Introduction

Updated 8/15/2019 – Added updated code and support for Systemd systems.

Building a LAMP (Linux, Apache, MySQL, PHP) web server, or another variation of a Linux web server stack, and getting it all nicely configured with reliable data handling, a domain name, and a TLS/SSL certificate is only half of the battle. You'll also need to make sure your infrastructure (server, hosting provider, network) is protected from the internet's many threats and attacks.

Securing web servers has become considerably more involved than it used to be. Below are some of the most recent recommendations for essential security on a Linux web server, Ubuntu or CentOS, for any company, big or small. We will focus mainly on CentOS 6, but most of what is listed here can be applied to Ubuntu and the many Red Hat (RHEL) based Linux versions such as CentOS and Amazon Linux.


For all you security admins and Linux sysadmins, site security and interconnectivity based on open source tools is essential today. Common protocols such as SSH, HTTP and HTTPS depend on your OpenSSL configuration, on an OpenSSL version that supports modern secure encryption and ciphers, and on your web server supporting these as well, including the popular enterprise solutions Nginx and Apache.

Let's look at a few settings that are essential for good security. Other measures, such as firewalls and VPNs, are important as well, but we will not discuss those in this article.

Repositories needed:

None beyond the basic repos included with your OS. If you want a newer version than the default repo supplies, EPEL or IUS are recommended.

Install Instructions – OpenSSL:

Let's start by installing the needed packages with yum (CentOS and Amazon Linux) or apt-get (Ubuntu) and ensure they are at the most current repo version:

CentOS/ Amazon Linux:

  • sudo yum install openssl

Ubuntu:

  • sudo apt-get update
  • sudo apt-get -V install openssl

SSH:

 Securing SSH Configuration:

  • sudo vim /etc/ssh/sshd_config
  • # Make sure the following settings are set:
  • PermitRootLogin no
  • UsePrivilegeSeparation yes
  • Protocol 2
  • AllowAgentForwarding no

The first option here, ‘PermitRootLogin no’, disables logging in as the root user via SSH. This helps protect against brute force attacks on the root account.

The second option here, ‘UsePrivilegeSeparation yes’, splits the daemon process into two parts. That way only the small part of the code that needs it runs as root, and the rest of the code runs unprivileged in a chroot jail environment.

The third option here, ‘Protocol 2’, may already be set in your configuration; it limits SSH to the version 2 protocol only. Version 1 is no longer secure.

The fourth option, ‘AllowAgentForwarding no’, may already be set in your configuration; it prevents keys forwarded by the client's SSH agent from being used from this server to reach further hosts. We don't want SSH keys forwarded beyond the first server; in most cases this server is not acting as an SSH jump host.
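As an added example (not code from the original article), the following script checks a live sshd_config for the four settings above. It takes into account that sshd uses the first uncommented occurrence of each keyword, so a hardened line placed below an earlier default is silently ignored; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): audit the four sshd_config settings
# above. sshd honours the FIRST uncommented occurrence of a keyword, and lines
# after a "Match" line apply only conditionally, so the scan stops there.
# Keywords are case-insensitive and "Key value" / "Key=value" both count.

# Print the effective value of keyword $1 in config file $2 (empty if unset).
sshd_effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/     { next }     # blank line or comment
        tolower($1) == "match"   { exit }     # conditional section begins
        {
            line = $0; gsub(/=/, " ", line); split(line, f)
            if (tolower(f[1]) == key) { print f[2]; exit }
        }' "$2"
}

# Compare each hardening setting with its expected value. Prints one line per
# setting and returns 1 if any is missing (shown as <unset>) or wrong.
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin:no UsePrivilegeSeparation:yes \
                Protocol:2 AllowAgentForwarding:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_effective_value "$key" "$1")
        [ -n "$got" ] || got='<unset>'
        if [ "$got" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "FAIL $key = $got (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then audit_sshd_config "$1"; fi
```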

Login Banners:

Let's modify the motd file:

  • sudo vim /etc/motd
  • *Notice*
  • This System, {System Name}, is property of {Company Name}.
  • Use of this system constitutes consent to official monitoring.

Placing a legal banner in the motd (Message of the Day) file gives anyone accessing the server notice about this environment. It is prudent to place a legal banner on the login screens of all servers for legal reasons and to potentially deter intruders, among other things. This motd banner is displayed after a user logs in via SSH, the local console, etc. If the file doesn't exist, you can create it as the root user using sudo. We like this method as well because everyone then knows which server they are on, especially if the command prompt has no hostname in it.

 Apply changes:

SysVinit setups such as CentOS 6 and Amazon Linux OS 1 use the command below:

  • sudo service sshd restart

Systemd setups such as CentOS 7 and Amazon Linux OS 2 use the command below:

  • sudo systemctl restart sshd


Secure Nginx or Apache:

For Nginx, let's remove old vulnerable protocols such as SSLv2 and SSLv3:

  • sudo vim /etc/nginx/sites-enabled/{your-site.conf}
  • server {
  •     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  •     # UPDATE – TLS 1.0, and at times 1.1, are discouraged.
  •     # If your end users don't need old systems supported,
  •     # use the following ssl_protocols line instead
  •     # (keep only one ssl_protocols directive per block; nginx rejects duplicates):
  •     ssl_protocols TLSv1.2;
  • }

Inside your server block that uses HTTPS, adding these settings means you will not be vulnerable to many recent security flaws, such as DROWN.

You can also place these settings in nginx.conf to apply them globally.

Check your configuration and apply changes:

Test the configuration first (the first command in each pair below); we don't want any typos or misconfigurations.

SysVinit setups such as CentOS 6 and Amazon Linux OS 1 use the commands below:

  • sudo service nginx configtest
  • sudo service nginx reload

Systemd setups such as CentOS 7 and Amazon Linux OS 2 use the commands below:

  • sudo nginx -t
  • sudo systemctl reload nginx

For Apache, let's remove old vulnerable protocols such as SSLv2 and SSLv3:

  • sudo vim /etc/httpd/conf.d/ssl.conf
  • SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
  • # UPDATE – TLS 1.0, and at times 1.1, are discouraged.
  • # If your end users don't need old systems supported,
  • # use the following SSLProtocol line instead.
  • SSLProtocol +TLSv1.2

Inside your Apache vhost that uses HTTPS, adding these settings means you will not be vulnerable to many recent security flaws, such as DROWN.

A setting in ssl.conf applies globally unless you override it in a vhost. Please make sure the default SSL vhost is disabled or update its settings to match.

Check your configuration and apply changes:

Test the configuration first (the first command in each pair below); we don't want any typos or misconfigurations.

SysVinit setups such as CentOS 6 and Amazon Linux OS 1 use the commands below:

  • sudo service httpd configtest
  • sudo service httpd reload

Systemd setups such as CentOS 7 and Amazon Linux OS 2 use the commands below:

  • sudo httpd -t
  • sudo systemctl reload httpd
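To confirm after the reload that the server really rejects the old protocol versions, here is an added client-side check that is not part of the original article. It applies to both the Nginx and the Apache configuration above and assumes only that the openssl command-line tool is available on the machine you test from; function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the article): after reloading Nginx or Apache, check
# from a client which protocol versions the server still accepts. Assumes an
# "openssl" binary on PATH; probing SSLv3 needs a build that still has -ssl3
# (modern builds report it as an unknown option, handled below).

# Classify one "openssl s_client" transcript read on stdin. The reliable marker
# is the "New, ..., Cipher is ..." line: it shows "(NONE)" when the handshake
# failed. (The "Protocol :" line under SSL-Session appears even on failure.)
classify_s_client() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo unsupported-by-client
    elif printf '%s\n' "$out" | grep -q '^New, .*Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q '^New, .*Cipher is '; then
        echo accepted
    else
        echo error    # no handshake at all: refused, timeout, bad hostname
    fi
}

# Probe one version: probe_protocol HOST PORT PROTO  (ssl3|tls1|tls1_1|tls1_2)
probe_protocol() {
    openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>&1 |
        classify_s_client
}

# Sweep the versions that ssl_protocols / SSLProtocol control; returns 1 if
# anything older than TLS 1.2 is still accepted.
check_tls_versions() {
    rc=0
    for proto in ssl3 tls1 tls1_1 tls1_2; do
        result=$(probe_protocol "$1" "$2" "$proto")
        echo "$proto: $result"
        case "$proto:$result" in
            tls1_2:accepted) ;;
            *:accepted)      rc=1 ;;
        esac
    done
    return $rc
}

# Constructed transcripts (abridged from real s_client output) for a self-check.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_REJECTED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3'
if [ $# -eq 2 ]; then check_tls_versions "$1" "$2"; fi
```

Run it as `sh check_tls.sh your-host 443`; a result of "accepted" for ssl3, tls1 or tls1_1 means the new ssl_protocols/SSLProtocol line is not in effect for that vhost.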

Conclusion:

There are many other options we could include, but these I think are a must. In other articles we will discuss SSL cipher suites and HSTS for Apache and Nginx.

Remember that if you are using a different OS, you may need to change the Apache package and service name. For example, on Ubuntu, instead of ‘httpd’ you may need to use ‘apache2’ or similar.

Please post any comments below and feel free to ask questions.