This week, Hayden showed off some random stuff related to administering a Linux system, and talked about his home server setup.
Running a Linux box securely
The slides for Hayden’s presentation were written in Markdown and presented with a CLI tool called patat. The Markdown content of the slides has been copied below:
What gear am I rocking?
- Home server running Debian, primarily used as a NAS
- Parts list if you’re into that: https://pcpartpicker.com/list/bXvPKB
- Also was sorta “the devops guy” at the startup I worked at
- A bunch of Linux EC2 instances on AWS (mostly CentOS)
Broad security goals
- Least privilege: isolate everything
- Network, applications, files
- Patch, patch, patch
iptables: the CLI tool for configuring the Linux firewall
- Chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
- Tables: filter, nat, mangle, raw
- Most common config
- Reject all new connections on INPUT (except localhost and specific ports)
- Allow all on OUTPUT
A typical rules.v4 file
```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```
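The posture of that rules file (accept a few ports for NEW connections, then an unconditional REJECT at the end of INPUT) is easy to break by editing in place and forgetting the catch-all. The script below is an added example, not from Hayden's slides: it audits a rules.v4-style file without root, listing the TCP ports INPUT opens and checking that the chain is default-deny. The two sample files are constructed inline for the demo; the second one deliberately drops the final REJECT.

```shell
#!/bin/sh
# Added example (not from the talk): audit an iptables-restore style rules
# file for "reject all new connections on INPUT except specific ports".
# Only sh, awk, grep and sed are needed, so it runs as an ordinary user.

# Constructed sample that mirrors the typical rules.v4 shown above.
GOOD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Constructed "forgot the catch-all" variant: the INPUT policy is still
# ACCEPT and the final REJECT is gone, so any unlisted port is reachable.
BAD_RULES=$(mktemp)
grep -v '^-A INPUT -j REJECT' "$GOOD_RULES" > "$BAD_RULES"

# Print the TCP ports that INPUT accepts, space separated, in file order.
open_tcp_ports() {
    awk '/^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
        for (i = 1; i < NF; i++) if ($i == "--dport") printf "%s ", $(i + 1)
    }' "$1" | sed 's/ $//'
}

# Exit 0 only if INPUT is default-deny: either the chain policy is DROP, or
# the last INPUT rule is an unconditional REJECT/DROP.
input_is_default_deny() {
    grep -q '^:INPUT DROP' "$1" && return 0
    last=$(grep '^-A INPUT ' "$1" | tail -n 1)
    case "$last" in
        "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable report for one rules file.
audit_rules() {
    printf 'file: %s\n' "$1"
    printf 'open TCP ports on INPUT: %s\n' "$(open_tcp_ports "$1")"
    if input_is_default_deny "$1"; then
        echo 'INPUT default-deny: yes'
    else
        echo 'INPUT default-deny: NO (unlisted ports are reachable)'
    fi
}

audit_rules "$GOOD_RULES"
audit_rules "$BAD_RULES"
```

Point it at your real file with `audit_rules /etc/iptables/rules.v4` (the path used by the iptables-persistent package on Debian). The check is deliberately conservative: a rule that jumps to a user-defined chain or a policy of ACCEPT with the REJECT somewhere in the middle both count as "not default-deny", which is what you want a linting script to flag.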
More advanced rules
Reject TCP connections from Windows machines
-I INPUT -p tcp -m osf --genre Windows --log 1 --smart -j REJECT --reject-with icmp-host-prohibited
More info: http://www.ioremap.net/2012/08/13/osf/
Reject HTTP connections containing “banana69”
-I INPUT -p tcp -m tcp --dport 80 -m string --algo bm --string "banana69" -j REJECT --reject-with tcp-reset
So much more
Basically everything has a web server tacked on it now
(gonna talk about Apache cuz I’m old school)
- You need it (HTTPS).
- It’s free so you have no excuse – Let’s Encrypt
- Easiest way: Certbot
- Because some third-party software just isn’t trustworthy enough.
- For example… https://redd.it/91r295
Very simple config in Apache:
```
ProxyPass "/foobar" "http://127.0.0.1:1234"
ProxyPassReverse "/foobar" "http://127.0.0.1:1234"
```
Restrict services by IP address, user account, etc.
- No password logins!
- Need to have your public key in ~/.ssh/authorized_keys
- No root login!
```
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
```
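One pitfall with those four lines: sshd takes the first occurrence of a keyword, so appending `PasswordAuthentication no` to a file that already says `PasswordAuthentication yes` higher up changes nothing. The script below is an added example, not from the slides: it reads an sshd_config with first-match-wins semantics and reports which of the hardening settings are not in effect. The sample config is constructed for the demo; it ignores `Match` blocks (an assumption) and skips `UsePAM`, since whether PAM can be turned off depends on the distro. On a live host, `sshd -T` is the authoritative way to print the effective configuration.

```shell
#!/bin/sh
# Added example (not from the talk): check sshd_config for the hardening
# settings above, honouring sshd's rule that the FIRST occurrence of a
# keyword wins. Match blocks are not modelled (assumption); use `sshd -T`
# on a real host for the effective config.

# Constructed sample: hardened at the bottom, but an earlier line (say a
# package default nobody deleted) still enables password logins.
SSHD_CONFIG=$(mktemp)
cat > "$SSHD_CONFIG" <<'EOF'
# Package default
PasswordAuthentication yes
Port 22

# "Hardening" appended later
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
EOF

# Constructed fixed version: the stale first line removed.
FIXED_CONFIG=$(mktemp)
grep -v '^PasswordAuthentication yes' "$SSHD_CONFIG" > "$FIXED_CONFIG"

# Effective value of a keyword: first non-comment match (keys are
# case-insensitive), stopping at the first Match block as sshd does for
# the global section. Prints nothing if the keyword is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per setting that is not at its expected hardened value.
# Returns 1 if anything deviates, 0 if the file is hardened as intended.
sshd_audit() {
    rc=0
    for pair in PasswordAuthentication:no ChallengeResponseAuthentication:no \
                PermitRootLogin:no; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s is %s (want %s)\n' "$key" "${got:-unset}" "$want"
            rc=1
        fi
    done
    return $rc
}

sshd_audit "$SSHD_CONFIG" || echo 'as written: NOT hardened (first match wins)'
sshd_audit "$FIXED_CONFIG" && echo 'after removing the stale line: hardened'
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config`. On systems that ship an `Include /etc/ssh/sshd_config.d/*.conf` line at the top of the file, the included files are read at that point and so win over anything below them; that is another reason to confirm with `sshd -T` before relying on the file as it reads.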
- Shifts the paradigm to “deny all” instead of “allow all”
- Every service can only access files with that type explicitly set
- Apache is only given access to, say, /etc/httpd and /var/www
- Dennis accidentally sets /home/dennis/muh-bitcoins.txt to chmod 644
(typical fucking Dennis)
- A web app on the server had a filesystem traversal vulnerability
- Attacker tries, but fails, to steal Dennis’ bitcoins
Automatic package updates
For Debian/Ubuntu-like systems: