Configuring and Securing Ubuntu Server Installasi Ubuntu Server [ oke ] Paket Manajemen dpkg # dpkg -l # dpkg -L # dpkg

-S # dpkg -i # dpkg -r

# ---> listing paket yg diinstall # ---> listing file2 yg di install dari suatu paket # ---> melihat suatu file termasuk dalam paket apa # ---> install file paket .deb # ---> remove paket tertentu yg sudah diinstall

apt-get # apt-get install <nama paket> # ---> install paket # apt-get remove <nama paket> # ---> remove paket # apt-get upgrade # ---> upgrade paket2 dlm server # apt-get update # ---> update index source repository (/etc/ apt/sources.list) log file ada di /var/log/dpkg.log Aptitude Manajemen paket secara menu. Setting Extra repository ( /etc/apt/source.list ), contoh :

deb http://archive.ubuntu.com/ubuntu natty universe multiverse deb-src http://archive.ubuntu.com/ubuntu natty universe multiverse deb http://us.archive.ubuntu.com/ubuntu/ natty universe deb-src http://us.archive.ubuntu.com/ubuntu/ natty universe deb cdrom:[Ubuntu 11.04 _Natty Narwhal_ - Release i386 (20070419.1)]/ natty main restricted unattended-upgrades digunakan untuk menginstall update, atau hanya menginstall update security saja, penggunaannya adalah : # sudo apt-get install unattended-upgrades konfigurasinya ada di file : /etc/apt/apt.conf.d/50unattended-upgrades

( silakan di buka dan disimak isinya ) apticron Paket ini berguna untuk mengkonfigurasikan cron, kemudian memberitahu administrator lewat email, apabila ada update baru, untuk melakukan installasi apticron silakan ketikkan :

# apt-get install apticron Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: apt-listchanges Suggested packages: x-terminal-emulator python-glade2 python-gtk2 The following NEW packages will be installed: apt-listchanges apticron 0 upgraded, 2 newly installed, 0 to remove and 153 not upgraded. Need to get 61.1 kB of archives. After this operation, 378 kB of additional disk space will be used. Do you want to continue [Y/n]? Y Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/universe apticron all 1.1.52 [13.9 kB] Get:2 http://id.archive.ubuntu.com/ubuntu/ precise/main apt-listchanges all 2.85.8ubuntu2 [47.2 kB] Fetched 61.1 kB in 2s (22.7 kB/s) Preconfiguring packages ... Selecting previously unselected package apticron. (Reading database ... 43303 files and directories currently installed.) Unpacking apticron (from .../apticron_1.1.52_all.deb) ... Selecting previously unselected package apt-listchanges. Unpacking apt-listchanges (from .../apt-listchanges_2.85.8ubuntu2_all.deb) ... Processing triggers for man-db ... Setting up apticron (1.1.52) ... Creating config file /etc/apticron/apticron.conf with new version Creating config file /etc/cron.d/apticron with new version Setting up apt-listchanges (2.85.8ubuntu2) ... Creating config file /etc/apt/listchanges.conf with new version

silakan buka file /etc/apticron/apticron.conf ganti dgn email anda, misal :

EMAIL="yc2int@yahoo.com"

PROSES update-rc.d update-rc.d --help usage: update-rc.d [-n] [-f] <basename> remove update-rc.d [-n] <basename> defaults [NN | SS KK] update-rc.d [-n] <basename> start|stop NN runlvl [runlvl] [...] . update-rc.d [-n] <basename> disable|enable [S|2|3|4|5] -n: not really -f: force The disable|enable API is not stable and might change in the future.

# ps ax # lsof -i tcp # lsof -i udp Setting default runlevel : /etc/init/rc-sysinit.conf baris : env DEFAULT_RUNLEVEL=2

perhatikan file2 yg di load diawali dgn hurus S : /etc/rc2.d utk disable, diawali dgn huruf K

NETWORKING Melihat ethernet yg tersedia, beserta MAC Addressnya : # ifconfig -a | grep eth eth0 Link encap:Ethernet HWaddr 00:50:8d:77:01:8c

atau ketikkan : # lshw -class network PCI (sysfs) *-network description: Ethernet interface product: SiS900 PCI Fast Ethernet vendor: Silicon Integrated Systems [SiS] physical id: 4 bus info: pci@0000:00:04.0 logical name: eth0 version: 91 serial: 00:50:8d:77:01:8c size: 100Mbit/s capacity: 100Mbit/s width: 32 bits clock: 33MHz capabilities: pm bus_master cap_list rom ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation configuration: autonegotiation=on broadcast=yes driver=sis900 driverversion=v1.08.10 Apr. 2 2006 duplex=full ip=10.11.11.223 latency=32 link=yes maxlatency=11 mingnt=52 multicast=yes port=MII speed=100Mbit/s resources: irq:19 ioport:d800(size=256) memory:e1103000e1103fff memory:30000000-3001ffff

tools lain yg cukup berguna adalah ethtools, utk melakukan installasi silakan ketikkan :

root@server:~# apt-get install ethtool Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: ethtool 0 upgraded, 1 newly installed, 0 to remove and 153 not upgraded. Need to get 91.6 kB of archives. After this operation, 293 kB of additional disk space will be used. Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/main ethtool i386 1:3.1-1 [91.6 kB] Fetched 91.6 kB in 3s (28.4 kB/s) Selecting previously unselected package ethtool. (Reading database ... 43330 files and directories currently installed.) Unpacking ethtool (from .../ethtool_1%3a3.1-1_i386.deb) ... Processing triggers for man-db ... Setting up ethtool (1:3.1-1) ...

contoh penggunaan :

root@server:~# ethtool eth0 Settings for eth0: Supported ports: [ TP MII ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full Supported pause frame use: No Supports auto-negotiation: Yes Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full Advertised pause frame use: No Advertised auto-negotiation: Yes Link partner advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full Link partner advertised pause frame use: Symmetric Link partner advertised auto-negotiation: Yes Speed: 100Mb/s Duplex: Full Port: MII PHYAD: 9 Transceiver: internal Auto-negotiation: on Supports Wake-on: pg Wake-on: d Current message level: 0x000000c5 (197) drv link rx_err tx_err Link detected: yes

kegunaan dari ethtool diantaranya untuk mengkonfigurasikan/locking ethernet di 1000Mbps, # /usr/sbin/ethtool -s eth0 speed 1000 duplex full atau bisa juga di tambahkan di /etc/network/interfaces auto eth0 iface eth0 inet static pre-up /usr/sbin/ethtool -s eth0 speed 1000 duplex full

IP ADDRESSING

Konfig ip address : # ifconfig eth0 10.0.0.100 netmask 255.255.255.0 atau # ip address add address 10.0.0.100/24 DEFAULT ROUTE : # route add default gw 10.0.0.1 eth0 atau # ip route add default via 10.0.0.1 lihat tabel routing : # route -n atau # ip route show flushing konfigurasi IP address : # ip addr flush eth0 setting DNS Server mana yg akan kita gunakan : edit file /etc/resolv.conf , isinya :
domain domainkita.com # ---> domain kita search domain.com domain2.com # ---> domain yg akan di cari apabila suatu host tertentu tidak ketemu nameserver 8.8.8.8 # ---> menggunakan DNS Server 8.8.8.8

Request IP ke DHCP Server : pastikan di /etc/network/interfaces : auto eth0 iface eth0 inet dhcp

kemudian down, dan up kan kembali eth0 dgn mengetikkan : # ifdown eth0 # ifup eth0 Setting IP Address static :

auto eth0 iface eth0 inet static address 10.0.0.100 netmask 255.255.255.0 gateway 10.0.0.1

static hostname : file /etc/hosts 127.0.0.1 localhost 127.0.1.1 ubuntu-server 10.0.0.11 server1 vpn s1.contoh.com 10.0.0.12 server2 mail s2.contoh.com 10.0.0.13 server3 www s3.contoh.com 10.0.0.14 server4 file s4.contoh.com

NAMESERVER SWITCH CONFIGURATION filenya : /etc/nsswitch.conf. perhatikan baris : hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 files first tries to resolve static hostnames di /etc/hosts. mdns4_minimal resolve nama dgn menggunakan Multicast DNS.

 [NOTFOUND=return] jika sampai disini tidak ketemu, tidak usah dilanjutkan mencari jawaban resolve hostnamenya dns legacy unicast DNS query. mdns4 Multicast DNS query.

BRIDGING
paket yg dibutuhkan : bridge-utils
root@server:/etc/network# dpkg -l | grep bridge ii bridge-utils 1.5-2ubuntu6 the Linux Ethernet bridge ii ebtables 2.0.9.2-2ubuntu2 table administration

Utilities for configuring Ethernet bridge frame

kemudian edit /etc/network/interfaces : auto lo iface lo inet loopback auto br0 iface br0 inet static address 192.168.0.10 network 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255 gateway 192.168.0.1 bridge_ports eth0 bridge_fd 9 bridge_hello 2 bridge_maxage 12 bridge_stp off

untuk mengkontrol, menggunakan brctl :

root@server:/etc/network# brctl --help Usage: brctl [commands] commands: addbr <bridge> add bridge delbr <bridge> delete bridge addif <bridge> <device> add interface to bridge delif <bridge> <device> delete interface from bridge hairpin <bridge> <port> {on|off} turn hairpin on/off setageing <bridge> <time> set ageing time setbridgeprio <bridge> <prio> set bridge priority setfd <bridge> <time> set bridge forward delay sethello <bridge> <time> set hello time setmaxage <bridge> <time> set max message age setpathcost <bridge> <port> <cost> set path cost setportprio <bridge> <port> <prio> set port priority show [ <bridge> ] show a list of bridges showmacs <bridge> show a list of mac addrs showstp <bridge> show bridge stp info stp <bridge> {on|off} turn stp on/off

DHCP SERVER paket yg dibutuhkan dhcp3-server utk installasi : # apt-get install dhcp3-server konfigurasi ada di /etc/dhcpd.conf

# Sample /etc/dhcpd.conf # (add your comments here) default-lease-time 600; max-lease-time 7200; option subnet-mask 255.255.255.0; option broadcast-address 192.168.1.255; option routers 192.168.1.254; option domain-name-servers 192.168.1.1, 192.168.1.2; option domain-name "domainku.com"; subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.10 192.168.1.100; range 192.168.1.150 192.168.1.200; } running dhcp server : # dhcpd -cf /etc/dhcpd.conf utk setting netbios name server, bisa juga anda tambahkan baris sbb : option netbios-name-servers 192.168.1.1;

NTP SERVER
sinkronisasi waktu berdasar ntp server :

root@server:/var/run# date Tue Jan 1 00:00:02 WIT 1980 root@server:/var/run# ntpdate -s ntp.ubuntu.com root@server:/var/run# date Mon Sep 3 15:33:35 WIT 2012

ntpd ntpd lebih halus daripada ntpdate, ntp daemon akan melakukan sinkronisasi secara halus dan mengkoreksi waktu sedikit demi sedikit, dengan acuan ntp server. utk installasi :

root@server:/var/run# apt-get install ntp Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: libopts25 Suggested packages: ntp-doc The following NEW packages will be installed: libopts25 ntp 0 upgraded, 2 newly installed, 0 to remove and 171 not upgraded. Need to get 654 kB of archives. After this operation, 1,618 kB of additional disk space will be used. Do you want to continue [Y/n]? Y Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/main libopts25 i386 1:5.12-0.1ubuntu1 [58.4 kB] Get:2 http://id.archive.ubuntu.com/ubuntu/ precise-updates/main ntp i386 1:4.2.6.p3+dfsg-1ubuntu3.1 [595 kB] Fetched 654 kB in 12s (51.6 kB/s) Selecting previously unselected package libopts25. (Reading database ... 43364 files and directories currently installed.) Unpacking libopts25 (from .../ libopts25_1%3a5.12-0.1ubuntu1_i386.deb) ... Selecting previously unselected package ntp. Unpacking ntp (from .../ ntp_1%3a4.2.6.p3+dfsg-1ubuntu3.1_i386.deb) ... Processing triggers for ureadahead ... Processing triggers for man-db ... Setting up libopts25 (1:5.12-0.1ubuntu1) ... Setting up ntp (1:4.2.6.p3+dfsg-1ubuntu3.1) ... * Starting NTP server ntpd [ OK ] Processing triggers for libc-bin ... ldconfig deferred processing now taking place

merubah sinkronisasi waktu server, ntpdate : di file /etc/cron.daily/ntpdate isi dgn : ntpdate -s ntp.ubuntu.com pool.ntp.org

atau bila anda menggunakan ntpd : edit file : /etc/ntp.conf isi dgn baris : server ntp.ubuntu.com server pool.ntp.org utk menemukan ntp server di seluruh dunia, silakan kunjungi alamat : http://www.pool.ntp.org

REMOTE ADMINISTRASI Ada banyak cara utk melakukan remote administrasi, tapi kali ini kita hanya membahas openSSH. installasi openssh client : # apt-get install openssh-client installasi openssh server : # apt-get install openssh-server konfigurasi openssh ada di : /etc/ssh/sshd_config beberapa baris penting :

Port 2222 Banner /etc/issue.net Protocol 2 PermitRootLogin no

SSH TANPA PASSWORD generate key :

admin@localhost .ssh]$ ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/home/admin/.ssh/id_dsa): /home/admin/.ssh/id_dsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_dsa. Your public key has been saved in /home/admin/.ssh/id_dsa.pub. The key fingerprint is: 56:aa:95:98:c1:d2:52:a7:bd:c1:77:24:e9:69:cb:e1 admin@localhost.localdomain The key's randomart image is: +--[ DSA 1024]----+ | . . ... | | + = .o | | o = +.o.. | | o + B=. | | o S+ o | | + E | | . | | | | | +-----------------+

kemudian :

[admin@localhost .ssh]$ ssh-copy-id -i ./id_dsa.pub new@10.11.12.13 new@10.11.12.13's password: [admin@localhost .ssh]$

setelah itu anda dapat melakukan ssh tanpa password :

[admin@localhost .ssh]$ ssh -l new 10.11.12.13 Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686) * Documentation: https://help.ubuntu.com/ System information as of Mon Sep 3 16:26:50 WIT 2012 System load: 0.25 Users logged in: 2 Usage of /: 5.6% of 37.17GB IP address for eth0: 10.11.11.223 Memory usage: 38% IP address for eth0:0: 123.123.12.13 Swap usage: 0% IP address for virbr0: 192.168.122.1 Processes: 129 Graph this data and manage this system at https://landscape.canonical.com/ Last login: Mon Sep 3 16:23:28 2012 from 180.246.112.240 new@server:~$

DNS SERVER
Installasi BIND9 : # apt-get install bind9 Paket untuk melakukan pengecekan DNS Server : # apt-get install dnsutils kalau sudah terinstall bisa anda lakukan update :

Get:1 Changelog for libisc83 (http://changelogs.ubuntu.com/ changelogs/pool/main/b/bind9/bind9_9.8.1.dfsg.P1-4ubuntu0.2/ changelog) [53.0 kB] bind9 (1:9.8.1.dfsg.P1-4ubuntu0.2) precise-security; urgency=low * SECURITY UPDATE: denial of service via dnssec validation load - lib/dns/resolver.c: don't use bad->expire before it has been set. - Patch backported from 9.8.3-P2. - CVE-2012-3817 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jul 2012 16:21:36 -0400 bind9 (1:9.8.1.dfsg.P1-4ubuntu0.1) precise-security; urgency=low * SECURITY UPDATE: ghost domain names attack - lib/dns/rbtdb.c: Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it. - Patch backported from 9.8.2. - CVE-2012-1033 * SECURITY UPDATE: denial of service via zero length rdata handling - lib/dns/rdata.c,lib/dns/rdataslab.c: use sentinel pointer for duplicate rdata. - Patch backported from 9.8.3-P1. - CVE-2012-1667 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 04 Jun 2012 13:12:43 -0400

primary configuration ada di : /etc/bind/named.conf isinya adalah : include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones";

pada file2 tersebutlah sebaiknya kita konfigurasi detail dari DNS Server kita. CACHING NAMESERVER utk melakukan caching nameserver, kita bisa mengedit file named.conf.options, dan menambahkan baris :

forwarders { 8.8.8.8; }; PRIMARY NAMESERVER /etc/bind/named.conf.options zone "example.com" { type master; file "/etc/bind/db.example.com"; }; # cp /etc/bind/db.local /etc/bind/db.example.com edit /etc/bind/db.example.com : ; ; BIND data file for local loopback interface ; $TTL 604800 @ IN SOA localhost. root.localhost. ( 2 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS localhost. @ IN A 127.0.0.1 @ IN AAAA ::1 ns IN A 192.168.0.10

REVERSE ZONE FILE /etc/bind/named.conf.options zone "1.168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192"; };

# cp /etc/bind/db.127 /etc/bind/db.192 edit file /etc/bind/db.192 ; ; BIND reverse data file for local loopback interface ; $TTL 604800 @ IN SOA localhost. root.localhost. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS localhost. 1.0.0 IN PTR localhost. 10 IN PTR ns.example.com. SECONDARY MASTER Di Primary Master harus mengijinkan transfer ke ip secondary :

zone "example.com" { type master; file "/etc/bind/db.example.com"; allow-transfer { 192.168.1.11; }; }; zone "1.168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192"; allow-transfer { 192.168.1.11; }; }; Konfig di Secondary Master : zone "example.com" { type slave; file "db.example.com"; masters { 192.168.1.10; }; }; zone "1.168.192.in-addr.arpa" { type slave; file "db.192"; masters { 192.168.1.10; }; }; restart bind : # /etc/init.d/bind9 restart log di /var/log/syslog akan terdapat : slave zone "example.com" (IN) loaded (serial 6) slave zone "100.18.172.in-addr.arpa" (IN) loaded (serial 3)

PENGECEKAN BIND # dig -x ip_addr # dig namadomain

# dig @dns a www.namadomain.com # ping namadomain

yc2int@server:~$ nslookup > server 8.8.8.8 Default server: 8.8.8.8 Address: 8.8.8.8#53 > set type=a > www.google.com. Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: www.google.com canonical name = www.l.google.com. Name: www.l.google.com Address: 173.194.38.177 Name: www.l.google.com Address: 173.194.38.178 Name: www.l.google.com Address: 173.194.38.179 Name: www.l.google.com Address: 173.194.38.180 Name: www.l.google.com Address: 173.194.38.176 > set type=mx > gmail.com. Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: gmail.com mail exchanger = 5 gmail-smtp-in.l.google.com. gmail.com mail exchanger = 30 alt3.gmail-smtp-in.l.google.com. gmail.com mail exchanger = 20 alt2.gmail-smtp-in.l.google.com. gmail.com mail exchanger = 40 alt4.gmail-smtp-in.l.google.com. gmail.com mail exchanger = 10 alt1.gmail-smtp-in.l.google.com. > set type=any > gmail.com. Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name: gmail.com Address: 173.194.38.181 Name: gmail.com Address: 173.194.38.182 gmail.com has AAAA address 2404:6800:4003:803::1016 gmail.com mail exchanger = 40 alt4.gmail-smtp-in.l.google.com. gmail.com nameserver = ns4.google.com.

DNS LOGGING Tanpa logging : logging { category default { default_syslog; default_debug; }; category unmatched { null; }; };

Konfig logging query : logging { channel query.log { file "/var/log/query.log"; severity debug 3; }; category queries { query.log; }; };

SECURITY
USER MANAGEMENT - Gunakan Password yg baik $ sudo passwd locking/disable password user (user tidak bisa masuk) : $ sudo passwd -l user unlock password root : $ sudo passwd -u user tambah user : $ sudo adduser username delete user : $ sudo deluser username kepemilikan : $ sudo chown -R root:root /home/username/ $ sudo mkdir /home/archived_users/ $ sudo mv /home/username /home/archived_users/ manajemen group : $ sudo addgroup groupname $ sudo delgroup groupname

tambah user baru dalam grup tertentu : $ sudo adduser username groupname list user dan permission : $ ls -ld /home/username Change mod : $ sudo chmod 0750 /home/username konfigurasi adduser : /etc/adduser.conf DIR_MODE=0750 $ sudo adduser username $ ls -ld /home/username drwxr-x--- 2 username username 4096 2007-10-02 20:03 username

PASSWORD POLICY MINIMAL KARAKTER UTK PASSWORD perhatikan file : /etc/pam.d/common-password utk setting minimal character utk password menjadi 8 : ganti baris : password [success=2 default=ignore] pam_unix.so obscure sha512 menjadi : password [success=2 default=ignore] pam_unix.so obscure sha512 min=8 PASSWORD EXPIRATION

root@server:/etc/pam.d# chage -l new Last password change : Sep 03, 2012 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change :0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7

root@server:/etc/pam.d# chage new Changing the aging information for new Enter the new value, or press ENTER for the default Minimum Password Age [0]: 0 Maximum Password Age [99999]: 7 Last Password Change (YYYY-MM-DD) [2012-09-03]: Password Expiration Warning [7]: Password Inactive [-1]: Account Expiration Date (YYYY-MM-DD) [1969-12-31]: 2013-01-01 root@server:/etc/pam.d# chage -l new Last password change : Sep 03, 2012 Password expires : Sep 10, 2012 Password inactive : never Account expires : Jan 01, 2013 Minimum number of days between password change :0 Maximum number of days between password change :7 Number of days of warning before password expires : 7

root@server:/etc/pam.d# chage -E 01/31/2013 -m 5 -M 90 -I 30 -W 14 new root@server:/etc/pam.d# chage -l new Last password change : Sep 03, 2012 Password expires : Dec 02, 2012 Password inactive : Jan 01, 2013 Account expires : Jan 31, 2013 Minimum number of days between password change :5 Maximum number of days between password change : 90 Number of days of warning before password expires : 14

WARNING DISABLED USER BISA MASUK LEWAT SSH Selalu periksa homedirektori , dan .ssh terutama file : authorized_keys , yg memungkinkan user melakukan ssh tanpa password (perhatikan pada pembahasan sebelumnya ttg ssh) PEMBATASAN USER SSH Untuk membatasi user mana saja yang boleh melakukan ssh, anda bisa mengedit file sshd_config, dan menambahkan baris : AllowGroups sshlogin sshlogin adalah group dari user2 yang diperbolehkan melakukan ssh

CONSOLE SECURITY Untuk disable control+alt+del : /etc/init/control-alt-delete.conf silakan comment out baris berikut : # exec shutdown -r now "Control-Alt-Delete pressed"

FIREWALL UFW ( Uncomplicated Firewall ) adalah tools mudah untuk menangani firewall sederhana, secara default ubuntu server sudah menyertakan. perhatikan command2 berikut : # ufw enable # ufw allow 22 # ufw insert 1 allow 80 # ufw deny 22 # ufw delete deny 22 # ufw allow proto tcp from 192.168.0.2 to any port 22 # ufw disable # ufw status # ufw status verbose # ufw status numbered ufw application integration File konfigurasi terletak di /etc/ufw/applications.d/ contoh konfigurasi : /etc/ufw/applications.d//etc/ufw/applications.d

[Apache] title=Web Server description=Apache v2 is the next generation of the omnipresent Apache web server. ports=80/tcp [Apache Secure] title=Web Server (HTTPS) description=Apache v2 is the next generation of the omnipresent Apache web server. ports=443/tcp [Apache Full] title=Web Server (HTTP,HTTPS) description=Apache v2 is the next generation of the omnipresent Apache web server. ports=80,443/tcp

root@server:/etc/ufw/applications.d# ufw app list Available applications: Apache Apache Full Apache Secure Bind9 CUPS Dovecot IMAP Dovecot POP3 Dovecot Secure IMAP Dovecot Secure POP3 OpenSSH Postfix Postfix SMTPS Postfix Submission root@server:/etc/ufw/applications.d# # sudo ufw allow Apache # ufw allow from 192.168.0.0/24 to any app Apache

root@server:/etc/ufw/applications.d# ufw app info Apache Profile: Apache Title: Web Server Description: Apache v2 is the next generation of the omnipresent Apache web server. Port: 80/tcp

IP MASQUERADING ufw Masquerading file : /etc/default/ufw DEFAULT_FORWARD_POLICY="ACCEPT" file : /etc/ufw/sysctl.conf net/ipv4/ip_forward=1 file : /etc/ufw/before.rules # nat Table rules *nat :POSTROUTING ACCEPT [0:0] # Forward traffic from eth1 through eth0. -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE # don't delete the 'COMMIT' line or these nat table rules won't be processed COMMIT restart ufw : # ufw disable && sudo ufw enable IPTABLES MASQUERADING File /etc/sysctl.conf : net.ipv4.ip_forward=1

# sysctl -p # iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE # iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT # iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT edit file : /etc/rc.local # iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE LOGGING # ufw logging on
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "

Otomatis akan generate logging di dmesg

AppArmor

Modul AppArmor secara default sudah terinstall di ubuntu server,

root@server:/etc/ufw/applications.d# dpkg -l | grep apparmor ii apparmor 2.7.102-0ubuntu3 for AppArmor ii libapparmor1 2.7.102-0ubuntu3 library User-space parser utility changehat AppArmor

utk menginstall apparmor-profiles dan utils : # apt-get install apparmor-profiles # apt-get install apparmor-utils root@server:/etc/ufw/applications.d# apparmor_status apparmor module is loaded. 12 profiles are loaded. 12 profiles are in enforce mode. /sbin/dhclient /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/connman/scripts/dhclient-script /usr/lib/cups/backend/cups-pdf /usr/lib/libvirt/virt-aa-helper /usr/sbin/cupsd /usr/sbin/dhcpd /usr/sbin/libvirtd /usr/sbin/mysqld /usr/sbin/named /usr/sbin/ntpd /usr/sbin/tcpdump 0 profiles are in complain mode. 6 processes have profiles defined. 6 processes are in enforce mode. /usr/sbin/cupsd (578) /usr/sbin/dhcpd (6189) /usr/sbin/libvirtd (1245) /usr/sbin/mysqld (1045) /usr/sbin/named (9399) /usr/sbin/ntpd (6791) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. AppArmor dijalankan untuk mengawasi suatu program dalam 2 mode :

- Complaining/Learning : akses dari suatu program yg diawasi semua diperbolehkan dan di log ( tujuannya untuk mempelajari dan membuat profile baru) - Enforce/Confined : Suatu program diawasi dan dijalankan sesuai profile, serta di log untuk merubah suatu profile program dijalankan dalam complain mode : # aa-complain /path/to/bin untuk merubah suatu profile program dijalankan dalam enforce mode : # aa-enforce /path/to/bin profle dari apparmor di simpan dalam : /etc/apparmor.d/* apparmor_parser digunakan untuk memanggil profile ke dalam kernel, contohnya : # cat /etc/apparmor.d/profile.name | apparmor_parser -a atau untuk mereload profile yg sudah di load / running : # cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r mereload profile : # /etc/init.d/apparmor reload anda bisa mendisable suatu profile dengan cara di symlink ke /etc/ apparmor.d/disable # ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/ # apparmor_parser -R /etc/apparmor.d/profile.name untuk me-enable kembali : # rm /etc/apparmor.d/disable/profile.name # cat /etc/apparmor.d/profile.name | apparmor_parser -a untuk stop apparmor dan mendisable supaya tidak dijalankan saat boot up :

# /etc/init.d/apparmor stop # update-rc.d -f apparmor remove PROFILE APPARMOR Profile apparmor adalah file teks biasa yg diletakkan di /etc/apparmor.d : nama file menunjukkan path dari program yg di setting profilenya, hanya tanda / diganti dgn tanda titik (.), contoh : /etc/apparmor.d/bin.ping (pathnya dari programnya adalah ke /bin/ping)

#include <tunables/global> /bin/ping flags=(complain) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/nameservice> capability net_raw, capability setuid, network inet raw, /bin/ping mixr, /etc/modules.conf r, } berikut adalah arti dari baris2nya : #include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file. /bin/ping flags=(complain): path to the profiled program, also setting the mode to complain. capability net_raw,: allows the application access to the CAP_NET_RAW Posix.1e capability. /bin/ping mixr,: allows the application read and execute access to the file.

Bagaimana membuat PROFILE BARU AppArmor

untuk membuat profile baru langkah2nya adalah : - jalan kan program, hentikan, dan perhatikan prilaku dari program tersebut - generate profile baru dgn perintah : # aa-genprof <nama program> - kemudian buka konfigurasi profilenya di /etc/apparmor/ nama_file_profile tentukan akses program nya dalam file tsb, contoh :

/usr/sbin/mysqld { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/user-tmp> #include <abstractions/mysql> #include <abstractions/winbind> capability dac_override, capability sys_resource, capability setgid, capability setuid, network tcp, /etc/hosts.allow r, /etc/hosts.deny r, /etc/mysql/*.pem r, /etc/mysql/conf.d/ r, /etc/mysql/conf.d/* r, /etc/mysql/*.cnf r, /usr/lib/mysql/plugin/ r, /usr/lib/mysql/plugin/*.so* mr, /usr/sbin/mysqld mr, /usr/share/mysql/** r, /var/log/mysql.log rw, /var/log/mysql.err rw, /var/lib/mysql/ r, /var/lib/mysql/** rwk, /var/log/mysql/ r, /var/log/mysql/* rw, /var/run/mysqld/mysqld.pid w, /var/run/mysqld/mysqld.sock w, /run/mysqld/mysqld.pid w, /run/mysqld/mysqld.sock w, /sys/devices/system/cpu/ r, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.mysqld> }

CERTIFICATE KROPTOGRAFI

Salahsatu teknik enkripsi populer saat ini adalah menggunakan system public-key dan private-key, untuk melakukan enkripsi menggunakan public-key, dan hasil enkripsi tersebut hanya dapat di de-crypt oleh private-key. Certificate Untuk mensetup secure server dengan menggunakan public key cryptography, biasanya anda harus mengirimkan permintaan sertifikat ke CA (Certification Athority). yaitu perusahaan/badan pihak ketiga yang bertanggung jawab utk mengeluarkan sertifikat public key (mis. Verisign dll) Certificate yang di keluarkan oleh CA mempunyai karakteristik kelebihan bila dibanding dgn certificate yg di generate sendiri, diantaranya adalah : - Browser mengenali secara otomatis, dan langsung membentuk secure connection tanpa konfirmasi apa2. - CA menjamin identitas organisasi/badan dari webserver. GENERATE CSR (Certificate Signing Request) Generate server.key : root@server:~# openssl genrsa -des3 -out server.key 2048 Generating RSA private key, 2048 bit long modulus ................................................................................................................... ...................................+++ ................................................................................................................... .......+++ e is 65537 (0x10001) Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key: Generate server.key.insecure : root@server ~# openssl rsa -in server.key -out server.key.insecure Enter pass phrase for server.key: writing RSA key rename server.key menjadi server.key.secure : # mv server.key server.key.secure

rename server.key.insecure menjadi server.key : # mv server.key.insecure server.key GENERATE CSR (Certificate Signing Request ) : root@server:~/key# openssl req -new -key server.key -out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----Country Name (2 letter code) [AU]:ID State or Province Name (full name) [Some-State]:Central Java Locality Name (eg, city) []:Semarang Organization Name (eg, company) [Internet Widgits Pty Ltd]:Multisolusi Informatika Organizational Unit Name (eg, section) []:Network and Programming Solutions Common Name (e.g. server FQDN or YOUR name) []:Multisolusi Informatika Email Address []:info@multisolusi.info Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:tantangan An optional company name []: root@server:~/key# ls server.csr server.key server.key.secure

Membuat Self Signed Certificate :

root@server:~/key# openssl x509 -req -days 365 -in server.csr -signkey server.key out server.crt Signature ok subject=/C=ID/ST=Central Java/L=Semarang/O=Multisolusi Informatika/OU=Network and Programming Solutions/CN=Multisolusi Informatika/ emailAddress=info@multisolusi.info Getting Private key

Install Serfikat # cp server.crt /etc/ssl/certs # cp server.key /etc/ssl/private Sampai dengan langkah ini sertifikat SSL sudah terinstall, dan dapat digunakan untuk apa enkripsi apa saja sesuai dengan service yang kita konfigurasikan (mis HTTPS, Dovecot IMAPS dan POP3-S) dll.

WEBSERVER Apache2 Apabila apache2 di ubuntu server anda belum terinstall, silakan ketikkan perintah : # apt-get install apache2 Konfigurasi Esensi Dasar Apache /etc/apache2/apache2.conf -> berisi konfigurasi dasar apache. /etc/apache2/conf.d -> berisi file2 konfigurasi2 tambahan dengan tema tertentu /etc/apache2/envvars -> Setting environtment variabel /etc/apache2/httpd.conf -> di Apache2 file ini biasanya kosong, dan hanya berisi konfig2 yang sifatnya spesifik /etc/apach2/mods-available: berisi file2 konfigurasi untuk memanggil modul2 dan mengkonfigurasi modul2 tsb. mods-enabled: berisi modul2 yg di enable, isinya symlink dari file2 yg terdapat di /etc/apache2/mods-available /etc/apache2/ports.conf: berisi port2 yg listen /etc/apache2/sites-enabled: berisi symlink dari direktori /etc/apache2/ sites-available, isinya adalah daftar site yang enable dari apache tsb. Apache2 memberikan kemudahan kita dalam mengkonfigurasi virtual Host. Default Virtual Host dikonfigurasikan di : /etc/apache2/sites-available/ default

jika anda ingin membuat VirtualHost baru, langkah2nya adalah copy kan file tersebut (/etc/apache2/sites-available/default), menjadi nama baru, kemudian konfigurasikan sesuai dengan keinginan kita. # cp /etc/apache2/sites-available/default /etc/apache2/sitesavailable/mynewsite beberapa directive yang penting untuk di perhatikan adalah : ServerAdmin -> untuk mengkonfigurasikan email dari webmaster Listen -> menentukan listen di port berapa (default 80) ServerName -> menentukan virtual domain tersebut bernama apa (mis. www.domainku.com ) ServerAlias -> membuat nama alias dari ServerName, bisa menggunakan wildchar, contoh : ServerAlias *.serverku.com DocumentRoot -> menentukan direktori tempat root dokumen html yang akan di display.

setelah virtual host baru sudah di di konfigurasikan, silakan jalankan perintah sbb :

root@server:/etc/apache2/sites-available# a2ensite sitebaru Enabling site sitebaru. To activate the new configuration, you need to run: service apache2 reload root@server:/etc/apache2/sites-available# service apache2 reload * Reloading web server config apache2 apache2: Could not reliably determine the server's fully qualified domain name, using 202.122.14.202 for ServerName [ OK ]

Default Setting Default Setting adalah konfigurasi default yang akan di panggil, apabila konfigurasi khusus tidak di definisikan pada virtual host. DirectoryIndex Directive Digunakan untuk menentukan file apa yang akan di load by default, saat tidak di definisikan pada URL, di konfigurasi pada file : /etc/apache2/ mods-available/dir.conf isinya kurang lebih :

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm ErrorDocument Directive Digunakan untuk mengatur tampilan/pesan saat suatu error tertentu terjadi. silakan buka file : /etc/apache2/conf.d/localized-error-pages Log File By default akses thd website dilogging pada file : /var/log/apache2/ access.log tapi anda bisa merubah logging akses untuk masing2 virtual host dengan cara menggunakan Directive : CustomLog di masing2 virtual host perhatikan file : /etc/apache2/conf.d/other-vhosts-access-log

Option Directory <Directory /var/www/mysite> ... ... ... </Directory> Options ExecCGI Mengijinkan eksekusi file2 tertentu dlm system sebagai CGI. Options Includes Mengijinkan SSI/Server Side Include, yaitu memungkinkan suatu HTML menginclude file lain dan di tempilkan pada browser secara otomatis. Options IncludesNOEXEC

Allow server-side includes, but disable the #exec and #include commands in CGI scripts.

mengenai SSI, bisa anda pelajari di situs : http:// httpd.apache.org/docs/2.2/howto/ssi.html

What are SSI?

SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology. The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time. But if a majority of your page is being generated at the time that it is served, you need to look for some other solution.

Options Indexes Mengijinkan menampilkan file2 apa saja yang terdapat dalam suatu direktori, apabila DirectoryIndex tidak ditetapkan SymLinksIfOwnerMatch Symlink di ijinkan untuk dibaca apabila pemilik dari filenya sama.

httpd setting
User -> Directive ini menentukan akses dari apache ke server server saat terjadi request.

Group -> Directive ini mirip dengan User, tapi menentukan Group aksesnya terhadap server. Apache2 Modules Apache di design sangat modular, sehingga kita bisa memanggil suatu modul tertentu untuk dijalankan bersama dengan apache. Untuk meload modul, kita menggunakan directive : LoadModule , untuk konfigurasi modulenya di lakukan di dalam directive <IfModule> ! </IfModule> Contoh installasi Module di Ubuntu :
root@server:/etc/apache2/mods-enabled# apt-get install libapache2-mod-authmysql Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: libapache2-mod-auth-mysql 0 upgraded, 1 newly installed, 0 to remove and 161 not upgraded. Need to get 22.1 kB of archives. After this operation, 94.2 kB of additional disk space will be used. Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/main libapache2-mod-auth-mysql i386 4.3.9-13ubuntu3 [22.1 kB] Fetched 22.1 kB in 6s (3,273 B/s) Selecting previously unselected package libapache2-mod-auth-mysql. (Reading database ... 45844 files and directories currently installed.) Unpacking libapache2-mod-auth-mysql (from .../libapache2-mod-authmysql_4.3.9-13ubuntu3_i386.deb) ... Setting up libapache2-mod-auth-mysql (4.3.9-13ubuntu3) ... root@server:/etc/apache2/mods-enabled# a2enmod auth_mysql Enabling module auth_mysql. To activate the new configuration, you need to run: service apache2 restart root@server:/etc/apache2/mods-enabled# service apache2 restart

root@server:/etc/apache2/mods-enabled# a2dismod auth_mysql Module auth_mysql disabled. To activate the new configuration, you need to run: service apache2 restart root@server:/etc/apache2/mods-enabled# service apache2 restart * Restarting web server apache2 [ OK ] root@server:/etc/apache2/mods-enabled#

Konfigurasi HTTPS (HTTP-SSL)

root@server:/etc/apache2/mods-enabled# a2enmod ssl Enabling module ssl. See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates. To activate the new configuration, you need to run: service apache2 restart root@server:/etc/apache2/mods-enabled# service apache2 restart * Restarting web server apache2 [ OK ] root@server:/etc/apache2/mods-enabled# a2ensite default-ssl Enabling site default-ssl. To activate the new configuration, you need to run: service apache2 reload root@server:/etc/apache2/mods-enabled# /etc/init.d/apache2 reload * Reloading web server config apache2 [ OK ]

direktori : /etc/ssl/certs dan /etc/ssl/private adalah default dari kita meletakkan certificate dan key, apabila anda ingin merubahnya, anda harus menggunakan directive : SSLCertificateFile SSLCertificateKeyFile

PHP 5
Installasi PHP5 di ubuntu server : silakan anda ketikkan perintah :

# apt-get install php5 libapache2-mod-php5 untuk menginstall, dan mengupdate apabila masih terdapat bug sbb :

Get:1 Changelog for php5-common (http://changelogs.ubuntu.com/changelogs/pool/ main/p/php5/php5_5.3.10-1ubuntu3.2/changelog) [190 kB] php5 (5.3.10-1ubuntu3.2) precise-security; urgency=low * SECURITY UPDATE: denial of service via invalid tidy objects - debian/patches/CVE-2012-0781.patch: track initialization in ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt, ext/tidy/tests/bug54682.phpt. - CVE-2012-0781 * SECURITY UPDATE: denial of service or possible directory traversal via invalid filename. - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in main/rfc1867.c, add test to tests/basic/bug55500.phpt. - CVE-2012-1172 * SECURITY UPDATE: password truncation via invalid byte - debian/patches/CVE-2012-2143.patch: improve logic in ext/standard/crypt_freesec.c, add test to ext/standard/tests/strings/crypt_chars.phpt. - CVE-2012-2143 * SECURITY UPDATE: improve php5-cgi query string parameter parsing - debian/patches/CVE-2012-233x.patch: improve parsing in sapi/cgi/cgi_main.c. - CVE-2012-2335 - CVE-2012-2336 * SECURITY UPDATE: phar extension heap overflow - debian/patches/CVE-2012-2386.patch: check for overflow in ext/phar/tar.c. - CVE-2012-2386 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 12 Jun 2012 13:40:37 -0400 php5 (5.3.10-1ubuntu3.1) precise-security; urgency=low * SECURITY UPDATE: php5-cgi query string parameters parsing vulnerability - debian/patches/php5-CVE-2012-1823.patch: filter query strings that are prefixed with '-' - CVE-2012-1823 - CVE-2012-2311 -- Steve Beattie <sbeattie@ubuntu.com> Thu, 03 May 2012 15:42:08 -0700

Installasi php-cli : # apt-get install php5-cli installasi php sebagai CGI :

# apt-get install php5-cgi Installasi php support mysql : # apt-get install php5-mysql Installasi php support postgreSQL : # apt-get install php5-pgsql halaman testing : <?php phpinfo(); ?>

Hardening apache/php
TUTUP FASILITAS BROWSING DIREKTORI buka file : /etc/apache2/sites-available/default

Agar direktori dan file2 dalam direktori yang tidak mengandung index.html (DirectoryIndex), tidak dapat dibrowse isinya, silakan edit tambahkan tanda -Indexes : <Directory /var/www/> Options -Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory>

Enable the rewrite module of Apache. modul ini berguna untuk me-rewrite request2 dengan pola2 tertentu. root@server:/etc/apache2/sites-available# a2enmod rewrite Enabling module rewrite. To activate the new configuration, you need to run: service apache2 restart root@server:/etc/apache2/sites-available# service apache2 restart * Restarting web server apache2 [ OK ] kemudian untuk menghindari serangan Cross Site Tracking, silakan pada <VirtualHost *:80> anda tambahkan Rewrite sbb : <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] </IfModule>

INSTALL Mod Evasive Modul ini berguna untuk menghindari httpd DoS, Brute force Attack, # apt-get install libapache2-mod-evasive

Install Libapache Mod Security dan libapache2-modsecurity # apt-get install libapache2-modsecurity kemudian enable kan dengan perintah : # a2enmod mod-security

Tutup semua informasi tentang server dan apache saat error terjadi edit : /etc/apache2/conf.d/security ServerToken Prod ServerSignature Off Edit file php.ini buka file /etc/php5/apache2/php.ini display_errors = Off log_errors = On allow_url_fopen = Off safe_mode = On expose_php = Off enable_dl = Off
register_globals = Off magic_quotes_gpc = On

jika memungkinkan/tidak mengganggu service, disable kan beberapa fungsi berbahaya : disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd, proc_open,curl_exec,curl_multi_exec,parse_ini_file,show_source

/etc/sysctl.conf
edit juga file /etc/sysctl.conf :

# IP Spoofing protection net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Ignore ICMP broadcast requests net.ipv4.icmp_echo_ignore_broadcasts = 1 # Disable source packet routing net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 # Ignore send redirects net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 # Block SYN attacks net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 5 # Log Martians net.ipv4.conf.all.log_martians = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 # Ignore ICMP redirects net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 # Ignore Directed pings net.ipv4.icmp_echo_ignore_all = 1

To reload sysctl with the latest

changes, enter:

sudo sysctl -p

kemudian ketikkan : # sysctl -p

Secure Shared Memory /dev/shm seringkali digunakan untuk melakukan serangan terhadap running daemon, spt apache/httpd dll, untuk itu silakan anda edit /etc/ fstab rubah menjadi berikut :
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0

Disable DNS Recursion edit file : /etc/bind/named.conf.options tambahkan baris :

recursion no;

IP Spoofing
order bind,hosts nospoof on

setelah suatu ip address di lihat nama hostnya, kemudian akan dibalik apakah hostname tsb ip nya sama dengan ip address tsb, apabila ternyata beda, maka query akan digagalkan. Periksa Log, dan ban semua host2 mencurigakan DenyHosts -> adalah scripts phyton yang akan menganalisa log ssh, dan mem-ban host2 mencurigakan, dengan cara memasukkan ke dalam /etc/hosts.deny INSTALLASI :

root@server:/home/yc2int# apt-get install denyhosts Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: denyhosts 0 upgraded, 1 newly installed, 0 to remove and 157 not upgraded. Need to get 66.1 kB of archives. After this operation, 317 kB of additional disk space will be used. Get:1 http://id.archive.ubuntu.com/ubuntu/ precise/universe denyhosts all 2.6-10 [66.1 kB] Fetched 66.1 kB in 2s (25.8 kB/s) Selecting previously unselected package denyhosts. (Reading database ... 45994 files and directories currently installed.) Unpacking denyhosts (from .../denyhosts_2.6-10_all.deb) ... Processing triggers for man-db ... Processing triggers for ureadahead ... Setting up denyhosts (2.6-10) ... * Starting DenyHosts denyhosts [ OK ] 16635 ? S 0:00 python /usr/sbin/denyhosts --daemon --purge -config=/etc/denyhosts.conf 16653 pts/0 S+ 0:00 grep --color=auto denyhost

edit /etc/denyhosts.conf, konfigurasikan sesuai dengan kebutuhan :

ADMIN_EMAIL = root@localhost SMTP_HOST = localhost SMTP_PORT = 25 #SMTP_USERNAME=foo #SMTP_PASSWORD=bar SMTP_FROM = DenyHosts nobody@localhost #SYSLOG_REPORT=YES

Fail2ban
Installasi fail2ban : # apt-get install fail2ban kemudian konfigurasikan :

/etc/fail2ban/jail.conf

sesuai dengan situasi dan kondisi.

RKHunter and CHKRootKit

kedua tools ini melakukan tugas yang hampir sama, diantaranya yaitu mencari keberadaan rootkit. untuk menginstall silakan anda ketikkan :
# apt-get install rkhunter chkrootkit

silakan anda coba :

sudo rkhunter --update sudo rkhunter --propupd sudo rkhunter --check

berikut adalah manual singkat tentang cara menggunakan rkhunter :

rkhunter "debugging" howto . Don't be afraid of the RKhunter warnings in the terminal. . Using RKhunter is always a work in progress. . To install RKhunter: sudo apt-get install rkhunter . Before running RKhunter you will need to fill the file properties database by running the following command: rkhunter --propupd Do no forget to set rkhunter in sysconfig to run the --propupd every time new software is installed or else you will get "false positives" after every software and system update. sudo rkhunter --propupd . To run rkhunter --propupd, automatic after software updates, add the line APT_AUTOGEN="yes" to /etc/default/rkhunter (this gets read by /etc/apt/ apt.conf.d/90rkhunter). . Wait till it completes gathering the new values, then exit. This should eliminate all the warnings except the hidden files related to the /dev folder. They show up occassionally and disappear with a next reboot of your system. . Additionally, the --versioncheck option of rkhunter itself will indicate if a new version is available. sudo rkhunter --versioncheck . The first run of 'rkhunter' after installation may give some warning messages. They are is some way normal. Even on clean installed system, with no additional software installed, these warnings occur. You could take a at the FAQ of RKhunter. I got these warnings on Xubuntu beta, clean install: sudo rkhunter --checkall . warnings: /usr/bin/mail /usr/bin/bsd/mail-x checking /dev for susp. files checking hidden files and direct /usr/bin/lwp-request . It is possible for a package manager database to become maliciously corrupted. RKhunter can only report on changes, but not on what has caused the change, it is reactive. . Help Rootkit Hunter users on the rkhunter-users mailing list. the rkhunter mailinglist It is also a source of information on "false positives". . "Intruder Detection Checklist". This list is available via the intruder detection list . What to do with "common" warnings as: Warning: Hidden directory found: /dev/.static Warning: Hidden directory found: /dev/.udev Warning: Hidden directory found: /dev/.initramfs To avoid these warnings, you can reconfigure rkhunter to ignore these files via whitelisting these warnings. Edit the rkhunter.conf file: gedit /etc/rkhunter.conf and remove the # in front of these lines: #ALLOWHIDDENDIR=/dev/.udev #ALLOWHIDDENDIR=/dev/.static #ALLOWHIDDENDIR=/dev/.initramfs ALLOWHIDDENDIR=/dev/.udev ALLOWHIDDENDIR=/dev/.static ALLOWHIDDENDIR=/dev/.initramfs . Linkage for debugging rkhunter via watchdog: debugging linkage You can disable the 'os_specific' check in your rkhunter.conf file. Add it to the DISABLE_TESTS list.You can stop rkhunter from checking these by editing /etc/rkhunter.conf Un-comment the related ALLOWHIDDENDIR and ALLOWHIDDENFILE lines.

Scan open port dengan menggunakan NMAP

installasi : # apt-get install nmap
# nmap -v -sT localhost # nmap -v -sS localhost

LOGWATCH analisa log dengan menggunakan logwatch :

# apt-get install logwatch libdate-manip-perl

untuk melihat output dari logwatch, ketikkan perintah :

# logwatch | less

TIGER Tiger adalah tools security yang bisa digunakan untuk audit sekuriti, dan intrusion detection. installasi : # apt-get install tiger utk menjalankan : # tiger

MENJALANKAN VHOSTS PADA UID/GID BERBEDA install Apache-mpm-itk : # apt-get install apache-mpm-itk tambahkan group baru dan user baru :

# groupadd web1 # adduser sitebaru -g web1 tambahkan virtual host, mis: sitebaru.multisolusi.info : konfignya kurang lebih :

<VirtualHost *:80> ServerAdmin webmaster@localhost ServerName sitebaru.multisolusi.info DocumentRoot /home/sitebaru/html/ <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /home/sitebaru/html/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /home/sitebaru/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> </VirtualHost>

<IfModule mpm_itk_module> AssignUserId sitebaru web1 </IfModule>

kemudian restart apache : # /etc/init.d/apache2 restart

TAMBAHAN

User quotas with Ubuntu

This step by step tutorial shows how to install and implement user quotas, to limit disk space available for selected users in a Linux system (tested on Ubuntu, using repositories).To add support for user disk quotas on Ubuntu: Install quota from repository: sudo apt-get install quota Edit, as root, /etc/fstab adding usrquota and grpquota to desired partitions: /dev/hda3 /home ext3 defaults,usrquota,grpquota 0 2 Reboot the system. Then sudo edquota -u username -f /dev/desiredpartition Editing the file: Disk quotas for user username (uid 1050): Filesystem blocks soft hard inodes soft hard /dev/hdaN 0 31457280 31457280 0 0 0 Save that file! now do: sudo edquota -t -f /dev/hda3 set grace periods to 0 seconds like this:

Grace period before enforcing soft limits for users: Time units may be: days, hours, minutes, or seconds Filesystem Block grace period Inode grace period /dev/hda3 0seconds 0seconds Save, and finally: quotaoff -a Code: quotaon /dev/hda3

VSFTPD Installasi : apt-get install vsftpd merubah homedir default : sudo mkdir /srv/ftp sudo usermod -d /srv/ftp ftp restart vsftpd : /etc/init.d/vsftpd restart mengijinkan localuser utk login dan upload edit file /etc/vsftpd.conf : local_enable=YES write_enable=YES mengijinkan anonymous utk upload : anon_upload_enable=YES melimit user hanya pada homedirnya : chroot_local_user=YES

me list user2 tertentu supaya chroot : chroot_list_enable=YES chroot_list_file=/etc/vsftpd.chroot_list untuk alasan keamanan, dalam chrooted environtment, menulis ke / tidak diijinkan. silakan ubah permission homedir menjadi 555 user ftp only : tambahkan valid shell pada : /etc/shells, baris berikut : /usr/sbin/nologin rubah shell dari user ybs pada /etc/passwd menjadi /usr/sbin/nologin

Howto: Backup and restore your system! More recent up to date information this tutorial deals with can be found on the Ubuntu Wiki https://help.ubuntu.com/community/BackupYourSystem https://help.ubuntu.com/community/BackupYourSystem/TAR https://help.ubuntu.com/community/Ca...BackupRecovery

Hi, and welcome to the Heliode guide to successful backing-up and restoring of a Linux system! Most of you have probably used Windows before you started using Ubuntu. During that time you might have needed to backup and restore your system. For Windows you would need

proprietary software for which you would have to reboot your machine and boot into a special environment in which you could perform the backing-up/restoring (programs like Norton Ghost). During that time you might have wondered why it wasn't possible to just add the whole c:\ to a big zip-file. This is impossible because in Windows, there are lots of files you can't copy or overwrite while they are being used, and therefore you needed specialized software to handle this. Well, I'm here to tell you that those things, just like rebooting, are Windows CrazyThings (tm). There's no need to use programs like Ghost to create backups of your Ubuntu system (or any Linux system, for that matter). In fact; using Ghost might be a very bad idea if you are using anything but ext2. Ext3, the default Ubuntu partition, is seen by Ghost as a damaged ext2 partition and does a very good job at screwing up your data. 1: Backing-up "What should I use to backup my system then?" might you ask. Easy; the same thing you use to backup/compress everything else; TAR. Unlike Windows, Linux doesn't restrict root access to anything, so you can just throw every single file on a partition in a TAR file! To do this, become root with Code: sudo su and go to the root of your filesystem (we use this in our example, but you can go anywhere you want your backup to end up, including remote or removable drives.) Code: cd / Now, below is the full command I would use to make a backup of my system: Code:

tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found -exclude=/backup.tgz --exclude=/mnt --exclude=/sys / Now, lets explain this a little bit. The 'tar' part is, obviously, the program we're going to use. 'cvpfz' are the options we give to tar, like 'create archive' (obviously), 'preserve permissions'(to keep the same permissions on everything the same), and 'gzip' to keep the size down. Next, the name the archive is going to get. backup.tgz in our example. Next comes the root of the directory we want to backup. Since we want to backup everything; / Now come the directories we want to exclude. We don't want to backup everything since some dirs aren't very useful to include. Also make sure you don't include the file itself, or else you'll get weird results. You might also not want to include the /mnt folder if you have other partitions mounted there or you'll end up backing those up too. Also make sure you don't have anything mounted in /media (i.e. don't have any cd's or removable media mounted). Either that or exclude /media. EDIT : kvidell suggests below we also exclude the /dev directory. I have other evidence that says it is very unwise to do so though. Well, if the command agrees with you, hit enter (or return, whatever) and sit back&relax. This might take a while. Afterwards you'll have a file called backup.tgz in the root of your filessytem, which is probably pretty large. Now you can burn it to DVD or move it to another machine, whatever you like! EDIT2: At the end of the process you might get a message along the lines of 'tar: Error exit delayed from previous errors' or something, but in most cases you can just ignore that.

Alternatively, you can use Bzip2 to compress your backup. This means higher compression but lower speed. If compression is important to you, just substitute the 'z' in the command with 'j', and give the backup the right extension. That would make the command look like this: Code: tar cvpjf backup.tar.bz2 --exclude=/proc --exclude=/lost +found --exclude=/backup.tar.bz2 --exclude=/mnt --exclude=/ sys / 2: Restoring Warning: Please, for goodness sake, be careful here. If you don't understand what you are doing here you might end up overwriting stuff that is important to you, so please take care! Well, we'll just continue with our example from the previous chapter; the file backup.tgz in the root of the partition. Once again, make sure you are root and that you and the backup file are in the root of the filesystem. One of the beautiful things of Linux is that This'll work even on a running system; no need to screw around with bootcd's or anything. Of course, if you've rendered your system unbootable you might have no choice but to use a live-cd, but the results are the same. You can even remove every single file of a Linux system while it is running with one command. I'm not giving you that command though! Well, back on-topic. This is the command that I would use: Code: tar xvpfz backup.tgz -C / Or if you used bz2; Code:

tar xvpfj backup.tar.bz2 -C / WARNING: this will overwrite every single file on your partition with the one in the archive! Just hit enter/return/your brother/whatever and watch the fireworks. Again, this might take a while. When it is done, you have a fully restored Ubuntu system! Just make sure that, before you do anything else, you re-create the directories you excluded: Code: mkdir proc mkdir lost+found mkdir mnt mkdir sys etc... And when you reboot, everything should be the way it was when you made the backup! 2.1: GRUB restore Now, if you want to move your system to a new harddisk or if you did something nasty to your GRUB (like, say, install Windows), You'll also need to reinstall GRUB. There are several very good howto's on how to do that here on this forum, so i'm not going to reinvent the wheel. Instead, take a look here: http://www.ubuntuforums.org/showthre...t=grub+restore There are a couple of methods proposed. I personally recommend the second one, posted by remmelt, since that has always worked for me.

Well that's it! I hope it was helpful! As always, any feedback is appreciated!

HOWTO: Restore GRUB (if your MBR is messed up) Restore GRUB quite simple in Ubuntu, instead going through all the "gain root access" and play with shell commands, you

can use the Ubuntu installation CD to restore it without going through all kinds of hassles. Here are the steps: 1. Boot your computer up with Ubunto CD 2. Go through all the process until you reech "[!!!] Disk Partition" 3. Select Manual Partition 4. Mount your appropriate linux partions / /boot swap ..... 5. DO NOT FORMAT THEM. 6. Finish the manual partition 7. Say "Yes" when it asks you to save the changes 8. It will give you errors saying that "the system couldn't install ....." after that 9. Ignore them, keep select "continue" until you get back to the Ubuntu installation menu 10. Jump to "Install Grub ...." 11. Once it is finished, just restart your computer Good luck!.