Category archive: Security

Ubuntu 14 Apache: activate SSL, create a self-signed certificate, configure a virtual host

sudo a2enmod ssl
sudo service apache2 restart
sudo mkdir /etc/apache2/ssl
# -x509 writes a self-signed certificate instead of a CSR; -nodes leaves the private key
# unencrypted so Apache can start unattended, so keep /etc/apache2/ssl readable by root only
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/your_domain.key -out /etc/apache2/ssl/your_domain.crt
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com
sudo nano /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
        ....
  </VirtualHost>

  # the stock vhost above stays as the fallback; this one is selected by ServerName/ServerAlias (SNI)
  <VirtualHost _default_:443>
    ServerName www.your_domain.com
    ServerAlias your_domain.com
    DocumentRoot /var/www/your_domain.com

    ErrorLog ${APACHE_LOG_DIR}/error_your_domain_com_ssl.log
    CustomLog ${APACHE_LOG_DIR}/access_your_domain_ssl.log common

    SSLEngine on
    # these must be the files written by the openssl command above
    SSLCertificateFile    /etc/apache2/ssl/your_domain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/your_domain.key
  </VirtualHost>
</IfModule>
sudo a2ensite default-ssl.conf
sudo service apache2 restart
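The certificate step above, scripted so it runs without prompts and followed by the checks worth doing before Apache is pointed at the files. This is an added example, not the post's own commands: the subject is passed with -subj, a subjectAltName is added because browsers no longer accept a bare Common Name, the key file is made readable by root only, and the certificate is checked against the key (a mismatch stops Apache from starting) and for the names it should carry. The function names and the example.test domain are ours; the script needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example, not from the original post: scripted self-signed certificate
# creation plus the checks to run before Apache is pointed at the files.
# Assumes OpenSSL 1.1.1+ (for -addext); function names are ours.

# Write DIR/DOMAIN.key and DIR/DOMAIN.crt, valid DAYS days, for DOMAIN and www.DOMAIN.
make_selfsigned_cert() {
    dir=$1 domain=$2 days=${3:-365}
    mkdir -p "$dir" || return 1
    # -x509: emit a self-signed cert instead of a CSR; -nodes: leave the key unencrypted
    # so Apache can start unattended (which is why the key file must be root-only).
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/$domain.key" -out "$dir/$domain.crt" \
        -subj "/C=US/ST=New York/L=New York City/O=Your Company/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null || return 1
    chmod 0600 "$dir/$domain.key"
}

# The public key inside the certificate must equal the one derived from the private
# key; a mismatch (e.g. a key regenerated after the cert) makes Apache refuse to start,
# so catch it here instead of in the error log. Both commands print the same PEM form.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if NAME appears as a DNS entry in the certificate's subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -qE "DNS:$2(,|$)"
}

# True if the certificate is still valid DAYS days from now (DAYS defaults to 0 = today).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( ${2:-0} * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Stand-alone use: sh selfsigned.sh /etc/apache2/ssl your_domain.com
if [ "$#" -ge 2 ]; then
    make_selfsigned_cert "$1" "$2" 365 &&
    cert_matches_key "$1/$2.crt" "$1/$2.key" &&
    cert_has_san "$1/$2.crt" "www.$2" &&
    openssl x509 -noout -subject -dates -in "$1/$2.crt"
fi
```

cert_valid_for_days is also usable from cron against the live certificate (for example with 30) so a renewal is noticed before clients start seeing an expired-certificate error.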
Then, in the site's .htaccess (mod_rewrite must be enabled with sudo a2enmod rewrite and the DocumentRoot needs AllowOverride All), send www.your_domain.com to the bare domain and plain HTTP to HTTPS:

RewriteEngine on
RewriteBase /

# www.your_domain.com -> https://your_domain.com (%1 is the host without the www.)
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

# anything still on plain HTTP -> HTTPS, same host and path
RewriteCond %{HTTPS} !on
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# If a directory or a file exists, use the request directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Otherwise forward the request to index.php
RewriteRule . index.php [L]

Then open https://your_domain.com; with a self-signed certificate the browser warns about the untrusted issuer until you trust the certificate or replace it with one from a CA.

Adding an SSH Public Key to a user

If the user's SSH folder does not yet exist, create it manually. Run these as that user, or chown the result to them afterwards: sshd (StrictModes) ignores an authorized_keys file that is owned by someone other than the user or root, or that is group/world-writable.

mkdir /home/username/.ssh
chmod 0700 /home/username/.ssh
touch /home/username/.ssh/authorized_keys
chmod 0600 /home/username/.ssh/authorized_keys
sudo nano /home/username/.ssh/authorized_keys

or append the one-line public key directly (>> appends; a single > would replace every key already there):

echo '<one-line public key>' >> /home/username/.ssh/authorized_keys

Fail2Ban Banning service

Source: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04

Official Source: http://www.fail2ban.org/wiki/index.php/Main_Page

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban reduces the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. If you really want to protect a service, configure it to accept only public-key or two-factor authentication.
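To make the paragraph above concrete, here is the decision a Fail2Ban sshd jail takes, reduced to a short shell script: a "filter" that pulls the failing IP out of each auth.log line, and a "jail" that bans an IP the moment it reaches maxretry failures inside a sliding findtime window. This is an added example written for this page, not code from the post or from Fail2Ban itself, and the log lines are constructed, not a real capture. It assumes GNU date for the -d option, handles IPv4 only, and matches a single "Failed password for" pattern where Fail2Ban's real sshd filter has many; the knob names correspond to the maxretry and findtime options in jail.local.

```shell
#!/bin/sh
# Added example, not from the post or from Fail2Ban: the decision a Fail2Ban sshd
# jail makes (maxretry failures from one IP within findtime seconds => ban), run over
# constructed auth.log lines so the knobs are concrete. Assumes GNU date -d; IPv4 only.

# Constructed sample of /var/log/auth.log, not a real capture.
SAMPLE_AUTH_LOG='Mar 10 10:15:00 web1 sshd[1100]: Failed password for root from 198.51.100.7 port 40100 ssh2
Mar 10 11:20:00 web1 sshd[1150]: Failed password for root from 198.51.100.7 port 40110 ssh2
Mar 10 12:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:04 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 12:00:09 web1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar 10 12:01:30 web1 sshd[1209]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: RSA SHA256:constructed
Mar 10 12:02:11 web1 sshd[1211]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar 10 12:05:00 web1 sshd[1250]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Mar 10 12:05:03 web1 sshd[1252]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2
Mar 10 12:30:00 web1 sshd[1300]: Failed password for root from 198.51.100.7 port 40120 ssh2'

# Step 1 (the "filter"): reduce each failed-password line to "<timestamp> <ip>".
# Fail2Ban's sshd filter has many more failregex patterns; this keeps one of them.
extract_failures() {
    sed -n 's/^\([A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]*\) .* Failed password for .* from \([0-9.]*\) port .*/\1 \2/p'
}

# Step 2 (the "jail"): sliding-window count per IP. Prints each IP to ban, sorted,
# the first time it reaches MAXRETRY failures inside the last FINDTIME seconds.
# usage: fail2ban_scan MAXRETRY FINDTIME < auth.log
fail2ban_scan() {
    maxretry=$1 findtime=$2
    extract_failures |
    while read -r mon day time ip; do
        # syslog stamps carry no year; GNU date assumes the current one, fine for a window
        printf '%s %s\n' "$(date -d "$mon $day $time" +%s)" "$ip"
    done |
    awk -v maxretry="$maxretry" -v findtime="$findtime" '
    {
        ts = $1 + 0; ip = $2
        n = split(times[ip], t, " ")
        kept = ""; count = 0
        for (i = 1; i <= n; i++)            # forget failures older than the window
            if (t[i] + 0 > ts - findtime) { kept = kept " " t[i]; count++ }
        kept = kept " " ts; count++
        times[ip] = kept
        if (count >= maxretry && !(ip in banned)) { banned[ip] = ts; print ip }
    }' | sort
}

# Stand-alone run: with Fail2Ban's default maxretry of 5 nothing in the sample is
# banned; with 3 the burst from 203.0.113.5 is. Usage: sh f2b_mini.sh [MAXRETRY] [FINDTIME]
printf '%s\n' "$SAMPLE_AUTH_LOG" | fail2ban_scan "${1:-3}" "${2:-600}"
```

Note what the window buys you: 198.51.100.7 fails three times in the sample but spread over two hours, so with findtime 600 it is never banned, while the same three failures inside a 9000-second window would be. Real Fail2Ban then hands the IP to an action (an iptables rule by default) for bantime seconds; the counting logic is the part shown here.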

Generate SSH Public/Private Keys with PuTTY

Source: https://www.digitalocean.com/community/tutorials/how-to-create-ssh-keys-with-putty-to-connect-to-a-vps

  1. Open PuTTYgen (PuTTY Key Generator)
  2. In the Parameters section select Type: SSH-2 RSA, Number of bits: 2048
  3. Click the Generate button
  4. Move your mouse randomly over the blank area until the progress bar fills; the movement feeds the key's randomness
  5. Enter a Key comment (for example your Linux username)
  6. Press Save public key (example filename: username.public.key)
  7. Press Save private key (example filename: username.private.ppk)
    This private key is for PuTTY and PuTTY Key Generator
  8. Click Conversions -> Export OpenSSH key (example filename: htokatli.private.ssh)
    This private key is for other programs, for example PhpStorm etc.
  9. Right-click in the text field labeled “Public key for pasting into OpenSSH authorized_keys file” and choose Select All;
    Right-click again in the same text field and choose Copy.
    NOTE: PuTTY and OpenSSH use different formats for public SSH keys. The file written by Save public key starts with “---- BEGIN SSH2 PUBLIC KEY ----”; that is the wrong format for authorized_keys. Copy from the text field instead, so that the key you paste starts with “ssh-rsa AAAA ….”
  10. Save the public key on the server

    Now paste the copied public key into the file /home/username/.ssh/authorized_keys on your server.

      1. Log in to your destination server; see How to Log Into Your Droplet with PuTTY (for Windows users)
      2. If your SSH folder does not yet exist, create it manually:
        mkdir /home/username/.ssh
        chmod 0700 /home/username/.ssh
        touch /home/username/.ssh/authorized_keys
        chmod 0600 /home/username/.ssh/authorized_keys
      3. Paste the SSH public key into your /home/username/.ssh/authorized_keys file (see Installing and Using the Vim Text Editor on a Cloud Server):
      4. sudo vim /home/username/.ssh/authorized_keys
      5. Tap the i key on your keyboard and right-click your mouse to paste.
      6. To save, tap the following keys on your keyboard (in this order): Esc, :, w, q, Enter.
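The two manual authorized_keys recipes on this page (the "Adding SSH Public Key to a user" post and step 10 above) as one script. It is an added example, not code from either post: it creates the directory and file with the modes sshd's StrictModes check expects, refuses anything that is not a public key, converts a “---- BEGIN SSH2 PUBLIC KEY ----” block (what PuTTYgen's Save public key writes) into the OpenSSH one-liner instead of letting it be pasted as-is, checks that the type in front of the key agrees with the type encoded inside the base64 blob, and skips keys already present so it can be rerun. The function names are ours, the key blobs in the comments are constructed and not usable keys, and the script relies on GNU coreutils (base64 -d, od).

```shell
#!/bin/sh
# Added example, not from the original posts: install one public key into a
# user's ~/.ssh/authorized_keys the way sshd's StrictModes wants it.
# Assumes GNU coreutils (base64 -d, od); function names are ours.

# Print the key type stored inside a base64 key blob. The decoded blob starts
# with a 4-byte big-endian length followed by the type string ("ssh-rsa", ...).
blob_key_type() {
    len=$(printf '%s' "$1" | base64 -d 2>/dev/null | head -c 4 | od -An -tu1 |
          awk '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
    [ -n "$len" ] && [ "$len" -gt 0 ] && [ "$len" -le 64 ] || return 1
    printf '%s' "$1" | base64 -d 2>/dev/null | dd bs=1 skip=4 count="$len" 2>/dev/null
}

# Normalise pasted text to one OpenSSH line "<type> <blob> [comment]". Accepts an
# OpenSSH line or a whole RFC4716 block, whose body is the same base64 blob.
to_openssh_line() {
    case $1 in
        *"---- BEGIN SSH2 PUBLIC KEY ----"*)
            # keep only body lines: drop the ---- delimiters and "Header: value"
            # lines together with their backslash-continued follow-ups
            blob=$(printf '%s\n' "$1" | tr -d '\r' | awk '
                /^----/        { next }
                cont           { cont = /\\$/; next }
                /^[A-Za-z-]+:/ { cont = /\\$/; next }
                               { gsub(/[ \t]/, ""); printf "%s", $0 }')
            type=$(blob_key_type "$blob") || return 1
            comment=$(printf '%s\n' "$1" | sed -n 's/^Comment: *"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' | head -n 1)
            printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}"
            ;;
        "ssh-rsa AAAA"*|"ssh-ed25519 AAAA"*|ecdsa-sha2-nistp*" AAAA"*|sk-*" AAAA"*)
            type=${1%% *}; rest=${1#* }; blob=${rest%% *}
            # the type written in front of the blob must agree with the one inside it
            [ "$(blob_key_type "$blob")" = "$type" ] || return 1
            printf '%s\n' "$1"
            ;;
        *)
            return 1   # e.g. a PEM block or a private key pasted by mistake
            ;;
    esac
}

# Install KEY for the account whose home is HOME_DIR. OWNER, when given, is
# chowned onto the result (needed when this runs through sudo for another user).
install_authorized_key() {
    home_dir=$1 owner=${3:-}
    line=$(to_openssh_line "$2") || { echo "not an OpenSSH or SSH2 public key" >&2; return 1; }
    blob=${line#* }; blob=${blob%% *}
    dir=$home_dir/.ssh; file=$dir/authorized_keys
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    [ -f "$file" ] || : > "$file"
    chmod 0600 "$file" || return 1   # 0644 also passes StrictModes; group/world-writable does not
    if ! grep -qF -- "$blob" "$file"; then
        # a file without a trailing newline would otherwise swallow the new entry
        [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ] && echo >> "$file"
        printf '%s\n' "$line" >> "$file"
    fi
    [ -z "$owner" ] || chown -R "$owner:" "$dir"
}

# Number of key lines currently installed under HOME_DIR.
count_authorized_keys() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys"
}

# Stand-alone use: sudo sh addkey.sh /home/username 'ssh-ed25519 AAAA... user@host' username
if [ "$#" -ge 2 ]; then
    install_authorized_key "$1" "$2" "${3:-}" &&
    echo "installed; $(count_authorized_keys "$1") key(s) present"
fi
```

Deduplication compares only the base64 blob, so the same key pasted with a different comment is still recognised as already installed. The RFC4716 branch covers the mistake the NOTE in step 9 warns about; ssh-keygen -i -f file.pub does the same conversion if it is available on the server.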


After this you can disable direct SSH login by following: http://blog.hasantokatli.com/?p=39