[Guide] Advanced INTERNAL Server Protection (Stop Brute Force, Port Scans...) [Linux]

Discussion in 'Systems Administration' started by NewEraStudios, Mar 20, 2018.

  1. Is your Network popular and some people want to steal files or information from you?
    Don't worry! In this post I will provide you with the solutions against good attackers.

    FIRST STEP - CHANGE SSH PORT AND DISABLE ROOT USER ACCESS

    This is a basic and easy step, and it is REALLY useful, as the majority of the lamers that try to get into your server, by default, if they are not that skilled, will try to Brute Force (password attack) the default SSH port, and they will mostly try with the Root User. There are tools to discover the SSH port, obviously, port scanning, but we will also block Port-Scans in this post :)

    CHANGE SSH PORT
    First, use the command "sudo su" and enter your root password.

    Second, use the command "apt-get install nano" if you don't have Nano installed yet; it's a good file editor.

    Third, use the command "nano /etc/ssh/sshd_config"

    Fourth, look for Port and change the 22 to any port up to 1020; if there is a # before Port, delete the #, because if you don't delete it, the change will just be ignored.

    DISABLE ROOT USER ACCESS AND CREATE NEW USER

    First, use the command "sudo su" and enter your root password.

    Second, create a new USER, so you will have to log in not as Root but as another USER. Use the command

    "useradd -d /home/newuser newuser" (Change "newuser" to the one that you want)

    Third, use the command "apt-get install nano" if you don't have Nano installed yet; it's a good file editor

    Fourth, use the command "nano /etc/ssh/sshd_config"

    Fifth, look for "# PermitRootLogin yes" and change it to " PermitRootLogin no"

    Finally, use the command "service ssh restart" to apply changes

    With the First Step, you have made Brute Force Attacks and also normal Intrusions more difficult in some way.
    Also, now, every time that you want to do an action, it will ask you for the password (x999 more security)


    SECOND STEP - FILTER PORTS FOR MORE SECURITY

    You will need to Filter Ports to be more protected, and only leave Open those ports that you really need to use.
    So you will need to do the following to filter ports. We will use a Tool Called "ufw", as it is so simple and easy to use (it uses IPTables but in an easy way).

    First, use the command "apt-get install ufw" to install UFW (initials of Uncomplicated FireWall)

    Second, use the command "service ufw start" to start the service and use "ufw enable" to enable the firewall.

    Third, use the command "ufw allow (your new ssh port)" IMPORTANT! Or you will lose access to your server!

    Fourth, use the command "ufw allow (port)" and do it for ALL ports that you need to use for your dedicated, maybe SQL (3306), or any you want to use.


    THIRD STEP - BLOCK ALL PORT SCANS
    We will use Port Sentry to block all Port Scans, as it is an Updated and Good Tool for this.

    First, use the command "apt-get install portsentry"

    Second, when you run the command to install it, a Configuration Window will appear; just click Accept.

    Third, use the command "nano /etc/portsentry/portsentry.conf" and let's configure PortSentry :)

    Fourth, make the following changes from the PortSentry config:

    From BLOCK_UDP="0" to BLOCK_UDP="1"
    From BLOCK_TCP="0" to BLOCK_TCP="1"
    From ADVANCED_PORTS_TCP="1024" to ADVANCED_PORTS_TCP="(Your Highest Opened Port)"
    From ADVANCED_PORTS_UDP="1024" to ADVANCED_PORTS_UDP="(Your Highest Opened Port)"
    From RESOLVE_HOST = "0" to RESOLVE_HOST = "1"

    Fifth, use the command "service portsentry restart"


    FOURTH STEP - BLOCKING BRUTE FORCE ATTACKS
    We will use a tool called fail2ban for this. This will prevent IPs from failing the Password so many times.

    First, use the command "apt-get install fail2ban" and let's configure it :)

    Second, run the command "nano /etc/fail2ban/jail.conf"


    Third, make the following changes to the config:

    From bantime = 600 to bantime = 36000
    From findtime = 600 to findtime = 86400


    Then, go to the [sshd] part and make it look like this:

    [sshd]

    port = (Your New SSH PORT)
    logpath = %(sshd_log)s

    Last, run the command "service fail2ban restart" to apply changes

    Then, if you use SQL, go take a look at the SQL part and change it too; you can enable or disable any service you want and change the fail-attempts configuration of every service.


    FIFTH STEP - DENY ICMP REQUESTS (OPTIONAL)
    Optionally, denying ICMP requests can be done to stop ping-based DDoS and also some Exploits that must ping the Server with ICMP.

    You can use one of these commands to prevent ICMP requests; use whichever works for you:

    The command to disable ICMP requests is: echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    If you want to re-enable ICMP requests, change the 1 to a 0.


    SIXTH STEP - INSTALL AN ANTIBOT PLUGIN (2019)
    2019 is here, and bot attack speeds have increased so much. In addition, another developer and I have made a Unique AntiBot system for BungeeCord.

    It has been tested against 7,000 bots per second, and it's not currently bypassed by any booting program, including mcspam site, minebot, etc... All of them are blocked without any issues. Also, we achieved getting a 0% false positive chance.

    The only thing that is required is that, if an attack is going on, only NEW users have to ping the server list once and then join, or not ping the server list and then join, depending on the Checks. It's like a fast captcha inside Minecraft.

    The cost of the AntiBot is 8.99€; take a look at the Spigot page to see all the features
    https://www.spigotmc.org/resources/...ttacks-handling-10-000-bots-per-second.55924/



    If you found the tutorial useful and it worked for you :) Just give a good comment, and a positive rating on my profile :) Thank you very much.

    If you find any error or have any question, just ask it and I'll fix it or answer you :)
     
    #1 NewEraStudios, Mar 20, 2018
    Last edited: Jan 9, 2019
  2. Great post, most of these work very well.
     
  3. Thank you very much :)
     
  4.
    I'm honestly shocked that there's nothing in this guide about ssh keys, when it says "server protection" in the title.

    First thing you should be doing when getting a new server is disabling password authentication and setting up ssh keys on your accounts, then all the other steps listed in this guide.
     
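    As an added example (not code from this thread, from NewEraStudios, or from any project mentioned here), the following POSIX shell script applies the sshd_config changes from post #1 (new port, PermitRootLogin no) together with the key-only login that post #4 asks for (PasswordAuthentication no), writes the fail2ban settings from post #1 into a jail.local fragment, and then verifies the result. It works on a constructed copy of sshd_config in a temporary directory, so no root is needed and nothing on the host is changed; the port 2222, the file paths and the sample config lines are illustrative assumptions. The ufw and portsentry steps are not covered.

```shell
#!/bin/sh
# Added example (not from the thread): apply the sshd_config hardening from
# post #1 (new port, no root login) and post #4 (key-only login) to a COPY
# of the file, write a fail2ban jail.local fragment, and verify the result.
# Assumptions: stock OpenSSH keywords; port 2222 and all paths are illustrative.

# set_sshd_option FILE KEY VALUE
# Replace every "KEY ..." line, commented ("#Port 22", "# PermitRootLogin yes")
# or not, with "KEY VALUE"; append the line if the key is absent entirely.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        # Write to a temp file: 'sed -i' syntax differs between GNU and BSD.
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Print the effective value: sshd uses the first uncommented match, and
# keywords are case-insensitive.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no   # keys only (post #4)
    set_sshd_option "$1" PubkeyAuthentication yes
}

# check_sshd_config FILE
# Return 0 when all three settings are in place, 1 otherwise (findings on stdout).
check_sshd_config() {
    f=$1; rc=0
    [ "$(get_sshd_option "$f" PermitRootLogin)" = "no" ] \
        || { echo "finding: root login still permitted"; rc=1; }
    [ "$(get_sshd_option "$f" PasswordAuthentication)" = "no" ] \
        || { echo "finding: password authentication still enabled"; rc=1; }
    p=$(get_sshd_option "$f" Port)
    { [ -n "$p" ] && [ "$p" != "22" ]; } \
        || { echo "finding: sshd still listens on the default port 22"; rc=1; }
    return $rc
}

# write_fail2ban_jail FILE PORT
# fail2ban reads jail.conf and then jail.local, so local overrides belong in
# jail.local and survive package upgrades. Values mirror post #1.
write_fail2ban_jail() {
    cat > "$1" <<EOF
[DEFAULT]
bantime  = 36000
findtime = 86400

[sshd]
enabled = true
port    = $2
logpath = %(sshd_log)s
EOF
}

# Demo on a constructed sshd_config in a temporary directory (no root needed).
demo() {
    d=$(mktemp -d) || return 1
    printf '#Port 22\n# PermitRootLogin yes\nPasswordAuthentication yes\n' \
        > "$d/sshd_config"
    harden_sshd_config "$d/sshd_config" 2222
    write_fail2ban_jail "$d/jail.local" 2222
    check_sshd_config "$d/sshd_config" && echo "sshd_config is hardened:"
    cat "$d/sshd_config"
    rm -rf "$d"
}
demo
```

    To use it on a real host, point harden_sshd_config at /etc/ssh/sshd_config as root, run `sshd -t` to validate the file, open the new port in the firewall, and keep the current session open until a key-based login on the new port has been confirmed before restarting sshd; check_sshd_config can then be run periodically to detect the settings drifting back.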
  5. I do not entirely agree on this, it depends on how you are planning on using your server, and also how the rest of your security is set up...
     
  6. You can disagree all you want. No server is 99% secure without a security key.

    And yes, I meant 99%. There is no such thing as 100% secure.
     
  7. Added an important Sixth step in the Guide