a minimum - even for the intranet
  • Don't open ports if you can avoid it
  • Encrypt all communication
  • Don't run old software or firmware
  • Kill unnecessary processes and servers
  • Pay attention to network security
  • Treat the intranet as the web - prepare for an intrusion
  • Use VPN tunnels
  • Use firewalls - not the ISP junk but a real one
  • Add malware and virus protection to your servers
  • Hard drive encryption and partitioning
  • Do SSAs frequently
  • Read security blogs


Installing Linux Malware Detect (LMD)

This is a quick guide on how to do it. Please refer to the GitHub page or read more on the Wikipedia page.

Why? Can Linux get attacked by malware? The answer is always yes. The question is not if, but when.

LMD can be used on Linux systems to scan for, detect and remove malware, and it can also be used as a backdoor scanner. You can run LMD alongside another antivirus such as ClamAV, see later in this post.

Download the tarball

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract the tarball

tar -zxvf maldetect-current.tar.gz

Install LMD

Change into the extracted directory (the version number in its name depends on the current release) and run the install script with sudo.

cd maldetect-1.6.5
sudo ./install.sh

Configure LMD

You need to change the following defaults and include your details by editing the conf.maldet file. It is recommended to make a backup of it first: cp /usr/local/maldetect/conf.maldet /usr/local/maldetect/conf.maldet.orig

Then edit the file and change some of the defaults:

nano /usr/local/maldetect/conf.maldet

# Enable Email Alerting
email_alert="1"

# Email Address in which you want to receive scan reports
email_addr="[email protected]"

# Enable scanning for root-owned files. Set 1 to disable.
scan_ignore_root="0"

# Move threats to quarantine
quarantine_hits="1"

# Clean string based malware injections
quarantine_clean="1"

# Suspend the owning user if malware is found
quarantine_suspend_user="1"

# Minimum user ID that can be suspended
quarantine_suspend_user_minuid="500"
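The same settings applied with sed rather than by hand in nano, as an added example that is not from the post: it backs the file up once, rewrites existing (even commented-out) keys in place and appends the ones that are missing. The temp-dir path, the e-mail address and the sample conf contents are constructed for the demo; the real file is /usr/local/maldetect/conf.maldet.

```shell
#!/bin/bash
# Added example, not part of the post: apply the conf.maldet settings above with
# sed instead of hand-editing, so the change is repeatable on every node.
# Assumes the key="value" line format conf.maldet uses; the real file lives at
# /usr/local/maldetect/conf.maldet, the demo below works on a constructed copy.

# set_maldet_option FILE KEY VALUE: rewrite an existing (possibly commented-out)
# KEY= line in place, or append the key if the file has none.
set_maldet_option() {
  local file="$1" key="$2" value="$3"
  case "$value" in *'"'*|*'|'*|*'&'*) echo "unsafe value for $key" >&2; return 1 ;; esac
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}=" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}=.*|${key}=\"${value}\"|" "$file"
  else
    printf '%s="%s"\n' "$key" "$value" >> "$file"
  fi
}

# get_maldet_option FILE KEY: print the effective (uncommented) value of KEY
get_maldet_option() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n1 | sed -E 's/^[^=]*="?([^"]*)"?.*/\1/'
}

# harden_maldet_conf FILE EMAIL: back the file up once (as the post recommends),
# then apply the settings from this post: alerting, quarantine, user suspension.
harden_maldet_conf() {
  local file="$1" email="$2"
  [ -f "$file.orig" ] || cp "$file" "$file.orig"
  set_maldet_option "$file" email_alert 1
  set_maldet_option "$file" email_addr "$email"
  set_maldet_option "$file" scan_ignore_root 0
  set_maldet_option "$file" quarantine_hits 1
  set_maldet_option "$file" quarantine_clean 1
  set_maldet_option "$file" quarantine_suspend_user 1
  set_maldet_option "$file" quarantine_suspend_user_minuid 500
}

# demo_conf: constructed sample conf in a temp dir; prints the path of the
# hardened copy so the result can be inspected.
demo_conf() {
  local d; d=$(mktemp -d)
  printf '%s\n' '# constructed sample of conf.maldet' 'email_alert="0"' \
    '#email_addr="you@domain.com"' 'quarantine_hits="0"' > "$d/conf.maldet"
  harden_maldet_conf "$d/conf.maldet" "admin@example.org"
  echo "$d/conf.maldet"
}
```

Run harden_maldet_conf against the real path as root once the dry run looks right; a second run is a no-op apart from re-applying the same values.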

Start using LMD

Scan the users' home directories: maldet -a /home

Scan any other path on the system: sudo maldet -a /path/to/home

Create a scan report from a scan ID: sudo maldet --report 230517-1701.32923

Updates

Check for updates: sudo maldet -u

Update LMD itself: sudo maldet -d

Other commands

Run the LMD daemon in the background: sudo maldet -b -r /home/username/

Make an index of scanned and affected files: sudo maldet -e list

Print the log file: sudo maldet -l

For more commands and the user guide, check the LMD help index from the terminal: lmd --help

You need to set up Postfix for email alerts. See how I did it for Proxmox in the blog post Start using Proxmox.


-

Installing ClamAV

This is a quick guide on how to do it. Please refer to the homepage and the Wikipedia page.

ClamAV is not installed by default on servers (Debian/Ubuntu or Proxmox nodes); you need to add it manually.

Start install

sudo apt-get install clamav clamav-daemon mailutils -y

After the installation, stop the daemon and update the ClamAV database manually.

sudo systemctl stop clamav-freshclam
sudo freshclam

Download the database signature file

When freshclam completes, download the latest database signature file with wget or curl.

sudo wget -P /var/lib/clamav https://database.clamav.net/daily.cvd

Or as a two-step process:

sudo wget https://database.clamav.net/daily.cvd
sudo cp daily.cvd /var/lib/clamav/

Re-start the freshclam daemon

sudo systemctl start clamav-freshclam

How to set ClamAV to scan automatically

Create the file clamscan_daily.sh with the details it needs: DIRTOSCAN (the directory to scan) and the sender and receiver of the email alerts. For this example we only scan /var/www/html. You need to define a strategy per server, and also for the nodes and some of the VMs/CTs.

sudo nano /usr/local/bin/clamscan_daily.sh

#!/bin/bash
# Daily ClamAV scan; mails the log when the scan summary reports infected files
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached"
EMAIL_FROM="[email protected]"
EMAIL_TO="[email protected]"
DIRTOSCAN="/var/www/html"

for S in ${DIRTOSCAN}; do
    DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)
    echo "Starting scan of $S directory. Directory size: $DIRSIZE."
    # -r recurse, -i list infected files only, --remove deletes infected files
    clamscan -ri --remove --detect-pua=yes "$S" >> "$LOGFILE"
    # optional: purge scan logs older than 30 days
    #find /var/log/clamav/ -type f -mtime +30 -exec rm {} \;
    # "Infected files: N" comes from the scan summary at the end of the log
    MALWARE=$(tail "$LOGFILE" | grep "Infected files" | cut -d" " -f3)

    if [ "${MALWARE:-0}" -ne 0 ]; then
        # GNU mailutils (installed above): -A attaches a file, -r sets the sender
        echo "$EMAIL_MSG" | mail -A "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
    fi
done

exit 0
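An added example, not from the post or the script above, for the one fragile step in it (tail|grep|cut): it reads the "Infected files" count out of the SCAN SUMMARY that clamscan appends to the log, lists the flagged paths for the mail body, and treats a log without any summary (an aborted scan) as something to alert on rather than as "0 infected". The three sample logs are constructed, not real clamscan output.

```shell
#!/bin/bash
# Added example, not part of the post: read the result out of the SCAN SUMMARY
# block clamscan appends to $LOGFILE, instead of tail|grep|cut. An aborted scan
# (no summary written, e.g. the process was killed) then counts as an alert,
# not as "0 infected". Sample logs below are constructed, not real output.

# infected_count LOGFILE: print the "Infected files" count of the last summary
# in the file; return 2 when the file has no summary at all.
infected_count() {
  local n
  n=$(grep -E '^Infected files: [0-9]+' "$1" | tail -n1 | awk '{print $3}')
  [ -n "$n" ] || return 2
  printf '%s\n' "$n"
}

# found_files LOGFILE: the paths clamscan flagged ("<path>: <signature> FOUND")
found_files() {
  grep -E ' FOUND$' "$1" | sed -E 's/: [^ ]+ FOUND$//' | sort -u
}

# should_alert LOGFILE: print the reason and return 0 when mail should go out
should_alert() {
  local n
  if ! n=$(infected_count "$1"); then
    echo "scan incomplete: no summary in $1"
    return 0
  fi
  if [ "$n" -gt 0 ]; then
    echo "malware found: $n file(s)"
    return 0
  fi
  echo "clean"
  return 1
}

# make_sample_logs: write three constructed logs to a temp dir and print its path
make_sample_logs() {
  local d; d=$(mktemp -d)
  printf '%s\n' '----------- SCAN SUMMARY -----------' 'Scanned files: 120' \
    'Infected files: 0' > "$d/clean.log"
  printf '%s\n' '/var/www/html/shell.php: Example.Test.Signature FOUND' \
    '----------- SCAN SUMMARY -----------' 'Scanned files: 120' \
    'Infected files: 1' > "$d/hit.log"
  : > "$d/aborted.log"   # scan died before the summary was written
  echo "$d"
}
```

In the daily script, replace the MALWARE line with a call to should_alert "$LOGFILE" and feed found_files "$LOGFILE" into the mail body.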

Set crontab for automatic execution

  • Make the script executable:
    sudo chmod u+x /usr/local/bin/clamscan_daily.sh
  • Open the root crontab: sudo crontab -e
  • At the bottom, add this line to run the scan every day at 1 am:
    1 1 * * * /usr/local/bin/clamscan_daily.sh > /dev/null 2>&1
  • Save and close the file.

At this point, ClamAV will automatically scan the /var/www/html directory for malicious files and alert you if it finds anything.

Manual Alerts

If your server isn't set up to send out emails, you will need to view the generated log file manually: less /var/log/clamav/clamav-DATE.log, where DATE is the date stamp of the file you need to view. Make sure you routinely check the ClamAV log files.

Automatic Alerts by eMail

For automatic email alerts you need to set up Postfix correctly.
See how I did it for Proxmox in the blog post Start using Proxmox.


Final words

Hardening is a very wide and deep process in IT. It moves, changes and evolves daily - stay alert.
Today I addressed some parts of it.
In the next part I will continue with even more things you should do.


References

Lynis auditing system [1], installing the Community version [2], Lynis on GitHub [3]
Kali Linux [4] is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security.
Multi-factor authentication (MFA), including two-factor authentication (2FA), is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data, which may include personal identification or financial assets, from being accessed by an unauthorized third party that may have been able to discover, for example, a single password. [5]
Check Rootkit (chkrootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures and for comparing a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies. [6]
Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable due to its inclusion in popular operating systems (Fedora, Debian, etc.). [7]
Clam AntiVirus [8] (ClamAV) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses.
Other host-based intrusion detection systems, a comparison [9]; computer security on Wikipedia [10]
Hardening Servers series [11]


  1. Cisofy, the Lynis home page

  2. Install the Community version page, and this page

  3. Lynis on GitHub; Lynis Development Guide for Lynis Plugins

  4. Kali Linux on Wikipedia and the home page

  5. Authentication security, see this page

  6. Check Rootkit on Wikipedia and the home page

  7. Rootkit Hunter on Wikipedia and the home page

  8. Clam AntiVirus by Cisco Systems on Wikipedia and the home page

  9. Host-based intrusion detection systems on Wikipedia, and a long list of FOSS packages on this Wikipedia page or this page

  10. Information security on Wikipedia

  11. Security Audit and Hardening post; Hardening your Servers blog; Hardening Servers 3 blog; Proxmox Backup Server blog; Monitoring your Servers blog