Setelah mencoba bbrp distro, lg mau nyobain centos buat server. Kerennya si centos ini compare to ubuntu menurut aku adalah lebih secure by default. Linux digadang2 sebagai OS yang aman, tapi kalau by default atau istilahnya abis install langsung aman sepengalamanku ya si Centos ini, krn SELinuxnya lgsg keinstall (CMIIW). SELinux adalah Security-Enhanced Linux.
Kenapa tadi dibilang ubuntu by default ga secure? Salah satunya yg ngeganjel ya : kalo ubuntu misal nih abis instalasi, user yang dibuat otomatis jadi sudoers, kalo si Centos sama Debian kaga, SELinuxnya atau semacamnya ndak ada, iptables ga aktif dsb. Malah kalau ngga salah di Debian sudoers itu nggak by default, tapi harus install dulu. Lha Centos ini abis install SELinuxnya udah ada, firewall lgsg aktif dan user yang dibuat belum masuk sudoers.
Tapi ya gitu, keamanan tidak berbanding lurus dengan kenyaman, kalau SELinux kita aktifkan, itu juga jadi keribetan sendiri, karena apachenya musti disetting2 ga karuan.
Di artikel ini akan dibahas cara2 mengamankan tapi mengakibatkan ketidaknyamanan pas setting servernya. Instal2 beberapa ga ta bahas ya.
Tambah sudoers :
seperti di linux lainnya, untuk ubah sudoers, harus install sudo, editnya pake visudo. Untuk nambah sudoers ada 2 pendekatan; usernya ditambahkan ke group wheel atau langsung sejajar dengan root. IMHO mendingan ditambahkan ke wheel aja, kecuali kepepet :). caranya :
masuk ke root
su - usermod -aG wheel namauser
Kalau lgsg bikin sejajar ya tinggal jalanin visudo dan copas otorisasi root, kemudian ganti root jadi user yang mau jadi sudoers. Sebetulnya sudo ini banyak settingnya, jadi tiap user yang dijadiin sudoers ini bisa diatur lagi privilegesnya, tapi ntar bahasan lain aja.
Securing SSH
ada 3 yang pasti ta ubah kalo setting server :
- root kaga boleh login
- ubah port ssh (standar 22, diubah terserah ke berapa)
- Menentukan user yang boleh melakukan ssh ke server
Ubah konfigurasi di /etc/ssh/sshd_config
Port 22 ke Port 2202 (atau terserah)
PermitRootLogin yes diubah ke no
AllowUsers namauser1 namauser2 dst
Kalau SELinuxnya nyala, konfigurasi di atas ini masi kurang, akan dibahas dibawah yang berhubungan sama SELinux
Firewall
secara default firewall di centos lgsg aktif dan kalo ga salah ngeblok semua. Untuk periksa status firewall, pake perintah
systemctl status firewalld
Ntar akan keluar statusnya
[detanto@namaserver ~]$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-04-30 21:57:00 WIB; 5min ago
Docs: man:firewalld(1)
Main PID: 15906 (firewalld)
Tasks: 2 (limit: 26213)
Memory: 23.7M
CGroup: /system.slice/firewalld.service
└─15906 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
Apr 30 21:57:00 namaserver systemd[1]: Stopped firewalld - dynamic firewall daemon.
Apr 30 21:57:00 namaserver systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 30 21:57:00 namaserver systemd[1]: Started firewalld - dynamic firewall daemon.
pas ngerubah port ssh yang diatas, jangan lupa allow port yang dipilih dengan perintah
firewall-cmd --add-port=portnya/tcp --permanent
trus restart firewallnya
systemctl restart firewalld
ini berlaku buat semua ya, bahkan port 80 tadi ditutup sama si firewall kampret ini
Install Apache
sudo yum install httpd sudo firewall-cmd --permanent --add-service=http sudo firewall-cmd --permanent --add-service=https sudo firewall-cmd --reload
Start dan check
sudo systemctl start httpd sudo systemctl status httpd
kalo jalan ntar muncul
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Thu 2020-04-30 21:55:48 WIB; 1h 2min ago
Docs: man:httpd.service(8)
Main PID: 9086 (httpd)
Status: "Total requests: 17; Idle/Busy workers 100/0;Requests/sec: 0.00454; Bytes served/sec: 186 B/sec"
Tasks: 278 (limit: 26213)
Memory: 57.0M
CGroup: /system.slice/httpd.service
├─ 9086 /usr/sbin/httpd -DFOREGROUND
├─ 9087 /usr/sbin/httpd -DFOREGROUND
├─ 9088 /usr/sbin/httpd -DFOREGROUND
├─ 9089 /usr/sbin/httpd -DFOREGROUND
├─ 9090 /usr/sbin/httpd -DFOREGROUND
└─19291 /usr/sbin/httpd -DFOREGROUND
Apr 30 21:55:48 namaserver systemd[1]: Starting The Apache HTTP Server...
Apr 30 21:55:48 namaserver systemd[1]: Started The Apache HTTP Server.
Apr 30 21:55:48 namaserver httpd[9086]: Server configured, listening on: port 80
Setting Virtual Host
Buat folder sites-available dan sites-enabled di folder /etc/httpd (kalo di ubuntu apache2)
trus edit httpd.conf, tambahkan
IncludeOptional sites-enabled/*.conf
buat file namavirtualhost.conf di folder sites-available, yang isinya standarlah buat virtualhost
<VirtualHost>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/namaapp"
ServerName namaserver.detanto.net
ServerAlias namaserver.detanto.net
ErrorLog "logs/namaserver_error_log"
CustomLog "logs/namaserver_access_log" common
<Directory "/var/www/namaapp/">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
buat link di folder sites-enabled
sudo ln -s /etc/httpd/sites-available/namaapp.conf /etc/httpd/sites-enabled/namaapp.conf
Securing Apache
Directory Browsing
nah untuk ini penting banget, karena kalo boleh pengunjung akan bisa melihat dalam folder aplikasi web kita, kek gini.
Untuk nge-disable directory browsing di aplikasi kita, hilangkan Option Indexes di konfigurasi sites-available, sehingga jadi kek gini
<VirtualHost>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/namaapp"
ServerName namaserver.detanto.net
ServerAlias namaserver.detanto.net
ErrorLog "logs/namaserver_error_log"
CustomLog "logs/namaserver_access_log" common
<Directory "/var/www/namaapp/">
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
ServerTokens Prod
Tambahkan opsi ini di httpd.conf, supaya gak keliatan versi OS Servernya, jadinya kek gini :
tapi tetep muncul web servernya pake apa, jadi harus dihilangkan semua
ServerSignature Off
Tambahkan opsi ini di httpd.conf, supaya ilang semua
TraceEnable Off
Kalo idup, pengunjung bisa nyolong informasi cookie web kita, karena boleh Cross Site Tracing
Sembunyiin Versi PHP
biar ga ketauan kita pake php versi berapa, bisa disetting di php.ini, untuk tau lokasi php.ini yang dipake
php -i | grep "Loaded Configuration File"
Kalo udah tau tinggal edit php.ini-nya, cari text expose_php, defaultnya on, dibikin off. Sebelum di offkan ntar kalo kita akses pake lynx (browser cli), hasilnya akan seperti ini
[root@namaserver ~]# lynx -head -mime_header http://alamatserver HTTP/1.1 200 OK Date: Sat, 02 May 2020 08:54:28 GMT Server: Apache X-Powered-By: PHP/7.3.17 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: ci_session=2gm6ee0hieona2vnkq58dj7k8o2np0hm; expires=Sat, 02-May-2020 10:54:28 GMT; Max-Age=7200; path=/; HttpOnly Connection: close Content-Type: text/html; charset=UTF-8
Setelah dioffkan, hasilnya akan kek gini, X-powerednya ilang
[root@namaserver ~]# lynx -head -mime_header http://alamatserver HTTP/1.1 200 OK Date: Sat, 02 May 2020 08:55:49 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: ci_session=4vb2vkcpdnj9u88d2d4d9509pses88f6; expires=Sat, 02-May-2020 10:55:50 GMT; Max-Age=7200; path=/; HttpOnly Connection: close Content-Type: text/html; charset=UTF-8
SELinux Permission untuk Apache
check SELinux keinstall ndak
[root@namaserver perawatan_app]# rpm -qa | grep selinux libselinux-2.9-2.1.el8.x86_64 python3-libselinux-2.9-2.1.el8.x86_64 selinux-policy-3.14.3-20.el8.noarch container-selinux-2.124.0-1.module_el8.1.0+298+41f9343a.noarch selinux-policy-targeted-3.14.3-20.el8.noarch libselinux-devel-2.9-2.1.el8.x86_64 libselinux-utils-2.9-2.1.el8.x86_64 rpm-plugin-selinux-4.14.2-26.el8_1.x86_64
Kalo keluar kek gitu, brarti SELinux udah keinstall, trus check dulu status SELinuxnya
[root@namaserver www]# sestatus SELinux status: disabled
Kalau tulisannya kek yang diatas, berarti disabled ato nggak aktif. Kalo mau aktifin, edit konfigurasi SELinuxnya yang ada di /etc/selinux/config. setiap level ada keterangannya seperti tulisan dibawah ini
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - WModification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
Tinggal kita set sesuai kebutuhan kita. Kalo udah kita idupin, trus reboot servernya. abis itu kalo kita ketik sestatus munculnya kek gini
[root@namaserver ~]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 31
Untuk testing, tak saranin permissive dulu, jadi ntar tetep bisa diakses cuman akan muncul log-nya, cara liat lognya di
cat /var/log/messages | grep "SELinux is preventing"
Ntar akan muncul lognya, tak kasi sebagian ya
May 1 20:55:57 namaserver platform-python[1976]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 1122. ***** Plugin bind_ports (92.2 confidence) suggests ************************ If you want to allow /usr/sbin/sshd to bind to network port 1122 Then you need to modify the port type. Do semanage port -a -t PORT_TYPE -p tcp 1122 where PORT_TYPE is one of the following: ssh_port_t, vnc_port_t, xserver_port_t. ***** Plugin catchall_boolean (7.83 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. Do setsebool -P nis_enabled 1 ***** Plugin catchall (1.41 confidence) suggests ************************** If you believe that sshd should be allowed name_bind access on the port 1122 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: ausearch -c 'sshd' --raw | audit2allow -M my-sshd semodule -X 300 -i my-sshd.pp
Karena port ssh tadi diubah, makanya muncul log ini, jadi kita musti jalanin
semanage port -a -t ssh_port_t -p tcp 1122 setsebool -P nis_enabled 1 ausearch -c 'sshd' --raw | audit2allow -M my-sshd semodule -X 300 -i my-sshd.pp
Jadi kalau permissive, dikasi tau semua tuh stepnya. Misal nih kita mau liat yang web, kita akses dulu webnya, trus kita liat lognya lag, akan muncul hasilnya kek gini:
May 1 22:18:58 namaserver setroubleshoot[20155]: SELinux is preventing /usr/sbin/php-fpm from name_connect access on the tcp_socket port 389. For complete SELinux messages run: sealert -l f26d0490-06e1-4932-8c5b-78df5f0aa9b0 May 1 22:18:58 namaserver platform-python[20155]: SELinux is preventing /usr/sbin/php-fpm from name_connect access on the tcp_socket port 389. ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow httpd to can network connect Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean. Do setsebool -P httpd_can_network_connect 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow httpd to can connect ldap Then you must tell SELinux about this by enabling the 'httpd_can_connect_ldap' boolean. Do setsebool -P httpd_can_connect_ldap 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow authlogin to nsswitch use ldap Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean. Do setsebool -P authlogin_nsswitch_use_ldap 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. Do setsebool -P nis_enabled 1 ***** Plugin catchall (3.53 confidence) suggests ************************** If you believe that php-fpm should be allowed name_connect access on the port 389 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm # semodule -X 300 -i my-phpfpm.pp
Jadi setting SELinuxnya musti dibenerin satu2. mati ga lo? kita musti liat daftar policy yang berhubungan sama urusan web, caranya :
[root@perawatan perawatan_app]# getsebool -a | grep httpd httpd_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_connect_ftp --> off httpd_can_connect_ldap --> off httpd_can_connect_mythtv --> off httpd_can_connect_zabbix --> off httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> off httpd_dbus_avahi --> off httpd_dbus_sssd --> off httpd_dontaudit_search_dirs --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_graceful_shutdown --> off httpd_manage_ipa --> off httpd_mod_auth_ntlm_winbind --> off httpd_mod_auth_pam --> off httpd_read_user_content --> off httpd_run_ipa --> off httpd_run_preupgrade --> off httpd_run_stickshift --> off httpd_serve_cobbler_files --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_sys_script_anon_write --> off httpd_tmp_exec --> off httpd_tty_comm --> off httpd_unified --> on httpd_use_cifs --> off httpd_use_fusefs --> off httpd_use_gpg --> off httpd_use_nfs --> off httpd_use_openstack --> off httpd_use_sasl --> off httpd_verify_dns --> off
Sesuai dengan yang di log tadi, beberapa harus kita buka; yaitu
setsebool -P httpd_can_connect_ldap 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P authlogin_nsswitch_use_ldap 1
setsebool -P nis_enabled 1
Habis itu kita liat log lagi, kalo udah bener settingnya, harusnya ga akan muncul lg di /var/log/messages
setelah yakin baru kita set SELinuxnya enforcing bukan permissive lagi, trus reboot. selesai dah
Masi ada materi lain si, ntar ta bahas lagi
semoga bisa membantu yg lg setting Centos ato yang lain, Thx!
GaRis - Gatal Riset 