_St0rm

A quick way to secure a VPS.

Mar 16th, 2012
# +----------------------------------------------------+
# | ssh -p your-port-number-here root@your-server-here |
# | ssh -p 67993 root@echelon.nsa.gov                  |
# |                                                    |
# | Title: This is what I do when I'm bored.           |
# | Author: _St0rm                                     |
# +----------------------------------------------------+

# Adding a new user
root@echelon:~$ adduser comrade

# Installing sudo, plus nano to edit the sudoers file
root@echelon:~$ apt-get install sudo
root@echelon:~$ apt-get install nano

# Adding the new user to the sudoers file + giving root privileges
root@echelon:~$ nano /etc/sudoers

root    ALL=(ALL:ALL) ALL
comrade ALL=(ALL:ALL) ALL

root@echelon:~$ login

Login: comrade
Password for comrade:
comrade@echelon:~$

# Updating the package index, then upgrading installed packages
comrade@echelon:~$ sudo apt-get update
comrade@echelon:~$ sudo apt-get upgrade

# Installing apache, iptables, mysql and php5
comrade@echelon:~$ sudo apt-get install apache2
comrade@echelon:~$ sudo apt-get install iptables
comrade@echelon:~$ sudo apt-get install mysql-server mysql-client
comrade@echelon:~$ sudo apt-get install php5-mysql

# Creating a 404 page for visitors, e.g. http://www.website.com/Nuclear-Launch-Codes == 404.html - redirects all to defense.gov
comrade@echelon:~$ nano /var/www/404.html

<html><head><meta http-equiv="REFRESH" content="0;url=https://www.defense.gov/"></head></html>

# Creating the same but for Forbidden documents instead; this one redirects to nsa.gov
comrade@echelon:/var/www$ nano 403.html

<html><head><meta http-equiv="REFRESH" content="0;url=https://www.nsa.gov/"></head></html>

comrade@echelon:~$ nano /var/www/robots.txt

User-agent: Googlebot
Disallow: /
Crawl-delay: 10

User-agent: Slurp
Disallow: /
Crawl-delay: 10

User-agent: *
Disallow: /
Crawl-delay: 10

User-agent: Bingbot
Disallow: /
Crawl-delay: 10

User-agent: Msnbot
Disallow: /
Crawl-delay: 10

User-agent: Scanner
Disallow: /
Crawl-delay: 10

User-agent: YahooBot
Disallow: /
Crawl-delay: 10

User-agent: baiduspider
Disallow: /
Crawl-delay: 10

User-agent: naverbot
Disallow: /
Crawl-delay: 10

User-agent: seznambot
Disallow: /
Crawl-delay: 10

User-agent: teoma
Disallow: /
Crawl-delay: 10

User-agent: Yandex
Disallow: /
Crawl-delay: 10

User-agent: Bot
Disallow: /
Crawl-delay: 10

# Installing fail2ban -- IPS.
comrade@echelon:~$ sudo apt-get install fail2ban

# Changing the MOTD shown when users log in to my server
comrade@echelon:~$ sudo nano /etc/motd

******Welcome back to the server!******
-bla bla bla this is message of the day-

# Installing aide
comrade@echelon:~$ sudo apt-get install aide

# Changing apache conf; these are the ones I have changed, the rest are left at default
comrade@echelon:/etc/apache2$ sudo nano apache2.conf

Timeout 300
KeepAlive Off
HostnameLookups On
LogLevel warn

# Changing apache's httpd.conf file to give away less information
comrade@echelon:/etc/apache2$ sudo nano httpd.conf

ServerSignature Off
ServerTokens Prod

<Directory />
  Options None
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>

ErrorDocument 404 /404.html
ErrorDocument 403 /403.html


# Here you can change icons and default icons.
comrade@echelon:~$ sudo nano /etc/apache2/mods-enabled/autoindex.conf

# Changing fail2ban's settings; here are the ones I have changed
comrade@echelon:~$ sudo nano /etc/fail2ban/fail2ban.conf

loglevel = 2
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock

# Changing jail.conf
comrade@echelon:~$ sudo nano /etc/fail2ban/jail.conf

ignoreip = 127.0.0.1
bantime = 6000
maxretry = 3
backend = polling
destemail = never.gonna.know@yahoo.com
mta = sendmail
protocol = tcp

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3

[ssh-ddos]

enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 3

[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

[couriersmtp]

enabled  = true
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


# Installing irssi for irc
comrade@echelon:~$ sudo apt-get install irssi

# Installing Python
comrade@echelon:~$ sudo apt-get install python

# Installing perl
comrade@echelon:~$ sudo apt-get install perl

# Installing PPP for a VPN connection
comrade@echelon:~$ sudo apt-get install ppp

# Changing the ssh client configuration to my own settings
comrade@echelon:~$ sudo nano /etc/ssh/ssh_config

HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no

# Changing the sshd configuration to my own settings
comrade@echelon:~$ sudo nano /etc/ssh/sshd_config

Port 65326
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
LogLevel WARN
StrictModes yes
PermitRootLogin yes

# Whether you disable root login is up to you.

IgnoreRhosts yes
PermitEmptyPasswords no
HostbasedAuthentication no

# You can add host-based restrictions here, e.g. "only accept root login from this IP". Also PAM and RSA key authentication settings.

PrintLastLog yes
UsePAM yes

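sshd reads its config first-match: the first line that sets a keyword wins and later duplicates are ignored, so a hardening line appended below an existing one changes nothing. The following is an added example, not from the paste, that prints the value sshd will actually use and compares a few keywords against a hardened baseline; the baseline and the sample config are my own constructions.

```shell
# Added example, not from the paste. sshd_config is FIRST-match: the first line
# that sets a keyword wins and later duplicates are ignored, so appending
# "PermitRootLogin no" under the paste's "PermitRootLogin yes" changes nothing.
# Keywords are case-insensitive. The sample config is constructed for the demo.

SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
Port 65326
Protocol 2
PermitRootLogin yes
# this later duplicate does NOT take effect
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication no
EOF
)

# sshd_effective KEYWORD [FILE]: print the value sshd will use, or "(default)"
# when FILE never sets it. FILE defaults to /etc/ssh/sshd_config.
sshd_effective() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == want {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            print; found = 1; exit                       # first match wins
        }
        END { if (!found) print "(default)" }
    ' "${2:-/etc/ssh/sshd_config}"
}

# audit_sshd FILE: print each keyword whose effective value differs from a
# hardened baseline (my choice, not the paste's); returns the number of findings.
audit_sshd() {
    findings=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no HostbasedAuthentication=no Protocol=2; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$key" "$1")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got' (want '$want')"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Demo on the constructed sample: prints "PermitRootLogin is 'yes' (want 'no')".
tmp=$(mktemp); printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
audit_sshd "$tmp" || true
rm -f "$tmp"
```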

comrade@echelon:~$ sudo apt-get install vim
comrade@echelon:~$ sudo apt-get install yum

# Changing the password hashing algorithm: passwords are taken out of /etc/passwd and their hashes are stored in /etc/shadow
comrade@echelon:~$ sudo nano /etc/pam.d/common-password

password        [success=1 default=ignore]      pam_unix.so obscure sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional                        pam_ecryptfs.so


# Rather than this: $1$jmG9uZUU$j2diNHCtKEC/0KLchlw96.
# You now have this: $8$gMLLKls.$p0713lEoDgwZPQwEnP9r.xkSXUzldol7dAOgUQ88ZCswZmwkgg/jzHV.HlznaY/sMFx6C2leEog3dF/XvCDwn/
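Switching pam_unix to sha512 only affects passwords set afterwards, and glibc's crypt(3) marks SHA-512 crypt hashes with the id "$6$" (MD5 crypt is "$1$"). This added example, not from the paste, audits shadow lines by hash id and checks that /etc/passwd holds only the "x" placeholder; the sample lines are constructed.

```shell
# Added example, not from the paste. glibc's crypt(3) marks SHA-512 crypt hashes
# with the id "$6$" and MD5 crypt with "$1$"; switching pam_unix to sha512 only
# affects passwords set AFTERWARDS, so each account keeps its old hash until its
# password is changed. Sample lines are constructed, not real accounts.

SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$saltsalt$CONSTRUCTED.sha512.hash.value:15411:0:99999:7:::
comrade:$6$saltsalt$CONSTRUCTED.sha512.hash.value:15411:0:99999:7:::
sjoko:$1$jmG9uZUU$CONSTRUCTED.md5.hash.value:15408:0:99999:7:::
backup:*:15408:0:99999:7:::
guest::15408:0:99999:7:::
EOF
)

# hash_algo HASHFIELD: name the scheme from the $id$ prefix of a shadow hash.
hash_algo() {
    case $1 in
        '$6$'*)          echo sha512crypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$1$'*)          echo md5crypt ;;
        '$2'[aby]'$'*)   echo bcrypt ;;
        '*' | '!'*)      echo locked ;;
        '')              echo EMPTY ;;
        *)               echo des-or-unknown ;;
    esac
}

# audit_shadow: read shadow lines on stdin, print "user algo" for each, and
# return the number of weak accounts (md5crypt, des-or-unknown or EMPTY).
audit_shadow() {
    weak=0
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        algo=$(hash_algo "$hash")
        echo "$user $algo"
        case $algo in md5crypt | des-or-unknown | EMPTY) weak=$((weak + 1)) ;; esac
    done
    return $weak
}

# passwd_has_hashes: succeed (exit 0) if any /etc/passwd line on stdin still
# carries a hash in field 2 instead of the "x" placeholder that points at /etc/shadow.
passwd_has_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" { found = 1 } END { exit !found }'
}

# Demo on the constructed sample: lists sjoko as md5crypt and guest as EMPTY.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow || echo "weak accounts: $?"
```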

# Editing the /var/www/.htaccess file -- this file should be: chmod 644

# bytes, 0-2147483647 (2GB)
LimitRequestBody 10240000

IndexIgnore *

ServerSignature Off
Include httpd.conf

<Directory "/var/www">
  Options +Indexes +FollowSymLinks +ExecCGI
  AllowOverride AuthConfig FileInfo
  Order allow,deny
  Allow from all
</Directory>

ErrorDocument 403 /403.html
ErrorDocument 404 /404.html

AllowOverride All
KeepAlive Off
Include httpd.conf

<Directory />
  Options None
  AllowOverride None
  Order allow,deny
  deny from someones-ip-address
  deny from someones-ip-address
  deny from someones-ip-address
  allow from all
</Directory>


# to check server headers
comrade@echelon:~$ sudo apt-get install wget

# Getting commands like dig, to get dns records
comrade@echelon:~$ sudo apt-get install dnsutils

# Setting up the directories for the webserver

ls /var/www/

/404.html
/403.html
/Style.css
/Videos.html
/dot.gif
/favicon.ico
/images/
/index.html
/robots.txt

So let's say you upload a photo to your /var/www/
so there is /var/www/test.jpg -- you forgot to put it in /images/
so... just simply....
chmod 711 /var/www/images/
mv /var/www/test.jpg /var/www/images/test.jpg
cd /var/www/images
chmod o+r test.jpg

So now: http://www.website.com/images/test.jpg -- you can see this.
But: http://www.website.com/images/ -- takes you to www.nsa.gov (Forbidden) (403.html)

Also, rather than linking to http://www.website.com/about-us.html
try linking from index.html to http://www.website.com/about-us
you won't need .html and it looks more professional.

The robots.txt will stop a lot of scanners.
#--------------------------------------------------------------------------------------------------------------------
                                    The advantages I have outlined:

When you have a 404, for example:
http://www.website.com/lol-derp-i-like-turtles-lolololol-derpereprerperp/
You will be redirected to: https://www.defense.gov/

When you have a 403, for example:
http://www.website.com/directory-full-of-launch-codes/
You will be redirected to: https://www.nsa.gov/
#--------------------------------------------------------------------------------------------------------------------
When you do a server header check:

comrade@echelon:/$ wget -S tweetstats.com
Server: Apache/2.2.8 (Ubuntu) Phusion_Passenger/2.2.2
Content-Type: text/html; charset=utf-8
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.2
Connection: keep-alive

You NOW get:
comrade@echelon:/$ wget -S your-website-here

Server: Apache
Content-Type: text/html
Connection: close
#--------------------------------------------------------------------------------------------------------------------
Connecting to the server:

Instead of port 22 for ssh, you now have your port on: 65326

This is a lot harder to find with port scanners.
Also now:

comrade@echelon:~$ nmap -F your-website-here

Not shown: 97 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp        <-- SMTP for mail
80/tcp   open  http        <-- Web server
1829/tcp open  pptp        <-- VPN
#--------------------------------------------------------------------------------------------------------------------
Passwords:

For example, this is the default apache /etc/passwd file for DestructiveSecurity.com #LulzFailz

root@delta [~]# cat /etc/passwd


So here is mine:

comrade@echelon:~$ sudo cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
sjoko:x:1001:1001:,,,:/home/sjoko:/bin/bash
comrade:x:1000:1000:,,,:/home/comrade:/bin/bash
#--------------------------------------------------------------------------------------------------------------------
The passwords are now stored within the /etc/shadow file.
But the passwords are not shitty MD5 hashes with salt.
They are SHA512 with salt, which is very good imo.

comrade@echelon:~$ sudo cat /etc/shadow

sjoko:$8$Tqt.X03MO1euILPmQPmQQWW7loTqPb.yeuILPmQ/euILPmQ.qnZdYdMiQN/l1P/Q6srz1cS.X03MO1qnZdYdgHueuILPmWGgP:15408:0:99999:7:::
comrade:$8$T61Xa.euILPmQ35CT0Mo8IeuILPmQ/X03MO1qnZdYdg250cf8b51c773f3f.hVeuILPmQX0.3MO1qnZdYdgyfeuILPmQRcOg1m4164UzKbLF.:15411:0:99999:7:::
#--------------------------------------------------------------------------------------------------------------------
MySQL-PHP

Rather than just .html, maybe you want to have mysql/php on the website? So that is why it's added above. :)
#--------------------------------------------------------------------------------------------------------------------
This was more for just a quick VPS setup. This can take you around 10 minutes.

Then all you do: reboot
wait 2 minutes, log in on the new ssh port, change your password to something like:
rH<.T2177'e}r#y;Rp584|t<%I9_eX

Then you have a fairly decently protected server.
There are lots more ways to add more protection. But for 10 minutes, setting all of this up is not bad imo.
#--------------------------------------------------------------------------------------------------------------------
Now all you need to do is register a domain.
Then you can host on cloudflare:

A record: website.com - Points to: cloudflare-IP
CNAME record: www.website.com - Points to: Cloudflare-IP

Delete any other records if you do not wish to have them. etc.

Now that you're hosting on cloudflare, you don't have any subdomains except maybe mail.website.com but then
that would be on a different host.
You are protected against -some- ddos attacks.

Use /var/log/apache2/access.log as a guide to see who to block and why.

Think about blocking country by country. Makes life a lot easier.
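To make the access.log decision concrete, here is an added example (not from the paste) that tallies hits, 403s and 404s per client IP and lists the IPs worth a deny rule; the log lines and IPs are constructed.

```shell
# Added example, not from the paste: summarise an Apache combined access.log per
# client IP so "who to block and why" rests on numbers rather than a scroll
# through the file. The log lines below are constructed for the demo and the
# IPs come from documentation ranges.

SAMPLE_ACCESS_LOG=$(cat <<'EOF'
203.0.113.9 - - [16/Mar/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Mar/2012:10:00:02 +0000] "GET /images/dot.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.77 - - [16/Mar/2012:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 300 "-" "Scanner"
198.51.100.77 - - [16/Mar/2012:10:00:03 +0000] "GET /lol-derp-i-like-turtles/ HTTP/1.1" 404 210 "-" "Scanner"
198.51.100.77 - - [16/Mar/2012:10:00:04 +0000] "GET /directory-full-of-launch-codes/ HTTP/1.1" 403 200 "-" "Scanner"
198.51.100.77 - - [16/Mar/2012:10:00:04 +0000] "GET /images/ HTTP/1.1" 403 200 "-" "Scanner"
EOF
)

# log_summary: combined-format lines on stdin -> "ip hits 403s 404s",
# one line per IP, busiest first. $1 is the client IP, $9 the status code.
log_summary() {
    awk '{
        hits[$1]++
        if ($9 == 403) forbidden[$1]++
        if ($9 == 404) notfound[$1]++
    }
    END { for (ip in hits) printf "%s %d %d %d\n", ip, hits[ip], forbidden[ip] + 0, notfound[ip] + 0 }' |
    sort -k2,2nr
}

# block_candidates [MIN_HITS]: from log_summary output on stdin, print the IPs
# with at least MIN_HITS requests (default 5) where more than half were 403/404.
block_candidates() {
    awk -v min="${1:-5}" '$2 >= min && ($3 + $4) * 2 > $2 { print $1 }'
}

# Demo on the constructed sample: only 198.51.100.77 qualifies at MIN_HITS=3.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | log_summary | block_candidates 3
```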
#--------------------------------------------------------------------------------------------------------------------

_St0rm - twitter.com/_St0rm - twitter.com/St0rmSec
http://stormsecurity.bislr.com

#--------------------------------------------------------------------------------------------------------------------