Automated Hardening of a Linux Web Server

Automated Hardening of a Linux Web Server

Automated Hardening of a Linux Web Server Olencin,ˇ Michal and Perhác,ˇ Ján Abstract: This article is dedicated to the de- web servers. In this paper, we are focused on sign and implementation of automated hardening the results of our recent work with the automated a Linux web server after the clean installation. The securing of the Linux webserver. We start with article deals with the analysis of the cybersecurity, focus, and scope of the configuration. Based on a brief description of the current state in the that, was made a design of an automated security area. We compare existing solutions, and analyze configuration with a detailed description. The main technological possibilities. Then, we describe the accomplishment of the work is a configuration details of the designs and our implementation. in script. The script is compared and evaluated with the final section, we evaluate our implementation. existing solutions and it achieved the best rating in security audits. We compare it with other popular solutions in the field by performing standard security audits. Index Terms: cybersecurity, Linux security, Web 2. MOTIVATION security The cybersecurity and protection of sensitive data are frequently discussed topics today. There 1. INTRODUCTION is a growing interest in this area mainly due to the increase in cyberattacks and theft of sensitive HE PAPER is oriented on designing an au- data. tomated hardening of a Linux web server T After installation of a web server, a basic con- and subsequently on implementing and evaluation figuration is used and it is necessary to configure of the designed solution. At first, a motivation it as needed. The basic server setup includes for creating this paper is specified, afterward the many security issues that need to be corrected by current state of cybersecurity is analyzed. Then an appropriate configuration for security reasons. a focus of security and analysis is specified. The The basic configurations are customized to maxi- results of the analysis are taken into account in mize support and make development easier. The proposing a design of our configuration according configuration process can be automated using to a wide range of resources. programs written in a scripting language. Creating The output of the implementation is an open- an automated configuration makes the process of source script [12], [13] of an automated config- configuration quicker and more effective. uration implemented according to the proposed Currently, there are very few solutions dealing design. Finally, an evaluation of the implemented with the automation of a Linux web server configu- configuration was performed. That evaluation con- ration in the desired complexity and with adequate sists of a functional test, a compatibility test of protection. The main goal of this work is to create the webserver configuration, and security audits of a solution on an appropriate level of protection and default and designed configurations. Also security complexity by creating an automated configuration audit by the Lynis tool was performed and also a of a Linux web server. score of existing open-source solutions measured and compared. 3. THE CURRENT STATE OF CYBERSECURITY Our recent research in the field of computer se- We have defined the current state of cyberse- curity was focused on intrusion detection systems curity by summarizing the most interesting results [10], [14], its formal description, and developing from following reports: their models [11], [15] and securing the Linux • “Cisco 2018 Annual Cybersecurity Report” by Manuscript received May 2, 2020. Cisco [3], This work was supported by the Faculty of Electrical Engineering • “Executive Summary - 2018 Internet Security and Informatics at the Technical University of Košice under contract Threat Report” by Symantec [18], No. FEI-2020-70: "Behavioral model of component systems based on coalgebras and linear logic", and by the project KEGA 011TUKE- • “Cloud Security Report” by Alert Logic [9]. 4/2020: "A development of the new semantic technologies in educat- The most interesting results e.g. occurrences ing of young IT experts". of malicious programs dedicated to various areas M. Olencinˇ (contact person) is an MSc student at the Faculty of Electrical Engineering and Informatics, Technical University of increased in the years from 2015 to 2017 as Košice, Slovakia (e-mail: [email protected]). following: J. Perhácˇ (contact person) is an assistant professor at the Faculty of Electrical Engineering and Informatics, Technical University of • cryptocurrencies by 8500%, Košice, Slovakia (e-mail: [email protected]). • IOT devices by 600%, 61 • ransomware attacks by 46%, 3.2. Existing Solutions • malware on mobile devices by 54%. There are several automated Web Linux server 3.1. Used technologies configuration solutions. Unfortunately, most so- lutions are not complex and only address the In the first step, we have analyzed the usage of configuration of the Apache web service itself, or current technologies. We have taken into account address a small configuration range. The solutions the following criteria: with the required complexity currently rarely exist. • a Linux distribution, Among the proprietary license solutions, the • a web service, Lynis Enterprise solution is available [4]. Unfortu- • database service, nately, this solution is too complex for common • programming language. needs and requires the purchase of a license, Our main goal was to create a configuration for which is a disadvantage. This solution offers se- a wide group of potential users, therefore our main curity audit, system security, vulnerability manage- criterion was the popularity of the technology. ment, ample support for Unix operating systems, Because of long-term support and the high mar- macOS and many more. ket share, we have chosen an Ubuntu Server as Among the open-source solutions, the the supported distribution. Version Ubuntu Server “JShielder” [17] and the “Ubuntu hardening” 16.04.5 64-bit has been chosen, because of its [16] solutions are available. Both solutions are stability. Ubuntu has 37:8% market share alto- not overwriting existing configurations and do gether. If the Debian distribution had been added not use the latest versions of services. Ubuntu as a supported distribution, the solution would hardening solution also includes a smaller range have covered 61:1% of the whole market. of configurations compared to the JShielder We have chosen an Apache webserver as a solution. support web server, because of its 45:5% market Each of the mentioned solutions is implemented share in its latest version Apache 2.4. The choice as a bash script. of the Nginx as a supported web server was also While analyzing existing solutions, deficiencies taken into account, but based on the balance have been identified that proposed solution seeks between quantity and quality, Apache won. Both to eliminate. The proposed solution compared to are comparable in performance, flexibility, and existing solutions includes: reliability [7]. If the Nginx web server had been added as a support web server, the solution would • configuration backup, • use of the latest versions of services, have covered 3⁄4 of the market share. As the support database service, MariaDB • it overwrites existing configurations, was chosen in its latest version of a database with open-source availability, with the required server, specifically MariaDB 10.3. The selec- complexity and configuration range for basic tions of MySQL and PostgreSQL as the support needs. database server were also taken into account. PostgreSQL is robust, has a complex configu- 4. DESIGN OF OUR SOLUTION ration, but is less powerful compared to others. The design of our solution is proposed accord- MariaDB is a fork of MySQL, which is 5% more ing to the CIS Ubuntu Linux 16.04 LTS Benchmark powerful [6] than MySQL. Also, its popularity tends [1], the CIS Distribution Independent Linux Bench- to increase. But both, MySQL and PostgreSQL, mark [5], the CIS Apache HTTP Server 2.4 Bench- are efficient and reliable database services and mark [2], the book “Practical Apache, PHP-FPM their support could be added in the future. & Nginx Reverse Proxy: How to Build a Secure, PHP was chosen as the support programming Fast and Powerful Webserver from scratch” [8], language in the latest version, because of its the configuration instructions from the non-profit dominance on the market with 78:9%. organization Mozilla, the proposed Lynis configu- Results are summarized in the table 1 “Result ration, the proposed Tiger configuration and the of selected security focus” covering a wide range recommended set of rules for security2 module of usability. from the non-profit organization OWASP. TABLE 1: Result of selected security focus The design is targeted to achieve the highest possible security for common web servers and Scope Focus includes: Linux distribution Ubuntu Server • Installation and hardening of the Apache 16.04.5 64-bit web server and also security2, SSL, evasive, Web service Apache 2.4 headers, include, http2 and reqtimeout mod- Database service MariaDB 10.3 ules. Programming language PHP 7.2 • Installation and hardening of the MariaDB database server. 62 • Installation and hardening of the PHP pro- the port. The MariaDB database server does not gramming language. require complex hardening configuration in gen- • Installation and hardening of the OpenSSH eral. server. The table 4 presents our configuration of the • Security configuration of an operation system: MariaDB in detail. – Hardening of directory

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us