diff --git a/README.md b/README.md
index d345b31..efe65d3 100644
--- a/README.md
+++ b/README.md
@@ -31,4 +31,5 @@ This guide assumes the following:
 - [Automating upgrades](./upgrade.md)
 ### Tips
-- [Moving data between servers](./data.md)
\ No newline at end of file
+- [Moving data between servers](./data.md)
+- [Set up unattended-upgrades](./unattended-upgrades.md)
diff --git a/iptables.md b/iptables.md
new file mode 100644
index 0000000..0ab37ab
--- /dev/null
+++ b/iptables.md
@@ -0,0 +1,57 @@
+### 1: Drop invalid packets ###
+/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
+
+### 2: Drop TCP packets that are new and are not SYN ###
+/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
+
+### 3: Drop SYN packets with suspicious MSS value ###
+/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
+
+### 4: Block packets with bogus TCP flags ###
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
+
+### 5: Block spoofed packets ###
+/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 !
-i lo -j DROP
+
+### 6: Drop ICMP (you usually don't need this protocol) ###
+/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP
+
+### 7: Drop fragments in all chains ###
+/sbin/iptables -t mangle -A PREROUTING -f -j DROP
+
+### 8: Limit connections per source IP ###
+/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
+
+### 9: Limit RST packets ###
+/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
+
+### 10: Limit new TCP connections per second per source IP ###
+/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
+/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
+
+### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
+# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section
+
+### SSH brute-force protection ###
+/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
+/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
+
+### Protection against port scanning ###
+/sbin/iptables -N port-scanning
+/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
+/sbin/iptables -A port-scanning -j DROP
diff --git a/unattended-upgrades.md b/unattended-upgrades.md
new file mode 100644
index 0000000..03f9c48
--- /dev/null
+++ b/unattended-upgrades.md
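Review bot: The `port-scanning` chain created in the last three lines of this hunk is never referenced from INPUT (or any built-in chain), so its RST rate limit and final DROP never see traffic; add `/sbin/iptables -A INPUT -j port-scanning` after the chain is populated. Rule 10's heading says "per source IP" but `-m limit` keeps a single global token bucket, so one busy client exhausts the 60/s budget for every other client — `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 60/s --hashlimit-burst 20 --hashlimit-name new-tcp` gives the per-source behaviour the heading promises. Rule 5 drops all RFC 1918 sources and rule 6 drops all ICMP on every interface, which will lock out a host that sits behind NAT or in a private cloud subnet and breaks path-MTU discovery; both should be qualified with the external interface (`-i <wan-if>`, placeholder) and ICMP `fragmentation-needed` should be accepted at minimum. The line under "### 11" (`# Hidden - unlock content above ...`) is a leftover from the copied source and should be replaced by the intended rule or removed so readers do not run an incomplete set.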
@@ -0,0 +1,80 @@
+# Set up automatic updates
+
+The unattended-upgrades package can be used to automatically install updated packages, and can be configured to update all packages or just install security updates, follow the next steps:
+
+**Install the unattended-upgrades package:**
+```bash
+sudo apt install unattended-upgrades
+```
+
+**configure automatic updates by editing the configuration file:**
+
+```bash
+sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
+```
+The beginning of the configuration file should look like this:
+```
+// Automatically upgrade packages from these (origin:archive) pairs
+//
+// Note that in Ubuntu security updates may pull in new dependencies
+// from non-security sources (e.g. chromium). By allowing the release
+// pocket these get automatically pulled in.
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+ // Extended Security Maintenance; doesn't necessarily exist for
+ // every release and this system may not have it installed, but if
+ // available, the policy for updates is such that unattended-upgrades
+ // should also install from here by default.
+ "${distro_id}ESM:${distro_codename}";
+// "${distro_id}:${distro_codename}-updates";
+// "${distro_id}:${distro_codename}-proposed";
+// "${distro_id}:${distro_codename}-backports";
+};
+```
+Anything after a double slash `//` is a comments and has no effect.
+To `enable` a line, remove the double slash at the beginning of the line (replace with nothing or with spaces to keep alignment).
+
+The most important: uncomment the “updates” line by deleting the two slashes at the beginning of it:
+```
+"${distro_id}:${distro_codename}-updates";
+```
+
+Optional: You should uncomment and adapt the following lines to ensure you’ll be notified if an error happens:
+```
+Unattended-Upgrade::Mail "user@example.com";
+Unattended-Upgrade::MailOnlyOnError "true";
+```
+
+Recommended: remove unused kernel packages and dependencies and make sure the system automatically reboots if needed by uncommenting and adapting the following lines:
+```
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+```
+↑ You may have to add a semicolon at the end of this line. ↑
+```
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-Time "02:38";
+```
+To save your changes in nano, use `Ctrl + O` followed by `Enter`. To quit, use `Ctrl + X`.
+
+**Enable automatic updates and set up update intervals by running:**
+```bash
+sudo nano /etc/apt/apt.conf.d/20auto-upgrades
+```
+
+In most cases, the file will be empty. Copy and paste the following lines:
+
+```
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+```
+
+The time interval are specified in days, feel free to change the values. Save changes and exit.
+
+**You can see if the auto-upgrades work by launching a dry run:**
+```
+sudo unattended-upgrades --dry-run --debug
+```