• SSH Server
1. Disable login as the root user by setting, in the file
/etc/ssh/sshd_config
the line
PermitRootLogin no
2. Allow only specific users to log in, and only from the specified IP addresses, by adding (entries are separated by spaces, not commas; the address part may be a pattern such as 192.168.1.*):
AllowUsers user1@ip user2@ip
3. Use a firewall to control the inbound and outbound traffic of the SSH server.
Enable ufw:
sudo ufw enable
Rate-limit inbound connections to the SSH server:
sudo ufw limit OpenSSH
This protects against brute-force attacks because the firewall will only accept 6 connections to the SSH server within 30 seconds from the same IP address. Note: if you are administering the machine over SSH, add the OpenSSH rule before enabling ufw, otherwise the default policy of denying incoming traffic can cut off your own session.
4. Use a key pair to log in to the SSH server:
ssh-keygen
Then copy the public key ~/.ssh/id_rsa.pub to the server and append it to ~/.ssh/authorized_keys in that user's home directory (ssh-copy-id does this for you). Next, disable password login:
open /etc/ssh/sshd_config, find the line #PasswordAuthentication yes and change it to PasswordAuthentication no. Confirm in a second terminal that key-based login still works so you are not locked out, check the syntax with sudo sshd -t, and then
sudo service ssh restart
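The three sshd_config settings above are easy to get wrong in a way that looks correct: sshd uses the first value it finds for a keyword, and keywords after a Match line apply only inside that block, so a PasswordAuthentication no appended at the end of the file does nothing if an earlier line already says yes. The following audit script is an added example, not part of the original guide; the sample config it checks is constructed, and the function names (effective_value, audit_sshd_config) are my own. On a live host the authoritative check is sudo sshd -T, which prints the effective configuration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config file for
# the settings this section changes, modelling sshd's first-match rule.

# effective_value FILE KEYWORD
# Print the value sshd would use for KEYWORD: the first non-comment match in
# the global section (keyword compared case-insensitively); nothing if unset.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "match"   { exit }      # a Match block begins; stop here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit   # rest of the line is the value
        }
    ' "$1"
}

# audit_sshd_config FILE
# Print one OK/FAIL line per check; return 0 only if all three checks pass.
audit_sshd_config() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}' (want no)"; rc=1
    fi
    pw=$(effective_value "$1" PasswordAuthentication)
    if [ "$pw" = "no" ]; then
        echo "OK   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication is '${pw:-unset, which defaults to yes}' (want no)"; rc=1
    fi
    users=$(effective_value "$1" AllowUsers)
    if [ -n "$users" ]; then
        echo "OK   AllowUsers $users"
    else
        echo "FAIL AllowUsers not set (every account may log in)"; rc=1
    fi
    return $rc
}

# Constructed sample config (not a real host). The "no" at the bottom is
# shadowed by the earlier "yes", which the audit reports as a failure.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for the demo
PasswordAuthentication yes
PermitRootLogin no
AllowUsers alice@203.0.113.5 bob@203.0.113.*
PasswordAuthentication no
EOF
audit_sshd_config "$sample" && echo "result: hardened" || echo "result: NOT hardened"
rm -f "$sample"
```

Run it against a copy of /etc/ssh/sshd_config with audit_sshd_config /path/to/sshd_config; the Match handling is deliberately conservative, so a value set only inside a Match block is reported as unset for the global audit.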
• Apache SSL Hardening - disable SSL v2/v3 support
The SSL v2 and v3 protocols are not secure, so you should disable them.
1. Open the file /etc/apache2/mods-available/ssl.conf
sudo vi /etc/apache2/mods-available/ssl.conf
2. Change SSLProtocol all -SSLv3 to SSLProtocol all -SSLv2 -SSLv3
3. Then restart Apache2:
sudo service apache2 restart
• Configure the network with sysctl
1. Open the file /etc/sysctl.conf
sudo vi /etc/sysctl.conf
2. Uncomment (or add) the following lines:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
Note that icmp_echo_ignore_all = 1 makes the host ignore every ping, including those from your own monitoring.
3. Reload sysctl (there is no daemon to restart; this re-reads the file and applies it)
sudo sysctl -p
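The values in /etc/sysctl.conf are only what you asked for; what the kernel is running can drift (a package dropping a file into /etc/sysctl.d/, a reboot before sysctl -p, a typo in a key name that sysctl -p reports and skips). The script below is an added example, not part of the original guide: it compares the list from this section with "key = value" text in the format that sudo sysctl -a prints, and reports every key whose running value differs or is absent. The actual-state input in the demo is constructed from the expected list with one value changed and one key removed; the function names (expected_sysctl, sysctl_drift) are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): detect drift between the
# sysctl values this section sets and the kernel's current values.

# expected_sysctl: print the settings from this section in sysctl.conf format.
expected_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
EOF
}

# sysctl_drift EXPECTED_FILE ACTUAL_FILE
# Both files hold "key = value" lines (comments and blank lines are ignored).
# Print "key expected=X actual=Y" for every expected key whose actual value
# differs or is missing; return 1 if there is any drift, 0 otherwise.
sysctl_drift() {
    awk '
        # Split "key = value" (spaces optional) into globals K and V.
        # Return 0 for comment lines and lines without "=".
        function kv(line,    i) {
            if (line ~ /^[ \t]*#/) return 0
            i = index(line, "=")
            if (i == 0) return 0
            K = substr(line, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", K)
            V = substr(line, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", V)
            return 1
        }
        FILENAME == ARGV[1] { if (kv($0)) want[K] = V; next }   # expected values
        { if (kv($0)) have[K] = V }                              # actual values
        END {
            drift = 0
            for (k in want) {
                if (!(k in have)) {
                    print k " expected=" want[k] " actual=<missing>"; drift = 1
                } else if (have[k] != want[k]) {
                    print k " expected=" want[k] " actual=" have[k]; drift = 1
                }
            }
            exit drift
        }
    ' "$1" "$2"
}

# Demo on constructed input (not a real host): the "actual" state is the
# expected list with rp_filter reverted to 0 and icmp_echo_ignore_all absent.
expected=$(mktemp); actual=$(mktemp)
expected_sysctl > "$expected"
expected_sysctl | sed -e 's/^net.ipv4.conf.all.rp_filter = 1$/net.ipv4.conf.all.rp_filter = 0/' \
                      -e '/net.ipv4.icmp_echo_ignore_all/d' > "$actual"
sysctl_drift "$expected" "$actual" && echo "no drift" || echo "drift detected"
rm -f "$expected" "$actual"
```

On a real host, feed it the live state with sudo sysctl -a > /tmp/actual.txt and then sysctl_drift expected.txt /tmp/actual.txt; a non-zero exit makes it usable from a cron job or a configuration check.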
• Disable open DNS recursion and remove the version info - BIND DNS Server
1. Edit the file
sudo vi /etc/bind/named.conf.options
2. Set the following values inside the options { ... } block:
recursion no;
version "Not Disclosed";
3. Restart BIND (check the syntax first with sudo named-checkconf)
sudo service bind9 restart
• Prevent IP spoofing
1. Open the file /etc/host.conf
sudo vi /etc/host.conf
2. Add or edit the lines as below
order bind,hosts
nospoof on
• Configure PHP securely
1. Edit php.ini (this path is for PHP 5; newer releases use /etc/php/<version>/apache2/php.ini)
sudo vi /etc/php5/apache2/php.ini
2. Add or edit
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
mail.add_x_header = Off
session.name = NEWSESSID
disable_functions blocks only the names listed; popen and proc_open can also start processes, so add them too if the application does not need them.
3. Then restart Apache2
sudo service apache2 restart
• Restrict Apache Information Leakage
1. Edit the Apache2 security configuration
First enable the headers module with the command
sudo a2enmod headers
Then edit the file
sudo vi /etc/apache2/conf-available/security.conf
2. Add or edit
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
Header always unset X-Powered-By
FileETag None
3. Restart Apache2 (run sudo apache2ctl configtest first to catch syntax errors)
sudo service apache2 restart
You can confirm the result with curl -sI http://yourserver/ : the Server header should show only "Apache", with no version, and no X-Powered-By or ETag header should be returned.
• Install Fail2ban
1. Install it with the command sudo apt-get install fail2ban
2. Configure fail2ban
sudo nano /etc/fail2ban/jail.local
3. Add the following
## To block failed login attempts, use the jail below.
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189
## To block a remote host that requests suspicious URLs, use the jail below.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189
## To block a remote host that searches the website for scripts to execute, use the jail below.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189
## To block a remote host that sends requests from known malicious bots, use the jail below.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189
## To stop DoS attacks from a remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 192.168.15.189
action = iptables[name=HTTP, port=http, protocol=tcp]
## To block failed login attempts on the SSH server, use the jail below.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189
4. Save, then create the filter file (fail2ban reads filters from /etc/fail2ban/filter.d/)
sudo nano /etc/fail2ban/filter.d/http-get-dos.conf
5. Add the following
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
6. Save and restart fail2ban (you can test the filter against a real log first with sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf)
sudo systemctl restart fail2ban
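The note inside the http-get-dos filter is worth taking literally: the failregex matches every GET and POST line, so an ordinary page view (HTML, stylesheet, image, favicon) already produces several "failures", which is why the jail pairs it with maxretry = 400 and findtime = 400. The script below is an added example, not part of the original guide: a stand-in built from grep and awk that applies the same regex to constructed access-log lines and counts matches per client address, so you can see the effect before enabling the jail. It simplifies fail2ban in two labelled ways: the <HOST> tag is expanded to an IPv4 pattern only (fail2ban's real <HOST> also matches hostnames and IPv6), and findtime is ignored, so every line counts as if it fell in one window. fail2ban's own test tool is fail2ban-regex; the function names here (line_matches, count_matches, would_ban) are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): approximate what the
# http-get-dos failregex does to an Apache access log.

# The failregex from the filter, with fail2ban's <HOST> tag expanded to an
# IPv4 pattern (a simplification: fail2ban also matches hostnames and IPv6).
FAILREGEX='^([0-9]{1,3}\.){3}[0-9]{1,3} -.*"(GET|POST).*'

# line_matches LINE: exit 0 if the failregex matches the given log line.
line_matches() {
    printf '%s\n' "$1" | grep -Eq "$FAILREGEX"
}

# count_matches LOGFILE: print "count ip" for every client with one or more
# matching lines (the client address is the first field of each log line).
count_matches() {
    grep -E "$FAILREGEX" "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }'
}

# would_ban LOGFILE MAXRETRY: print clients with at least MAXRETRY matches,
# i.e. the ones fail2ban would ban if all their lines fell inside one findtime.
would_ban() {
    count_matches "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Constructed access log (not real traffic): 203.0.113.9 loads one normal page
# (four requests), 198.51.100.7 makes two requests, 192.0.2.1 sends a HEAD,
# which the regex does not match.
log=$(mktemp)
cat > "$log" <<'EOF'
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /logo.png HTTP/1.1" 200 8192
192.0.2.1 - - [10/Oct/2023:13:55:40 +0000] "HEAD / HTTP/1.1" 200 0
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /admin HTTP/1.1" 404 196
203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /favicon.ico HTTP/1.1" 404 196
EOF
echo "matches per client:"
count_matches "$log"
echo "would be banned with maxretry=3:"
would_ban "$log" 3
rm -f "$log"
```

With maxretry=3 the single ordinary page view from 203.0.113.9 is already over the threshold, which illustrates why this jail needs a high maxretry together with a findtime, and why ignoreip should list your own monitoring and administration addresses.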
• Install rootkit detection tools
1. Install
sudo apt-get install rkhunter chkrootkit
2. How to scan
sudo chkrootkit
3. How to update and scan with rkhunter (--propupd records the current file properties as the trusted baseline, so run it only on a system you believe is clean)
sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check
• Configure Apache2 to allow .htaccess
1. Enable it with the command
sudo a2enmod rewrite
2. Edit the Apache2 config file for the site
sudo nano /etc/apache2/sites-available/myweb.conf
Add the following
<Directory /var/www/myweb.com>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
Options Indexes turns on directory listings for folders without an index file; leave it out unless you need that. Order/allow are Apache 2.2 directives; on Apache 2.4 they require mod_access_compat, and the equivalent is Require all granted.
3. Save and restart apache2
sudo service apache2 restart
• Protect access to the Joomla administrator folder with htaccess
1. First create the password file
Start by generating the username and password hash using the website http://www.htaccesstools.com (generating it locally with htpasswd -c .htpasswd user, from the apache2-utils package, gives the same format without sending the password to a third-party site).
Once generated, put that output in the .htpasswd file
sudo nano .htpasswd
Example:
user:$apr1$fdtWgUoy$l/HNArTj92W57ZF.deZys0
Then save.
2. Create the .htaccess file
sudo nano .htaccess
and put in the following (AuthUserFile must be an absolute path):
AuthName "Secured Area"
AuthType Basic
AuthUserFile /var/www/myweb.com/administrator/.htpasswd
require valid-user
• Protect access to the phpmyadmin folder with htaccess
1. Open the phpmyadmin configuration file
sudo nano /etc/phpmyadmin/apache.conf
2. Add the following
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 (the IP address that should be allowed access)
Example:
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.1.0/24
<IfModule mod_php.c>
<IfModule mod_mime.c>
AddType application/x-httpd-php .php
</IfModule>
<FilesMatch ".+\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_admin_flag allow_url_fopen On
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/v$
</IfModule>
</Directory>
3. Restart apache2
sudo service apache2 restart