edwin
/
thelyoncompany.com
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Upload files to 'content/english/blog'

Browse Source
master
Edwin Lyon 3 years ago
parent b855b72986
commit 423c01fcd7
5 changed files with 873 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 7
      content/english/blog/_index.md
  2. 372
      content/english/blog/bastion.md
  3. 379
      content/english/blog/hardening-linux.md
  4. 93
      content/english/blog/installation.md
  5. 22
      content/english/blog/qos.md

7
content/english/blog/_index.md
Unescape View File

@ -0,0 +1,7 @@
---
title : "BLOG"
description : "Cyber Security & IT Infrastructure Blog"
draft : false
---
## **Latest Post**

372
content/english/blog/bastion.md
Unescape View File

@ -0,0 +1,372 @@
---
title: "Bastion Host On DigitalOcean"
date: 2021-09-14T21:17:12+06:00
image: "images/blog/blog-post-4.jpg"
author: "Edwin Lyon"
categories: ["cybersecurity","cloud"]
tags: ["ubuntu","harden","security","linux","digital ocean","bastion-host","cloud"]
description : "Hardening Your Ubuntu 20.0.4 LTS Cloud Server With A Bastion Host"
draft: false
type: "post"
---
## **What is a Bastion Host?**
A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. There are two common network configurations that include bastion hosts and their placement.
The first requires two firewalls, with bastion hosts sitting between the first "outside world" firewall, and an inside firewall, in a DMZ. Often, smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.
### **Getting Started**
You can use the referral badge below to get started with a $100 credit from Digital Ocean or use this link to [DigitalOcean](https://m.do.co/c/42cf2120197b).
[![DigitalOcean Referral Badge](https://web-platforms.sfo2.cdn.digitaloceanspaces.com/WWW/Badge%201.svg)](https://www.digitalocean.com/?refcode=42cf2120197b&utm_campaign=Referral_Invite&utm_medium=Referral_Program&utm_source=badge)
### **DigitalOcean VPC**
On 7 April, 2020, the VPC service replaced the Private Networking service on DigitalOcean.
> A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks provide a more secure connection between resources because the network is inaccessible from the public internet and other VPC networks. Traffic within a VPC network doesn’t count against bandwidth usage.
VPC are available at no additional cost and are enabled by default. They serve the same function as VLANs do. You have two options, you can either manual create a VPC network or if you don't have a VPC network DigitalOcean will create it for you when you build a new VPS.
### **DigitalOcean Cloud Firewalls**
> Cloud Firewalls affect both public and VPC network traffic. Rules specific to either must specify the public or private IP range.
We will be creating two cloud firewall rules, one named public-network and the other named private-network. These will be used as Access Control Lists to help protect our VPC network.
Both the Public-Network and Private-Network cloud firewalls should be added to the bastion-host, while only the Private-Network cloud firewall should be added to all other members of your VPS.
**PUBLIC-NETWORK**
* INBOUND RULES :
**Type** | **Protocol** | **Port Range** | **Sources**
:--- | :--- | :--- | :---
ICMP | ICMP | None | All IPv4, All IPv6
SSH | TCP | 22 | All IPv4, All IPv6
HTTP | TCP | 80 | All IPv4, All IPv6
HTTPS | TCP | 443 | All IPv4, All IPv6
CUSTOM | UDP | 51820 | All IPv4, All IPv6
* OUTBOUND RULES :
**Type** | **Protocol** | **Port Range** | **Sources**
:--- | :--- | :--- | :---
ICMP | ICMP | None | All IPv4, All IPv6
All TCP | TCP | All Ports | All IPv4, All IPv6
All UDP | UDP | All Ports | All IPv4, All IPv6
**PRIVATE-NETWORK**
* INBOUND RULES :
**Type** | **Protocol** | **Port Range** | **Sources**
:--- | :--- | :--- | :---
ICMP | ICMP | None | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
All TCP | TCP | All Ports | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
All UDP | UDP | All Ports | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
* OUTBOUND RULES :
**Type** | **Protocol** | **Port Range** | **Sources**
:--- | :--- | :--- | :---
ICMP | ICMP | None | All IPv4
All TCP | TCP | All Ports | All IPv4
All UDP | UDP | All Ports | All IPv4
I also recommend creating new ssh keys to add to your bastion-host.
```bash
ssh-keygen -b 4096 -a 1000 -t rsa -f ~/.ssh/id_rsa
```
Let's lock down your ssh service.
```bash
$ sudo mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Harden SSH Settings
$ sudo cat <<-EOF > /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
AcceptEnv LANG LC_*
AllowGroups root sudo
Banner /etc/issue.net
ChallengeResponseAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
ClientAliveCountMax 0
ClientAliveInterval 300
Compression no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
LoginGraceTime 20
LogLevel VERBOSE
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
MaxAuthTries 3
MaxSessions 3
MaxStartups 10:30:60
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitUserEnvironment no
PrintLastLog yes
PrintMotd no
StrictModes yes
Subsystem sftp internal-sftp
UseDNS no
UsePAM yes
X11Forwarding no
AllowTcpForwarding yes
EOF
```
Create a new set of ssh host keys.
```bash
## Update ssh_host keys
rm /etc/ssh/ssh_host_*
ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ""
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
```
We need to edit the netplan for both the bastion-host and the webproxy so that the bastion-host handles all routing.
```bash
sudo nano /etc/netplan/50-cloud-init.yaml
```
You can read more details on editing your netplan on DigitalOcean.
```nano
network:
version: 2
ethernets:
eth0:
addresses:
- xxx.xxx.xxx.xxx/20
- 26xx:xxxx:x:xxx::xx:xxxx/64
gateway4: xxx.xxx.xxx.1
gateway6: 26xx:xxxx:x:xxx::1
match:
macaddress: ab:ab:ab:ab:ab:ab
nameservers:
addresses:
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
search: [technerdonline.com]
eth1:
addresses:
- 10.128.0.2/20
match:
macaddress: ba:ba:ba:ba:ba:ba
nameservers:
addresses:
- 10.128.0.2
search: [local]
routes:
- to: 10.128.0.0/20
via: 10.128.0.2
```
On the proxy server make the following netplan change.
```nano
network:
version: 2
ethernets:
eth0:
addresses:
- xxx.xxx.xxx.xxx/20
- 26xx:xxxx:x:xxx::xx:xxxx/64
#gateway4: xxx.xxx.xxx.1
#gateway6: 26xx:xxxx:x:xxx::1
match:
macaddress: ab:ab:ab:ab:ab:ab
nameservers:
addresses:
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
search: [technerdonline.com]
eth1:
addresses:
- 10.128.0.3/20
match:
macaddress: ba:ba:ba:ba:ba:ba
nameservers:
addresses:
- 10.128.0.2
search: [local]
routes:
- to: 0.0.0.0/0
via: 10.128.0.2
```
Apply the netplan changes.
```bash
sudo netplan apply
```
We will need to create a set of IPTABLES rules for both IPv4 and IPv6 but first we need to load some Kernel modules.
```bash
sudo nano /etc/modules-load.d/iptables.conf
```
```nano
overlay
br_netfilter
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
iptable_nat
iptable_filter
iptable_mangle
ip_nf_target_redirect
ip_set
ip_vs_nfct
ip_vs_proto_tcp
ip_vs_proto_udp
veth
bridge
bridge_netfilter
ip_nf_filter
ip_nf_target_masquerade
netfilter_xt_match_addrtype
netfilter_xt_match_conntrack
netfilter_xt_match_ipvs
nf_nat
```
Copy and paste the following content, replacing PUBLIC_IP with the public IP address of the bastion-host, WEBPROXY_PRIVATE_IP with the VPC IP address for the webproxy, and BASTION_PRIVATE_IP with the VPC IP address with the bastion host private IP.
```bash
nano ipv4.conf
```
```nano
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d {PUBLIC_IP} -p tcp -m tcp --dport 80 -j DNAT --to-destination {WEBPROXY_PRIVATE_IP}:80
-A PREROUTING -i eth0 -d {PUBLIC_IP} -p tcp -m tcp --dport 443 -j DNAT --to-destination {WEBPROXY_PRIVATE_IP}:443
-A POSTROUTING -d {WEBPROXY_PRIVATE_IP} -o eth1 -p tcp -m tcp --dport 80 -j SNAT --to-source {BASTION_PRIVATE_IP}
-A POSTROUTING -d {WEBPROXY_PRIVATE_IP} -o eth1 -p tcp -m tcp --dport 443 -j SNAT --to-source {BASTION_PRIVATE_IP}
-A POSTROUTING -s {BASTION_PRIVATE_IP} -o eth0 -j SNAT --to-source {PUBLIC_IP}
-A POSTROUTING -s {PRIVATE_SUBNET} ! -d {PRIVATE_SUBNET} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate NEW -s {PRIVATE_SUBNET} -j ACCEPT
-A INPUT -j FILTERS
-A INPUT -j DROP
-A FORWARD -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth1 -m conntrack --ctstate NEW -s {PRIVATE_SUBNET} -j ACCEPT
-A FORWARD -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -s {PRIVATE_SUBNET} -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j FILTERS
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A FILTERS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --syn --dport 22 -j ACCEPT
-A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --syn --dport 80 -j ACCEPT
-A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --syn --dport 443 -j ACCEPT
-A FILTERS -p udp -m conntrack --ctstate NEW -m udp --dport 51820 -j ACCEPT
-A FILTERS -p udp -m conntrack --ctstate NEW -m udp --dport 51821 -j ACCEPT
-A FILTERS -m conntrack --ctstate INVALID -j DROP
-A FILTERS -j REJECT
COMMIT
```
Now create IPTABLES Rules for IPv6.
```bash
nano ipv6.conf
```
```nano
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 5/sec -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 5/sec -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 5/sec -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 5/sec -j ACCEPT
-A INPUT -j FILTERS
-A INPUT -j DROP
-A FILTERS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A FILTERS -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A FILTERS -m conntrack --ctstate INVALID -j DROP
-A FILTERS -j REJECT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A FORWARD -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j FILTERS
-A FORWARD -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j FILTERS
-A FORWARD -j REJECT
COMMIT
```
Apply the iptables rules and install iptables-persistent.
```bash
sudo iptables-restore -n ipv4.conf
sudo ip6tables-restore -n ipv6.conf
sudo iptables-save
sudo ip6tables-save
sudo apt install iptables-persistent
```
Simply install your favorite web server on the proxy droplet (i.e. nginx, caddy, haproxy etc). I would also suggest installing wireguard on the bastion host, it is also pretty easy to get a secure wireguard mesh network setup if you have multiple VPC.

379
content/english/blog/hardening-linux.md
Unescape View File

@ -0,0 +1,379 @@
---
title: "Hardening Your Cloud Server"
date: 2021-08-02T21:17:12+06:00
image: "images/blog/blog-post-5.jpg"
author: "Edwin Lyon"
categories: ["cybersecurity","cloud"]
tags: ["ubuntu","harden","security","linux","cloud","digital ocean","cloud"]
description : "Hardening Your Ubuntu 20.0.4 LTS Cloud Server"
draft: false
type: "post"
---
Taking the extra steps to protect your Ubuntu or Debian cloud droplet takes only a little effort and time but will have a huge long term impact on your cyber security. You can use the referral badge below to get started with a $100 credit from Digital Ocean or use this link to [DigitalOcean](https://m.do.co/c/42cf2120197b).
[![DigitalOcean Referral Badge](https://web-platforms.sfo2.cdn.digitaloceanspaces.com/WWW/Badge%201.svg)](https://www.digitalocean.com/?refcode=42cf2120197b&utm_campaign=Referral_Invite&utm_medium=Referral_Program&utm_source=badge)
### **1. ASSESS & IDENTIFY THE RISK**
Undertaking a review to identify potential risks is a important first step. Some useful techniques for identifying risks are:
* **NMAP** is a great tool to help identify potential risks. DigitalOcean has a pretty good guide **[HERE](https://www.digitalocean.com/community/tutorials/how-to-test-your-firewall-configuration-with-nmap-and-tcpdump)**.
* **Tenable** offers a great solution that also provides a very friendly report. Although normally a Nessus Professional license isn't cheap, Tenable does offer a free version as well. You can download the free version **[HERE](https://www.tenable.com/downloads/nessus?loginAttempted=true)**.
* **Sn1per** is a open source solution that puts together a number of great open projects to deliver a very effective and easy to use package. You can check out the project on Github **[HERE](https://github.com/1N3/Sn1per)**.
* **Lynis** is a open source tool that audits and grades your linux operating system's security. You can check out the project on Github **[HERE](https://github.com/CISOfy/lynis)**.
### **2. REDUCE THE RISK**
Once you have an idea of what potential cyber security risks you face you should start to take the steps to reduce those risks.
Set the default user profile to "umask 027" it is a good compromise between security and simplicity. A umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 makes files and directories readable by users in the same Unix group (i.e. "sudo" or "root"), while a umask of 022 makes files readable by every user on the system.
```bash
# Setting global umask
sudo echo "umask 027" >> /etc/profile
```
Restrict at and cron to authorized users only.
```bash
# First Remove both at.deny & cron.deny
sudo rm /etc/cron.deny 2> /dev/null
sudo rm /etc/at.deny 2> /dev/null
# Second create both at.allow & cron.allow
sudo echo 'root' > /etc/cron.allow
sudo echo 'root' > /etc/at.allow
# Third set the ownership to root
sudo chown root:root /etc/cron*
sudo chown root:root /etc/at*
```
Use the hosts.allow and hosts.deny files to help restrict access to services. For example the only IP address that should have access to NRPE on port 5666 is your Nagios server.
```bash
# Setup Some Access Control Rules
sudo echo 'sshd : ALL : ALLOW' > /etc/hosts.allow
# Or if this Node should only be accessible via a bastion-host
sudo echo 'sshd: 192.168.0.2' > /etc/hosts.allow
sudo echo 'ALL: LOCAL, 127.0.0.1' >> /etc/hosts.allow
sudo echo 'NRPE: 192.168.0.2' >> /etc/hosts.allow
sudo echo 'ALL: PARANOID' > /etc/hosts.deny
sudo chmod 644 /etc/hosts.allow
sudo chmod 644 /etc/hosts.deny
```
Limit visibility of running processes to those services that started the process or users in the same group.
```bash
# Edit fstab & Hide PID2
sudo echo 'proc /proc proc defaults,hidepid=2 0 0' >> /etc/fstab
```
Disable Root Recovery console, but make sure you have set a root password first.
```bash
# GRUB enable swap & disable root recovery
sudo echo 'GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"' >> /etc/default/grub
sudo echo 'GRUB_DISABLE_RECOVERY="true"' >> /etc/default/grub
sudo update-grub
```
It may seem unimportant, but having the time stamps match your timezone will make things easier later on when you are reviewing your logs and reports.
```bash
# Setup NTP
sudo timedatectl set-ntp true
sudo timedatectl set-timezone America/Los_Angeles
sudo echo 'servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org' >> /etc/systemd/timesyncd.conf
```
```bash
sudo apt update
sudo apt install apparmor apparmor-profiles apparmor-utils apparmor-easyprof -y
# Enforce apparmor profiles
sudo echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor
sudo systemctl start apparmor.service
sudo systemctl enable apparmor.service
```
```bash
sudo apt update
sudo apt install libpam-tmpdir libpam-apparmor libpam-cracklib -y
```
Disable USB access on your cloud node.
```bash
# Install USBGuard
sudo apt update
sudo apt install usbguard -y
# Setting up USBGuard
sudo usbguard generate-policy > /tmp/rules.conf
sudo install -m 0600 -o root -g root /tmp/rules.conf /etc/usbguard/rules.conf
```
Securing your remote access services isn't just about disabling root access and enabling authorized keys in your SSH configuration.
```bash
sudo mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Harden SSH Settings
sudo cat <<-EOF > /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
AcceptEnv LANG LC_*
AllowGroups root sudo
Banner /etc/issue.net
ChallengeResponseAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
ClientAliveCountMax 0
ClientAliveInterval 300
Compression no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
LoginGraceTime 20
LogLevel VERBOSE
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
MaxAuthTries 3
MaxSessions 3
MaxStartups 10:30:60
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitUserEnvironment no
PrintLastLog yes
PrintMotd no
StrictModes yes
Subsystem sftp internal-sftp
UseDNS no
UsePAM yes
X11Forwarding no
AllowTcpForwarding no
EOF
sudo systemctl daemon-reload
sudo systemctl restart ssh.service
```
Now update your host keys and test ssh by starting a 2nd session.
```bash
## Switch to root
sudo su -
## Update ssh_host keys
rm /etc/ssh/ssh_host_*
ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ""
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
```
### **3. MANAGE YOUR RISK**
```bash
sudo apt update
sudo apt install dbconfig-common dbconfig-sqlite3 sqlite3 fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.d/jail.local
sudo systemctl restart fail2ban
```
```bash
sudo apt update
sudo apt install rkhunter -y
sudo dpkg-reconfigure rkhunter
```
```bash
sudo cat <<-EOF > /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
```
### **4. MONITOR YOUR RISK**
Auditd can be a pretty powerful tool once you have the audit rules setup as it will give you valuable insights about your server performance and activities by ensuring that they are written to your logs.
```bash
sudo apt update
sudo apt install auditd audispd-plugins -y
# Setup Auditd Rules and Logging
sudo cat <<-EOF > /etc/audit/rules.d/docker.rules
# Remove any existing rules
-D
# Buffer Size
-b 8192
# Ignore errors
-i
# Failure Mode
-f 1
# Audit the audit logs
-w /var/log/audit/ -k auditlog
# Auditd configuration
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
# Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
# Monitor AppArmor configuration changes
-w /etc/apparmor/ -p wa -k apparmor
-w /etc/apparmor.d/ -p wa -k apparmor
# Monitor usage of AppArmor tools
-w /sbin/apparmor_parser -p x -k apparmor_tools
-w /usr/sbin/aa-complain -p x -k apparmor_tools
-w /usr/sbin/aa-disable -p x -k apparmor_tools
-w /usr/sbin/aa-enforce -p x -k apparmor_tools
# Monitor Systemd configuration changes
-w /etc/systemd/ -p wa -k systemd
-w /lib/systemd/ -p wa -k systemd
# Monitor usage of systemd tools
-w /bin/systemctl -p x -k systemd_tools
-w /bin/journalctl -p x -k systemd_tools
# Special files
-a always,exit -F arch=x86_64 -S mknod -S mknodat -k specialfiles
-a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles
# Mount operations
-a always,exit -F arch=x86_64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
# Changes to the time
-a always,exit -F arch=x86_64 -S settimeofday -k audit_time_rules
-a always,exit -F arch=x86_64 -S adjtimex -k audit_time_rules
-a always,exit -F arch=x86_64 -S clock_settime -k audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
# Cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
# User, group, password databases
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
# MAC-policy
-w /etc/selinux/ -p wa -k MAC-policy
# Monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification
# Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
# Monitor module tools
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
# Login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
# Network configuration
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/network/ -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
# System startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
# Library search paths
-w /etc/ld.so.conf -p wa -k libpath
# Local time zone
-w /etc/localtime -p wa -k localtime
# Time zone configuration
-w /etc/timezone -p wa -k audit_time_ruleszone
# Kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
# Modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d/ -p wa -k modprobe
-w /etc/modules -p wa -k modprobe
# Module manipulations
-a always,exit -F arch=x86_64 -S init_module -S delete_module -F key=modules
-a always,exit -F arch=x86_64 -S init_module -F key=modules
-a always,exit -F arch=b32 -S init_module -S delete_module -F key=modules
-a always,exit -F arch=b32 -S init_module -F key=modules
# PAM configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
# Postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
# SSH configuration
-w /etc/ssh/sshd_config -k sshd
# Changes to hostname
-a always,exit -F arch=x86_64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
# Changes to issue
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
# Capture all unauthorized file accesses
-a always,exit -F arch=x86_64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
# Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k actions
-w /usr/bin/sudo -p x -k actions
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d -p wa -k actions
# Make the configuration immutable
-e 2
EOF
sudo systemctl start auditd
sudo systemctl enable auditd
```
You can then install logcheck or logwatch to get more detailed reports emailed to you. In addition you can use projects like [mkcert](https://github.com/FiloSottile/mkcert) or [cfssl](https://github.com/cloudflare/cfssl) to enable TLS for internal communications between software like nrpe and nagios for example.
Follow this link for setting up a bastion screening host [here](https://thelyoncompany.com/blog/bastion/) or for my personal git project go [here](https://git.technerdonline.com/edwin/bastion-host-ubuntu).

93
content/english/blog/installation.md
Unescape View File

@ -0,0 +1,93 @@
---
title: "How To Setup Meghna Hugo"
date: 2018-09-12T14:51:12+06:00
author: Mark Dinn
# post thumbnail
image: "images/blog/blog-post-2.jpg"
description : "How To Setup Meghna Hugo"
categories: ["web"]
tags: ["linux","html5","hugo","website"]
type: "post"
---
These steps can be applied to most hugo themes. Once you are happy with your theme you can generate the static files and copy the public folder to your web server (i.e - nginx, caddy, apache, etc).
**Install this template by following these simple steps :**
#### STEP-1 : Hugo installation
Check this link below for install hugo on your computer.
[hugo install documentation](https://gohugo.io/getting-started/installing/)
#### STEP-2 : Create your project
Hugo provides a `new` command to create a new website.
```
hugo new site <new_project>
```
#### STEP-3 : Install the theme
Run this command
```
hugo new site meghna-hugo
```
and then go to the themes folder inside of meghna-hugo folder. You can also use this command ```cd meghna-hugo/themes``` for going to this folder.
Then run the command
```
git clone git@github.com:themefisher/meghna-hugo.git
```
Alternatively, you can [download the theme as .zip](https://github.com/themefisher/meghna-hugo/archive/master.zip) file and extract it in the `themes` directory
After that you need to go to the `meghna-hugo/exampleSite` folder and copy or cut all the elements, and now go back to the root folder and paste it here.
open the command prompt again and run `cd ../` command for go back to the root folder.
#### STEP-4 : Host locally
Launching the website locally by using the following command:
```
hugo server
```
Go to `http://localhost:1313`
Or you can check this video documentation for installing this template:
{{< youtube 3O3qvDoVp5g >}}
#### STEP-5 : Basic configuration
When building the website, you can set a theme by using `--theme` option. However, we suggest you modify the configuration file (`config.toml`) and set the theme as the default.
```toml
# Change the default theme to be use when building the site with Hugo
theme = "meghna-hugo"
```
#### STEP-6 : Create your first content pages
```
hugo new blog/post-name.md
```
#### STEP-7 : Build the website
When your site is ready to deploy, run the following command:
```
hugo
# You can also create a minified version by using this command:
hugo --minify
```
A `public` folder will be generated, containing all static content and assets for your website. It can now be deployed on any web server.
<br>
You can use the referral badge below to get started with a $100 credit from Digital Ocean or use this link to [DigitalOcean](https://m.do.co/c/42cf2120197b).
[![DigitalOcean Referral Badge](https://web-platforms.sfo2.cdn.digitaloceanspaces.com/WWW/Badge%201.svg)](https://www.digitalocean.com/?refcode=42cf2120197b&utm_campaign=Referral_Invite&utm_medium=Referral_Program&utm_source=badge)

22
content/english/blog/qos.md
Unescape View File

@ -0,0 +1,22 @@
---
title: "Improve Your Conferencing"
date: 2021-01-30T14:51:12+06:00
# post thumbnail
image: "images/blog/blog-post-1.jpg"
author: Edwin Lyon
categories: ["conferencing","performance"]
tags: ["advice","remote","QoS","VoIP"]
description: "Using Quality of Service to Improve Video Conferencing Sessions"
draft: false
type: "post"
---
Video Conferencing services have become extremely popular and are critical in facilitating professional face-to-face meetings between businesses. Using Quality of Service will improve your video conferencing experience. So when the video conferencing service isn't performing well, latency, jitter, or dropped connections it can quickly become critical to your business to fix the problem as quickly as possible. Especially if the problem is happening across multiple video conferencing services.
I am going to suggest the first thing to check is that you have **Quality of Service** or QoS setup on your network devices. Video Conferencing services and Voice over IP for that matter all use UDP packets. UDP is a simple, stateless, and fast transport layer used by services and protocols that require speed such as real-time streaming protocols, Voice over IP, and streaming media services as well as online gaming services. While it is pretty straight forward, with little overhead their is no guaranteed or verification of the packets being received or the order of the packets.
A noisy network with either a lot of clients or traffic can cause enough latency or congestion to make for a poor video conferencing experience and in most cases it isn't going to be an issue of inadequate bandwidth. Quality of Service or QoS manages the flow of traffic by prioritizing packets, preventing potential traffic jams, so network devices don't have to drop packets entirely. It basically lets certain packets that match the rules that you have created to have priority over traffic that doesn't match those same rules.
Essentially you can think of it like the car pool lane or toll road, any packets that are marked by the QoS policy as having priority are moved to the fast lane and are allowed to move ahead of packets with a lower priority. In order to get QoS setup you will need two pieces of information.
First your average upload/download bandwidth which you can get from any number of speed test sites. Second the UDP ports of the video conferencing service, for example Zoom's UDP ports would be 3478-3479, and 8801-8810. QoS would need to be enabled and configured on the edge firewall as well as any network switches and routers the traffic would pass on the business's network. For remote workers, most retail firewall support QoS and its a simple matter to enable and setup the ports, an example would be setting up Web Ex with a value of "7" while setting Netflix with a value of "6" and configuring HTTP, and HTTPS with a value of "4". In this case you would be able to use Web Ex without performance issues while the kids are watching Netflix or surfing the web.
Write Preview
Loading…
Cancel
Save