Building a perfect web server | Part 3

In part one we did some planning, decided what we were going to do with this server and bought some hardware.
In part two we updated the system, added the packages and got the web server listening on port 80.

In part 3 of Building a perfect web server we are going to start locking down the system.

Securing your web server

Securing your web server is not just about a firewall; relying solely on firewall rules to protect your system is putting the cart before the horse.
First we are going to harden this web server with absolutely no firewall in place. We will then have a good foundation to build that amazing firewall on.

Examine the web server you just built

Drop all the firewall rules on your web server. If it is sitting on an exposed network you obviously don’t do this, but I am assuming it is on your LAN in a protected environment.

iptables -F

The system is now totally open and exposing the TCP and UDP ports the server is listening on. This next step is not an exhaustive test but does give us a starting point for locking down services. I won’t go through every service, since the process, if not the procedure, is the same for each open port.

On your local machine download and install nmap.

My web server IP is 192.168.122.14 so I will be doing a quick SYN scan of the first 1024 ports using TCP from my local machine.

nmap -sS 192.168.122.14

Results:

nmap scan report for 192.168.122.14
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

We will need port 80 open since this is your web server and we want people to find us.

Port 22 is “ssh”, which we will leave open.

We do not want or need MySQL listening on the network.

Please see Securing your MySQL on your web server, then come back here and continue.

Re-scan the system from your local machine.

nmap -sS 192.168.122.14

Results:

nmap scan report for 192.168.122.14
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

MySQL is no longer detectable by nmap as a port, open or closed. If you can still see it, have another look at Securing your MySQL web server.
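As an added example that is not part of the original post: a small shell audit that applies the same rule (only ports 22 and 80 may face the network) to `ss -ltn` style output, so the check can be repeated on the server itself without nmap. The sample `ss` lines are constructed, and the allow list and the `count_findings` helper are my own assumptions, not the series' own tooling.

```shell
#!/bin/sh
# Added example (not from the original post): audit listening TCP sockets
# against the two ports this series intends to expose (22 and 80).
# A socket is a finding only if it listens on a non-loopback address
# AND its port is not in ALLOWED_PORTS (MySQL bound to 127.0.0.1 is fine).

# Constructed sample, in the layout of `ss -Hltn` (no header line):
# State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'

ALLOWED_PORTS="22 80"   # assumed allow list for this web server

# is_allowed PORT -> exit 0 if PORT is in ALLOWED_PORTS
is_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# audit_listeners reads ss-style lines on stdin and prints one line
# ("PORT ADDRESS") per unexpected network-facing listener. Loopback
# sockets (127.0.0.0/8 and ::1) are skipped: the LAN cannot reach them.
audit_listeners() {
    while read -r state recvq sendq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}      # text after the last colon
        addr=${laddr%:*}       # everything before the last colon
        case "$addr" in
            127.*) continue ;;
        esac
        [ "$addr" = "[::1]" ] && continue
        is_allowed "$port" || echo "$port $addr"
    done
}

# count_findings returns the number of unexpected listeners in the sample,
# so a cron job or CI step can fail when it is non-zero.
count_findings() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners | wc -l | tr -d ' '
}

# Live use on the server itself:  ss -Hltn | audit_listeners
```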

Securing OpenSSH

OpenSSH is secure and is used by almost everyone to get command-line access to *NIX servers all over the world.

Remember that all communication transmitted via ssh is encrypted, including the password exchange. The primary reason SSH gets hacked has nothing to do with SSH itself but with human error. While we cannot eliminate human error, we can make it harder to make a mistake.

Only allow specific users to connect to the service.

If you are the only person who is going to connect to the server and make changes, then there is no reason that you cannot use the root account. By using the root account and never creating any other accounts you are reducing the amount of user management on this server.
Abandoned and forgotten user accounts with user-created keys and passwords are a far more likely entry point than a brute force attack on the root account.

If you need more than one administrator, or you need to allow access to the server for other users, then you will need to set up users and sudo. I will cover that somewhere else.

Set your passphrase
passwd

Choose a passphrase and not a password.



Only allow ssh from specific locations

While locking down ssh to an IP address may seem like good security, it is not really that convenient or secure, since IP addresses can easily be spoofed to appear to come from anywhere. It also makes management of your server harder if you need to access the system from Starbucks wireless. It is better to allow ssh from anywhere but limit the number of connection attempts from any one location. We will do this when we set up the firewall.