-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdeployment
More file actions
449 lines (316 loc) · 13.5 KB
/
deployment
File metadata and controls
449 lines (316 loc) · 13.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
------------------------- Virtual Box setting -------------------------
> setting Network attached to Bridged Adapter
> size of the virtual hard disk 8gb
------------------------- OS Installation -------------------------
> Shin as hostname
> Setup loot password as 1231
> Username as hyshin
> for software selection, only chose web server, SSH server, standard system utilities (No need others for this project)
------------------------- Setup & install -------------------------
> type su to access root
> to download and update all the needed applications. (uwf for firewall) (fail2ban for DOS protection) by typing this commands
apt-get update -y && apt-get upgrade -y, apt-get install sudo vim ufw portsentry fail2ban apache2 mailutils -y
------------------------- Configure sudo-------------------------
In order to get special rights for my user I need to edit /etc/sudoers file.
use command "vim /etc/sudoers" and add this line after root
/// #User privilege specification
root ALL=(ALL:ALL) ALL
hyshin ALL=(ALL:ALL) NOPASSWD:ALL
///end of line
------------------------- Setup static IP -------------------------
check current setting using "cat /etc/network/interfaces"
The output should look like this:
///start output
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet dhcp
/// end output
Now, remove the last line and change "allow-hotplug" to "auto"
create a file and edit "/etc/network/interfaces.d/enp0s3" with:
> sudo vim /etc/network/interfaces.d/enp0s3
///content start
iface enp0s3 inet static
address 10.13.200.247
netmask 255.255.255.252
gateway 10.13.254.254
///content end
Now, restart the network service to make changes:
> sudo service networking restart
check your ip now:
> ip a
connect the SSH service in remote terminal:
> ssh hyshin@10.13.200.247
------------------------- Change SSH default port -------------------------
> sudo vim /etc/ssh/sshd_config (NOT ssh_config!!)
Change line 13 "Port 22" to "Port 54321" and if this line has "#" take it away
Port numbers are assigned in various ways, based on three ranges: System Ports (0-1023) this is forbidden to use, User Ports (1024-49151) this should be avoided as well, and the Dynamic and/or Private Ports (49152-65535) this range can be used;
available information here: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Restart the sshd services
> sudo service sshd restart
Now we can connect to remote terminal with this port number:
> ssh hyshin@10.13.200.247 -p 54321
------------------------- SSH access with public key -------------------------
Generate a public/private RSA key pair, on the host machine (in terminal of our local machine, outside of virtual machine)
we can check if there is already rsa_key exists or not in our host computer (command > ls ~/.ssh/id_rsa*)
> ssh-keygen -t rsa
This command will generate 2 files id_rsa and id_rsa.pub
id_rsa: This is private key, we should keep it safely, we can encrypt it with a password
id_rsa.pub: Our public key, we have to transfer this one to the server. You can freely share your public key with others. if someone else adds your public key to their server, you will be able to log in to that server.
Source: https://www.linode.com/docs/security/authentication/use-public-key-authentication-with-ssh/#connect-to-the-remote-server
-----------------
Add public key to the server:
> ssh-copy-id -i /Users/hyshin/.ssh/id_rsa.pub hyshin@10.13.200.247 -p 54321
The public key is automatically added in "~/.ssh/authorized_keys" on the server.
------------------
Now we need to disable password authentication and login:
>sudo vim /etc/ssh/sshd_config
change line 32,37,56. It should look like this
////
#PermitRootLogin prohibit-password / L32
#PubkeyAuthentication yes / L37
#PasswordAuthentication yes / L56
////
to
////
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
////
Don't forget to remove "#"
-----------------------
Restart the SSHD service
>sudo service sshd restart
No we are able to connect to the server via ssh with the public key without typing in the password and login into the root will not be possible.
> ssh hyshin@10.13.200.247 -p 54321
we should use the password for private key.
------------------------- Set the rules for firewall -------------------------
First check firewall status using
>sudo ufw status
Now, allow incoming traffic to HTTPS, HTTP, ssh (our 54321 port)
> sudo ufw enable
> sudo ufw default deny incoming
> sudo ufw default allow outgoing
> sudo ufw allow 443
> sudo ufw allow 80/tcp
> sudo ufw allow 54321/tcp
Here, 443 is HTTPS, 80/tcp is HTTP, and 54321 is SSH
Now, restart ufw service:
> sudo ufw reload
Source: https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server
------------------------- Set up DOS protection with fail2ban -------------------------
Check current rules:
> sudo service fail2ban status
We need to edit the jail.conf in the fail2ban folder, but we need to make adding
copy of the fail, otherwise the conf file will reset itself to default.
<<< sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local >>>
------------------------------------------------------------------------------
Now we can edit the jail.local file, the Jail part inside the file should
look like this: (on line 238)
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime = 600
**********#Add after HTTP servers: ***********
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 300
findtime = 300
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]
------------------------------------------------------------------------------
Now we need to create a http-get-dos.conf inside this folder
sudo vim /etc/fail2ban/filter.d/http-get-dos.conf
The output should look like this:
[Definition]
failregex = ^<HOST> -.*"(GET|POST).
*ignoreregex =
------------------------------------------------------------------------------
Last but not least we need to reload our firewall and fail2ban:
<<< sudo ufw reload >>>
<<< sudo service fail2ban restart >>>
------------------------------------------------------------------------------
We can test if the new conf works with SlowLoris (an HTTP DDOS attack script)
install git: <<< sudo apt-get install git >>>
install SlowLoris: <<< git clone https://github.com/gkbrk/slowloris.git >>>
Run the program: perl slowloris.py 10.13.200.**
-----------------------------------------------------------------------------
To see if our new fail2ban conf actually works we need to check the following
file: ~/var/log/fail2ban.log
#################
------------------------- Setting up protection agains port scans -------------------------
First we need to install the nmap tool with <<< sudo apt-get install nmap >>>
Nmap is a free and open source netwokr discovery and security utility. It works
by ssending data packets on a specific target and by interpreting the incoming
packets to determine what ports are open or closed.
We get the following output if we run nmap:
> sudo nmap ip_address_of_machine_want_to_attack
> sudo nmap 10.13.200.247
In standard mode portsentry runs in the background and reports any violations, in Stealth modes, PortSentry will use a raw socket to monitor all incoming packets, and if a monitored port is probed, it will block the host. The most sensitive modes are those used by Advanced Stealth scan detection. You can explicitly ask PortSentry to ignore certain ports (which can be key when running a particularly reactionary configuration) to protect legitimate traffic. By default, PortSentry pays most attention to the first 1024 ports (otherwise known as privileged ports)because that’s where non-ephemeral connections usually originate from daemons.
> sudo vim /etc/default/portsentry
change tcp and udp to atcp and audp (advanced) or overwrite with file resources/portsentry
> sudo vim /etc/portsentry/portsentry.conf
Ignore Options are:
# 0 = Do not block UDP/TCP scans
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
change
"
BLOCK_UDP="0"
BLOCK_TCP="0"
"
to
BLOCK_UDP="1"
BLOCK_TCP="1"
................
we opt for a blocking of malicious persons through iptables.
Comment the current KILL_ROUTE command and uncomment the following one:
> KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
This will drop all packets originating from an attacker’s IP address and
log future connection attempts.
..................
Comment this out:
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY
So the SSH access is not denied.
.................
Now restart the portsentry service:
> sudo service portsentry restart
.................
------------------------- Stop the services I don't need for this project -------------------------
In order to see, list of services those are enable
> sudo systemctl list-unit-files --type=service | grep enabled
...................
> sudo systemctl disable console-setup.service
This package provides the console with the same keyboard configuration scheme as the X window system
> sudo systemctl disable keyboard-setup.service
> sudo systemctl disable syslog.service
------------------------- Update Packages with cron -------------------------
create log file
> sudo touch /var/log/update_script.log
> sudo chmod 777 /var/log/update_script.log
Create and edit update.sh:
> sudo vim update.sh
Add:
#########
sudo apt-get update -y >> /var/log/update_script.log
sudo apt-get upgrade -y >> /var/log/update_script.log
#########
Change file mode:
> sudo chmod 755 update.sh
Add task to cron:
> sudo crontab -e
Add:
"@reboot sudo ~/update.sh
0 4 * * 6 sudo ~/update.sh"
Enable cron:
> sudo systemctl enable cron
------------------------- Monitor file change with cron -------------------------
Create and edit ~/cronmonitor.sh like:
> vim ~/cronmonitor.sh
//CONTENT
#!/bin/bash
FILE="/home/hyshin/crontab_monitor"
FILE_TO_MONITOR="/etc/crontab"
MD5=$(sudo md5sum $FILE_TO_MONITOR)
if [ ! -f $FILE ]
then
echo "$MD5" > $FILE
exit 0;
fi;
if [ "$MD5" != "$(sudo cat $FILE)" ]
then
echo "$MD5" > $FILE
echo "$FILE_TO_MONITOR has been changed! 0_0! Be careful." | mail -s "$FILE_TO_MONITOR was changed!" root
fi;
//END OF CONTENT
Change file mode
> sudo chmod 755 cronmonitor.sh
Add task to crontab:
> sudo crontab -e
0 0 * * * sudo /home/hyshin/cronmonitor.sh
------------------------- Webpage deploying -------------------------
Now we need a web server. Web servers are used to serve web pages requested by clients computers. Here, we will use apache2 web server.
In order to see status of the apache2 web server, type following command
> sudo systemctl status apache2
in your browser type your ip:
> 10.13.200.247
if your ip doesn't work then restart apache server
> sudo systemctl restart apache2
if apache2 server works fine then type
>sudo vim /var/www/html/index.html
it will open index.html, now you can edit this .html file based on your webpage requirement.
------------------------- SSL certificate -------------------------
For this section this is the best article:
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
> sudo mkdir -p /etc/ssl/localcerts
> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
> sudo ls -la /etc/ssl/localcerts/
> sudo chmod 600 /etc/ssl/localcerts/apache*
> sudo ls -la /etc/ssl/localcerts/
> sudo vim /etc/apache2/conf-available/ssl-params.conf
add the following content
########
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off
######
add content from here: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
.....................
> sudo vim /etc/apache2/sites-available/default-ssl.conf
add the following content
##############
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin hyshin@student.hive.fi
ServerName 10.13.200.247
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/localcerts/apache.pem
SSLCertificateKeyFile /etc/ssl/localcerts/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
###########
> sudo vim /etc/apache2/sites-available/000-default.conf
redirect to your IP address
#########
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
Redirect permanent "/" "https://10.13.200.247/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
###########
Load the new configurations
> sudo a2enmod ssl <enter>
> sudo a2enmod headers <enter>
> sudo a2ensite default-ssl <enter>
> sudo a2enconf ssl-params <enter>
# Reload the apache 2
> systemctl reload apache2 <enter>
------------------------------------------------------------