1. Add non-free archive to apt sources (pico /etc/apt/sources.list)

deb http://ftp.uk.debian.org/debian/ squeeze main non-free
deb-src http://ftp.uk.debian.org/debian/ squeeze main non-free


Add non-free behind main in both lines

2. Update the package list

apt-get update


3. Install Nikto

apt-get install nikto

4. Test the local web server

nikto -h localhost

Nikto also supports testing on different ports. Click here for Nikto usage information.

1. Install rkhunter

apt-get install rkhunter


2. Run rkhunter to check your server

rkhunter --check


1. Install the apache2-mpm-itk package

apt-get install apache2-mpm-itk


2. Configure user and group for each virtual host by adding the following line somewhere between <VirtualHost *:80>...</VirtualHost>

AssignUserId [user] [group]


Replace [user] and [group] with a username and group name that already exists on the system.

3. Change the owner of the web root

chown [user].[group] [location]


Replace [user] and [group] with the username and group name configured on the virtual host. Replace [location] with the location specified as DocumentRoot for the virtual host, eg. /var/www

4. Make sure the location isn't accessible by other users (optional)

chmod o= [location]


Replace [location] with the location specified as DocumentRoot for the virtual host, eg. /var/www

5. Restart apache

/etc/init.d/apache restart


1. Install fail2ban

apt-get install fail2ban


2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.

You can tail the fail2ban log file to monitor actions:

tail -f /var/log/fail2ban.log


Sample results

2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started
2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban 192.168.1.18


3. (optional) Specify a list of IP addresses ignored by fail2ban. This can be useful to avoid getting locked out (pico /etc/fail2ban/jail.conf)

ignoreip = 127.0.0.1 192.168.1.0/24


Modify the ignoreip property and type a list of IP addresses or networks seperated by a space.

4. Restart fail2ban (only required if you modified the ignoreip property)

/etc/init.d/fail2ban restart


1. Install suPHP

apt-get install libapache2-mod-suphp


2. Disable the php5 apache module

a2dismod php5


3. Restart Apache

/etc/init.d/apache2 restart


4. You can test if suPHP is working correctly by creating a php file containing the following lines:

<?php
system('id');
?>


The script will return user/group id and name. Make sure you set the file owner to a user/group with id greater than 99.

1. Install Nikto

apt-get install nikto


2. Test the local web server

nikto -h localhost


Nikto also supports testing on different ports. Click here for Nikto usage information.

1. Open the SSH daemon config file and change this line: (pico /etc/ssh/sshd_config)

PermitRootLogin no


2. Restart the SSH daemon

/etc/init.d/ssh restart


1. Create a new user (optional)

adduser user1


2. Make sure sudo is install (installed by default on lenny)

apt-get install sudo


3. Add the new user to the sudo-ers list (visudo)

user1 ALL=(ALL) ALL


This will allow user1 to run all commands that require root privileges. You can also limit the access, Click here to view the syntax

4. Save the file by pressing Ctrl-X if you are using Nano/pico or :w if using vi

You can now login as the standard user (user1) and execute commands that require root privileges using sudo.

1. Rules file

Create a new file that will contain a shell script to insert rules into iptables (pico /etc/firewall-rules.sh) and add this content as template:

#!/bin/sh
IPT="/sbin/iptables"

echo -n "Loading iptables rules..."

# Flush old rules
$IPT --flush
$IPT --delete-chain

# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# ICMP rules
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block new connections without SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# HTTP
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPT -A INPUT -p ip -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Anti-spoofing rules
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

echo "rules loaded."
You can customize this file as required, check the iptables manual for parameters and options.

Change the permissions to make the file executable by root:

chown root /etc/firewall-rules.sh
chmod 700 /etc/firewall-rules.sh


2. Load rules shell script on startup

Add this line above the address line for your default network interface (pico /etc/network/interfaces):

pre-up /etc/firewall-rules.sh


Now, every time you start the network interfaces including restarting the system, iptables rules are reloaded.