Instructions to set up a basic LAMP+SSH server environment
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

4115 lines
243 KiB

6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
  1. Linux servers - Exercice 5
  2. ==============
  3. *Disclaimer:*
  4. --------------
  5. This exercise is a part of [Linux servers (ICT4TN021, spring 2018) // Linux-palvelimet (ICT4TN021, kevät 2018)](http://www.haaga-helia.fi/fi/opinto-opas/opintojaksokuvaukset/ICT4TN021) school course organized as a part of Information Technology studies in Haaga-Helia university of Applied Sciences, Helsinki, Finland. Course lecturer [Tero Karvinen](http://terokarvinen.com/) has defined the original assignment descriptions in Finnish presented in this document in English. Answers and translations have been written by Pekka Helenius (me, ~ Fincer).
  6. **a)** Install SSH server daemon
  7. --------------
  8. **Answer:**
  9. SSH daemon has already been installed on the virtual server machine (you can't establish a connection to the server with a SSH client program otherwise). However, the installation on Debian-based systems goes as follows:
  10. ```
  11. phelenius@my-machine:~$ sudo apt-get update && sudo apt-get install openssh-server
  12. ```
  13. Start SSH daemon and check whether it is active or not:
  14. ```
  15. phelenius@my-machine:~$ sudo systemctl start sshd.service
  16. phelenius@my-machine:~$ [[ $(systemctl is-active sshd | grep ^active | wc -w) -eq 1 ]] && echo "REPLY: SSH server daemon is active" || echo "REPLY: SSH server daemon is not active"
  17. REPLY: SSH server daemon is active
  18. ```
  19. SSH server daemon has been installed and is active on the server computer. Let's take a look-up into Systemd process tree:
  20. ```
  21. phelenius@my-machine:~$ sudo systemctl status
  22. ...
  23. CGroup: /
  24. ├─init.scope
  25. │ └─1 /lib/systemd/systemd --system --deserialize 20
  26. ├─system.slice
  27. ...
  28. │ ├─ssh.service
  29. │ │ ├─1534 /usr/sbin/sshd -D
  30. │ │ ├─2365 sshd: [accepted]
  31. │ │ └─2366 sshd: [net]
  32. ```
  33. Linux servers - Exercice 5Linux servers - Exercice 5
  34. ==============
  35. *Disclaimer:*
  36. --------------
  37. This exercise is a part of [Linux servers (ICT4TN021, spring 2018) // Linux-palvelimet (ICT4TN021, kevät 2018)](http://www.haaga-helia.fi/fi/opinto-opas/opintojaksokuvaukset/ICT4TN021) school course organized as a part of Information Technology studies in Haaga-Helia university of Applied Sciences, Helsinki, Finland. Course lecturer [Tero Karvinen](http://terokarvinen.com/) has defined the original assignment descriptions in Finnish presented in this document in English. Answers and translations have been written by Pekka Helenius (me, ~ Fincer).
  38. **a)** Install SSH server daemon
  39. --------------
  40. **Answer:**
  41. SSH daemon has already been installed on the virtual server machine (you can't establish a connection to the server with a SSH client program otherwise). However, the installation on Debian-based systems goes as follows:
  42. ```
  43. phelenius@my-machine:~$ sudo apt-get update && sudo apt-get install openssh-server
  44. ```
  45. Start SSH daemon and check whether it is active or not:
  46. ```
  47. phelenius@my-machine:~$ sudo systemctl start sshd.service
  48. phelenius@my-machine:~$ [[ $(systemctl is-active sshd | grep ^active | wc -w) -eq 1 ]] && echo "REPLY: SSH server daemon is active" || echo "REPLY: SSH server daemon is not active"
  49. REPLY: SSH server daemon is active
  50. ```
  51. SSH server daemon has been installed and is active on the server computer. Let's take a look-up into Systemd process tree:
  52. ```
  53. phelenius@my-machine:~$ sudo systemctl status
  54. ...
  55. CGroup: /
  56. ├─init.scope
  57. │ └─1 /lib/systemd/systemd --system --deserialize 20
  58. ├─system.slice
  59. ...
  60. │ ├─ssh.service
  61. │ │ ├─1534 /usr/sbin/sshd -D
  62. │ │ ├─2365 sshd: [accepted]
  63. │ │ └─2366 sshd: [net]
  64. ```
  65. Linux servers - Exercice 5
  66. ==============
  67. *Disclaimer:*
  68. --------------
  69. This exercise is a part of [Linux servers (ICT4TN021, spring 2018) // Linux-palvelimet (ICT4TN021, kevät 2018)](http://www.haaga-helia.fi/fi/opinto-opas/opintojaksokuvaukset/ICT4TN021) school course organized as a part of Information Technology studies in Haaga-Helia university of Applied Sciences, Helsinki, Finland. Course lecturer [Tero Karvinen](http://terokarvinen.com/) has defined the original assignment descriptions in Finnish presented in this document in English. Answers and translations have been written by Pekka Helenius (me, ~ Fincer).
  70. **a)** Install SSH server daemon
  71. --------------
  72. **Answer:**
  73. SSH daemon has already been installed on the virtual server machine (you can't establish a connection to the server with a SSH client program otherwise). However, the installation on Debian-based systems goes as follows:
  74. ```
  75. phelenius@my-machine:~$ sudo apt-get update && sudo apt-get install openssh-server
  76. ```
  77. Start SSH daemon and check whether it is active or not:
  78. ```
  79. phelenius@my-machine:~$ sudo systemctl start sshd.service
  80. phelenius@my-machine:~$ [[ $(systemctl is-active sshd | grep ^active | wc -w) -eq 1 ]] && echo "REPLY: SSH server daemon is active" || echo "REPLY: SSH server daemon is not active"
  81. REPLY: SSH server daemon is active
  82. ```
  83. SSH server daemon has been installed and is active on the server computer. Let's take a look-up into Systemd process tree:
  84. ```
  85. phelenius@my-machine:~$ sudo systemctl status
  86. ...
  87. CGroup: /
  88. ├─init.scope
  89. │ └─1 /lib/systemd/systemd --system --deserialize 20
  90. ├─system.slice
  91. ...
  92. │ ├─ssh.service
  93. │ │ ├─1534 /usr/sbin/sshd -D
  94. │ │ ├─2365 sshd: [accepted]
  95. │ │ └─2366 sshd: [net]
  96. ```
  97. Executable root binary file (sbin) is _/usr/sbin/sshd_ with command parameter _-D_ (Process Identifier/Process ID/PID is 1534).
  98. **NOTE!** The following is stated about _-D_ parameter in sshd manual:
  99. ```
  100. phelenius@my-machine:~$ man sshd | grep -E "\-D" -C1
  101. -D When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.
  102. ```
  103. _-D_ parameter definition by [SSH Communications Security](https://www.ssh.com/ssh/sshd/):
  104. > -D Do not detach and become daemon. This is often used when sshd is run using systemd. This allows easier monitoring of the process in such environments. Without this option, the SSH server forks and detaches from terminal, making itself a background daemon process. The latter has been the traditional way to run the SSH server until recently. Many embedded systems would still use the latter.
  105. About relevance of the _-D_ parameter has been discussed, for example, on [superuser.com (Differences between ssh -L to -D](https://superuser.com/questions/408031/differences-between-ssh-l-to-d).
  106. **b)** Establish a firewall protection to the server computer (Note: allow SSH traffic before that)
  107. --------------
  108. **Answer:**
  109. The firewall protection is done by using Linux kernel ip_table module(s). Firewall rules can be modified in User Space with the corresponding iptables command or with the simplified Python 3 based program/script 'Uncomplicated Firewall' (ufw). Other firewall solutions also exists on Linux, please see title 'Other firewall solutions' below.
  110. We can check which loadable kernel modules have been enabled in Linux kernel with the kernel-related lsmod command.
  111. ```
  112. phelenius@my-machine:~$ man lsmod | sed -n '/NAME/{n;p}' | sed 's/\s*//'
  113. lsmod - Show the status of modules in the Linux Kernel
  114. ...
  115. phelenius@my-machine:~$ lsmod |grep filter
  116. ip6table_filter 16384 1
  117. ip6_tables 28672 1 ip6table_filter
  118. iptable_filter 16384 1
  119. ip_tables 24576 1 iptable_filter
  120. x_tables 36864 14 ip6table_filter,xt_hl,xt_recent,ip_tables,xt_tcpudp,xt_limit,xt_conntrack,xt_LOG,iptable_filter,ip6t_rt,ipt_REJECT,ip6_tables,xt_addrtype,ip6t_REJECT
  121. ```
  122. Source codes of these modules can be found on git.kernel.org: [ipv6 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter), [ipv6 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter.c), [ipv4 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter), [ipv4 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter.c)
  123. By default, Uncomplicated Firewall (ufw) is usually pre-installed on many Linux distributions, including Debian-based systems. Let's confirm that:
  124. ```
  125. phelenius@my-machine:~$ if [[ $(dpkg --get-selections |grep ufw | awk '{print $1}' | wc -l) -eq 0 ]]; then sudo apt-get update && sudo apt-get -y install ufw && echo "REPLY: UFW is installed now"; else echo "REPLY: UFW has already been installed"; fi
  126. REPLY: UFW has already been installed
  127. ```
  128. Therefore ufw firewall is installed. Otherwise it would be installed on the system with _apt-get install_ command.
  129. By default, the Linux firewall blocks SSH input traffic (default port 22). This input port can be opened by applying the following ufw command:
  130. ```
  131. phelenius@my-machine:~$ sudo ufw allow 22/tcp
  132. ```
  133. or with the command (however, not specific port number is defined here):
  134. ```
  135. phelenius@my-machine:~$ sudo ufw allow ssh
  136. ```
  137. Afterwards, UFW can be re-enabled with the following command:
  138. ```
  139. phelenius@my-machine:~$ sudo ufw enable
  140. Command may disrupt existing ssh connections. Proceed with operation (y|n)?
  141. ```
  142. Your answer should be 'y' (yes). The firewall does not close (possibly already established) SSH connection because we have opened port 22 TCP input traffic. We get a notification, stating:
  143. ```
  144. Firewall is active and enabled on system startup
  145. ```
  146. The message is bit unclear, because according to some testing, the ufw firewall may still not be enabled on system boot. Automated start of ufw during system boot can foolproofly be enabled with:
  147. ```
  148. phelenius@my-machine:~$ sudo systemctl enable ufw.service
  149. Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service -> /usr/lib/systemd/system/ufw.service.
  150. ```
  151. Alternatively, the following message may appear:
  152. ```
  153. Synchronizing state of ufw.service with SysV init with /lib/systemd/systemd-sysv-install...
  154. Executing /lib/systemd/systemd-sysv-install enable ufw
  155. ```
  156. **iptables:**
  157. 1. Remove ufw from the Linux system, and remove all relevant ufw entries from iptables firewall rule list.
  158. **NOTE!** Warning: (May) delete other important iptables rules configured by system administration!
  159. **NOTE!** Be sure that you have direct access (local terminal, without network) to the target machine in a case of failure. Otherwise you may lock yourself out from the server.
  160. ```
  161. sudo systemctl stop ufw.service && sudo systemctl disable ufw.service
  162. sudo apt-get purge --remove ufw
  163. sudo iptables --flush && sudo iptables --delete-chains
  164. ```
  165. 2. Confirm deletion of ufw entries from iptables firewall rule list with
  166. ```
  167. sudo iptables -S
  168. ```
  169. Output should be:
  170. ```
  171. -P INPUT ACCEPT
  172. -P FORWARD ACCEPT
  173. -P OUTPUT ACCEPT
  174. ```
  175. 3. Add new firewall rules to iptables and keep already established connections open:
  176. ```
  177. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  178. ```
  179. 4. Drop all connections, excluding already established connections like SSH:
  180. ```
  181. sudo iptables -A INPUT -j DROP
  182. sudo iptables -A FORWARD -j DROP
  183. ```
  184. 5. Allow SSH traffic (port number: 22, protocol: tcp, etc.):
  185. ```
  186. sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
  187. ```
  188. **NOTE!** This applies only to IPv4 connections. For IPv6, check [iptables6](https://www.linux.com/learn/intro-to-linux/2017/8/iptables-rules-ipv6).
  189. **NOTE!** The forementioned command can be written so that connections only from a single IP is allowed, by using eth0 network interface. For example:
  190. ```
  191. sudo iptables -I INPUT -p tcp -i eth0 -s 231.123.24.24 --dport 22 -j ACCEPT
  192. ```
  193. **NOTE:** Be sure you have enabled 'net.ifnames=0' in your udev rules to get network interface names like 'eth0', 'wlan0' etc.!
  194. More about setting iptables firewall rules, take a look on [DigitalOcean website](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) and [iptables - Append vs. Insert - website](https://serverfault.com/questions/472258/difference-between-iptables-a-and-i-option), for example.
  195. 6. Confirm proper iptables firewall rules with 'sudo iptables -S' command:
  196. ```
  197. -P INPUT ACCEPT
  198. -P FORWARD ACCEPT
  199. -P OUTPUT ACCEPT
  200. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  201. -A INPUT -j DROP
  202. -A FORWARD -j DROP
  203. -I INPUT -p tcp --dport 22 -j ACCEPT
  204. ```
  205. 7. Save the rules so that they won't be lost after rebooting:
  206. ```
  207. sudo iptables-save | sudo tee /etc/iptables/iptables.save > /dev/null
  208. cat /etc/iptables/iptables.save
  209. ```
  210. 8. Apply and enable the rules. You can restart iptables service (Packet Filtering Framework) if you prefer to do so:
  211. ```
  212. sudo iptables-restore && sudo systemctl restart iptables.service
  213. ```
  214. 9. Confirm the current iptables firewall rules with the command 'sudo iptables -S'.
  215. More about iptables:
  216. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, SSH service](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#service-ssh)
  217. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, Saving rules](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#saving-rules).
  218. - [The Geek Stuff - 25 Most Frequently Used Linux IPTables Rules Examples](https://www.thegeekstuff.com/2011/06/iptables-rules-examples)
  219. **Other firewall solutions:**
  220. In addition to ufw, other iptables-based firewall solutions have been developed on Linux. Take a look on [Firestarter](http://www.fs-security.com/), [Firewalld](https://fedoraproject.org/wiki/Firewalld?rd=FirewallD), [PeerGuardian](https://sourceforge.net/projects/peerguardian/?source=navbar), [FWBuilder](http://www.fwbuilder.org/), etc.
  221. ------------------------------------------------
  222. **EXTRA - root account: more restrictions**
  223. In addition to previous root restrictions, the following extra restrictions were applied, too:
  224. - root default shell were changed to _/sbin/nologin_ in file _/etc/passwd_
  225. - root account were locked by applying command _sudo usermod root --lock_ (this was done already, it sets up an exclamation mark prefix to the root account password in file _/etc/shadow_
  226. - root access removal of TTY sessions by commenting out relevant lines in file _/etc/securetty_
  227. - SSH: setting _PermitRootLogin no_ were applied in SSH server configuration file _/etc/ssh/sshd_config_
  228. PAM configuration files (Pluggable Authentitation Modules) were not altered in _/etc/pam.d/_ although security can be improved by applying some special system-spefific authentication rules there. PAM rules can restrict root permissions as well, including executable daemon processes and commands (i.e. you can restrict even root execution rights in the target system, in contradiction what is usually told for new Linux users that "root can do anything". With PAM, you can restrict that "anything" privilege.)
  229. Reference: [Red Hat - 4.4.2. Disallowing Root Access](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html)
  230. **c)** Transfer files using SSH protocol
  231. --------------
  232. **Answer:**
  233. Let's use [Secure Copy (scp)](https://en.wikipedia.org/wiki/Secure_copy) command for file transfers.
  234. The assignment has been done in the following command sequence. The following steps are executed:
  235. 1. Create new subdirectory _httpd_ into the current user's home directory on the local computer
  236. 2. Download related control, description and patch files of debian package of Apache web server, version _2.4.18-2ubuntu3.5_ from archive.ubuntu.com ([packages.ubuntu.com](https://packages.ubuntu.com/xenial/apache2)). Target directory for the download is the recently created subdirectory _httpd_
  237. 3. Extract the downloaded archive files into $HOME/httpd. Subdirectory _debian_ will be created in _httpd_ directory.
  238. 4. Establish a new SSH connection to the server computer with server user _newuser_, use port 1234 and create directory _$HOME/patches_ for this user.
  239. 5. Transfer all local files (and directories) which 1) start with any character 2) end with suffix _diff_ and _patch_ 3) locate at the current user's _./httpd/debian/patches/_ subdirectory
  240. to the directory _$HOME/patches_ located at the server computer (where $HOME=/home/newuser/). SSH connection port is 1234. Use command scp.
  241. For more information about patches, check
  242. - [What is the format of a patch file - stackoverflow.com](https://stackoverflow.com/questions/987372/what-is-the-format-of-a-patch-file)
  243. - [Patch command examples - thegeekstuff.com](https://www.thegeekstuff.com/2014/12/patch-command-examples))
  244. 6. List contents of the remote subdirectory _$HOME/patches_ with SSH connection, use port 1234..
  245. 7. Delete current user's local subdirectory _httpd_ and its contents. _-R_ or _-r_ stands for recursive deletion, _-f_ stands for forceful removal. Remote files in the server computer's directory _/home/newuser/patches/_ will be kept intact.
  246. ```
  247. [20/02/2018 13:24:40 - fincer: ~ ]$ mkdir httpd
  248. [20/02/2018 13:24:54 - fincer: ~ ]$ wget http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz -P httpd
  249. --2018-02-20 13:25:13-- http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz
  250. Resolving archive.ubuntu.com... 2001:67c:1560:8001::11, 2001:67c:1360:8001::17, 2001:67c:1560:8001::14, ...
  251. Connecting to archive.ubuntu.com|2001:67c:1560:8001::11|:80... connected.
  252. HTTP request sent, awaiting response... 200 OK
  253. Length: 387448 (378K) [application/x-xz]
  254. Saving to: ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’
  255. apache2_2.4.18-2ubuntu3.5.debian.tar.xz 100%[==================================================================================>] 378.37K 450KB/s in 0.8s
  256. 2018-02-20 13:25:15 (450 KB/s) - ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’ saved [387448/387448]
  257. [20/02/2018 13:25:15 - fincer: ~ ]$ tar xf apache2_2.4.18-2ubuntu3.5.debian.tar.xz -C httpd
  258. [20/02/2018 13:25:35 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 mkdir patches
  259. newuser@174.138.2.190's password:
  260. [20/02/2018 13:26:12 - fincer: ~ ]$ scp -P 1234 ./httpd/debian/patches/*.{diff,patch} newuser@174.138.2.190:./patches/
  261. newuser@174.138.2.190's password:
  262. hostnames_with_underscores.diff 100% 479 114.6KB/s 00:00
  263. reproducible_builds.diff 100% 1710 427.2KB/s 00:00
  264. build_suexec-custom.patch 100% 1981 473.6KB/s 00:00
  265. customize_apxs.patch 100% 9316 888.9KB/s 00:00
  266. CVE-2016-0736.patch 100% 12KB 867.4KB/s 00:00
  267. CVE-2016-2161.patch 100% 4787 493.1KB/s 00:00
  268. CVE-2016-5387.patch 100% 666 287.9KB/s 00:00
  269. CVE-2016-8743.patch 100% 80KB 1.0MB/s 00:00
  270. CVE-2017-3167.patch 100% 8922 698.9KB/s 00:00
  271. CVE-2017-3169.patch 100% 4663 458.1KB/s 00:00
  272. CVE-2017-7668.patch 100% 1746 482.5KB/s 00:00
  273. CVE-2017-7679.patch 100% 1925 527.4KB/s 00:00
  274. CVE-2017-9788.patch 100% 2252 582.1KB/s 00:00
  275. CVE-2017-9798.patch 100% 1172 381.3KB/s 00:00
  276. fhs_compliance.patch 100% 2541 635.6KB/s 00:00
  277. no_LD_LIBRARY_PATH.patch 100% 444 199.8KB/s 00:00
  278. prefork_single_process_crash.patch 100% 773 359.0KB/s 00:00
  279. suexec-custom.patch 100% 5785 792.4KB/s 00:00
  280. suexec-CVE-2007-1742.patch 100% 2356 589.3KB/s 00:00
  281. suexec_is_shared.patch 100% 622 194.1KB/s 00:00
  282. [20/02/2018 13:28:03 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 ls -l ./patches
  283. newuser@174.138.2.190's password:
  284. total 196
  285. -rw-r--r-- 1 newuser newuser 12446 Feb 20 11:38 CVE-2016-0736.patch
  286. -rw-r--r-- 1 newuser newuser 4787 Feb 20 11:38 CVE-2016-2161.patch
  287. -rw-r--r-- 1 newuser newuser 666 Feb 20 11:38 CVE-2016-5387.patch
  288. -rw-r--r-- 1 newuser newuser 81900 Feb 20 11:38 CVE-2016-8743.patch
  289. -rw-r--r-- 1 newuser newuser 8922 Feb 20 11:38 CVE-2017-3167.patch
  290. -rw-r--r-- 1 newuser newuser 4663 Feb 20 11:38 CVE-2017-3169.patch
  291. -rw-r--r-- 1 newuser newuser 1746 Feb 20 11:38 CVE-2017-7668.patch
  292. -rw-r--r-- 1 newuser newuser 1925 Feb 20 11:38 CVE-2017-7679.patch
  293. -rw-r--r-- 1 newuser newuser 2252 Feb 20 11:38 CVE-2017-9788.patch
  294. -rw-r--r-- 1 newuser newuser 1172 Feb 20 11:38 CVE-2017-9798.patch
  295. -rw-r--r-- 1 newuser newuser 1981 Feb 20 11:38 build_suexec-custom.patch
  296. -rw-r--r-- 1 newuser newuser 9316 Feb 20 11:38 customize_apxs.patch
  297. -rw-r--r-- 1 newuser newuser 2541 Feb 20 11:38 fhs_compliance.patch
  298. -rw-r--r-- 1 newuser newuser 479 Feb 20 11:38 hostnames_with_underscores.diff
  299. -rw-r--r-- 1 newuser newuser 444 Feb 20 11:38 no_LD_LIBRARY_PATH.patch
  300. -rw-r--r-- 1 newuser newuser 773 Feb 20 11:38 prefork_single_process_crash.patch
  301. -rw-r--r-- 1 newuser newuser 1710 Feb 20 11:38 reproducible_builds.diff
  302. -rw-r--r-- 1 newuser newuser 2356 Feb 20 11:38 suexec-CVE-2007-1742.patch
  303. -rw-r--r-- 1 newuser newuser 5785 Feb 20 11:38 suexec-custom.patch
  304. -rw-r--r-- 1 newuser newuser 622 Feb 20 11:38 suexec_is_shared.patch
  305. [20/02/2018 13:32:01 - fincer: ~ ]$ rm -Rf httpd
  306. ```
  307. **d)** Automate SSH login with public key method
  308. --------------
  309. **Answer:**
  310. 1. Let's generate a key pair on the client computer with a user who is wanted to have the public key authentication method for SSH connections. Both private and public keys are generated with 'ssh-keygen' command. Accept the default settings unless you have any requirements to customize them.
  311. 2. Copy the _public_ key to the server computer with your SSH client using command 'ssh-copy-id -i $HOME/.ssh/id_rsa.pub username@server-ip-or-name'. The command copies your public key to the subdirectory *.ssh/authorized_keys* located at the server computer.
  312. **NOTE!** Copy public key only, do **NOT** copy the private key!
  313. More about the topic:
  314. [ssh.com - Key Pair - Public and Private](https://www.ssh.com/ssh/public-key-authentication#sec-Key-Pair-Public-and-Private)
  315. 3. Let confirm that SSH server daemon configuration file (_/etc/ssh/sshd_config_ by default) has the following settings in place (either use 'sudo nano _/etc/ssh/sshd_config_' or 'sudoedit _/etc/ssh/sshd_config_'):
  316. ```
  317. AuthenticationMethods publickey
  318. PubkeyAuthentication yes
  319. AuthorizedKeysFile .ssh/authorized_keys
  320. ```
  321. **Extra hint 1:** SSH client settings are generally defined in _/etc/ssh/ssh_config_
  322. **Extra hint 2:** You can use ssh command with _-v_ parameter to gain more information about used authentication methods in unclear cases or for debugging purposes. The _-v_ parameter is defined as follows:
  323. > -v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity. The maximum is 3.
  324. 4. We shall restart server SSH daemon with _sudo systemctl restart sshd.service_ command (note! this interrupts any existing & opened SSH connections)
  325. 5. We shall test public key authentication from the client computer. Use same user account which you previously used for executing _ssh-keygen_ command on the client computer. The client computer user should be able to login into SSH server without a password.
  326. **EXTRA: Modifying welcome banner**
  327. Let's modify default Ubuntu login/SSH banner message by executing the following bash script:
  328. ```
  329. #!/bin/bash
  330. # Modify SSH login banner message
  331. ## 00-header file:
  332. #
  333. sudo sed -i 's?printf "Welcome to %s (%s %s %s)\\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"?printf "Welcome to %s\\nUptime:
  334. %s\\n\\n" "Server Computer" "$(uptime)"?' /etc/update-motd.d/00-header
  335. ## File extensions of the following files will be modified
  336. ## We could also remove these files with 'sudo rm <file>'
  337. #
  338. FILES=( 10-help-text 51-cloudguest 90-updates-available 91-release-upgrade )
  339. cd /etc/update-motd.d/
  340. for file in ${FILES[@]}; do sudo mv $file $file.old; done
  341. cd
  342. ```
  343. **NOTE:** Location of the banner file varies between different Linux distributions. For instance, Arch Linux uses banner file _/etc_motd_.
  344. **j)** Install, configure and start sysstat. Use sar command to confirm whether the sysstat package services have been enabled (for instance, log entry "Linux reboot..." exists). Run sysstat a day or two. Afterwards, check computer workload history with sysstat commands sar, iostat, pidstat etc. Analyze the results, i.e. explain the results in detail.
  345. --------------
  346. **Answer:**
  347. 1. We shall connect to the server computer (running Ubuntu) and then install the required package with command sequence 'sudo apt-get update && sudo apt-get install -y install sysstat'
  348. 2. Run [shell-based sysstat script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/sysstat_command.sh) which runs sar and pidstat commands two days with 20 second intervals.
  349. **NOTE!** The script could have been opmitized more for the real requirements for the server environment (statistics interval, collection period, etc.)
  350. 3. The script described in step 2 has generated sar analytics file 'sar-stats_2018-02-24_2018-02-26.file' into path '/home/newuser/sar_statistics/' on the server computer.
  351. Time period: 24. - 26.02.2018
  352. The following sums up some command samples which can be applied to the analytics file.
  353. | File | Description |
  354. |------------------------------------|-------------------------------------------------|
  355. | sar -u -f <analytics-file> | Processor workload statistics |
  356. | sar -v -f <analytics-file> | Inode and file statistics |
  357. | sar -r -f <analytics-file> | Memory consumption statistics |
  358. | sar -n DEV -f <analytics-file> | Network stats: devices |
  359. | sar -n EDEV -f <analytics-file> | Network stats: errors in devices |
  360. | sar -n IP -f <analytics-file> | Network stats: IPv4 traffic |
  361. | sar -n EIP -f <analytics-file> | Network stats: errors in IPv4 traffic |
  362. | sar -n IP6 -f <analytics-file> | Network stats: IPv6 traffic |
  363. | sar -n EIP6 -f <analytics-file> | Network stats: errors in IPv6 traffic |
  364. | sar -n SOCK -f <analytics-file> | Network stats: IPv4 socket |
  365. | sar -n SOCK6 -f <analytics-file> | Network stats: IPv6 socket |
  366. | sar -n TCP -f <analytics-file> | Network stats: TCPv4 protocol traffic |
  367. | sar -n ETCP -f <analytics-file> | Network stats: errors in TCPv4 protocol traffic |
  368. | sar -S -f <analytics-file> | Swap memory consumption |
  369. | sar -w -f <analytics-file> | Process statistics |
  370. | sar -F MOUNT / -f <analytics-file> | File system which is mounted at / |
  371. Statistics can be combined etc, as you can find out with 'man sar' command:
  372. ```
  373. sar -u 2 5
  374. Report CPU utilization for each 2 seconds. 5 lines are displayed.
  375. sar -I 14 -o int14.file 2 10
  376. Report statistics on IRQ 14 for each 2 seconds. 10 lines are displayed. Data are stored in a file called int14.file.
  377. sar -r -n DEV -f /var/log/sysstat/sa16
  378. Display memory and network statistics saved in daily data file 'sa16'.
  379. sar -A
  380. Display all the statistics saved in current daily data file.
  381. ```
  382. Or [The Geek Stuff - 10 Useful Sar (Sysstat) Examples for UNIX / Linux Performance Monitoring](https://www.thegeekstuff.com/2011/03/sar-examples/?utm_source=feedburner)
  383. What are inode and swap? Check
  384. - [inode - 1](https://www.cyberciti.biz/tips/understanding-unixlinux-filesystem-inodes.html)
  385. - [inode - 2](https://unix.stackexchange.com/questions/117093/find-where-inodes-are-being-used)
  386. - [Swap](https://wiki.archlinux.org/index.php/swap)
  387. Additionally, the following pidstat files were generated:
  388. | File | Description |
  389. |----------------------------|------------------------------------|
  390. | pidstat_stats_cpu-tasks | Processor workload statistics |
  391. | pidstat_stats_io | I/O statistics |
  392. | pidstat_stats_kerneltables | Statistics of Linux kernel tables |
  393. | pidstat_stats_pagefaults | Page fault statistics |
  394. | pidstat_stats_stacks | Process stack statistics |
  395. (Check. [Stacks](https://stackoverflow.com/questions/8905271/what-is-the-linux-stack), [Page fault](https://en.wikipedia.org/wiki/Page_fault))
  396. Additionally, iostat command was run on the background.
  397. 4. Let's take a closer look on two sar analytics files and I/O statistics file. The following commands open analytics files in more detailed view.
  398. ------------------------------------------------
  399. **SAR network statistics - IPv4 traffic**
  400. **command: sar -n IP -f sar-stats_2018-02-24_2018-02-26.file**
  401. ![sar-stats-ipv4](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-stats_ipv4.png)
  402. **Observation period:** 24.-26.02.2018
  403. | Field | Description | Average |
  404. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
  405. | Left column | Record time | |
  406. | irec/s | The total number of input datagrams received from interfaces per second, including those received in error. | 1.33 |
  407. | fwddgm/s | The number of input datagrams per second, for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. | 0.00 |
  408. | idel/s | The total number of input datagrams,successfully,delivered,per,second,to,IP user-protocols (including ICMP). | 1.30 |
  409. | orq/s | The total number of IP datagrams which local IP user-protocols (including ICMP) supplied per second to IP in requests for,transmission. Note that this,counter,does,not include any datagrams counted in fwddgm/s. | 1.45 |
  410. | asmrq/s | The number of IP fragments received per second which needed to be reassembled at this entity. | 0.00 |
  411. | asmok/s | The number of IP datagrams successfully re-assembled per second. | 0.00 |
  412. | fragok/s | The number of IP datagrams that,have,been,successfully fragmented at this entity per second. | 0.00 |
  413. | fragcrt/s | The number of IP datagram fragments that have been generated per second as a result of fragmentation at this entity. | 0.00 |
  414. **NOTE!** Descriptions are provided in sysstat package (manpages).
  415. **ANALYSIS - IPV4**
  416. The server computer has not forwarded a single datagram in the observation period. Input network traffic has been received which can be concluded by observing _irec/s_, _idel/s_ and _orq/s_ field values. The current workload of the server computer is very low, including only HTTP daemon (Apache web server) and SSH server daemon. No webpages are available on the server which could increase input HTTP/HTTPS protocol based traffic. HTTPS was not enabled in the server computer.
  417. By default, the server computer allows 128 simultaneous input network connections (command 'cat /proc/sys/net/core/somaxconn'. NOTE!: The value can be changed by issuing 'echo 1024 | sudo tee /proc/sys/net/core/somaxconn', for example).
  418. MTU value of the web server computer for network interface eth0 was 1500 (you can check it with 'ifconfig' command). MTU stands for 'Maximum Transmission Unit' which determines the highest PDU unit ([Protocol Data Unit](https://en.wikipedia.org/wiki/Protocol_data_unit)) that can be transferred over the network at once.
  419. Check also
  420. - [MTU - hyperlink 1](http://www.tcpipguide.com/free/t_IPDatagramSizeMaximumTransmissionUnitMTUFragmentat.htm)
  421. - [MTU - hyperlink 2](https://en.wikipedia.org/wiki/Maximum_transmission_unit)
  422. - [Stack Overflow - What's the practical limit on the size of single packet transmitted over domain socket?](https://stackoverflow.com/questions/21856517/whats-the-practical-limit-on-the-size-of-single-packet-transmitted-over-domain)
  423. - [Stack Overflow - What is the default size of datagram queue length in Unix Domain Sockets (AF_UNIX)? Is it configurable?](https://stackoverflow.com/questions/21448960/what-is-the-default-size-of-datagram-queue-length-in-unix-domain-sockets-af-uni)
  424. - [IP fragmentation](https://en.wikipedia.org/wiki/IP_fragmentation)
  425. - Related article: [Linux Tune Network Stack (Buffers Size) To Increase Networking Performance](https://www.cyberciti.biz/faq/linux-tcp-tuning/)
  426. **NOTE!** About datagrams, [quoted from Wikipedia](https://en.wikipedia.org/wiki/Datagram#Internet_Protocol):
  427. > The term datagram is often considered synonymous to packet but there are some nuances. The term datagram is generally reserved for packets of an unreliable service, which cannot notify the sender if delivery fails, while the term packet applies to any packet, reliable or not. Datagrams are the IP packets that provide a quick and unreliable service like UDP, and all IP packets are datagrams; however, at the TCP layer, what is termed a TCP segment is the sometimes necessary IP fragmentation of a datagram, but those are referred to as "packets".
  428. ------------------------------------------------
  429. **SAR - memory consumption statistics - RAM & SWAP**
  430. **command: sar -r -f sar-stats_2018-02-24_2018-02-26.file**
  431. **command: sar -S -f sar-stats_2018-02-24_2018-02-26.file**
  432. ![sar-stats-memusage](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-stats_memusage.png)
  433. **Observation period:** 24.-26.02.2018
  434. NOTE! Average values are not visible in the attached picture!
  435. | Field | Description | Average |
  436. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
  437. | Left column | Record time | |
  438. | kbmemfree | Amount of free memory available in kilobytes. | 87631 KB (~ 87 MB) |
  439. | kbmemused | Amount,of,used,memory in kilobytes. This does not take into account memory used by the kernel itself. | 928 457 KB (~ 928 MB) |
  440. | %memused | Percentage of used memory. | 91.38 % |
  441. | kbbuffers | Amount of memory used as buffers by the kernel in kilobytes. | 77 746 KB (~ 77 MB) |
  442. | kbcached | Amount of memory used to cache data by the kernel in kilobytes. | 644 777 KB (~ 644 MB) |
  443. | kbcommit | Amount of memory in kilobytes needed for current workload. This is an estimate of how much RAM/swap is needed to guarantee that there never is out of memory. | 470 619 KB (~ 470 MB) |
  444. | %commit | Percentage of memory needed for current workload in relation to the total amount of memory (RAM+swap).,This number may be greater than 100% because the,kernel,usually overcommits memory. | 46.32 % |
  445. | kbactive | Amount of active memory in kilobytes (memory that has been used more recently and usually not reclaimed unless absolutely necessary). | 468 703 KB (~ 468 MB) |
  446. | kbinact | Amount of inactive memory in kilobytes (memory which has been less recently used. It is more eligible to be reclaimed for other purposes). | 301 098 KB (~ 301 MB) |
  447. | kbdirty | Amount of memory in kilobytes waiting to get written back to the disk. | 254 KB (0.254 MB) |
  448. **NOTE!** Descriptions are provided in sysstat package (manpages).
  449. **ANALYSIS - MEMORY STATISTICS**
  450. The target server memory size:
  451. ```
  452. [newuser@goauldhost: ~ ]$ cat /proc/meminfo | grep -i memtotal
  453. MemTotal: 1016088 kB
  454. ```
  455. i.e. approximately ~ 1016 MB.
  456. Great part of this memory were in use during the observation period. There were multiple active processes running on the server computer during the period, thus increased workload was intended and meant for statistics collection.
  457. The web server didn't have Swap partition or Swap file. This can be found out by
  458. - executing command 'for i in "cat /etc/fstab" "sudo fdisk -l"; do $i | grep -i swap; echo $?; done' which returns value 1 two times (meaning returning of 'false' boolean value to shell two separate times)
  459. - Or, for example:
  460. ```
  461. [newuser@goauldhost: ~ ]$ cat /etc/fstab
  462. LABEL=cloudimg-rootfs / ext4 defaults 0 0
  463. LABEL=UEFI /boot/efi vfat defaults 0 0
  464. [newuser@goauldhost: ~ ]$ sudo fdisk -l
  465. [sudo] password for newuser:
  466. Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors
  467. Units: sectors of 1 * 512 = 512 bytes
  468. Sector size (logical/physical): 512 bytes / 512 bytes
  469. I/O size (minimum/optimal): 512 bytes / 512 bytes
  470. Disklabel type: gpt
  471. Disk identifier: 39DFE5D0-C8FB-44D8-93F8-EBB37A54BDF8
  472. Device Start End Sectors Size Type
  473. /dev/vda1 227328 52428766 52201439 24.9G Linux filesystem
  474. /dev/vda14 2048 10239 8192 4M BIOS boot
  475. /dev/vda15 10240 227327 217088 106M Microsoft basic data
  476. ```
  477. It may not be wise to collect Swap statistics (although Linux kernel [Swappiness value](https://en.wikipedia.org/wiki/Swappiness) has default value 60 defined in file '/proc/sys/vm/swappiness' in DigitalOcean virtual servers).
  478. ------------------------------------------------
  479. **I/O statistics**
  480. ![sar-iostat](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-iostats.png)
  481. Main command: iostat -dmtx 20
  482. -d Display the device utilization report.
  483. -m Display statistics in megabytes per second.
  484. -t Print the time for each report displayed.
  485. -x Display extended statistics.
  486. 20 20 sec interval.
  487. | Field | Description |
  488. |--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
  489. | Device | Device or partition defined in system directory '/dev'. |
  490. | rrqm/s | The number of read requests merged per second that were queued to the device. |
  491. | wrqm/s | The percentage of write requests merged together before being sent to the device. |
  492. | r/s | The number (after merges) of read requests completed per second for the device. |
  493. | w/s | The number (after merges) of write requests completed per second for the device. |
  494. | rMB/s | The number of sectors (KB, MB) read from the device per second. |
  495. | wMB/s | The number of sectors (KB, MB) write from the device per second. |
  496. | avgrq-sz (areq-sz) | The average size (in kilobytes) of the I/O requests,that were issued to the device. |
  497. | avgqu-sz (aqu-sz) | The average queue length of the requests that were issued to the device. |
  498. | await | The average time (ms) for I/O requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  499. | r_await | The average time (ms) for read requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  500. | w_await | The average time (ms),for,write,requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  501. | svctm | The average service time (ms) for I/O requests that were issued to the device. This field will be removed in a future sysstat version. |
  502. | %util | Percentage of elapsed time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100% for devices serving requests serially. But for devices serving requests in parallel, such as RAID arrays and modern SSDs, this number does not reflect their performance limits. |
  503. **NOTE!** Descriptions are provided in sysstat package (manpages).
  504. **ANALYSIS - I/O STATISTICS**
  505. Virtual partition '/dev/vda' were hibernated most of the time during the observation period. Little variation can be seen in writing requests (wrqm/s), in succeeded writing requests (w/s) and in written sector count (wMB/s). Average sector size is 10-20 sectors (avgrq-sz) which is quite little. I/O and read request service times are mostly 0.0. Workload of the virtual hard drive is low during the observation period.
  506. ------------------------------------------------
  507. In addition to sysstat, 'top' command could have been used in some TTY session in order to observe processes in real time, and with [inotify](https://en.wikipedia.org/wiki/Inotify), some file system changes could have been reported. Sysstat's advantage is that programs which are included in it can record and save analytics in binary format for further and detailed inspection.
  508. **e)** (optional) Change sshd (SSH server process) port
  509. --------------
  510. **Answer:**
  511. Let the following shell script do the job...
  512. ```
  513. #!/bin/bash
  514. # SSH server daemon configuration file in the system
  515. SSH_CONFIG=/etc/ssh/sshd_config
  516. # New SSH server daemon input port as user input value.
  517. NEW_SSH_PORT=$1
  518. [[ -f $SSH_CONFIG ]] \
  519. && sed -i "s/.*Port.*/Port $NEW_SSH_PORT/" $SSH_CONFIG && echo "SSH server: new port $NEW_SSH_PORT is set." \
  520. || echo "SSH server configuration file could not be found!"
  521. if [[ $(cat $SSH_CONFIG | grep -i port | awk '{print $2}') == $NEW_SSH_PORT ]]; then
  522. echo -e "SSH server input port has been changed to $NEW_SSH_PORT.\n \
  523. Restarting SSH server daemon in order to apply the changes (root required)."
  524. sudo systemctl restart sshd.service
  525. if [[ $? == 0 ]]; then
  526. echo "SSH server daemon restarted, new input port is $NEW_SSH_PORT."
  527. else
  528. echo "Something went wrong while restarting SSH server daemon. Execute 'systemctl status sshd.service' \
  529. to get more information about the problem."
  530. fi
  531. fi
  532. ```
  533. Save the above script code in file '$HOME/ssh-port.sh', for example. Change the port with command 'bash $HOME/ssh-port.sh 4312' where the number value is your new SSH port (4312 in this case).
  534. ------------------------------------------------
  535. **EXTRA - Using new port address of SSH server daemon when connecting with a client computer/program**
  536. Changing SSH server input port on the server computer must be taken into account while establishing connection with a client computer. Because the default SSH port 22 is not used anymore, the following syntax must be applied while connecting to the SSH server computer:
  537. ```
  538. [19/02/2018 23:23:49 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p <new-port-number>
  539. ```
  540. ------------------------------------------------
  541. **EXTRA - detecting SSH port change with port scanning techniques (nmap)**
  542. Enable log level VERBOSE in '/etc/ssh/sshd_config' configuration file (LogLevel VERBOSE), restart SSH server daemon with command 'sudo systemctl restart sshd.service' and try port scanning with another computer.
  543. Port scanning:
  544. ```
  545. nmap -sS -F -v -O 174.138.2.190
  546. ```
  547. nmap output when port scanning is applied with another computer using target IP 174.138.2.190 and port 1234 (note! This scanning has been applied to my own server only _once_ as an experiment, not in bad intentions! Make sure you have permission to proceed with your scanning and do not attack to any server just for fun, to avoid any problems!):
  548. ```
  549. phelenius@my-machine:~$ sudo nmap -sS -p 1234 -O -v 174.138.2.190
  550. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-19 20:02 EET
  551. Initiating Ping Scan at 20:02
  552. Scanning 174.138.2.190 [4 ports]
  553. Completed Ping Scan at 19:59, 0.20s elapsed (1 total hosts)
  554. Initiating Parallel DNS resolution of 1 host. at 20:02
  555. Completed Parallel DNS resolution of 1 host. at 20:02, 0.01s elapsed
  556. Initiating SYN Stealth Scan at 20:02
  557. Scanning 174.138.2.190 [1 port]
  558. Completed SYN Stealth Scan at 20:02, 0.20s elapsed (1 total ports)
  559. Initiating OS detection (try #1) against 174.138.2.190
  560. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds. Ignoring time.
  561. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds. Ignoring time.
  562. Retrying OS detection (try #2) against 174.138.2.190
  563. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds. Ignoring time.
  564. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds. Ignoring time.
  565. WARNING: OS didn't match until try #2
  566. Nmap scan report for 174.138.2.190
  567. Host is up (0.00041s latency).
  568. PORT STATE SERVICE
  569. 1234/tcp open unknown
  570. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  571. Device type: switch|general purpose|media device
  572. Running: Cisco CatOS 7.X|8.X, HP Tru64 UNIX 5.X, Vantage embedded
  573. OS CPE: cpe:/h:cisco:catalyst_ws-c6506 cpe:/o:cisco:catos:7.6 cpe:/o:cisco:catos:8.3 cpe:/o:hp:tru64:5.1a cpe:/h:vantage:hd7100s
  574. OS details: Cisco Catalyst WS-C6506 switch (CatOS 7.6(16)), Cisco Catalyst switch (CatOS 8.3(2)), HP Tru64 UNIX 5.1A, Vantage HD7100S satellite receiver
  575. Read data files from: /usr/bin/../share/nmap
  576. OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  577. Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds
  578. Raw packets sent: 44 (6.312KB) | Rcvd: 18 (1.820KB)
  579. ```
  580. If SSH server uses the default input port 22, the following is likely to be presented in output of 'nmap' command (unless you've defined a particular port to be scanned in your 'nmap' command, like port 1234):
  581. ```
  582. PORT STATE SERVICE
  583. 22/tcp filtered ssh
  584. ```
  585. Corresponding log entries of targeted SSH server during the nmap scanning (/var/log/auth.log):
  586. ```
  587. Feb 19 18:02:46 goauldhost sshd[30057]: Connection from XXX.XXX.XXX.XXX port 6967 on 174.138.2.190 port 1234
  588. Feb 19 18:02:46 goauldhost sshd[30057]: Did not receive identification string from XXX.XXX.XXX.XXX
  589. Feb 19 18:02:46 goauldhost sshd[30058]: Connection from XXX.XXX.XXX.XXX port 52205 on 174.138.2.190 port 1234
  590. Feb 19 18:02:46 goauldhost sshd[30058]: Did not receive identification string from XXX.XXX.XXX.XXX
  591. Feb 19 18:02:47 goauldhost sshd[30059]: Connection from XXX.XXX.XXX.XXX port 25326 on 174.138.2.190 port 1234
  592. Feb 19 18:02:47 goauldhost sshd[30059]: Did not receive identification string from XXX.XXX.XXX.XXX
  593. Feb 19 18:02:47 goauldhost sshd[30060]: Connection from XXX.XXX.XXX.XXX port 32812 on 174.138.2.190 port 1234
  594. Feb 19 18:02:47 goauldhost sshd[30060]: Did not receive identification string from XXX.XXX.XXX.XXX
  595. Feb 19 18:02:47 goauldhost sshd[30061]: Connection from XXX.XXX.XXX.XXX port 17024 on 174.138.2.190 port 1234
  596. Feb 19 18:02:47 goauldhost sshd[30061]: Did not receive identification string from XXX.XXX.XXX.XXX
  597. Feb 19 18:02:47 goauldhost sshd[30062]: Connection from XXX.XXX.XXX.XXX port 53268 on 174.138.2.190 port 1234
  598. Feb 19 18:02:47 goauldhost sshd[30062]: Did not receive identification string from XXX.XXX.XXX.XXX
  599. Feb 19 18:02:47 goauldhost sshd[30063]: Connection from XXX.XXX.XXX.XXX port 34923 on 174.138.2.190 port 1234
  600. Feb 19 18:02:47 goauldhost sshd[30063]: Did not receive identification string from XXX.XXX.XXX.XXX
  601. Feb 19 18:02:47 goauldhost sshd[30064]: Connection from XXX.XXX.XXX.XXX port 14489 on 174.138.2.190 port 1234
  602. Feb 19 18:02:47 goauldhost sshd[30064]: Did not receive identification string from XXX.XXX.XXX.XXX
  603. Feb 19 18:02:47 goauldhost sshd[30065]: Connection from XXX.XXX.XXX.XXX port 40086 on 174.138.2.190 port 1234
  604. Feb 19 18:02:47 goauldhost sshd[30065]: Did not receive identification string from XXX.XXX.XXX.XXX
  605. Feb 19 18:02:47 goauldhost sshd[30066]: Connection from XXX.XXX.XXX.XXX port 38147 on 174.138.2.190 port 1234
  606. Feb 19 18:02:47 goauldhost sshd[30066]: Did not receive identification string from XXX.XXX.XXX.XXX
  607. Feb 19 18:02:48 goauldhost sshd[30067]: Connection from XXX.XXX.XXX.XXX port 49215 on 174.138.2.190 port 1234
  608. Feb 19 18:02:48 goauldhost sshd[30067]: Did not receive identification string from XXX.XXX.XXX.XXX
  609. Feb 19 18:02:48 goauldhost sshd[30068]: Connection from XXX.XXX.XXX.XXX port 34445 on 174.138.2.190 port 1234
  610. Feb 19 18:02:48 goauldhost sshd[30068]: Did not receive identification string from XXX.XXX.XXX.XXX
  611. Feb 19 18:02:48 goauldhost sshd[30069]: Connection from XXX.XXX.XXX.XXX port 4600 on 174.138.2.190 port 1234
  612. Feb 19 18:02:48 goauldhost sshd[30069]: Did not receive identification string from XXX.XXX.XXX.XXX
  613. Feb 19 18:02:48 goauldhost sshd[30070]: Connection from XXX.XXX.XXX.XXX port 59405 on 174.138.2.190 port 1234
  614. Feb 19 18:02:48 goauldhost sshd[30070]: Did not receive identification string from XXX.XXX.XXX.XXX
  615. Feb 19 18:02:48 goauldhost sshd[30071]: Connection from XXX.XXX.XXX.XXX port 7848 on 174.138.2.190 port 1234
  616. Feb 19 18:02:48 goauldhost sshd[30071]: Did not receive identification string from XXX.XXX.XXX.XXX
  617. Feb 19 18:02:49 goauldhost sshd[30072]: Connection from XXX.XXX.XXX.XXX port 5206 on 174.138.2.190 port 1234
  618. Feb 19 18:02:49 goauldhost sshd[30072]: Did not receive identification string from XXX.XXX.XXX.XXX
  619. Feb 19 18:02:50 goauldhost sshd[30073]: Connection from XXX.XXX.XXX.XXX port 5517 on 174.138.2.190 port 1234
  620. Feb 19 18:02:50 goauldhost sshd[30073]: Did not receive identification string from XXX.XXX.XXX.XXX
  621. Feb 19 18:02:50 goauldhost sshd[30074]: Connection from XXX.XXX.XXX.XXX port 3970 on 174.138.2.190 port 1234
  622. Feb 19 18:02:50 goauldhost sshd[30074]: Did not receive identification string from XXX.XXX.XXX.XXX
  623. Feb 19 18:02:50 goauldhost sshd[30075]: Connection from XXX.XXX.XXX.XXX port 38690 on 174.138.2.190 port 1234
  624. Feb 19 18:02:50 goauldhost sshd[30075]: Did not receive identification string from XXX.XXX.XXX.XXX
  625. Feb 19 18:02:50 goauldhost sshd[30076]: Connection from XXX.XXX.XXX.XXX port 50572 on 174.138.2.190 port 1234
  626. Feb 19 18:02:50 goauldhost sshd[30076]: Did not receive identification string from XXX.XXX.XXX.XXX
  627. Feb 19 18:02:50 goauldhost sshd[30077]: Connection from XXX.XXX.XXX.XXX port 27830 on 174.138.2.190 port 1234
  628. Feb 19 18:02:50 goauldhost sshd[30077]: Did not receive identification string from XXX.XXX.XXX.XXX
  629. Feb 19 18:02:50 goauldhost sshd[30078]: Connection from XXX.XXX.XXX.XXX port 49371 on 174.138.2.190 port 1234
  630. Feb 19 18:02:50 goauldhost sshd[30078]: Did not receive identification string from XXX.XXX.XXX.XXX
  631. Feb 19 18:02:51 goauldhost sshd[30079]: Connection from XXX.XXX.XXX.XXX port 36802 on 174.138.2.190 port 1234
  632. Feb 19 18:02:51 goauldhost sshd[30079]: Did not receive identification string from XXX.XXX.XXX.XXX
  633. Feb 19 18:02:51 goauldhost sshd[30080]: Connection from XXX.XXX.XXX.XXX port 50546 on 174.138.2.190 port 1234
  634. Feb 19 18:02:51 goauldhost sshd[30080]: Did not receive identification string from XXX.XXX.XXX.XXX
  635. Feb 19 18:02:51 goauldhost sshd[30081]: Connection from XXX.XXX.XXX.XXX port 43542 on 174.138.2.190 port 1234
  636. Feb 19 18:02:51 goauldhost sshd[30081]: Did not receive identification string from XXX.XXX.XXX.XXX
  637. Feb 19 18:02:51 goauldhost sshd[30082]: Connection from XXX.XXX.XXX.XXX port 56108 on 174.138.2.190 port 1234
  638. Feb 19 18:02:51 goauldhost sshd[30082]: Did not receive identification string from XXX.XXX.XXX.XXX
  639. Feb 19 18:02:51 goauldhost sshd[30083]: Connection from XXX.XXX.XXX.XXX port 6399 on 174.138.2.190 port 1234
  640. Feb 19 18:02:51 goauldhost sshd[30083]: Did not receive identification string from XXX.XXX.XXX.XXX
  641. Feb 19 18:02:51 goauldhost sshd[30084]: Connection from XXX.XXX.XXX.XXX port 55980 on 174.138.2.190 port 1234
  642. Feb 19 18:02:51 goauldhost sshd[30084]: Did not receive identification string from XXX.XXX.XXX.XXX
  643. Feb 19 18:02:51 goauldhost sshd[30085]: Connection from XXX.XXX.XXX.XXX port 12713 on 174.138.2.190 port 1234
  644. Feb 19 18:02:51 goauldhost sshd[30085]: Did not receive identification string from XXX.XXX.XXX.XXX
  645. Feb 19 18:02:51 goauldhost sshd[30086]: Connection from XXX.XXX.XXX.XXX port 5026 on 174.138.2.190 port 1234
  646. Feb 19 18:02:51 goauldhost sshd[30086]: Did not receive identification string from XXX.XXX.XXX.XXX
  647. ```
  648. The server computer has logged invalid nmap connection requests. In this case, we have defined the known SSH connection port number 1234 in our 'nmap' command on the client computer (which is INPUT port at the server end, OUTPUT port at the client end).
  649. You may check suggested countermeasures against port scanners on [Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/345114/how-to-protect-against-port-scanners/407904#407904). Does these measures interfere negatively to other network traffic in busy server environments? This depends on which ports (read: server daemon programs/services) are targets of your countermeasures.
  650. Another 'nmap' command shows us the following:
  651. ```
  652. phelenius@my-machine:~$ sudo nmap 174.138.2.190 -sV
  653. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-20 14:50 EET
  654. Nmap scan report for 174.138.2.190
  655. Host is up (0.33s latency).
  656. Not shown: 998 filtered ports
  657. PORT STATE SERVICE VERSION
  658. 1234/tcp open ssh OpenSSH 7.6 (protocol 2.0)
  659. 80/tcp open http
  660. ...
  661. ```
  662. ... which reveals the actual service behind our new-defined port 1234/tcp to an attacker. In addition, the attacker can get more information about the server system, especially on Debian-based Linux distributions. For example:
  663. ```
  664. ...
  665. PORT STATE SERVICE VERSION
  666. 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
  667. ...
  668. ```
  669. This information can be hidden by adding line _DebianBanner no_ in '/etc/ssh/sshd_config' on Debian-based Linux systems and restarting the SSH server daemon with command 'sudo systemctl restart sshd.service'
  670. **NOTE!** Port scanning does not leave any log traces behind in Apache's access.log file ('/var/log/apache/access.log')!
  671. Check also
  672. - [MyPapit GNU/Linux - How to Hide OpenSSH Ubuntu version from Nmap and other scanners](https://blog.mypapit.net/2015/08/how-to-hide-openssh-ubuntu-release-from-nmap-and-other-scanners.html)
  673. - [serverfault.com - How to hide web server name and openssh version on linux when scanning server ports?](https://serverfault.com/questions/81690/how-to-hide-web-server-name-and-openssh-version-on-linux-when-scanning-server-po/81697#81697)
  674. - [Unix & Linux Stack Exchange - Change SSH banner which is grabbed by netcat](https://unix.stackexchange.com/questions/269024/change-ssh-banner-which-is-grabbed-by-netcat/269027#269027)
  675. - [GitHub - metacloud/openssh - Include the Debian version in our identification](https://github.com/metacloud/openssh/blob/master/debian/patches/package-versioning.patch)
  676. ------------------------------------------------
  677. **EXTRA - Using Port Knocking technique against port scanning**
  678. Nmap requests are targeted to layer 3 (Network Layer) in OSI model. Additional security measures can be taken by applying [Port Knocking login techniques](https://wiki.archlinux.org/index.php/Port_knocking) on the server computer.
  679. **WARNING!** The following 'Knockd daemon' may break easily. Thus it can not be recommended for critical or rapidly updating server environments. For instance, dhcpcd version 7 or above breaks knockd daemon. Many users have had problems to start the daemon service during server boot-up process. Knockd assumes that you have a preconfigured network interface with established network connection (this is not 100% valid information but this is my best guess).
  680. [DigitalOcean, "Port Knocking" - Ubuntu, knockd](https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu):
  681. Dynamic firewall rules are manually applied to the server (iptables, for instance) or separate daemon process ([for instance, knockd](http://www.zeroflux.org/projects/knock)) is set up on the server computer. Daemon process is used to open a pre-defined port only if a client program has knocked correct server port numbers in right order and using correct protocol, either TCP or UDP, and this all has been done in predefined time limit. Additionally, limited timeout for user log-in can be set. For example, a correctly authenticated user must log in in 10 seconds ater Knock daemon has opened a SSH port for that time period. When the time limit is reached, Knock daemon closes the port for any further connection attempts unless the knock port sequence is re-applied.
  682. Knocking technique must be configured so that firewall does not close already established connections (like SSH in our case), but refuses any further connection attempts so that the port can not be detected with nmap port scanning techniques after the time limit has been reached.
  683. [DigitalOcean, "Port Knocking" - FWKnop - Single packet authentication](https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04):
  684. Some more or less secure implementations for port knocking exist. Various encryption methods can be applied to the knocking technique, making it more difficult for an attacker to sniff network packets between a server and a client. One solution using encyption methods is [fwknop](http://www.cipherdyne.org/fwknop/) which uses _Single Packet Authorization_ (SPA) method instead of insecure port sequences.
  685. More about Port Knocking technique:
  686. - [Improved Port Knocking with Strong Authentication - Rennie deGraaf, John Aycock, and Michael Jacobson, Jr.∗ (Department of Computer Science - University of Calgary)](https://www.acsac.org/2005/papers/156.pdf)
  687. - [OpenWRT website](https://wiki.openwrt.org/doc/howto/portknock.server)
  688. - [portknocking.org](http://www.portknocking.org/) and practical solutions on [Implementations sub-page](http://www.portknocking.org/view/implementations)
  689. - [Information Security Stack Exchange - Port Knocking is it a good idea?](https://security.stackexchange.com/questions/1194/port-knocking-is-it-a-good-idea/1196#1196)
  690. **NOTE!** Port Knocking technique must not be applied to block ports of server daemon processes which are required to be always reachable from a client program (take Apache server for example). For SSH which does not require 24/7 connection, port knocking techniques can be applied more reliably. In addition to public key, password and PAM authentication methods, port knocking adds one more security layer to the stack. However, you must not apply these security countermeasures individually but use them together, instead. **The goal is to make it more difficult for an attacker to penetrate your network security.**
  691. ------------------------------------------------
  692. **EXTRA - ARP Scan and spoofing your MAC address**
  693. Program [arp-scan](https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/) can be used in limited scale to scan a MAC address (OSI model layer 2, Data Link Layer) in a network.
  694. Unique MAC address of a network interface (network card) can programmatically be spoofed with [these Arch Wiki instructions](https://wiki.archlinux.org/index.php/MAC_address_spoofing#Method_1:_systemd-networkd) or with my [Spoof MAC Address shell script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/spoof_mac_address.sh).
  695. Sample results of ARP Scan.
  696. BEFORE:
  697. ```
  698. [20/02/2018 18:52:35 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  699. [sudo] password for fincer:
  700. Interface: wlan0, datalink type: EN10MB (Ethernet)
  701. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  702. A.B.C.D f4:0e:22:ad:b8:7d (Unknown)
  703. 1.2.3.4 18:a9:05:4b:61:58 Hewlett-Packard Company
  704. ```
  705. AFTER - IP-osoitteessa 1.2.3.4 olevan palvelinkoneen MAC-osoite muutettu:
  706. ```
  707. [20/02/2018 18:54:28 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  708. Interface: wlan0, datalink type: EN10MB (Ethernet)
  709. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  710. A.B.C.D f4:0e:22:ad:b8:7d (Unknown)
  711. 1.2.3.4 aa:0c:9a:fa:7b:d4 (Unknown)
  712. ```
  713. The following warning messages may be expected after spoofing a MAC address and when you establish SSH connection from a local computer to your server:
  714. ```
  715. Warning: Permanently added the ECDSA host key for IP address '[1.2.3.4]:22' to the list of known hosts.
  716. ```
  717. **f)** (optional) Allow SSH login only for users in group 'sshers'. Add your account to this group.
  718. --------------
  719. **Answer:**
  720. 1. Log in to the server computer ('ssh username@server-ip -p <ssh-port>')
  721. 2. Add group 'sshers' with GID number 876 (you don't have to define GID here)
  722. ```
  723. sudo groupadd -g 876 sshers
  724. ```
  725. 3. You can confirm existence of the created group with command 'grep sshers /etc/group'. Output:
  726. ```
  727. sshers:x:876:
  728. ```
  729. 4. Add the current user (read: yourself) _newuser_ into this group
  730. ```
  731. sudo usermod -aG sshers newuser
  732. ```
  733. 5. Command 'grep sshers /etc/group' output now:
  734. ```
  735. sshers:x:876:newuser
  736. ```
  737. You can alternatively check groups of _newuser_ by executing command 'groups' while being that user:
  738. ```
  739. [27/02/2018 10:39:58 - newuser@goauldhost: ~ ]$ groups
  740. sshers newuser sudo
  741. ```
  742. or using command 'sudo -u newuser groups" as any system user who can execute commands with sudo.
  743. **NOTE!** _groups_ -komento antaa oikean stdout:n (outputin) vasta uudelleenkirjautumisen jälkeen.
  744. command 'groups' gives correct output only after re-login.
  745. 6. Allow SSH login only to members of the group 'sshers'.
  746. Manual page of 'sshd_config' ('man sshd_config') describes 'AllowGroups' option as follows:
  747. > AllowGroups
  748. > This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
  749. Let's apply the following information into SSH server daemon configuration file '/etc/ssh/sshd_config':
  750. ```
  751. PermitRootLogin no
  752. AllowGroups sshers
  753. ```
  754. And comment out the following lines (be careful here!):
  755. ```
  756. # DenyUsers <user accounts>
  757. # AllowUsers <user accounts>
  758. # DenyGroups <group names>
  759. ```
  760. If those lines are not defined in the configuration file, it is OK.
  761. You can add multiple groups and users after those keywords, as you like.
  762. For additional security, the following options can be applied as well (into '/etc/ssh/sshd_config' file), depending on your requests for SSH authentication policy:
  763. ```
  764. IgnoreRhosts yes
  765. PermitEmptyPasswords no
  766. ChallengeResponseAuthentication yes
  767. UsePAM yes
  768. MaxAuthTries 3
  769. ```
  770. etc. More options and configurations can be found with commands 'man sshd_config' and 'man sshd'
  771. 7. Let's save this configuration and restart SSH server daemon by applying command 'sudo systemctl restart sshd.service' (NOTE! Disconnects already-established SSH connections!)
  772. 8. Test SSH login with a client computer using remote user _newuser_ (belonging to the remote group 'sshers'). Command syntax is: 'ssh newuser@server-ip -p <server-port>'
  773. **g)** (optional) Attach a remote network directory with sshfs.
  774. --------------
  775. **Answer:**
  776. SSHFS stands for SSH File System. Corresponding program 'sshfs' has been developed to attach SSH server file systems (folders/files) remotely on a client computer so that all attached file systems can locally be browsed on the client computer. SSHFS uses encrypted SFTP protocol (SSH/Secure File Transfer Protocol) for file tranfers.
  777. 1. Install 'sshfs' with command sequence 'sudo apt-get update && sudo apt-get -y install sshfs' on a Debian-based Linux system.
  778. 2. Mount remote folder '/home/newuser/public_html/' (server), to path '/home/<current-user>/public_html_ssh_remote' on your client computer.
  779. ```
  780. mkdir $HOME/public_html_ssh_remote && sshfs newuser@174.138.2.190:./public_html $HOME/public_html_ssh_remote -p <ssh-portti>
  781. ```
  782. **NOTE!** If you use public key SSH authentication method, you are not asked for any password.
  783. 3. Check that you have successfully mounted your remote server folder '/home/newuser/public_html' to the client computer (command 'ls ~/public_html_ssh_remote/'). Output should be as follows:
  784. ```
  785. index.html
  786. ```
  787. Additionally, check output of command 'mount | grep public_html_ssh_remote':
  788. ```
  789. newuser@174.138.2.190:./public_html on /home/phelenius/public_html_ssh_remote type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
  790. ```
  791. 4. Unmount the remote folder by issuing command 'sudo umount /home/phelenius/public_html_ssh_remote'. On the client end, 'ls' command should have empty output for directory 'public_html_ssh_remote'.
  792. Executable root binary file (sbin) is _/usr/sbin/sshd_ with command parameter _-D_ (Process Identifier/Process ID/PID is 1534).
  793. **NOTE!** The following is stated about _-D_ parameter in sshd manual:
  794. ```
  795. phelenius@my-machine:~$ man sshd | grep -E "\-D" -C1
  796. -D When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.
  797. ```
  798. _-D_ parameter definition by [SSH Communications Security](https://www.ssh.com/ssh/sshd/):
  799. > -D Do not detach and become daemon. This is often used when sshd is run using systemd. This allows easier monitoring of the process in such environments. Without this option, the SSH server forks and detaches from terminal, making itself a background daemon process. The latter has been the traditional way to run the SSH server until recently. Many embedded systems would still use the latter.
  800. About relevance of the _-D_ parameter has been discussed, for example, on [superuser.com (Differences between ssh -L to -D](https://superuser.com/questions/408031/differences-between-ssh-l-to-d).
  801. **b)** Establish a firewall protection to the server computer (Note: allow SSH traffic before that)
  802. --------------
  803. **Answer:**
  804. The firewall protection is done by using Linux kernel ip_table module(s). Firewall rules can be modified in User Space with the corresponding iptables command or with the simplified Python 3 based program/script 'Uncomplicated Firewall' (ufw). Other firewall solutions also exists on Linux, please see title 'Other firewall solutions' below.
  805. We can check which loadable kernel modules have been enabled in Linux kernel with the kernel-related lsmod command.
  806. ```
  807. phelenius@my-machine:~$ man lsmod | sed -n '/NAME/{n;p}' | sed 's/\s*//'
  808. lsmod - Show the status of modules in the Linux Kernel
  809. ...
  810. phelenius@my-machine:~$ lsmod |grep filter
  811. ip6table_filter 16384 1
  812. ip6_tables 28672 1 ip6table_filter
  813. iptable_filter 16384 1
  814. ip_tables 24576 1 iptable_filter
  815. x_tables 36864 14 ip6table_filter,xt_hl,xt_recent,ip_tables,xt_tcpudp,xt_limit,xt_conntrack,xt_LOG,iptable_filter,ip6t_rt,ipt_REJECT,ip6_tables,xt_addrtype,ip6t_REJECT
  816. ```
  817. Source codes of these modules can be found on git.kernel.org: [ipv6 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter), [ipv6 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter.c), [ipv4 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter), [ipv4 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter.c)
  818. By default, Uncomplicated Firewall (ufw) is usually pre-installed on many Linux distributions, including Debian-based systems. Let's confirm that:
  819. ```
  820. phelenius@my-machine:~$ if [[ $(dpkg --get-selections |grep ufw | awk '{print $1}' | wc -l) -eq 0 ]]; then sudo apt-get update && sudo apt-get -y install ufw && echo "REPLY: UFW is installed now"; else echo "REPLY: UFW has already been installed"; fi
  821. REPLY: UFW has already been installed
  822. ```
  823. Therefore ufw firewall is installed. Otherwise it would be installed on the system with _apt-get install_ command.
  824. By default, the Linux firewall blocks SSH input traffic (default port 22). This input port can be opened by applying the following ufw command:
  825. ```
  826. phelenius@my-machine:~$ sudo ufw allow 22/tcp
  827. ```
  828. or with the command (however, not specific port number is defined here):
  829. ```
  830. phelenius@my-machine:~$ sudo ufw allow ssh
  831. ```
  832. Afterwards, UFW can be re-enabled with the following command:
  833. ```
  834. phelenius@my-machine:~$ sudo ufw enable
  835. Command may disrupt existing ssh connections. Proceed with operation (y|n)?
  836. ```
  837. Your answer should be 'y' (yes). The firewall does not close (possibly already established) SSH connection because we have opened port 22 TCP input traffic. We get a notification, stating:
  838. ```
  839. Firewall is active and enabled on system startup
  840. ```
  841. The message is bit unclear, because according to some testing, the ufw firewall may still not be enabled on system boot. Automated start of ufw during system boot can foolproofly be enabled with:
  842. ```
  843. phelenius@my-machine:~$ sudo systemctl enable ufw.service
  844. Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service -> /usr/lib/systemd/system/ufw.service.
  845. ```
  846. Alternatively, the following message may appear:
  847. ```
  848. Synchronizing state of ufw.service with SysV init with /lib/systemd/systemd-sysv-install...
  849. Executing /lib/systemd/systemd-sysv-install enable ufw
  850. ```
  851. **iptables:**
  852. 1. Remove ufw from the Linux system, and remove all relevant ufw entries from iptables firewall rule list.
  853. **NOTE!** Warning: (May) delete other important iptables rules configured by system administration!
  854. **NOTE!** Be sure that you have direct access (local terminal, without network) to the target machine in a case of failure. Otherwise you may lock yourself out from the server.
  855. ```
  856. sudo systemctl stop ufw.service && sudo systemctl disable ufw.service
  857. sudo apt-get purge --remove ufw
  858. sudo iptables --flush && sudo iptables --delete-chains
  859. ```
  860. 2. Confirm deletion of ufw entries from iptables firewall rule list with
  861. ```
  862. sudo iptables -S
  863. ```
  864. Output should be:
  865. ```
  866. -P INPUT ACCEPT
  867. -P FORWARD ACCEPT
  868. -P OUTPUT ACCEPT
  869. ```
  870. 3. Add new firewall rules to iptables and keep already established connections open:
  871. ```
  872. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  873. ```
  874. 4. Drop all connections, excluding already established connections like SSH:
  875. ```
  876. sudo iptables -A INPUT -j DROP
  877. sudo iptables -A FORWARD -j DROP
  878. ```
  879. 5. Allow SSH traffic (port number: 22, protocol: tcp, etc.):
  880. ```
  881. sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
  882. ```
  883. **NOTE!** This applies only to IPv4 connections. For IPv6, check [iptables6](https://www.linux.com/learn/intro-to-linux/2017/8/iptables-rules-ipv6).
  884. **NOTE!** The forementioned command can be written so that connections only from a single IP is allowed, by using eth0 network interface. For example:
  885. ```
  886. sudo iptables -I INPUT -p tcp -i eth0 -s 231.123.24.24 --dport 22 -j ACCEPT
  887. ```
  888. **NOTE:** Be sure you have enabled 'net.ifnames=0' in your udev rules to get network interface names like 'eth0', 'wlan0' etc.!
  889. More about setting iptables firewall rules, take a look on [DigitalOcean website](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) and [iptables - Append vs. Insert - website](https://serverfault.com/questions/472258/difference-between-iptables-a-and-i-option), for example.
  890. 6. Confirm proper iptables firewall rules with 'sudo iptables -S' command:
  891. ```
  892. -P INPUT ACCEPT
  893. -P FORWARD ACCEPT
  894. -P OUTPUT ACCEPT
  895. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  896. -A INPUT -j DROP
  897. -A FORWARD -j DROP
  898. -I INPUT -p tcp --dport 22 -j ACCEPT
  899. ```
  900. 7. Save the rules so that they won't be lost after rebooting:
  901. ```
  902. sudo iptables-save | sudo tee /etc/iptables/iptables.save > /dev/null
  903. cat /etc/iptables/iptables.save
  904. ```
  905. 8. Apply and enable the rules. You can restart iptables service (Packet Filtering Framework) if you prefer to do so:
  906. ```
  907. sudo iptables-restore && sudo systemctl restart iptables.service
  908. ```
  909. 9. Confirm the current iptables firewall rules with the command 'sudo iptables -S'.
  910. More about iptables:
  911. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, SSH service](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#service-ssh)
  912. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, Saving rules](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#saving-rules).
  913. - [The Geek Stuff - 25 Most Frequently Used Linux IPTables Rules Examples](https://www.thegeekstuff.com/2011/06/iptables-rules-examples)
  914. **Other firewall solutions:**
  915. In addition to ufw, other iptables-based firewall solutions have been developed on Linux. Take a look on [Firestarter](http://www.fs-security.com/), [Firewalld](https://fedoraproject.org/wiki/Firewalld?rd=FirewallD), [PeerGuardian](https://sourceforge.net/projects/peerguardian/?source=navbar), [FWBuilder](http://www.fwbuilder.org/), etc.
  916. ------------------------------------------------
  917. **EXTRA - root account: more restrictions**
  918. In addition to previous root restrictions, the following extra restrictions were applied, too:
  919. - root default shell were changed to _/sbin/nologin_ in file _/etc/passwd_
  920. - root account were locked by applying command _sudo usermod root --lock_ (this was done already, it sets up an exclamation mark prefix to the root account password in file _/etc/shadow_
  921. - root access removal of TTY sessions by commenting out relevant lines in file _/etc/securetty_
  922. - SSH: setting _PermitRootLogin no_ were applied in SSH server configuration file _/etc/ssh/sshd_config_
  923. PAM configuration files (Pluggable Authentitation Modules) were not altered in _/etc/pam.d/_ although security can be improved by applying some special system-spefific authentication rules there. PAM rules can restrict root permissions as well, including executable daemon processes and commands (i.e. you can restrict even root execution rights in the target system, in contradiction what is usually told for new Linux users that "root can do anything". With PAM, you can restrict that "anything" privilege.)
  924. Reference: [Red Hat - 4.4.2. Disallowing Root Access](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html)
  925. **c)** Transfer files using SSH protocol
  926. --------------
  927. **Answer:**
  928. Let's use [Secure Copy (scp)](https://en.wikipedia.org/wiki/Secure_copy) command for file transfers.
  929. The assignment has been done in the following command sequence. The following steps are executed:
  930. 1. Create new subdirectory _httpd_ into the current user's home directory on the local computer
  931. 2. Download related control, description and patch files of debian package of Apache web server, version _2.4.18-2ubuntu3.5_ from archive.ubuntu.com ([packages.ubuntu.com](https://packages.ubuntu.com/xenial/apache2)). Target directory for the download is the recently created subdirectory _httpd_
  932. 3. Extract the downloaded archive files into $HOME/httpd. Subdirectory _debian_ will be created in _httpd_ directory.
  933. 4. Establish a new SSH connection to the server computer with server user _newuser_, use port 1234 and create directory _$HOME/patches_ for this user.
  934. 5. Transfer all local files (and directories) which 1) start with any character 2) end with suffix _diff_ and _patch_ 3) locate at the current user's _./httpd/debian/patches/_ subdirectory
  935. to the directory _$HOME/patches_ located at the server computer (where $HOME=/home/newuser/). SSH connection port is 1234. Use command scp.
  936. For more information about patches, check [1](https://stackoverflow.com/questions/987372/what-is-the-format-of-a-patch-file), [2](https://www.thegeekstuff.com/2014/12/patch-command-examples))
  937. 6. List contents of the remote subdirectory _$HOME/patches_ with SSH connection, use port 1234..
  938. 7. Delete current user's local subdirectory _httpd_ and its contents. _-R_ or _-r_ stands for recursive deletion, _-f_ stands for forceful removal. Remote files in the server computer's directory _/home/newuser/patches/_ will be kept intact.
  939. ```
  940. [20/02/2018 13:24:40 - fincer: ~ ]$ mkdir httpd
  941. [20/02/2018 13:24:54 - fincer: ~ ]$ wget http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz -P httpd
  942. --2018-02-20 13:25:13-- http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz
  943. Resolving archive.ubuntu.com... 2001:67c:1560:8001::11, 2001:67c:1360:8001::17, 2001:67c:1560:8001::14, ...
  944. Connecting to archive.ubuntu.com|2001:67c:1560:8001::11|:80... connected.
  945. HTTP request sent, awaiting response... 200 OK
  946. Length: 387448 (378K) [application/x-xz]
  947. Saving to: ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’
  948. apache2_2.4.18-2ubuntu3.5.debian.tar.xz 100%[==================================================================================>] 378.37K 450KB/s in 0.8s
  949. 2018-02-20 13:25:15 (450 KB/s) - ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’ saved [387448/387448]
  950. [20/02/2018 13:25:15 - fincer: ~ ]$ tar xf apache2_2.4.18-2ubuntu3.5.debian.tar.xz -C httpd
  951. [20/02/2018 13:25:35 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 mkdir patches
  952. newuser@174.138.2.190's password:
  953. [20/02/2018 13:26:12 - fincer: ~ ]$ scp -P 1234 ./httpd/debian/patches/*.{diff,patch} newuser@174.138.2.190:./patches/
  954. newuser@174.138.2.190's password:
  955. hostnames_with_underscores.diff 100% 479 114.6KB/s 00:00
  956. reproducible_builds.diff 100% 1710 427.2KB/s 00:00
  957. build_suexec-custom.patch 100% 1981 473.6KB/s 00:00
  958. customize_apxs.patch 100% 9316 888.9KB/s 00:00
  959. CVE-2016-0736.patch 100% 12KB 867.4KB/s 00:00
  960. CVE-2016-2161.patch 100% 4787 493.1KB/s 00:00
  961. CVE-2016-5387.patch 100% 666 287.9KB/s 00:00
  962. CVE-2016-8743.patch 100% 80KB 1.0MB/s 00:00
  963. CVE-2017-3167.patch 100% 8922 698.9KB/s 00:00
  964. CVE-2017-3169.patch 100% 4663 458.1KB/s 00:00
  965. CVE-2017-7668.patch 100% 1746 482.5KB/s 00:00
  966. CVE-2017-7679.patch 100% 1925 527.4KB/s 00:00
  967. CVE-2017-9788.patch 100% 2252 582.1KB/s 00:00
  968. CVE-2017-9798.patch 100% 1172 381.3KB/s 00:00
  969. fhs_compliance.patch 100% 2541 635.6KB/s 00:00
  970. no_LD_LIBRARY_PATH.patch 100% 444 199.8KB/s 00:00
  971. prefork_single_process_crash.patch 100% 773 359.0KB/s 00:00
  972. suexec-custom.patch 100% 5785 792.4KB/s 00:00
  973. suexec-CVE-2007-1742.patch 100% 2356 589.3KB/s 00:00
  974. suexec_is_shared.patch 100% 622 194.1KB/s 00:00
  975. [20/02/2018 13:28:03 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 ls -l ./patches
  976. newuser@174.138.2.190's password:
  977. total 196
  978. -rw-r--r-- 1 newuser newuser 12446 Feb 20 11:38 CVE-2016-0736.patch
  979. -rw-r--r-- 1 newuser newuser 4787 Feb 20 11:38 CVE-2016-2161.patch
  980. -rw-r--r-- 1 newuser newuser 666 Feb 20 11:38 CVE-2016-5387.patch
  981. -rw-r--r-- 1 newuser newuser 81900 Feb 20 11:38 CVE-2016-8743.patch
  982. -rw-r--r-- 1 newuser newuser 8922 Feb 20 11:38 CVE-2017-3167.patch
  983. -rw-r--r-- 1 newuser newuser 4663 Feb 20 11:38 CVE-2017-3169.patch
  984. -rw-r--r-- 1 newuser newuser 1746 Feb 20 11:38 CVE-2017-7668.patch
  985. -rw-r--r-- 1 newuser newuser 1925 Feb 20 11:38 CVE-2017-7679.patch
  986. -rw-r--r-- 1 newuser newuser 2252 Feb 20 11:38 CVE-2017-9788.patch
  987. -rw-r--r-- 1 newuser newuser 1172 Feb 20 11:38 CVE-2017-9798.patch
  988. -rw-r--r-- 1 newuser newuser 1981 Feb 20 11:38 build_suexec-custom.patch
  989. -rw-r--r-- 1 newuser newuser 9316 Feb 20 11:38 customize_apxs.patch
  990. -rw-r--r-- 1 newuser newuser 2541 Feb 20 11:38 fhs_compliance.patch
  991. -rw-r--r-- 1 newuser newuser 479 Feb 20 11:38 hostnames_with_underscores.diff
  992. -rw-r--r-- 1 newuser newuser 444 Feb 20 11:38 no_LD_LIBRARY_PATH.patch
  993. -rw-r--r-- 1 newuser newuser 773 Feb 20 11:38 prefork_single_process_crash.patch
  994. -rw-r--r-- 1 newuser newuser 1710 Feb 20 11:38 reproducible_builds.diff
  995. -rw-r--r-- 1 newuser newuser 2356 Feb 20 11:38 suexec-CVE-2007-1742.patch
  996. -rw-r--r-- 1 newuser newuser 5785 Feb 20 11:38 suexec-custom.patch
  997. -rw-r--r-- 1 newuser newuser 622 Feb 20 11:38 suexec_is_shared.patch
  998. [20/02/2018 13:32:01 - fincer: ~ ]$ rm -Rf httpd
  999. ```
  1000. **d)** Automate SSH login with public key method
  1001. --------------
  1002. **Answer:**
  1003. 1. Let's generate a key pair on the client computer with a user who is wanted to have the public key authentication method for SSH connections. Both private and public keys are generated with 'ssh-keygen' command. Accept the default settings unless you have any requirements to customize them.
  1004. 2. Copy the _public_ key to the server computer with your SSH client using command 'ssh-copy-id -i $HOME/.ssh/id_rsa.pub username@server-ip-or-name'. The command copies your public key to the subdirectory *.ssh/authorized_keys* located at the server computer.
  1005. **NOTE!** Copy public key only, do **NOT** copy the private key!
  1006. More about the topic:
  1007. [ssh.com - Key Pair - Public and Private](https://www.ssh.com/ssh/public-key-authentication#sec-Key-Pair-Public-and-Private)
  1008. 3. Let confirm that SSH server daemon configuration file (_/etc/ssh/sshd_config_ by default) has the following settings in place (either use 'sudo nano _/etc/ssh/sshd_config_' or 'sudoedit _/etc/ssh/sshd_config_'):
  1009. ```
  1010. AuthenticationMethods publickey
  1011. PubkeyAuthentication yes
  1012. AuthorizedKeysFile .ssh/authorized_keys
  1013. ```
  1014. **Extra hint 1:** SSH client settings are generally defined in _/etc/ssh/ssh_config_
  1015. **Extra hint 2:** You can use ssh command with _-v_ parameter to gain more information about used authentication methods in unclear cases or for debugging purposes. The _-v_ parameter is defined as follows:
  1016. > -v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity. The maximum is 3.
  1017. 4. We shall restart server SSH daemon with _sudo systemctl restart sshd.service_ command (note! this interrupts any existing & opened SSH connections)
  1018. 5. We shall test public key authentication from the client computer. Use same user account which you previously used for executing _ssh-keygen_ command on the client computer. The client computer user should be able to login into SSH server without a password.
  1019. **EXTRA: Modifying welcome banner**
  1020. Let's modify default Ubuntu login/SSH banner message by executing the following bash script:
  1021. ```
  1022. #!/bin/bash
  1023. # Modify SSH login banner message
  1024. ## 00-header file:
  1025. #
  1026. sudo sed -i 's?printf "Welcome to %s (%s %s %s)\\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"?printf "Welcome to %s\\nUptime:
  1027. %s\\n\\n" "Server Computer" "$(uptime)"?' /etc/update-motd.d/00-header
  1028. ## File extensions of the following files will be modified
  1029. ## We could also remove these files with 'sudo rm <file>'
  1030. #
  1031. FILES=( 10-help-text 51-cloudguest 90-updates-available 91-release-upgrade )
  1032. cd /etc/update-motd.d/
  1033. for file in ${FILES[@]}; do sudo mv $file $file.old; done
  1034. cd
  1035. ```
  1036. **NOTE:** Location of the banner file varies between different Linux distributions. For instance, Arch Linux uses banner file _/etc_motd_.
  1037. **j)** Install, configure and start sysstat. Use sar command to confirm whether the sysstat package services have been enabled (for instance, log entry "Linux reboot..." exists). Run sysstat a day or two. Afterwards, check computer workload history with sysstat commands sar, iostat, pidstat etc. Analyze the results, i.e. explain the results in detail.
  1038. --------------
  1039. **Answer:**
  1040. 1. We shall connect to the server computer (running Ubuntu) and then install the required package with command sequence 'sudo apt-get update && sudo apt-get install -y install sysstat'
  1041. 2. Run [shell-based sysstat script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/sysstat_command.sh) which runs sar and pidstat commands two days with 20 second intervals.
  1042. **NOTE!** The script could have been opmitized more for the real requirements for the server environment (statistics interval, collection period, etc.)
  1043. 3. The script described in step 2 has generated sar analytics file 'sar-stats_2018-02-24_2018-02-26.file' into path '/home/newuser/sar_statistics/' on the server computer.
  1044. Time period: 24. - 26.02.2018
  1045. The following sums up some command samples which can be applied to the analytics file.
  1046. | File | Description |
  1047. |------------------------------------|-------------------------------------------------|
  1048. | sar -u -f <analytics-file> | Processor workload statistics |
  1049. | sar -v -f <analytics-file> | Inode and file statistics |
  1050. | sar -r -f <analytics-file> | Memory consumption statistics |
  1051. | sar -n DEV -f <analytics-file> | Network stats: devices |
  1052. | sar -n EDEV -f <analytics-file> | Network stats: errors in devices |
  1053. | sar -n IP -f <analytics-file> | Network stats: IPv4 traffic |
  1054. | sar -n EIP -f <analytics-file> | Network stats: errors in IPv4 traffic |
  1055. | sar -n IP6 -f <analytics-file> | Network stats: IPv6 traffic |
  1056. | sar -n EIP6 -f <analytics-file> | Network stats: errors in IPv6 traffic |
  1057. | sar -n SOCK -f <analytics-file> | Network stats: IPv4 socket |
  1058. | sar -n SOCK6 -f <analytics-file> | Network stats: IPv6 socket |
  1059. | sar -n TCP -f <analytics-file> | Network stats: TCPv4 protocol traffic |
  1060. | sar -n ETCP -f <analytics-file> | Network stats: errors in TCPv4 protocol traffic |
  1061. | sar -S -f <analytics-file> | Swap memory consumption |
  1062. | sar -w -f <analytics-file> | Process statistics |
  1063. | sar -F MOUNT / -f <analytics-file> | File system which is mounted at / |
  1064. Statistics can be combined etc, as you can find out with 'man sar' command:
  1065. ```
  1066. sar -u 2 5
  1067. Report CPU utilization for each 2 seconds. 5 lines are displayed.
  1068. sar -I 14 -o int14.file 2 10
  1069. Report statistics on IRQ 14 for each 2 seconds. 10 lines are displayed. Data are stored in a file called int14.file.
  1070. sar -r -n DEV -f /var/log/sysstat/sa16
  1071. Display memory and network statistics saved in daily data file 'sa16'.
  1072. sar -A
  1073. Display all the statistics saved in current daily data file.
  1074. ```
  1075. Or [The Geek Stuff - 10 Useful Sar (Sysstat) Examples for UNIX / Linux Performance Monitoring](https://www.thegeekstuff.com/2011/03/sar-examples/?utm_source=feedburner)
  1076. What are inode and swap? Check
  1077. - [inode - 1](https://www.cyberciti.biz/tips/understanding-unixlinux-filesystem-inodes.html)
  1078. - [inode - 2](https://unix.stackexchange.com/questions/117093/find-where-inodes-are-being-used)
  1079. - [Swap](https://wiki.archlinux.org/index.php/swap).
  1080. Additionally, the following pidstat files were generated:
  1081. | File | Description |
  1082. |----------------------------|------------------------------------|
  1083. | pidstat_stats_cpu-tasks | Processor workload statistics |
  1084. | pidstat_stats_io | I/O statistics |
  1085. | pidstat_stats_kerneltables | Statistics of Linux kernel tables |
  1086. | pidstat_stats_pagefaults | Page fault statistics |
  1087. | pidstat_stats_stacks | Process stack statistics |
  1088. (Check. [Stacks](https://stackoverflow.com/questions/8905271/what-is-the-linux-stack), [Page fault](https://en.wikipedia.org/wiki/Page_fault))
  1089. Additionally, iostat command was run on the background.
  1090. 4. Let's take a closer look on two sar analytics files and I/O statistics file. The following commands open analytics files in more detailed view.
  1091. ------------------------------------------------
  1092. **SAR network statistics - IPv4 traffic**
  1093. **command: sar -n IP -f sar-stats_2018-02-24_2018-02-26.file**
  1094. ![sar-stats-ipv4](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-stats_ipv4.png)
  1095. **Observation period:** 24.-26.02.2018
  1096. | Field | Description | Average |
  1097. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
  1098. | Left column | Record time | |
  1099. | irec/s | The total number of input datagrams received from interfaces per second, including those received in error. | 1.33 |
  1100. | fwddgm/s | The number of input datagrams per second, for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. | 0.00 |
  1101. | idel/s | The total number of input datagrams,successfully,delivered,per,second,to,IP user-protocols (including ICMP). | 1.30 |
  1102. | orq/s | The total number of IP datagrams which local IP user-protocols (including ICMP) supplied per second to IP in requests for,transmission. Note that this,counter,does,not include any datagrams counted in fwddgm/s. | 1.45 |
  1103. | asmrq/s | The number of IP fragments received per second which needed to be reassembled at this entity. | 0.00 |
  1104. | asmok/s | The number of IP datagrams successfully re-assembled per second. | 0.00 |
  1105. | fragok/s | The number of IP datagrams that,have,been,successfully fragmented at this entity per second. | 0.00 |
  1106. | fragcrt/s | The number of IP datagram fragments that have been generated per second as a result of fragmentation at this entity. | 0.00 |
  1107. **NOTE!** Descriptions are provided in sysstat package (manpages).
  1108. **ANALYSIS - IPV4**
  1109. The server computer has not forwarded a single datagram in the observation period. Input network traffic has been received which can be concluded by observing _irec/s_, _idel/s_ and _orq/s_ field values. The current workload of the server computer is very low, including only HTTP daemon (Apache web server) and SSH server daemon. No webpages are available on the server which could increase input HTTP/HTTPS protocol based traffic. HTTPS was not enabled in the server computer.
  1110. By default, the server computer allows 128 simultaneous input network connections (command 'cat /proc/sys/net/core/somaxconn'. NOTE!: The value can be changed by issuing 'echo 1024 | sudo tee /proc/sys/net/core/somaxconn', for example).
  1111. MTU value of the web server computer for network interface eth0 was 1500 (you can check it with 'ifconfig' command). MTU stands for 'Maximum Transmission Unit' which determines the highest PDU unit ([Protocol Data Unit](https://en.wikipedia.org/wiki/Protocol_data_unit)) that can be transferred over the network at once.
  1112. Check also
  1113. - [MTU - hyperlink 1](http://www.tcpipguide.com/free/t_IPDatagramSizeMaximumTransmissionUnitMTUFragmentat.htm)
  1114. - [MTU - hyperlink 2](https://en.wikipedia.org/wiki/Maximum_transmission_unit)
  1115. - [Stack Overflow - What's the practical limit on the size of single packet transmitted over domain socket?](https://stackoverflow.com/questions/21856517/whats-the-practical-limit-on-the-size-of-single-packet-transmitted-over-domain)
  1116. - [Stack Overflow - What is the default size of datagram queue length in Unix Domain Sockets (AF_UNIX)? Is it configurable?](https://stackoverflow.com/questions/21448960/what-is-the-default-size-of-datagram-queue-length-in-unix-domain-sockets-af-uni)
  1117. - [IP fragmentation](https://en.wikipedia.org/wiki/IP_fragmentation)
  1118. - Related article: [Linux Tune Network Stack (Buffers Size) To Increase Networking Performance](https://www.cyberciti.biz/faq/linux-tcp-tuning/)
  1119. **NOTE!** About datagrams, [quoted from Wikipedia](https://en.wikipedia.org/wiki/Datagram#Internet_Protocol):
  1120. > The term datagram is often considered synonymous to packet but there are some nuances. The term datagram is generally reserved for packets of an unreliable service, which cannot notify the sender if delivery fails, while the term packet applies to any packet, reliable or not. Datagrams are the IP packets that provide a quick and unreliable service like UDP, and all IP packets are datagrams; however, at the TCP layer, what is termed a TCP segment is the sometimes necessary IP fragmentation of a datagram, but those are referred to as "packets".
  1121. ------------------------------------------------
  1122. **SAR - memory consumption statistics - RAM & SWAP**
  1123. **command: sar -r -f sar-stats_2018-02-24_2018-02-26.file**
  1124. **command: sar -S -f sar-stats_2018-02-24_2018-02-26.file**
  1125. ![sar-stats-memusage](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-stats_memusage.png)
  1126. **Observation period:** 24.-26.02.2018
  1127. NOTE! Average values are not visible in the attached picture!
  1128. | Field | Description | Average |
  1129. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
  1130. | Left column | Record time | |
  1131. | kbmemfree | Amount of free memory available in kilobytes. | 87631 KB (~ 87 MB) |
  1132. | kbmemused | Amount,of,used,memory in kilobytes. This does not take into account memory used by the kernel itself. | 928 457 KB (~ 928 MB) |
  1133. | %memused | Percentage of used memory. | 91.38 % |
  1134. | kbbuffers | Amount of memory used as buffers by the kernel in kilobytes. | 77 746 KB (~ 77 MB) |
  1135. | kbcached | Amount of memory used to cache data by the kernel in kilobytes. | 644 777 KB (~ 644 MB) |
  1136. | kbcommit | Amount of memory in kilobytes needed for current workload. This is an estimate of how much RAM/swap is needed to guarantee that there never is out of memory. | 470 619 KB (~ 470 MB) |
  1137. | %commit | Percentage of memory needed for current workload in relation to the total amount of memory (RAM+swap).,This number may be greater than 100% because the,kernel,usually overcommits memory. | 46.32 % |
  1138. | kbactive | Amount of active memory in kilobytes (memory that has been used more recently and usually not reclaimed unless absolutely necessary). | 468 703 KB (~ 468 MB) |
  1139. | kbinact | Amount of inactive memory in kilobytes (memory which has been less recently used. It is more eligible to be reclaimed for other purposes). | 301 098 KB (~ 301 MB) |
  1140. | kbdirty | Amount of memory in kilobytes waiting to get written back to the disk. | 254 KB (0.254 MB) |
  1141. **NOTE!** Descriptions are provided in sysstat package (manpages).
  1142. **ANALYSIS - MEMORY STATISTICS**
  1143. The target server memory size:
  1144. ```
  1145. [newuser@goauldhost: ~ ]$ cat /proc/meminfo | grep -i memtotal
  1146. MemTotal: 1016088 kB
  1147. ```
  1148. i.e. approximately ~ 1016 MB.
  1149. Great part of this memory were in use during the observation period. There were multiple active processes running on the server computer during the period, thus increased workload was intended and meant for statistics collection.
  1150. The web server didn't have Swap partition or Swap file. This can be found out by
  1151. - executing command 'for i in "cat /etc/fstab" "sudo fdisk -l"; do $i | grep -i swap; echo $?; done' which returns value 1 two times (meaning returning of 'false' boolean value to shell two separate times)
  1152. - Or, for example:
  1153. ```
  1154. [newuser@goauldhost: ~ ]$ cat /etc/fstab
  1155. LABEL=cloudimg-rootfs / ext4 defaults 0 0
  1156. LABEL=UEFI /boot/efi vfat defaults 0 0
  1157. [newuser@goauldhost: ~ ]$ sudo fdisk -l
  1158. [sudo] password for newuser:
  1159. Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors
  1160. Units: sectors of 1 * 512 = 512 bytes
  1161. Sector size (logical/physical): 512 bytes / 512 bytes
  1162. I/O size (minimum/optimal): 512 bytes / 512 bytes
  1163. Disklabel type: gpt
  1164. Disk identifier: 39DFE5D0-C8FB-44D8-93F8-EBB37A54BDF8
  1165. Device Start End Sectors Size Type
  1166. /dev/vda1 227328 52428766 52201439 24.9G Linux filesystem
  1167. /dev/vda14 2048 10239 8192 4M BIOS boot
  1168. /dev/vda15 10240 227327 217088 106M Microsoft basic data
  1169. ```
  1170. It may not be wise to collect Swap statistics (although Linux kernel [Swappiness value](https://en.wikipedia.org/wiki/Swappiness) has default value 60 defined in file '/proc/sys/vm/swappiness' in DigitalOcean virtual servers).
  1171. ------------------------------------------------
  1172. **I/O statistics**
  1173. ![sar-iostat](hhttps://github.com/Fincer/linux_server_setup/blob/master/images/sar-iostats.png)
  1174. Main command: iostat -dmtx 20
  1175. -d Display the device utilization report.
  1176. -m Display statistics in megabytes per second.
  1177. -t Print the time for each report displayed.
  1178. -x Display extended statistics.
  1179. 20 20 sec interval.
  1180. | Field | Description |
  1181. |--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
  1182. | Device | Device or partition defined in system directory '/dev'. |
  1183. | rrqm/s | The number of read requests merged per second that were queued to the device. |
  1184. | wrqm/s | The percentage of write requests merged together before being sent to the device. |
  1185. | r/s | The number (after merges) of read requests completed per second for the device. |
  1186. | w/s | The number (after merges) of write requests completed per second for the device. |
  1187. | rMB/s | The number of sectors (KB, MB) read from the device per second. |
  1188. | wMB/s | The number of sectors (KB, MB) write from the device per second. |
  1189. | avgrq-sz (areq-sz) | The average size (in kilobytes) of the I/O requests,that were issued to the device. |
  1190. | avgqu-sz (aqu-sz) | The average queue length of the requests that were issued to the device. |
  1191. | await | The average time (ms) for I/O requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  1192. | r_await | The average time (ms) for read requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  1193. | w_await | The average time (ms),for,write,requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  1194. | svctm | The average service time (ms) for I/O requests that were issued to the device. This field will be removed in a future sysstat version. |
  1195. | %util | Percentage of elapsed time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100% for devices serving requests serially. But for devices serving requests in parallel, such as RAID arrays and modern SSDs, this number does not reflect their performance limits. |
  1196. **NOTE!** Descriptions are provided in sysstat package (manpages).
  1197. **ANALYSIS - I/O STATISTICS**
  1198. Virtual partition '/dev/vda' were hibernated most of the time during the observation period. Little variation can be seen in writing requests (wrqm/s), in succeeded writing requests (w/s) and in written sector count (wMB/s). Average sector size is 10-20 sectors (avgrq-sz) which is quite little. I/O and read request service times are mostly 0.0. Workload of the virtual hard drive is low during the observation period.
  1199. ------------------------------------------------
  1200. In addition to sysstat, 'top' command could have been used in some TTY session in order to observe processes in real time, and with [inotify](https://en.wikipedia.org/wiki/Inotify), some file system changes could have been reported. Sysstat's advantage is that programs which are included in it can record and save analytics in binary format for further and detailed inspection.
  1201. **e)** (optional) Change sshd (SSH server process) port
  1202. --------------
  1203. **Answer:**
  1204. Let the following shell script do the job...
  1205. ```
  1206. #!/bin/bash
  1207. # SSH server daemon configuration file in the system
  1208. SSH_CONFIG=/etc/ssh/sshd_config
  1209. # New SSH server daemon input port as user input value.
  1210. NEW_SSH_PORT=$1
  1211. [[ -f $SSH_CONFIG ]] \
  1212. && sed -i "s/.*Port.*/Port $NEW_SSH_PORT/" $SSH_CONFIG && echo "SSH server: new port $NEW_SSH_PORT is set." \
  1213. || echo "SSH server configuration file could not be found!"
  1214. if [[ $(cat $SSH_CONFIG | grep -i port | awk '{print $2}') == $NEW_SSH_PORT ]]; then
  1215. echo -e "SSH server input port has been changed to $NEW_SSH_PORT.\n \
  1216. Restarting SSH server daemon in order to apply the changes (root required)."
  1217. sudo systemctl restart sshd.service
  1218. if [[ $? == 0 ]]; then
  1219. echo "SSH server daemon restarted, new input port is $NEW_SSH_PORT."
  1220. else
  1221. echo "Something went wrong while restarting SSH server daemon. Execute 'systemctl status sshd.service' \
  1222. to get more information about the problem."
  1223. fi
  1224. fi
  1225. ```
  1226. Save the above script code in file '$HOME/ssh-port.sh', for example. Change the port with command 'bash $HOME/ssh-port.sh 4312' where the number value is your new SSH port (4312 in this case).
  1227. ------------------------------------------------
  1228. **EXTRA - Using new port address of SSH server daemon when connecting with a client computer/program**
  1229. Changing SSH server input port on the server computer must be taken into account while establishing connection with a client computer. Because the default SSH port 22 is not used anymore, the following syntax must be applied while connecting to the SSH server computer:
  1230. ```
  1231. [19/02/2018 23:23:49 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p <new-port-number>
  1232. ```
  1233. ------------------------------------------------
  1234. **EXTRA - detecting SSH port change with port scanning techniques (nmap)**
  1235. Enable log level VERBOSE in '/etc/ssh/sshd_config' configuration file (LogLevel VERBOSE), restart SSH server daemon with command 'sudo systemctl restart sshd.service' and try port scanning with another computer.
  1236. Port scanning:
  1237. ```
  1238. nmap -sS -F -v -O 174.138.2.190
  1239. ```
  1240. nmap output when port scanning is applied with another computer using target IP 174.138.2.190 and port 1234 (note! This scanning has been applied to my own server only _once_ as an experiment, not in bad intentions! Make sure you have permission to proceed with your scanning and do not attack to any server just for fun, to avoid any problems!):
  1241. ```
  1242. phelenius@my-machine:~$ sudo nmap -sS -p 1234 -O -v 174.138.2.190
  1243. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-19 20:02 EET
  1244. Initiating Ping Scan at 20:02
  1245. Scanning 174.138.2.190 [4 ports]
  1246. Completed Ping Scan at 19:59, 0.20s elapsed (1 total hosts)
  1247. Initiating Parallel DNS resolution of 1 host. at 20:02
  1248. Completed Parallel DNS resolution of 1 host. at 20:02, 0.01s elapsed
  1249. Initiating SYN Stealth Scan at 20:02
  1250. Scanning 174.138.2.190 [1 port]
  1251. Completed SYN Stealth Scan at 20:02, 0.20s elapsed (1 total ports)
  1252. Initiating OS detection (try #1) against 174.138.2.190
  1253. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds. Ignoring time.
  1254. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds. Ignoring time.
  1255. Retrying OS detection (try #2) against 174.138.2.190
  1256. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds. Ignoring time.
  1257. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds. Ignoring time.
  1258. WARNING: OS didn't match until try #2
  1259. Nmap scan report for 174.138.2.190
  1260. Host is up (0.00041s latency).
  1261. PORT STATE SERVICE
  1262. 1234/tcp open unknown
  1263. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  1264. Device type: switch|general purpose|media device
  1265. Running: Cisco CatOS 7.X|8.X, HP Tru64 UNIX 5.X, Vantage embedded
  1266. OS CPE: cpe:/h:cisco:catalyst_ws-c6506 cpe:/o:cisco:catos:7.6 cpe:/o:cisco:catos:8.3 cpe:/o:hp:tru64:5.1a cpe:/h:vantage:hd7100s
  1267. OS details: Cisco Catalyst WS-C6506 switch (CatOS 7.6(16)), Cisco Catalyst switch (CatOS 8.3(2)), HP Tru64 UNIX 5.1A, Vantage HD7100S satellite receiver
  1268. Read data files from: /usr/bin/../share/nmap
  1269. OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1270. Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds
  1271. Raw packets sent: 44 (6.312KB) | Rcvd: 18 (1.820KB)
  1272. ```
  1273. If SSH server uses the default input port 22, the following is likely to be presented in output of 'nmap' command (unless you've defined a particular port to be scanned in your 'nmap' command, like port 1234):
  1274. ```
  1275. PORT STATE SERVICE
  1276. 22/tcp filtered ssh
  1277. ```
  1278. Corresponding log entries of targeted SSH server during the nmap scanning (/var/log/auth.log):
  1279. ```
  1280. Feb 19 18:02:46 goauldhost sshd[30057]: Connection from XXX.XXX.XXX.XXX port 6967 on 174.138.2.190 port 1234
  1281. Feb 19 18:02:46 goauldhost sshd[30057]: Did not receive identification string from XXX.XXX.XXX.XXX
  1282. Feb 19 18:02:46 goauldhost sshd[30058]: Connection from XXX.XXX.XXX.XXX port 52205 on 174.138.2.190 port 1234
  1283. Feb 19 18:02:46 goauldhost sshd[30058]: Did not receive identification string from XXX.XXX.XXX.XXX
  1284. Feb 19 18:02:47 goauldhost sshd[30059]: Connection from XXX.XXX.XXX.XXX port 25326 on 174.138.2.190 port 1234
  1285. Feb 19 18:02:47 goauldhost sshd[30059]: Did not receive identification string from XXX.XXX.XXX.XXX
  1286. Feb 19 18:02:47 goauldhost sshd[30060]: Connection from XXX.XXX.XXX.XXX port 32812 on 174.138.2.190 port 1234
  1287. Feb 19 18:02:47 goauldhost sshd[30060]: Did not receive identification string from XXX.XXX.XXX.XXX
  1288. Feb 19 18:02:47 goauldhost sshd[30061]: Connection from XXX.XXX.XXX.XXX port 17024 on 174.138.2.190 port 1234
  1289. Feb 19 18:02:47 goauldhost sshd[30061]: Did not receive identification string from XXX.XXX.XXX.XXX
  1290. Feb 19 18:02:47 goauldhost sshd[30062]: Connection from XXX.XXX.XXX.XXX port 53268 on 174.138.2.190 port 1234
  1291. Feb 19 18:02:47 goauldhost sshd[30062]: Did not receive identification string from XXX.XXX.XXX.XXX
  1292. Feb 19 18:02:47 goauldhost sshd[30063]: Connection from XXX.XXX.XXX.XXX port 34923 on 174.138.2.190 port 1234
  1293. Feb 19 18:02:47 goauldhost sshd[30063]: Did not receive identification string from XXX.XXX.XXX.XXX
  1294. Feb 19 18:02:47 goauldhost sshd[30064]: Connection from XXX.XXX.XXX.XXX port 14489 on 174.138.2.190 port 1234
  1295. Feb 19 18:02:47 goauldhost sshd[30064]: Did not receive identification string from XXX.XXX.XXX.XXX
  1296. Feb 19 18:02:47 goauldhost sshd[30065]: Connection from XXX.XXX.XXX.XXX port 40086 on 174.138.2.190 port 1234
  1297. Feb 19 18:02:47 goauldhost sshd[30065]: Did not receive identification string from XXX.XXX.XXX.XXX
  1298. Feb 19 18:02:47 goauldhost sshd[30066]: Connection from XXX.XXX.XXX.XXX port 38147 on 174.138.2.190 port 1234
  1299. Feb 19 18:02:47 goauldhost sshd[30066]: Did not receive identification string from XXX.XXX.XXX.XXX
  1300. Feb 19 18:02:48 goauldhost sshd[30067]: Connection from XXX.XXX.XXX.XXX port 49215 on 174.138.2.190 port 1234
  1301. Feb 19 18:02:48 goauldhost sshd[30067]: Did not receive identification string from XXX.XXX.XXX.XXX
  1302. Feb 19 18:02:48 goauldhost sshd[30068]: Connection from XXX.XXX.XXX.XXX port 34445 on 174.138.2.190 port 1234
  1303. Feb 19 18:02:48 goauldhost sshd[30068]: Did not receive identification string from XXX.XXX.XXX.XXX
  1304. Feb 19 18:02:48 goauldhost sshd[30069]: Connection from XXX.XXX.XXX.XXX port 4600 on 174.138.2.190 port 1234
  1305. Feb 19 18:02:48 goauldhost sshd[30069]: Did not receive identification string from XXX.XXX.XXX.XXX
  1306. Feb 19 18:02:48 goauldhost sshd[30070]: Connection from XXX.XXX.XXX.XXX port 59405 on 174.138.2.190 port 1234
  1307. Feb 19 18:02:48 goauldhost sshd[30070]: Did not receive identification string from XXX.XXX.XXX.XXX
  1308. Feb 19 18:02:48 goauldhost sshd[30071]: Connection from XXX.XXX.XXX.XXX port 7848 on 174.138.2.190 port 1234
  1309. Feb 19 18:02:48 goauldhost sshd[30071]: Did not receive identification string from XXX.XXX.XXX.XXX
  1310. Feb 19 18:02:49 goauldhost sshd[30072]: Connection from XXX.XXX.XXX.XXX port 5206 on 174.138.2.190 port 1234
  1311. Feb 19 18:02:49 goauldhost sshd[30072]: Did not receive identification string from XXX.XXX.XXX.XXX
  1312. Feb 19 18:02:50 goauldhost sshd[30073]: Connection from XXX.XXX.XXX.XXX port 5517 on 174.138.2.190 port 1234
  1313. Feb 19 18:02:50 goauldhost sshd[30073]: Did not receive identification string from XXX.XXX.XXX.XXX
  1314. Feb 19 18:02:50 goauldhost sshd[30074]: Connection from XXX.XXX.XXX.XXX port 3970 on 174.138.2.190 port 1234
  1315. Feb 19 18:02:50 goauldhost sshd[30074]: Did not receive identification string from XXX.XXX.XXX.XXX
  1316. Feb 19 18:02:50 goauldhost sshd[30075]: Connection from XXX.XXX.XXX.XXX port 38690 on 174.138.2.190 port 1234
  1317. Feb 19 18:02:50 goauldhost sshd[30075]: Did not receive identification string from XXX.XXX.XXX.XXX
  1318. Feb 19 18:02:50 goauldhost sshd[30076]: Connection from XXX.XXX.XXX.XXX port 50572 on 174.138.2.190 port 1234
  1319. Feb 19 18:02:50 goauldhost sshd[30076]: Did not receive identification string from XXX.XXX.XXX.XXX
  1320. Feb 19 18:02:50 goauldhost sshd[30077]: Connection from XXX.XXX.XXX.XXX port 27830 on 174.138.2.190 port 1234
  1321. Feb 19 18:02:50 goauldhost sshd[30077]: Did not receive identification string from XXX.XXX.XXX.XXX
  1322. Feb 19 18:02:50 goauldhost sshd[30078]: Connection from XXX.XXX.XXX.XXX port 49371 on 174.138.2.190 port 1234
  1323. Feb 19 18:02:50 goauldhost sshd[30078]: Did not receive identification string from XXX.XXX.XXX.XXX
  1324. Feb 19 18:02:51 goauldhost sshd[30079]: Connection from XXX.XXX.XXX.XXX port 36802 on 174.138.2.190 port 1234
  1325. Feb 19 18:02:51 goauldhost sshd[30079]: Did not receive identification string from XXX.XXX.XXX.XXX
  1326. Feb 19 18:02:51 goauldhost sshd[30080]: Connection from XXX.XXX.XXX.XXX port 50546 on 174.138.2.190 port 1234
  1327. Feb 19 18:02:51 goauldhost sshd[30080]: Did not receive identification string from XXX.XXX.XXX.XXX
  1328. Feb 19 18:02:51 goauldhost sshd[30081]: Connection from XXX.XXX.XXX.XXX port 43542 on 174.138.2.190 port 1234
  1329. Feb 19 18:02:51 goauldhost sshd[30081]: Did not receive identification string from XXX.XXX.XXX.XXX
  1330. Feb 19 18:02:51 goauldhost sshd[30082]: Connection from XXX.XXX.XXX.XXX port 56108 on 174.138.2.190 port 1234
  1331. Feb 19 18:02:51 goauldhost sshd[30082]: Did not receive identification string from XXX.XXX.XXX.XXX
  1332. Feb 19 18:02:51 goauldhost sshd[30083]: Connection from XXX.XXX.XXX.XXX port 6399 on 174.138.2.190 port 1234
  1333. Feb 19 18:02:51 goauldhost sshd[30083]: Did not receive identification string from XXX.XXX.XXX.XXX
  1334. Feb 19 18:02:51 goauldhost sshd[30084]: Connection from XXX.XXX.XXX.XXX port 55980 on 174.138.2.190 port 1234
  1335. Feb 19 18:02:51 goauldhost sshd[30084]: Did not receive identification string from XXX.XXX.XXX.XXX
  1336. Feb 19 18:02:51 goauldhost sshd[30085]: Connection from XXX.XXX.XXX.XXX port 12713 on 174.138.2.190 port 1234
  1337. Feb 19 18:02:51 goauldhost sshd[30085]: Did not receive identification string from XXX.XXX.XXX.XXX
  1338. Feb 19 18:02:51 goauldhost sshd[30086]: Connection from XXX.XXX.XXX.XXX port 5026 on 174.138.2.190 port 1234
  1339. Feb 19 18:02:51 goauldhost sshd[30086]: Did not receive identification string from XXX.XXX.XXX.XXX
  1340. ```
  1341. The server computer has logged invalid nmap connection requests. In this case, we have defined the known SSH connection port number 1234 in our 'nmap' command on the client computer (which is INPUT port at the server end, OUTPUT port at the client end).
  1342. You may check suggested countermeasures against port scanners on [Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/345114/how-to-protect-against-port-scanners/407904#407904). Does these measures interfere negatively to other network traffic in busy server environments? This depends on which ports (read: server daemon programs/services) are targets of your countermeasures.
  1343. Another 'nmap' command shows us the following:
  1344. ```
  1345. phelenius@my-machine:~$ sudo nmap 174.138.2.190 -sV
  1346. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-20 14:50 EET
  1347. Nmap scan report for 174.138.2.190
  1348. Host is up (0.33s latency).
  1349. Not shown: 998 filtered ports
  1350. PORT STATE SERVICE VERSION
  1351. 1234/tcp open ssh OpenSSH 7.6 (protocol 2.0)
  1352. 80/tcp open http
  1353. ...
  1354. ```
  1355. ... which reveals the actual service behind our new-defined port 1234/tcp to an attacker. In addition, the attacker can get more information about the server system, especially on Debian-based Linux distributions. For example:
  1356. ```
  1357. ...
  1358. PORT STATE SERVICE VERSION
  1359. 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
  1360. ...
  1361. ```
  1362. This information can be hidden by adding line _DebianBanner no_ in '/etc/ssh/sshd_config' on Debian-based Linux systems and restarting the SSH server daemon with command 'sudo systemctl restart sshd.service'
  1363. **NOTE!** Port scanning does not leave any log traces behind in Apache's access.log file ('/var/log/apache/access.log')!
  1364. Check also
  1365. - [MyPapit GNU/Linux - How to Hide OpenSSH Ubuntu version from Nmap and other scanners](https://blog.mypapit.net/2015/08/how-to-hide-openssh-ubuntu-release-from-nmap-and-other-scanners.html)
  1366. - [serverfault.com - How to hide web server name and openssh version on linux when scanning server ports?](https://serverfault.com/questions/81690/how-to-hide-web-server-name-and-openssh-version-on-linux-when-scanning-server-po/81697#81697)
  1367. - [Unix & Linux Stack Exchange - Change SSH banner which is grabbed by netcat](https://unix.stackexchange.com/questions/269024/change-ssh-banner-which-is-grabbed-by-netcat/269027#269027)
  1368. - [GitHub - metacloud/openssh - Include the Debian version in our identification](https://github.com/metacloud/openssh/blob/master/debian/patches/package-versioning.patch)
  1369. ------------------------------------------------
  1370. **EXTRA - Using Port Knocking technique against port scanning**
  1371. Nmap requests are targeted to layer 3 (Network Layer) in OSI model. Additional security measures can be taken by applying [Port Knocking login techniques](https://wiki.archlinux.org/index.php/Port_knocking) on the server computer.
  1372. **WARNING!** The following 'Knockd daemon' may break easily. Thus it can not be recommended for critical or rapidly updating server environments. For instance, dhcpcd version 7 or above breaks knockd daemon. Many users have had problems to start the daemon service during server boot-up process. Knockd assumes that you have a preconfigured network interface with established network connection (this is not 100% valid information but this is my best guess).
  1373. [DigitalOcean, "Port Knocking" - Ubuntu, knockd](https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu):
  1374. Dynamic firewall rules are manually applied to the server (iptables, for instance) or separate daemon process ([for instance, knockd](http://www.zeroflux.org/projects/knock)) is set up on the server computer. Daemon process is used to open a pre-defined port only if a client program has knocked correct server port numbers in right order and using correct protocol, either TCP or UDP, and this all has been done in predefined time limit. Additionally, limited timeout for user log-in can be set. For example, a correctly authenticated user must log in in 10 seconds ater Knock daemon has opened a SSH port for that time period. When the time limit is reached, Knock daemon closes the port for any further connection attempts unless the knock port sequence is re-applied.
  1375. Knocking technique must be configured so that firewall does not close already established connections (like SSH in our case), but refuses any further connection attempts so that the port can not be detected with nmap port scanning techniques after the time limit has been reached.
  1376. [DigitalOcean, "Port Knocking" - FWKnop - Single packet authentication](https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04):
  1377. Some more or less secure implementations for port knocking exist. Various encryption methods can be applied to the knocking technique, making it more difficult for an attacker to sniff network packets between a server and a client. One solution using encyption methods is [fwknop](http://www.cipherdyne.org/fwknop/) which uses _Single Packet Authorization_ (SPA) method instead of insecure port sequences.
  1378. More about Port Knocking technique:
  1379. - [Improved Port Knocking with Strong Authentication - Rennie deGraaf, John Aycock, and Michael Jacobson, Jr.∗ (Department of Computer Science - University of Calgary)](https://www.acsac.org/2005/papers/156.pdf)
  1380. - [OpenWRT:n sivut](https://wiki.openwrt.org/doc/howto/portknock.server)
  1381. - [portknocking.org](http://www.portknocking.org/) and practical solutions on [Implementations sub-page](http://www.portknocking.org/view/implementations)
  1382. - [Information Security Stack Exchange - Port Knocking is it a good idea?](https://security.stackexchange.com/questions/1194/port-knocking-is-it-a-good-idea/1196#1196)
  1383. **NOTE!** Port Knocking technique must not be applied to block ports of server daemon processes which are required to be always reachable from a client program (take Apache server for example). For SSH which does not require 24/7 connection, port knocking techniques can be applied more reliably. In addition to public key, password and PAM authentication methods, port knocking adds one more security layer to the stack. However, you must not apply these security countermeasures individually but use them together, instead. **The goal is to make it more difficult for an attacker to penetrate your network security.**
  1384. ------------------------------------------------
  1385. **EXTRA - ARP Scan and spoofing your MAC address**
  1386. Program [arp-scan](https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/) can be used in limited scale to scan a MAC address (OSI model layer 2, Data Link Layer) in a network.
  1387. Unique MAC address of a network interface (network card) can programmatically be spoofed with [these Arch Wiki instructions](https://wiki.archlinux.org/index.php/MAC_address_spoofing#Method_1:_systemd-networkd) or with my [Spoof MAC Address shell script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/spoof_mac_address.sh).
  1388. Sample results of ARP Scan.
  1389. BEFORE:
  1390. ```
  1391. [20/02/2018 18:52:35 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  1392. [sudo] password for fincer:
  1393. Interface: wlan0, datalink type: EN10MB (Ethernet)
  1394. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  1395. A.B.C.D f4:0e:22:ad:b8:7d (Unknown)
  1396. 1.2.3.4 18:a9:05:4b:61:58 Hewlett-Packard Company
  1397. ```
  1398. AFTER - IP-osoitteessa 1.2.3.4 olevan palvelinkoneen MAC-osoite muutettu:
  1399. ```
  1400. [20/02/2018 18:54:28 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  1401. Interface: wlan0, datalink type: EN10MB (Ethernet)
  1402. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  1403. A.B.C.D f4:0e:22:ad:b8:7d (Unknown)
  1404. 1.2.3.4 aa:0c:9a:fa:7b:d4 (Unknown)
  1405. ```
  1406. The following warning messages may be expected after spoofing a MAC address and when you establish SSH connection from a local computer to your server:
  1407. ```
  1408. Warning: Permanently added the ECDSA host key for IP address '[1.2.3.4]:22' to the list of known hosts.
  1409. ```
  1410. **f)** (optional) Allow SSH login only for users in group 'sshers'. Add your account to this group.
  1411. --------------
  1412. **Answer:**
  1413. 1. Log in to the server computer ('ssh username@server-ip -p <ssh-port>')
  1414. 2. Add group 'sshers' with GID number 876 (you don't have to define GID here)
  1415. ```
  1416. sudo groupadd -g 876 sshers
  1417. ```
  1418. 3. You can confirm existence of the created group with command 'grep sshers /etc/group'. Output:
  1419. ```
  1420. sshers:x:876:
  1421. ```
  1422. 4. Add the current user (read: yourself) _newuser_ into this group
  1423. ```
  1424. sudo usermod -aG sshers newuser
  1425. ```
  1426. 5. Command 'grep sshers /etc/group' output now:
  1427. ```
  1428. sshers:x:876:newuser
  1429. ```
  1430. You can alternatively check groups of _newuser_ by executing command 'groups' while being that user:
  1431. ```
  1432. [27/02/2018 10:39:58 - newuser@goauldhost: ~ ]$ groups
  1433. sshers newuser sudo
  1434. ```
  1435. or using command 'sudo -u newuser groups" as any system user who can execute commands with sudo.
  1436. **NOTE!** _groups_ -komento antaa oikean stdout:n (outputin) vasta uudelleenkirjautumisen jälkeen.
  1437. command 'groups' gives correct output only after re-login.
  1438. 6. Allow SSH login only to members of the group 'sshers'.
  1439. Manual page of 'sshd_config' ('man sshd_config') describes 'AllowGroups' option as follows:
  1440. > AllowGroups
  1441. > This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
  1442. Let's apply the following information into SSH server daemon configuration file '/etc/ssh/sshd_config':
  1443. ```
  1444. PermitRootLogin no
  1445. AllowGroups sshers
  1446. ```
  1447. And comment out the following lines (be careful here!):
  1448. ```
  1449. # DenyUsers <user names>
  1450. # AllowUsers <user names>
  1451. # DenyGroups <group names>
  1452. ```
  1453. If those lines are not defined in the configuration file, it is OK.
  1454. You can add multiple groups and users after those keywords, as you like.
  1455. For additional security, the following options can be applied as well (into '/etc/ssh/sshd_config' file), depending on your requests for SSH authentication policy:
  1456. ```
  1457. IgnoreRhosts yes
  1458. PermitEmptyPasswords no
  1459. ChallengeResponseAuthentication yes
  1460. UsePAM yes
  1461. MaxAuthTries 3
  1462. ```
  1463. etc. More options and configurations can be found with commands 'man sshd_config' and 'man sshd'
  1464. 7. Let's save this configuration and restart SSH server daemon by applying command 'sudo systemctl restart sshd.service' (NOTE! Disconnects already-established SSH connections!)
  1465. 8. Test SSH login with a client computer using remote user _newuser_ (belonging to the remote group 'sshers'). Command syntax is: 'ssh newuser@server-ip -p <server-port>'
  1466. **g)** (optional) Attach a remote network directory with sshfs.
  1467. --------------
  1468. **Answer:**
  1469. SSHFS stands for SSH File System. Corresponding program 'sshfs' has been developed to attach SSH server file systems (folders/files) remotely on a client computer so that all attached file systems can locally be browsed on the client computer. SSHFS uses encrypted SFTP protocol (SSH/Secure File Transfer Protocol) for file tranfers.
  1470. 1. Install 'sshfs' with command sequence 'sudo apt-get update && sudo apt-get -y install sshfs' on a Debian-based Linux system.
  1471. 2. Mount remote folder '/home/newuser/public_html/' (server), to path '/home/<current-user>/public_html_ssh_remote' on your client computer.
  1472. ```
  1473. mkdir $HOME/public_html_ssh_remote && sshfs newuser@174.138.2.190:./public_html $HOME/public_html_ssh_remote -p <ssh-portti>
  1474. ```
  1475. **NOTE!** If you use public key SSH authentication method, you are not asked for any password.
  1476. 3. Check that you have successfully mounted your remote server folder '/home/newuser/public_html' to the client computer (command 'ls ~/public_html_ssh_remote/'). Output should be as follows:
  1477. ```
  1478. index.html
  1479. ```
  1480. Additionally, check output of command 'mount | grep public_html_ssh_remote':
  1481. ```
  1482. newuser@174.138.2.190:./public_html on /home/phelenius/public_html_ssh_remote type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
  1483. ```
  1484. 4. Unmount the remote folder by issuing command 'sudo umount /home/phelenius/public_html_ssh_remote'. On the client end, 'ls' command should have empty output for directory 'public_html_ssh_remote'.
  1485. ==============
  1486. *Disclaimer:*
  1487. --------------
  1488. This exercise is a part of [Linux servers (ICT4TN021, spring 2018) // Linux-palvelimet (ICT4TN021, kevät 2018)](http://www.haaga-helia.fi/fi/opinto-opas/opintojaksokuvaukset/ICT4TN021) school course organized as a part of Information Technology studies in Haaga-Helia university of Applied Sciences, Helsinki, Finland. Course lecturer [Tero Karvinen](http://terokarvinen.com/) has defined the original assignment descriptions in Finnish presented in this document in English. Answers and translations have been written by Pekka Helenius (me, ~ Fincer).
  1489. **a)** Install SSH server daemon
  1490. --------------
  1491. **Answer:**
  1492. SSH daemon has already been installed on the virtual server machine (you can't establish a connection to the server with a SSH client program otherwise). However, the installation on Debian-based systems goes as follows:
  1493. ```
  1494. phelenius@my-machine:~$ sudo apt-get update && sudo apt-get install openssh-server
  1495. ```
  1496. Start SSH daemon and check whether it is active or not:
  1497. ```
  1498. phelenius@my-machine:~$ sudo systemctl start sshd.service
  1499. phelenius@my-machine:~$ [[ $(systemctl is-active sshd | grep ^active | wc -w) -eq 1 ]] && echo "REPLY: SSH server daemon is active" || echo "REPLY: SSH server daemon is not active"
  1500. REPLY: SSH server daemon is active
  1501. ```
  1502. SSH server daemon has been installed and is active on the server computer. Let's take a look-up into Systemd process tree:
  1503. ```
  1504. phelenius@my-machine:~$ sudo systemctl status
  1505. ...
  1506. CGroup: /
  1507. ├─init.scope
  1508. │ └─1 /lib/systemd/systemd --system --deserialize 20
  1509. ├─system.slice
  1510. ...
  1511. │ ├─ssh.service
  1512. │ │ ├─1534 /usr/sbin/sshd -D
  1513. │ │ ├─2365 sshd: [accepted]
  1514. │ │ └─2366 sshd: [net]
  1515. ```
  1516. Executable root binary file (sbin) is _/usr/sbin/sshd_ with command parameter _-D_ (Process Identifier/Process ID/PID is 1534).
  1517. **NOTE!** The following is stated about _-D_ parameter in sshd manual:
  1518. ```
  1519. phelenius@my-machine:~$ man sshd | grep -E "\-D" -C1
  1520. -D When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.
  1521. ```
  1522. _-D_ parameter definition by [SSH Communications Security](https://www.ssh.com/ssh/sshd/):
  1523. > -D Do not detach and become daemon. This is often used when sshd is run using systemd. This allows easier monitoring of the process in such environments. Without this option, the SSH server forks and detaches from terminal, making itself a background daemon process. The latter has been the traditional way to run the SSH server until recently. Many embedded systems would still use the latter.
  1524. About relevance of the _-D_ parameter has been discussed, for example, on [superuser.com (Differences between ssh -L to -D](https://superuser.com/questions/408031/differences-between-ssh-l-to-d).
  1525. **b)** Establish a firewall protection to the server computer (Note: allow SSH traffic before that)
  1526. --------------
  1527. **Answer:**
  1528. The firewall protection is done by using Linux kernel ip_table module(s). Firewall rules can be modified in User Space with the corresponding iptables command or with the simplified Python 3 based program/script 'Uncomplicated Firewall' (ufw). Other firewall solutions also exists on Linux, please see title 'Other firewall solutions' below.
  1529. We can check which loadable kernel modules have been enabled in Linux kernel with the kernel-related lsmod command.
  1530. ```
  1531. phelenius@my-machine:~$ man lsmod | sed -n '/NAME/{n;p}' | sed 's/\s*//'
  1532. lsmod - Show the status of modules in the Linux Kernel
  1533. ...
  1534. phelenius@my-machine:~$ lsmod |grep filter
  1535. ip6table_filter 16384 1
  1536. ip6_tables 28672 1 ip6table_filter
  1537. iptable_filter 16384 1
  1538. ip_tables 24576 1 iptable_filter
  1539. x_tables 36864 14 ip6table_filter,xt_hl,xt_recent,ip_tables,xt_tcpudp,xt_limit,xt_conntrack,xt_LOG,iptable_filter,ip6t_rt,ipt_REJECT,ip6_tables,xt_addrtype,ip6t_REJECT
  1540. ```
  1541. Source codes of these modules can be found on git.kernel.org: [ipv6 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter), [ipv6 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter.c), [ipv4 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter), [ipv4 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter.c)
  1542. By default, Uncomplicated Firewall (ufw) is usually pre-installed on many Linux distributions, including Debian-based systems. Let's confirm that:
  1543. ```
  1544. phelenius@my-machine:~$ if [[ $(dpkg --get-selections |grep ufw | awk '{print $1}' | wc -l) -eq 0 ]]; then sudo apt-get update && sudo apt-get -y install ufw && echo "REPLY: UFW is installed now"; else echo "REPLY: UFW has already been installed"; fi
  1545. REPLY: UFW has already been installed
  1546. ```
  1547. Therefore ufw firewall is installed. Otherwise it would be installed on the system with _apt-get install_ command.
  1548. By default, the Linux firewall blocks SSH input traffic (default port 22). This input port can be opened by applying the following ufw command:
  1549. ```
  1550. phelenius@my-machine:~$ sudo ufw allow 22/tcp
  1551. ```
  1552. or with the command (however, not specific port number is defined here):
  1553. ```
  1554. phelenius@my-machine:~$ sudo ufw allow ssh
  1555. ```
  1556. Afterwards, UFW can be re-enabled with the following command:
  1557. ```
  1558. phelenius@my-machine:~$ sudo ufw enable
  1559. Command may disrupt existing ssh connections. Proceed with operation (y|n)?
  1560. ```
  1561. Your answer should be 'y' (yes). The firewall does not close (possibly already established) SSH connection because we have opened port 22 TCP input traffic. We get a notification, stating:
  1562. ```
  1563. Firewall is active and enabled on system startup
  1564. ```
  1565. The message is bit unclear, because according to some testing, the ufw firewall may still not be enabled on system boot. Automated start of ufw during system boot can foolproofly be enabled with:
  1566. ```
  1567. phelenius@my-machine:~$ sudo systemctl enable ufw.service
  1568. Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service -> /usr/lib/systemd/system/ufw.service.
  1569. ```
  1570. Alternatively, the following message may appear:
  1571. ```
  1572. Synchronizing state of ufw.service with SysV init with /lib/systemd/systemd-sysv-install...
  1573. Executing /lib/systemd/systemd-sysv-install enable ufw
  1574. ```
  1575. **iptables:**
  1576. 1. Remove ufw from the Linux system, and remove all relevant ufw entries from iptables firewall rule list.
  1577. **NOTE!** Warning: (May) delete other important iptables rules configured by system administration!
  1578. **NOTE!** Be sure that you have direct access (local terminal, without network) to the target machine in a case of failure. Otherwise you may lock yourself out from the server.
  1579. ```
  1580. sudo systemctl stop ufw.service && sudo systemctl disable ufw.service
  1581. sudo apt-get purge --remove ufw
  1582. sudo iptables --flush && sudo iptables --delete-chains
  1583. ```
  1584. 2. Confirm deletion of ufw entries from iptables firewall rule list with
  1585. ```
  1586. sudo iptables -S
  1587. ```
  1588. Output should be:
  1589. ```
  1590. -P INPUT ACCEPT
  1591. -P FORWARD ACCEPT
  1592. -P OUTPUT ACCEPT
  1593. ```
  1594. 3. Add new firewall rules to iptables and keep already established connections open:
  1595. ```
  1596. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  1597. ```
  1598. 4. Drop all connections, excluding already established connections like SSH:
  1599. ```
  1600. sudo iptables -A INPUT -j DROP
  1601. sudo iptables -A FORWARD -j DROP
  1602. ```
  1603. 5. Allow SSH traffic (port number: 22, protocol: tcp, etc.):
  1604. ```
  1605. sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
  1606. ```
  1607. **NOTE!** This applies only to IPv4 connections. For IPv6, check [iptables6](https://www.linux.com/learn/intro-to-linux/2017/8/iptables-rules-ipv6).
  1608. **NOTE!** The forementioned command can be written so that connections only from a single IP is allowed, by using eth0 network interface. For example:
  1609. ```
  1610. sudo iptables -I INPUT -p tcp -i eth0 -s 231.123.24.24 --dport 22 -j ACCEPT
  1611. ```
  1612. **NOTE:** Be sure you have enabled 'net.ifnames=0' in your udev rules to get network interface names like 'eth0', 'wlan0' etc.!
  1613. More about setting iptables firewall rules, take a look on [DigitalOcean website](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) and [iptables - Append vs. Insert - website](https://serverfault.com/questions/472258/difference-between-iptables-a-and-i-option), for example.
  1614. 6. Confirm proper iptables firewall rules with 'sudo iptables -S' command:
  1615. ```
  1616. -P INPUT ACCEPT
  1617. -P FORWARD ACCEPT
  1618. -P OUTPUT ACCEPT
  1619. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  1620. -A INPUT -j DROP
  1621. -A FORWARD -j DROP
  1622. -I INPUT -p tcp --dport 22 -j ACCEPT
  1623. ```
  1624. 7. Save the rules so that they won't be lost after rebooting:
  1625. ```
  1626. sudo iptables-save | sudo tee /etc/iptables/iptables.save > /dev/null
  1627. cat /etc/iptables/iptables.save
  1628. ```
  1629. 8. Apply and enable the rules. You can restart iptables service (Packet Filtering Framework) if you prefer to do so:
  1630. ```
  1631. sudo iptables-restore && sudo systemctl restart iptables.service
  1632. ```
  1633. 9. Confirm the current iptables firewall rules with the command 'sudo iptables -S'.
  1634. More about iptables:
  1635. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, SSH service](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#service-ssh)
  1636. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, Saving rules](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#saving-rules).
  1637. - [The Geek Stuff - 25 Most Frequently Used Linux IPTables Rules Examples](https://www.thegeekstuff.com/2011/06/iptables-rules-examples)
  1638. **Other firewall solutions:**
  1639. In addition to ufw, other iptables-based firewall solutions have been developed on Linux. Take a look on [Firestarter](http://www.fs-security.com/), [Firewalld](https://fedoraproject.org/wiki/Firewalld?rd=FirewallD), [PeerGuardian](https://sourceforge.net/projects/peerguardian/?source=navbar), [FWBuilder](http://www.fwbuilder.org/), etc.
  1640. ------------------------------------------------
  1641. **EXTRA - root account: more restrictions**
  1642. In addition to previous root restrictions, the following extra restrictions were applied, too:
  1643. - root default shell were changed to _/sbin/nologin_ in file _/etc/passwd_
  1644. - root account were locked by applying command _sudo usermod root --lock_ (this was done already, it sets up an exclamation mark prefix to the root account password in file _/etc/shadow_
  1645. - root access removal of TTY sessions by commenting out relevant lines in file _/etc/securetty_
  1646. - SSH: setting _PermitRootLogin no_ were applied in SSH server configuration file _/etc/ssh/sshd_config_
  1647. PAM configuration files (Pluggable Authentitation Modules) were not altered in _/etc/pam.d/_ although security can be improved by applying some special system-spefific authentication rules there. PAM rules can restrict root permissions as well, including executable daemon processes and commands (i.e. you can restrict even root execution rights in the target system, in contradiction what is usually told for new Linux users that "root can do anything". With PAM, you can restrict that "anything" privilege.)
  1648. Reference: [Red Hat - 4.4.2. Disallowing Root Access](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html)
  1649. **c)** Transfer files using SSH protocol
  1650. --------------
  1651. **Answer:**
  1652. Let's use [Secure Copy (scp)](https://en.wikipedia.org/wiki/Secure_copy) command for file transfers.
  1653. The assignment has been done in the following command sequence. The following steps are executed:
  1654. 1. Create new subdirectory _httpd_ into the current user's home directory on the local computer
  1655. 2. Download related control, description and patch files of debian package of Apache web server, version _2.4.18-2ubuntu3.5_ from archive.ubuntu.com ([packages.ubuntu.com](https://packages.ubuntu.com/xenial/apache2)). Target directory for the download is the recently created subdirectory _httpd_
  1656. 3. Extract the downloaded archive files into $HOME/httpd. Subdirectory _debian_ will be created in _httpd_ directory.
  1657. 4. Establish a new SSH connection to the server computer with server user _newuser_, use port 1234 and create directory _$HOME/patches_ for this user.
  1658. 5. Transfer all local files (and directories) which 1) start with any character 2) end with suffix _diff_ and _patch_ 3) locate at the current user's _./httpd/debian/patches/_ subdirectory
  1659. to the directory _$HOME/patches_ located at the server computer (where $HOME=/home/newuser/). SSH connection port is 1234. Use command scp.
  1660. For more information about patches, check
  1661. - [What is the format of a patch file - stackoverflow.com](https://stackoverflow.com/questions/987372/what-is-the-format-of-a-patch-file)
  1662. - [Patch command examples - thegeekstuff.com](https://www.thegeekstuff.com/2014/12/patch-command-examples))
  1663. 6. List contents of the remote subdirectory _$HOME/patches_ with SSH connection, use port 1234..
  1664. 7. Delete current user's local subdirectory _httpd_ and its contents. _-R_ or _-r_ stands for recursive deletion, _-f_ stands for forceful removal. Remote files in the server computer's directory _/home/newuser/patches/_ will be kept intact.
  1665. ```
  1666. [20/02/2018 13:24:40 - fincer: ~ ]$ mkdir httpd
  1667. [20/02/2018 13:24:54 - fincer: ~ ]$ wget http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz -P httpd
  1668. --2018-02-20 13:25:13-- http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz
  1669. Resolving archive.ubuntu.com... 2001:67c:1560:8001::11, 2001:67c:1360:8001::17, 2001:67c:1560:8001::14, ...
  1670. Connecting to archive.ubuntu.com|2001:67c:1560:8001::11|:80... connected.
  1671. HTTP request sent, awaiting response... 200 OK
  1672. Length: 387448 (378K) [application/x-xz]
  1673. Saving to: ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’
  1674. apache2_2.4.18-2ubuntu3.5.debian.tar.xz 100%[==================================================================================>] 378.37K 450KB/s in 0.8s
  1675. 2018-02-20 13:25:15 (450 KB/s) - ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’ saved [387448/387448]
  1676. [20/02/2018 13:25:15 - fincer: ~ ]$ tar xf apache2_2.4.18-2ubuntu3.5.debian.tar.xz -C httpd
  1677. [20/02/2018 13:25:35 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 mkdir patches
  1678. newuser@174.138.2.190's password:
  1679. [20/02/2018 13:26:12 - fincer: ~ ]$ scp -P 1234 ./httpd/debian/patches/*.{diff,patch} newuser@174.138.2.190:./patches/
  1680. newuser@174.138.2.190's password:
  1681. hostnames_with_underscores.diff 100% 479 114.6KB/s 00:00
  1682. reproducible_builds.diff 100% 1710 427.2KB/s 00:00
  1683. build_suexec-custom.patch 100% 1981 473.6KB/s 00:00
  1684. customize_apxs.patch 100% 9316 888.9KB/s 00:00
  1685. CVE-2016-0736.patch 100% 12KB 867.4KB/s 00:00
  1686. CVE-2016-2161.patch 100% 4787 493.1KB/s 00:00
  1687. CVE-2016-5387.patch 100% 666 287.9KB/s 00:00
  1688. CVE-2016-8743.patch 100% 80KB 1.0MB/s 00:00
  1689. CVE-2017-3167.patch 100% 8922 698.9KB/s 00:00
  1690. CVE-2017-3169.patch 100% 4663 458.1KB/s 00:00
  1691. CVE-2017-7668.patch 100% 1746 482.5KB/s 00:00
  1692. CVE-2017-7679.patch 100% 1925 527.4KB/s 00:00
  1693. CVE-2017-9788.patch 100% 2252 582.1KB/s 00:00
  1694. CVE-2017-9798.patch 100% 1172 381.3KB/s 00:00
  1695. fhs_compliance.patch 100% 2541 635.6KB/s 00:00
  1696. no_LD_LIBRARY_PATH.patch 100% 444 199.8KB/s 00:00
  1697. prefork_single_process_crash.patch 100% 773 359.0KB/s 00:00
  1698. suexec-custom.patch 100% 5785 792.4KB/s 00:00
  1699. suexec-CVE-2007-1742.patch 100% 2356 589.3KB/s 00:00
  1700. suexec_is_shared.patch 100% 622 194.1KB/s 00:00
  1701. [20/02/2018 13:28:03 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 ls -l ./patches
  1702. newuser@174.138.2.190's password:
  1703. total 196
  1704. -rw-r--r-- 1 newuser newuser 12446 Feb 20 11:38 CVE-2016-0736.patch
  1705. -rw-r--r-- 1 newuser newuser 4787 Feb 20 11:38 CVE-2016-2161.patch
  1706. -rw-r--r-- 1 newuser newuser 666 Feb 20 11:38 CVE-2016-5387.patch
  1707. -rw-r--r-- 1 newuser newuser 81900 Feb 20 11:38 CVE-2016-8743.patch
  1708. -rw-r--r-- 1 newuser newuser 8922 Feb 20 11:38 CVE-2017-3167.patch
  1709. -rw-r--r-- 1 newuser newuser 4663 Feb 20 11:38 CVE-2017-3169.patch
  1710. -rw-r--r-- 1 newuser newuser 1746 Feb 20 11:38 CVE-2017-7668.patch
  1711. -rw-r--r-- 1 newuser newuser 1925 Feb 20 11:38 CVE-2017-7679.patch
  1712. -rw-r--r-- 1 newuser newuser 2252 Feb 20 11:38 CVE-2017-9788.patch
  1713. -rw-r--r-- 1 newuser newuser 1172 Feb 20 11:38 CVE-2017-9798.patch
  1714. -rw-r--r-- 1 newuser newuser 1981 Feb 20 11:38 build_suexec-custom.patch
  1715. -rw-r--r-- 1 newuser newuser 9316 Feb 20 11:38 customize_apxs.patch
  1716. -rw-r--r-- 1 newuser newuser 2541 Feb 20 11:38 fhs_compliance.patch
  1717. -rw-r--r-- 1 newuser newuser 479 Feb 20 11:38 hostnames_with_underscores.diff
  1718. -rw-r--r-- 1 newuser newuser 444 Feb 20 11:38 no_LD_LIBRARY_PATH.patch
  1719. -rw-r--r-- 1 newuser newuser 773 Feb 20 11:38 prefork_single_process_crash.patch
  1720. -rw-r--r-- 1 newuser newuser 1710 Feb 20 11:38 reproducible_builds.diff
  1721. -rw-r--r-- 1 newuser newuser 2356 Feb 20 11:38 suexec-CVE-2007-1742.patch
  1722. -rw-r--r-- 1 newuser newuser 5785 Feb 20 11:38 suexec-custom.patch
  1723. -rw-r--r-- 1 newuser newuser 622 Feb 20 11:38 suexec_is_shared.patch
  1724. [20/02/2018 13:32:01 - fincer: ~ ]$ rm -Rf httpd
  1725. ```
  1726. **d)** Automate SSH login with public key method
  1727. --------------
  1728. **Answer:**
  1729. 1. Let's generate a key pair on the client computer with a user who is wanted to have the public key authentication method for SSH connections. Both private and public keys are generated with 'ssh-keygen' command. Accept the default settings unless you have any requirements to customize them.
  1730. 2. Copy the _public_ key to the server computer with your SSH client using command 'ssh-copy-id -i $HOME/.ssh/id_rsa.pub username@server-ip-or-name'. The command copies your public key to the subdirectory *.ssh/authorized_keys* located at the server computer.
  1731. **NOTE!** Copy public key only, do **NOT** copy the private key!
  1732. More about the topic:
  1733. [ssh.com - Key Pair - Public and Private](https://www.ssh.com/ssh/public-key-authentication#sec-Key-Pair-Public-and-Private)
  1734. 3. Let confirm that SSH server daemon configuration file (_/etc/ssh/sshd_config_ by default) has the following settings in place (either use 'sudo nano _/etc/ssh/sshd_config_' or 'sudoedit _/etc/ssh/sshd_config_'):
  1735. ```
  1736. AuthenticationMethods publickey
  1737. PubkeyAuthentication yes
  1738. AuthorizedKeysFile .ssh/authorized_keys
  1739. ```
  1740. **Extra hint 1:** SSH client settings are generally defined in _/etc/ssh/ssh_config_
  1741. **Extra hint 2:** You can use ssh command with _-v_ parameter to gain more information about used authentication methods in unclear cases or for debugging purposes. The _-v_ parameter is defined as follows:
  1742. > -v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity. The maximum is 3.
  1743. 4. We shall restart server SSH daemon with _sudo systemctl restart sshd.service_ command (note! this interrupts any existing & opened SSH connections)
  1744. 5. We shall test public key authentication from the client computer. Use same user account which you previously used for executing _ssh-keygen_ command on the client computer. The client computer user should be able to login into SSH server without a password.
  1745. **EXTRA: Modifying welcome banner**
  1746. Let's modify default Ubuntu login/SSH banner message by executing the following bash script:
  1747. ```
  1748. #!/bin/bash
  1749. # Modify SSH login banner message
  1750. ## 00-header file:
  1751. #
  1752. sudo sed -i 's?printf "Welcome to %s (%s %s %s)\\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"?printf "Welcome to %s\\nUptime:
  1753. %s\\n\\n" "Server Computer" "$(uptime)"?' /etc/update-motd.d/00-header
  1754. ## File extensions of the following files will be modified
  1755. ## We could also remove these files with 'sudo rm <file>'
  1756. #
  1757. FILES=( 10-help-text 51-cloudguest 90-updates-available 91-release-upgrade )
  1758. cd /etc/update-motd.d/
  1759. for file in ${FILES[@]}; do sudo mv $file $file.old; done
  1760. cd
  1761. ```
  1762. **NOTE:** Location of the banner file varies between different Linux distributions. For instance, Arch Linux uses banner file _/etc_motd_.
  1763. **j)** Install, configure and start sysstat. Use sar command to confirm whether the sysstat package services have been enabled (for instance, log entry "Linux reboot..." exists). Run sysstat a day or two. Afterwards, check computer workload history with sysstat commands sar, iostat, pidstat etc. Analyze the results, i.e. explain the results in detail.
  1764. --------------
  1765. **Answer:**
  1766. 1. We shall connect to the server computer (running Ubuntu) and then install the required package with command sequence 'sudo apt-get update && sudo apt-get install -y install sysstat'
  1767. 2. Run [shell-based sysstat script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/sysstat_command.sh) which runs sar and pidstat commands two days with 20 second intervals.
  1768. **NOTE!** The script could have been opmitized more for the real requirements for the server environment (statistics interval, collection period, etc.)
  1769. 3. The script described in step 2 has generated sar analytics file 'sar-stats_2018-02-24_2018-02-26.file' into path '/home/newuser/sar_statistics/' on the server computer.
  1770. Time period: 24. - 26.02.2018
  1771. The following sums up some command samples which can be applied to the analytics file.
  1772. | File | Description |
  1773. |------------------------------------|-------------------------------------------------|
  1774. | sar -u -f <analytics-file> | Processor workload statistics |
  1775. | sar -v -f <analytics-file> | Inode and file statistics |
  1776. | sar -r -f <analytics-file> | Memory consumption statistics |
  1777. | sar -n DEV -f <analytics-file> | Network stats: devices |
  1778. | sar -n EDEV -f <analytics-file> | Network stats: errors in devices |
  1779. | sar -n IP -f <analytics-file> | Network stats: IPv4 traffic |
  1780. | sar -n EIP -f <analytics-file> | Network stats: errors in IPv4 traffic |
  1781. | sar -n IP6 -f <analytics-file> | Network stats: IPv6 traffic |
  1782. | sar -n EIP6 -f <analytics-file> | Network stats: errors in IPv6 traffic |
  1783. | sar -n SOCK -f <analytics-file> | Network stats: IPv4 socket |
  1784. | sar -n SOCK6 -f <analytics-file> | Network stats: IPv6 socket |
  1785. | sar -n TCP -f <analytics-file> | Network stats: TCPv4 protocol traffic |
  1786. | sar -n ETCP -f <analytics-file> | Network stats: errors in TCPv4 protocol traffic |
  1787. | sar -S -f <analytics-file> | Swap memory consumption |
  1788. | sar -w -f <analytics-file> | Process statistics |
  1789. | sar -F MOUNT / -f <analytics-file> | File system which is mounted at / |
  1790. Statistics can be combined etc, as you can find out with 'man sar' command:
  1791. ```
  1792. sar -u 2 5
  1793. Report CPU utilization for each 2 seconds. 5 lines are displayed.
  1794. sar -I 14 -o int14.file 2 10
  1795. Report statistics on IRQ 14 for each 2 seconds. 10 lines are displayed. Data are stored in a file called int14.file.
  1796. sar -r -n DEV -f /var/log/sysstat/sa16
  1797. Display memory and network statistics saved in daily data file 'sa16'.
  1798. sar -A
  1799. Display all the statistics saved in current daily data file.
  1800. ```
  1801. Or [The Geek Stuff - 10 Useful Sar (Sysstat) Examples for UNIX / Linux Performance Monitoring](https://www.thegeekstuff.com/2011/03/sar-examples/?utm_source=feedburner)
  1802. What are inode and swap? Check
  1803. - [inode - 1](https://www.cyberciti.biz/tips/understanding-unixlinux-filesystem-inodes.html)
  1804. - [inode - 2](https://unix.stackexchange.com/questions/117093/find-where-inodes-are-being-used)
  1805. - [Swap](https://wiki.archlinux.org/index.php/swap)
  1806. Additionally, the following pidstat files were generated:
  1807. | File | Description |
  1808. |----------------------------|------------------------------------|
  1809. | pidstat_stats_cpu-tasks | Processor workload statistics |
  1810. | pidstat_stats_io | I/O statistics |
  1811. | pidstat_stats_kerneltables | Statistics of Linux kernel tables |
  1812. | pidstat_stats_pagefaults | Page fault statistics |
  1813. | pidstat_stats_stacks | Process stack statistics |
  1814. (Check. [Stacks](https://stackoverflow.com/questions/8905271/what-is-the-linux-stack), [Page fault](https://en.wikipedia.org/wiki/Page_fault))
  1815. Additionally, iostat command was run on the background.
  1816. 4. Let's take a closer look on two sar analytics files and I/O statistics file. The following commands open analytics files in more detailed view.
  1817. ------------------------------------------------
  1818. **SAR network statistics - IPv4 traffic**
  1819. **command: sar -n IP -f sar-stats_2018-02-24_2018-02-26.file**
  1820. ![sar-stats-ipv4](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-stats_ipv4.png)
  1821. **Observation period:** 24.-26.02.2018
  1822. | Field | Description | Average |
  1823. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
  1824. | Left column | Record time | |
  1825. | irec/s | The total number of input datagrams received from interfaces per second, including those received in error. | 1.33 |
  1826. | fwddgm/s | The number of input datagrams per second, for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. | 0.00 |
  1827. | idel/s | The total number of input datagrams,successfully,delivered,per,second,to,IP user-protocols (including ICMP). | 1.30 |
  1828. | orq/s | The total number of IP datagrams which local IP user-protocols (including ICMP) supplied per second to IP in requests for,transmission. Note that this,counter,does,not include any datagrams counted in fwddgm/s. | 1.45 |
  1829. | asmrq/s | The number of IP fragments received per second which needed to be reassembled at this entity. | 0.00 |
  1830. | asmok/s | The number of IP datagrams successfully re-assembled per second. | 0.00 |
  1831. | fragok/s | The number of IP datagrams that,have,been,successfully fragmented at this entity per second. | 0.00 |
  1832. | fragcrt/s | The number of IP datagram fragments that have been generated per second as a result of fragmentation at this entity. | 0.00 |
  1833. **NOTE!** Descriptions are provided in sysstat package (manpages).
  1834. **ANALYSIS - IPV4**
  1835. The server computer has not forwarded a single datagram in the observation period. Input network traffic has been received which can be concluded by observing _irec/s_, _idel/s_ and _orq/s_ field values. The current workload of the server computer is very low, including only HTTP daemon (Apache web server) and SSH server daemon. No webpages are available on the server which could increase input HTTP/HTTPS protocol based traffic. HTTPS was not enabled in the server computer.
  1836. By default, the server computer allows 128 simultaneous input network connections (command 'cat /proc/sys/net/core/somaxconn'. NOTE!: The value can be changed by issuing 'echo 1024 | sudo tee /proc/sys/net/core/somaxconn', for example).
  1837. MTU value of the web server computer for network interface eth0 was 1500 (you can check it with 'ifconfig' command). MTU stands for 'Maximum Transmission Unit' which determines the highest PDU unit ([Protocol Data Unit](https://en.wikipedia.org/wiki/Protocol_data_unit)) that can be transferred over the network at once.
  1838. Check also
  1839. - [MTU - hyperlink 1](http://www.tcpipguide.com/free/t_IPDatagramSizeMaximumTransmissionUnitMTUFragmentat.htm)
  1840. - [MTU - hyperlink 2](https://en.wikipedia.org/wiki/Maximum_transmission_unit)
  1841. - [Stack Overflow - What's the practical limit on the size of single packet transmitted over domain socket?](https://stackoverflow.com/questions/21856517/whats-the-practical-limit-on-the-size-of-single-packet-transmitted-over-domain)
  1842. - [Stack Overflow - What is the default size of datagram queue length in Unix Domain Sockets (AF_UNIX)? Is it configurable?](https://stackoverflow.com/questions/21448960/what-is-the-default-size-of-datagram-queue-length-in-unix-domain-sockets-af-uni)
  1843. - [IP fragmentation](https://en.wikipedia.org/wiki/IP_fragmentation)
  1844. - Related article: [Linux Tune Network Stack (Buffers Size) To Increase Networking Performance](https://www.cyberciti.biz/faq/linux-tcp-tuning/)
  1845. **NOTE!** About datagrams, [quoted from Wikipedia](https://en.wikipedia.org/wiki/Datagram#Internet_Protocol):
  1846. > The term datagram is often considered synonymous to packet but there are some nuances. The term datagram is generally reserved for packets of an unreliable service, which cannot notify the sender if delivery fails, while the term packet applies to any packet, reliable or not. Datagrams are the IP packets that provide a quick and unreliable service like UDP, and all IP packets are datagrams; however, at the TCP layer, what is termed a TCP segment is the sometimes necessary IP fragmentation of a datagram, but those are referred to as "packets".
  1847. ------------------------------------------------
  1848. **SAR - memory consumption statistics - RAM & SWAP**
  1849. **command: sar -r -f sar-stats_2018-02-24_2018-02-26.file**
  1850. **command: sar -S -f sar-stats_2018-02-24_2018-02-26.file**
  1851. ![sar-stats-memusage](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-stats_memusage.png)
  1852. **Observation period:** 24.-26.02.2018
  1853. NOTE! Average values are not visible in the attached picture!
  1854. | Field | Description | Average |
  1855. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
  1856. | Left column | Record time | |
  1857. | kbmemfree | Amount of free memory available in kilobytes. | 87631 KB (~ 87 MB) |
  1858. | kbmemused | Amount,of,used,memory in kilobytes. This does not take into account memory used by the kernel itself. | 928 457 KB (~ 928 MB) |
  1859. | %memused | Percentage of used memory. | 91.38 % |
  1860. | kbbuffers | Amount of memory used as buffers by the kernel in kilobytes. | 77 746 KB (~ 77 MB) |
  1861. | kbcached | Amount of memory used to cache data by the kernel in kilobytes. | 644 777 KB (~ 644 MB) |
  1862. | kbcommit | Amount of memory in kilobytes needed for current workload. This is an estimate of how much RAM/swap is needed to guarantee that there never is out of memory. | 470 619 KB (~ 470 MB) |
  1863. | %commit | Percentage of memory needed for current workload in relation to the total amount of memory (RAM+swap).,This number may be greater than 100% because the,kernel,usually overcommits memory. | 46.32 % |
  1864. | kbactive | Amount of active memory in kilobytes (memory that has been used more recently and usually not reclaimed unless absolutely necessary). | 468 703 KB (~ 468 MB) |
  1865. | kbinact | Amount of inactive memory in kilobytes (memory which has been less recently used. It is more eligible to be reclaimed for other purposes). | 301 098 KB (~ 301 MB) |
  1866. | kbdirty | Amount of memory in kilobytes waiting to get written back to the disk. | 254 KB (0.254 MB) |
  1867. **NOTE!** Descriptions are provided in sysstat package (manpages).
  1868. **ANALYSIS - MEMORY STATISTICS**
  1869. The target server memory size:
  1870. ```
  1871. [newuser@goauldhost: ~ ]$ cat /proc/meminfo | grep -i memtotal
  1872. MemTotal: 1016088 kB
  1873. ```
  1874. i.e. approximately ~ 1016 MB.
  1875. Great part of this memory were in use during the observation period. There were multiple active processes running on the server computer during the period, thus increased workload was intended and meant for statistics collection.
  1876. The web server didn't have Swap partition or Swap file. This can be found out by
  1877. - executing command 'for i in "cat /etc/fstab" "sudo fdisk -l"; do $i | grep -i swap; echo $?; done' which returns value 1 two times (meaning returning of 'false' boolean value to shell two separate times)
  1878. - Or, for example:
  1879. ```
  1880. [newuser@goauldhost: ~ ]$ cat /etc/fstab
  1881. LABEL=cloudimg-rootfs / ext4 defaults 0 0
  1882. LABEL=UEFI /boot/efi vfat defaults 0 0
  1883. [newuser@goauldhost: ~ ]$ sudo fdisk -l
  1884. [sudo] password for newuser:
  1885. Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors
  1886. Units: sectors of 1 * 512 = 512 bytes
  1887. Sector size (logical/physical): 512 bytes / 512 bytes
  1888. I/O size (minimum/optimal): 512 bytes / 512 bytes
  1889. Disklabel type: gpt
  1890. Disk identifier: 39DFE5D0-C8FB-44D8-93F8-EBB37A54BDF8
  1891. Device Start End Sectors Size Type
  1892. /dev/vda1 227328 52428766 52201439 24.9G Linux filesystem
  1893. /dev/vda14 2048 10239 8192 4M BIOS boot
  1894. /dev/vda15 10240 227327 217088 106M Microsoft basic data
  1895. ```
  1896. It may not be wise to collect Swap statistics (although Linux kernel [Swappiness value](https://en.wikipedia.org/wiki/Swappiness) has default value 60 defined in file '/proc/sys/vm/swappiness' in DigitalOcean virtual servers).
  1897. ------------------------------------------------
  1898. **I/O statistics**
  1899. ![sar-iostat](https://github.com/Fincer/linux_server_setup/blob/master/images/sar-iostats.png)
  1900. Main command: iostat -dmtx 20
  1901. -d Display the device utilization report.
  1902. -m Display statistics in megabytes per second.
  1903. -t Print the time for each report displayed.
  1904. -x Display extended statistics.
  1905. 20 20 sec interval.
  1906. | Field | Description |
  1907. |--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
  1908. | Device | Device or partition defined in system directory '/dev'. |
  1909. | rrqm/s | The number of read requests merged per second that were queued to the device. |
  1910. | wrqm/s | The percentage of write requests merged together before being sent to the device. |
  1911. | r/s | The number (after merges) of read requests completed per second for the device. |
  1912. | w/s | The number (after merges) of write requests completed per second for the device. |
  1913. | rMB/s | The number of sectors (KB, MB) read from the device per second. |
  1914. | wMB/s | The number of sectors (KB, MB) write from the device per second. |
  1915. | avgrq-sz (areq-sz) | The average size (in kilobytes) of the I/O requests,that were issued to the device. |
  1916. | avgqu-sz (aqu-sz) | The average queue length of the requests that were issued to the device. |
  1917. | await | The average time (ms) for I/O requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  1918. | r_await | The average time (ms) for read requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  1919. | w_await | The average time (ms),for,write,requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  1920. | svctm | The average service time (ms) for I/O requests that were issued to the device. This field will be removed in a future sysstat version. |
  1921. | %util | Percentage of elapsed time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100% for devices serving requests serially. But for devices serving requests in parallel, such as RAID arrays and modern SSDs, this number does not reflect their performance limits. |
  1922. **NOTE!** Descriptions are provided in sysstat package (manpages).
  1923. **ANALYSIS - I/O STATISTICS**
  1924. Virtual partition '/dev/vda' were hibernated most of the time during the observation period. Little variation can be seen in writing requests (wrqm/s), in succeeded writing requests (w/s) and in written sector count (wMB/s). Average sector size is 10-20 sectors (avgrq-sz) which is quite little. I/O and read request service times are mostly 0.0. Workload of the virtual hard drive is low during the observation period.
  1925. ------------------------------------------------
  1926. In addition to sysstat, 'top' command could have been used in some TTY session in order to observe processes in real time, and with [inotify](https://en.wikipedia.org/wiki/Inotify), some file system changes could have been reported. Sysstat's advantage is that programs which are included in it can record and save analytics in binary format for further and detailed inspection.
  1927. **e)** (optional) Change sshd (SSH server process) port
  1928. --------------
  1929. **Answer:**
  1930. Let the following shell script do the job...
  1931. ```
  1932. #!/bin/bash
  1933. # SSH server daemon configuration file in the system
  1934. SSH_CONFIG=/etc/ssh/sshd_config
  1935. # New SSH server daemon input port as user input value.
  1936. NEW_SSH_PORT=$1
  1937. [[ -f $SSH_CONFIG ]] \
  1938. && sed -i "s/.*Port.*/Port $NEW_SSH_PORT/" $SSH_CONFIG && echo "SSH server: new port $NEW_SSH_PORT is set." \
  1939. || echo "SSH server configuration file could not be found!"
  1940. if [[ $(cat $SSH_CONFIG | grep -i port | awk '{print $2}') == $NEW_SSH_PORT ]]; then
  1941. echo -e "SSH server input port has been changed to $NEW_SSH_PORT.\n \
  1942. Restarting SSH server daemon in order to apply the changes (root required)."
  1943. sudo systemctl restart sshd.service
  1944. if [[ $? == 0 ]]; then
  1945. echo "SSH server daemon restarted, new input port is $NEW_SSH_PORT."
  1946. else
  1947. echo "Something went wrong while restarting SSH server daemon. Execute 'systemctl status sshd.service' \
  1948. to get more information about the problem."
  1949. fi
  1950. fi
  1951. ```
  1952. Save the above script code in file '$HOME/ssh-port.sh', for example. Change the port with command 'bash $HOME/ssh-port.sh 4312' where the number value is your new SSH port (4312 in this case).
  1953. ------------------------------------------------
  1954. **EXTRA - Using new port address of SSH server daemon when connecting with a client computer/program**
  1955. Changing SSH server input port on the server computer must be taken into account while establishing connection with a client computer. Because the default SSH port 22 is not used anymore, the following syntax must be applied while connecting to the SSH server computer:
  1956. ```
  1957. [19/02/2018 23:23:49 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p <new-port-number>
  1958. ```
  1959. ------------------------------------------------
  1960. **EXTRA - detecting SSH port change with port scanning techniques (nmap)**
  1961. Enable log level VERBOSE in '/etc/ssh/sshd_config' configuration file (LogLevel VERBOSE), restart SSH server daemon with command 'sudo systemctl restart sshd.service' and try port scanning with another computer.
  1962. Port scanning:
  1963. ```
  1964. nmap -sS -F -v -O 174.138.2.190
  1965. ```
  1966. nmap output when port scanning is applied with another computer using target IP 174.138.2.190 and port 1234 (note! This scanning has been applied to my own server only _once_ as an experiment, not in bad intentions! Make sure you have permission to proceed with your scanning and do not attack to any server just for fun, to avoid any problems!):
  1967. ```
  1968. phelenius@my-machine:~$ sudo nmap -sS -p 1234 -O -v 174.138.2.190
  1969. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-19 20:02 EET
  1970. Initiating Ping Scan at 20:02
  1971. Scanning 174.138.2.190 [4 ports]
  1972. Completed Ping Scan at 19:59, 0.20s elapsed (1 total hosts)
  1973. Initiating Parallel DNS resolution of 1 host. at 20:02
  1974. Completed Parallel DNS resolution of 1 host. at 20:02, 0.01s elapsed
  1975. Initiating SYN Stealth Scan at 20:02
  1976. Scanning 174.138.2.190 [1 port]
  1977. Completed SYN Stealth Scan at 20:02, 0.20s elapsed (1 total ports)
  1978. Initiating OS detection (try #1) against 174.138.2.190
  1979. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds. Ignoring time.
  1980. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds. Ignoring time.
  1981. Retrying OS detection (try #2) against 174.138.2.190
  1982. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds. Ignoring time.
  1983. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds. Ignoring time.
  1984. WARNING: OS didn't match until try #2
  1985. Nmap scan report for 174.138.2.190
  1986. Host is up (0.00041s latency).
  1987. PORT STATE SERVICE
  1988. 1234/tcp open unknown
  1989. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  1990. Device type: switch|general purpose|media device
  1991. Running: Cisco CatOS 7.X|8.X, HP Tru64 UNIX 5.X, Vantage embedded
  1992. OS CPE: cpe:/h:cisco:catalyst_ws-c6506 cpe:/o:cisco:catos:7.6 cpe:/o:cisco:catos:8.3 cpe:/o:hp:tru64:5.1a cpe:/h:vantage:hd7100s
  1993. OS details: Cisco Catalyst WS-C6506 switch (CatOS 7.6(16)), Cisco Catalyst switch (CatOS 8.3(2)), HP Tru64 UNIX 5.1A, Vantage HD7100S satellite receiver
  1994. Read data files from: /usr/bin/../share/nmap
  1995. OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1996. Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds
  1997. Raw packets sent: 44 (6.312KB) | Rcvd: 18 (1.820KB)
  1998. ```
  1999. If SSH server uses the default input port 22, the following is likely to be presented in output of 'nmap' command (unless you've defined a particular port to be scanned in your 'nmap' command, like port 1234):
  2000. ```
  2001. PORT STATE SERVICE
  2002. 22/tcp filtered ssh
  2003. ```
  2004. Corresponding log entries of targeted SSH server during the nmap scanning (/var/log/auth.log):
  2005. ```
  2006. Feb 19 18:02:46 goauldhost sshd[30057]: Connection from XXX.XXX.XXX.XXX port 6967 on 174.138.2.190 port 1234
  2007. Feb 19 18:02:46 goauldhost sshd[30057]: Did not receive identification string from XXX.XXX.XXX.XXX
  2008. Feb 19 18:02:46 goauldhost sshd[30058]: Connection from XXX.XXX.XXX.XXX port 52205 on 174.138.2.190 port 1234
  2009. Feb 19 18:02:46 goauldhost sshd[30058]: Did not receive identification string from XXX.XXX.XXX.XXX
  2010. Feb 19 18:02:47 goauldhost sshd[30059]: Connection from XXX.XXX.XXX.XXX port 25326 on 174.138.2.190 port 1234
  2011. Feb 19 18:02:47 goauldhost sshd[30059]: Did not receive identification string from XXX.XXX.XXX.XXX
  2012. Feb 19 18:02:47 goauldhost sshd[30060]: Connection from XXX.XXX.XXX.XXX port 32812 on 174.138.2.190 port 1234
  2013. Feb 19 18:02:47 goauldhost sshd[30060]: Did not receive identification string from XXX.XXX.XXX.XXX
  2014. Feb 19 18:02:47 goauldhost sshd[30061]: Connection from XXX.XXX.XXX.XXX port 17024 on 174.138.2.190 port 1234
  2015. Feb 19 18:02:47 goauldhost sshd[30061]: Did not receive identification string from XXX.XXX.XXX.XXX
  2016. Feb 19 18:02:47 goauldhost sshd[30062]: Connection from XXX.XXX.XXX.XXX port 53268 on 174.138.2.190 port 1234
  2017. Feb 19 18:02:47 goauldhost sshd[30062]: Did not receive identification string from XXX.XXX.XXX.XXX
  2018. Feb 19 18:02:47 goauldhost sshd[30063]: Connection from XXX.XXX.XXX.XXX port 34923 on 174.138.2.190 port 1234
  2019. Feb 19 18:02:47 goauldhost sshd[30063]: Did not receive identification string from XXX.XXX.XXX.XXX
  2020. Feb 19 18:02:47 goauldhost sshd[30064]: Connection from XXX.XXX.XXX.XXX port 14489 on 174.138.2.190 port 1234
  2021. Feb 19 18:02:47 goauldhost sshd[30064]: Did not receive identification string from XXX.XXX.XXX.XXX
  2022. Feb 19 18:02:47 goauldhost sshd[30065]: Connection from XXX.XXX.XXX.XXX port 40086 on 174.138.2.190 port 1234
  2023. Feb 19 18:02:47 goauldhost sshd[30065]: Did not receive identification string from XXX.XXX.XXX.XXX
  2024. Feb 19 18:02:47 goauldhost sshd[30066]: Connection from XXX.XXX.XXX.XXX port 38147 on 174.138.2.190 port 1234
  2025. Feb 19 18:02:47 goauldhost sshd[30066]: Did not receive identification string from XXX.XXX.XXX.XXX
  2026. Feb 19 18:02:48 goauldhost sshd[30067]: Connection from XXX.XXX.XXX.XXX port 49215 on 174.138.2.190 port 1234
  2027. Feb 19 18:02:48 goauldhost sshd[30067]: Did not receive identification string from XXX.XXX.XXX.XXX
  2028. Feb 19 18:02:48 goauldhost sshd[30068]: Connection from XXX.XXX.XXX.XXX port 34445 on 174.138.2.190 port 1234
  2029. Feb 19 18:02:48 goauldhost sshd[30068]: Did not receive identification string from XXX.XXX.XXX.XXX
  2030. Feb 19 18:02:48 goauldhost sshd[30069]: Connection from XXX.XXX.XXX.XXX port 4600 on 174.138.2.190 port 1234
  2031. Feb 19 18:02:48 goauldhost sshd[30069]: Did not receive identification string from XXX.XXX.XXX.XXX
  2032. Feb 19 18:02:48 goauldhost sshd[30070]: Connection from XXX.XXX.XXX.XXX port 59405 on 174.138.2.190 port 1234
  2033. Feb 19 18:02:48 goauldhost sshd[30070]: Did not receive identification string from XXX.XXX.XXX.XXX
  2034. Feb 19 18:02:48 goauldhost sshd[30071]: Connection from XXX.XXX.XXX.XXX port 7848 on 174.138.2.190 port 1234
  2035. Feb 19 18:02:48 goauldhost sshd[30071]: Did not receive identification string from XXX.XXX.XXX.XXX
  2036. Feb 19 18:02:49 goauldhost sshd[30072]: Connection from XXX.XXX.XXX.XXX port 5206 on 174.138.2.190 port 1234
  2037. Feb 19 18:02:49 goauldhost sshd[30072]: Did not receive identification string from XXX.XXX.XXX.XXX
  2038. Feb 19 18:02:50 goauldhost sshd[30073]: Connection from XXX.XXX.XXX.XXX port 5517 on 174.138.2.190 port 1234
  2039. Feb 19 18:02:50 goauldhost sshd[30073]: Did not receive identification string from XXX.XXX.XXX.XXX
  2040. Feb 19 18:02:50 goauldhost sshd[30074]: Connection from XXX.XXX.XXX.XXX port 3970 on 174.138.2.190 port 1234
  2041. Feb 19 18:02:50 goauldhost sshd[30074]: Did not receive identification string from XXX.XXX.XXX.XXX
  2042. Feb 19 18:02:50 goauldhost sshd[30075]: Connection from XXX.XXX.XXX.XXX port 38690 on 174.138.2.190 port 1234
  2043. Feb 19 18:02:50 goauldhost sshd[30075]: Did not receive identification string from XXX.XXX.XXX.XXX
  2044. Feb 19 18:02:50 goauldhost sshd[30076]: Connection from XXX.XXX.XXX.XXX port 50572 on 174.138.2.190 port 1234
  2045. Feb 19 18:02:50 goauldhost sshd[30076]: Did not receive identification string from XXX.XXX.XXX.XXX
  2046. Feb 19 18:02:50 goauldhost sshd[30077]: Connection from XXX.XXX.XXX.XXX port 27830 on 174.138.2.190 port 1234
  2047. Feb 19 18:02:50 goauldhost sshd[30077]: Did not receive identification string from XXX.XXX.XXX.XXX
  2048. Feb 19 18:02:50 goauldhost sshd[30078]: Connection from XXX.XXX.XXX.XXX port 49371 on 174.138.2.190 port 1234
  2049. Feb 19 18:02:50 goauldhost sshd[30078]: Did not receive identification string from XXX.XXX.XXX.XXX
  2050. Feb 19 18:02:51 goauldhost sshd[30079]: Connection from XXX.XXX.XXX.XXX port 36802 on 174.138.2.190 port 1234
  2051. Feb 19 18:02:51 goauldhost sshd[30079]: Did not receive identification string from XXX.XXX.XXX.XXX
  2052. Feb 19 18:02:51 goauldhost sshd[30080]: Connection from XXX.XXX.XXX.XXX port 50546 on 174.138.2.190 port 1234
  2053. Feb 19 18:02:51 goauldhost sshd[30080]: Did not receive identification string from XXX.XXX.XXX.XXX
  2054. Feb 19 18:02:51 goauldhost sshd[30081]: Connection from XXX.XXX.XXX.XXX port 43542 on 174.138.2.190 port 1234
  2055. Feb 19 18:02:51 goauldhost sshd[30081]: Did not receive identification string from XXX.XXX.XXX.XXX
  2056. Feb 19 18:02:51 goauldhost sshd[30082]: Connection from XXX.XXX.XXX.XXX port 56108 on 174.138.2.190 port 1234
  2057. Feb 19 18:02:51 goauldhost sshd[30082]: Did not receive identification string from XXX.XXX.XXX.XXX
  2058. Feb 19 18:02:51 goauldhost sshd[30083]: Connection from XXX.XXX.XXX.XXX port 6399 on 174.138.2.190 port 1234
  2059. Feb 19 18:02:51 goauldhost sshd[30083]: Did not receive identification string from XXX.XXX.XXX.XXX
  2060. Feb 19 18:02:51 goauldhost sshd[30084]: Connection from XXX.XXX.XXX.XXX port 55980 on 174.138.2.190 port 1234
  2061. Feb 19 18:02:51 goauldhost sshd[30084]: Did not receive identification string from XXX.XXX.XXX.XXX
  2062. Feb 19 18:02:51 goauldhost sshd[30085]: Connection from XXX.XXX.XXX.XXX port 12713 on 174.138.2.190 port 1234
  2063. Feb 19 18:02:51 goauldhost sshd[30085]: Did not receive identification string from XXX.XXX.XXX.XXX
  2064. Feb 19 18:02:51 goauldhost sshd[30086]: Connection from XXX.XXX.XXX.XXX port 5026 on 174.138.2.190 port 1234
  2065. Feb 19 18:02:51 goauldhost sshd[30086]: Did not receive identification string from XXX.XXX.XXX.XXX
  2066. ```
  2067. The server computer has logged invalid nmap connection requests. In this case, we have defined the known SSH connection port number 1234 in our 'nmap' command on the client computer (which is INPUT port at the server end, OUTPUT port at the client end).
  2068. You may check suggested countermeasures against port scanners on [Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/345114/how-to-protect-against-port-scanners/407904#407904). Does these measures interfere negatively to other network traffic in busy server environments? This depends on which ports (read: server daemon programs/services) are targets of your countermeasures.
  2069. Another 'nmap' command shows us the following:
  2070. ```
  2071. phelenius@my-machine:~$ sudo nmap 174.138.2.190 -sV
  2072. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-20 14:50 EET
  2073. Nmap scan report for 174.138.2.190
  2074. Host is up (0.33s latency).
  2075. Not shown: 998 filtered ports
  2076. PORT STATE SERVICE VERSION
  2077. 1234/tcp open ssh OpenSSH 7.6 (protocol 2.0)
  2078. 80/tcp open http
  2079. ...
  2080. ```
  2081. ... which reveals the actual service behind our new-defined port 1234/tcp to an attacker. In addition, the attacker can get more information about the server system, especially on Debian-based Linux distributions. For example:
  2082. ```
  2083. ...
  2084. PORT STATE SERVICE VERSION
  2085. 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
  2086. ...
  2087. ```
  2088. This information can be hidden by adding line _DebianBanner no_ in '/etc/ssh/sshd_config' on Debian-based Linux systems and restarting the SSH server daemon with command 'sudo systemctl restart sshd.service'
  2089. **NOTE!** Port scanning does not leave any log traces behind in Apache's access.log file ('/var/log/apache/access.log')!
  2090. Check also
  2091. - [MyPapit GNU/Linux - How to Hide OpenSSH Ubuntu version from Nmap and other scanners](https://blog.mypapit.net/2015/08/how-to-hide-openssh-ubuntu-release-from-nmap-and-other-scanners.html)
  2092. - [serverfault.com - How to hide web server name and openssh version on linux when scanning server ports?](https://serverfault.com/questions/81690/how-to-hide-web-server-name-and-openssh-version-on-linux-when-scanning-server-po/81697#81697)
  2093. - [Unix & Linux Stack Exchange - Change SSH banner which is grabbed by netcat](https://unix.stackexchange.com/questions/269024/change-ssh-banner-which-is-grabbed-by-netcat/269027#269027)
  2094. - [GitHub - metacloud/openssh - Include the Debian version in our identification](https://github.com/metacloud/openssh/blob/master/debian/patches/package-versioning.patch)
  2095. ------------------------------------------------
  2096. **EXTRA - Using Port Knocking technique against port scanning**
  2097. Nmap requests are targeted to layer 3 (Network Layer) in OSI model. Additional security measures can be taken by applying [Port Knocking login techniques](https://wiki.archlinux.org/index.php/Port_knocking) on the server computer.
  2098. **WARNING!** The following 'Knockd daemon' may break easily. Thus it can not be recommended for critical or rapidly updating server environments. For instance, dhcpcd version 7 or above breaks knockd daemon. Many users have had problems to start the daemon service during server boot-up process. Knockd assumes that you have a preconfigured network interface with established network connection (this is not 100% valid information but this is my best guess).
  2099. [DigitalOcean, "Port Knocking" - Ubuntu, knockd](https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu):
  2100. Dynamic firewall rules are manually applied to the server (iptables, for instance) or separate daemon process ([for instance, knockd](http://www.zeroflux.org/projects/knock)) is set up on the server computer. Daemon process is used to open a pre-defined port only if a client program has knocked correct server port numbers in right order and using correct protocol, either TCP or UDP, and this all has been done in predefined time limit. Additionally, limited timeout for user log-in can be set. For example, a correctly authenticated user must log in in 10 seconds ater Knock daemon has opened a SSH port for that time period. When the time limit is reached, Knock daemon closes the port for any further connection attempts unless the knock port sequence is re-applied.
  2101. Knocking technique must be configured so that firewall does not close already established connections (like SSH in our case), but refuses any further connection attempts so that the port can not be detected with nmap port scanning techniques after the time limit has been reached.
  2102. [DigitalOcean, "Port Knocking" - FWKnop - Single packet authentication](https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04):
  2103. Some more or less secure implementations for port knocking exist. Various encryption methods can be applied to the knocking technique, making it more difficult for an attacker to sniff network packets between a server and a client. One solution using encyption methods is [fwknop](http://www.cipherdyne.org/fwknop/) which uses _Single Packet Authorization_ (SPA) method instead of insecure port sequences.
  2104. More about Port Knocking technique:
  2105. - [Improved Port Knocking with Strong Authentication - Rennie deGraaf, John Aycock, and Michael Jacobson, Jr.∗ (Department of Computer Science - University of Calgary)](https://www.acsac.org/2005/papers/156.pdf)
  2106. - [OpenWRT website](https://wiki.openwrt.org/doc/howto/portknock.server)
  2107. - [portknocking.org](http://www.portknocking.org/) and practical solutions on [Implementations sub-page](http://www.portknocking.org/view/implementations)
  2108. - [Information Security Stack Exchange - Port Knocking is it a good idea?](https://security.stackexchange.com/questions/1194/port-knocking-is-it-a-good-idea/1196#1196)
  2109. **NOTE!** Port Knocking technique must not be applied to block ports of server daemon processes which are required to be always reachable from a client program (take Apache server for example). For SSH which does not require 24/7 connection, port knocking techniques can be applied more reliably. In addition to public key, password and PAM authentication methods, port knocking adds one more security layer to the stack. However, you must not apply these security countermeasures individually but use them together, instead. **The goal is to make it more difficult for an attacker to penetrate your network security.**
  2110. ------------------------------------------------
  2111. **EXTRA - ARP Scan and spoofing your MAC address**
  2112. Program [arp-scan](https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/) can be used in limited scale to scan a MAC address (OSI model layer 2, Data Link Layer) in a network.
  2113. Unique MAC address of a network interface (network card) can programmatically be spoofed with [these Arch Wiki instructions](https://wiki.archlinux.org/index.php/MAC_address_spoofing#Method_1:_systemd-networkd) or with my [Spoof MAC Address shell script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/spoof_mac_address.sh).
  2114. Sample results of ARP Scan.
  2115. BEFORE:
  2116. ```
  2117. [20/02/2018 18:52:35 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  2118. [sudo] password for fincer:
  2119. Interface: wlan0, datalink type: EN10MB (Ethernet)
  2120. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  2121. A.B.C.D f4:0e:22:ad:b8:7d (Unknown)
  2122. 1.2.3.4 18:a9:05:4b:61:58 Hewlett-Packard Company
  2123. ```
  2124. AFTER - IP-osoitteessa 1.2.3.4 olevan palvelinkoneen MAC-osoite muutettu:
  2125. ```
  2126. [20/02/2018 18:54:28 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  2127. Interface: wlan0, datalink type: EN10MB (Ethernet)
  2128. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  2129. A.B.C.D f4:0e:22:ad:b8:7d (Unknown)
  2130. 1.2.3.4 aa:0c:9a:fa:7b:d4 (Unknown)
  2131. ```
  2132. The following warning messages may be expected after spoofing a MAC address and when you establish SSH connection from a local computer to your server:
  2133. ```
  2134. Warning: Permanently added the ECDSA host key for IP address '[1.2.3.4]:22' to the list of known hosts.
  2135. ```
  2136. **f)** (optional) Allow SSH login only for users in group 'sshers'. Add your account to this group.
  2137. --------------
  2138. **Answer:**
  2139. 1. Log in to the server computer ('ssh username@server-ip -p <ssh-port>')
  2140. 2. Add group 'sshers' with GID number 876 (you don't have to define GID here)
  2141. ```
  2142. sudo groupadd -g 876 sshers
  2143. ```
  2144. 3. You can confirm existence of the created group with command 'grep sshers /etc/group'. Output:
  2145. ```
  2146. sshers:x:876:
  2147. ```
  2148. 4. Add the current user (read: yourself) _newuser_ into this group
  2149. ```
  2150. sudo usermod -aG sshers newuser
  2151. ```
  2152. 5. Command 'grep sshers /etc/group' output now:
  2153. ```
  2154. sshers:x:876:newuser
  2155. ```
  2156. You can alternatively check groups of _newuser_ by executing command 'groups' while being that user:
  2157. ```
  2158. [27/02/2018 10:39:58 - newuser@goauldhost: ~ ]$ groups
  2159. sshers newuser sudo
  2160. ```
  2161. or using command 'sudo -u newuser groups" as any system user who can execute commands with sudo.
  2162. **NOTE!** _groups_ -komento antaa oikean stdout:n (outputin) vasta uudelleenkirjautumisen jälkeen.
  2163. command 'groups' gives correct output only after re-login.
  2164. 6. Allow SSH login only to members of the group 'sshers'.
  2165. Manual page of 'sshd_config' ('man sshd_config') describes 'AllowGroups' option as follows:
  2166. > AllowGroups
  2167. > This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
  2168. Let's apply the following information into SSH server daemon configuration file '/etc/ssh/sshd_config':
  2169. ```
  2170. PermitRootLogin no
  2171. AllowGroups sshers
  2172. ```
  2173. And comment out the following lines (be careful here!):
  2174. ```
  2175. # DenyUsers <user accounts>
  2176. # AllowUsers <user accounts>
  2177. # DenyGroups <group names>
  2178. ```
  2179. If those lines are not defined in the configuration file, it is OK.
  2180. You can add multiple groups and users after those keywords, as you like.
  2181. For additional security, the following options can be applied as well (into '/etc/ssh/sshd_config' file), depending on your requests for SSH authentication policy:
  2182. ```
  2183. IgnoreRhosts yes
  2184. PermitEmptyPasswords no
  2185. ChallengeResponseAuthentication yes
  2186. UsePAM yes
  2187. MaxAuthTries 3
  2188. ```
  2189. etc. More options and configurations can be found with commands 'man sshd_config' and 'man sshd'
  2190. 7. Let's save this configuration and restart SSH server daemon by applying command 'sudo systemctl restart sshd.service' (NOTE! Disconnects already-established SSH connections!)
  2191. 8. Test SSH login with a client computer using remote user _newuser_ (belonging to the remote group 'sshers'). Command syntax is: 'ssh newuser@server-ip -p <server-port>'
  2192. **g)** (optional) Attach a remote network directory with sshfs.
  2193. --------------
  2194. **Answer:**
  2195. SSHFS stands for SSH File System. Corresponding program 'sshfs' has been developed to attach SSH server file systems (folders/files) remotely on a client computer so that all attached file systems can locally be browsed on the client computer. SSHFS uses encrypted SFTP protocol (SSH/Secure File Transfer Protocol) for file tranfers.
  2196. 1. Install 'sshfs' with command sequence 'sudo apt-get update && sudo apt-get -y install sshfs' on a Debian-based Linux system.
  2197. 2. Mount remote folder '/home/newuser/public_html/' (server), to path '/home/<current-user>/public_html_ssh_remote' on your client computer.
  2198. ```
  2199. mkdir $HOME/public_html_ssh_remote && sshfs newuser@174.138.2.190:./public_html $HOME/public_html_ssh_remote -p <ssh-portti>
  2200. ```
  2201. **NOTE!** If you use public key SSH authentication method, you are not asked for any password.
  2202. 3. Check that you have successfully mounted your remote server folder '/home/newuser/public_html' to the client computer (command 'ls ~/public_html_ssh_remote/'). Output should be as follows:
  2203. ```
  2204. index.html
  2205. ```
  2206. Additionally, check output of command 'mount | grep public_html_ssh_remote':
  2207. ```
  2208. newuser@174.138.2.190:./public_html on /home/phelenius/public_html_ssh_remote type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
  2209. ```
  2210. 4. Unmount the remote folder by issuing command 'sudo umount /home/phelenius/public_html_ssh_remote'. On the client end, 'ls' command should have empty output for directory 'public_html_ssh_remote'.
  2211. Executable root binary file (sbin) is _/usr/sbin/sshd_ with command parameter _-D_ (Process Identifier/Process ID/PID is 1534).
  2212. **NOTE!** The following is stated about _-D_ parameter in sshd manual:
  2213. ```
  2214. phelenius@my-machine:~$ man sshd | grep -E "\-D" -C1
  2215. -D When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.
  2216. ```
  2217. _-D_ parameter definition by [SSH Communications Security](https://www.ssh.com/ssh/sshd/):
  2218. > -D Do not detach and become daemon. This is often used when sshd is run using systemd. This allows easier monitoring of the process in such environments. Without this option, the SSH server forks and detaches from terminal, making itself a background daemon process. The latter has been the traditional way to run the SSH server until recently. Many embedded systems would still use the latter.
  2219. About relevance of the _-D_ parameter has been discussed, for example, on [superuser.com (Differences between ssh -L to -D](https://superuser.com/questions/408031/differences-between-ssh-l-to-d).
  2220. **b)** Establish a firewall protection to the server computer (Note: allow SSH traffic before that)
  2221. --------------
  2222. **Answer:**
  2223. The firewall protection is done by using Linux kernel ip_table module(s). Firewall rules can be modified in User Space with the corresponding iptables command or with the simplified Python 3 based program/script 'Uncomplicated Firewall' (ufw). Other firewall solutions also exists on Linux, please see title 'Other firewall solutions' below.
  2224. We can check which loadable kernel modules have been enabled in Linux kernel with the kernel-related lsmod command.
  2225. ```
  2226. phelenius@my-machine:~$ man lsmod | sed -n '/NAME/{n;p}' | sed 's/\s*//'
  2227. lsmod - Show the status of modules in the Linux Kernel
  2228. ...
  2229. phelenius@my-machine:~$ lsmod |grep filter
  2230. ip6table_filter 16384 1
  2231. ip6_tables 28672 1 ip6table_filter
  2232. iptable_filter 16384 1
  2233. ip_tables 24576 1 iptable_filter
  2234. x_tables 36864 14 ip6table_filter,xt_hl,xt_recent,ip_tables,xt_tcpudp,xt_limit,xt_conntrack,xt_LOG,iptable_filter,ip6t_rt,ipt_REJECT,ip6_tables,xt_addrtype,ip6t_REJECT
  2235. ```
  2236. Source codes of these modules can be found on git.kernel.org: [ipv6 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter), [ipv6 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter.c), [ipv4 netfilter](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter), [ipv4 netfilter core](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter.c)
  2237. By default, Uncomplicated Firewall (ufw) is usually pre-installed on many Linux distributions, including Debian-based systems. Let's confirm that:
  2238. ```
  2239. phelenius@my-machine:~$ if [[ $(dpkg --get-selections |grep ufw | awk '{print $1}' | wc -l) -eq 0 ]]; then sudo apt-get update && sudo apt-get -y install ufw && echo "REPLY: UFW is installed now"; else echo "REPLY: UFW has already been installed"; fi
  2240. REPLY: UFW has already been installed
  2241. ```
  2242. Therefore ufw firewall is installed. Otherwise it would be installed on the system with _apt-get install_ command.
  2243. By default, the Linux firewall blocks SSH input traffic (default port 22). This input port can be opened by applying the following ufw command:
  2244. ```
  2245. phelenius@my-machine:~$ sudo ufw allow 22/tcp
  2246. ```
  2247. or with the command (however, not specific port number is defined here):
  2248. ```
  2249. phelenius@my-machine:~$ sudo ufw allow ssh
  2250. ```
  2251. Afterwards, UFW can be re-enabled with the following command:
  2252. ```
  2253. phelenius@my-machine:~$ sudo ufw enable
  2254. Command may disrupt existing ssh connections. Proceed with operation (y|n)?
  2255. ```
  2256. Your answer should be 'y' (yes). The firewall does not close (possibly already established) SSH connection because we have opened port 22 TCP input traffic. We get a notification, stating:
  2257. ```
  2258. Firewall is active and enabled on system startup
  2259. ```
  2260. The message is bit unclear, because according to some testing, the ufw firewall may still not be enabled on system boot. Automated start of ufw during system boot can foolproofly be enabled with:
  2261. ```
  2262. phelenius@my-machine:~$ sudo systemctl enable ufw.service
  2263. Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service -> /usr/lib/systemd/system/ufw.service.
  2264. ```
  2265. Alternatively, the following message may appear:
  2266. ```
  2267. Synchronizing state of ufw.service with SysV init with /lib/systemd/systemd-sysv-install...
  2268. Executing /lib/systemd/systemd-sysv-install enable ufw
  2269. ```
  2270. **iptables:**
  2271. 1. Remove ufw from the Linux system, and remove all relevant ufw entries from iptables firewall rule list.
  2272. **NOTE!** Warning: (May) delete other important iptables rules configured by system administration!
  2273. **NOTE!** Be sure that you have direct access (local terminal, without network) to the target machine in a case of failure. Otherwise you may lock yourself out from the server.
  2274. ```
  2275. sudo systemctl stop ufw.service && sudo systemctl disable ufw.service
  2276. sudo apt-get purge --remove ufw
  2277. sudo iptables --flush && sudo iptables --delete-chains
  2278. ```
  2279. 2. Confirm deletion of ufw entries from iptables firewall rule list with
  2280. ```
  2281. sudo iptables -S
  2282. ```
  2283. Output should be:
  2284. ```
  2285. -P INPUT ACCEPT
  2286. -P FORWARD ACCEPT
  2287. -P OUTPUT ACCEPT
  2288. ```
  2289. 3. Add new firewall rules to iptables and keep already established connections open:
  2290. ```
  2291. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  2292. ```
  2293. 4. Drop all connections, excluding already established connections like SSH:
  2294. ```
  2295. sudo iptables -A INPUT -j DROP
  2296. sudo iptables -A FORWARD -j DROP
  2297. ```
  2298. 5. Allow SSH traffic (port number: 22, protocol: tcp, etc.):
  2299. ```
  2300. sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
  2301. ```
  2302. **NOTE!** This applies only to IPv4 connections. For IPv6, check [iptables6](https://www.linux.com/learn/intro-to-linux/2017/8/iptables-rules-ipv6).
  2303. **NOTE!** The forementioned command can be written so that connections only from a single IP is allowed, by using eth0 network interface. For example:
  2304. ```
  2305. sudo iptables -I INPUT -p tcp -i eth0 -s 231.123.24.24 --dport 22 -j ACCEPT
  2306. ```
  2307. **NOTE:** Be sure you have enabled 'net.ifnames=0' in your udev rules to get network interface names like 'eth0', 'wlan0' etc.!
  2308. More about setting iptables firewall rules, take a look on [DigitalOcean website](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) and [iptables - Append vs. Insert - website](https://serverfault.com/questions/472258/difference-between-iptables-a-and-i-option), for example.
  2309. 6. Confirm proper iptables firewall rules with 'sudo iptables -S' command:
  2310. ```
  2311. -P INPUT ACCEPT
  2312. -P FORWARD ACCEPT
  2313. -P OUTPUT ACCEPT
  2314. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  2315. -A INPUT -j DROP
  2316. -A FORWARD -j DROP
  2317. -I INPUT -p tcp --dport 22 -j ACCEPT
  2318. ```
  2319. 7. Save the rules so that they won't be lost after rebooting:
  2320. ```
  2321. sudo iptables-save | sudo tee /etc/iptables/iptables.save > /dev/null
  2322. cat /etc/iptables/iptables.save
  2323. ```
  2324. 8. Apply and enable the rules. You can restart iptables service (Packet Filtering Framework) if you prefer to do so:
  2325. ```
  2326. sudo iptables-restore && sudo systemctl restart iptables.service
  2327. ```
  2328. 9. Confirm the current iptables firewall rules with the command 'sudo iptables -S'.
  2329. More about iptables:
  2330. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, SSH service](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#service-ssh)
  2331. - [DigitalOcean - Iptables Essentials: Common Firewall Rules and Commands, Saving rules](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#saving-rules).
  2332. - [The Geek Stuff - 25 Most Frequently Used Linux IPTables Rules Examples](https://www.thegeekstuff.com/2011/06/iptables-rules-examples)
  2333. **Other firewall solutions:**
  2334. In addition to ufw, other iptables-based firewall solutions have been developed on Linux. Take a look on [Firestarter](http://www.fs-security.com/), [Firewalld](https://fedoraproject.org/wiki/Firewalld?rd=FirewallD), [PeerGuardian](https://sourceforge.net/projects/peerguardian/?source=navbar), [FWBuilder](http://www.fwbuilder.org/), etc.
  2335. ------------------------------------------------
  2336. **EXTRA - root account: more restrictions**
  2337. In addition to previous root restrictions, the following extra restrictions were applied, too:
  2338. - root default shell were changed to _/sbin/nologin_ in file _/etc/passwd_
  2339. - root account were locked by applying command _sudo usermod root --lock_ (this was done already, it sets up an exclamation mark prefix to the root account password in file _/etc/shadow_
  2340. - root access removal of TTY sessions by commenting out relevant lines in file _/etc/securetty_
  2341. - SSH: setting _PermitRootLogin no_ were applied in SSH server configuration file _/etc/ssh/sshd_config_
  2342. PAM configuration files (Pluggable Authentitation Modules) were not altered in _/etc/pam.d/_ although security can be improved by applying some special system-spefific authentication rules there. PAM rules can restrict root permissions as well, including executable daemon processes and commands (i.e. you can restrict even root execution rights in the target system, in contradiction what is usually told for new Linux users that "root can do anything". With PAM, you can restrict that "anything" privilege.)
  2343. Reference: [Red Hat - 4.4.2. Disallowing Root Access](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html)
  2344. **c)** Transfer files using SSH protocol
  2345. --------------
  2346. **Answer:**
  2347. Let's use [Secure Copy (scp)](https://en.wikipedia.org/wiki/Secure_copy) command for file transfers.
  2348. The assignment has been done in the following command sequence. The following steps are executed:
  2349. 1. Create new subdirectory _httpd_ into the current user's home directory on the local computer
  2350. 2. Download related control, description and patch files of debian package of Apache web server, version _2.4.18-2ubuntu3.5_ from archive.ubuntu.com ([packages.ubuntu.com](https://packages.ubuntu.com/xenial/apache2)). Target directory for the download is the recently created subdirectory _httpd_
  2351. 3. Extract the downloaded archive files into $HOME/httpd. Subdirectory _debian_ will be created in _httpd_ directory.
  2352. 4. Establish a new SSH connection to the server computer with server user _newuser_, use port 1234 and create directory _$HOME/patches_ for this user.
  2353. 5. Transfer all local files (and directories) which 1) start with any character 2) end with suffix _diff_ and _patch_ 3) locate at the current user's _./httpd/debian/patches/_ subdirectory
  2354. to the directory _$HOME/patches_ located at the server computer (where $HOME=/home/newuser/). SSH connection port is 1234. Use command scp.
  2355. For more information about patches, check [1](https://stackoverflow.com/questions/987372/what-is-the-format-of-a-patch-file), [2](https://www.thegeekstuff.com/2014/12/patch-command-examples))
  2356. 6. List contents of the remote subdirectory _$HOME/patches_ with SSH connection, use port 1234..
  2357. 7. Delete current user's local subdirectory _httpd_ and its contents. _-R_ or _-r_ stands for recursive deletion, _-f_ stands for forceful removal. Remote files in the server computer's directory _/home/newuser/patches/_ will be kept intact.
  2358. ```
  2359. [20/02/2018 13:24:40 - fincer: ~ ]$ mkdir httpd
  2360. [20/02/2018 13:24:54 - fincer: ~ ]$ wget http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz -P httpd
  2361. --2018-02-20 13:25:13-- http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.18-2ubuntu3.5.debian.tar.xz
  2362. Resolving archive.ubuntu.com... 2001:67c:1560:8001::11, 2001:67c:1360:8001::17, 2001:67c:1560:8001::14, ...
  2363. Connecting to archive.ubuntu.com|2001:67c:1560:8001::11|:80... connected.
  2364. HTTP request sent, awaiting response... 200 OK
  2365. Length: 387448 (378K) [application/x-xz]
  2366. Saving to: ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’
  2367. apache2_2.4.18-2ubuntu3.5.debian.tar.xz 100%[==================================================================================>] 378.37K 450KB/s in 0.8s
  2368. 2018-02-20 13:25:15 (450 KB/s) - ‘httpd/apache2_2.4.18-2ubuntu3.5.debian.tar.xz’ saved [387448/387448]
  2369. [20/02/2018 13:25:15 - fincer: ~ ]$ tar xf apache2_2.4.18-2ubuntu3.5.debian.tar.xz -C httpd
  2370. [20/02/2018 13:25:35 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 mkdir patches
  2371. newuser@174.138.2.190's password:
  2372. [20/02/2018 13:26:12 - fincer: ~ ]$ scp -P 1234 ./httpd/debian/patches/*.{diff,patch} newuser@174.138.2.190:./patches/
  2373. newuser@174.138.2.190's password:
  2374. hostnames_with_underscores.diff 100% 479 114.6KB/s 00:00
  2375. reproducible_builds.diff 100% 1710 427.2KB/s 00:00
  2376. build_suexec-custom.patch 100% 1981 473.6KB/s 00:00
  2377. customize_apxs.patch 100% 9316 888.9KB/s 00:00
  2378. CVE-2016-0736.patch 100% 12KB 867.4KB/s 00:00
  2379. CVE-2016-2161.patch 100% 4787 493.1KB/s 00:00
  2380. CVE-2016-5387.patch 100% 666 287.9KB/s 00:00
  2381. CVE-2016-8743.patch 100% 80KB 1.0MB/s 00:00
  2382. CVE-2017-3167.patch 100% 8922 698.9KB/s 00:00
  2383. CVE-2017-3169.patch 100% 4663 458.1KB/s 00:00
  2384. CVE-2017-7668.patch 100% 1746 482.5KB/s 00:00
  2385. CVE-2017-7679.patch 100% 1925 527.4KB/s 00:00
  2386. CVE-2017-9788.patch 100% 2252 582.1KB/s 00:00
  2387. CVE-2017-9798.patch 100% 1172 381.3KB/s 00:00
  2388. fhs_compliance.patch 100% 2541 635.6KB/s 00:00
  2389. no_LD_LIBRARY_PATH.patch 100% 444 199.8KB/s 00:00
  2390. prefork_single_process_crash.patch 100% 773 359.0KB/s 00:00
  2391. suexec-custom.patch 100% 5785 792.4KB/s 00:00
  2392. suexec-CVE-2007-1742.patch 100% 2356 589.3KB/s 00:00
  2393. suexec_is_shared.patch 100% 622 194.1KB/s 00:00
  2394. [20/02/2018 13:28:03 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p 1234 ls -l ./patches
  2395. newuser@174.138.2.190's password:
  2396. total 196
  2397. -rw-r--r-- 1 newuser newuser 12446 Feb 20 11:38 CVE-2016-0736.patch
  2398. -rw-r--r-- 1 newuser newuser 4787 Feb 20 11:38 CVE-2016-2161.patch
  2399. -rw-r--r-- 1 newuser newuser 666 Feb 20 11:38 CVE-2016-5387.patch
  2400. -rw-r--r-- 1 newuser newuser 81900 Feb 20 11:38 CVE-2016-8743.patch
  2401. -rw-r--r-- 1 newuser newuser 8922 Feb 20 11:38 CVE-2017-3167.patch
  2402. -rw-r--r-- 1 newuser newuser 4663 Feb 20 11:38 CVE-2017-3169.patch
  2403. -rw-r--r-- 1 newuser newuser 1746 Feb 20 11:38 CVE-2017-7668.patch
  2404. -rw-r--r-- 1 newuser newuser 1925 Feb 20 11:38 CVE-2017-7679.patch
  2405. -rw-r--r-- 1 newuser newuser 2252 Feb 20 11:38 CVE-2017-9788.patch
  2406. -rw-r--r-- 1 newuser newuser 1172 Feb 20 11:38 CVE-2017-9798.patch
  2407. -rw-r--r-- 1 newuser newuser 1981 Feb 20 11:38 build_suexec-custom.patch
  2408. -rw-r--r-- 1 newuser newuser 9316 Feb 20 11:38 customize_apxs.patch
  2409. -rw-r--r-- 1 newuser newuser 2541 Feb 20 11:38 fhs_compliance.patch
  2410. -rw-r--r-- 1 newuser newuser 479 Feb 20 11:38 hostnames_with_underscores.diff
  2411. -rw-r--r-- 1 newuser newuser 444 Feb 20 11:38 no_LD_LIBRARY_PATH.patch
  2412. -rw-r--r-- 1 newuser newuser 773 Feb 20 11:38 prefork_single_process_crash.patch
  2413. -rw-r--r-- 1 newuser newuser 1710 Feb 20 11:38 reproducible_builds.diff
  2414. -rw-r--r-- 1 newuser newuser 2356 Feb 20 11:38 suexec-CVE-2007-1742.patch
  2415. -rw-r--r-- 1 newuser newuser 5785 Feb 20 11:38 suexec-custom.patch
  2416. -rw-r--r-- 1 newuser newuser 622 Feb 20 11:38 suexec_is_shared.patch
  2417. [20/02/2018 13:32:01 - fincer: ~ ]$ rm -Rf httpd
  2418. ```
  2419. **d)** Automate SSH login with public key method
  2420. --------------
  2421. **Answer:**
  2422. 1. Let's generate a key pair on the client computer with a user who is wanted to have the public key authentication method for SSH connections. Both private and public keys are generated with 'ssh-keygen' command. Accept the default settings unless you have any requirements to customize them.
  2423. 2. Copy the _public_ key to the server computer with your SSH client using command 'ssh-copy-id -i $HOME/.ssh/id_rsa.pub username@server-ip-or-name'. The command copies your public key to the subdirectory *.ssh/authorized_keys* located at the server computer.
  2424. **NOTE!** Copy public key only, do **NOT** copy the private key!
  2425. More about the topic:
  2426. [ssh.com - Key Pair - Public and Private](https://www.ssh.com/ssh/public-key-authentication#sec-Key-Pair-Public-and-Private)
  2427. 3. Let confirm that SSH server daemon configuration file (_/etc/ssh/sshd_config_ by default) has the following settings in place (either use 'sudo nano _/etc/ssh/sshd_config_' or 'sudoedit _/etc/ssh/sshd_config_'):
  2428. ```
  2429. AuthenticationMethods publickey
  2430. PubkeyAuthentication yes
  2431. AuthorizedKeysFile .ssh/authorized_keys
  2432. ```
  2433. **Extra hint 1:** SSH client settings are generally defined in _/etc/ssh/ssh_config_
  2434. **Extra hint 2:** You can use ssh command with _-v_ parameter to gain more information about used authentication methods in unclear cases or for debugging purposes. The _-v_ parameter is defined as follows:
  2435. > -v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity. The maximum is 3.
  2436. 4. We shall restart server SSH daemon with _sudo systemctl restart sshd.service_ command (note! this interrupts any existing & opened SSH connections)
  2437. 5. We shall test public key authentication from the client computer. Use same user account which you previously used for executing _ssh-keygen_ command on the client computer. The client computer user should be able to login into SSH server without a password.
  2438. **EXTRA: Modifying welcome banner**
  2439. Let's modify default Ubuntu login/SSH banner message by executing the following bash script:
  2440. ```
  2441. #!/bin/bash
  2442. # Modify SSH login banner message
  2443. ## 00-header file:
  2444. #
  2445. sudo sed -i 's?printf "Welcome to %s (%s %s %s)\\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"?printf "Welcome to %s\\nUptime:
  2446. %s\\n\\n" "Server Computer" "$(uptime)"?' /etc/update-motd.d/00-header
  2447. ## File extensions of the following files will be modified
  2448. ## We could also remove these files with 'sudo rm <file>'
  2449. #
  2450. FILES=( 10-help-text 51-cloudguest 90-updates-available 91-release-upgrade )
  2451. cd /etc/update-motd.d/
  2452. for file in ${FILES[@]}; do sudo mv $file $file.old; done
  2453. cd
  2454. ```
  2455. **NOTE:** Location of the banner file varies between different Linux distributions. For instance, Arch Linux uses banner file _/etc_motd_.
  2456. **j)** Install, configure and start sysstat. Use sar command to confirm whether the sysstat package services have been enabled (for instance, log entry "Linux reboot..." exists). Run sysstat a day or two. Afterwards, check computer workload history with sysstat commands sar, iostat, pidstat etc. Analyze the results, i.e. explain the results in detail.
  2457. --------------
  2458. **Answer:**
  2459. 1. We shall connect to the server computer (running Ubuntu) and then install the required package with command sequence 'sudo apt-get update && sudo apt-get install -y install sysstat'
  2460. 2. Run [shell-based sysstat script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/sysstat_command.sh) which runs sar and pidstat commands two days with 20 second intervals.
  2461. **NOTE!** The script could have been opmitized more for the real requirements for the server environment (statistics interval, collection period, etc.)
  2462. 3. The script described in step 2 has generated sar analytics file 'sar-stats_2018-02-24_2018-02-26.file' into path '/home/newuser/sar_statistics/' on the server computer.
  2463. Time period: 24. - 26.02.2018
  2464. The following sums up some command samples which can be applied to the analytics file.
  2465. | File | Description |
  2466. |------------------------------------|-------------------------------------------------|
  2467. | sar -u -f <analytics-file> | Processor workload statistics |
  2468. | sar -v -f <analytics-file> | Inode and file statistics |
  2469. | sar -r -f <analytics-file> | Memory consumption statistics |
  2470. | sar -n DEV -f <analytics-file> | Network stats: devices |
  2471. | sar -n EDEV -f <analytics-file> | Network stats: errors in devices |
  2472. | sar -n IP -f <analytics-file> | Network stats: IPv4 traffic |
  2473. | sar -n EIP -f <analytics-file> | Network stats: errors in IPv4 traffic |
  2474. | sar -n IP6 -f <analytics-file> | Network stats: IPv6 traffic |
  2475. | sar -n EIP6 -f <analytics-file> | Network stats: errors in IPv6 traffic |
  2476. | sar -n SOCK -f <analytics-file> | Network stats: IPv4 socket |
  2477. | sar -n SOCK6 -f <analytics-file> | Network stats: IPv6 socket |
  2478. | sar -n TCP -f <analytics-file> | Network stats: TCPv4 protocol traffic |
  2479. | sar -n ETCP -f <analytics-file> | Network stats: errors in TCPv4 protocol traffic |
  2480. | sar -S -f <analytics-file> | Swap memory consumption |
  2481. | sar -w -f <analytics-file> | Process statistics |
  2482. | sar -F MOUNT / -f <analytics-file> | File system which is mounted at / |
  2483. Statistics can be combined etc, as you can find out with 'man sar' command:
  2484. ```
  2485. sar -u 2 5
  2486. Report CPU utilization for each 2 seconds. 5 lines are displayed.
  2487. sar -I 14 -o int14.file 2 10
  2488. Report statistics on IRQ 14 for each 2 seconds. 10 lines are displayed. Data are stored in a file called int14.file.
  2489. sar -r -n DEV -f /var/log/sysstat/sa16
  2490. Display memory and network statistics saved in daily data file 'sa16'.
  2491. sar -A
  2492. Display all the statistics saved in current daily data file.
  2493. ```
  2494. Or [The Geek Stuff - 10 Useful Sar (Sysstat) Examples for UNIX / Linux Performance Monitoring](https://www.thegeekstuff.com/2011/03/sar-examples/?utm_source=feedburner)
  2495. What are inode and swap? Check
  2496. - [inode - 1](https://www.cyberciti.biz/tips/understanding-unixlinux-filesystem-inodes.html)
  2497. - [inode - 2](https://unix.stackexchange.com/questions/117093/find-where-inodes-are-being-used)
  2498. - [Swap](https://wiki.archlinux.org/index.php/swap).
  2499. Additionally, the following pidstat files were generated:
  2500. | File | Description |
  2501. |----------------------------|------------------------------------|
  2502. | pidstat_stats_cpu-tasks | Processor workload statistics |
  2503. | pidstat_stats_io | I/O statistics |
  2504. | pidstat_stats_kerneltables | Statistics of Linux kernel tables |
  2505. | pidstat_stats_pagefaults | Page fault statistics |
  2506. | pidstat_stats_stacks | Process stack statistics |
  2507. (Check. [Stacks](https://stackoverflow.com/questions/8905271/what-is-the-linux-stack), [Page fault](https://en.wikipedia.org/wiki/Page_fault))
  2508. Additionally, iostat command was run on the background.
  2509. 4. Let's take a closer look on two sar analytics files and I/O statistics file. The following commands open analytics files in more detailed view.
  2510. ------------------------------------------------
  2511. **SAR network statistics - IPv4 traffic**
  2512. **command: sar -n IP -f sar-stats_2018-02-24_2018-02-26.file**
  2513. ![sar-stats-ipv4](https://raw.githubusercontent.com/Fincer-altego/basics-of-a-linux-server-school-course-/master/sar-stats_ipv4.png)
  2514. **Observation period:** 24.-26.02.2018
  2515. | Field | Description | Average |
  2516. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
  2517. | Left column | Record time | |
  2518. | irec/s | The total number of input datagrams received from interfaces per second, including those received in error. | 1.33 |
  2519. | fwddgm/s | The number of input datagrams per second, for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. | 0.00 |
  2520. | idel/s | The total number of input datagrams,successfully,delivered,per,second,to,IP user-protocols (including ICMP). | 1.30 |
  2521. | orq/s | The total number of IP datagrams which local IP user-protocols (including ICMP) supplied per second to IP in requests for,transmission. Note that this,counter,does,not include any datagrams counted in fwddgm/s. | 1.45 |
  2522. | asmrq/s | The number of IP fragments received per second which needed to be reassembled at this entity. | 0.00 |
  2523. | asmok/s | The number of IP datagrams successfully re-assembled per second. | 0.00 |
  2524. | fragok/s | The number of IP datagrams that,have,been,successfully fragmented at this entity per second. | 0.00 |
  2525. | fragcrt/s | The number of IP datagram fragments that have been generated per second as a result of fragmentation at this entity. | 0.00 |
  2526. **NOTE!** Descriptions are provided in sysstat package (manpages).
  2527. **ANALYSIS - IPV4**
  2528. The server computer has not forwarded a single datagram in the observation period. Input network traffic has been received which can be concluded by observing _irec/s_, _idel/s_ and _orq/s_ field values. The current workload of the server computer is very low, including only HTTP daemon (Apache web server) and SSH server daemon. No webpages are available on the server which could increase input HTTP/HTTPS protocol based traffic. HTTPS was not enabled in the server computer.
  2529. By default, the server computer allows 128 simultaneous input network connections (command 'cat /proc/sys/net/core/somaxconn'. NOTE!: The value can be changed by issuing 'echo 1024 | sudo tee /proc/sys/net/core/somaxconn', for example).
  2530. MTU value of the web server computer for network interface eth0 was 1500 (you can check it with 'ifconfig' command). MTU stands for 'Maximum Transmission Unit' which determines the highest PDU unit ([Protocol Data Unit](https://en.wikipedia.org/wiki/Protocol_data_unit)) that can be transferred over the network at once.
  2531. Check also
  2532. - [MTU - hyperlink 1](http://www.tcpipguide.com/free/t_IPDatagramSizeMaximumTransmissionUnitMTUFragmentat.htm)
  2533. - [MTU - hyperlink 2](https://en.wikipedia.org/wiki/Maximum_transmission_unit)
  2534. - [Stack Overflow - What's the practical limit on the size of single packet transmitted over domain socket?](https://stackoverflow.com/questions/21856517/whats-the-practical-limit-on-the-size-of-single-packet-transmitted-over-domain)
  2535. - [Stack Overflow - What is the default size of datagram queue length in Unix Domain Sockets (AF_UNIX)? Is it configurable?](https://stackoverflow.com/questions/21448960/what-is-the-default-size-of-datagram-queue-length-in-unix-domain-sockets-af-uni)
  2536. - [IP fragmentation](https://en.wikipedia.org/wiki/IP_fragmentation)
  2537. - Related article: [Linux Tune Network Stack (Buffers Size) To Increase Networking Performance](https://www.cyberciti.biz/faq/linux-tcp-tuning/)
  2538. **NOTE!** About datagrams, [quoted from Wikipedia](https://en.wikipedia.org/wiki/Datagram#Internet_Protocol):
  2539. > The term datagram is often considered synonymous to packet but there are some nuances. The term datagram is generally reserved for packets of an unreliable service, which cannot notify the sender if delivery fails, while the term packet applies to any packet, reliable or not. Datagrams are the IP packets that provide a quick and unreliable service like UDP, and all IP packets are datagrams; however, at the TCP layer, what is termed a TCP segment is the sometimes necessary IP fragmentation of a datagram, but those are referred to as "packets".
  2540. ------------------------------------------------
  2541. **SAR - memory consumption statistics - RAM & SWAP**
  2542. **command: sar -r -f sar-stats_2018-02-24_2018-02-26.file**
  2543. **command: sar -S -f sar-stats_2018-02-24_2018-02-26.file**
  2544. ![sar-stats-memusage](https://raw.githubusercontent.com/Fincer-altego/basics-of-a-linux-server-school-course-/master/sar-stats_memusage.png)
  2545. **Observation period:** 24.-26.02.2018
  2546. NOTE! Average values are not visible in the attached picture!
  2547. | Field | Description | Average |
  2548. |-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
  2549. | Left column | Record time | |
  2550. | kbmemfree | Amount of free memory available in kilobytes. | 87631 KB (~ 87 MB) |
  2551. | kbmemused | Amount,of,used,memory in kilobytes. This does not take into account memory used by the kernel itself. | 928 457 KB (~ 928 MB) |
  2552. | %memused | Percentage of used memory. | 91.38 % |
  2553. | kbbuffers | Amount of memory used as buffers by the kernel in kilobytes. | 77 746 KB (~ 77 MB) |
  2554. | kbcached | Amount of memory used to cache data by the kernel in kilobytes. | 644 777 KB (~ 644 MB) |
  2555. | kbcommit | Amount of memory in kilobytes needed for current workload. This is an estimate of how much RAM/swap is needed to guarantee that there never is out of memory. | 470 619 KB (~ 470 MB) |
  2556. | %commit | Percentage of memory needed for current workload in relation to the total amount of memory (RAM+swap).,This number may be greater than 100% because the,kernel,usually overcommits memory. | 46.32 % |
  2557. | kbactive | Amount of active memory in kilobytes (memory that has been used more recently and usually not reclaimed unless absolutely necessary). | 468 703 KB (~ 468 MB) |
  2558. | kbinact | Amount of inactive memory in kilobytes (memory which has been less recently used. It is more eligible to be reclaimed for other purposes). | 301 098 KB (~ 301 MB) |
  2559. | kbdirty | Amount of memory in kilobytes waiting to get written back to the disk. | 254 KB (0.254 MB) |
  2560. **NOTE!** Descriptions are provided in sysstat package (manpages).
  2561. **ANALYSIS - MEMORY STATISTICS**
  2562. The target server memory size:
  2563. ```
  2564. [newuser@goauldhost: ~ ]$ cat /proc/meminfo | grep -i memtotal
  2565. MemTotal: 1016088 kB
  2566. ```
  2567. i.e. approximately ~ 1016 MB.
  2568. Great part of this memory were in use during the observation period. There were multiple active processes running on the server computer during the period, thus increased workload was intended and meant for statistics collection.
  2569. The web server didn't have Swap partition or Swap file. This can be found out by
  2570. - executing command 'for i in "cat /etc/fstab" "sudo fdisk -l"; do $i | grep -i swap; echo $?; done' which returns value 1 two times (meaning returning of 'false' boolean value to shell two separate times)
  2571. - Or, for example:
  2572. ```
  2573. [newuser@goauldhost: ~ ]$ cat /etc/fstab
  2574. LABEL=cloudimg-rootfs / ext4 defaults 0 0
  2575. LABEL=UEFI /boot/efi vfat defaults 0 0
  2576. [newuser@goauldhost: ~ ]$ sudo fdisk -l
  2577. [sudo] password for newuser:
  2578. Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors
  2579. Units: sectors of 1 * 512 = 512 bytes
  2580. Sector size (logical/physical): 512 bytes / 512 bytes
  2581. I/O size (minimum/optimal): 512 bytes / 512 bytes
  2582. Disklabel type: gpt
  2583. Disk identifier: 39DFE5D0-C8FB-44D8-93F8-EBB37A54BDF8
  2584. Device Start End Sectors Size Type
  2585. /dev/vda1 227328 52428766 52201439 24.9G Linux filesystem
  2586. /dev/vda14 2048 10239 8192 4M BIOS boot
  2587. /dev/vda15 10240 227327 217088 106M Microsoft basic data
  2588. ```
  2589. It may not be wise to collect Swap statistics (although Linux kernel [Swappiness value](https://en.wikipedia.org/wiki/Swappiness) has default value 60 defined in file '/proc/sys/vm/swappiness' in DigitalOcean virtual servers).
  2590. ------------------------------------------------
  2591. **I/O statistics**
  2592. ![sar-iostat](https://raw.githubusercontent.com/Fincer-altego/basics-of-a-linux-server-school-course-/master/sar-iostats.png)
  2593. Main command: iostat -dmtx 20
  2594. -d Display the device utilization report.
  2595. -m Display statistics in megabytes per second.
  2596. -t Print the time for each report displayed.
  2597. -x Display extended statistics.
  2598. 20 20 sec interval.
  2599. | Field | Description |
  2600. |--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
  2601. | Device | Device or partition defined in system directory '/dev'. |
  2602. | rrqm/s | The number of read requests merged per second that were queued to the device. |
  2603. | wrqm/s | The percentage of write requests merged together before being sent to the device. |
  2604. | r/s | The number (after merges) of read requests completed per second for the device. |
  2605. | w/s | The number (after merges) of write requests completed per second for the device. |
  2606. | rMB/s | The number of sectors (KB, MB) read from the device per second. |
  2607. | wMB/s | The number of sectors (KB, MB) write from the device per second. |
  2608. | avgrq-sz (areq-sz) | The average size (in kilobytes) of the I/O requests,that were issued to the device. |
  2609. | avgqu-sz (aqu-sz) | The average queue length of the requests that were issued to the device. |
  2610. | await | The average time (ms) for I/O requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  2611. | r_await | The average time (ms) for read requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  2612. | w_await | The average time (ms),for,write,requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them. |
  2613. | svctm | The average service time (ms) for I/O requests that were issued to the device. This field will be removed in a future sysstat version. |
  2614. | %util | Percentage of elapsed time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100% for devices serving requests serially. But for devices serving requests in parallel, such as RAID arrays and modern SSDs, this number does not reflect their performance limits. |
  2615. **NOTE!** Descriptions are provided in sysstat package (manpages).
  2616. **ANALYSIS - I/O STATISTICS**
  2617. Virtual partition '/dev/vda' were hibernated most of the time during the observation period. Little variation can be seen in writing requests (wrqm/s), in succeeded writing requests (w/s) and in written sector count (wMB/s). Average sector size is 10-20 sectors (avgrq-sz) which is quite little. I/O and read request service times are mostly 0.0. Workload of the virtual hard drive is low during the observation period.
  2618. ------------------------------------------------
  2619. In addition to sysstat, 'top' command could have been used in some TTY session in order to observe processes in real time, and with [inotify](https://en.wikipedia.org/wiki/Inotify), some file system changes could have been reported. Sysstat's advantage is that programs which are included in it can record and save analytics in binary format for further and detailed inspection.
  2620. **e)** (optional) Change sshd (SSH server process) port
  2621. --------------
  2622. **Answer:**
  2623. Let the following shell script do the job...
  2624. ```
  2625. #!/bin/bash
  2626. # SSH server daemon configuration file in the system
  2627. SSH_CONFIG=/etc/ssh/sshd_config
  2628. # New SSH server daemon input port as user input value.
  2629. NEW_SSH_PORT=$1
  2630. [[ -f $SSH_CONFIG ]] \
  2631. && sed -i "s/.*Port.*/Port $NEW_SSH_PORT/" $SSH_CONFIG && echo "SSH server: new port $NEW_SSH_PORT is set." \
  2632. || echo "SSH server configuration file could not be found!"
  2633. if [[ $(cat $SSH_CONFIG | grep -i port | awk '{print $2}') == $NEW_SSH_PORT ]]; then
  2634. echo -e "SSH server input port has been changed to $NEW_SSH_PORT.\n \
  2635. Restarting SSH server daemon in order to apply the changes (root required)."
  2636. sudo systemctl restart sshd.service
  2637. if [[ $? == 0 ]]; then
  2638. echo "SSH server daemon restarted, new input port is $NEW_SSH_PORT."
  2639. else
  2640. echo "Something went wrong while restarting SSH server daemon. Execute 'systemctl status sshd.service' \
  2641. to get more information about the problem."
  2642. fi
  2643. fi
  2644. ```
  2645. Save the above script code in file '$HOME/ssh-port.sh', for example. Change the port with command 'bash $HOME/ssh-port.sh 4312' where the number value is your new SSH port (4312 in this case).
  2646. ------------------------------------------------
  2647. **EXTRA - Using new port address of SSH server daemon when connecting with a client computer/program**
  2648. Changing SSH server input port on the server computer must be taken into account while establishing connection with a client computer. Because the default SSH port 22 is not used anymore, the following syntax must be applied while connecting to the SSH server computer:
  2649. ```
  2650. [19/02/2018 23:23:49 - fincer: ~ ]$ ssh newuser@174.138.2.190 -p <new-port-number>
  2651. ```
  2652. ------------------------------------------------
  2653. **EXTRA - detecting SSH port change with port scanning techniques (nmap)**
  2654. Enable log level VERBOSE in '/etc/ssh/sshd_config' configuration file (LogLevel VERBOSE), restart SSH server daemon with command 'sudo systemctl restart sshd.service' and try port scanning with another computer.
  2655. Port scanning:
  2656. ```
  2657. nmap -sS -F -v -O 174.138.2.190
  2658. ```
  2659. nmap output when port scanning is applied with another computer using target IP 174.138.2.190 and port 1234 (note! This scanning has been applied to my own server only _once_ as an experiment, not in bad intentions! Make sure you have permission to proceed with your scanning and do not attack to any server just for fun, to avoid any problems!):
  2660. ```
  2661. phelenius@my-machine:~$ sudo nmap -sS -p 1234 -O -v 174.138.2.190
  2662. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-19 20:02 EET
  2663. Initiating Ping Scan at 20:02
  2664. Scanning 174.138.2.190 [4 ports]
  2665. Completed Ping Scan at 19:59, 0.20s elapsed (1 total hosts)
  2666. Initiating Parallel DNS resolution of 1 host. at 20:02
  2667. Completed Parallel DNS resolution of 1 host. at 20:02, 0.01s elapsed
  2668. Initiating SYN Stealth Scan at 20:02
  2669. Scanning 174.138.2.190 [1 port]
  2670. Completed SYN Stealth Scan at 20:02, 0.20s elapsed (1 total ports)
  2671. Initiating OS detection (try #1) against 174.138.2.190
  2672. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds. Ignoring time.
  2673. adjust_timeouts2: packet supposedly had rtt of -125997 microseconds. Ignoring time.
  2674. Retrying OS detection (try #2) against 174.138.2.190
  2675. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds. Ignoring time.
  2676. adjust_timeouts2: packet supposedly had rtt of -150518 microseconds. Ignoring time.
  2677. WARNING: OS didn't match until try #2
  2678. Nmap scan report for 174.138.2.190
  2679. Host is up (0.00041s latency).
  2680. PORT STATE SERVICE
  2681. 1234/tcp open unknown
  2682. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  2683. Device type: switch|general purpose|media device
  2684. Running: Cisco CatOS 7.X|8.X, HP Tru64 UNIX 5.X, Vantage embedded
  2685. OS CPE: cpe:/h:cisco:catalyst_ws-c6506 cpe:/o:cisco:catos:7.6 cpe:/o:cisco:catos:8.3 cpe:/o:hp:tru64:5.1a cpe:/h:vantage:hd7100s
  2686. OS details: Cisco Catalyst WS-C6506 switch (CatOS 7.6(16)), Cisco Catalyst switch (CatOS 8.3(2)), HP Tru64 UNIX 5.1A, Vantage HD7100S satellite receiver
  2687. Read data files from: /usr/bin/../share/nmap
  2688. OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  2689. Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds
  2690. Raw packets sent: 44 (6.312KB) | Rcvd: 18 (1.820KB)
  2691. ```
  2692. If SSH server uses the default input port 22, the following is likely to be presented in output of 'nmap' command (unless you've defined a particular port to be scanned in your 'nmap' command, like port 1234):
  2693. ```
  2694. PORT STATE SERVICE
  2695. 22/tcp filtered ssh
  2696. ```
  2697. Corresponding log entries of targeted SSH server during the nmap scanning (/var/log/auth.log):
  2698. ```
  2699. Feb 19 18:02:46 goauldhost sshd[30057]: Connection from XXX.XXX.XXX.XXX port 6967 on 174.138.2.190 port 1234
  2700. Feb 19 18:02:46 goauldhost sshd[30057]: Did not receive identification string from XXX.XXX.XXX.XXX
  2701. Feb 19 18:02:46 goauldhost sshd[30058]: Connection from XXX.XXX.XXX.XXX port 52205 on 174.138.2.190 port 1234
  2702. Feb 19 18:02:46 goauldhost sshd[30058]: Did not receive identification string from XXX.XXX.XXX.XXX
  2703. Feb 19 18:02:47 goauldhost sshd[30059]: Connection from XXX.XXX.XXX.XXX port 25326 on 174.138.2.190 port 1234
  2704. Feb 19 18:02:47 goauldhost sshd[30059]: Did not receive identification string from XXX.XXX.XXX.XXX
  2705. Feb 19 18:02:47 goauldhost sshd[30060]: Connection from XXX.XXX.XXX.XXX port 32812 on 174.138.2.190 port 1234
  2706. Feb 19 18:02:47 goauldhost sshd[30060]: Did not receive identification string from XXX.XXX.XXX.XXX
  2707. Feb 19 18:02:47 goauldhost sshd[30061]: Connection from XXX.XXX.XXX.XXX port 17024 on 174.138.2.190 port 1234
  2708. Feb 19 18:02:47 goauldhost sshd[30061]: Did not receive identification string from XXX.XXX.XXX.XXX
  2709. Feb 19 18:02:47 goauldhost sshd[30062]: Connection from XXX.XXX.XXX.XXX port 53268 on 174.138.2.190 port 1234
  2710. Feb 19 18:02:47 goauldhost sshd[30062]: Did not receive identification string from XXX.XXX.XXX.XXX
  2711. Feb 19 18:02:47 goauldhost sshd[30063]: Connection from XXX.XXX.XXX.XXX port 34923 on 174.138.2.190 port 1234
  2712. Feb 19 18:02:47 goauldhost sshd[30063]: Did not receive identification string from XXX.XXX.XXX.XXX
  2713. Feb 19 18:02:47 goauldhost sshd[30064]: Connection from XXX.XXX.XXX.XXX port 14489 on 174.138.2.190 port 1234
  2714. Feb 19 18:02:47 goauldhost sshd[30064]: Did not receive identification string from XXX.XXX.XXX.XXX
  2715. Feb 19 18:02:47 goauldhost sshd[30065]: Connection from XXX.XXX.XXX.XXX port 40086 on 174.138.2.190 port 1234
  2716. Feb 19 18:02:47 goauldhost sshd[30065]: Did not receive identification string from XXX.XXX.XXX.XXX
  2717. Feb 19 18:02:47 goauldhost sshd[30066]: Connection from XXX.XXX.XXX.XXX port 38147 on 174.138.2.190 port 1234
  2718. Feb 19 18:02:47 goauldhost sshd[30066]: Did not receive identification string from XXX.XXX.XXX.XXX
  2719. Feb 19 18:02:48 goauldhost sshd[30067]: Connection from XXX.XXX.XXX.XXX port 49215 on 174.138.2.190 port 1234
  2720. Feb 19 18:02:48 goauldhost sshd[30067]: Did not receive identification string from XXX.XXX.XXX.XXX
  2721. Feb 19 18:02:48 goauldhost sshd[30068]: Connection from XXX.XXX.XXX.XXX port 34445 on 174.138.2.190 port 1234
  2722. Feb 19 18:02:48 goauldhost sshd[30068]: Did not receive identification string from XXX.XXX.XXX.XXX
  2723. Feb 19 18:02:48 goauldhost sshd[30069]: Connection from XXX.XXX.XXX.XXX port 4600 on 174.138.2.190 port 1234
  2724. Feb 19 18:02:48 goauldhost sshd[30069]: Did not receive identification string from XXX.XXX.XXX.XXX
  2725. Feb 19 18:02:48 goauldhost sshd[30070]: Connection from XXX.XXX.XXX.XXX port 59405 on 174.138.2.190 port 1234
  2726. Feb 19 18:02:48 goauldhost sshd[30070]: Did not receive identification string from XXX.XXX.XXX.XXX
  2727. Feb 19 18:02:48 goauldhost sshd[30071]: Connection from XXX.XXX.XXX.XXX port 7848 on 174.138.2.190 port 1234
  2728. Feb 19 18:02:48 goauldhost sshd[30071]: Did not receive identification string from XXX.XXX.XXX.XXX
  2729. Feb 19 18:02:49 goauldhost sshd[30072]: Connection from XXX.XXX.XXX.XXX port 5206 on 174.138.2.190 port 1234
  2730. Feb 19 18:02:49 goauldhost sshd[30072]: Did not receive identification string from XXX.XXX.XXX.XXX
  2731. Feb 19 18:02:50 goauldhost sshd[30073]: Connection from XXX.XXX.XXX.XXX port 5517 on 174.138.2.190 port 1234
  2732. Feb 19 18:02:50 goauldhost sshd[30073]: Did not receive identification string from XXX.XXX.XXX.XXX
  2733. Feb 19 18:02:50 goauldhost sshd[30074]: Connection from XXX.XXX.XXX.XXX port 3970 on 174.138.2.190 port 1234
  2734. Feb 19 18:02:50 goauldhost sshd[30074]: Did not receive identification string from XXX.XXX.XXX.XXX
  2735. Feb 19 18:02:50 goauldhost sshd[30075]: Connection from XXX.XXX.XXX.XXX port 38690 on 174.138.2.190 port 1234
  2736. Feb 19 18:02:50 goauldhost sshd[30075]: Did not receive identification string from XXX.XXX.XXX.XXX
  2737. Feb 19 18:02:50 goauldhost sshd[30076]: Connection from XXX.XXX.XXX.XXX port 50572 on 174.138.2.190 port 1234
  2738. Feb 19 18:02:50 goauldhost sshd[30076]: Did not receive identification string from XXX.XXX.XXX.XXX
  2739. Feb 19 18:02:50 goauldhost sshd[30077]: Connection from XXX.XXX.XXX.XXX port 27830 on 174.138.2.190 port 1234
  2740. Feb 19 18:02:50 goauldhost sshd[30077]: Did not receive identification string from XXX.XXX.XXX.XXX
  2741. Feb 19 18:02:50 goauldhost sshd[30078]: Connection from XXX.XXX.XXX.XXX port 49371 on 174.138.2.190 port 1234
  2742. Feb 19 18:02:50 goauldhost sshd[30078]: Did not receive identification string from XXX.XXX.XXX.XXX
  2743. Feb 19 18:02:51 goauldhost sshd[30079]: Connection from XXX.XXX.XXX.XXX port 36802 on 174.138.2.190 port 1234
  2744. Feb 19 18:02:51 goauldhost sshd[30079]: Did not receive identification string from XXX.XXX.XXX.XXX
  2745. Feb 19 18:02:51 goauldhost sshd[30080]: Connection from XXX.XXX.XXX.XXX port 50546 on 174.138.2.190 port 1234
  2746. Feb 19 18:02:51 goauldhost sshd[30080]: Did not receive identification string from XXX.XXX.XXX.XXX
  2747. Feb 19 18:02:51 goauldhost sshd[30081]: Connection from XXX.XXX.XXX.XXX port 43542 on 174.138.2.190 port 1234
  2748. Feb 19 18:02:51 goauldhost sshd[30081]: Did not receive identification string from XXX.XXX.XXX.XXX
  2749. Feb 19 18:02:51 goauldhost sshd[30082]: Connection from XXX.XXX.XXX.XXX port 56108 on 174.138.2.190 port 1234
  2750. Feb 19 18:02:51 goauldhost sshd[30082]: Did not receive identification string from XXX.XXX.XXX.XXX
  2751. Feb 19 18:02:51 goauldhost sshd[30083]: Connection from XXX.XXX.XXX.XXX port 6399 on 174.138.2.190 port 1234
  2752. Feb 19 18:02:51 goauldhost sshd[30083]: Did not receive identification string from XXX.XXX.XXX.XXX
  2753. Feb 19 18:02:51 goauldhost sshd[30084]: Connection from XXX.XXX.XXX.XXX port 55980 on 174.138.2.190 port 1234
  2754. Feb 19 18:02:51 goauldhost sshd[30084]: Did not receive identification string from XXX.XXX.XXX.XXX
  2755. Feb 19 18:02:51 goauldhost sshd[30085]: Connection from XXX.XXX.XXX.XXX port 12713 on 174.138.2.190 port 1234
  2756. Feb 19 18:02:51 goauldhost sshd[30085]: Did not receive identification string from XXX.XXX.XXX.XXX
  2757. Feb 19 18:02:51 goauldhost sshd[30086]: Connection from XXX.XXX.XXX.XXX port 5026 on 174.138.2.190 port 1234
  2758. Feb 19 18:02:51 goauldhost sshd[30086]: Did not receive identification string from XXX.XXX.XXX.XXX
  2759. ```
  2760. The server computer has logged invalid nmap connection requests. In this case, we have defined the known SSH connection port number 1234 in our 'nmap' command on the client computer (which is INPUT port at the server end, OUTPUT port at the client end).
  2761. You may check suggested countermeasures against port scanners on [Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/345114/how-to-protect-against-port-scanners/407904#407904). Does these measures interfere negatively to other network traffic in busy server environments? This depends on which ports (read: server daemon programs/services) are targets of your countermeasures.
  2762. Another 'nmap' command shows us the following:
  2763. ```
  2764. phelenius@my-machine:~$ sudo nmap 174.138.2.190 -sV
  2765. Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-20 14:50 EET
  2766. Nmap scan report for 174.138.2.190
  2767. Host is up (0.33s latency).
  2768. Not shown: 998 filtered ports
  2769. PORT STATE SERVICE VERSION
  2770. 1234/tcp open ssh OpenSSH 7.6 (protocol 2.0)
  2771. 80/tcp open http
  2772. ...
  2773. ```
  2774. ... which reveals the actual service behind our new-defined port 1234/tcp to an attacker. In addition, the attacker can get more information about the server system, especially on Debian-based Linux distributions. For example:
  2775. ```
  2776. ...
  2777. PORT STATE SERVICE VERSION
  2778. 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
  2779. ...
  2780. ```
  2781. This information can be hidden by adding line _DebianBanner no_ in '/etc/ssh/sshd_config' on Debian-based Linux systems and restarting the SSH server daemon with command 'sudo systemctl restart sshd.service'
  2782. **NOTE!** Port scanning does not leave any log traces behind in Apache's access.log file ('/var/log/apache/access.log')!
  2783. Check also
  2784. - [MyPapit GNU/Linux - How to Hide OpenSSH Ubuntu version from Nmap and other scanners](https://blog.mypapit.net/2015/08/how-to-hide-openssh-ubuntu-release-from-nmap-and-other-scanners.html)
  2785. - [serverfault.com - How to hide web server name and openssh version on linux when scanning server ports?](https://serverfault.com/questions/81690/how-to-hide-web-server-name-and-openssh-version-on-linux-when-scanning-server-po/81697#81697)
  2786. - [Unix & Linux Stack Exchange - Change SSH banner which is grabbed by netcat](https://unix.stackexchange.com/questions/269024/change-ssh-banner-which-is-grabbed-by-netcat/269027#269027)
  2787. - [GitHub - metacloud/openssh - Include the Debian version in our identification](https://github.com/metacloud/openssh/blob/master/debian/patches/package-versioning.patch)
  2788. ------------------------------------------------
  2789. **EXTRA - Using Port Knocking technique against port scanning**
  2790. Nmap requests are targeted to layer 3 (Network Layer) in OSI model. Additional security measures can be taken by applying [Port Knocking login techniques](https://wiki.archlinux.org/index.php/Port_knocking) on the server computer.
  2791. **WARNING!** The following 'Knockd daemon' may break easily. Thus it can not be recommended for critical or rapidly updating server environments. For instance, dhcpcd version 7 or above breaks knockd daemon. Many users have had problems to start the daemon service during server boot-up process. Knockd assumes that you have a preconfigured network interface with established network connection (this is not 100% valid information but this is my best guess).
  2792. [DigitalOcean, "Port Knocking" - Ubuntu, knockd](https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu):
  2793. Dynamic firewall rules are manually applied to the server (iptables, for instance) or separate daemon process ([for instance, knockd](http://www.zeroflux.org/projects/knock)) is set up on the server computer. Daemon process is used to open a pre-defined port only if a client program has knocked correct server port numbers in right order and using correct protocol, either TCP or UDP, and this all has been done in predefined time limit. Additionally, limited timeout for user log-in can be set. For example, a correctly authenticated user must log in in 10 seconds ater Knock daemon has opened a SSH port for that time period. When the time limit is reached, Knock daemon closes the port for any further connection attempts unless the knock port sequence is re-applied.
  2794. Knocking technique must be configured so that firewall does not close already established connections (like SSH in our case), but refuses any further connection attempts so that the port can not be detected with nmap port scanning techniques after the time limit has been reached.
  2795. [DigitalOcean, "Port Knocking" - FWKnop - Single packet authentication](https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04):
  2796. Some more or less secure implementations for port knocking exist. Various encryption methods can be applied to the knocking technique, making it more difficult for an attacker to sniff network packets between a server and a client. One solution using encyption methods is [fwknop](http://www.cipherdyne.org/fwknop/) which uses _Single Packet Authorization_ (SPA) method instead of insecure port sequences.
  2797. More about Port Knocking technique:
  2798. - [Improved Port Knocking with Strong Authentication - Rennie deGraaf, John Aycock, and Michael Jacobson, Jr.∗ (Department of Computer Science - University of Calgary)](https://www.acsac.org/2005/papers/156.pdf)
  2799. - [OpenWRT:n sivut](https://wiki.openwrt.org/doc/howto/portknock.server)
  2800. - [portknocking.org](http://www.portknocking.org/) and practical solutions on [Implementations sub-page](http://www.portknocking.org/view/implementations)
  2801. - [Information Security Stack Exchange - Port Knocking is it a good idea?](https://security.stackexchange.com/questions/1194/port-knocking-is-it-a-good-idea/1196#1196)
  2802. **NOTE!** Port Knocking technique must not be applied to block ports of server daemon processes which are required to be always reachable from a client program (take Apache server for example). For SSH which does not require 24/7 connection, port knocking techniques can be applied more reliably. In addition to public key, password and PAM authentication methods, port knocking adds one more security layer to the stack. However, you must not apply these security countermeasures individually but use them together, instead. **The goal is to make it more difficult for an attacker to penetrate your network security.**
  2803. ------------------------------------------------
  2804. **EXTRA - ARP Scan and spoofing your MAC address**
  2805. Program [arp-scan](https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/) can be used in limited scale to scan a MAC address (OSI model layer 2, Data Link Layer) in a network.
  2806. Unique MAC address of a network interface (network card) can programmatically be spoofed with [these Arch Wiki instructions](https://wiki.archlinux.org/index.php/MAC_address_spoofing#Method_1:_systemd-networkd) or with my [Spoof MAC Address shell script](https://github.com/Fincer/linux_server_setup/blob/master/scripts/spoof_mac_address.sh).
  2807. Sample results of ARP Scan.
  2808. BEFORE:
  2809. ```
  2810. [20/02/2018 18:52:35 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  2811. [sudo] password for fincer:
  2812. Interface: wlan0, datalink type: EN10MB (Ethernet)
  2813. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  2814. A.B.C.D f4:0e:22:ad:b8:7d (Unknown)
  2815. 1.2.3.4 18:a9:05:4b:61:58 Hewlett-Packard Company
  2816. ```
  2817. AFTER - IP-osoitteessa 1.2.3.4 olevan palvelinkoneen MAC-osoite muutettu:
  2818. ```
  2819. [20/02/2018 18:54:28 - fincer: ~ ]$ sudo arp-scan --interface=wlan0 --localnet
  2820. Interface: wlan0, datalink type: EN10MB (Ethernet)
  2821. Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
  2822. A.B.C.D f4:0e:22:ad:b8:7d (Unknown)
  2823. 1.2.3.4 aa:0c:9a:fa:7b:d4 (Unknown)
  2824. ```
  2825. The following warning messages may be expected after spoofing a MAC address and when you establish SSH connection from a local computer to your server:
  2826. ```
  2827. Warning: Permanently added the ECDSA host key for IP address '[1.2.3.4]:22' to the list of known hosts.
  2828. ```
  2829. **f)** (optional) Allow SSH login only for users in group 'sshers'. Add your account to this group.
  2830. --------------
  2831. **Answer:**
  2832. 1. Log in to the server computer ('ssh username@server-ip -p <ssh-port>')
  2833. 2. Add group 'sshers' with GID number 876 (you don't have to define GID here)
  2834. ```
  2835. sudo groupadd -g 876 sshers
  2836. ```
  2837. 3. You can confirm existence of the created group with command 'grep sshers /etc/group'. Output:
  2838. ```
  2839. sshers:x:876:
  2840. ```
  2841. 4. Add the current user (read: yourself) _newuser_ into this group
  2842. ```
  2843. sudo usermod -aG sshers newuser
  2844. ```
  2845. 5. Command 'grep sshers /etc/group' output now:
  2846. ```
  2847. sshers:x:876:newuser
  2848. ```
  2849. You can alternatively check groups of _newuser_ by executing command 'groups' while being that user:
  2850. ```
  2851. [27/02/2018 10:39:58 - newuser@goauldhost: ~ ]$ groups
  2852. sshers newuser sudo
  2853. ```
  2854. or using command 'sudo -u newuser groups" as any system user who can execute commands with sudo.
  2855. **NOTE!** _groups_ -komento antaa oikean stdout:n (outputin) vasta uudelleenkirjautumisen jälkeen.
  2856. command 'groups' gives correct output only after re-login.
  2857. 6. Allow SSH login only to members of the group 'sshers'.
  2858. Manual page of 'sshd_config' ('man sshd_config') describes 'AllowGroups' option as follows:
  2859. > AllowGroups
  2860. > This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
  2861. Let's apply the following information into SSH server daemon configuration file '/etc/ssh/sshd_config':
  2862. ```
  2863. PermitRootLogin no
  2864. AllowGroups sshers
  2865. ```
  2866. And comment out the following lines (be careful here!):
  2867. ```
  2868. # DenyUsers <kayttajatunnuksia>
  2869. # AllowUsers <kayttajatunnuksia>
  2870. # DenyGroups <ryhmatunnuksia>
  2871. ```
  2872. If those lines are not defined in the configuration file, it is OK.
  2873. You can add multiple groups and users after those keywords, as you like.
  2874. For additional security, the following options can be applied as well (into '/etc/ssh/sshd_config' file), depending on your requests for SSH authentication policy:
  2875. ```
  2876. IgnoreRhosts yes
  2877. PermitEmptyPasswords no
  2878. ChallengeResponseAuthentication yes
  2879. UsePAM yes
  2880. MaxAuthTries 3
  2881. ```
  2882. etc. More options and configurations can be found with commands 'man sshd_config' and 'man sshd'
  2883. 7. Let's save this configuration and restart SSH server daemon by applying command 'sudo systemctl restart sshd.service' (NOTE! Disconnects already-established SSH connections!)
  2884. 8. Test SSH login with a client computer using remote user _newuser_ (belonging to the remote group 'sshers'). Command syntax is: 'ssh newuser@server-ip -p <server-port>'
  2885. **g)** (optional) Attach a remote network directory with sshfs.
  2886. --------------
  2887. **Answer:**
  2888. SSHFS stands for SSH File System. Corresponding program 'sshfs' has been developed to attach SSH server file systems (folders/files) remotely on a client computer so that all attached file systems can locally be browsed on the client computer. SSHFS uses encrypted SFTP protocol (SSH/Secure File Transfer Protocol) for file tranfers.
  2889. 1. Install 'sshfs' with command sequence 'sudo apt-get update && sudo apt-get -y install sshfs' on a Debian-based Linux system.
  2890. 2. Mount remote folder '/home/newuser/public_html/' (server), to path '/home/<current-user>/public_html_ssh_remote' on your client computer.
  2891. ```
  2892. mkdir $HOME/public_html_ssh_remote && sshfs newuser@174.138.2.190:./public_html $HOME/public_html_ssh_remote -p <ssh-portti>
  2893. ```
  2894. **NOTE!** If you use public key SSH authentication method, you are not asked for any password.
  2895. 3. Check that you have successfully mounted your remote server folder '/home/newuser/public_html' to the client computer (command 'ls ~/public_html_ssh_remote/'). Output should be as follows:
  2896. ```
  2897. index.html
  2898. ```
  2899. Additionally, check output of command 'mount | grep public_html_ssh_remote':
  2900. ```
  2901. newuser@174.138.2.190:./public_html on /home/phelenius/public_html_ssh_remote type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
  2902. ```
  2903. 4. Unmount the remote folder by issuing command 'sudo umount /home/phelenius/public_html_ssh_remote'. On the client end, 'ls' command should have empty output for directory 'public_html_ssh_remote'.