Building Professional Web Hosting Solution
<< Securing and Protecting Linux System Course
>> Linux Hardening Rules and IPtables Firewall Section

Security measures are a major part of this Web Hosting Solution. Linux kernel hardening rules are Security Layer 1, applied before the IPtables stateful firewall. In short, hardening the VPS system and network configuration is a mandatory step. The Linux kernel is the core of the OS: it manages every hardware or virtual component (CPU, memory, storage, network), so it is the first place to start.
Objectives:
1. Understanding Linux Kernel Hardening
2. Applying Linux Latest Kernel Updates
3. Applying Linux Kernel Hardening Rules
Prerequisites:
A. Basic Debian and Red Hat System Knowledge
B. Login to your DigitalOcean or Vultr Account
C. Preparing Linux Script Startup Environment
Recommendations:
1. For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.
2. Every public VPS node must have an out-of-band web console (DigitalOcean and Vultr both provide one). Log in to it and keep it open in case you need to stop the firewall. Everything here was tested and should not lock you out or drop your SSH session, but keep the console ready just in case.
Understanding Linux Kernel Hardening
The Linux kernel is the core of every Linux system. Its many tunables let you tighten specific settings to further harden your VPS. This lab focuses on the kernel configuration entries (sysctl keys) that add hardening, and on how to apply and persist them.
Kernel as Layer 1 Security of Defense
System hardening spans many layers: kernel rules, keeping the system updated, detection and prevention, minimizing and removing unneeded services, and so on.
The main goal is to keep unauthorized users out of the system, and layering security controls is the best way to get there. It lets you enforce measures at each layer independently, which makes protection easier to apply and manage.
The Main Goal
Since the target is a Web Hosting Solution, the focus is on protecting the services that run it. After going through the hardening rules you will see what this means: they were picked for a single server that runs the services a Web Hosting Solution needs.
The labs therefore walk through each layer of security measures and show why you need to know what to secure and why. For this VPS the first layer is kernel rules, the second a stateful firewall, the third intrusion detection and prevention, the fourth auditing, and so on.
Applying Linux Latest Kernel Updates
Note: First make sure you are running the latest kernel for your release. Do not upgrade to a newer distribution release, just apply updates. If kernel updates are installed, reboot. If the package manager reports that the kernel is already the newest version, no reboot is needed; continue with the steps below.
Debian Based
Run the following steps (1 to 3)
1. Install DKMS (Dynamic Kernel Module Support) and the build tools it needs
apt-get update && apt-get install dkms build-essential
2. Install the Latest Kernel Image and Matching Headers
Install the kernel metapackage for your distribution: it depends on the newest kernel for your release, and a later apt-get upgrade keeps it current. On Ubuntu that is linux-image-generic with linux-headers-generic, on Debian linux-image-amd64 with linux-headers-amd64.
apt-get install linux-image-generic linux-headers-generic   # Ubuntu
apt-get install linux-image-amd64 linux-headers-amd64       # Debian
Note: linux-image-$(uname -r) names the kernel you are running right now, so installing it only reinstalls the current version and never brings in a newer one.
3. Reboot If Kernel Updates Applied
reboot
Red Hat Based
Run the following steps (1 to 6)
1. Import the GPG keys
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
2. Install Updates
yum update
3. Install Development Tools
yum groupinstall 'Development Tools'
4. Install Dynamic Kernel Module Support
On CentOS the dkms package lives in the EPEL repository (yum install epel-release enables it).
yum install dkms gcc make kernel-devel
5. Check for Kernel Updates
yum update kernel kernel-devel
Note: yum install kernel* also matches kernel-debug, kernel-doc and every other package whose name starts with "kernel", which you do not need; updating kernel and kernel-devel is enough and keeps the headers in step with the running kernel.
6. Reboot If Kernel Updates Applied
reboot
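Both update procedures end with "reboot if a kernel update was applied", which means comparing the kernel you are running with the newest one installed. The script below is an added example, not part of the original lab: it does that comparison on Debian/Ubuntu (via dpkg) and Red Hat/CentOS (via rpm). The function names and the file name kernel-reboot-check.sh are my own choices.

```bash
#!/bin/bash
# Added example (not part of the original lab): decide whether a reboot is
# needed after the kernel update steps above, by comparing the running kernel
# (uname -r) with the newest kernel package installed. Works on Debian/Ubuntu
# (dpkg) and Red Hat/CentOS (rpm); elsewhere the installed list is empty.

# Print the highest version from a list of kernel version strings on stdin.
# GNU sort -V orders 4.15.0-22 after 4.15.0-9; a plain text sort would not.
newest_kernel() {
    sort -V | tail -n 1
}

# Usage: needs_reboot RUNNING INSTALLED...
# Returns 0 (true) when a kernel newer than RUNNING is installed, 1 otherwise.
# RUNNING is included in the candidate list, so an empty or older installed
# list never asks for a reboot.
needs_reboot() {
    local running="$1"; shift
    local newest
    newest=$(printf '%s\n' "$running" "$@" | newest_kernel)
    [ "$newest" != "$running" ]
}

# List installed kernel versions in the same format uname -r prints.
installed_kernels() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # Debian/Ubuntu: linux-image-4.15.0-22-generic -> 4.15.0-22-generic
        dpkg-query -W -f='${Package} ${Status}\n' 'linux-image-[0-9]*' 2>/dev/null \
            | awk '$NF == "installed" { sub(/^linux-image-/, "", $1); print $1 }'
    elif command -v rpm >/dev/null 2>&1; then
        # RHEL/CentOS: 3.10.0-862.el7.x86_64
        rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null
    fi
}

# Report for the current host. Run with: ./kernel-reboot-check.sh report
report() {
    local running
    running=$(uname -r)
    if needs_reboot "$running" $(installed_kernels); then
        echo "reboot needed: running $running, newest installed $(installed_kernels | newest_kernel)"
    else
        echo "no reboot needed: $running is the newest installed kernel"
    fi
}

if [ "${1:-}" = "report" ]; then report; fi
```

Run it as ./kernel-reboot-check.sh report right after the update step; it says nothing about pending userspace updates, only about the kernel.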
Applying Linux Kernel Hardening Rules
The three best-known ways to apply kernel rules:
- Method 1: straight at the command line with sysctl -w. The rule takes effect immediately but is lost on reboot.
- Method 2: edit /etc/sysctl.conf (or a drop-in file under /etc/sysctl.d/). Saved rules are loaded at boot and can be reloaded with a single command.
- Method 3: apply the rules from a script at startup. Flexible, since it can run before or after other scripts (such as the firewall).
Understanding Kernel Rules ON/OFF Switch
### Rules ON/OFF Switch Values ###
# 0 (zero) -> Rule Disabled / OFF
# 1 (one)  -> Rule Enabled / ON
Not every key is a plain switch: some take larger integers (kernel.randomize_va_space = 2) and some take several values (net.ipv4.ip_local_port_range = 2000 65000), so check what a key means before changing it.
I will show all three methods. For instance, to make the VPS ignore ping on every interface, use the rule that tells the kernel to ignore ICMP echo requests.
Method1: Straight at the command line
Run the following steps (1 to 3)
If you have worked on Cisco routers or switches, applying kernel rules at the command line feels like Cisco config mode: the change takes effect the moment you press Enter.
1. First, view the Kernel Rule value
sysctl net.ipv4.icmp_echo_ignore_all
The default value output should carry 0 value as shown below:
net.ipv4.icmp_echo_ignore_all = 0
2. Apply Ping Ignore Rule using 1 value
Before you apply it, ping your VPS and confirm it answers. Then apply the rule and ping again.
TIP: On Windows, open cmd and type ping YOUR-VPS-IP-ADDRESS -t; the -t switch keeps the ping running continuously.
sysctl -w net.ipv4.icmp_echo_ignore_all=1
In my Windows cmd window I got "Request timed out" the moment I applied the rule.
3. Disable the Rule using 0 value
sysctl -w net.ipv4.icmp_echo_ignore_all=0
Ping your VPS again; a "Reply from…" line shows that ping is going through. That is Method 1. Its drawback is that the setting lives only in the running kernel: if the VPS reboots, the rule is gone. Method 2 shows how to save custom kernel rules so they survive a reboot.
Note: Method 1 gives you no way to save the rules. Use Method 2 to store them in a configuration file, or Method 3 to run them from a script every time the VPS boots.
Method2: Edit /etc/sysctl.conf file
sysctl.conf is the default file for saving kernel rules. It is not a script: it is a plain key = value configuration file that sysctl reads, and the init system (systemd-sysctl on systemd distributions, the procps init script on older ones) loads it at boot together with any *.conf files under /etc/sysctl.d/. A single key can carry several values, for example net.ipv4.ip_local_port_range = 2000 65000.
Run the following steps (1 to 3)
Assuming you tested Ping ignore rule and you ready to add it to sysctl.conf file:
1. Edit sysctl.conf file
nano /etc/sysctl.conf
2. Add Pinging Ignore Rule
Add it to the end of the file.
# Disable Globally Ping Response from Public or Private Networks.
net.ipv4.icmp_echo_ignore_all = 1
Save: Ctrl-X, Hit Y Key, and Enter
3. Apply The Rules
sysctl -p /etc/sysctl.conf
sysctl prints each rule as it applies it. On a distribution that also ships drop-ins under /etc/sysctl.d/, run sysctl --system instead to reload all of them in the same order the boot process uses.
Method3: Apply Rules as Script at the startup
I prefer Method 3 since it lets me run the rules before or after another script.
TIP: for keys that take several values I use the echo command inside the script to write to the matching /proc/sys entry; sysctl -w also works as long as the multi-value string is quoted. You will see echo used wherever a key needs more than one value.
Run the following steps (1 to 7)
1. Create IPtables Workspace Folder
Note: please keep the directory name iptables since all scripts will point to this directory.
mkdir -p /etc/network/iptables
2. Create a kernel-hardening-rules.sh Script
nano /etc/network/iptables/kernel-hardening-rules.sh
Click the linked Kernel Rules Script, select all, copy, and paste its content into the newly created kernel-hardening-rules.sh editor window.
I recommend reading the Kernel Rules Script to further understand its functions.
Save: Ctrl-X, Hit Y Key, and Enter
3. Apply Execution Permission
chmod +x /etc/network/iptables/kernel-hardening-rules.sh
4. Allow Only Root Access to Scripts
chmod -R 700 /etc/network/iptables
5. Apply Kernel Hardening Rules
/etc/network/iptables/kernel-hardening-rules.sh
It applies cleanly on a KVM VPS. On OpenVZ the container shares the host kernel and many /proc/sys keys are read-only or absent, so if you see errors there contact your OpenVZ provider.
Expected output:
kernel.msgmnb = 65535
kernel.msgmax = 65535
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
kernel.kptr_restrict = 1
net.ipv4.icmp_echo_ignore_all = 0
sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose: No such file or directory
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_fin_timeout = 7
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv4.icmp_echo_ignore_all = 0
Note: the cannot stat error comes from the older key name net.ipv4.netfilter.ip_conntrack_tcp_loose; Ubuntu and CentOS expose the same setting as net.netfilter.nf_conntrack_tcp_loose, so you can ignore the error on those systems. The next output line shows the rule applied successfully under the nf_conntrack_tcp_loose name. That key only exists once the nf_conntrack module is loaded (the first conntrack-based iptables rule loads it), so the script may also report it missing on a freshly booted host before the firewall runs. Likewise, net.ipv4.conf.eth0.rp_filter assumes the public interface is called eth0; if your VPS names it differently (ens3, enp0s3), adjust the script, or rely on the conf.all and conf.default entries, which cover every interface.
6. Add Kernels Hardening Rules to Startup
Add the kernel hardening script path to the end of the custom-scripts.sh file.
Edit custom-scripts.sh file
nano /etc/init.d/custom-scripts.sh
It should look like this:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          custom-scripts
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: custom-scripts
# Description:       Applying Customized Startup Scripts
### END INIT INFO

echo
echo "Applying Customized Startup Scripts..."
echo

#################################################
# Write down your script's path below

# Kernel Hardening Rules
/etc/network/iptables/kernel-hardening-rules.sh
Save: Ctrl-X, Hit Y Key, and Enter
7. Edit sysctl.conf Kernel Rules
Since the kernel hardening rules now come from a script (Method 3), disable any enabled kernel rules inside sysctl.conf so that the script is the only place a value is set and nothing silently duplicates or overrides it. Go through the file slowly, look for active rules, and comment each one out with a hash sign. DigitalOcean and Vultr images may ship recommended rules; disable those the same way. On distributions with an /etc/sysctl.d/ directory, check the *.conf files there too, because they are loaded at boot just like sysctl.conf.
nano /etc/sysctl.conf
E.g. the following rules are disabled with the hash (#) sign:
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
Save: Ctrl-X, Hit Y Key, and Enter
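Whichever method you persist the rules with, the thing worth checking after the next reboot is whether every rule actually took effect. The script below is an added example, not part of the original lab or its Kernel Rules Script: it reads a rules file in the same key = value format as sysctl.conf, asks the kernel for each key, and reports every mismatch or missing key. The function names, the fake reader, the sample rules and the file name audit-kernel-rules.sh are constructed for this example.

```bash
#!/bin/bash
# Added example (not part of the original lab): audit a kernel rules file
# against the live kernel, so that after a reboot you can confirm the Method 3
# startup script (or the Method 2 sysctl.conf) really applied every rule.
#
# The rules file uses the same "key = value" lines as /etc/sysctl.conf;
# comments and blank lines are ignored. Multi-value keys such as
# net.ipv4.ip_local_port_range are compared after whitespace normalisation,
# because sysctl -n prints them tab-separated.

# Collapse runs of whitespace to one space and trim, so that
# "2000 65000" and "2000<TAB>65000" compare equal.
norm() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Default reader: the live value of a key, or nothing if the key does not
# exist (for example net.netfilter.* keys before nf_conntrack is loaded).
live_value() {
    sysctl -n "$1" 2>/dev/null
}

# Usage: audit_rules RULES_FILE [READER]
# READER is a command that prints the current value of a key (default live_value).
# Prints one line per mismatch, "key: expected X, got Y" (Y is <missing> when
# the key does not exist), and returns 0 only when every rule matches.
audit_rules() {
    local file="$1" reader="${2:-live_value}"
    local line key expected actual mismatches=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                       # drop comments
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(norm "${line%%=*}")
        expected=$(norm "${line#*=}")
        actual=$(norm "$("$reader" "$key")")
        if [ -z "$actual" ]; then
            echo "$key: expected $expected, got <missing>"
            mismatches=$((mismatches + 1))
        elif [ "$actual" != "$expected" ]; then
            echo "$key: expected $expected, got $actual"
            mismatches=$((mismatches + 1))
        fi
    done < "$file"
    [ "$mismatches" -eq 0 ]
}

# Constructed sample rules: a subset of the hardening script's output above.
write_sample_rules() {
    cat > "$1" <<'EOF'
# Disable Globally Ping Response from Public or Private Networks.
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 2000 65000
EOF
}

# Constructed fake reader standing in for a kernel where the ping rule was
# never applied and forwarding was left on; it fails for any unknown key,
# like sysctl -n does for a missing /proc/sys entry.
fake_reader() {
    case "$1" in
        net.ipv4.icmp_echo_ignore_all) echo 0 ;;
        net.ipv4.ip_forward)           echo 1 ;;
        net.ipv4.tcp_syncookies)       echo 1 ;;
        net.ipv4.ip_local_port_range)  printf '2000\t65000\n' ;;
        *) return 1 ;;
    esac
}

# Offline demo against the fake kernel: reports two mismatches and returns 1.
demo() {
    local rules rc
    rules=$(mktemp)
    write_sample_rules "$rules"
    if audit_rules "$rules" fake_reader; then rc=0; else rc=1; fi
    rm -f "$rules"
    return "$rc"
}

# ./audit-kernel-rules.sh demo               -> offline demo with the fake kernel
# ./audit-kernel-rules.sh /etc/sysctl.conf   -> audit the real kernel
case "${1:-}" in
    demo) demo ;;
    "")   ;;
    *)    audit_rules "$1" ;;
esac
```

Point it at the rules you persisted (the Method 2 sysctl.conf, or a key = value copy of what the Method 3 script sets) and run it after the reboot; a non-zero exit with a "got <missing>" line usually means the key belongs to a module that was not loaded yet when the startup script ran.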
thank you!