Une sécurisation maximale : seuls les services utilisés pour le web et SSH restent accessibles, via iptables et fail2ban, sous Linux, quelle que soit la distribution de votre choix, que ce soit desktop ou serveur.
sudo -i
apt update && apt upgrade -y && apt install -y fail2ban # iptables-persistent
#dpkg-reconfigure iptables-persistent
nano /etc/resolv.conf
nameserver 1.1.1.1
nameserver 1.0.0.1
#nameserver 2606:4700:4700::1111
#nameserver 2606:4700:4700::1001
iptables -L #info
nano /etc/ssh/sshd_config
******
# Ne pas permettre de login en root
PermitRootLogin no
# N'autoriser qu'un utilisateur précis
# (pas de commentaire en fin de ligne dans sshd_config : sshd lirait les mots qui suivent comme des arguments)
AllowUsers alexonbstudio
#changer le port SSH n'est pas une solution
*******
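# Validate the configuration first: restarting on a broken sshd_config leaves
# sshd down and locks out any remote session.
sshd -t && /etc/init.d/ssh restart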
nano /etc/init.d/firewall
===========================================
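#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Default-deny iptables rules for a web + SSH host
### END INIT INFO
#
# Usage: /etc/init.d/firewall [start|stop|restart|status]
#   start (or no argument): flush and apply the ruleset below
#   stop                  : flush and open everything (policy ACCEPT)
#   status                : list the active filter table
#
# Only IPv4 is filtered. ip6tables is left untouched, so on a host with IPv6
# connectivity every service stays reachable over v6 until these rules are
# mirrored with ip6tables (or IPv6 is disabled).
#
# "-F"/"-X" also remove the chains fail2ban maintains: restart fail2ban after
# (re)applying this script so its active bans are put back.

# Address allowed in unconditionally (the "adresse_ip" of the original notes).
# Leave empty to disable the exception; no rule is added for an empty value.
ADMIN_IP=""

# Drop every rule and every user-defined chain of the filter table.
flush_rules() {
  iptables -t filter -F
  iptables -t filter -X
}

# Apply the default-deny ruleset.
apply_rules() {
  flush_rules

  # Deny by default in all three directions; the ACCEPT rules below are the
  # only holes. There is deliberately no "-A INPUT -j DROP" here: appended
  # before the ACCEPT rules it would shadow all of them (INPUT is walked
  # top-down) and cut the machine off, and the DROP policy already covers it.
  iptables -t filter -P INPUT DROP
  iptables -t filter -P FORWARD DROP
  iptables -t filter -P OUTPUT DROP

  # Loopback
  iptables -t filter -A INPUT -i lo -j ACCEPT
  iptables -t filter -A OUTPUT -o lo -j ACCEPT

  # Administrative exception (optional)
  if [ -n "$ADMIN_IP" ]; then
    iptables -t filter -A INPUT -s "$ADMIN_IP" -j ACCEPT
  fi

  # Chains for the fail2ban jails; each only RETURNs until fail2ban fills it.
  # For Apache, use the corresponding fail2ban-apache* names instead.
  # Recent fail2ban versions create and insert their own chains, in which case
  # these stay empty and are harmless.
  for chain in fail2ban-nginx fail2ban-nginx-badbots fail2ban-nginx-nohome \
      fail2ban-nginx-noscript fail2ban-nginx-overflows; do
    iptables -t filter -N "$chain"
    iptables -t filter -A INPUT -p tcp -m multiport --dports 80,443 -j "$chain"
    iptables -t filter -A "$chain" -j RETURN
  done
  iptables -t filter -N fail2ban-ssh
  iptables -t filter -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
  iptables -t filter -A fail2ban-ssh -j RETURN

  # Keep established flows alive in both directions
  iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # ICMP (ping)
  iptables -t filter -A INPUT -p icmp -j ACCEPT
  iptables -t filter -A OUTPUT -p icmp -j ACCEPT

  # SSH: inbound to the local server, outbound as a client
  iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

  # DNS: outbound only. This host is a resolver *client* (nameservers in
  # /etc/resolv.conf); the replies come back via the ESTABLISHED rule above.
  # Inbound 53 is not opened: the only services exposed are web and SSH.
  iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  # Uncomment only if this machine really runs a DNS server:
  #iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
  #iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

  # HTTP + HTTPS: inbound for the web server, outbound for apt and the like
  iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

  # Add further iptables rules here
}

# Remove the firewall entirely (used by "stop").
open_all() {
  flush_rules
  iptables -t filter -P INPUT ACCEPT
  iptables -t filter -P FORWARD ACCEPT
  iptables -t filter -P OUTPUT ACCEPT
}

case "${1:-start}" in
  start|restart|reload|force-reload)
    apply_rules
    ;;
  stop)
    open_all
    ;;
  status)
    iptables -t filter -L -n -v
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 1
    ;;
esac

exit 0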
===========================================
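chmod +x /etc/init.d/firewall
update-rc.d firewall defaults   # register it in the boot sequence
# To take it out of the boot sequence again (an alternative, not a step to
# run right after the line above):
#update-rc.d -f firewall remove
# Apply it now. Keep the current session open and confirm from a second one
# that SSH still works before logging out, so a rule mistake cannot lock you out.
/etc/init.d/firewall start
iptables -L -n -v
########
# Manual ban / allow of one address. Use -I (insert at the top of INPUT):
# a rule appended with -A lands after the existing ACCEPT rules for 22/80/443
# and is never reached for those ports.
# iptables -I INPUT -s adresse_ip -j DROP    # ban an IP
# iptables -I INPUT -s adresse_ip -j ACCEPT  # allow an IP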
-------------------
fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
systemctl enable fail2ban
nano /etc/fail2ban/jail.local
===============
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
#action = $(action_)s
[ssh]
enabled = true
port = ssh
filter = sshd
maxretry = 2
# iplocal myip (pas de commentaire en fin de ligne : il risque d'être lu comme une adresse supplémentaire)
ignoreip = 123.123.123.123
###### APACHE OR NGINX
[nginx]
#[apache]
enabled = true
port = http,https
# le nom doit correspondre au fichier de /etc/fail2ban/filter.d (nginx-http-auth.conf, créé plus bas)
filter = nginx-http-auth
#filter = apache-auth
logpath = /var/log/nginx/*custom_log_location.log
#logpath = /var/log/apache*/*custom_log_location.log
maxretry = 3
findtime = 600
[nginx-noscript]
#[apache-noscript]
# NB : le failregex nginx-noscript défini plus bas (^<HOST> -.*GET ...) a le format du journal d'accès ; avec logpath sur *error.log il ne correspondra a priori à rien. Même remarque pour nginx-nohome et nginx-badbots.
enabled = true
port = http,https
filter = nginx-noscript
#filter = apache-noscript
logpath = /var/log/nginx/*error.log
#logpath = /var/log/apache*/*error.log
maxretry = 3
findtime = 600
[nginx-overflows]
#[apache-overflows]
enabled = true
port = http,https
# NB : aucun filtre nginx-overflows n'est créé dans ces notes ; sans fichier filter.d/nginx-overflows.conf ce jail ne pourra pas démarrer
filter = nginx-overflows
#filter = apache-overflows
logpath = /var/log/nginx/*error.log
#logpath = /var/log/apache*/*error.log
maxretry = 2
[nginx-badbots]
#[apache-badbots]
enabled = true
port = http,https
filter = nginx-badbots
#filter = apache-badbots
logpath = /var/log/nginx/*error.log
#logpath = /var/log/apache*/*error.log
maxretry = 2
[nginx-nohome]
#[apache-nohome]
enabled = true
port = http,https
filter = nginx-nohome
#filter = apache-nohome
logpath = /var/log/nginx/*error.log
#logpath = /var/log/apache*/*error.log
maxretry = 2
================
systemctl restart fail2ban
#OR -> /etc/init.d/fail2ban restart
fail2ban-client status
================
cd /etc/fail2ban/filter.d
nano nginx-http-auth.conf
[Definition]
# un motif par ligne, lignes suivantes indentées ; pas de virgule de séparation (elle ferait partie du motif et rien ne correspondrait)
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTPS/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTPS/\d+\.\d+", host: "\S+"\s*$
ignoreregex =
cp apache-badbots.conf nginx-badbots.conf
nano nginx-noscript.conf
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
ignoreregex =
nano nginx-nohome.conf
[Definition]
failregex = ^<HOST> -.*GET .*/~.*
ignoreregex =
nano nginx-noproxy.conf
[Definition]
# un motif par ligne, sans virgule finale
failregex = ^<HOST> -.*GET http.*
            ^<HOST> -.*GET https.*
ignoreregex =
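# Apache is no longer wanted: remove it and install nginx instead.
# (-y on autoremove too, otherwise the chain stops at an interactive prompt)
apt remove apache2 -y && apt autoremove -y && apt install -y nginx && apt clean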
# reste plus installé un SSL
#Suppression automatique des logs (attention : supprimer les logs efface ce que fail2ban lit et l'historique utile en cas d'incident ; logrotate gère en général déjà la rotation)
crontab -e
@monthly rm /var/log/nginx/*custom_log_location.log
#@monthly rm /var/log/apache*/*custom_log_location.log
@monthly rm /var/log/nginx/*error.log
#@monthly rm /var/log/apache*/*error.log
@weekly apt update && apt upgrade -y
Antivirus - ClamAV
apt install clamav clamav-daemon libclamunrar6
systemctl enable clamav-freshclam
systemctl stop clamav-freshclam
freshclam #mise à jour
# Mise à jour - autre méthode
#or -> mkdir -p /var/lib/clamav && cd /var/lib/clamav
#or -> wget https://database.clamav.net/daily.cvd
#or -> chmod +x daily.cvd
systemctl start clamav-freshclam
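#scan: quarantine detections instead of deleting them (a false positive removed
# from / is unrecoverable) and skip the pseudo-filesystems, which hold no files
# worth scanning. The quarantine path is an example under the admin's home;
# adjust as needed.
mkdir -p /home/alexonbstudio/quarantine
clamscan --infected --recursive \
  --exclude-dir='^/(proc|sys|dev|run)' \
  --exclude-dir='^/home/alexonbstudio/quarantine' \
  --move=/home/alexonbstudio/quarantine / >> /home/alexonbstudio/finale-scan.txt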
# https://github.com/alexonbstudio/sysadmin (Desktop & Server)