Basic secure setup of LAMP server for Ubuntu

I came across a concise forum post on setting up security on a LAMP stack but experienced some issues getting it working on Ubuntu, so here is my updated guide.

http://www.howtoforge.com/ubuntu_debian_lamp_server

Please also use an up-to-date Debian system so that we don't run into dependency problems. In some cases you might want to install the build-essential package as well:

apt-get install build-essential

You will also need syslog-ng for logging (PSAD in step 4 depends on it):

apt-get install syslog-ng

Step 1: Installing webmin

“Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely.”

If you are like me and prefer to use APT to install packages, edit the /etc/apt/sources.list file on your system and add these lines:

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

You should also fetch and install the Webmin GPG key with which the repository is signed, with the commands:

cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

You will now be able to install with the commands:

apt-get update

apt-get install webmin

All dependencies should be resolved automatically.

The Manual Method

We start off with the web interface, which makes managing and setting up the firewall easier. Download the package:

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.500_all.deb

Install webmin with:

dpkg -i webmin_1.500_all.deb

If you get an error saying that dependencies are missing, just run:

apt-get -f install

Once it has installed, you can reach the web interface at this address:

http://localhost:10000

If this displays a login page, you have done it right.

Now we can start the fun part: setting up the firewall.

Step 2: Installing and configuring CSF firewall

Downloading CSF:

wget http://configserver.com/free/csf.tgz

Untar the package:

tar xvzf csf.tgz

Switch to the csf directory

cd csf

And just run the install script:

sh install.sh

If this completed without errors, we can now load csf into webmin.

Loading the module:

Log into your webmin interface and go to Webmin > Webmin Configuration > Webmin Modules.

In the local file field, fill in the path to the webmin module installed by csf:

/etc/csf/csfwebmin.tgz

and press Install Module.

If this goes well you will now see “ConfigServer Security & Firewall” under the SYSTEM tab in webmin.

Step 3: Configuring ConfigServer Security & Firewall

Go to the ConfigServer Security & Firewall tab in webmin and press “Firewall Configuration”.
For this tutorial we will just fill out the easiest part of the configuration, but feel free to explore the rest of what CSF can do.

Change these settings in the config:

Stop running CSF in testmode:

TESTING=1 to TESTING=0

Set the open ports (here we will just fill in what we need at the moment):

TCP_IN=21,22,80,10000

21 for FTP, 22 for SSH, 80 for the web server and 10000 for webmin (the last one is very important to remember, since it is how you reach webmin).

TCP_OUT=21,22,80,10000

Blocking ICMP (optional). This disables ping requests and answers. I personally like to set this to off, so that no specific ping attacks can be made with special packets.

ICMP_IN=0

ICMP_OUT=0

Protection against SYN floods (for web servers etc.):

SYNFLOOD=1

Protection against port floods:

PORTFLOOD=1

That should be all; scroll down to the end and press CHANGE to save the changes you have made to the config.
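Before switching TESTING off it is worth confirming that the ports you actually administer the box over are in TCP_IN, because once the firewall is live the configuration page itself is behind port 10000. The script below is an added example (it is not part of this tutorial or of CSF) that reads a csf.conf in CSF's KEY = "value" format and reports a config that is still in test mode or is missing a required port. The csf.conf excerpt is constructed for the demo; on a real server you would point csf_check at /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example, not from the tutorial or from CSF: sanity-check a csf.conf
# before enabling it. The sample below is a constructed excerpt of csf.conf.

SAMPLE_CSF_CONF="$(mktemp)"
cat > "$SAMPLE_CSF_CONF" <<'EOF'
# constructed csf.conf excerpt, still in test mode
TESTING = "1"
TCP_IN = "21,22,80,10000"
TCP_OUT = "21,22,80,10000"
ICMP_IN = "0"
EOF

# csf_get FILE KEY -> prints the value of KEY with the surrounding quotes removed
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# csf_has_port FILE KEY PORT -> succeeds when PORT is one of the comma-separated entries of KEY
csf_has_port() {
    csf_get "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

# csf_check FILE PORT... -> prints each problem found; succeeds only when the
# config is out of test mode and every listed port is allowed inbound
csf_check() {
    file="$1"; shift
    rc=0
    if [ "$(csf_get "$file" TESTING)" != "0" ]; then
        echo "TESTING is still enabled: csf's cron job will keep flushing the firewall"
        rc=1
    fi
    for p in "$@"; do
        if ! csf_has_port "$file" TCP_IN "$p"; then
            echo "port $p is missing from TCP_IN: you could lock yourself out"
            rc=1
        fi
    done
    return $rc
}

# Demo: require SSH (22) and webmin (10000) to stay reachable.
if csf_check "$SAMPLE_CSF_CONF" 22 10000; then
    echo "csf.conf looks safe to enable"
else
    echo "fix the problems above before setting TESTING=0"
fi
```

The ports you pass to csf_check are the ones you would need to get back in (SSH and webmin here); the script deliberately fails while TESTING is still "1", since in test mode CSF's cron job flushes the rules periodically and the checks would give a false sense of security.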

Using CSF will be explained in another tutorial later on, but the interface is very easy to understand: “View iptable logs” shows what csf has banned and why, and “View LFD logs” shows what it has picked up as suspicious processes, who has logged in through SSH and whether any port scans have been detected.

Step 4: Installing PSAD

As mentioned before, you need syslog-ng installed for psad to run properly. With that done, let's start!

Download and install psad:

apt-get install psad

http://www.cipherdyne.org/psad/download/

Set up syslog-ng to log things for PSAD (you don't need to use nano if you prefer another editor):

nano /etc/syslog-ng/syslog-ng.conf

Search for the “# Destinations” section and add this to the list:

destination psadpipe { pipe("/var/lib/psad/psadfifo"); };

Search for the “# filters” section of the config and add this line:

filter f_kerninfo { facility(kern); };

And at the very bottom of the config, add this line:

log { source(s_src); filter(f_kerninfo); destination(psadpipe); };

Restart syslog-ng:

/etc/init.d/syslog-ng restart

Now we have the logging in place and can start configuring psad:

nano /etc/psad/psad.conf

The most important parts are these; fill them in with your own information.

Your email address:

EMAIL_ADDRESSES

Your hostname (like http://localhost):

HOSTNAME

Set HOME_NET to NOT_USED:

HOME_NET                NOT_USED;  ### only one interface on box

If you want to set ports to ignore on scans you can do it like this (optional):

IGNORE_PORTS                tcp/88, udp/3000;

For IDS and iptables support:

ENABLE_AUTO_IDS             Y;
IPTABLES_BLOCK_METHOD       Y;

Now save and close the config.
Restart PSAD:

/etc/init.d/psad restart

Now all we need is to add iptables LOG rules to the INPUT and FORWARD chains, for both IPv4 and IPv6, so that psad has iptables logging to work with. That is done with these four commands:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG

That was all for PSAD; it should now be up and running, and a scan report can be produced with this command:

psad -S
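To see what psad is actually working from, here is an added example (not part of this tutorial and not psad's own code) that performs a stripped-down version of psad's analysis on the kernel LOG lines the four iptables rules above generate: for every source address it counts the distinct TCP ports that received a bare SYN, and any source above a threshold is reported as a likely port scan. The log lines are constructed for the demo; on a real server they arrive through the syslog-ng pipe configured above.

```shell
#!/bin/sh
# Added example, not from the tutorial or from psad: a minimal port-scan
# detector over iptables LOG lines. The log below is constructed for the demo.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 lamp kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN URGP=0
Mar  1 10:00:01 lamp kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Mar  1 10:00:01 lamp kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Mar  1 10:00:02 lamp kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=23 SYN URGP=0
Mar  1 10:00:02 lamp kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=25 SYN URGP=0
Mar  1 10:00:02 lamp kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=80 SYN URGP=0
Mar  1 10:00:03 lamp kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=443 SYN URGP=0
Mar  1 10:00:03 lamp kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=40008 DPT=53 LEN=40
Mar  1 10:00:04 lamp kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80 SYN URGP=0
Mar  1 10:00:04 lamp kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80 ACK URGP=0
Mar  1 10:00:05 lamp kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=443 SYN URGP=0
Mar  1 10:00:05 lamp kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=22 ACK SYN URGP=0
EOF

# scan_suspects LOGFILE THRESHOLD
# Prints "SRC distinct_ports" for every source that sent bare SYN packets to
# at least THRESHOLD distinct TCP destination ports, sorted by address.
scan_suspects() {
    awk -v thr="$2" '
        /PROTO=TCP/ {
            src = ""; dpt = ""; syn = 0; ack = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i == "SYN") syn = 1
                else if ($i == "ACK") ack = 1
            }
            # only a bare SYN (no ACK flag) is a fresh connection attempt;
            # each (source, port) pair is counted once however often it repeats
            if (syn && !ack && src != "" && dpt != "" && !seen[src, dpt]++)
                ports[src]++
        }
        END { for (s in ports) if (ports[s] + 0 >= thr + 0) print s, ports[s] }
    ' "$1" | sort
}

# Demo: with a threshold of 5 only 203.0.113.5 (6 distinct ports) is reported.
scan_suspects "$SAMPLE_LOG" 5
```

One caveat for this setup: CSF rebuilds the entire iptables rule set whenever it restarts, so LOG rules appended by hand with iptables -A do not survive a csf restart. Re-adding them from CSF's post-start hook (/etc/csf/csfpost.sh in the CSF versions I know; check yours) keeps psad fed after every restart.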

Step 5: Anti-DDoS

Setting up DDoS-Deflate is easier than you think; it only takes a few commands and changes. Download and install DDoS-Deflate:

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

To configure DDoS-Deflate you need to make a few small changes.
Open up the script in your favourite editor:

nano /usr/local/ddos/ddos.sh

Scroll down to add_to_cron() and you will find two occurrences of this line:

service crond restart

Change them to:

service cron restart

Change the shebang line from /bin/sh to /bin/bash, so the first line in ddos.sh should be #!/bin/bash.

Save and close the script and open up ddos.conf:

nano /usr/local/ddos/ddos.conf

Here you can change how ddos reacts in different situations; the relevant lines are:

How often the script is going to run (minutes):

FREQ=1

Number of connections a single IP needs to have open at the same time before it gets banned by the script:

NO_OF_CONNECTIONS=30

Set this to 0 to use iptables, since we don't use APF:

APF_BAN=0

Whether to kill the connections or not:

KILL=1

If you want emails about banned IPs, set your email address inside the quotes:

EMAIL_TO=""

Now save and close the config and run this command to add the script to crontab so that it runs every minute:

/usr/local/ddos/ddos.sh --cron
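The whole of DDoS-Deflate rests on one check: count the connections each remote address holds in netstat output and compare against NO_OF_CONNECTIONS. The script below is an added example (not from this tutorial and not DDoS-Deflate's own code) that performs that check, reading the threshold from a ddos.conf-style file so you can see which addresses a given NO_OF_CONNECTIONS would ban before the cron job does it for real. The netstat output and the ddos.conf excerpt are constructed for the demo; on a live server you would feed it the output of netstat -ntu and /usr/local/ddos/ddos.conf.

```shell
#!/bin/sh
# Added example, not from the tutorial or from DDoS-Deflate: the per-address
# connection count behind the NO_OF_CONNECTIONS threshold. Sample data below
# is constructed for the demo.

SAMPLE_NETSTAT="$(mktemp)"
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:50001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:50002       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:50003       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:50004       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40002      ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.9:5353       ESTABLISHED
EOF

SAMPLE_DDOS_CONF="$(mktemp)"
cat > "$SAMPLE_DDOS_CONF" <<'EOF'
# constructed ddos.conf excerpt with a deliberately low threshold
FREQ=1
NO_OF_CONNECTIONS=3
APF_BAN=0
KILL=1
EOF

# conf_get FILE KEY -> value of a KEY=value line in a ddos.conf-style file
conf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# flood_suspects NETSTAT_FILE THRESHOLD
# Prints "IP connections" for each remote address holding at least THRESHOLD
# connections (tcp, tcp6, udp), sorted by address. Header lines are skipped.
flood_suspects() {
    awk -v thr="$2" '
        $1 ~ /^(tcp|udp)/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # strip the remote port, leaving the address
            count[ip]++
        }
        END { for (a in count) if (count[a] >= thr + 0) print a, count[a] }
    ' "$1" | sort
}

# Demo: read the threshold from the config and list who would be banned.
THRESHOLD="$(conf_get "$SAMPLE_DDOS_CONF" NO_OF_CONNECTIONS)"
flood_suspects "$SAMPLE_NETSTAT" "$THRESHOLD"
```

Running this against real netstat output before enabling the cron job shows what a given threshold would do to your actual traffic: a browser with keep-alive holds several connections at once, and every user behind one NAT gateway shares a single address, so a low NO_OF_CONNECTIONS bans legitimate visitors along with the flood.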