First Steps In Securing Your Linux Server


Some notes to keep in mind when managing the security of your Linux server:

  • Keep your system clean: Install ONLY the packages you need.
  • Check the enabled services and disable the ones you don't need. A disabled service will NOT be started automatically when the system boots, and every service you don't run is attack surface you don't have to patch. To display the enabled services, execute this:

# systemctl list-unit-files --type=service | grep enabled

The unit files of packaged services live in "/usr/lib/systemd/system/" (local overrides go in "/etc/systemd/system/"). To stop a running service, execute: # systemctl stop $serviceName. To disable a service so it no longer starts at boot: # systemctl disable $serviceName (disabling does not stop an instance that is already running, so do both).

  • Change the port of the sshd:
    • Edit the configuration file of the SSH daemon: # vim /etc/ssh/sshd_config
    • For example, to move sshd to port 1866, set "Port 1866" in the configuration file.
    • If SELinux is enabled, you have to tell SELinux about this change, otherwise sshd will not be allowed to bind the new port:
      # semanage port -a -t ssh_port_t -p tcp 1866
    • If a host firewall is active, open the new port as well, otherwise the restarted sshd is unreachable (with firewalld: # firewall-cmd --permanent --add-port=1866/tcp && firewall-cmd --reload).
    • Check that the configuration still parses before restarting, and keep your current session open until a new login works: # sshd -t
    • Restart sshd: # systemctl restart sshd
    • From now on, use the option -p 1866 when you log in.
  • Disable sshing as root (do this only after the admin user below exists and you have verified that you can log in as that user, otherwise you lock yourself out):
    • Disable root login:
      • Edit the configuration file of the SSH daemon: # vim /etc/ssh/sshd_config
      • Find the line "#PermitRootLogin yes", uncomment it and change yes to no so that it reads "PermitRootLogin no"
      • Restart the SSH daemon: # systemctl restart sshd
    • Create an admin user so you can ssh into the server as an administrator. As root, create a new user and set its password using useradd and passwd. Then, to make the new user (let's say it is binan) an administrator, execute visudo and do one of these:
      • Search for the line "%wheel  ALL=(ALL)       ALL" and uncomment it (delete the # at the beginning of the line). This allows members of group wheel to run all commands. Add the user binan to the group wheel so that binan can execute all commands using sudo: # usermod -aG wheel binan.
      • OR, instead of adding the user binan to the group wheel, add the line "binan ALL=(ALL) ALL". Always edit sudoers through visudo (or put such lines in a file under /etc/sudoers.d/ and check it with # visudo -cf /etc/sudoers.d/binan): a syntax error in sudoers makes sudo refuse to run for everyone.

Every command run through sudo is logged (on CentOS/RHEL in /var/log/secure), so "who did what" can be reconstructed; that is why we disable logging in directly as root, where all actions would be attributed to one shared account.

  • Generate an SSH key pair on your machine: # ssh-keygen -t rsa (-t ed25519 is the modern alternative when both ends support it). The generated private and public keys are stored in the .ssh directory of your home directory (private key: ~/.ssh/id_rsa, public key: ~/.ssh/id_rsa.pub). Protect the private key with a passphrase; it is the credential that replaces your password.
  • You must have the public key installed on the server (appended to ~/.ssh/authorized_keys). To copy the public key to the server, you can temporarily enable SSH password logins ("PasswordAuthentication yes" in /etc/ssh/sshd_config, then restart the sshd daemon). Now copy the public key to the server as follows: # cat ~/.ssh/id_rsa.pub | ssh -p 1866 binan@Hostname/IP-Address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys". Then make sure the permissions are what sshd expects (chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys); with its default StrictModes, sshd silently ignores a world- or group-writable key file. (# ssh-copy-id -p 1866 binan@Hostname/IP-Address does all of this for you.)
  • Check that you can log in from another terminal using the key pair, while keeping your current session open in case something is wrong. Assuming the key pair (the public and private keys) is on your local machine:

# ssh -p 1866 binan@Hostname/IP-Address
Last login: Wed Nov  4 09:40:00 2015
-bash-4.2$

  • Only then disable sshing using passwords: set "PasswordAuthentication no" in /etc/ssh/sshd_config and restart the daemon. From now on, logins use public key authentication only, so password guessing against sshd no longer works.
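The steps above as one script. This is an added example written for this page, not code from the original post: it edits a given sshd_config idempotently, reads back the effective values, and installs a public key with the permissions sshd requires. The demonstration at the bottom runs against constructed scratch files, so it can be executed unprivileged; the commands for applying it to the live server are in the trailing comment. Assumptions: GNU sed/grep/stat, a CentOS/RHEL 7 style host with SELinux and firewalld, the user name binan and port 1866 from the post, and a placeholder key line that is not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd hardening steps
# idempotently and verifiably. Assumes GNU sed/grep and a CentOS/RHEL 7 style
# host (systemctl, semanage, firewalld). File and port are parameters so the
# functions can be exercised on a scratch copy before touching the real file.

# set_sshd_option FILE KEY VALUE
# Rewrite every "KEY ..." line, commented out or not, as "KEY VALUE"; append
# the line if the key is absent. The key is matched as a whole word so that
# e.g. "Port" does not touch "GatewayPorts".
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        # Appending puts the line last; if the file ends in a Match block that
        # is invalid, and "sshd -t" (see the comment at the end) reports it.
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: the first active value, which is the one sshd uses.
get_sshd_option() {
    grep -E "^[[:space:]]*${2}[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd_config FILE PORT: the four settings from the post.
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
}

# install_authorized_key HOMEDIR PUBKEY_LINE
# Install one public key exactly once with the permissions sshd's default
# StrictModes requires (700 on ~/.ssh, 600 on authorized_keys); with looser
# modes sshd ignores the file and key login fails without an obvious error.
install_authorized_key() {
    home=$1; pubkey=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# --- demonstration on constructed scratch files (safe to run unprivileged) ---
# Constructed sample resembling the commented-out defaults of a stock sshd_config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#AddressFamily any
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication yes
EOF
harden_sshd_config "$sample" 1866

fakehome=$(mktemp -d)
# Placeholder key line for the demonstration, not a real key.
testkey='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER binan@laptop'
install_authorized_key "$fakehome" "$testkey"
install_authorized_key "$fakehome" "$testkey"   # second call must not add a duplicate

# On the real server, as root, the same functions are applied like this
# (keep your current session open until a fresh login on port 1866 succeeds):
#   cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 1866
#   semanage port -a -t ssh_port_t -p tcp 1866                              # SELinux
#   firewall-cmd --permanent --add-port=1866/tcp && firewall-cmd --reload   # if firewalld runs
#   sshd -t && systemctl restart sshd                                       # restart only if it parses
```

Running the functions on a copy first and gating the restart on `sshd -t` is what turns the post's manual edits into something you can repeat on every new server without risking a lockout; `get_sshd_option` gives you the check to run after the edit, since sshd honours only the first occurrence of a key.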



Running RTPEngine Under Systemd Control


To compile and install RTPEngine go here.

To run the RTPEngine under systemd control, follow these steps:

# git clone https://github.com/Binan/rtpengine-systemd.git

# cd rtpengine-systemd

Edit the configuration file "rtpengine-conf" to reflect your configuration. Then install the files in your system:

# cp rtpengine-conf /etc/default/rtpengine-conf

# cp rtpengine.service /usr/lib/systemd/system/rtpengine.service

Create the helper directory first if it does not already exist (# mkdir -p /usr/bin/rtpengine), then:

# cp rtpengine-start /usr/bin/rtpengine/rtpengine-start

# cp rtpengine-stop-post /usr/bin/rtpengine/rtpengine-stop-post

# chmod +x /usr/bin/rtpengine/rtpengine-start

# chmod +x /usr/bin/rtpengine/rtpengine-stop-post

In the systemd unit file, the option "ExecStopPost" names a command that systemd runs after the RTPEngine daemon has stopped, whether it was stopped cleanly or exited unexpectedly. Here it is used to clean up the system: delete the forwarding table, remove the related iptables rules, and unload the kernel module (xt_RTPENGINE). Because systemd runs these helpers as root, keep them owned by root and not writable by other users.
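For orientation, an illustrative unit in the shape the steps above imply. This is an added example written for this page, not the rtpengine.service shipped in the Binan/rtpengine-systemd repository: the three paths match the copy commands above, while Description, Type, Restart and the EnvironmentFile line are assumptions about how such a unit would be written.

```ini
[Unit]
Description=RTPEngine media proxy (illustrative unit, not the repository's)
After=network.target

[Service]
# Variables set in the config file installed above (assumed to be in KEY=value form)
EnvironmentFile=/etc/default/rtpengine-conf
# Type=simple assumes rtpengine-start runs rtpengine with --foreground;
# if the wrapper lets the daemon fork, use Type=forking and a PIDFile= instead.
Type=simple
ExecStart=/usr/bin/rtpengine/rtpengine-start
# Runs after the daemon has exited, on a clean stop and after a crash alike:
# remove the iptables rule, delete the kernel forwarding table, unload xt_RTPENGINE.
ExecStopPost=/usr/bin/rtpengine/rtpengine-stop-post
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

After placing a unit like this, run # systemctl daemon-reload so systemd reads it, and # systemd-analyze verify /usr/lib/systemd/system/rtpengine.service to catch typos in directive names before the first start. Since both helpers run as root, check that /usr/bin/rtpengine/ and the scripts in it are owned by root and not writable by anyone else.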

After copying a new unit file, run # systemctl daemon-reload so systemd picks it up. Now you can enable, start, stop and query the rtpengine service as follows:

# systemctl enable rtpengine.service

# systemctl start rtpengine.service

# systemctl status rtpengine.service

# systemctl stop rtpengine.service

If you enable the service, systemd will start rtpengine automatically after boot.

This work is a translation of the Sipwise ngcp-rtpengine-daemon init script into the form systemd needs.