After trying several distros, I now want to try CentOS for a server. The cool thing about CentOS compared to Ubuntu, in my opinion, is that it is more secure by default. Linux is touted as a secure OS, but in my experience the one that is secure by default, meaning right after installation, is CentOS, because SELinux is installed straight away (CMIIW). SELinux stands for Security-Enhanced Linux.
Why did I say Ubuntu isn't secure by default? One of the things that bugs me: on Ubuntu, right after installation, the user you create automatically becomes a sudoer (CentOS and Debian don't do that), there is no SELinux or anything like it, iptables isn't active, and so on. In fact, if I'm not mistaken, on Debian sudo isn't even there by default; you have to install it first. On CentOS, right after install SELinux is already there, the firewall is active straight away, and the user you created is not in sudoers yet.
But that's how it goes: security does not scale with convenience. If we turn SELinux on, that brings its own hassle, because Apache has to be configured in all sorts of ways.
This article covers ways of securing the server that make it less convenient to set up. I won't cover some of the installs.
Adding sudoers:
Like on other Linuxes, to change sudoers you have to have sudo installed and you edit with visudo. There are 2 approaches to adding a sudoer: add the user to the wheel group, or put them on the same footing as root. IMHO it's better to just add them to wheel, unless you're really stuck :). Here's how:
become root
su -
usermod -aG wheel namauser
If you want to put a user on the same footing as root, just run visudo, copy root's authorization line and change root to the user you want as a sudoer. Actually sudo has lots of settings, so the privileges of each user you make a sudoer can be tuned further, but that's for another post.
Securing SSH
There are 3 things I always change when setting up a server:
- root is not allowed to log in
- change the ssh port (the standard is 22, change it to whatever you like)
- specify which users are allowed to ssh into the server
Change the configuration in /etc/ssh/sshd_config:
Port 22 becomes Port 2202 (or whatever you like)
PermitRootLogin yes becomes PermitRootLogin no
AllowUsers namauser1 namauser2 and so on
If SELinux is on, the configuration above is still not enough; the SELinux side of it is covered below.
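An added check for the three settings above (example code, not from the post): it reads an sshd_config the way sshd does, where the first occurrence of a keyword wins and lines under a Match block are conditional, so a later "PermitRootLogin no" does not rescue an earlier "yes". The two sample configs are constructed here.

```shell
#!/bin/sh
# Added example (not from the post): audit an sshd_config for the three
# changes described above. sshd applies the FIRST value it finds for a
# keyword and everything below the first "Match" line is conditional, so
# the audit stops scanning there. Both sample files are constructed.
tmp=$(mktemp -d)
cat > "$tmp/hardened.conf" <<'EOF'
# mirrors the edits from the post
Port 2202
PermitRootLogin no
AllowUsers namauser1 namauser2
Match User namauser1
    PermitRootLogin yes
EOF
cat > "$tmp/sloppy.conf" <<'EOF'
# the later "no" never takes effect: sshd keeps the first "yes"
PermitRootLogin yes
Port 22
PermitRootLogin no
EOF
# sshd_effective FILE KEYWORD -> prints the value sshd would actually apply
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match"       { exit }            # conditional section: stop
        /^[ \t]*(#|$)/               { next }            # comment or blank line
        tolower($1) == tolower(key)  { print $2; exit }  # first hit wins
    ' "$1"
}
# audit_sshd FILE -> exit 0 if all three rules hold, 1 otherwise (prints findings)
audit_sshd() {
    rc=0
    port=$(sshd_effective "$1" Port)
    root=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    users=$(sshd_effective "$1" AllowUsers)
    if [ -z "$port" ] || [ "$port" = "22" ]; then echo "$1: Port is still 22"; rc=1; fi
    if [ "$root" != "no" ]; then echo "$1: PermitRootLogin is not 'no'"; rc=1; fi
    if [ -z "$users" ]; then echo "$1: AllowUsers is missing"; rc=1; fi
    return $rc
}
audit_sshd "$tmp/hardened.conf" && echo "hardened.conf: OK"
audit_sshd "$tmp/sloppy.conf"   || echo "sloppy.conf: needs work"
```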
Firewall
By default the firewall on CentOS is active straight away and, if I'm not mistaken, blocks everything. To check the firewall status, use the command
systemctl status firewalld
The status will come out like this
[detanto@namaserver ~]$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-04-30 21:57:00 WIB; 5min ago
Docs: man:firewalld(1)
Main PID: 15906 (firewalld)
Tasks: 2 (limit: 26213)
Memory: 23.7M
CGroup: /system.slice/firewalld.service
└─15906 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
Apr 30 21:57:00 namaserver systemd[1]: Stopped firewalld - dynamic firewall daemon.
Apr 30 21:57:00 namaserver systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 30 21:57:00 namaserver systemd[1]: Started firewalld - dynamic firewall daemon.
When you change the ssh port as above, don't forget to allow the chosen port with the command
firewall-cmd --add-port=portnya/tcp --permanent
then restart the firewall
systemctl restart firewalld
This applies to everything, by the way; even port 80 was closed off by this damn firewall.
Install Apache
sudo yum install httpd
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Start and check
sudo systemctl start httpd
sudo systemctl status httpd
If it's running you'll see
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Thu 2020-04-30 21:55:48 WIB; 1h 2min ago
Docs: man:httpd.service(8)
Main PID: 9086 (httpd)
Status: "Total requests: 17; Idle/Busy workers 100/0;Requests/sec: 0.00454; Bytes served/sec: 186 B/sec"
Tasks: 278 (limit: 26213)
Memory: 57.0M
CGroup: /system.slice/httpd.service
├─ 9086 /usr/sbin/httpd -DFOREGROUND
├─ 9087 /usr/sbin/httpd -DFOREGROUND
├─ 9088 /usr/sbin/httpd -DFOREGROUND
├─ 9089 /usr/sbin/httpd -DFOREGROUND
├─ 9090 /usr/sbin/httpd -DFOREGROUND
└─19291 /usr/sbin/httpd -DFOREGROUND
Apr 30 21:55:48 namaserver systemd[1]: Starting The Apache HTTP Server...
Apr 30 21:55:48 namaserver systemd[1]: Started The Apache HTTP Server.
Apr 30 21:55:48 namaserver httpd[9086]: Server configured, listening on: port 80
Setting up a Virtual Host
Create the folders sites-available and sites-enabled in /etc/httpd (on Ubuntu it's /etc/apache2)
then edit httpd.conf and add
IncludeOptional sites-enabled/*.conf
Create a file for the virtual host in sites-available (here namaapp.conf, matching the link command further down), with the standard virtualhost contents
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/namaapp"
ServerName namaserver.detanto.net
ServerAlias namaserver.detanto.net
ErrorLog "logs/namaserver_error_log"
CustomLog "logs/namaserver_access_log" common
<Directory "/var/www/namaapp/">
Options Indexes FollowSymLinks
AllowOverride All
# Apache 2.4 access control (replaces the 2.2-style Order allow,deny / Allow from all)
Require all granted
</Directory>
</VirtualHost>
Create a link in the sites-enabled folder
sudo ln -s /etc/httpd/sites-available/namaapp.conf /etc/httpd/sites-enabled/namaapp.conf
Securing Apache
Directory Browsing
This one is really important, because if it's allowed, visitors can see inside our web application's folder, like this.
To disable directory browsing in our application, remove the Indexes option from the configuration in sites-available, so it becomes like this
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/namaapp"
ServerName namaserver.detanto.net
ServerAlias namaserver.detanto.net
ErrorLog "logs/namaserver_error_log"
CustomLog "logs/namaserver_access_log" common
<Directory "/var/www/namaapp/">
Options FollowSymLinks
AllowOverride All
# Apache 2.4 access control (replaces the 2.2-style Order allow,deny / Allow from all)
Require all granted
</Directory>
</VirtualHost>
ServerTokens Prod
Add this option to httpd.conf so the server's OS version isn't shown; the result looks like this:
But it still shows which web server we're using, so that has to be hidden as well.
ServerSignature Off
Add this option to httpd.conf so that disappears too.
TraceEnable Off
If this is left on, visitors could steal our site's cookie information, because Cross Site Tracing is allowed.
Hiding the PHP version
So nobody can tell which PHP version we're using, set it in php.ini. To find out which php.ini is in use:
php -i | grep "Loaded Configuration File"
Once you know where it is, edit that php.ini, look for the text expose_php (the default is On) and set it to Off. Before turning it off, if we access the site with lynx (a CLI browser), the result looks like this
[root@namaserver ~]# lynx -head -mime_header http://alamatserver
HTTP/1.1 200 OK
Date: Sat, 02 May 2020 08:54:28 GMT
Server: Apache
X-Powered-By: PHP/7.3.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: ci_session=2gm6ee0hieona2vnkq58dj7k8o2np0hm; expires=Sat, 02-May-2020 10:54:28 GMT; Max-Age=7200; path=/; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8
After turning it off, the result looks like this: the X-Powered-By header is gone
[root@namaserver ~]# lynx -head -mime_header http://alamatserver
HTTP/1.1 200 OK
Date: Sat, 02 May 2020 08:55:49 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: ci_session=4vb2vkcpdnj9u88d2d4d9509pses88f6; expires=Sat, 02-May-2020 10:55:50 GMT; Max-Age=7200; path=/; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8
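As an added example (not from the post), two small checks for the points above, using a constructed header dump and a constructed vhost snippet: header_leaks flags disclosure headers in lynx-style output, and vhost_allows_indexes parses Options lines for Indexes, including the +/- prefix forms and All.

```shell
#!/bin/sh
# Added example (not from the post). header_leaks reads a "lynx -head
# -mime_header" style dump and lists headers that reveal software (Server with
# a version/OS, X-Powered-By); vhost_allows_indexes parses Options lines,
# honouring "+Indexes", "-Indexes" and "All". All inputs are constructed.
tmp=$(mktemp -d)
cat > "$tmp/before.txt" <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.37 (centos)
X-Powered-By: PHP/7.3.17
Content-Type: text/html; charset=UTF-8
EOF
cat > "$tmp/after.txt" <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
EOF
cat > "$tmp/vhost.conf" <<'EOF'
<Directory "/var/www/namaapp/">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>
EOF
# header_leaks FILE -> prints one "leak: <header>" line per disclosing header
header_leaks() {
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')        # strip CRLF from HTTP output
        case "$line" in
            [Xx]-[Pp]owered-[Bb]y:*)        echo "leak: $line" ;;
            [Ss]erver:*/*|[Ss]erver:*\(*)   echo "leak: $line" ;;   # version or OS
        esac
    done < "$1"
}
# vhost_allows_indexes FILE -> exit 0 if any Options line enables Indexes
vhost_allows_indexes() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i); sub(/^\+/, "", t)      # "+Indexes" == "Indexes"
                if (t == "indexes" || t == "all") found = 1   # All includes Indexes
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}
header_leaks "$tmp/before.txt"                        # two leaks reported
header_leaks "$tmp/after.txt"                         # prints nothing
vhost_allows_indexes "$tmp/vhost.conf" && echo "WARNING: directory listing enabled"
```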
SELinux permissions for Apache
Check whether SELinux is installed:
[root@namaserver perawatan_app]# rpm -qa | grep selinux
libselinux-2.9-2.1.el8.x86_64
python3-libselinux-2.9-2.1.el8.x86_64
selinux-policy-3.14.3-20.el8.noarch
container-selinux-2.124.0-1.module_el8.1.0+298+41f9343a.noarch
selinux-policy-targeted-3.14.3-20.el8.noarch
libselinux-devel-2.9-2.1.el8.x86_64
libselinux-utils-2.9-2.1.el8.x86_64
rpm-plugin-selinux-4.14.2-26.el8_1.x86_64
If it comes out like that, SELinux is installed; next, check the SELinux status
[root@namaserver www]# sestatus
SELinux status: disabled
If it says that, SELinux is disabled, i.e. not active. To turn it on, edit the SELinux configuration in /etc/selinux/config. Each level is explained in the file, as in the text below
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Just set it according to our needs. Once we've turned it on, reboot the server. After that, typing sestatus shows something like this
[root@namaserver ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
For testing I recommend permissive first, so everything stays accessible but the denials show up in the log. To see the log:
grep "SELinux is preventing" /var/log/messages
The log entries will appear; here's part of them
May 1 20:55:57 namaserver platform-python[1976]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 1122.
***** Plugin bind_ports (92.2 confidence) suggests ************************
If you want to allow /usr/sbin/sshd to bind to network port 1122
Then you need to modify the port type.
Do
semanage port -a -t PORT_TYPE -p tcp 1122
where PORT_TYPE is one of the following: ssh_port_t, vnc_port_t, xserver_port_t.
***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (1.41 confidence) suggests **************************
If you believe that sshd should be allowed name_bind access on the port 1122 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'sshd' --raw | audit2allow -M my-sshd
semodule -X 300 -i my-sshd.pp
This log appears because we changed the ssh port earlier, so we have to run
semanage port -a -t ssh_port_t -p tcp 1122
setsebool -P nis_enabled 1
ausearch -c 'sshd' --raw | audit2allow -M my-sshd
semodule -X 300 -i my-sshd.pp
So in permissive mode it tells you all the steps. Say we want to look at the web side: access the website first, then look at the log again, and the result looks like this:
May 1 22:18:58 namaserver setroubleshoot[20155]: SELinux is preventing /usr/sbin/php-fpm from name_connect access on the tcp_socket port 389. For complete SELinux messages run: sealert -l f26d0490-06e1-4932-8c5b-78df5f0aa9b0
May 1 22:18:58 namaserver platform-python[20155]: SELinux is preventing /usr/sbin/php-fpm from name_connect access on the tcp_socket port 389.
***** Plugin catchall_boolean (24.7 confidence) suggests ******************
If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
Do
setsebool -P httpd_can_network_connect 1
***** Plugin catchall_boolean (24.7 confidence) suggests ******************
If you want to allow httpd to can connect ldap
Then you must tell SELinux about this by enabling the 'httpd_can_connect_ldap' boolean.
Do
setsebool -P httpd_can_connect_ldap 1
***** Plugin catchall_boolean (24.7 confidence) suggests ******************
If you want to allow authlogin to nsswitch use ldap
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
Do
setsebool -P authlogin_nsswitch_use_ldap 1
***** Plugin catchall_boolean (24.7 confidence) suggests ******************
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (3.53 confidence) suggests **************************
If you believe that php-fpm should be allowed name_connect access on the port 389 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp
So the SELinux settings have to be fixed one by one. Exhausting, right? We need to look at the list of policy booleans related to web stuff; here's how:
[root@perawatan perawatan_app]# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
Following the log above, some of them have to be opened up, namely
setsebool -P httpd_can_connect_ldap 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P authlogin_nsswitch_use_ldap 1
setsebool -P nis_enabled 1
After that, check the log again; if the settings are right, it shouldn't show up in /var/log/messages any more.
Once you're sure, set SELinux to enforcing instead of permissive, then reboot. Done.
There's still other material; I'll cover it in a later post.
Hope this helps anyone setting up CentOS or anything else. Thx!
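An added helper (not from the post) for the permissive-mode review above: it condenses the "SELinux is preventing" lines into distinct denials, since setroubleshoot and platform-python log the same denial twice. The log lines are constructed from the messages shown in this post.

```shell
#!/bin/sh
# Added example (not from the post): summarise SELinux denials from
# /var/log/messages while the box is still in permissive mode. Each denial is
# logged twice (setroubleshoot and platform-python), so a raw grep overstates
# the work left; this deduplicates and groups by process. Once the list is
# empty after exercising ssh and the web app, it is safe to switch to
# enforcing. The log lines are constructed from the post's own messages.
tmp=$(mktemp -d)
cat > "$tmp/messages" <<'EOF'
May 1 20:55:57 namaserver platform-python[1976]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 1122.
May 1 22:18:58 namaserver setroubleshoot[20155]: SELinux is preventing /usr/sbin/php-fpm from name_connect access on the tcp_socket port 389. For complete SELinux messages run: sealert -l f26d0490-06e1-4932-8c5b-78df5f0aa9b0
May 1 22:18:58 namaserver platform-python[20155]: SELinux is preventing /usr/sbin/php-fpm from name_connect access on the tcp_socket port 389.
May 1 22:18:59 namaserver sshd[2000]: Accepted publickey for namauser1 from 192.0.2.10 port 50000 ssh2
EOF
# selinux_denials FILE -> one line per distinct denial: "<process> <access> <class> <target>"
selinux_denials() {
    sed -nE 's/.*SELinux is preventing ([^ ]+) from ([^ ]+) access on the ([^ ]+) ([^.]*)\..*/\1 \2 \3 \4/p' "$1" \
        | sort -u
}
# denial_count FILE -> number of distinct denials (0 means ready for enforcing)
denial_count() {
    selinux_denials "$1" | wc -l | tr -d ' '
}
# denials_by_process FILE -> "<count> <process>" lines, busiest process first
denials_by_process() {
    selinux_denials "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}
# For the sshd line the targeted fix is labelling the port (semanage port -a
# -t ssh_port_t -p tcp 1122); booleans like nis_enabled relax policy more broadly.
selinux_denials "$tmp/messages"
echo "distinct denials: $(denial_count "$tmp/messages")"
```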