Cybersecurity on TECHNERDONLINE https://technerdonline.com/categories/cybersecurity/ Recent content in Cybersecurity on TECHNERDONLINE Hugo -- gohugo.io en Copyright &copy; 2025 TECHNERDONLINE All Rights Reserved. Sun, 23 May 2021 21:17:12 +0600 Bastion Host On DigitalOcean https://technerdonline.com/post/bastion/ Sun, 23 May 2021 21:17:12 +0600 https://technerdonline.com/post/bastion/ What is a Bastion Host? A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. There are two common network configurations that include bastion hosts and their placement. The first requires two firewalls, with bastion hosts sitting between the first &ldquo;outside world&rdquo; firewall, and an inside firewall, in a DMZ. Often, smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall. <h2 id="what-is-a-bastion-host"><strong>What is a Bastion Host?</strong></h2> <p>A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. There are two common network configurations that include bastion hosts and their placement.</p> <p>The first requires two firewalls, with bastion hosts sitting between the first &ldquo;outside world&rdquo; firewall, and an inside firewall, in a DMZ. Often, smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.</p> <h3 id="getting-started"><strong>Getting Started</strong></h3> <p>You can use the referral badge below to get started with a $100 credit from Digital Ocean or use this link to <a href="https://m.do.co/c/42cf2120197b">DigitalOcean</a>.</p> <p><a href="https://www.digitalocean.com/?refcode=42cf2120197b&utm_campaign=Referral_Invite&utm_medium=Referral_Program&utm_source=badge"><img alt="DigitalOcean Referral Badge" src="https://web-platforms.sfo2.cdn.digitaloceanspaces.com/WWW/Badge%201.svg"></a></p> <h3 id="digitalocean-vpc"><strong>DigitalOcean VPC</strong></h3> <p>On 7 April, 2020, the VPC service replaced the Private Networking service on DigitalOcean.</p> <blockquote> <p>A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks provide a more secure connection between resources because the network is inaccessible from the public internet and other VPC networks. Traffic within a VPC network doesn’t count against bandwidth usage.</p> </blockquote> <p>VPC are available at no additional cost and are enabled by default. They serve the same function as VLANs do. You have two options, you can either manual create a VPC network or if you don&rsquo;t have a VPC network DigitalOcean will create it for you when you build a new VPS.</p> <h3 id="digitalocean-cloud-firewalls"><strong>DigitalOcean Cloud Firewalls</strong></h3> <blockquote> <p>Cloud Firewalls affect both public and VPC network traffic. Rules specific to either must specify the public or private IP range.</p> </blockquote> <p>We will be creating two cloud firewall rules, one named public-network and the other named private-network. These will be used as Access Control Lists to help protect our VPC network.</p> <p>Both the Public-Network and Private-Network cloud firewalls should be added to the bastion-host, while only the Private-Network cloud firewall should be added to all other members of your VPS.</p> <p><strong>PUBLIC-NETWORK</strong></p> <ul> <li>INBOUND RULES :</li> </ul> <table> <thead> <tr> <th style="text-align:left"><strong>Type</strong></th> <th style="text-align:left"><strong>Protocol</strong></th> <th style="text-align:left"><strong>Port Range</strong></th> <th style="text-align:left"><strong>Sources</strong></th> </tr> </thead> <tbody> <tr> <td style="text-align:left">ICMP</td> <td style="text-align:left">ICMP</td> <td style="text-align:left">None</td> <td style="text-align:left">All IPv4, All IPv6</td> </tr> <tr> <td style="text-align:left">SSH</td> <td style="text-align:left">TCP</td> <td style="text-align:left">22</td> <td style="text-align:left">All IPv4, All IPv6</td> </tr> <tr> <td style="text-align:left">HTTP</td> <td style="text-align:left">TCP</td> <td style="text-align:left">80</td> <td style="text-align:left">All IPv4, All IPv6</td> </tr> <tr> <td style="text-align:left">HTTPS</td> <td style="text-align:left">TCP</td> <td style="text-align:left">443</td> <td style="text-align:left">All IPv4, All IPv6</td> </tr> <tr> <td style="text-align:left">CUSTOM</td> <td style="text-align:left">UDP</td> <td style="text-align:left">51820</td> <td style="text-align:left">All IPv4, All IPv6</td> </tr> </tbody> </table> <ul> <li>OUTBOUND RULES :</li> </ul> <table> <thead> <tr> <th style="text-align:left"><strong>Type</strong></th> <th style="text-align:left"><strong>Protocol</strong></th> <th style="text-align:left"><strong>Port Range</strong></th> <th style="text-align:left"><strong>Sources</strong></th> </tr> </thead> <tbody> <tr> <td style="text-align:left">ICMP</td> <td style="text-align:left">ICMP</td> <td style="text-align:left">None</td> <td style="text-align:left">All IPv4, All IPv6</td> </tr> <tr> <td style="text-align:left">All TCP</td> <td style="text-align:left">TCP</td> <td style="text-align:left">All Ports</td> <td style="text-align:left">All IPv4, All IPv6</td> </tr> <tr> <td style="text-align:left">All UDP</td> <td style="text-align:left">UDP</td> <td style="text-align:left">All Ports</td> <td style="text-align:left">All IPv4, All IPv6</td> </tr> </tbody> </table> <p><strong>PRIVATE-NETWORK</strong></p> <ul> <li>INBOUND RULES :</li> </ul> <table> <thead> <tr> <th style="text-align:left"><strong>Type</strong></th> <th style="text-align:left"><strong>Protocol</strong></th> <th style="text-align:left"><strong>Port Range</strong></th> <th style="text-align:left"><strong>Sources</strong></th> </tr> </thead> <tbody> <tr> <td style="text-align:left">ICMP</td> <td style="text-align:left">ICMP</td> <td style="text-align:left">None</td> <td style="text-align:left">10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16</td> </tr> <tr> <td style="text-align:left">All TCP</td> <td style="text-align:left">TCP</td> <td style="text-align:left">All Ports</td> <td style="text-align:left">10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16</td> </tr> <tr> <td style="text-align:left">All UDP</td> <td style="text-align:left">UDP</td> <td style="text-align:left">All Ports</td> <td style="text-align:left">10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16</td> </tr> </tbody> </table> <ul> <li>OUTBOUND RULES :</li> </ul> <table> <thead> <tr> <th style="text-align:left"><strong>Type</strong></th> <th style="text-align:left"><strong>Protocol</strong></th> <th style="text-align:left"><strong>Port Range</strong></th> <th style="text-align:left"><strong>Sources</strong></th> </tr> </thead> <tbody> <tr> <td style="text-align:left">ICMP</td> <td style="text-align:left">ICMP</td> <td style="text-align:left">None</td> <td style="text-align:left">All IPv4</td> </tr> <tr> <td style="text-align:left">All TCP</td> <td style="text-align:left">TCP</td> <td style="text-align:left">All Ports</td> <td style="text-align:left">All IPv4</td> </tr> <tr> <td style="text-align:left">All UDP</td> <td style="text-align:left">UDP</td> <td style="text-align:left">All Ports</td> <td style="text-align:left">All IPv4</td> </tr> </tbody> </table> <p>I also recommend creating new ssh keys to add to your bastion-host.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ssh-keygen -b <span style="color:#ae81ff">4096</span> -a <span style="color:#ae81ff">1000</span> -t rsa -f ~/.ssh/id_rsa </span></span></code></pre></div><p>Let&rsquo;s lock down your ssh service.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ sudo mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Harden SSH Settings</span> </span></span><span style="display:flex;"><span>$ sudo cat <span style="color:#e6db74">&lt;&lt;-EOF &gt; /etc/ssh/sshd_config </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">HostKey /etc/ssh/ssh_host_ed25519_key </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">HostKey /etc/ssh/ssh_host_rsa_key </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">HostKey /etc/ssh/ssh_host_ecdsa_key </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">AcceptEnv LANG LC_* </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">AllowGroups root sudo </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Banner /etc/issue.net </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ChallengeResponseAuthentication no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ClientAliveCountMax 0 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ClientAliveInterval 300 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Compression no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">HostbasedAuthentication no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">IgnoreUserKnownHosts yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">LoginGraceTime 20 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">LogLevel VERBOSE </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">MaxAuthTries 3 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">MaxSessions 3 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">MaxStartups 10:30:60 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PermitEmptyPasswords no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PermitRootLogin no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PubkeyAuthentication yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PasswordAuthentication no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PermitUserEnvironment no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PrintLastLog yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PrintMotd no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">StrictModes yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Subsystem sftp internal-sftp </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">UseDNS no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">UsePAM yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">X11Forwarding no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">AllowTcpForwarding yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOF</span> </span></span></code></pre></div><p>Create a new set of ssh host keys.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">## Update ssh_host keys</span> </span></span><span style="display:flex;"><span>rm /etc/ssh/ssh_host_* </span></span><span style="display:flex;"><span>ssh-keygen -t ecdsa -b <span style="color:#ae81ff">521</span> -f /etc/ssh/ssh_host_ecdsa_key -N <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span>ssh-keygen -t rsa -b <span style="color:#ae81ff">4096</span> -f /etc/ssh/ssh_host_rsa_key -N <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span>ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>awk <span style="color:#e6db74">&#39;$5 &gt;= 3071&#39;</span> /etc/ssh/moduli &gt; /etc/ssh/moduli.safe </span></span><span style="display:flex;"><span>mv /etc/ssh/moduli.safe /etc/ssh/moduli </span></span></code></pre></div><p>We need to edit the netplan for both the bastion-host and the webproxy so that the bastion-host handles all routing.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo nano /etc/netplan/50-cloud-init.yaml </span></span></code></pre></div><p>You can read more details on editing your netplan on DigitalOcean.</p> <pre tabindex="0"><code class="language-nano" data-lang="nano">network: version: 2 ethernets: eth0: addresses: - xxx.xxx.xxx.xxx/20 - 26xx:xxxx:x:xxx::xx:xxxx/64 gateway4: xxx.xxx.xxx.1 gateway6: 26xx:xxxx:x:xxx::1 match: macaddress: ab:ab:ab:ab:ab:ab nameservers: addresses: - 1.1.1.1 - 1.0.0.1 - 2606:4700:4700::1111 - 2606:4700:4700::1001 search: [technerdonline.com] eth1: addresses: - 10.128.0.2/20 match: macaddress: ba:ba:ba:ba:ba:ba nameservers: addresses: - 10.128.0.2 search: [local] routes: - to: 10.128.0.0/20 via: 10.128.0.2 </code></pre><p>On the proxy server make the following netplan change.</p> <pre tabindex="0"><code class="language-nano" data-lang="nano">network: version: 2 ethernets: eth0: addresses: - xxx.xxx.xxx.xxx/20 - 26xx:xxxx:x:xxx::xx:xxxx/64 #gateway4: xxx.xxx.xxx.1 #gateway6: 26xx:xxxx:x:xxx::1 match: macaddress: ab:ab:ab:ab:ab:ab nameservers: addresses: - 1.1.1.1 - 1.0.0.1 - 2606:4700:4700::1111 - 2606:4700:4700::1001 search: [technerdonline.com] eth1: addresses: - 10.128.0.3/20 match: macaddress: ba:ba:ba:ba:ba:ba nameservers: addresses: - 10.128.0.2 search: [local] routes: - to: 0.0.0.0/0 via: 10.128.0.2 </code></pre><p>Apply the netplan changes.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo netplan apply </span></span></code></pre></div><p>We will need to create a set of IPTABLES rules for both IPv4 and IPv6 but first we need to load some Kernel modules.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo nano /etc/modules-load.d/iptables.conf </span></span></code></pre></div><pre tabindex="0"><code class="language-nano" data-lang="nano">overlay br_netfilter ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack iptable_nat iptable_filter iptable_mangle ip_nf_target_redirect ip_set ip_vs_nfct ip_vs_proto_tcp ip_vs_proto_udp veth bridge bridge_netfilter ip_nf_filter ip_nf_target_masquerade netfilter_xt_match_addrtype netfilter_xt_match_conntrack netfilter_xt_match_ipvs nf_nat </code></pre><p>Copy and paste the following content, replacing PUBLIC_IP with the public IP address of the bastion-host, WEBPROXY_PRIVATE_IP with the VPC IP address for the webproxy, and BASTION_PRIVATE_IP with the VPC IP address with the bastion host private IP.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nano ipv4.conf </span></span></code></pre></div><pre tabindex="0"><code class="language-nano" data-lang="nano">*mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A PREROUTING -i eth0 -d {PUBLIC_IP} -p tcp -m tcp --dport 80 -j DNAT --to-destination {WEBPROXY_PRIVATE_IP}:80 -A PREROUTING -i eth0 -d {PUBLIC_IP} -p tcp -m tcp --dport 443 -j DNAT --to-destination {WEBPROXY_PRIVATE_IP}:443 -A POSTROUTING -d {WEBPROXY_PRIVATE_IP} -o eth1 -p tcp -m tcp --dport 80 -j SNAT --to-source {BASTION_PRIVATE_IP} -A POSTROUTING -d {WEBPROXY_PRIVATE_IP} -o eth1 -p tcp -m tcp --dport 443 -j SNAT --to-source {BASTION_PRIVATE_IP} -A POSTROUTING -s {BASTION_PRIVATE_IP} -o eth0 -j SNAT --to-source {PUBLIC_IP} -A POSTROUTING -s {PRIVATE_SUBNET} ! -d {PRIVATE_SUBNET} -j MASQUERADE COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :FILTERS - [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT -A INPUT -i eth1 -m conntrack --ctstate NEW -s {PRIVATE_SUBNET} -j ACCEPT -A INPUT -j FILTERS -A INPUT -j DROP -A FORWARD -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -o eth1 -m conntrack --ctstate NEW -s {PRIVATE_SUBNET} -j ACCEPT -A FORWARD -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -s {PRIVATE_SUBNET} -j ACCEPT -A FORWARD -i eth0 -o eth1 -j FILTERS -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -o eth1 -j ACCEPT -A FILTERS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --syn --dport 22 -j ACCEPT -A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --syn --dport 80 -j ACCEPT -A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --syn --dport 443 -j ACCEPT -A FILTERS -p udp -m conntrack --ctstate NEW -m udp --dport 51820 -j ACCEPT -A FILTERS -p udp -m conntrack --ctstate NEW -m udp --dport 51821 -j ACCEPT -A FILTERS -m conntrack --ctstate INVALID -j DROP -A FILTERS -j REJECT COMMIT </code></pre><p>Now create IPTABLES Rules for IPv6.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nano ipv6.conf </span></span></code></pre></div><pre tabindex="0"><code class="language-nano" data-lang="nano">*nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :FILTERS - [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 5/sec -j ACCEPT -A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 5/sec -j ACCEPT -A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 5/sec -j ACCEPT -A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 5/sec -j ACCEPT -A INPUT -j FILTERS -A INPUT -j DROP -A FILTERS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -A FILTERS -m conntrack --ctstate INVALID -j DROP -A FILTERS -j REJECT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -o eth1 -j ACCEPT -A FORWARD -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -o eth1 -j FILTERS -A FORWARD -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT -A FORWARD -i eth0 -o eth1 -j FILTERS -A FORWARD -j REJECT COMMIT </code></pre><p>Apply the iptables rules and install iptables-persistent.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo iptables-restore -n ipv4.conf </span></span><span style="display:flex;"><span>sudo ip6tables-restore -n ipv6.conf </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sudo iptables-save </span></span><span style="display:flex;"><span>sudo ip6tables-save </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sudo apt install iptables-persistent </span></span></code></pre></div><p>Simply install your favorite web server on the proxy droplet (i.e. nginx, caddy, haproxy etc). I would also suggest installing wireguard on the bastion host, it is also pretty easy to get a secure wireguard mesh network setup if you have multiple VPC.</p> Hardening Your Cloud Server https://technerdonline.com/post/hardening-linux/ Sun, 23 May 2021 21:17:12 +0600 https://technerdonline.com/post/hardening-linux/ Taking the extra steps to protect your Ubuntu or Debian cloud droplet takes only a little effort and time but will have a huge long term impact on your cyber security. You can use the referral badge below to get started with a $100 credit from Digital Ocean or use this link to DigitalOcean. 1. ASSESS &amp; IDENTIFY THE RISK Undertaking a review to identify potential risks is a important first step. <p>Taking the extra steps to protect your Ubuntu or Debian cloud droplet takes only a little effort and time but will have a huge long term impact on your cyber security. You can use the referral badge below to get started with a $100 credit from Digital Ocean or use this link to <a href="https://m.do.co/c/42cf2120197b">DigitalOcean</a>.</p> <p><a href="https://www.digitalocean.com/?refcode=42cf2120197b&utm_campaign=Referral_Invite&utm_medium=Referral_Program&utm_source=badge"><img alt="DigitalOcean Referral Badge" src="https://web-platforms.sfo2.cdn.digitaloceanspaces.com/WWW/Badge%201.svg"></a></p> <h3 id="1-assess--identify-the-risk"><strong>1. ASSESS &amp; IDENTIFY THE RISK</strong></h3> <p>Undertaking a review to identify potential risks is a important first step. Some useful techniques for identifying risks are:</p> <ul> <li> <p><strong>NMAP</strong> is a great tool to help identify potential risks. DigitalOcean has a pretty good guide <a href="https://www.digitalocean.com/community/tutorials/how-to-test-your-firewall-configuration-with-nmap-and-tcpdump">here</a>.</p> </li> <li> <p><strong>Tenable</strong> offers a great solution that also provides a very friendly report. Although normally a Nessus Professional license isn&rsquo;t cheap, Tenable does offer a free version as well. You can download the free version <a href="https://www.tenable.com/downloads/nessus?loginAttempted=true">here</a>.</p> </li> <li> <p><strong>Sn1per</strong> is a open source solution that puts together a number of great open projects to deliver a very effective and easy to use package. You can check out the project on Github <a href="https://github.com/1N3/Sn1per">here</a>.</p> </li> <li> <p><strong>Lynis</strong> is a open source tool that audits and grades your linux operating system&rsquo;s security. You can check out the project on Github <a href="https://github.com/CISOfy/lynis">here</a>.</p> </li> </ul> <h3 id="2-reduce-the-risk"><strong>2. REDUCE THE RISK</strong></h3> <p>Once you have an idea of what potential cyber security risks you face you should start to take the steps to reduce those risks.</p> <p>Set the default user profile to &ldquo;umask 027&rdquo; it is a good compromise between security and simplicity. A umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 makes files and directories readable by users in the same Unix group (i.e. &ldquo;sudo&rdquo; or &ldquo;root&rdquo;), while a umask of 022 makes files readable by every user on the system.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Setting global umask</span> </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#34;umask 027&#34;</span> &gt;&gt; /etc/profile </span></span></code></pre></div><p>Restrict at and cron to authorized users only.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># First Remove both at.deny &amp; cron.deny</span> </span></span><span style="display:flex;"><span>sudo rm /etc/cron.deny 2&gt; /dev/null </span></span><span style="display:flex;"><span>sudo rm /etc/at.deny 2&gt; /dev/null </span></span><span style="display:flex;"><span><span style="color:#75715e"># Second create both at.allow &amp; cron.allow</span> </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;root&#39;</span> &gt; /etc/cron.allow </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;root&#39;</span> &gt; /etc/at.allow </span></span><span style="display:flex;"><span><span style="color:#75715e"># Third set the ownership to root</span> </span></span><span style="display:flex;"><span>sudo chown root:root /etc/cron* </span></span><span style="display:flex;"><span>sudo chown root:root /etc/at* </span></span></code></pre></div><p>Use the hosts.allow and hosts.deny files to help restrict access to services. For example the only IP address that should have access to NRPE on port 5666 is your Nagios server.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Setup Some Access Control Rules</span> </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;sshd : ALL : ALLOW&#39;</span> &gt; /etc/hosts.allow </span></span><span style="display:flex;"><span><span style="color:#75715e"># Or if this Node should only be accessible via a bastion-host</span> </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;sshd: 192.168.0.2&#39;</span> &gt; /etc/hosts.allow </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;ALL: LOCAL, 127.0.0.1&#39;</span> &gt;&gt; /etc/hosts.allow </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;NRPE: 192.168.0.2&#39;</span> &gt;&gt; /etc/hosts.allow </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;ALL: PARANOID&#39;</span> &gt; /etc/hosts.deny </span></span><span style="display:flex;"><span>sudo chmod <span style="color:#ae81ff">644</span> /etc/hosts.allow </span></span><span style="display:flex;"><span>sudo chmod <span style="color:#ae81ff">644</span> /etc/hosts.deny </span></span></code></pre></div><p>Limit visibility of running processes to those services that started the process or users in the same group.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Edit fstab &amp; Hide PID2</span> </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;proc /proc proc defaults,hidepid=2 0 0&#39;</span> &gt;&gt; /etc/fstab </span></span></code></pre></div><p>Disable Root Recovery console, but make sure you have set a root password first.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># GRUB enable swap &amp; disable root recovery</span> </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;GRUB_CMDLINE_LINUX=&#34;cgroup_enable=memory swapaccount=1&#34;&#39;</span> &gt;&gt; /etc/default/grub </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;GRUB_DISABLE_RECOVERY=&#34;true&#34;&#39;</span> &gt;&gt; /etc/default/grub </span></span><span style="display:flex;"><span>sudo update-grub </span></span></code></pre></div><p>It may seem unimportant, but having the time stamps match your timezone will make things easier later on when you are reviewing your logs and reports.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Setup NTP</span> </span></span><span style="display:flex;"><span>sudo timedatectl set-ntp true </span></span><span style="display:flex;"><span>sudo timedatectl set-timezone America/Los_Angeles </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org&#39;</span> &gt;&gt; /etc/systemd/timesyncd.conf </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt update </span></span><span style="display:flex;"><span>sudo apt install apparmor apparmor-profiles apparmor-utils apparmor-easyprof -y </span></span><span style="display:flex;"><span><span style="color:#75715e"># Enforce apparmor profiles</span> </span></span><span style="display:flex;"><span>sudo echo <span style="color:#e6db74">&#39;session optional pam_apparmor.so order=user,group,default&#39;</span> &gt; /etc/pam.d/apparmor </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sudo systemctl start apparmor.service </span></span><span style="display:flex;"><span>sudo systemctl enable apparmor.service </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt update </span></span><span style="display:flex;"><span>sudo apt install libpam-tmpdir libpam-apparmor libpam-cracklib -y </span></span></code></pre></div><p>Disable USB access on your cloud node.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Install USBGuard</span> </span></span><span style="display:flex;"><span>sudo apt update </span></span><span style="display:flex;"><span>sudo apt install usbguard -y </span></span><span style="display:flex;"><span><span style="color:#75715e"># Setting up USBGuard</span> </span></span><span style="display:flex;"><span>sudo usbguard generate-policy &gt; /tmp/rules.conf </span></span><span style="display:flex;"><span>sudo install -m <span style="color:#ae81ff">0600</span> -o root -g root /tmp/rules.conf /etc/usbguard/rules.conf </span></span></code></pre></div><p>Securing your remote access services isn&rsquo;t just about disabling root access and enabling authorized keys in your SSH configuration.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Harden SSH Settings</span> </span></span><span style="display:flex;"><span>sudo cat <span style="color:#e6db74">&lt;&lt;-EOF &gt; /etc/ssh/sshd_config </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">HostKey /etc/ssh/ssh_host_ed25519_key </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">HostKey /etc/ssh/ssh_host_rsa_key </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">HostKey /etc/ssh/ssh_host_ecdsa_key </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">AcceptEnv LANG LC_* </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">AllowGroups root sudo </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Banner /etc/issue.net </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ChallengeResponseAuthentication no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ClientAliveCountMax 0 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ClientAliveInterval 300 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Compression no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">HostbasedAuthentication no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">IgnoreUserKnownHosts yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">LoginGraceTime 20 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">LogLevel VERBOSE </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">MaxAuthTries 3 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">MaxSessions 3 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">MaxStartups 10:30:60 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PermitEmptyPasswords no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PermitRootLogin no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PubkeyAuthentication yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PasswordAuthentication no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PermitUserEnvironment no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PrintLastLog yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PrintMotd no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">StrictModes yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Subsystem sftp internal-sftp </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">UseDNS no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">UsePAM yes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">X11Forwarding no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">AllowTcpForwarding no </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sudo systemctl daemon-reload </span></span><span style="display:flex;"><span>sudo systemctl restart ssh.service </span></span></code></pre></div><p>Now update your host keys and test ssh by starting a 2nd session.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">## Switch to root</span> </span></span><span style="display:flex;"><span>sudo su - </span></span><span style="display:flex;"><span><span style="color:#75715e">## Update ssh_host keys</span> </span></span><span style="display:flex;"><span>rm /etc/ssh/ssh_host_* </span></span><span style="display:flex;"><span>ssh-keygen -t ecdsa -b <span style="color:#ae81ff">521</span> -f /etc/ssh/ssh_host_ecdsa_key -N <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span>ssh-keygen -t rsa -b <span style="color:#ae81ff">4096</span> -f /etc/ssh/ssh_host_rsa_key -N <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span>ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>awk <span style="color:#e6db74">&#39;$5 &gt;= 3071&#39;</span> /etc/ssh/moduli &gt; /etc/ssh/moduli.safe </span></span><span style="display:flex;"><span>mv /etc/ssh/moduli.safe /etc/ssh/moduli </span></span></code></pre></div><h3 id="3-manage-your-risk"><strong>3. MANAGE YOUR RISK</strong></h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt update </span></span><span style="display:flex;"><span>sudo apt install dbconfig-common dbconfig-sqlite3 sqlite3 fail2ban -y </span></span><span style="display:flex;"><span>sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.d/jail.local </span></span><span style="display:flex;"><span>sudo systemctl restart fail2ban </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt update </span></span><span style="display:flex;"><span>sudo apt install rkhunter -y </span></span><span style="display:flex;"><span>sudo dpkg-reconfigure rkhunter </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo cat <span style="color:#e6db74">&lt;&lt;-EOF &gt; /etc/apt/apt.conf.d/20auto-upgrades </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">APT::Periodic::Update-Package-Lists &#34;1&#34;; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">APT::Periodic::Download-Upgradeable-Packages &#34;1&#34;; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">APT::Periodic::AutocleanInterval &#34;7&#34;; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">APT::Periodic::Unattended-Upgrade &#34;1&#34;; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOF</span> </span></span></code></pre></div><h3 id="4-monitor-your-risk"><strong>4. MONITOR YOUR RISK</strong></h3> <p>Auditd can be a pretty powerful tool once you have the audit rules setup as it will give you valuable insights about your server performance and activities by ensuring that they are written to your logs.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt update </span></span><span style="display:flex;"><span>sudo apt install auditd audispd-plugins -y </span></span><span style="display:flex;"><span><span style="color:#75715e"># Setup Auditd Rules and Logging</span> </span></span><span style="display:flex;"><span>sudo cat <span style="color:#e6db74">&lt;&lt;-EOF &gt; /etc/audit/rules.d/docker.rules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Remove any existing rules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-D </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Buffer Size </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-b 8192 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Ignore errors </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-i </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Failure Mode </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-f 1 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Audit the audit logs </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /var/log/audit/ -k auditlog </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Auditd configuration </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/audit/ -p wa -k auditconfig </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/libaudit.conf -p wa -k auditconfig </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/audisp/ -p wa -k audispconfig </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Monitor for use of audit management tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /sbin/auditctl -p x -k audittools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /sbin/auditd -p x -k audittools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Monitor AppArmor configuration changes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/apparmor/ -p wa -k apparmor </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/apparmor.d/ -p wa -k apparmor </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Monitor usage of AppArmor tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /sbin/apparmor_parser -p x -k apparmor_tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/aa-complain -p x -k apparmor_tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/aa-disable -p x -k apparmor_tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/aa-enforce -p x -k apparmor_tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Monitor Systemd configuration changes </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/systemd/ -p wa -k systemd </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /lib/systemd/ -p wa -k systemd </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Monitor usage of systemd tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /bin/systemctl -p x -k systemd_tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /bin/journalctl -p x -k systemd_tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Special files </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S mknod -S mknodat -k specialfiles </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Mount operations </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S mount -F auid&gt;=1000 -F auid!=4294967295 -F key=export </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=4294967295 -F key=export </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Changes to the time </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S settimeofday -k audit_time_rules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S adjtimex -k audit_time_rules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S clock_settime -k audit_time_rules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Cron configuration &amp; scheduled jobs </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/cron.allow -p wa -k cron </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/cron.deny -p wa -k cron </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/cron.d/ -p wa -k cron </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/cron.daily/ -p wa -k cron </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/cron.hourly/ -p wa -k cron </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/cron.monthly/ -p wa -k cron </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/cron.weekly/ -p wa -k cron </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/crontab -p wa -k cron </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /var/spool/cron/crontabs/ -k cron </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># User, group, password databases </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/group -p wa -k audit_rules_usergroup_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/passwd -p wa -k audit_rules_usergroup_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/gshadow -p wa -k audit_rules_usergroup_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/shadow -p wa -k audit_rules_usergroup_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># MAC-policy </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/selinux/ -p wa -k MAC-policy </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Monitor usage of passwd </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/bin/passwd -p x -k passwd_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Monitor for use of tools to change group identifiers </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/groupadd -p x -k group_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/groupmod -p x -k group_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/addgroup -p x -k group_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/useradd -p x -k user_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/usermod -p x -k user_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/adduser -p x -k user_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Monitor module tools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /sbin/insmod -p x -k modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /sbin/rmmod -p x -k modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /sbin/modprobe -p x -k modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/insmod -p x -k modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/rmmod -p x -k modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/sbin/modprobe -p x -k modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Login configuration and information </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/login.defs -p wa -k login </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/securetty -p wa -k login </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /var/log/faillog -p wa -k login </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /var/run/faillock/ -p wa -k logins </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /var/log/lastlog -p wa -k login </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /var/log/tallylog -p wa -k login </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Network configuration </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/hosts -p wa -k audit_rules_networkconfig_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/network/ -p wa -k audit_rules_networkconfig_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># System startup scripts </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/inittab -p wa -k init </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/init.d/ -p wa -k init </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/init/ -p wa -k init </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Library search paths </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/ld.so.conf -p wa -k libpath </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Local time zone </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/localtime -p wa -k localtime </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Time zone configuration </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/timezone -p wa -k audit_time_ruleszone </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Kernel parameters </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/sysctl.conf -p wa -k sysctl </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Modprobe configuration </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/modprobe.conf -p wa -k modprobe </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/modprobe.d/ -p wa -k modprobe </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/modules -p wa -k modprobe </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Module manipulations </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S init_module -S delete_module -F key=modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S init_module -F key=modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S init_module -S delete_module -F key=modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S init_module -F key=modules </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># PAM configuration </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/pam.d/ -p wa -k pam </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/security/limits.conf -p wa -k pam </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/security/pam_env.conf -p wa -k pam </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/security/namespace.conf -p wa -k pam </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/security/namespace.init -p wa -k pam </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Postfix configuration </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/aliases -p wa -k mail </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/postfix/ -p wa -k mail </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># SSH configuration </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/ssh/sshd_config -k sshd </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Changes to hostname </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Changes to issue </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/issue -p wa -k audit_rules_networkconfig_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Capture all unauthorized file accesses </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=x86_64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -F key=access </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Monitor for use of process ID change (switching accounts) applications </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /bin/su -p x -k actions </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /usr/bin/sudo -p x -k actions </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/sudoers -p wa -k actions </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-w /etc/sudoers.d -p wa -k actions </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Make the configuration immutable </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-e 2 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sudo systemctl start auditd </span></span><span style="display:flex;"><span>sudo systemctl enable auditd </span></span></code></pre></div><p>You can then install logcheck or logwatch to get more detailed reports emailed to you. In addition you can use projects like <a href="https://github.com/FiloSottile/mkcert">mkcert</a> or <a href="https://github.com/cloudflare/cfssl">cfssl</a> to enable TLS for internal communications between software like nrpe and nagios for example.</p> <p>Follow this link for setting up a bastion screening host <a href="https://technerdonline.com/post/bastion/">here</a> or for my git project go <a href="https://git.technerdonline.com/edwin/bastion-host-ubuntu">here</a>.</p>