Monday, August 18, 2014

Security: 10 Tips for Hardening a Linux Server

Posted by Darrel Haswell from SoftLayer Blog

In light of all the complex and specialized attacks on Internet-facing servers, it’s very important to protect your cloud assets from malicious assailants whose sole purpose is to leech, alter, expose, or siphon sensitive data, or even to shut you down. As someone who does a lot of Linux deployments, I like to have handy a Linux template with some extra security policies configured.

Securing your environment starts during the ordering process when you are deploying server resources. Sometimes you want to deploy a quick server without putting it behind an extra hardware firewall layer or deploying it with APF (Advanced Policy Firewall). Here are some security hardening tips I have set on my Linux template to have a solid base level of security when I deploy a Linux system.

Note: The following instructions assume that you are using CentOS or Red Hat Enterprise Linux.

1. Change the Root Password
Log in to your server and change the root password if you didn’t use an SSH key to gain access to your Linux system.

  • passwd (make sure the new password is strong).
  • Don't plan on using root directly.

2. Create a New User
The root user is the only user created on a new Linux install. You should add a new user for your own access and use of the server.

  • useradd <username>
  • passwd <username> (Make sure this is a strong password that’s different from your root password.)

3. Change the Password Age Requirements
Change the password age so you’ll be forced to change your password in a given period of time:

  • chage -M 60 -m 7 -w 7 <username>
    • M: Maximum number of days the password is valid
    • m: Minimum number of days required between password changes
    • w: Number of days of warning before the password expires

4. Disable Root Login
As Lee suggested in the last blog post, you should Stop Using Root!

  • When you need super-user permissions, use sudo instead of su. Sudo is more secure than su: when a user runs root-level commands through sudo, every command is logged by default in /var/log/secure. Furthermore, users have to authenticate themselves to run sudo commands, and that authentication is only cached for a short period of time.

5. Use Secure Shell (SSH)
The rlogin and telnet protocols don’t use an encrypted format, just plain text. I recommend using the SSH protocol for remote login and file transfers. SSH allows you to use encryption while communicating with your server. SSH is still open to many different types of attacks, though. I suggest using the following to lock SSH down a little bit more:

  • Remove the ability to SSH as root:
    1. vi /etc/ssh/sshd_config
    2. Find #PermitRootLogin yes and change it to PermitRootLogin no.
    3. Run service sshd restart.
  • Change the default SSH port (22). You can even use RSA keys instead of passwords for extra protection.
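
A small audit of the three sshd_config settings this tip covers, as an added example (not code from the original post or from SoftLayer). The two config samples are constructed, and the defaults assumed for absent directives are those of the OpenSSH versions shipped with CentOS/RHEL 6 and 7 at the time of the post.

```python
import re

# Constructed sample resembling a stock sshd_config (not from a real host);
# commented-out directives show sshd's defaults and are inactive.
STOCK_SSHD_CONFIG = """\
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed sample after applying the post's SSH advice.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Assumed defaults when a directive is absent (OpenSSH on CentOS/RHEL 6/7).
DEFAULTS = {"port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes"}

def parse_sshd_config(text):
    """Return active directives as {name_lowercase: value}.
    Like sshd, the first occurrence of a directive wins and '#' lines are
    ignored. Match blocks are not modelled: this is a top-level audit only."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)
        if len(parts) == 2:
            directives.setdefault(parts[0].lower(), parts[1].strip())
    return directives

def audit_sshd_config(text):
    """List the settings that still conflict with tip 5 of the post."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append("PermitRootLogin %s: set 'PermitRootLogin no'" % cfg["permitrootlogin"])
    if cfg["port"] == "22":
        findings.append("Port 22: consider a non-default port")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication yes: use keys and set it to 'no'")
    return findings
```

Run it against the live file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` after editing, and again after `service sshd restart` to confirm the active copy is the hardened one.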

6. Update Kernel and Software
Ensure your kernel and software patches are up to date. I like to make sure my Linux kernel and software are always up to date because patches are constantly being released with corrected security flaws and exploits. Remember you have access to SoftLayer’s private network for updates and patches, so you don’t have to expose your server to the public network to get updates. Run this with sudo to get updates on Red Hat or CentOS: yum update.

7. Strip Your System
Clean your system of unwanted packages. I strip my system of unnecessary software to avoid the vulnerabilities it brings with it. This is called “reducing the attack surface.” Packages like NFS, Samba, and even the X Window desktops (i.e., GNOME or KDE) contain vulnerabilities. Here’s how to reduce the attack surface:

  • List what is installed: yum list installed
  • List the package name: yum list <package-name>
  • Remove the package: yum remove <package-name>

8. Use Security Extensions
Use a security extension such as SELinux on RHEL or CentOS when you’re able. SELinux provides flexible Mandatory Access Control (MAC); running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. You’ll have to explore the official Red Hat documentation, which explains SELinux configuration. To check whether SELinux is running, run sestatus.

9. Add a Welcome/Warning
Add a welcome or warning display for when users remote into your system. The message can be created using MOTD (message of the day). MOTD’s sole purpose is to display messages on console or SSH session logins. I like for my MOTDs to read “Welcome to <hostname>. All connections are being monitored and recorded.”

  • I recommend editing it with vi /etc/motd

10. Monitor Your Logs
Monitor logs whenever you can. Some example logs that you can audit:

  • System boot log: /var/log/boot.log
  • Authentication log: /var/log/secure
  • Login records: /var/log/utmp or /var/log/wtmp
  • Whole-system logs and current activity: /var/log/messages
  • Authentication logs: /var/log/auth.log
  • Kernel logs: /var/log/kern.log
  • Crond logs (cron job): /var/log/cron.log
  • Mail server logs: /var/log/maillog

You can even move these logs to a bare metal server to prevent intruders from easily modifying them.
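
As an added example (not from the original post), here is the kind of check tip 10 has in mind, run over a constructed /var/log/secure excerpt: it counts failed SSH logins per source address, flags any attempts against root (which tip 5's PermitRootLogin no should make impossible), and pulls out every sudo command, which tip 4 says is logged there by default. Hostnames, users and addresses in the sample are made up.

```python
import re
from collections import Counter

# Constructed /var/log/secure excerpt (hostnames, users and addresses are made up).
SAMPLE_SECURE_LOG = """\
Aug 18 10:01:02 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 18 10:01:05 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51023 ssh2
Aug 18 10:01:09 web1 sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Aug 18 10:02:11 web1 sshd[2240]: Accepted publickey for darrel from 198.51.100.20 port 40001 ssh2
Aug 18 10:02:30 web1 sudo:   darrel : TTY=pts/0 ; PWD=/home/darrel ; USER=root ; COMMAND=/usr/bin/yum update
Aug 18 10:03:00 web1 sudo:   darrel : TTY=pts/0 ; PWD=/home/darrel ; USER=root ; COMMAND=/bin/vi /etc/ssh/sshd_config
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")

def summarize_secure_log(lines, threshold=3):
    """Summarize authentication activity from /var/log/secure lines.
    Returns failed logins per source, sources that reached `threshold`
    failures, attempts against root, accepted logins and all sudo commands."""
    failed = Counter()
    root_attempts = 0
    accepted, sudo = [], []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failed[src] += 1
            if user == "root":
                root_attempts += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(2), m.group(3)))  # (user, source address)
            continue
        m = SUDO.search(line)
        if m:
            sudo.append(m.groups())  # (invoking user, target user, command)
    return {
        "failed_by_source": dict(failed),
        "brute_force_sources": sorted(s for s, n in failed.items() if n >= threshold),
        "root_attempts": root_attempts,
        "accepted": accepted,
        "sudo": sudo,
    }
```

On a real host, feed it `open("/var/log/secure")` and alert on any non-empty brute_force_sources or non-zero root_attempts; the sudo list doubles as an audit trail of who changed what.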

This is just the tip of the iceberg when securing your Linux server. While not the most secure system, it gives you breathing room if you have to deploy quick servers for short duration tests, and so on. You can build more security into your server later for longer, more permanent-type servers.

- Darrel Haswell

Darrel Haswell is an advisory SoftLayer Business Partner Solution Architect.

Monday, December 02, 2013

Adopting Visual Studio and Team Foundation Server to Maintain the Application Lifecycle (Application Lifecycle Management - ALM)

This is just a share of how to apply TFS with Visual Studio for Application Lifecycle Management (ALM). The source is taken from http://msdn.microsoft.com/en-US/library/vstudio/dd286491(v=vs.110)

This topic introduces a tutorial that follows the members of a fictional team as they gradually adopt Visual Studio as their solution for application lifecycle management (ALM). The tutorial shows how the team gets started quickly and then begins using Visual Studio for additional ALM activities at various points over time.
Story: Irna, Andi, Fadla, and David are a team developing a web application at a minimarket company. The team has decided to use Team Foundation Server (TFS) to manage source code. Over time, the team also begins using Visual Studio, Team Web Access, Microsoft Test Manager, Microsoft Feedback Manager, and PowerPoint to manage the backlog, create storyboards, get customer feedback, and review, test, and build source code.
Your team can adopt the Visual Studio features for ALM in any order, except where one feature depends on another. For example, as the following figure shows, a team that wants to perform exploratory testing and request feedback in Visual Studio must manage its backlogs in TFS.

ALM Incremental Adoption

Step 1: Before You Begin
Irna installs TFS and puts the team's source code into version control. She also sets up continuous-integration builds so the team can identify and fix bugs earlier.

Set up Version Control ...... to be continued.

Sunday, October 20, 2013

Fix Issue When Installing PostgreSQL on Windows 8 64 Bit Using Installer

This post is the answer to my previous post. After a lot of googling, I finally found the answer at this link

The steps I followed are:
  1. Download the latest PostgreSQL installer from here and save it to C:\Download\
  2. Uninstall any previous PostgreSQL installation.
  3. Delete the postgres user if it still exists.
    net user postgres /delete
  4. Create the postgres user with a password you can remember.
  5. Add the postgres user to the Administrators group.
  6. Add the postgres user to the Power Users group.
  7. Run a command window as the postgres user:
    runas /user:postgres cmd.exe
  8. Run the installer file from within the command window: C:\Download\postgresql-9.3.1-1-windows-x64.exe
    The installation should now run successfully.
  9. Remove the postgres user from the Administrators group.

Installing PostgreSQL using Binary Zip Distribution on Windows 8 64 Bit

In previous versions of Windows (say Windows XP, Vista, and 7) I installed PostgreSQL with no problem at all using the installer. But I ran into a problem when my laptop was upgraded to Windows 8 (64-bit): the installation failed with the error below:

After searching many forums and sources, I found no suitable solution; the problem kept occurring as shown above. I had several problems with the one-click installer, and after the installation process finished, the PostgreSQL database could not be started. Since I could not solve this problem in a reasonable amount of time, I decided to switch my installation to the zip binary distribution of PostgreSQL.

Friday, September 27, 2013

Run Local network (LAN) and Wifi/Internet connection together on a laptop at the same time

We know that writing an application or coding a program keeps us connected to the internet all the time, because we often need Google. If we are using a laptop, there are usually two connections available: LAN to connect to the local network and WiFi to connect to the internet. If you don't know how to keep both connections alive together, I'm sure you will be very busy plugging and unplugging your LAN cable or switching your WiFi on and off. So let's use the little trick below to solve this:
  1. Open your command prompt as Administrator (on Windows 7/8) by right-clicking its shortcut and selecting "Run As Administrator".
  2. We will use the WiFi as the default route and the LAN as a static route. Before doing this we need to remove the two default routes created by the system, because they are why we couldn't connect to the internet and to the LAN network at the same time.
  3. Run this command to delete the DEFAULT route: route DELETE 0.0.0.0
  4. Add a route to your LAN network. As an example, your LAN default gateway is 192.168.100.1 and your server farm/segment is 192.168.10.0 with subnet mask 255.255.255.0, so the command is: route ADD 192.168.10.0 MASK 255.255.255.0 192.168.100.1
  5. Add a route to your WiFi/Internet network. We will set the WiFi as the default gateway. As an example, your internet gateway IP is 192.20.20.1, so the command is: route ADD 0.0.0.0 MASK 0.0.0.0 192.20.20.1
  6. That's it, now you can connect to your LAN and the Internet at the same time. Good luck!
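
Why the two routes above coexist without conflict comes down to longest-prefix matching: the /24 LAN route is more specific than the 0.0.0.0/0 default, so only LAN traffic goes to the LAN gateway. The following is an added example (not from the original post) that models that selection with the post's example addresses; the on-link routes Windows adds for each adapter's own subnet are assumed away and omitted.

```python
import ipaddress

# Routing table constructed from the post's example addresses:
# (destination network, gateway, metric). Windows also adds on-link routes for
# each adapter's own subnet automatically; they are omitted here.
ROUTES = [
    ("192.168.10.0/24", "192.168.100.1", 10),  # step 4: server segment via LAN gateway
    ("0.0.0.0/0", "192.20.20.1", 20),          # step 5: WiFi gateway as the default route
]

# The state step 2 describes: both adapters installed their own default route.
TWO_DEFAULTS = ROUTES + [("0.0.0.0/0", "192.168.100.1", 20)]

def select_gateway(dest, routes=ROUTES):
    """Pick the gateway for `dest` the way a host routing table does:
    the longest matching prefix wins and the lowest metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    best = None
    for net, gw, metric in routes:
        network = ipaddress.ip_network(net)
        if ip in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw)
    return best[1] if best else None

def default_route_conflict(routes):
    """True when more than one 0.0.0.0/0 route exists, which is the condition
    'route DELETE 0.0.0.0' clears before a single default is re-added (step 3)."""
    return sum(1 for net, _, _ in routes if net == "0.0.0.0/0") > 1
```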

Friday, September 20, 2013

Error maximum request length exceeded on ASP.Net

I have come across this error multiple times at work. This problem occurs because the default value of the maxRequestLength parameter in the relevant section of the Machine.config or Web.config file is 4096 (4 megabytes). As a result, files larger than this value are not uploaded by default.
To resolve this problem, use one of the following methods:
  • In the Machine.config file, change the maxRequestLength attribute of the configuration section to a larger value. This change affects the whole computer.
  • In the Web.config file, override the value of maxRequestLength for the application. For example, the following entry in Web.config allows files that are less than or equal to 1 GB to be uploaded:
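The Web.config entry referred to above did not survive on this page; the fragment below is a reconstruction added here (not copied from the original post), showing the default 4 MB setting beside the 1 GB override. Note that maxRequestLength is measured in kilobytes, which is why 1 GB is written as 1048576.

```xml
<configuration>
  <system.web>
    <!-- Default when absent: maxRequestLength="4096" (4 MB), so larger uploads are rejected. -->
    <!-- Override for this application: 1048576 KB = 1 GB. -->
    <httpRuntime maxRequestLength="1048576" />
  </system.web>
</configuration>
```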
                        
Max value for maxRequestLength attribute is "1048576" (1 GB) for .NET Framework 1.0 or 1.1 and "2097151" (2 GB) for .NET Framework 2.0.
Note: During the upload of large files, built-in ASP.NET loads the whole file into memory before the user can save it to disk. Therefore, the process may recycle because of the memoryLimit attribute of the processModel tag in the Machine.config file. More information is in Microsoft KB article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;295626

Sunday, February 24, 2013

Keep Application Running On Windows 2003 Server Remote Desktop Session

If you are a server administrator, you will sometimes need to run applications from a remote desktop session. But under the default server policy setting, that application will be shut down when the remote desktop session ends, for security reasons. Yesterday I ran into this problem and found the fix. How do you keep an application started from a remote desktop session running instead of being shut down by the server policy? Here are the resolutions (choose one of them):

Wednesday, September 26, 2012

SSH Using Windows Command Prompt

SSH is a secure remote shell networking tool that replaces telnet. In Linux, the SSH command line has been a familiar tool and the default for a long time, so it's very user-friendly for Linux users. But how do you run SSH commands in Windows? There are many ways to do that. The famous one is to install PuTTY, the SSH client tool for Windows. But how do you SSH from the Windows command prompt, so that it feels like the Linux command line? The way is to install OpenSSH. Look at the screenshots below:


So, it feels like Linux. Good luck!

Tuesday, May 29, 2012

5 Free Open Source Security Tools


Network and server security can be expensive, but not having good security is even more expensive. Fortunately, you can have the best of both worlds thanks to the many free and open source security solutions that are available to web hosting professionals and system administrators. The following are five that will help lock down your server and keep you informed when evildoers strike.

Simply FTP Script With DateTime Manipulation

This is a new simple FTP script, related to my previous post, extended with a date-time manipulation argument.

@echo off
SETLOCAL

echo ################################################
echo  Source  : http://golekupo.blogspot.com
echo  Version : 1.0
echo  Syntax  : UnduhFTP dd mm yyyy flag
echo  Contoh  : UnduhFTP 16 05 2012 NOW
echo  Args    : %1=dd %2=mm %3=yyyy %4=Flag
echo            Flag Date: set with NOW or YESTERDAY
echo ################################################

set FTP_HOST=192.xxx.xxx.xxx
set FTP_USER=username
set FTP_PASSWD=password
set FTP_TRANSFER_MODE=ascii
set FTP_LOCAL_DIR_A=\\192.168.x.x\drive_d$\locationA
set FTP_LOCAL_DIR_B=\\192.168.x.x\drive_d$\locationB
set FILE_LIST_A=listA.txt
set FILE_LIST_B=listB.txt

REM Change the date to Date-1
set dd=%1
set mm=%2
set yyyy=%3
set flag=%4

Wednesday, May 23, 2012

A Simple Windows FTP Batch Script To Download Files From Multiple Different Folders To Multiple Different Local Folders


A few moments ago, I had a case at the office: how to download reports from the FTP server from multiple locations with different folders and different dates. So we needed a smart script to do that, and here it is:

@echo off
SETLOCAL

REM #############################
REM Usage: UnduhFTP dd mm yyyy
REM Example: UnduhFTP 16 05 2012
REM %1=dd %2=mm %3=yyyy
REM #############################

set FTP_HOST=192.x.x.x
set FTP_USER=username
set FTP_TRANSFER_MODE=ascii

set FTP_REMOTE_DIR_A=/YourRemoteFolderA
set FTP_REMOTE_DIR_B=/YourRemoteFolderB

set FTP_LOCAL_DIR_A=D:\YourFolderA
set FTP_LOCAL_DIR_B=D:\YourFolderB

Sunday, May 06, 2012

Micro Controller Programming: Back To The Past Of Me

I used to be a microcontroller enthusiast; below are online shops selling microcontroller kits in Indonesia, listed to make searching and remembering easier.

Digi Ware
http://www.digi-ware.com
Toko Mikon
CP : David Fernando
Jl. Jatipadang Utara No.8, Pasar Minggu
Jakarta 12540
Indonesia
SMS : +62-857-1836-3975
YM : defgee
http://tokomikon.com

Tuesday, January 10, 2012

Simple Remote Desktop Application in Fedora 16

There are many remote desktop applications in Linux, such as rdesktop, VNC, etc. But in Fedora, there is no GUI or desktop version of rdesktop by default; the existing one is just for VNC. You can still use rdesktop for remote desktop sessions well, but this program has to be executed from the command line. If you want to embed the rdesktop command line in the Application Menu, you have to create a shortcut. Another way is to use an application called Remmina. Remmina is a remote administration application for Linux that supports multiple protocols packaged as plugins.

Resolution for Wireless Not Working After Update Kernel Fedora 16

There's always a way to resolve a 'bug' in Fedora 16. For some people it seems too difficult, but we just need a little patience to do it, and after that you will feel a different kind of satisfaction. That's Linux. OK, this is my example. Yesterday I found that my wireless connection, or my wireless button, didn't work after updating my Fedora 16 to the newest kernel. My netbook is an HP Mini with the Broadcom driver installed. Don't panic; below is the resolution:

Tuesday, January 03, 2012

Stretch/Shrink Video Size To The Panel Size in MediaPlayer Delphi Programming


Sometimes I need to stretch or shrink a video to the size of a panel in my program. But how? It turned out to be very easy and simple; that's why I like Delphi/Pascal. Just set the DisplayRect property. This code will shrink or stretch the video to the size of the display panel:

MediaPlayer.DisplayRect := VideoPanel.ClientRect;