First Steps In Securing Your Linux Server


A few notes to keep in mind when you manage the security of your Linux server:

  • Keep your system clean: install ONLY the packages you need.
  • Check the enabled services and disable the ones you don’t need. A disabled service will NOT start automatically at boot. To list the enabled services, execute this:

# systemctl list-unit-files --type=service | grep enabled

The unit files of the packaged services live in “/usr/lib/systemd/system/” (local overrides and your own units go in “/etc/systemd/system/”). To stop a running service, execute: # systemctl stop $serviceName. To disable it so it no longer starts at boot: # systemctl disable $serviceName. Check what is still listening afterwards with # ss -tlnp.

  • Change the port of the sshd:
    • Edit the configuration file of the SSH daemon: # vim /etc/ssh/sshd_config
    • For example, to change the port to 1866, set “Port 1866” in the configuration file.
    • If SELinux is enabled, you have to tell SELinux that sshd may bind the new port:
      # semanage port -a -t ssh_port_t -p tcp 1866
    • If a host firewall is running, open the new port there too, before you restart sshd; otherwise the restart locks you out. With firewalld: # firewall-cmd --permanent --add-port=1866/tcp && firewall-cmd --reload
    • Restart sshd: # systemctl restart sshd
    • From now on you need the option -p 1866 when you log in. Keep your current session open until a second connection to the new port has succeeded; a wrong port, SELinux label or firewall rule is only recoverable from a session that is still alive.
  • Disable SSH login as root (do this only after the admin user described below exists and you have confirmed you can log in and use sudo as that user):
    • Disable root login:
      • Edit the configuration file of the SSH daemon: # vim /etc/ssh/sshd_config
      • Find the line “#PermitRootLogin yes”, uncomment it and change yes to no, so that it reads “PermitRootLogin no”
      • Restart the SSH daemon: # systemctl restart sshd
    • Create an admin user so you can ssh into the server as an administrator. As root, create the new user and set its password with useradd and passwd. Then, to make the new user (let’s say it is binan) an administrator, run visudo (never edit /etc/sudoers directly; visudo checks the syntax before saving) and do one of these:
      • Search for the line “%wheel  ALL=(ALL)       ALL” and uncomment it (delete the # at the beginning of the line). This allows members of the group wheel to run all commands with sudo. Then add the user binan to the group wheel: # usermod -aG wheel binan
      • OR, instead of adding the user binan to the group wheel, add the line “binan ALL=(ALL) ALL”.

Every command run through sudo is logged (in the journal and, on RHEL-type systems, in /var/log/secure), so “who did what” can be determined. That is why we disable logging in as root: with a shared root login every action would be recorded under the same account, and the password would be a single, remotely guessable secret.

  • Generate an SSH key pair on your local machine: # ssh-keygen -t rsa (on a current OpenSSH, # ssh-keygen -t ed25519 is a good alternative). The generated private and public keys are stored in the .ssh directory in your home directory (private key: ~/.ssh/id_rsa, public key: ~/.ssh/id_rsa.pub). Give the private key a passphrase when prompted, and never copy it to the server; only the public key goes there.
  • The public key must be installed on the server (appended to ~/.ssh/authorized_keys of the admin user). To copy it there you can temporarily allow password logins (“PasswordAuthentication yes” in /etc/ssh/sshd_config, then restart sshd). Now, from your local machine, copy the public key to the server as follows: # cat ~/.ssh/id_rsa.pub | ssh -p 1866 binan@Hostname/IP-Address “mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys”. The chmod steps matter: sshd refuses keys in a world- or group-writable directory or file. The equivalent one-liner is # ssh-copy-id -p 1866 -i ~/.ssh/id_rsa.pub binan@Hostname/IP-Address
  • Before disabling passwords, check that key login works: from another terminal on your local machine (the one holding the key pair), run the command below; you should get a shell with no password prompt. Keep the existing session open while you test, so a mistake cannot lock you out.
  • Disable sshing using passwords: set “PasswordAuthentication no” in /etc/ssh/sshd_config and restart the daemon (consider “ChallengeResponseAuthentication no” as well, otherwise PAM may still offer a keyboard-interactive password prompt). Now login is by public key authentication only. Repeat the login test after the restart:

# ssh -p 1866 binan@Hostname/IP-Address
Last login: Wed Nov  4 09:40:00 2015
-bash-4.2$
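The sshd_config edits above, applied as one script rather than by hand in vim. This is an added example, not part of the original post: it edits a copy of the configuration file and verifies the result, so the copy can be checked with “sshd -t -f” and inspected before it replaces /etc/ssh/sshd_config and sshd is restarted. The sample configuration it works on is constructed here to resemble a stock file; the port 1866 and the user binan are the ones from the text.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): apply the sshd_config changes
# described above to a COPY of the file and verify them before installing it.
set -eu

# set_sshd_option FILE KEY VALUE
# Remove every active or commented-out "KEY ..." line, then put "KEY VALUE" at
# the top of the file. sshd uses the first value it sees for a keyword, and
# keywords must precede any "Match" block, so prepending is safer than appending.
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  {
    printf '%s %s\n' "$key" "$value"
    awk -v k="$key" '
      { l = $0; sub(/^[#[:space:]]+/, "", l); split(l, f, /[ \t=]+/) }
      f[1] != k { print }
    ' "$file"
  } > "$tmp"
  mv "$tmp" "$file"
}

# get_sshd_option FILE KEY  -> prints the effective (first, uncommented) value
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_copy SRC DST PORT  -> writes a hardened copy of SRC to DST
harden_sshd_copy() {
  local src=$1 dst=$2 port=$3
  cp "$src" "$dst"
  set_sshd_option "$dst" Port "$port"
  set_sshd_option "$dst" PermitRootLogin no
  set_sshd_option "$dst" PasswordAuthentication no
  set_sshd_option "$dst" PubkeyAuthentication yes
}

# check_sshd_copy FILE PORT  -> returns 0 only if every expected setting is in effect
check_sshd_copy() {
  local file=$1 port=$2
  [ "$(get_sshd_option "$file" Port)" = "$port" ] &&
  [ "$(get_sshd_option "$file" PermitRootLogin)" = no ] &&
  [ "$(get_sshd_option "$file" PasswordAuthentication)" = no ]
}

# Constructed sample resembling a stock sshd_config; not a real server's file.
write_sample_config() {
  cat > "$1" <<'EOF'
# $OpenBSD: sshd_config (constructed sample)
#Port 22
#AddressFamily any
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

work=$(mktemp -d)
write_sample_config "$work/sshd_config"
harden_sshd_copy "$work/sshd_config" "$work/sshd_config.new" 1866
check_sshd_copy "$work/sshd_config.new" 1866 && echo "hardened copy OK:"
cat "$work/sshd_config.new"
# On the server, the remaining steps would be:
#   sshd -t -f "$work/sshd_config.new" && cp "$work/sshd_config.new" /etc/ssh/sshd_config
#   semanage port -a -t ssh_port_t -p tcp 1866 && systemctl restart sshd
```

Run the sshd -t check and the SELinux and firewall steps from the text before the restart, and only from a session you intend to keep open; the script deliberately stops short of touching the live file.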



DNS mapping of E.164 numbers to a list of URIs and IP Addresses


The Domain Name System (DNS) can be used to store telephone numbers in E.164 format and to identify the services associated with them; this mechanism is called ENUM (RFC 3761). The domain “e164.arpa” is the tree reserved for E.164 numbers. It is delegated in subdomains by country code, so you contact the administrator of the zone for your country code in order to list your E.164 number.

Explanation by Example

The DNS client string is “+441632910011”. It is a telephone number in E.164 format, and we want to get the information about the service associated with this number (service type, transport protocol, port number, IP address). The DNS client that performs the lookups can be part of any kind of network server. The number is turned into a domain name as RFC 3761 prescribes: remove every character that is not a digit (here the leading “+”), reverse the digits, put a dot between them, and append “.e164.arpa.”. The corresponding domain name is therefore “1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.”. The steps below show how the client gets from there to the IP address of the server that provides the service, and to some information about the service itself.


Step 1: Getting a SIP URI as the Result of the First DNS Lookup

The DNS client performs the first DNS lookup, for NAPTR records, on the domain name “1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.”. The output is two NAPTR records:

$ORIGIN 1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.
;        order pref flags service     regexp                          replacement
IN NAPTR 10    100  "u"   "E2U+sip"   "!^.*$!sip:info@example.com!"   .   ; Record Number 1
IN NAPTR 10    101  "u"   "E2U+h323"  "!^.*$!h323:info@example.com!"  .   ; Record Number 2

Here we have two records associated with that name. The fields in each record are: order, preference, flags, service, regular expression, and replacement. The “order” specifies the processing order of the NAPTR records. The “preference” specifies the processing order among NAPTR records that have the same order value. Here both records have an “order” value of 10, but the first one has the lower “preference” value (100 versus 101), so the DNS client picks the first record. The position of a record in the DNS answer is irrelevant; only order and preference count.

The “u” flag means that the output of this record is a URI and the lookup stops here. The service name in the selected record is “E2U+sip”: E2U stands for “E.164 to URI”, and the “+sip” part says that the result is a SIP URI.

The regular expression “!^.*$!sip:info@example.com!” takes this form: “Delimiter ERE Delimiter Substitution Delimiter Flags”.

Delimit = !

ERE (Extended Regular Expression) = ^.*$, which matches everything from the beginning of the client string to its end.

Delimit=!

Substitution=sip:info@example.com

Delimit=!

and no flags (the only flag defined by RFC 3402 is “i”, for a case-insensitive match).

If the replacement field is not used, it must be written as a single dot (.). If the replacement field is used, the regular expression field must be the empty string (“”): RFC 3403 makes the two mutually exclusive, and a record that carries both is in error. A replacement, when present, must be a FQDN. So when the DNS client picks the first record, it applies the pattern in the regular expression field to the original client string “+441632910011”, and the result of the first step is the SIP URI sip:info@example.com. As we see, we get a SIP URI from an E.164 telephone number, and we can stop here if that is all we want. Note: you can use dig in a Linux terminal to perform the lookup yourself: # dig -t naptr 1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.


Step 2: Getting the Service’s FQDN (Service Type + Transport Protocol)

Now the DNS client string is “sip:info@example.com”. The client takes the host part of the URI and performs a second DNS lookup, again for NAPTR records, on the domain name “example.com.”. The output is two NAPTR records:

$ORIGIN example.com.
;        order pref flags service    regexp  replacement
IN NAPTR 100   10   "s"   "SIP+D2U"  ""      _sip._udp.example.com.
IN NAPTR 102   10   "s"   "SIP+D2T"  ""      _sip._tcp.example.com.

Here the regular expression field is empty and the replacement field is present (the two are mutually exclusive, as explained above). The flag “s” (flags are case-insensitive, so “S” means the same) says that the replacement field is a FQDN that points to SRV records. The DNS client picks the first record because it has the lowest order value, so the result is “_sip._udp.example.com.”: the service is SIP and the transport protocol is UDP. A client that cannot use UDP skips that record and falls through to the SIP+D2T one, which is exactly what the order values are for.


Step 3: Getting Server’s FQDN and Listening Port Number

Now the DNS client string is “_sip._udp.example.com.”. The client performs the third lookup, for SRV records, on “_sip._udp.example.com.”. An SRV record takes this form: “_Service._Protocol.Name TTL Class SRV Priority Weight Port Target”

The record in this example:

_sip._udp.example.com. 86400 IN SRV 0 5 5060 sipserver.example.com.

Service: The service name is sip.

Protocol: The transport protocol is UDP.

Name: The domain name is example.com.

TTL: The time to live is 86400 seconds.

Class: The DNS class is IN.

Priority: The priority of the target is 0 (lower values are tried first).

Weight: The relative weight of this record is 5 (used to pick between targets of equal priority).

Port: The service listens on port 5060.

Target: The hostname of the machine that provides the service is sipserver.example.com.

The result of this step is the FQDN “sipserver.example.com” which represents SIP server listening on port 5060.


Step 4: Getting the IP Address

The client performs a DNS lookup on “sipserver.example.com.”. The output is an A record (or an AAAA record for IPv6) containing the IP address of the SIP server. The client can now send SIP to that address on UDP port 5060.
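The four steps above, carried out by a small resolver against the records of this example. This is an added example, not code from the original article: no DNS queries are made, and the ZONE table is constructed to stand in for the answers a resolver would return, so the NAPTR selection, the regular-expression substitution and the SRV handling can be read and tested offline. The address 192.0.2.10 and the TCP SRV record are assumptions added so that both transports resolve.

```python
"""ENUM resolution (steps 1-4 above) run offline against constructed records.

Added example, not code from the original article. No DNS queries are made:
ZONE below stands in for the answers a resolver would return.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str       # "!ERE!substitution!flags", or "" when replacement is used
    replacement: str  # FQDN, or "." when regexp is used


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def e164_to_enum_domain(number: str, suffix: str = "e164.arpa") -> str:
    """RFC 3761 s2.4: keep digits only, reverse, dot-separate, append suffix."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError(f"no digits in E.164 number {number!r}")
    return ".".join(reversed(digits)) + f".{suffix}."


def apply_naptr_regexp(regexp: str, subject: str):
    """Apply a NAPTR regexp field (delim ERE delim substitution delim [flags]).
    Returns the rewritten string, or None when the ERE does not match and the
    record therefore does not apply. Escaped delimiters are not handled."""
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) != 3:
        raise ValueError(f"malformed NAPTR regexp {regexp!r}")
    ere, substitution, flags = parts
    if flags not in ("", "i"):          # RFC 3402 defines only the "i" flag
        raise ValueError(f"unsupported regexp flags {flags!r}")
    match = re.compile(ere, re.IGNORECASE if flags == "i" else 0).search(subject)
    return match.expand(substitution) if match else None   # \1..\9 back-refs


def resolve_naptr(records, subject: str, wanted_services):
    """Pick the first applicable record by (order, preference); RFC 3403."""
    wanted = {s.upper() for s in wanted_services}
    for rec in sorted(records, key=lambda r: (r.order, r.preference)):
        if rec.service.upper() not in wanted:
            continue
        if rec.regexp and rec.replacement not in ("", "."):
            raise ValueError(f"regexp and replacement are mutually exclusive: {rec}")
        result = apply_naptr_regexp(rec.regexp, subject) if rec.regexp else rec.replacement
        if result is not None:
            return rec.flags.lower(), result
    return None


def select_srv(records):
    """RFC 2782: lowest priority wins; equal priorities should be chosen by
    weighted random, done deterministically here (highest weight) for testing."""
    if not records:
        raise LookupError("no SRV records")
    return min(records, key=lambda s: (s.priority, -s.weight))


def sip_uri_host(uri: str) -> str:
    """sip:info@example.com;transport=udp -> example.com."""
    hostport = uri.split(":", 1)[1].rsplit("@", 1)[-1].split(";", 1)[0]
    return hostport.split(":", 1)[0].rstrip(".") + "."


# Constructed records modelled on the article's example; not live DNS data.
ZONE = {
    "1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.": {"NAPTR": [
        Naptr(10, 101, "u", "E2U+h323", "!^.*$!h323:info@example.com!", "."),
        Naptr(10, 100, "u", "E2U+sip", "!^.*$!sip:info@example.com!", "."),
    ]},
    "example.com.": {"NAPTR": [
        Naptr(102, 10, "s", "SIP+D2T", "", "_sip._tcp.example.com."),
        Naptr(100, 10, "s", "SIP+D2U", "", "_sip._udp.example.com."),
    ]},
    "_sip._udp.example.com.": {"SRV": [Srv(0, 5, 5060, "sipserver.example.com.")]},
    "_sip._tcp.example.com.": {"SRV": [Srv(0, 5, 5060, "sipserver.example.com.")]},  # assumed
    "sipserver.example.com.": {"A": ["192.0.2.10"]},   # assumed; RFC 5737 range
}


def lookup(name: str, rtype: str):
    """Stand-in for a DNS query; a real client would call a resolver here."""
    return ZONE.get(name, {}).get(rtype, [])


def enum_lookup(number: str, transports=("SIP+D2U", "SIP+D2T"), query=lookup):
    """E.164 number -> SIP URI -> SRV name -> host:port -> IP addresses."""
    hit = resolve_naptr(query(e164_to_enum_domain(number), "NAPTR"), number, {"E2U+sip"})
    if hit is None or hit[0] != "u":                           # step 1
        raise LookupError(f"no E2U+sip record for {number}")
    uri = hit[1]
    hit = resolve_naptr(query(sip_uri_host(uri), "NAPTR"), uri, transports)
    if hit is None or hit[0] != "s":                           # step 2
        raise LookupError(f"no SIP NAPTR with SRV target for {uri}")
    srv = select_srv(query(hit[1], "SRV"))                     # step 3
    return {"uri": uri, "transport": hit[1].split(".")[1].lstrip("_"),
            "host": srv.target, "port": srv.port,
            "addresses": query(srv.target, "A")}               # step 4


if __name__ == "__main__":
    print(enum_lookup("+441632910011"))
```

The `transports` argument is what a real SIP client would fill from the transports it supports: passing only “SIP+D2T” makes the resolver skip the UDP record and land on the TCP one, which is the behaviour the order values in step 2 are designed for. Treat every field that comes back from a NAPTR record as untrusted input; the mutual-exclusion check in `resolve_naptr` rejects the malformed record shape discussed in step 2, and a production client should also cap the number of non-terminal (“”-flag) NAPTR hops it will follow.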

Summary

Using the Domain Name System (DNS) we can get the service information (mainly the service type, transport protocol, port number and IP address) associated with a specific telephone number (E.164 number): one NAPTR lookup turns the number into a URI, a second NAPTR lookup on the URI’s domain selects the transport, an SRV lookup gives host and port, and an A/AAAA lookup gives the address.


More information: RFC 2916 (the original ENUM specification, obsoleted by RFC 3761, which was in turn obsoleted by RFC 6116), RFC 3403 (NAPTR records), RFC 2782 (SRV records), RFC 3263 (locating SIP servers).