In this first part of a series of 3 posts about setting up a Witness server we will see how to install the prerequisites and do some tuning.
- CPU: Intel Xeon E3-1230v6 4 Cores/8 Threads 3.50 GHz
- RAM: 32GB DDR4 ECC 2133MHz
- HDD: 1 TB NVMe SSD
How-To: Secure Ubuntu server (18.04)
Increasing the security and usability of your Ubuntu server is very important. There are a few configuration and installation steps that you should take early on as part of the basic setup.
Never use the root user directly; prefer to create a new user. In our case we will use an account named witness with sudo rights.
As root, run this command to add your new user
~# adduser witness
The system will ask you for a password, use a secure one! (upper, lower, number, special)
Adding user `witness' ...
Adding new group `witness' (1000) ...
Adding new user `witness' (1000) with group `witness' ...
Creating home directory `/home/witness' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
When done, you just need to fill in the Full Name and type y to validate.
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for witness
Enter the new value, or press ENTER for the default
	Full Name : witness
	Room Number :
	Work Phone :
	Home Phone :
	Other :
Is the information correct? [Y/n] y
Don't forget to run this command to add your new user to the sudo group
~# usermod -aG sudo witness
Add Public Key Authentication (SSH)
Set up public key authentication for your new user. Setting this up will increase the security of your server by requiring a private SSH key to log in.
Generate The Key Pair for SSH
If you don't have an SSH key pair already, you can create one by following this process. To generate a new key pair, enter the following command in your terminal (use the option -b 4096 for higher security).
~$ ssh-keygen -b 4096
Assuming your local user is witness, you will see the following output:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/witness/.ssh/id_rsa):
Hit return to accept the default location, and secure your key with a strong passphrase!
Created directory '/home/witness/.ssh'
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
At the end you will have output like this (fingerprint and randomart redacted)
Your identification has been saved in /home/witness/.ssh/id_rsa.
Your public key has been saved in /home/witness/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XXXXXXXXXXXXXXXXXXX5GcBMBXXXXXXXXXXM witness@<hostname>
The key's randomart image is:
+---[RSA 4096]----+
|XXXX             |
|XX               |
|X X XX XXX       |
|XXX X XXX        |
|X XXXX X XX      |
| XX XX           |
| X               |
| X               |
|                 |
+----[SHA256]-----+
You now have 2 files in the directory /home/witness/.ssh/: a private key id_rsa and a public key id_rsa.pub.
Rename the Public Key
If you generated the keys directly on the server, rename the public key to authorized_keys like this
~/.ssh$ sudo mv id_rsa.pub authorized_keys
Then retrieve the private key id_rsa onto your computer (don't leave it on the server!).
PuTTY users: load the private key id_rsa in PuTTYgen, then save the private key to get it in .ppk format.
Disabling Password Authentication and changing the default TCP port
If you were able to log in to your account using SSH with the private key, then you have successfully configured SSH key-based authentication for your account. We can now disable password authentication in the ssh config file (and don't hesitate to also change the default port number 22).
Edit the ssh config file
~/.ssh$ sudo vim /etc/ssh/sshd_config
Uncomment the #Port 22 line and change the number to 8022.
Change the value of PermitRootLogin to no
Change the value of PasswordAuthentication to no
Save and close the file when you are finished. To actually apply the changes we just made, you must restart the service.
~/.ssh$ sudo service ssh restart
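As an added check (example script, not from the original post): before restarting sshd, audit the config file for the three settings above, since a mistake locks you out of a server that is only reachable over SSH. It assumes POSIX sh and awk, and the path /etc/ssh/sshd_config edited above.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the three
# changes made above before restarting sshd. A mistake here locks you out of a
# server that is only reachable over SSH, so check first ("sudo sshd -t" then
# validates the syntax as well).
# Usage: check_sshd_config /etc/ssh/sshd_config

# Print the effective value of KEY in FILE. sshd uses the first uncommented
# occurrence; lines after the first "Match" block only apply conditionally, so
# we stop there; commented lines merely document the compiled-in default.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 only if Port is not 22, PermitRootLogin is no and
# PasswordAuthentication is no; prints one OK/FAIL line per setting.
check_sshd_config() {
    file="$1"
    rc=0
    port=$(effective_value "$file" Port)
    case "$port" in
        ""|22) echo "FAIL Port: still the default 22"; rc=1 ;;
        *)     echo "OK   Port $port" ;;
    esac
    if [ "$(effective_value "$file" PermitRootLogin)" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin: must be no (unset means prohibit-password)"; rc=1
    fi
    if [ "$(effective_value "$file" PasswordAuthentication)" = "no" ]; then
        echo "OK   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication: must be no (unset means yes)"; rc=1
    fi
    return "$rc"
}

# Run against the file given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_sshd_config "$@"
fi
```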
Basic firewall rules
The default firewall configuration tool for Ubuntu is ufw. It’s an interface to iptables.
Allow our specific TCP port for ssh
To add our TCP port 8022 for ssh, use the command below
~$ sudo ufw allow proto tcp from any to any port 8022
Allow other ports needed for a Witness server
A Witness server uses TCP port 2001 by default and optionally needs TCP ports for the ws, http and rpc plugins. To allow them, you can use the command below as an example (port 443 is for https!)
~$ sudo ufw allow proto tcp from any to any port 2001,443
To enable ufw, use this command:
~$ sudo ufw enable
Answer y to the question to proceed
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
To list the active rules, use the command
~$ sudo ufw status
The output will be something like this
Status: active

To                         Action      From
--                         ------      ----
8022/tcp                   ALLOW       Anywhere
2001/tcp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8022/tcp (v6)              ALLOW       Anywhere (v6)
2001/tcp (v6)              ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
Fail2ban scans the server's log files and bans IPs that show malicious signs, for example too many password failures, seeking for exploits, etc. It works as a service and creates rules that automatically alter the iptables configuration, all based on a predefined number of unsuccessful login attempts. This allows the server to respond to illegitimate access attempts without manual intervention.
Fail2ban is in the Ubuntu package list. To install it from a command prompt, do as follows (update first).
~$ sudo apt-get update
~$ sudo apt-get install fail2ban
Configuration files are in the /etc/fail2ban directory. Stop the service
~$ sudo service fail2ban stop
Duplicate the config file jail.conf to keep the default options in it (this file can be overwritten when updates are applied). Put all the specific settings in jail.local.
~$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we can modify the jail.local file to adjust it to our server case
~$ sudo vim /etc/fail2ban/jail.local
The base setup consists of adding one or more source IPs to ignore, the ban time and the number of retries allowed. To do this we need to modify the variables:
- ignoreip = IPs to ignore (separated by a space).
- bantime (in seconds) = how long a client stays banned (default 10 minutes).
- findtime (in seconds) = the window of time in which the retries are counted (see below).
- maxretry = number of tries before being banned.
By default a client is banned for 10 minutes after 5 tries within 10 minutes.
Configure email alerts with the variables destemail, sendername and mta. To use them you need the Ubuntu package sendmail!
To activate a jail you just need a line enabled = true in the appropriate section [sshd], and to modify the port (remember we use a specific one!)
[sshd]
enabled = true
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port    = ssh,8022
logpath = %(sshd_log)s
backend = %(sshd_backend)s
After editing, start the fail2ban service
~$ sudo service fail2ban start
If you want to go deeper into fail2ban, I suggest this excellent post from Linode
Use the command fail2ban-client with one of these subcommands to act on the service or check information:
- start: Starts the server and jails.
- reload: Reloads configuration files.
- reload JAIL: Replaces JAIL with the name of a Fail2ban jail; this will reload the jail.
- stop: Stops the server.
- status: Shows the status of the server and the enabled jails.
- status JAIL: Shows the status of the jail, including any currently-banned IPs.
Replace JAIL with the jail you want to check, for example sshd
~$ sudo fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
~$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:
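To see what the findtime / maxretry / ignoreip values chosen in jail.local actually do, here is an added example (not from the original post or the fail2ban project) that replays that decision over constructed auth.log lines. It only matches the "Failed password" line; the real filter.d/sshd.conf covers many more patterns, and the hostname srv and the addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original post): replay the sshd jail's
# findtime / maxretry / ignoreip decision over auth.log lines, to see what the
# values chosen in jail.local would ban. The log lines below are constructed;
# syslog timestamps carry no year, so all attempts are assumed to fall on one day.
# Usage: printf '%s\n' "$SAMPLE_LOG" | simulate_bans FINDTIME MAXRETRY [IGNOREIP ...]

SAMPLE_LOG='Mar 31 04:00:00 srv sshd[1100]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 31 04:12:00 srv sshd[1101]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 31 04:24:00 srv sshd[1102]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 31 04:36:00 srv sshd[1103]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 31 04:48:00 srv sshd[1104]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar 31 05:00:01 srv sshd[1200]: Failed password for invalid user admin from 203.0.113.5 port 50101 ssh2
Mar 31 05:00:09 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50102 ssh2
Mar 31 05:00:20 srv sshd[1202]: Failed password for root from 203.0.113.5 port 50103 ssh2
Mar 31 05:00:31 srv sshd[1203]: Failed password for root from 203.0.113.5 port 50104 ssh2
Mar 31 05:00:44 srv sshd[1204]: Failed password for root from 203.0.113.5 port 50105 ssh2
Mar 31 05:02:10 srv sshd[1205]: Accepted publickey for witness from 192.0.2.1 port 51000 ssh2
Mar 31 05:10:00 srv sshd[1300]: Failed password for witness from 192.0.2.1 port 51001 ssh2
Mar 31 05:10:05 srv sshd[1301]: Failed password for witness from 192.0.2.1 port 51002 ssh2
Mar 31 05:10:10 srv sshd[1302]: Failed password for witness from 192.0.2.1 port 51003 ssh2
Mar 31 05:10:15 srv sshd[1303]: Failed password for witness from 192.0.2.1 port 51004 ssh2
Mar 31 05:10:20 srv sshd[1304]: Failed password for witness from 192.0.2.1 port 51005 ssh2'

# Print each source IP at the moment it would be banned, in log order.
simulate_bans() {
    findtime="$1"; maxretry="$2"; shift 2
    awk -v findtime="$findtime" -v maxretry="$maxretry" -v ignore="$*" '
        BEGIN { n = split(ignore, ign, " "); for (i = 1; i <= n; i++) skip[ign[i]] = 1 }
        # Match only the failure line the sshd filter looks for; $3 is HH:MM:SS.
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, hms, ":")
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ((ip in skip) || (ip in banned)) next
            # Record this attempt, then count attempts inside the findtime window.
            cnt[ip]++; when[ip, cnt[ip]] = t
            recent = 0
            for (j = 1; j <= cnt[ip]; j++) if (t - when[ip, j] <= findtime) recent++
            if (recent >= maxretry) { banned[ip] = 1; print ip }
        }
    '
}
```

With the defaults (findtime 600, maxretry 5) only 203.0.113.5 is banned; 198.51.100.7 spreads its 5 tries over 48 minutes and slips under the window unless findtime is raised, which is exactly the trade-off those two variables encode.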
UTILITIES and TUNING
Install and use the port scanner nmap to check your open ports
~$ sudo apt-get install nmap
To scan the server, use the command
~$ nmap -sV -p 1-65535 localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-31 05:06 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
53/tcp   open  domain
953/tcp  open  rndc?
8022/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.89 seconds
-sV = service identification
-p = list of ports to scan (range separated by -)
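A localhost scan like the one above lists everything that is listening, while the ufw rules listed earlier decide what is reachable from outside; the two views should be compared. This added example (not from the original post) does that over constructed copies of "sudo ufw status" (the output shown above) and "ss -ltn" output, so it needs no live system; the ss lines are made up.

```shell
#!/bin/sh
# Added example (not from the original post): a localhost nmap scan, as above,
# lists every service that is listening, but only ufw decides what is reachable
# from outside. This cross-checks the two views: a listening port with no ALLOW
# rule is local-only (or forgotten), an ALLOW rule with nothing listening is
# stale. Inputs are constructed copies of "sudo ufw status" and "ss -ltn"
# output, so it runs without a live system.

UFW_STATUS='Status: active
To                         Action      From
--                         ------      ----
8022/tcp                   ALLOW       Anywhere
2001/tcp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8022/tcp (v6)              ALLOW       Anywhere (v6)
2001/tcp (v6)              ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

SS_LISTEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 127.0.0.1:953 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8022 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2001 0.0.0.0:*
LISTEN 0 128 [::]:8022 [::]:*'

# TCP ports with an ALLOW rule (v4 and v6 rows), one per line, sorted, unique.
allowed_tcp_ports() {
    printf '%s\n' "$1" | awk '/ALLOW/ && $1 ~ /^[0-9]+\/tcp$/ { sub(/\/tcp$/, "", $1); print $1 }' | sort -un
}

# TCP ports something is listening on, taken from the local address column.
listening_tcp_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { sub(/.*:/, "", $4); print $4 }' | sort -un
}

# classify_ports UFW_OUTPUT SS_OUTPUT -> "PORT exposed|local-only|stale-rule" per port.
classify_ports() {
    awk -v a="$(allowed_tcp_ports "$1")" -v l="$(listening_tcp_ports "$2")" '
        BEGIN {
            n = split(a, A, "\n"); for (i = 1; i <= n; i++) { allow[A[i]] = 1; seen[A[i]] = 1 }
            m = split(l, L, "\n"); for (i = 1; i <= m; i++) { listen[L[i]] = 1; seen[L[i]] = 1 }
            for (p in seen) {
                state = (p in allow) ? ((p in listen) ? "exposed" : "stale-rule") : "local-only"
                print p, state
            }
        }' | sort -n
}
```

On the constructed input, 2001 and 8022 are exposed, 53 and 953 are listening but not allowed (here bound to loopback anyway), and 443 is an ALLOW rule with nothing behind it yet.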
Time Synchronization with NTP
For a better time synchronization, we will use the NTP package.
Before installing ntpd, we should turn off timesyncd (the default manager for time synchronization):
~$ sudo timedatectl set-ntp no
Verify that timesyncd is off:
~$ timedatectl
                      Local time: Tue 2020-03-31 05:32:52 UTC
                  Universal time: Tue 2020-03-31 05:32:52 UTC
                        RTC time: Tue 2020-03-31 05:32:52
                       Time zone: Etc/UTC (UTC, +0000)
       System clock synchronized: yes
systemd-timesyncd.service active: no
                 RTC in local TZ: no
We can see that systemd-timesyncd.service active is set to no.
To install the NTP package, run the command
~$ sudo apt install ntp
ntpd will be started automatically after install. You can check the version with the command
~$ sntp --version
We need to edit the ntp.conf file to replace the default ubuntu.pool with something closer. To do this, you first need to check here https://www.ntppool.org/zone/@ which are the closest pool servers.
~$ sudo vim /etc/ntp.conf
Replace the default pool lines
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
pool 3.ubuntu.pool.ntp.org iburst
with your nearest NTP pool servers (fr in my case)
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
pool 0.fr.pool.ntp.org iburst
pool 1.fr.pool.ntp.org iburst
pool 2.fr.pool.ntp.org iburst
pool 3.fr.pool.ntp.org iburst
Restart the service
~$ sudo service ntp restart
Check if everything is OK
~$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.fr.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.fr.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.fr.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.fr.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
Increase the max open files limit
To avoid the "Too many open files" problem we need to make a few changes to the ulimits
~$ sudo vim /etc/security/limits.conf
Add the following lines
root    soft nproc  999999
root    hard nproc  999999
root    soft nofile 999999
root    hard nofile 999999
witness soft nproc  999999
witness hard nproc  999999
witness soft nofile 999999
witness hard nofile 999999
~$ sudo vim /etc/pam.d/common-session
Add the following line
session required pam_limits.so
Reboot the server for the change to take effect.
Check the open files limit (you need to be connected as the right user!)
~$ ulimit -n
999999
Install SCREEN and LNAV
Install the package screen (a terminal multiplexer), if not already installed; it keeps running even if the window is not visible or if you get disconnected.
~$ sudo apt install screen
Install the package lnav, a log file navigator with streaming and regex search
~$ sudo apt install lnav
[WITNESS server - part II] HIVE - The manual way
If you liked Upvote, Follow, Reblog or Cross post are welcome - @mintrawa