    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
   ██                                                                       ██
  █▌               -   SECURITY & OS UPDATE TIPS FOR LINUX   -               █▌
 █▌                                                                           █▌
 █                                                                            ▐▌
 █ These are just my mini security notes to easily and safely keep your       ▐▌
 █ system up to date. I'm using Debian to do this. On a newly installed OS    ▐▌
 █ it is best to run 'full-upgrade' before you start installing all your      ▐▌
 █ programs/packages. Doing it afterwards is fine too, but a given program    ▐▌
 █ might need more tweaking to work properly after the upgrade.               ▐▌
 █                                                                            ▐▌
 █ Always upgrade packages first before doing an OS dist upgrade.             ▐▌
 █                                                                            ▐▌
 █                          ___________..___________                          ▐▌
 █                                                                            ▐▌
 █ INSTALL SYSTEM & SECURITY UPDATES                                          ▐▌
 █ METHODS TO BE AUTO NOTIFIED OF SECURITY UPDATES                            ▐▌
 █ OTHER EASY CRUCIAL SECURITY STEPS                                          ▐▌
 █ VIEW CONNECTIONS TO YOUR SERVER                                            ▐▌
 █ HOW TO VIEW YOUR OS VERSION, DISTRO & KERNEL                               ▐▌
 █ MISC COMMANDS                                                              ▐▌
 █                          ___________..___________                          ▐▌
 █                                                                            ▐▌
 █                                                                            ▐▌
 █ INSTALL SYSTEM & SECURITY UPDATES:                                         ▐▌
 █ ``````````````````````````````````                                         ▐▌
 █ su                                                                         ▐▌
 █ aptitude :shows aptitude's list only, hit enter key to expand list         ▐▌
 █ aptitude update or apt-get update :downloads the updated 'list' of         ▐▌
 █                                     package meta-data                      ▐▌
 █ aptitude upgrade or apt-get upgrade :to upgrade packages                   ▐▌
 █ apt-get update && apt-get upgrade :common method to update the list and    ▐▌
 █                                    upgrade packages                        ▐▌
 █ aptitude -P upgrade :to view packages and agree before installing          ▐▌
 █ This list of servers that aptitude or apt-get uses is here:                ▐▌
 █ cat /etc/apt/sources.list                                                  ▐▌
 █ When doing a full dist upgrade to another flavor you'll need to edit that  ▐▌
 █ list accordingly.                                                          ▐▌
 █                                                                            ▐▌
 █ aptitude -s -y safe-upgrade :to simulate/test run a safe-upgrade           ▐▌
 █ aptitude safe-upgrade :main command for upgrades; upgrades every installed ▐▌
 █ package to the newest version offered by your sources.list (the security   ▐▌
 █ updates come from the security.debian.org line in it). It won't remove     ▐▌
 █ packages to get there, so it will hold a package back if:                  ▐▌
 █ - a dependency it relies on has not been updated to the required version   ▐▌
 █ - installing the upgrade means removing dependencies that other packages   ▐▌
 █   need                                                                     ▐▌
 █                                                                            ▐▌
 █ aptitude -s -y full-upgrade :to simulate/test run an OS upgrade.           ▐▌
 █ aptitude full-upgrade :previously known (and still recognized) as          ▐▌
 █                        dist-upgrade, performs major upgrades to the OS or: ▐▌
 █ apt-get dist-upgrade                                                       ▐▌
 █ exit                                                                       ▐▌
 █                                                                            ▐▌
 █ man aptitude, and here is a good article.                                  ▐▌
 █ Most security updates don't need a reboot, but a new kernel only takes     ▐▌
 █ effect after one, and a patched library (libssl, libc) is only used by     ▐▌
 █ processes restarted after the upgrade; checkrestart (from the package      ▐▌
 █ debian-goodies) lists the ones that still need it. A dist upgrade does     ▐▌
 █ need a reboot.                                                             ▐▌
 █                                                                            ▐▌
 █ When running an update and there is a prompt to read, to leave that        ▐▌
 █ window press q and aptitude or apt-get will resume. An example of this     ▐▌
 █ type of output:                                                            ▐▌
 █ [snip]                                                                     ▐▌
 █ clients, uncomment the 'SSLInsecureRenegotiation on' line in               ▐▌
 █ /etc/apache2/mods-available/ssl.conf                                       ▐▌
 █ -- Stefan Fritsch <sf@debian.org>  Mon, 15 Nov 2010 22:53:03 +0100         ▐▌
 █                                                                            ▐▌
 █ After completing an upgrade I have always had to redo a number of Apache   ▐▌
 █ modules. If you use Apache view the log for errors:                        ▐▌
 █ tail -50 /var/log/apache2/error.log                                        ▐▌
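 █ The routine above as a script (an added example, not from this page):      ▐▌
 █ update the list, simulate the safe-upgrade, apply it, then check whether   ▐▌
 █ the kernel you are running is still the newest one installed, which is     ▐▌
 █ the one case where a plain security update still needs a reboot. It        ▐▌
 █ assumes a Debian box with /boot/vmlinuz-* files and GNU sort -V (both      ▐▌
 █ mine, not the page's). Saved as upgrade-check.sh, run it with:             ▐▌
 █ sh upgrade-check.sh run                                                    ▐▌

```sh
#!/bin/sh
# Added example, not code from the original page: the update routine from
# this section as a script, plus a check for the one "security update only"
# case that still needs a reboot: a new kernel that is installed but not
# yet running. Assumptions (mine): Debian, kernels installed as
# /boot/vmlinuz-<release>, GNU sort (for -V), and root for the apt commands.

set -eu

# Newest kernel release installed under the given boot directory (default
# /boot), by version sort of the vmlinuz-* names. Plain sort would put
# 3.2.0-6 after 3.2.0-10; sort -V orders them correctly. Prints nothing
# when no kernel image is found.
latest_installed_kernel() {
    bootdir=${1:-/boot}
    ls "$bootdir"/vmlinuz-* 2>/dev/null \
        | sed 's#.*/vmlinuz-##' \
        | sort -V \
        | tail -n 1
}

# True (exit 0) when the running kernel is not the newest installed one.
# $1: boot directory (default /boot); $2: running release (default uname -r).
kernel_reboot_needed() {
    bootdir=${1:-/boot}
    running=${2:-$(uname -r)}
    newest=$(latest_installed_kernel "$bootdir")
    [ -n "$newest" ] && [ "$newest" != "$running" ]
}

# The procedure from this section: refresh the package list, show what a
# safe-upgrade would do, ask, run it, then say whether a reboot is due.
run_safe_upgrade() {
    apt-get update
    aptitude -s -y safe-upgrade            # simulation only: prints the plan
    printf 'Apply the upgrade shown above? [y/N] '
    read answer
    case "$answer" in
        y|Y) aptitude -y safe-upgrade ;;
        *)   echo "Nothing changed."; return 0 ;;
    esac
    if kernel_reboot_needed; then
        echo "Kernel $(latest_installed_kernel) installed, $(uname -r) running: reboot."
    else
        echo "Kernel is current. Restart services that use upgraded libraries;"
        echo "checkrestart (package debian-goodies) lists them."
    fi
}

# Only touch the system when asked to: sh upgrade-check.sh run
case "${1:-}" in
    run) run_safe_upgrade ;;
esac
```

 █ Without the run argument it only defines the functions; source it and call ▐▌
 █ kernel_reboot_needed by hand after any kernel package comes through.       ▐▌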
 █                                                                            ▐▌
 █                          ___________..___________                          ▐▌
 █                                                                            ▐▌
 █ METHODS TO BE AUTO NOTIFIED OF SECURITY UPDATES:                           ▐▌
 █ ````````````````````````````````````````````````                           ▐▌
 █ 1. E-MAILED FROM YOUR SERVER:                                              ▐▌
 █ Use apticron to be auto e-mailed when there are packages currently pending ▐▌
 █ an upgrade. The man page is HERE. Super easy to set up:                    ▐▌
 █ su                                                                         ▐▌
 █ aptitude update                                                            ▐▌
 █ aptitude install apticron                                                  ▐▌
 █ y                                                                          ▐▌
 █                                                                            ▐▌
 █ Enter the account you would like the updates sent to:                      ▐▌
 █ pico /etc/apticron/apticron.conf                                           ▐▌
 █ Has this, which means it will send local mail to the 'root' account:       ▐▌
 █ EMAIL="root"                                                               ▐▌
 █ To receive the notifications to your own e-mail, for example:              ▐▌
 █ EMAIL="you@whatever.com"                                                   ▐▌
 █ Or to be notified in your shell and your e-mail:                           ▐▌
 █ EMAIL="user,you@whatever.com"                                              ▐▌
 █                                                                            ▐▌
 █ Done :)                                                                    ▐▌
 █ NOTE: Your mail program must be configured to send mail outside of your    ▐▌
 █ box if you want it sent to outside e-mail accounts. I'm doing a tutorial   ▐▌
 █ for setting up outgoing mail- will put link here once I have finished it.  ▐▌
 █                                                                            ▐▌
 █ BTW if you would like root's e-mail sent to another location:              ▐▌
 █ pico /etc/aliases                                                          ▐▌
 █ The last line where it has:                                                ▐▌
 █ root: admin1                                                               ▐▌
 █ Change to your user name, for example:                                     ▐▌
 █ root: mewbies                                                              ▐▌
 █ Or you could assign an e-mail:                                             ▐▌
 █ root: youremail@whatever.com                                               ▐▌
 █ Or both:                                                                   ▐▌
 █ root: mewbies, youremail@whatever.com                                      ▐▌
 █                                                                            ▐▌
 █ 2. SIGN-UP FOR NOTICES:                                                    ▐▌
 █ Sign-up to the mailing list for 'Ubuntu security notices' HERE and the     ▐▌
 █ 'Debian Security Advisories' HERE or the RSS feeds, which for Ubuntu is    ▐▌
 █ HERE and Debian is HERE or a longer feed HERE.                             ▐▌
 █                                                                            ▐▌
 █ 3. IRC BOT TO INFORM OF NOTICES:                                           ▐▌
 █ Add the RSS feeds to your bot/eggdrop to receive the notices live in IRC   ▐▌
 █ and/or manually check. I use the script 'rss-synd.tcl' v0.4 by Andrew      ▐▌
 █ Scott which can be found HERE. Later versions can now be found on GitHub   ▐▌
 █ HERE.                                                                      ▐▌
 █ For your convenience this is code I use for the feeds:                     ▐▌
	set rss(ubu) {
		"url"			"http://www.ubuntu.com/usn/rss.xml"
		"channels"		"#YOURCHANNEL"
		"database"		"ubuntu.db"
		"output"		"[\002\00304Ubuntu Security Notices\003\002] @@item!title@@@@entry!title@@ - @@item!link@@@@entry!link!=href@@"
		"trigger"		"!ubu"
	}
	set rss(deb) {
		"url"			"http://www.us.debian.org/security/dsa-long"
		"channels"		"#YOURCHANNEL"
		"database"		"deb.db"
		"output"		"[\002\00308Debian Security Notices\003\002] @@item!title@@@@entry!title@@ - @@item!link@@@@entry!link!=href@@"
		"trigger"		"!deb"
	}

 █ Text format note in the code above:                                        ▐▌
 █ \002 = bold                                                                ▐▌
 █ \00304 = red                                                               ▐▌
 █ \003\002 = closing tag for color and bold                                  ▐▌
 █ \00308 = yellow                                                            ▐▌
 █                                                                            ▐▌
 █ Read this post for more text format options HERE.                          ▐▌
 █                                                                            ▐▌
 █                          ___________..___________                          ▐▌
 █                                                                            ▐▌
 █ OTHER EASY CRUCIAL SECURITY STEPS:                                         ▐▌
 █ ``````````````````````````````````                                         ▐▌
 █ For some other easy and minor, but very effective security steps:          ▐▌
 █ 1. When you aren't using Webmin, turn it off:                              ▐▌
 █ /etc/init.d/webmin stop                                                    ▐▌
 █                                                                            ▐▌
 █ 2. Change the port of your SSH / SSHD from 22 to a port with at least      ▐▌
 █ 5 digits, like this:                                                       ▐▌
 █ pico /etc/ssh/sshd_config                                                  ▐▌
 █ Has this:                                                                  ▐▌
 █ # What ports, IPs and protocols we listen for                              ▐▌
 █ Port 22                                                                    ▐▌
 █ change to for example: Port 39687                                          ▐▌
 █                                                                            ▐▌
 █ Or depending on your setup you might also need to change port here:        ▐▌
 █ pico /etc/xinetd.d/sshd                                                    ▐▌
 █ port = 22                                                                  ▐▌
 █                                                                            ▐▌
 █ Now to restart your SSH:                                                   ▐▌
 █ /etc/init.d/ssh restart                                                    ▐▌
 █ Or (on Debian the service is called ssh, not sshd):                        ▐▌
 █ service ssh restart                                                        ▐▌
 █                                                                            ▐▌
 █ Restarting sshd is enough; no reboot is needed. Keep the session you are   ▐▌
 █ in open until you have confirmed you can log in on the new port.           ▐▌
 █                                                                            ▐▌
 █ Just doing these 2 steps the failed attempts (brute force attacks) to      ▐▌
 █ login to the server in the /var/log/auth.log went from a few 1,000         ▐▌
 █ literally to 0. To view just the failed attempts:                          ▐▌
 █ grep Failed /var/log/auth.log                                              ▐▌
 █                                                                            ▐▌
 █ Moving the port only hides you from scanners that try port 22; it does     ▐▌
 █ not stop anyone who finds the new one, so still disable password logins    ▐▌
 █ (PasswordAuthentication no, PermitRootLogin no) and log in with keys.      ▐▌
 █ Also, ports above 1023 can be bound by any local user, so if sshd ever     ▐▌
 █ stops, some other process could take its port.                             ▐▌
 █                                                                            ▐▌
 █ 3. If you have an FTP server, put it on a port with at least 5 digits,     ▐▌
 █ for example port 39234.                                                    ▐▌
 █                                                                            ▐▌
 █                          ___________..___________                          ▐▌
 █                                                                            ▐▌
 █ VIEW CONNECTIONS TO YOUR SERVER:                                           ▐▌
 █ ````````````````````````````````                                           ▐▌
 █ Using netstat with various switches yields a ton of info. The man page is  ▐▌
 █ HERE.                                                                      ▐▌
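 █ Before the netstat commands, the failed-login grep from the previous       ▐▌
 █ section worked through as a script (an added example, not from this page): ▐▌
 █ it counts failed SSH logins per source IP and prints hosts.deny lines, of  ▐▌
 █ the form used further down, for any IP over a threshold. The log lines     ▐▌
 █ in it are constructed, not a real log, and it assumes Debian-style         ▐▌
 █ OpenSSH messages in auth.log and an sshd built with tcp_wrappers (mine,    ▐▌
 █ not the page's); services without libwrap ignore hosts.deny.               ▐▌

```sh
#!/bin/sh
# Added example, not code from the original page: count failed SSH logins
# per source IP in an auth.log and print /etc/hosts.deny entries for the
# worst offenders. Assumptions (mine): OpenSSH "Failed password for ..."
# lines as Debian writes them to /var/log/auth.log, and an sshd built with
# tcp_wrappers, otherwise hosts.deny does nothing for it.

set -eu

# Print "<count> <ip>" for every source IP with at least one
# "Failed password for [invalid user] NAME from IP port N ssh2" line,
# most failures first. $1 is the log file to read.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -k1,1nr
}

# Print an "ALL: <ip>" hosts.deny line for every IP with at least $2
# failures in log file $1.
hosts_deny_candidates() {
    failed_logins_by_ip "$1" | awk -v threshold="$2" '
        $1 >= threshold { print "ALL: " $2 }
    '
}

# Constructed sample log (not a real capture), in the format OpenSSH uses:
# one address hammering admin/root, one typo from a real user who then got
# in with a key, and one scanner that gave up after two tries.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Dec  6 03:14:01 host sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec  6 03:14:03 host sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Dec  6 03:14:05 host sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec  6 03:15:11 host sshd[2220]: Failed password for mewbies from 198.51.100.9 port 40022 ssh2
Dec  6 03:15:20 host sshd[2221]: Accepted publickey for mewbies from 198.51.100.9 port 40023 ssh2
Dec  6 03:16:00 host sshd[2230]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Dec  6 03:16:02 host sshd[2230]: Failed password for invalid user oracle from 192.0.2.44 port 33002 ssh2
EOF

echo "Failed logins per source IP:"
failed_logins_by_ip "$SAMPLE_LOG"
echo "hosts.deny lines for IPs with 3 or more failures:"
hosts_deny_candidates "$SAMPLE_LOG" 3
```

 █ On a real box point failed_logins_by_ip at /var/log/auth.log.              ▐▌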
 █                                                                            ▐▌
 █ Active Internet connections (w/o servers):                                 ▐▌
 █ netstat                                                                    ▐▌
 █ If the output is too long for your scroll back, you can save the results   ▐▌
 █ to a file by redirecting any of the commands, for example:                 ▐▌
 █ netstat > netstat_results.txt                                              ▐▌
 █                                                                            ▐▌
 █ Active Internet connections (servers and established):                     ▐▌
 █ netstat -an                                                                ▐▌
 █                                                                            ▐▌
 █ As above, but to count established connections to Apache on port 80:       ▐▌
 █ netstat -ant | awk '$4 ~ /:80$/ && $6 == "ESTABLISHED"' | wc -l            ▐▌
 █ (grep -w 80 would also match a remote port 80 and any address containing   ▐▌
 █ .80., plus the LISTEN line.)                                               ▐▌
 █                                                                            ▐▌
 █ Without DNS lookup - faster:                                               ▐▌
 █ netstat -ant                                                               ▐▌
 █ Or to count connections per remote IPv4 address, busiest last:             ▐▌
 █ netstat -ant | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n   ▐▌
 █                                                                            ▐▌
 █ Active Internet connections (servers and established) with the program     ▐▌
 █ attached to it:                                                            ▐▌
 █ netstat -tap                                                               ▐▌
 █                                                                            ▐▌
 █ Connections owned by one user (-e adds a User column); replace mewbie      ▐▌
 █ with a user name:                                                          ▐▌
 █ netstat -e | grep mewbie                                                   ▐▌
 █                                                                            ▐▌
 █ If you find IPs you want to ban from connecting to your server:            ▐▌
 █ pico /etc/hosts.deny                                                       ▐▌
 █ For example to ban IP 76.219.68.12, add this at the end of the file:       ▐▌
 █ ALL: 76.219.68.12                                                          ▐▌
 █ Note that hosts.deny is only honoured by services built with tcp_wrappers  ▐▌
 █ (sshd on Debian is, Apache is not); to block an address from everything,   ▐▌
 █ add an iptables rule instead.                                              ▐▌
 █                                                                            ▐▌
 █ Kernel IP routing table:                                                   ▐▌
 █ netstat -rn                                                                ▐▌
 █                                                                            ▐▌
 █                          ___________..___________                          ▐▌
 █                                                                            ▐▌
 █ HOW TO VIEW YOUR OS VERSION, DISTRO & KERNEL:                              ▐▌
 █ `````````````````````````````````````````````                              ▐▌
 █ There are various commands to output system OS information.                ▐▌
 █ - Standard text file; it shows the major version but not the point release:▐▌
 █ cat /etc/issue                                                             ▐▌
 █ Output example: Debian GNU/Linux 7 \n \l                                   ▐▌
 █                                                                            ▐▌
 █ - To view the full Debian version, point release included:                 ▐▌
 █ cat /etc/debian_version                                                    ▐▌
 █ Output example: 7.2                                                        ▐▌
 █                                                                            ▐▌
 █ - To view hostname, kernel version, build date and architecture:           ▐▌
 █ uname -a                                                                   ▐▌
 █ Output example for Squeeze:                                                ▐▌
 █ Linux Hostname 2.6.32-5-486 #1 Day MMM dd Time TZ YYYY i686 GNU/Linux      ▐▌
 █ Output example for Wheezy:                                                 ▐▌
 █ Linux Hostname 3.2.0-4-486 #1 Debian i686 GNU/Linux                        ▐▌
 █                                                                            ▐▌
 █ Which means:                                                               ▐▌
 █ i686 : 32-bit OS                                                           ▐▌
 █ x86_64 : 64-bit OS                                                         ▐▌
 █ Linux: Kernel name                                                         ▐▌
 █ 2.6.32-5-486: Kernel version                                               ▐▌
 █                                                                            ▐▌
 █ - Or to view only kernel version and architecture: uname -mrs              ▐▌
 █ Output example: Linux 2.6.32-5-486 i686                                    ▐▌
 █                                                                            ▐▌
 █ - Or to view kernel version, distribution and GCC version used to build it:▐▌
 █ cat /proc/version                                                          ▐▌
 █ Output example:                                                            ▐▌
 █ Linux version 3.2.0-4-486 (debian-kernel@lists.debian.org)                 ▐▌
 █ (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 Debian 3.2.51-1                  ▐▌
 █ /proc/version describes the running kernel, so after a kernel update it    ▐▌
 █ only shows the new one once you have rebooted.                             ▐▌
 █                                                                            ▐▌
 █ - If you have the lsb_release tool you can view the distribution name:     ▐▌
 █ lsb_release -a                                                             ▐▌
 █ Output example:                                                            ▐▌
 █ No LSB modules are available.                                              ▐▌
 █ Distributor ID: Debian                                                     ▐▌
 █ Description: Debian GNU/Linux 7.2 (wheezy)                                 ▐▌
 █ Release: 7.2                                                               ▐▌
 █ Codename: wheezy                                                           ▐▌
 █                                                                            ▐▌
 █ To install: aptitude install lsb-release                                   ▐▌
 █ Note the package name has '-', not '_'.                                    ▐▌
 █                                                                            ▐▌
 █                          ___________..___________                          ▐▌
 █                                                                            ▐▌
 █ MISC COMMANDS:                                                             ▐▌
 █ ``````````````                                                             ▐▌
 █ Just a few that I always seem to forget-                                   ▐▌
 █ ERRORS WHEN DOING AN UPGRADE:                                              ▐▌
 █ If you receive errors like this when doing an upgrade or installing a      ▐▌
 █ package:                                                                   ▐▌
 █ dpkg: warning: parsing file '/var/lib/dpkg/available' near line 52298      ▐▌
 █ package 'am-utils':                                                        ▐▌
 █  'Replaces' field, reference to 'amd': error in version: version number    ▐▌
 █  does not start with digit                                                 ▐▌
 █ Try this to clean it up / fix it:                                          ▐▌
 █ su                                                                         ▐▌
 █ dpkg --clear-avail                                                         ▐▌
 █ aptitude update                                                            ▐▌
 █ If you still receive the same type of errors try this.                     ▐▌
 █                                                                            ▐▌
 █ VIEW ALL OUTPUT AND REDIRECT IT TO A FILE:                                 ▐▌
 █ During upgrades sometimes I like to save the output to a file, for         ▐▌
 █ example:                                                                   ▐▌
 █ ls -al > output.txt                                                        ▐▌
 █ To append the output to the file instead of overwriting it:                ▐▌
 █ Example: who >> output.txt                                                 ▐▌
 █ View results: cat output.txt                                               ▐▌
 █                                                                            ▐▌
 █ To save the output AND view it on my terminal:                             ▐▌
 █ ls -al | tee output.txt                                                    ▐▌
 █ To append using tee:                                                       ▐▌
 █ who | tee -a output.txt                                                    ▐▌
 █ View results: cat output.txt                                               ▐▌
 █                                                                            ▐▌
 █ To View And Copy All Of The Terminal Output To A File On Your Local Box    ▐▌
 █ During An SSH Session:                                                     ▐▌
 █ Most SSH software has an option for doing that. For example SecureCRT,     ▐▌
 █ before you are connected to a site: Connect button, then right click on    ▐▌
 █ the site you want, select Properties/Options/Terminal/Log File/Browse to   ▐▌
 █ the location to save it, select Start log upon connect, Append to file.    ▐▌
 █ Connect to the site and it will log everything in your terminal.           ▐▌
 █                                                                            ▐▌
 █ PuTTY and KiTTY: Session/Logging                                           ▐▌
 █                                                                            ▐▌
 █ MONITOR LIVE RESOURCE USAGE:                                               ▐▌
 █ Monitor live resource usage by a user, for example user root:              ▐▌
 █ top -u root                                                                ▐▌
 █ q (to quit)                                                                ▐▌
 █ Good examples HERE for top.                                                ▐▌
 █                                                                            ▐▌
 █ NTOP - DISPLAY TOP NETWORK USERS:                                          ▐▌
 █ Display the top network users; the ntop man page is HERE.                  ▐▌
 █ ntop                                                                       ▐▌
 █                                                                            ▐▌
 █ Find files by modification date (more on find here):                       ▐▌
 █ find /path -iname "*.txt" -mtime -2 -print >> find_results                 ▐▌
 █ Sort by date:                                                              ▐▌
 █ ls -alt                                                                    ▐▌
 █                                                                            ▐▌
 █ //----------------------------------------------------------------------   ▐▌
 █                                                                            ▐▌
 █ If you find mistakes, have suggestions, and/or questions please post at    ▐▌
 █ mewbies forum HERE - thank you.                                            ▐▌
 █                                                                            ▐▌
 █ Last update on 06 Dec '13                                                  ▐▌
 █                                                                            ▐▌
 █▌                                                                           █▌
  █▌                             - mewbies.com -                              █▌
  █▌                                                                          █▌
   ██▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄██