Configuring and Securing Ubuntu Server
Ubuntu Server Installation
[ OK ]
PACKAGE MANAGEMENT

dpkg
# dpkg -l                  # ---> list the installed packages
# dpkg -L <package>        # ---> list the files installed by a package
# dpkg -S <file>           # ---> show which package a file belongs to
# dpkg -i <file.deb>       # ---> install a .deb package file
# dpkg -r <package>        # ---> remove an installed package

apt-get
# apt-get install <package>   # ---> install a package
# apt-get remove <package>    # ---> remove a package
# apt-get upgrade             # ---> upgrade the packages on the server
# apt-get update              # ---> refresh the package index from the repositories (/etc/apt/sources.list)
the log file is /var/log/dpkg.log
Aptitude: menu-driven package management.
Setting extra repositories (/etc/apt/sources.list), example:
deb http://archive.ubuntu.com/ubuntu natty universe multiverse
deb-src http://archive.ubuntu.com/ubuntu natty universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ natty universe
deb-src http://us.archive.ubuntu.com/ubuntu/ natty universe
deb cdrom:[Ubuntu 11.04 _Natty Narwhal_ - Release i386 (20070419.1)]/ natty main restricted
unattended-upgrades is used to install updates automatically, or only the security updates; to use it:
# sudo apt-get install unattended-upgrades
the configuration is in /etc/apt/apt.conf.d/50unattended-upgrades
(open it and read through its contents)

apticron
This package configures a cron job that notifies the administrator by email when new updates are available. To install apticron, type:
# apt-get install apticron
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apt-listchanges
Suggested packages:
  x-terminal-emulator python-glade2 python-gtk2
The following NEW packages will be installed:
  apt-listchanges apticron
0 upgraded, 2 newly installed, 0 to remove and 153 not upgraded.
Need to get 61.1 kB of archives.
After this operation, 378 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/universe apticron all 1.1.52 [13.9 kB]
Get:2 http://id.archive.ubuntu.com/ubuntu/ precise/main apt-listchanges all 2.85.8ubuntu2 [47.2 kB]
Fetched 61.1 kB in 2s (22.7 kB/s)
Preconfiguring packages ...
Selecting previously unselected package apticron.
(Reading database ... 43303 files and directories currently installed.)
Unpacking apticron (from .../apticron_1.1.52_all.deb) ...
Selecting previously unselected package apt-listchanges.
Unpacking apt-listchanges (from .../apt-listchanges_2.85.8ubuntu2_all.deb) ...
Processing triggers for man-db ...
Setting up apticron (1.1.52) ...

Creating config file /etc/apticron/apticron.conf with new version

Creating config file /etc/cron.d/apticron with new version
Setting up apt-listchanges (2.85.8ubuntu2) ...

Creating config file /etc/apt/listchanges.conf with new version
open /etc/apticron/apticron.conf and replace the email address with your own, e.g.:
EMAIL="[email protected]"
PROCESSES
update-rc.d
# update-rc.d --help
usage: update-rc.d [-n] [-f] <basename> remove
       update-rc.d [-n] <basename> defaults [NN | SS KK]
       update-rc.d [-n] <basename> start|stop NN runlvl [runlvl] [...] .
       update-rc.d [-n] <basename> disable|enable [S|2|3|4|5]
                -n: not really
                -f: force
The disable|enable API is not stable and might change in the future.
# ps ax
# lsof -i tcp
# lsof -i udp
Setting the default runlevel: /etc/init/rc-sysinit.conf, the line:
env DEFAULT_RUNLEVEL=2
note that the scripts loaded at boot in /etc/rc2.d start with the letter S; a disabled script starts with the letter K
NETWORKING
To see the available ethernet interfaces and their MAC addresses:
# ifconfig -a | grep eth
eth0      Link encap:Ethernet  HWaddr 00:50:8d:77:01:8c
or type:
# lshw -class network
PCI (sysfs)
  *-network
       description: Ethernet interface
       product: SiS900 PCI Fast Ethernet
       vendor: Silicon Integrated Systems [SiS]
       physical id: 4
       bus info: pci@0000:00:04.0
       logical name: eth0
       version: 91
       serial: 00:50:8d:77:01:8c
       size: 100Mbit/s
       capacity: 100Mbit/s
       width: 32 bits
       clock: 33MHz
       capabilities: pm bus_master cap_list rom ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
       configuration: autonegotiation=on broadcast=yes driver=sis900 driverversion=v1.08.10 Apr. 2 2006 duplex=full ip=10.11.11.223 latency=32 link=yes maxlatency=11 mingnt=52 multicast=yes port=MII speed=100Mbit/s
       resources: irq:19 ioport:d800(size=256) memory:e1103000-e1103fff memory:30000000-3001ffff
another useful tool is ethtool; to install it, type:
root@server:~# apt-get install ethtool
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ethtool
0 upgraded, 1 newly installed, 0 to remove and 153 not upgraded.
Need to get 91.6 kB of archives.
After this operation, 293 kB of additional disk space will be used.
Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/main ethtool i386 1:3.1-1 [91.6 kB]
Fetched 91.6 kB in 3s (28.4 kB/s)
Selecting previously unselected package ethtool.
(Reading database ... 43330 files and directories currently installed.)
Unpacking ethtool (from .../ethtool_1%3a3.1-1_i386.deb) ...
Processing triggers for man-db ...
Setting up ethtool (1:3.1-1) ...
example usage:
root@server:~# ethtool eth0
Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Link partner advertised link modes:  10baseT/Half 10baseT/Full
                                             100baseT/Half 100baseT/Full
        Link partner advertised pause frame use: Symmetric
        Link partner advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Port: MII
        PHYAD: 9
        Transceiver: internal
        Auto-negotiation: on
        Supports Wake-on: pg
        Wake-on: d
        Current message level: 0x000000c5 (197)
                               drv link rx_err tx_err
        Link detected: yes
among other things, ethtool can be used to configure/lock the ethernet interface at 1000Mbps:
# /usr/sbin/ethtool -s eth0 speed 1000 duplex full
or it can be added to /etc/network/interfaces:
auto eth0
iface eth0 inet static
    pre-up /usr/sbin/ethtool -s eth0 speed 1000 duplex full
IP ADDRESSING
Configure an IP address:
# ifconfig eth0 10.0.0.100 netmask 255.255.255.0
or
# ip address add 10.0.0.100/24 dev eth0
DEFAULT ROUTE:
# route add default gw 10.0.0.1 eth0
or
# ip route add default via 10.0.0.1
show the routing table:
# route -n
atau
# ip route show
flush the IP address configuration:
# ip addr flush dev eth0
set which DNS server to use:
edit /etc/resolv.conf; its contents:
domain domainkita.com             # ---> our domain
search domain.com domain2.com     # ---> domains appended when a host name is not found on its own
nameserver 8.8.8.8                # ---> use the DNS server 8.8.8.8
Request an IP address from a DHCP server:
make sure /etc/network/interfaces contains:
auto eth0
iface eth0 inet dhcp
then bring eth0 down and up again by typing:
# ifdown eth0
# ifup eth0
Static IP address setting:
auto eth0
iface eth0 inet static
    address 10.0.0.100
    netmask 255.255.255.0
    gateway 10.0.0.1
static hostnames:
file /etc/hosts
127.0.0.1   localhost
127.0.1.1   ubuntu-server
10.0.0.11   server1 vpn  s1.contoh.com
10.0.0.12   server2 mail s2.contoh.com
10.0.0.13   server3 www  s3.contoh.com
10.0.0.14   server4 file s4.contoh.com
NAMESERVER SWITCH CONFIGURATION
the file is /etc/nsswitch.conf.
note the line:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
• files: first tries to resolve static hostnames from /etc/hosts.
• mdns4_minimal: resolves names using Multicast DNS.
• [NOTFOUND=return]: if the name has not been found by this point, stop and do not continue looking for an answer.
• dns: legacy unicast DNS query.
• mdns4: Multicast DNS query.
BRIDGING
required package:
bridge-utils
root@server:/etc/network# dpkg -l | grep bridge
ii  bridge-utils   1.5-2ubuntu6       Utilities for configuring the Linux Ethernet bridge
ii  ebtables       2.0.9.2-2ubuntu2   Ethernet bridge frame table administration
then edit /etc/network/interfaces:
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.0.10
    network 192.168.0.0
    netmask 255.255.255.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off
to control the bridge, use brctl:
root@server:/etc/network# brctl --help
Usage: brctl [commands]
commands:
        addbr           <bridge>                add bridge
        delbr           <bridge>                delete bridge
        addif           <bridge> <device>       add interface to bridge
        delif           <bridge> <device>       delete interface from bridge
        hairpin         <bridge> <port> {on|off}        turn hairpin on/off
        setageing       <bridge> <time>         set ageing time
        setbridgeprio   <bridge> <prio>         set bridge priority
        setfd           <bridge> <time>         set bridge forward delay
        sethello        <bridge> <time>         set hello time
        setmaxage       <bridge> <time>         set max message age
        setpathcost     <bridge> <port> <cost>  set path cost
        setportprio     <bridge> <port> <prio>  set port priority
        show            [ <bridge> ]            show a list of bridges
        showmacs        <bridge>                show a list of mac addrs
        showstp         <bridge>                show bridge stp info
        stp             <bridge> {on|off}       turn stp on/off
DHCP SERVER
required package: dhcp3-server
to install:
# apt-get install dhcp3-server
the configuration is in /etc/dhcpd.conf
# Sample /etc/dhcpd.conf
# (add your comments here)
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "domainku.com";
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.100;
    range 192.168.1.150 192.168.1.200;
}
run the dhcp server:
# dhcpd -cf /etc/dhcpd.conf
to set a netbios name server, you can also add the following line:
option netbios-name-servers 192.168.1.1;
NTP SERVER
synchronise the clock against an ntp server:
root@server:/var/run# date
Tue Jan  1 00:00:02 WIT 1980
root@server:/var/run# ntpdate -s ntp.ubuntu.com
root@server:/var/run# date
Mon Sep  3 15:33:35 WIT 2012
ntpd
ntpd is gentler than ntpdate: the ntp daemon synchronises gradually, correcting the clock little by little against the reference ntp server.
to install:
root@server:/var/run# apt-get install ntp
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libopts25
Suggested packages:
  ntp-doc
The following NEW packages will be installed:
  libopts25 ntp
0 upgraded, 2 newly installed, 0 to remove and 171 not upgraded.
Need to get 654 kB of archives.
After this operation, 1,618 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/main libopts25 i386 1:5.12-0.1ubuntu1 [58.4 kB]
Get:2 http://id.archive.ubuntu.com/ubuntu/ precise-updates/main ntp i386 1:4.2.6.p3+dfsg-1ubuntu3.1 [595 kB]
Fetched 654 kB in 12s (51.6 kB/s)
Selecting previously unselected package libopts25.
(Reading database ... 43364 files and directories currently installed.)
Unpacking libopts25 (from .../libopts25_1%3a5.12-0.1ubuntu1_i386.deb) ...
Selecting previously unselected package ntp.
Unpacking ntp (from .../ntp_1%3a4.2.6.p3+dfsg-1ubuntu3.1_i386.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up libopts25 (1:5.12-0.1ubuntu1) ...
Setting up ntp (1:4.2.6.p3+dfsg-1ubuntu3.1) ...
 * Starting NTP server ntpd                                              [ OK ]
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
to change how the server synchronises its time with ntpdate, put the following in /etc/cron.daily/ntpdate:
ntpdate -s ntp.ubuntu.com pool.ntp.org
or, if you use ntpd:
edit /etc/ntp.conf
and add the lines:
server ntp.ubuntu.com
server pool.ntp.org
to find ntp servers around the world, visit http://www.pool.ntp.org
REMOTE ADMINISTRATION
There are many ways to do remote administration, but here we only cover OpenSSH.
install the openssh client:
# apt-get install openssh-client
install the openssh server:
# apt-get install openssh-server
the openssh configuration is in:
/etc/ssh/sshd_config
some important lines:
Port 2222
Banner /etc/issue.net
Protocol 2
PermitRootLogin no
SSH WITHOUT A PASSWORD
generate a key:
[admin@localhost .ssh]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_dsa):
/home/admin/.ssh/id_dsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_dsa.
Your public key has been saved in /home/admin/.ssh/id_dsa.pub.
The key fingerprint is:
56:aa:95:98:c1:d2:52:a7:bd:c1:77:24:e9:69:cb:e1 [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
| . . ...         |
| + = .o          |
| o = +.o..       |
| o + B=.         |
| o S+ o          |
| + E             |
| .               |
|                 |
|                 |
+-----------------+
then:
[admin@localhost .ssh]$ ssh-copy-id -i ./id_dsa.pub new@10.11.12.13
new@10.11.12.13's password:
[admin@localhost .ssh]$
after that you can ssh in without a password:
[admin@localhost .ssh]$ ssh -l new 10.11.12.13
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
* Documentation: https://help.ubuntu.com/
  System information as of Mon Sep  3 16:26:50 WIT 2012

  System load:  0.25              Users logged in:       2
  Usage of /:   5.6% of 37.17GB   IP address for eth0:   10.11.11.223
  Memory usage: 38%               IP address for eth0:0: 123.123.12.13
  Swap usage:   0%                IP address for virbr0: 192.168.122.1
  Processes:    129

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Mon Sep  3 16:23:28 2012 from 180.246.112.240
new@server:~$
DNS SERVER
Install BIND9:
# apt-get install bind9
Package for checking the DNS server:
# apt-get install dnsutils
if it is already installed, you can update it:
Get:1 Changelog for libisc83 (http://changelogs.ubuntu.com/changelogs/pool/main/b/bind9/bind9_9.8.1.dfsg.P1-4ubuntu0.2/changelog) [53.0 kB]
bind9 (1:9.8.1.dfsg.P1-4ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via dnssec validation load
    - lib/dns/resolver.c: don't use bad->expire before it has been set.
    - Patch backported from 9.8.3-P2.
    - CVE-2012-3817

 -- Marc Deslauriers <[email protected]>  Wed, 25 Jul 2012 16:21:36 -0400

bind9 (1:9.8.1.dfsg.P1-4ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: ghost domain names attack
    - lib/dns/rbtdb.c: Restrict the TTL of NS RRset to no more than that of
      the old NS RRset when replacing it.
    - Patch backported from 9.8.2.
    - CVE-2012-1033
  * SECURITY UPDATE: denial of service via zero length rdata handling
    - lib/dns/rdata.c,lib/dns/rdataslab.c: use sentinel pointer for duplicate
      rdata.
    - Patch backported from 9.8.3-P1.
    - CVE-2012-1667

 -- Marc Deslauriers <[email protected]>  Mon, 04 Jun 2012 13:12:43 -0400
the primary configuration is in:
/etc/bind/named.conf
its contents are:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
it is in those files that we should configure the details of our DNS server.
CACHING NAMESERVER
to set up a caching nameserver, edit named.conf.options and add the line:
forwarders { 8.8.8.8; };
PRIMARY NAMESERVER
/etc/bind/named.conf.options
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
# cp /etc/bind/db.local /etc/bind/db.example.com
edit /etc/bind/db.example.com:
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
ns IN A 192.168.0.10
REVERSE ZONE FILE
/etc/bind/named.conf.options
zone "1.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "/etc/bind/db.192";
};
# cp /etc/bind/db.127 /etc/bind/db.192
edit /etc/bind/db.192:
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.
10      IN      PTR     ns.example.com.
SECONDARY MASTER
The primary master must allow transfers to the secondary's IP:
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.11; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.1.11; };
};
Configuration on the secondary master:
zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 192.168.1.10; };
};
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "db.192";
    masters { 192.168.1.10; };
};
restart bind:
# /etc/init.d/bind9 restart
/var/log/syslog will then contain:
slave zone "example.com" (IN) loaded (serial 6)
slave zone "100.18.172.in-addr.arpa" (IN) loaded (serial 3)
CHECKING BIND
# dig -x ip_addr
# dig namadomain
# dig @dns a www.namadomain.com
# ping namadomain
yc2int@server:~$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> set type=a
> www.google.com.
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 173.194.38.177
Name:   www.l.google.com
Address: 173.194.38.178
Name:   www.l.google.com
Address: 173.194.38.179
Name:   www.l.google.com
Address: 173.194.38.180
Name:   www.l.google.com
Address: 173.194.38.176
> set type=mx
> gmail.com.
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
gmail.com       mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com       mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
gmail.com       mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
gmail.com       mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.
gmail.com       mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
> set type=any
> gmail.com.
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   gmail.com
Address: 173.194.38.181
Name:   gmail.com
Address: 173.194.38.182
gmail.com       has AAAA address 2404:6800:4003:803::1016
gmail.com       mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.
gmail.com       nameserver = ns4.google.com.
gmail.com       nameserver = ns1.google.com.
gmail.com       mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
gmail.com       nameserver = ns2.google.com.
gmail.com       text = "v=spf1 redirect=_spf.google.com"
gmail.com       mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
gmail.com       mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com       mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
gmail.com       nameserver = ns3.google.com.
gmail.com
        origin = ns1.google.com
        mail addr = dns-admin.google.com
        serial = 2012061200
        refresh = 21600
        retry = 3600
        expire = 1209600
        minimum = 300
Name:   gmail.com
Address: 173.194.38.181
Name:   gmail.com
Address: 173.194.38.182
DNS LOGGING
Without logging:
logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };
};
Query logging configuration:
logging {
    channel query.log {
        file "/var/log/query.log";
        severity debug 3;
    };
    category queries { query.log; };
};
SECURITY
USER MANAGEMENT
- Use good passwords
$ sudo passwd
lock/disable a user's password (the user can no longer log in with it):
$ sudo passwd -l user
unlock a user's password:
$ sudo passwd -u user
add a user:
$ sudo adduser username
delete a user:
$ sudo deluser username
ownership (archiving a removed user's home directory):
$ sudo chown -R root:root /home/username/
$ sudo mkdir /home/archived_users/
$ sudo mv /home/username /home/archived_users/
group management:
$ sudo addgroup groupname
$ sudo delgroup groupname
add an existing user to a group:
$ sudo adduser username groupname
list the user's home directory and its permissions:
$ ls -ld /home/username
change the mode:
$ sudo chmod 0750 /home/username
adduser configuration: /etc/adduser.conf
DIR_MODE=0750
$ sudo adduser username
$ ls -ld /home/username
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
PASSWORD POLICY
MINIMUM PASSWORD LENGTH
see the file:
/etc/pam.d/common-password
to set the minimum password length to 8:
change the line:
password [success=2 default=ignore] pam_unix.so obscure sha512
to:
password [success=2 default=ignore] pam_unix.so obscure sha512 min=8
PASSWORD EXPIRATION
root@server:/etc/pam.d# chage -l new
Last password change                                    : Sep 03, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
root@server:/etc/pam.d# chage new
Changing the aging information for new
Enter the new value, or press ENTER for the default

        Minimum Password Age [0]: 0
        Maximum Password Age [99999]: 7
        Last Password Change (YYYY-MM-DD) [2012-09-03]:
        Password Expiration Warning [7]:
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]: 2013-01-01
root@server:/etc/pam.d# chage -l new
Last password change                                    : Sep 03, 2012
Password expires                                        : Sep 10, 2012
Password inactive                                       : never
Account expires                                         : Jan 01, 2013
Minimum number of days between password change          : 0
Maximum number of days between password change          : 7
Number of days of warning before password expires       : 7
root@server:/etc/pam.d# chage -E 01/31/2013 -m 5 -M 90 -I 30 -W 14 new
root@server:/etc/pam.d# chage -l new
Last password change                                    : Sep 03, 2012
Password expires                                        : Dec 02, 2012
Password inactive                                       : Jan 01, 2013
Account expires                                         : Jan 31, 2013
Minimum number of days between password change          : 5
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14
WARNING: A DISABLED USER CAN STILL LOG IN VIA SSH
Always check the home directories and their .ssh directories, especially the authorized_keys file, which lets a user ssh in without a password (see the earlier discussion of ssh).
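The audit this warning calls for, as an added shell example that is not part of the original tutorial: it reads a shadow-format file and a home-directory root, both passed as parameters so that it runs here against constructed sample data, and reports locked accounts that still carry an authorized_keys file, plus accounts whose password never expires (the setting the chage section above changes). On a real host it would be run as root against /etc/shadow and /home.

```shell
#!/bin/sh
# Added example (not from the original tutorial). "passwd -l" locks an account by
# prefixing the hash in /etc/shadow with "!", and a never-set password is "*";
# neither stops public-key authentication, so a locked user with
# ~/.ssh/authorized_keys can still log in over SSH.

# Usage: locked_with_keys <shadow-file> <home-root>  -> one user name per line
locked_with_keys() {
    shadow="$1"; homes="$2"
    # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$shadow" | while IFS= read -r user; do
        if [ -s "$homes/$user/.ssh/authorized_keys" ]; then
            echo "$user"
        fi
    done
}

# Usage: no_max_age <shadow-file> -> active users whose password never expires
# (field 5 empty or 99999, the value "chage -l" shows as the default maximum)
no_max_age() {
    awk -F: '$2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# --- constructed sample data: fake hashes, fake keys, temporary directories ---
ROOT=$(mktemp -d)
cat > "$ROOT/shadow" <<'EOF'
root:$6$fakehash$root:15586:0:99999:7:::
new:$6$fakehash$new:15586:5:90:14:30:15736:
olduser:!$6$fakehash$old:15586:0:99999:7:::
svc:*:15586:0:99999:7:::
EOF
mkdir -p "$ROOT/home/olduser/.ssh" "$ROOT/home/new/.ssh" "$ROOT/home/svc"
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_constructed_key olduser@laptop" \
    > "$ROOT/home/olduser/.ssh/authorized_keys"
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_constructed_key new@laptop" \
    > "$ROOT/home/new/.ssh/authorized_keys"

echo "locked but still reachable by key: $(locked_with_keys "$ROOT/shadow" "$ROOT/home" | tr '\n' ' ')"
echo "password never expires:            $(no_max_age "$ROOT/shadow" | tr '\n' ' ')"
```

In the sample, olduser is locked yet keeps a key, so it is reported; svc is locked but has no .ssh directory, and root is the only active account with no maximum password age.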
RESTRICTING SSH USERS
To restrict which users may log in over ssh, edit sshd_config and add the line:
AllowGroups sshlogin
sshlogin is the group of users who are allowed to log in over ssh
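A check for the sshd_config lines recommended above (Protocol, PermitRootLogin, AllowGroups), as an added shell example that is not part of the original tutorial. sshd applies the first matching directive for each keyword, so a hardening line appended below an earlier, permissive one is silently ignored; the function reproduces that rule. The sample configuration is constructed; on a live system you would point `sshd_effective` at /etc/ssh/sshd_config, or compare its output with `sshd -T`, which prints the configuration sshd actually uses.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report the value sshd will use
# for a keyword in an sshd_config file. Matching is case-insensitive, comments and
# blank lines are skipped, and the FIRST occurrence wins, exactly as sshd does.

# Usage: sshd_effective <config-file> <keyword>
# Prints the effective value, or "(default)" if the keyword is never set.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); found = 0 }
        /^[ \t]*$/ || /^[ \t]*#/ { next }        # skip blank lines and comments
        tolower($1) == key && !found {           # first match wins, like sshd
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")      # drop the keyword, keep the value
            print
            found = 1
        }
        END { if (!found) print "(default)" }
    ' "$1"
}

# Usage: sshd_check <config-file>
# Returns 0 when the file enforces the three settings the tutorial recommends:
# protocol 2 only, root login disabled, and logins restricted to a group.
sshd_check() {
    f="$1"
    [ "$(sshd_effective "$f" Protocol)" = "2" ] &&
    [ "$(sshd_effective "$f" PermitRootLogin)" = "no" ] &&
    [ "$(sshd_effective "$f" AllowGroups)" != "(default)" ]
}

# Constructed sample: an administrator appended "PermitRootLogin no" at the end
# of a file that still carries the earlier "PermitRootLogin yes".
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# Package generated configuration file
Port 2222
Protocol 2
Banner /etc/issue.net
PermitRootLogin yes
  Subsystem sftp /usr/lib/openssh/sftp-server
# hardening added later:
PermitRootLogin no
AllowGroups sshlogin
EOF

echo "PermitRootLogin -> $(sshd_effective "$SAMPLE_CFG" PermitRootLogin)"
echo "AllowGroups     -> $(sshd_effective "$SAMPLE_CFG" AllowGroups)"
if sshd_check "$SAMPLE_CFG"; then
    echo "sshd_config: OK"
else
    echo "sshd_config: root login is still permitted (first PermitRootLogin line wins)"
fi
```

The sample prints `PermitRootLogin -> yes`: the later `no` never takes effect until the earlier line is removed or edited.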
CONSOLE SECURITY
To disable control+alt+del, edit /etc/init/control-alt-delete.conf
and comment out the following line:
# exec shutdown -r now "Control-Alt-Delete pressed"
FIREWALL
UFW (Uncomplicated Firewall) is an easy tool for managing a simple firewall; Ubuntu server ships it by default.
note the following commands:
# ufw enable
# ufw allow 22
# ufw insert 1 allow 80
# ufw deny 22
# ufw delete deny 22
# ufw allow proto tcp from 192.168.0.2 to any port 22
# ufw disable
# ufw status
# ufw status verbose
# ufw status numbered
ufw application integration
The configuration files are in /etc/ufw/applications.d/
example configuration:
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
root@server:/etc/ufw/applications.d# ufw app list
Available applications:
  Apache
  Apache Full
  Apache Secure
  Bind9
  CUPS
  Dovecot IMAP
  Dovecot POP3
  Dovecot Secure IMAP
  Dovecot Secure POP3
  OpenSSH
  Postfix
  Postfix SMTPS
  Postfix Submission
root@server:/etc/ufw/applications.d#
# ufw allow Apache
# ufw allow from 192.168.0.0/24 to any app Apache
root@server:/etc/ufw/applications.d# ufw app info Apache
Profile: Apache
Title: Web Server
Description: Apache v2 is the next generation of the omnipresent Apache web
server.

Port:
  80/tcp
IP MASQUERADING
ufw masquerading
file: /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
file: /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
file: /etc/ufw/before.rules
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
restart ufw:
# ufw disable && sudo ufw enable
IPTABLES MASQUERADING
File /etc/sysctl.conf:
net.ipv4.ip_forward=1
# sysctl -p
# iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
# iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
# iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
to make it persistent, edit /etc/rc.local and add:
# iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
LOGGING
# ufw logging on
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "
This automatically generates log entries, visible in dmesg
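What to do with those entries, as an added shell example that is not part of the original tutorial: it summarises the kernel log lines produced by the LOG rule above (recognised by the "NEW_HTTP_CONN: " prefix) as they appear in dmesg or /var/log/kern.log, counting new connections per source address and flagging sources above a threshold. The log lines are constructed samples in the format the LOG target emits; the threshold of 3 is an arbitrary value for the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial): count new HTTP connections per
# source address from iptables LOG output and flag noisy sources.

LOG_PREFIX="NEW_HTTP_CONN: "   # must match the --log-prefix of the LOG rule
THRESHOLD=3                     # constructed value for this demo

# Usage: http_conn_counts <log-file> -> "count source" lines, busiest first
http_conn_counts() {
    grep -F -- "$LOG_PREFIX" "$1" |
    awk '{
        # the LOG target writes key=value tokens; pick out SRC=
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    } END { for (s in n) print n[s], s }' |
    sort -rn
}

# Usage: noisy_sources <log-file> <threshold> -> sources with more than <threshold> hits
noisy_sources() {
    http_conn_counts "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Constructed sample log: one internal client, one external address opening
# several connections in quick succession, and an unrelated UFW block line.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[ 4012.112233] NEW_HTTP_CONN: IN=eth0 OUT= SRC=192.168.0.2 DST=10.11.11.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[ 4012.445566] NEW_HTTP_CONN: IN=eth0 OUT= SRC=203.0.113.7 DST=10.11.11.223 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
[ 4012.445901] NEW_HTTP_CONN: IN=eth0 OUT= SRC=203.0.113.7 DST=10.11.11.223 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
[ 4012.446122] NEW_HTTP_CONN: IN=eth0 OUT= SRC=203.0.113.7 DST=10.11.11.223 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2003 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
[ 4012.446350] NEW_HTTP_CONN: IN=eth0 OUT= SRC=203.0.113.7 DST=10.11.11.223 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2004 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
[ 4013.000001] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=10.11.11.223 LEN=40 PROTO=TCP SPT=5555 DPT=23 SYN
EOF

http_conn_counts "$SAMPLE_LOG"
echo "sources with more than $THRESHOLD new connections: $(noisy_sources "$SAMPLE_LOG" "$THRESHOLD" | tr '\n' ' ')"
```

On a live system replace the sample file with the output of `dmesg` or /var/log/kern.log; the UFW BLOCK line shows that only entries carrying the chosen prefix are counted.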
AppArmor
The AppArmor module is installed by default on ubuntu server:
root@server:/etc/ufw/applications.d# dpkg -l | grep apparmor
ii  apparmor       2.7.102-0ubuntu3   User-space parser utility for AppArmor
ii  libapparmor1   2.7.102-0ubuntu3   changehat AppArmor library
to install apparmor-profiles and the utilities:
# apt-get install apparmor-profiles
# apt-get install apparmor-utils
root@server:/etc/ufw/applications.d# apparmor_status
apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/libvirt/virt-aa-helper
   /usr/sbin/cupsd
   /usr/sbin/dhcpd
   /usr/sbin/libvirtd
   /usr/sbin/mysqld
   /usr/sbin/named
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /usr/sbin/cupsd (578)
   /usr/sbin/dhcpd (6189)
   /usr/sbin/libvirtd (1245)
   /usr/sbin/mysqld (1045)
   /usr/sbin/named (9399)
   /usr/sbin/ntpd (6791)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
AppArmor supervises a program in one of 2 modes:
- Complaining/Learning: everything the supervised program does is allowed and logged (the purpose is to study the program and build a new profile)
- Enforce/Confined: the program is supervised and restricted to what its profile allows, and violations are logged
to switch a program's profile to complain mode:
# aa-complain /path/to/bin
to switch a program's profile to enforce mode:
# aa-enforce /path/to/bin
apparmor profiles are stored in: /etc/apparmor.d/*
apparmor_parser is used to load a profile into the kernel, for example:
# cat /etc/apparmor.d/profile.name | apparmor_parser -a
or to reload a profile that is already loaded / running:
# cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
reload all profiles:
# /etc/init.d/apparmor reload
you can disable a profile by symlinking it into /etc/apparmor.d/disable:
# ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
# apparmor_parser -R /etc/apparmor.d/profile.name
to enable it again:
# rm /etc/apparmor.d/disable/profile.name
# cat /etc/apparmor.d/profile.name | apparmor_parser -a
to stop apparmor and disable it so that it does not start at boot:
# /etc/init.d/apparmor stop
# update-rc.d -f apparmor remove
APPARMOR PROFILES
An apparmor profile is a plain text file placed in /etc/apparmor.d; the file name reflects the path of the program being profiled, with each / replaced by a dot (.), for example:
/etc/apparmor.d/bin.ping (the program's path is /bin/ping)
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}
the meaning of the lines is:
• #include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.
• /bin/ping flags=(complain): path to the profiled program, also setting the mode to complain.
• capability net_raw,: allows the application access to the CAP_NET_RAW Posix.1e capability.
• /bin/ping mixr,: allows the application read and execute access to the file.
How to create a NEW AppArmor PROFILE
the steps to create a new profile are:
- run the program, stop it, and observe the program's behaviour
- generate a new profile with the command:
# aa-genprof <program name>
- then open the profile in /etc/apparmor.d/<profile file name> and define the program's access rights in that file, for example:
/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/mysql>
  #include <abstractions/winbind>

  capability dac_override,
  capability sys_resource,
  capability setgid,
  capability setuid,

  network tcp,

  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/*.cnf r,
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mysqld mr,
  /usr/share/mysql/** r,
  /var/log/mysql.log rw,
  /var/log/mysql.err rw,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.pid w,
  /var/run/mysqld/mysqld.sock w,
  /run/mysqld/mysqld.pid w,
  /run/mysqld/mysqld.sock w,

  /sys/devices/system/cpu/ r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mysqld>
}
CERTIFICATE KROPTOGRAFI
Salahsatu teknik enkripsi populer saat ini adalah menggunakan system public-key dan private-key, untuk melakukan enkripsi menggunakan public-key, dan hasil enkripsi tersebut hanya dapat di de-crypt oleh private-key.
CertificateUntuk mensetup secure server dengan menggunakan public key cryptography, biasanya anda harus mengirimkan permintaan sertifikat ke CA (Certification Athority). yaitu perusahaan/badan pihak ketiga yang bertanggung jawab utk mengeluarkan sertifikat public key (mis. Verisign dll)
Certificate yang di keluarkan oleh CA mempunyai karakteristik kelebihan bila dibanding dgn certificate yg di generate sendiri, diantaranya adalah :
- Browser mengenali secara otomatis, dan langsung membentuk secure connection tanpa konfirmasi apa2.- CA menjamin identitas organisasi/badan dari webserver.
GENERATE CSR (Certificate Signing Request)
Generate server.key :root@server:~# openssl genrsa -des3 -out server.key 2048Generating RSA private key, 2048 bit long modulus......................................................................................................................................................+++..........................................................................................................................+++e is 65537 (0x10001)Enter pass phrase for server.key:Verifying - Enter pass phrase for server.key:
Generate server.key.insecure :root@server ~# openssl rsa -in server.key -out server.key.insecureEnter pass phrase for server.key:writing RSA key
rename server.key menjadi server.key.secure :# mv server.key server.key.secure
rename server.key.insecure menjadi server.key :# mv server.key.insecure server.key
GENERATE CSR (Certificate Signing Request ) :root@server:~/key# openssl req -new -key server.key -out server.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:ID State or Province Name (full name) [Some-State]:Central JavaLocality Name (eg, city) []:SemarangOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Multisolusi InformatikaOrganizational Unit Name (eg, section) []:Network and Programming SolutionsCommon Name (e.g. server FQDN or YOUR name) []:Multisolusi InformatikaEmail Address []:[email protected]
Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:tantanganAn optional company name []:root@server:~/key# lsserver.csr server.key server.key.secure
Membuat Self Signed Certificate :
root@server:~/key# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crtSignature oksubject=/C=ID/ST=Central Java/L=Semarang/O=Multisolusi Informatika/OU=Network and Programming Solutions/CN=Multisolusi Informatika/[email protected] Private key
Install the certificate:
# cp server.crt /etc/ssl/certs
# cp server.key /etc/ssl/private
At this point the SSL certificate is installed and can be used for whatever encryption the services we configure need (e.g. HTTPS, Dovecot IMAPS and POP3S, etc.).
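The same key, CSR and self-signed certificate procedure as a script, added here as an example and not part of the original document. It runs non-interactively (the DN is passed with -subj instead of being typed at the prompts, and the key is written without a passphrase, which is what the server.key.insecure step above achieves), creates the private key with mode 0600, and adds the check a practitioner wants before copying files into /etc/ssl: that the key and the certificate actually belong together. The output directory, the subject fields and the host name are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original document): non-interactive version of
# the key -> CSR -> self-signed certificate steps above, plus a key/cert
# consistency check. Directory, DN fields and host name are assumptions.
set -eu

# Create server.key (no passphrase), server.csr and server.crt under $1 for
# the Common Name given in $2.
make_selfsigned() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # umask 077 in a subshell: the private key is created with mode 0600 and
    # the umask change does not leak into the caller's shell.
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    # -subj supplies the Distinguished Name instead of the interactive prompts.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=ID/ST=Central Java/L=Semarang/O=Example Org/CN=$cn" 2>/dev/null
    # Self-sign the request; valid for 365 days as in the document.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 644 "$dir/server.crt"   # the certificate is public, the key is not
}

# Key $1 and certificate $2 must share the same RSA modulus; a mismatch is the
# classic reason Apache or Dovecot refuses to start after a certificate swap.
keypair_matches() {
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Extract the CN from the certificate subject; handles both the
# "/C=ID/.../CN=x" and the "C = ID, ..., CN = x" output styles of openssl.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Octal file mode of the private key; "600" is what we expect.
key_mode() {
    stat -c %a "$1"
}
```

After `make_selfsigned /root/key www.example.test`, copy server.crt to /etc/ssl/certs and server.key to /etc/ssl/private as the document does, keeping the key owned by root with mode 0600; `keypair_matches` is worth running again on the installed copies before reloading Apache.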
WEBSERVER
Apache2
If apache2 is not yet installed on your Ubuntu server, type:
# apt-get install apache2
Essential Apache Configuration
/etc/apache2/apache2.conf -> contains the basic Apache configuration.
/etc/apache2/conf.d -> contains additional configuration files for particular topics.
/etc/apache2/envvars -> environment variable settings.
/etc/apache2/httpd.conf -> in Apache2 this file is usually empty and only holds site-specific configuration.
/etc/apache2/mods-available -> contains the configuration files that load and configure the available modules.
/etc/apache2/mods-enabled -> contains the enabled modules; its contents are symlinks to files in /etc/apache2/mods-available.
/etc/apache2/ports.conf -> contains the ports Apache listens on.
/etc/apache2/sites-enabled -> contains symlinks into /etc/apache2/sites-available; it is the list of sites enabled on this Apache.
Apache2 makes configuring virtual hosts easy.
The default virtual host is configured in: /etc/apache2/sites-available/default
If you want to create a new VirtualHost, copy that file (/etc/apache2/sites-available/default) to a new name, then configure it as required.
# cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mynewsite
Some important directives to pay attention to are:
ServerAdmin -> sets the webmaster's e-mail address
Listen -> sets which port to listen on (default 80)
ServerName -> sets the name of this virtual domain (e.g. www.domainku.com)
ServerAlias -> defines alias names for ServerName; wildcards may be used, for example:
ServerAlias *.serverku.com
DocumentRoot -> sets the directory holding the HTML documents to be served.
Once the new virtual host is configured, run the following:
root@server:/etc/apache2/sites-available# a2ensite sitebaru
Enabling site sitebaru.
To activate the new configuration, you need to run:
  service apache2 reload
root@server:/etc/apache2/sites-available# service apache2 reload
 * Reloading web server config apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 202.122.14.202 for ServerName
   [ OK ]
Default Settings
The default settings are the configuration used whenever a specific setting is not defined in a virtual host.
DirectoryIndex Directive
Used to determine which file is loaded by default when none is given in the URL; configured in the file /etc/apache2/mods-available/dir.conf
Its contents are roughly:
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
ErrorDocument Directive
Used to set the page/message shown when a particular error occurs. Open the file:
/etc/apache2/conf.d/localized-error-pages
Log Files
By default, access to the website is logged to /var/log/apache2/access.log, but you can change access logging per virtual host by using the CustomLog directive in each virtual host.
See the file: /etc/apache2/conf.d/other-vhosts-access-log
Directory Options
<Directory /var/www/mysite>
    .........
</Directory>
Options ExecCGI
Allows certain files in the system to be executed as CGI.
Options Includes
Allows SSI (Server Side Includes), i.e. lets an HTML page include other files, which are rendered in the browser automatically.
Options IncludesNOEXEC
Allow server-side includes, but disable the #exec and #include commands in CGI scripts.
You can read more about SSI at: http://httpd.apache.org/docs/2.2/howto/ssi.html
What are SSI?
SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.
The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time. But if a majority of your page is being generated at the time that it is served, you need to look for some other solution.
Options Indexes
Allows the files contained in a directory to be listed when no DirectoryIndex file is present.
SymLinksIfOwnerMatch
Symlinks may be followed only if the owner of the link and the owner of the target file are the same.
httpd settings
User -> this directive sets the user account Apache runs as, i.e. the access it has to the server while handling requests.
Group -> this directive is similar to User, but sets the group whose access rights Apache has on the server.
Apache2 Modules
Apache is designed to be very modular, so we can load a particular module to run together with Apache.
To load a module we use the LoadModule directive; the module's own configuration is placed inside an <IfModule> … </IfModule> block.
Example of installing a module on Ubuntu:
root@server:/etc/apache2/mods-enabled# apt-get install libapache2-mod-auth-mysql
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libapache2-mod-auth-mysql
0 upgraded, 1 newly installed, 0 to remove and 161 not upgraded.
Need to get 22.1 kB of archives.
After this operation, 94.2 kB of additional disk space will be used.
Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/main libapache2-mod-auth-mysql i386 4.3.9-13ubuntu3 [22.1 kB]
Fetched 22.1 kB in 6s (3,273 B/s)
Selecting previously unselected package libapache2-mod-auth-mysql.
(Reading database ... 45844 files and directories currently installed.)
Unpacking libapache2-mod-auth-mysql (from .../libapache2-mod-auth-mysql_4.3.9-13ubuntu3_i386.deb) ...
Setting up libapache2-mod-auth-mysql (4.3.9-13ubuntu3) ...
root@server:/etc/apache2/mods-enabled# a2enmod auth_mysql
Enabling module auth_mysql.
To activate the new configuration, you need to run:
  service apache2 restart
root@server:/etc/apache2/mods-enabled# service apache2 restart
root@server:/etc/apache2/mods-enabled# a2dismod auth_mysql
Module auth_mysql disabled.
To activate the new configuration, you need to run:
  service apache2 restart
root@server:/etc/apache2/mods-enabled# service apache2 restart
 * Restarting web server apache2   [ OK ]
root@server:/etc/apache2/mods-enabled#
HTTPS (HTTP over SSL) Configuration
root@server:/etc/apache2/mods-enabled# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
root@server:/etc/apache2/mods-enabled# service apache2 restart
 * Restarting web server apache2   [ OK ]
root@server:/etc/apache2/mods-enabled# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
  service apache2 reload
root@server:/etc/apache2/mods-enabled# /etc/init.d/apache2 reload
 * Reloading web server config apache2   [ OK ]
The directories /etc/ssl/certs and /etc/ssl/private are the default locations for the certificate and the key; if you want to change them, use the directives:
SSLCertificateFile
SSLCertificateKeyFile
PHP 5
Installing PHP5 on Ubuntu server:
type the command:
# apt-get install php5 libapache2-mod-php5
to install it, and update it if bugs remain; the changelog shown during the update lists the security fixes, for example:
Get:1 Changelog for php5-common (http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.3.10-1ubuntu3.2/changelog) [190 kB]
php5 (5.3.10-1ubuntu3.2) precise-security; urgency=low
  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt, ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in ext/standard/crypt_freesec.c, add test to ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in ext/phar/tar.c.
    - CVE-2012-2386
-- Marc Deslauriers <[email protected]> Tue, 12 Jun 2012 13:40:37 -0400
php5 (5.3.10-1ubuntu3.1) precise-security; urgency=low
  * SECURITY UPDATE: php5-cgi query string parameters parsing vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
-- Steve Beattie <[email protected]> Thu, 03 May 2012 15:42:08 -0700
Installing php-cli:
# apt-get install php5-cli
Installing PHP as CGI:
# apt-get install php5-cgi
Installing PHP support for MySQL:
# apt-get install php5-mysql
Installing PHP support for PostgreSQL:
# apt-get install php5-pgsql
Test page:
<?php
phpinfo();
?>
Hardening apache/php
DISABLE DIRECTORY BROWSING
Open the file: /etc/apache2/sites-available/default
So that the contents of directories without an index.html (DirectoryIndex) cannot be browsed, edit it and add -Indexes:
<Directory /var/www/>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
Enable the rewrite module of Apache.
This module is used to rewrite requests that match certain patterns.
root@server:/etc/apache2/sites-available# a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  service apache2 restart
root@server:/etc/apache2/sites-available# service apache2 restart
 * Restarting web server apache2   [ OK ]
Then, to prevent Cross-Site Tracing attacks, add the following rewrite rules inside your <VirtualHost *:80>:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</IfModule>
INSTALL mod_evasive
This module helps protect httpd against DoS and brute-force attacks.
# apt-get install libapache2-mod-evasive
Install Apache mod_security (libapache2-modsecurity)
# apt-get install libapache2-modsecurity
then enable it with:
# a2enmod mod-security
Hide all information about the server and Apache when an error occurs
edit: /etc/apache2/conf.d/security
ServerTokens Prod
ServerSignature Off
Edit file php.ini
Open the file /etc/php5/apache2/php.ini and set:
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
register_globals = Off
magic_quotes_gpc = On
If possible, i.e. if it does not break any service, disable some dangerous functions:
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd, proc_open, curl_exec, curl_multi_exec, parse_ini_file
/etc/sysctl.conf
Also edit the file /etc/sysctl.conf:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
• To reload sysctl with the latest changes, enter: sudo sysctl -p
then type:
# sysctl -p
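Editing php.ini and sysctl.conf is only half the job; a server hardened today drifts after package upgrades and config merges. The script below is an added example (my own helpers, not from the document) that audits a php.ini and a sysctl key/value listing against the values given in the two sections above, reporting each deviation. It reads the "key = value" form both files share, so the same helper serves `/etc/php5/apache2/php.ini`, `/etc/sysctl.conf` and the output of `sysctl -a`. The expected-value tables are taken from the document; the sample files in the usage are constructed. safe_mode, magic_quotes_gpc and register_globals were removed in PHP 5.4, so they are left out of the table to keep the audit usable on later PHP versions.

```shell
#!/bin/sh
# Added example (not from the original document): audit a php.ini and a
# sysctl listing against the hardened values given above. Helper names and
# expected-value tables are my own; sample input files are constructed.

# Print the value of key $2 from a "key = value" file $1 (php.ini, sysctl.conf
# or the output of `sysctl -a`). Lines starting with ';' or '#' are comments.
kv_get() {
    awk -v k="$2" '
        /^[[:space:]]*[;#]/ { next }              # whole-line comment
        {
            line = $0
            sub(/[;#].*$/, "", line)              # trailing comment
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Read "key expected" pairs from stdin and compare each with file $1
# (case-insensitively, as PHP treats On/on alike). Prints one MISMATCH line
# per deviation; returns 1 if any deviation was found.
audit_kv() {
    file="$1"; rc=0
    while read -r key want; do
        if [ -n "$key" ]; then
            got=$(kv_get "$file" "$key")
            if [ "$(lc "$got")" != "$(lc "$want")" ]; then
                echo "MISMATCH $key: expected '$want', found '${got:-<unset>}'"
                rc=1
            fi
        fi
    done
    return $rc
}

# php.ini values from the hardening section (settings that exist in every
# PHP version; safe_mode, magic_quotes_gpc, register_globals are gone in 5.4+).
PHP_EXPECTED='display_errors Off
log_errors On
allow_url_fopen Off
expose_php Off
enable_dl Off'

# Kernel settings from the /etc/sysctl.conf section.
SYSCTL_EXPECTED='net.ipv4.conf.all.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.icmp_echo_ignore_all 1'

audit_php_ini() { printf '%s\n' "$PHP_EXPECTED"    | audit_kv "$1"; }
audit_sysctl()  { printf '%s\n' "$SYSCTL_EXPECTED" | audit_kv "$1"; }
```

On the server, `audit_php_ini /etc/php5/apache2/php.ini` checks the file Apache reads, and `sysctl -a > /tmp/sysctl.out; audit_sysctl /tmp/sysctl.out` checks what the running kernel actually has, which is the value that matters if `sysctl -p` was never run after the edit.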
Secure Shared Memory
/dev/shm is often used in attacks against running daemons such as apache/httpd, so edit /etc/fstab and change the entry to the following:
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
Disable DNS Recursion
Edit the file /etc/bind/named.conf.options and add the line:
recursion no;
IP Spoofing (resolver settings in /etc/host.conf)
order bind,hosts
nospoof on
After an IP address has been resolved to a hostname, that hostname is resolved back and compared with the original address; if the two differ, the lookup is rejected.
Check the logs, and ban all suspicious hosts
DenyHosts -> a Python script that analyses the SSH log and bans suspicious hosts by adding them to /etc/hosts.deny
INSTALLATION:
root@server:/home/yc2int# apt-get install denyhosts
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  denyhosts
0 upgraded, 1 newly installed, 0 to remove and 157 not upgraded.
Need to get 66.1 kB of archives.
After this operation, 317 kB of additional disk space will be used.
Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/universe denyhosts all 2.6-10 [66.1 kB]
Fetched 66.1 kB in 2s (25.8 kB/s)
Selecting previously unselected package denyhosts.
(Reading database ... 45994 files and directories currently installed.)
Unpacking denyhosts (from .../denyhosts_2.6-10_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up denyhosts (2.6-10) ...
 * Starting DenyHosts denyhosts   [ OK ]
16635 ?        S      0:00 python /usr/sbin/denyhosts --daemon --purge --config=/etc/denyhosts.conf
16653 pts/0    S+     0:00 grep --color=auto denyhost
Edit /etc/denyhosts.conf and configure it to your needs:
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts nobody@localhost
#SYSLOG_REPORT=YES
Fail2ban
Installing fail2ban:
# apt-get install fail2ban
then configure:
/etc/fail2ban/jail.conf
according to your situation and environment.
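What DenyHosts and fail2ban do for sshd comes down to one loop: count authentication failures per source address in the SSH log and act on the addresses that cross a threshold. The filter below, added here as an example and not part of the original document or of either tool, makes that logic visible as an awk script over auth.log-style lines and prints the result in the `sshd: <ip>` form that DenyHosts writes to /etc/hosts.deny. The sample log lines and the threshold are constructed for the demo; the real tools also track time windows and expire entries, which this example deliberately omits.

```shell
#!/bin/sh
# Added example (not from the original document, DenyHosts or fail2ban): the
# core of an SSH brute-force detector as an awk filter. Log lines, user names
# and addresses below are constructed; the threshold is an assumption.

# Read auth.log-style lines on stdin, count failed SSH logins per source
# address and print "sshd: <ip>" (the /etc/hosts.deny form DenyHosts uses)
# for every address with at least $1 failures. Successful logins and lines
# from other daemons are ignored.
failed_ssh_sources() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]:/ && /(Failed password|Invalid user|authentication failure)/ {
            # Source address: the token after "from" (Failed password,
            # Invalid user) or the rhost= field (PAM authentication failure).
            ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { ip = $(i + 1); break }
                if ($i ~ /^rhost=/) { ip = substr($i, 7); break }
            }
            if (ip != "") fails[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print "sshd: " ip
        }' | sort
}

# Constructed sample log: one host guessing account names, one host with two
# failures for root, and a legitimate user who mistyped a password once.
SAMPLE_LOG='Jun 12 10:01:02 server sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Jun 12 10:01:04 server sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Jun 12 10:01:09 server sshd[2003]: Invalid user oracle from 198.51.100.7
Jun 12 10:02:15 server sshd[2010]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Jun 12 10:03:30 server sshd[2015]: Failed password for root from 203.0.113.5 port 51000 ssh2
Jun 12 10:03:33 server sshd[2015]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jun 12 10:04:00 server sshd[2020]: Failed password for alice from 192.0.2.10 port 40111 ssh2'

# Run the filter over the sample with a threshold of 3 failures.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | failed_ssh_sources 3
}
```

With the threshold at 3 only 198.51.100.7 is reported; lowering it to 2 also catches 203.0.113.5, while alice's single typo never appears. On a real host the input is `failed_ssh_sources 5 < /var/log/auth.log`; the fail2ban equivalent of the threshold is `maxretry` in /etc/fail2ban/jail.conf.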
RKHunter and CHKRootKit
Both tools do almost the same job, notably looking for the presence of rootkits.
To install them, type:
# apt-get install rkhunter chkrootkit
Try:
sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check
Below is a short manual on how to use rkhunter:
rkhunter "debugging" howto
• Don't be afraid of the RKhunter warnings in the terminal.
• Using RKhunter is always a work in progress.
• To install RKhunter:
sudo apt-get install rkhunter
• Before running RKhunter you will need to fill the file properties database by running the following command: rkhunter --propupd
Do not forget to set rkhunter in sysconfig to run the --propupd every time new software is installed or else you will get "false positives" after every software and system update.
sudo rkhunter --propupd
• To run rkhunter --propupd automatically after software updates, add the line APT_AUTOGEN="yes" to /etc/default/rkhunter (this gets read by /etc/apt/apt.conf.d/90rkhunter).
• Wait till it completes gathering the new values, then exit. This should eliminate all the warnings except the hidden files related to the /dev folder. They show up occasionally and disappear with the next reboot of your system.
• Additionally, the --versioncheck option of rkhunter itself will indicate if a new version is available.
sudo rkhunter --versioncheck
• The first run of 'rkhunter' after installation may give some warning messages. They are in some way normal. Even on a clean installed system, with no additional software installed, these warnings occur. You could take a look at the FAQ of RKhunter. I got these warnings on Xubuntu beta, clean install:
sudo rkhunter --checkall
• warnings:
/usr/bin/mail
/usr/bin/bsd/mail-x
checking /dev for susp. files
checking hidden files and direct
/usr/bin/lwp-request
• It is possible for a package manager database to become maliciously corrupted. RKhunter can only report on changes, but not on what has caused the change; it is reactive.
• Help Rootkit Hunter users on the rkhunter-users mailing list (the rkhunter mailing list). It is also a source of information on "false positives".
• "Intruder Detection Checklist". This list is available via the intruder detection list.
• What to do with "common" warnings such as:
Warning: Hidden directory found: /dev/.static
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /dev/.initramfs
To avoid these warnings, you can reconfigure rkhunter to ignore these files by whitelisting these warnings. Edit the rkhunter.conf file: gedit /etc/rkhunter.conf and remove the # in front of these lines:
#ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.static
#ALLOWHIDDENDIR=/dev/.initramfs

ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
• Linkage for debugging rkhunter via watchdog: debugging linkage
You can disable the 'os_specific' check in your rkhunter.conf file. Add it to the DISABLE_TESTS list.
You can stop rkhunter from checking these by editing /etc/rkhunter.conf
Un-comment the related ALLOWHIDDENDIR and ALLOWHIDDENFILE lines.
Scan open ports with NMAP
Installation:
# apt-get install nmap
# nmap -v -sT localhost
# nmap -v -sS localhost
LOGWATCH
Analyse logs with logwatch:
# apt-get install logwatch libdate-manip-perl
To see logwatch's output, type:
# logwatch | less
TIGER
Tiger is a security tool that can be used for security auditing and intrusion detection.
Installation:
# apt-get install tiger
To run it:
# tiger
RUNNING VHOSTS UNDER DIFFERENT UID/GID
Install apache-mpm-itk:
# apt-get install apache-mpm-itk
Add a new group and a new user:
# groupadd web1
# adduser --ingroup web1 sitebaru
Add a virtual host, e.g. sitebaru.multisolusi.info:
The configuration is roughly:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName sitebaru.multisolusi.info
    DocumentRoot /home/sitebaru/html/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /home/sitebaru/html/>
        # Indexes allows directory listing; use -Indexes as in the hardening section above if listings are not wanted
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /home/sitebaru/cgi-bin/
    # this Directory block must match the ScriptAlias target (the copied default pointed at /usr/lib/cgi-bin)
    <Directory "/home/sitebaru/cgi-bin/">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    # AssignUserId belongs inside this VirtualHost: placed outside it, it becomes
    # the default for every vhost and all sites would run as sitebaru
    <IfModule mpm_itk_module>
        AssignUserId sitebaru web1
    </IfModule>
</VirtualHost>
Then restart apache:
# /etc/init.d/apache2 restart
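The point of mpm-itk is that each site's scripts run as their own user, so the separation is only as good as the file permissions on each DocumentRoot: if the directory is owned by someone else or is world-writable, a compromised neighbouring site can still read or modify it. The script below is an added example, not part of the original document or of mpm-itk: it reads AssignUserId and DocumentRoot out of a vhost file like the one above and checks that the document root is owned by that user and group and carries no world-write bit. The helper names are mine, and the vhost file and directory in the usage are constructed in a temporary location.

```shell
#!/bin/sh
# Added example (not from the original document or mpm-itk): pre-flight check
# that a vhost's DocumentRoot is owned by the AssignUserId identity and is not
# world-writable. Helper names are mine; test paths are constructed.

# Print "user group" from the AssignUserId line of vhost file $1.
vhost_itk_identity() {
    awk '$1 == "AssignUserId" { print $2, $3; exit }' "$1"
}

# Print the DocumentRoot of vhost file $1 (quotes and trailing slash removed).
vhost_docroot() {
    awk '$1 == "DocumentRoot" { gsub(/"/, "", $2); sub(/\/$/, "", $2); print $2; exit }' "$1"
}

# Verify directory $1 is owned by user $2 and group $3 and has no o+w bit.
# Prints the first problem found and returns 1; returns 0 when all is well.
check_docroot() {
    dir="$1"; user="$2"; group="$3"
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    set -- $(stat -c '%U %G %a' "$dir")     # owner, group, octal mode
    owner="$1"; grp="$2"; mode="$3"
    [ "$owner" = "$user" ] || { echo "owner $owner != $user"; return 1; }
    [ "$grp" = "$group" ]  || { echo "group $grp != $group"; return 1; }
    case "$mode" in
        *[2367]) echo "world-writable: $mode"; return 1 ;;   # last octal digit has the w bit
    esac
    return 0
}

# Read the identity and document root from vhost file $1 and check them.
check_itk_vhost() {
    conf="$1"
    ident=$(vhost_itk_identity "$conf")
    [ -n "$ident" ] || { echo "no AssignUserId in $conf"; return 1; }
    root=$(vhost_docroot "$conf")
    check_docroot "$root" $ident      # $ident expands to "user group"
}
```

Run it as `check_itk_vhost /etc/apache2/sites-available/sitebaru` before `a2ensite`; a mode of 750 with group web1 is enough, since under mpm-itk it is the sitebaru user, not www-data, that needs to read the files.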
ADDITIONAL NOTES
User quotas with Ubuntu
This step by step tutorial shows how to install and implement user quotas, to limit disk space available for selected users in a Linux system (tested on Ubuntu, using repositories).
To add support for user disk quotas on Ubuntu:
Install quota from repository:
sudo apt-get install quota
Edit, as root, /etc/fstab adding usrquota and grpquota to desired partitions:
/dev/hda3 /home ext3 defaults,usrquota,grpquota 0 2
Reboot the system.
Then
sudo edquota -u username -f /dev/desiredpartition
Editing the file:
Disk quotas for user username (uid 1050):
  Filesystem   blocks   soft       hard       inodes   soft   hard
  /dev/hdaN    0        31457280   31457280   0        0      0
Save that file… now do:
sudo edquota -t -f /dev/hda3
set grace periods to 0 seconds like this:
Grace period before enforcing soft limits for users:
Time units may be: days, hours, minutes, or seconds
  Filesystem   Block grace period   Inode grace period
  /dev/hda3    0seconds             0seconds
Save, and finally:
quotaoff -a
quotaon /dev/hda3
VSFTPD
Installation:
apt-get install vsftpd
Changing the default home directory:
sudo mkdir /srv/ftp
sudo usermod -d /srv/ftp ftp
Restart vsftpd:
/etc/init.d/vsftpd restart
To allow local users to log in and upload, edit the file /etc/vsftpd.conf:
local_enable=YES
write_enable=YES
To allow anonymous uploads:
anon_upload_enable=YES
To restrict users to their own home directory:
chroot_local_user=YES
To list the particular users that should be chrooted:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
For security reasons, writing to / inside the chrooted environment is not allowed. Change the permissions of the home directory to 555.
FTP-only users: add a valid shell to /etc/shells, the following line:
/usr/sbin/nologin
Change the shell of the user concerned in /etc/passwd to /usr/sbin/nologin
Howto: Backup and restore your system!
More recent, up-to-date information on what this tutorial deals with can be found on the Ubuntu Wiki:
https://help.ubuntu.com/community/BackupYourSystem
https://help.ubuntu.com/community/BackupYourSystem/TAR
https://help.ubuntu.com/community/Ca...BackupRecovery
Hi, and welcome to the Heliode guide to successful backing-up and restoring of a Linux system!
Most of you have probably used Windows before you started using Ubuntu. During that time you might have needed to backup and restore your system. For Windows you would need proprietary software for which you would have to reboot your machine and boot into a special environment in which you could perform the backing-up/restoring (programs like Norton Ghost).
During that time you might have wondered why it wasn't possible to just add the whole c:\ to a big zip-file. This is impossible because in Windows, there are lots of files you can't copy or overwrite while they are being used, and therefore you needed specialized software to handle this.
Well, I'm here to tell you that those things, just like rebooting, are Windows CrazyThings (tm). There's no need to use programs like Ghost to create backups of your Ubuntu system (or any Linux system, for that matter). In fact; using Ghost might be a very bad idea if you are using anything but ext2. Ext3, the default Ubuntu partition, is seen by Ghost as a damaged ext2 partition and does a very good job at screwing up your data.
1: Backing-up
"What should I use to backup my system then?" might you ask. Easy; the same thing you use to backup/compress everything else; TAR. Unlike Windows, Linux doesn't restrict root access to anything, so you can just throw every single file on a partition in a TAR file!
To do this, become root with
sudo su
and go to the root of your filesystem (we use this in our example, but you can go anywhere you want your backup to end up, including remote or removable drives.)
cd /
Now, below is the full command I would use to make a backup of my system:
tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys /
Now, let's explain this a little bit.
The 'tar' part is, obviously, the program we're going to use.
'cvpfz' are the options we give to tar, like 'create archive' (obviously), 'preserve permissions' (to keep the same permissions on everything the same), and 'gzip' to keep the size down.
Next, the name the archive is going to get. backup.tgz in our example.
Next comes the root of the directory we want to backup. Since we want to backup everything; /
Now come the directories we want to exclude. We don't want to backup everything since some dirs aren't very useful to include. Also make sure you don't include the file itself, or else you'll get weird results.
You might also not want to include the /mnt folder if you have other partitions mounted there or you'll end up backing those up too. Also make sure you don't have anything mounted in /media (i.e. don't have any cd's or removable media mounted). Either that or exclude /media.
EDIT : kvidell suggests below we also exclude the /dev directory. I have other evidence that says it is very unwise to do so though.
Well, if the command agrees with you, hit enter (or return, whatever) and sit back&relax. This might take a while.
Afterwards you'll have a file called backup.tgz in the root of your filesystem, which is probably pretty large. Now you can burn it to DVD or move it to another machine, whatever you like!
EDIT2: At the end of the process you might get a message along the lines of 'tar: Error exit delayed from previous errors' or something, but in most cases you can just ignore that.
Alternatively, you can use Bzip2 to compress your backup. This means higher compression but lower speed. If compression is important to you, just substitute the 'z' in the command with 'j', and give the backup the right extension. That would make the command look like this:
tar cvpjf backup.tar.bz2 --exclude=/proc --exclude=/lost+found --exclude=/backup.tar.bz2 --exclude=/mnt --exclude=/sys /
2: Restoring
Warning: Please, for goodness sake, be careful here. If you don't understand what you are doing here you might end up overwriting stuff that is important to you, so please take care!
Well, we'll just continue with our example from the previous chapter; the file backup.tgz in the root of the partition.
Once again, make sure you are root and that you and the backup file are in the root of the filesystem.
One of the beautiful things of Linux is that this'll work even on a running system; no need to screw around with boot-cd's or anything. Of course, if you've rendered your system unbootable you might have no choice but to use a live-cd, but the results are the same. You can even remove every single file of a Linux system while it is running with one command. I'm not giving you that command though!
Well, back on-topic. This is the command that I would use:
tar xvpfz backup.tgz -C /
Or if you used bz2;
tar xvpfj backup.tar.bz2 -C /
WARNING: this will overwrite every single file on your partition with the one in the archive!
Just hit enter/return/your brother/whatever and watch the fireworks. Again, this might take a while. When it is done, you have a fully restored Ubuntu system! Just make sure that, before you do anything else, you re-create the directories you excluded:
mkdir proc
mkdir lost+found
mkdir mnt
mkdir sys
etc...
And when you reboot, everything should be the way it was when you made the backup!
2.1: GRUB restore
Now, if you want to move your system to a new harddisk or if you did something nasty to your GRUB (like, say, install Windows), you'll also need to reinstall GRUB. There are several very good howto's on how to do that here on this forum, so I'm not going to reinvent the wheel. Instead, take a look here:
http://www.ubuntuforums.org/showthre...t=grub+restore
There are a couple of methods proposed. I personally recommend the second one, posted by remmelt, since that has always worked for me.
Well that's it! I hope it was helpful!
As always, any feedback is appreciated!
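The guide's two commands work on "/" and cannot be rehearsed safely. Below is an added example, not part of the original document or of the quoted guide, that wraps the same tar invocations (create with c/p/z/f and --exclude, restore with x/p/z/f and -C) in functions that take the tree root as a parameter, so the backup, the exclusion of the archive itself and of pseudo-filesystems, the restore and the re-creation of excluded mount points can all be tried on a scratch directory before being pointed at a real system. The function names are mine and the sample tree in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the original document or the quoted guide): the
# guide's tar backup/restore as functions over an arbitrary tree root.
# Function names are mine; the tree used for testing is constructed.

# Archive the tree rooted at $1 into $2 (gzip, permissions preserved).
# Further arguments are top-level directories to exclude, e.g. proc sys mnt.
# The archive file itself is always excluded, as the guide warns; this only
# works if $2 lives directly in $1, as /backup.tgz does for /.
backup_tree() {
    src="$1"; out="$2"; shift 2
    excl="--exclude=./$(basename "$out")"
    for e in "$@"; do excl="$excl --exclude=./$e"; done
    # Members are stored relative to $src ("./etc/..."), so the same archive
    # can be restored into / or into a scratch directory with -C.
    # shellcheck disable=SC2086  (word splitting of $excl is intended)
    tar -C "$src" -cpzf "$out" $excl .
}

# List the members of archive $1, one per line, sorted.
list_backup() {
    tar -tzf "$1" | sort
}

# Restore archive $1 into directory $2 (the guide uses -C /).
restore_tree() {
    mkdir -p "$2"
    tar -C "$2" -xpzf "$1"
}

# Recreate under $1 the mount points that were excluded from the backup.
recreate_excluded() {
    dest="$1"; shift
    for d in "$@"; do mkdir -p "$dest/$d"; done
}
```

For a real system the calls become `backup_tree / /backup.tgz proc sys mnt lost+found` and, after booting into the restored disk, `restore_tree /backup.tgz /` followed by `recreate_excluded / proc sys mnt lost+found`; `list_backup` is the quick way to confirm nothing from /proc or /mnt slipped into the archive before it is burned to DVD.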
HOWTO: Restore GRUB (if your MBR is messed up)
Restoring GRUB is quite simple in Ubuntu; instead of going through all the "gain root access" and playing with shell commands, you can use the Ubuntu installation CD to restore it without going through all kinds of hassles.
Here are the steps:
1. Boot your computer up with the Ubuntu CD
2. Go through all the process until you reach "[!!!] Disk Partition"
3. Select Manual Partition
4. Mount your appropriate Linux partitions
/
/boot
swap
.....
5. DO NOT FORMAT THEM.
6. Finish the manual partition
7. Say "Yes" when it asks you to save the changes
8. It will give you errors saying that "the system couldn't install ....." after that
9. Ignore them, keep selecting "continue" until you get back to the Ubuntu installation menu
10. Jump to "Install Grub ...."
11. Once it is finished, just restart your computer
Good luck!