Debian Tutorials » Security

Prevent brute force attacks using fail2ban

aip — Mon, 21 Jun 2010 22:38:04 +0000

fail2ban monitors log files such as /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Currently, by default, fail2ban supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file.

1. Install fail2ban

apt-get install fail2ban

2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.

You can tail the fail2ban log file to monitor actions:

tail -f /var/log/fail2ban.log

Sample results

2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started 2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban 192.168.1.18

Installing HAVP (HTTP Antivirus Proxy)

aip — Sun, 13 Jun 2010 06:50:05 +0000

HAVP (HTTP Antivirus Proxy) is a proxy with a ClamAV anti-virus scanner. The main aims are continuous, non-blocking downloads and smooth scanning of dynamic and password protected HTTP traffic. Havp antivirus proxy has a parent and transparent proxy mode. It can be used with squid or standalone.

1. Install HAVP

apt-get install havp

2. Start HAVP if it didn't start after the installation

/etc/init.d/havp start

It's ready, by default HAVP listens on port 8080. You can configure your web browser to use the server as a proxy.

You can customize the error pages by editing the html files in this directory: /etc/havp/templates/en/

OpenID authentication with the mod_auth_openid Apache module

aip — Wed, 09 Jun 2010 21:33:10 +0000

mod_auth_openid is an authentication module for the Apache 2 webserver. It handles the functions of an OpenID consumer as specified in the OpenID 2.0 specification.

After a user authenticates themselves, the user's identity will be available in the REMOTE_USER variable. A cookie named open_id_session_id is saved to maintain each user's session.

1. Install the module

apt-get install libapache2-mod-auth-openid

2. Enable the module

a2enmod authopenid

3. You can now add the line below to any Directory, Location or File directive in the virtual host configuration or a .htaccess file .

AuthOpenIDEnabled On

Click here for more configuration options, including only allowing logins from specific OpenID providers and using a custom login page

4. Restart Apache

/etc/init.d/apache2 restart

Install mod_spamhaus Apache module to fight comment spam

aip — Tue, 01 Jun 2010 20:53:01 +0000

mod_spamhaus is an Apache module for DNS Block Listing that protects web services by denying access to particular IP addresses. It can stop spam relaying via web form URL injection, and block HTTP DDoS attacks from bot-nets.

It queries sbl-xbl.spamhaus.org, taking advantage of the Spamhaus Block List (SBL) and the Exploits Block List (XBL).

1. Download the latest mod_spamhaus deb package from sid package repository (mod_spamhaus is not available for lenny but we can use the sid package)

wget http://ftp.us.debian.org/debian/pool/main/m/mod-spamhaus/libapache2-mod-spamhaus_0.7-1_i386.deb

This package is for i386. If you are using other architecture, you can find a suitable package on the bottom of this page: http://packages.debian.org/sid/libapache2-mod-spamhaus

2. Install the package

dpkg -i libapache2-mod-spamhaus_0.7-1_i386.deb

Apache is automatically restarted and the module is enabled. If you would like to test the module you can add a line to your hosts file to make it think that your IP address is blocked (pico /etc/hosts)

127.0.0.4 1.0.168.192.sbl-xbl.spamhaus.org

Replace 1.0.168.192 with your IP address and reverse it. The IP address 192.168.0.1 should read 1.0.168.192.

By default, only POST, PUT, OPTIONS, CONNECT methods are blocked. You can add GET to the list of methods blocked in /etc/apache2/mods-enabled/mod-spamhaus.conf to block the spammers from seeing your website.

Installing and configuring PPTP VPN server on lenny

aip — Wed, 17 Feb 2010 22:21:36 +0000

If you would like to setup a Virtual Private Network (VPN) for Windows clients, PPTP is a great choice. It's easy to set up on the server and you don't need any additional software for the Windows clients to connect.

1. Install the required packages

apt-get install pptpd

2. Configure the IP range assigned to clients (pico /etc/pptpd.conf)

localip 192.168.1.2 remoteip 192.168.1.10-20

Using this config the clients are assigned any IP address between and including 192.168.1.10 and 192.168.1.20.

3. Restart the PPTP daemon

/etc/init.d/pptpd restart

4. Create a user allowed to connect (pico /etc/ppp/chap-secrets)

user1 pptpd secretpassword *

Passwords are not encrypted. This allows the a user with the username: user1 and the password: secretpassword to login from any ip address.

5. Enable IP forward at startup to allow the VPN clients to connect to the server's local network. (pico /etc/sysctl.conf)

net.ipv4.ip_forward=1

Also run this command to activate the IP forward instantly:

echo 1 > /proc/sys/net/ipv4/ip_forward

6. Create a routing rule to allow the VPN clients to route network traffic through the server.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Read this tutorial to learn how to create iptables rules on startup:
Loading iptables rules on startup

Installing suPHP

aip — Fri, 01 Jan 2010 22:05:02 +0000

suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.

1. Install suPHP

apt-get install libapache2-mod-suphp

2. Disable the php5 apache module

a2dismod php5

3. Restart Apache

/etc/init.d/apache2 restart

4. You can test if suPHP is working correctly by creating a php file containing the following lines:

system('id'); ?>

The script will return user/group id and name. Make sure you set the file owner to a user/group with id greater than 99.

Scan your web server for vulnerabilities with Nikto

aip — Mon, 28 Dec 2009 09:49:56 +0000

Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers.

1. Install Nikto

apt-get install nikto

2. Test the local web server

nikto -h localhost

Nikto also supports testing on different ports. Click here for Nikto usage information.

Disable root login to SSH

aip — Mon, 09 Nov 2009 20:44:31 +0000

Allowing root logins to your SSH damon is a big security threat. If the SSH port is open, hackers will probably at some time attempt to brute force your root password. It's a good idea to disable root logins to SSH and instead use a normal user to login and type "su -" to enter the super user shell or sudo to perform tasks that require root privileges.

1. Open the SSH daemon config file and change this line: (pico /etc/ssh/sshd_config)

PermitRootLogin no

2. Restart the SSH daemon

/etc/init.d/ssh restart

Adding a sudoer to use sudo on Debian

aip — Mon, 09 Nov 2009 20:36:59 +0000

Sudo allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

1. Create a new user (optional)

adduser user1

2. Make sure sudo is install (installed by default on lenny)

apt-get install sudo

3. Add the new user to the sudo-ers list (visudo)

user1 ALL=(ALL) ALL

This will allow user1 to run all commands that require root privileges. You can also limit the access, Click here to view the syntax

4. Save the file by pressing Ctrl-X if you are using Nano/pico or :w if using vi

You can now login as the standard user (user1) and execute commands that require root privileges using sudo.

Securing unencrypted traffic with stunnel

aip — Wed, 14 Oct 2009 20:54:44 +0000

Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. In this tutorial we'll secure Samba connection but you could use this for other services like SMTP, IMAP, POP3 etc.

If you are securing a service where the client supports encrypting like SMTP, IMAP and POP3 you can skip the client step.

Server

1. Install stunnel

apt-get install stunnel

2. Configure Samba to only listen on localhost only (pico /etc/samba/smb.conf)

interfaces = 127.0.0.0/8 bind interfaces only = yes

3. Restart Samba

/etc/init.d/samba restart

4. Create SSL certificate and a key

openssl req -new -nodes -x509 -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem

5. Configure stunnel to listen for secure connections on port 8139 and forward to port 139 on localhost (pico /etc/stunnel/stunnel.conf)

cert = /etc/stunnel/stunnel.pem [smb] accept = 8139 connect = 139

6. Enable stunnel (pico /etc/default/stunnel4)

ENABLED=1

7. Start stunnel

/etc/init.d/stunnel4 restart

Client

1. Install stunnel and smbclient

apt-get install smbclient stunnel

2. Configure stunnel to listen for connections on localhost:139 and forward to the server on port 8139 using a secure connection (pico /etc/stunnel/stunnel.conf)

client = yes [smb] accept = localhost:139 connect = {ip}:8139

Replace {ip} with the IP address of your server previously configured

3. Enable stunnel (pico /etc/default/stunnel4)

ENABLED=1

4. Start stunnel

/etc/init.d/stunnel4 restart

5. Test the connection using smbclient

smbclient -U user1 //localhost/sambashare