
[Help] Setting up a new Debian server to host Apache (Airtime, Icecast, Shoutcast, Steamcast), psad/portsentry, iptables, and NGINX (fail2ban)

Someone's asking for help!
Joined
Sep 9, 2021
Messages
9,672
Reaction score
5,186
Awards
32
Hi all,

I'm tasked with setting up a Debian server already connected to the internet, for a client who has had cyber enemies for over a decade, or fellow hacker friends of mine trying to screw with my head. The problem is, within five minutes count on it being hacked. I'm familiar with Ubuntu at intermediate level, but with Debian I'm wet behind the ears.

My first thoughts are:
Restrict iptables to only allow traffic from hosts.allow
Configure NGINX and Apache to do the same.
Install a good monitor.
Install portsentry/psad
Install fail2ban
Configure both of the two above
Install a script to drop any hack attempt (bash)
Audit server via bash script based on CID audit doc for Debian
Install applications and configure and test
Penetration/web server/web app test
Handoff to client when clean and stable and uptime for a month
Until then also tasked with admin support.


What is your fastest method of standing up a Debian server already connected to the internet? What instructions do you use?

Care/Thanks.
 

Viktor

Zealot
Joined
Jul 31, 2022
Messages
182
Reaction score
309
Awards
5
The problem is, within five minutes count on it being hacked.
if the system was hacked soon after being installed, then the first step is to isolate the local network.
this means going offline and reinstalling and configuring the server offline until it's ready to go online again.


Restrict iptables to only allow traffic from hosts.allow
iptables is no longer a thing, nftables is a replacement.

making a good firewall takes a lot of time; the most important thing is to ensure that inbound traffic allows only what's needed to connect to the server.
the 2nd most important thing is to have an up to date web server.

if the local network contains multiple computers you need to make sure that none of them is a zombie, because otherwise all your work is in vain no matter how well you do things.
 

Viktor

Zealot
you're welcome.
btw, cleaning up computers on the local network requires a lot of work, so the best one could suggest to you is general directions.
step by step instructions would take 20+ pages at least.

you might also want to use nmap to scan your network from the outside once all is done, to scan for holes; that's what hackers do first anyway, so you want to see what hackers see in order to fix problems and prevent them.
 
Yeah, there are two guides I'm following once everything is set up and configured: the first is an audit document from the Center for Internet Security, and the other is OWASP, which helps you pentest/audit web servers. Good advice on pen testing. Yeah, step by step would be quite a bit.
 

Viktor

Zealot
There are basically only 3 possibilities for how a system might get compromised:
1. from the outside world (from the internet through service ports)
2. from inside world (behind hardware firewall, ex. from other compromised computers on same local network)
3. from same computer (ex. call home)

for point 1:
  • you open ports on both the hardware and software firewall to allow inbound connections only to the service, ex. web server, port 80, 443
  • patch/update the service on a regular basis
  • watch out for known vulnerabilities of the installed service version, 2 well known resources are:
  • - (link not shown) (this is for apache 2.4)
  • - (link not shown) (hint: search for apache in search box)

for point 2:
  • to ensure no zombie exists you need to reinstall all systems on the local network in offline mode.
  • configure a software firewall (ex. nftables) on all local PCs to either block the local network or allow only what's needed on the LN
  • preferably you want to isolate the server from other computers on the same network if possible, because the server is no more secure than the weakest computer on the LN; the problem is that a compromised PC on the LN usually lets an attacker bypass the firewall.

for point 3:
- if the web server is used for purposes other than hosting a web site, such as surfing or installing programs for personal use, you also want to block outbound to prevent call home scenarios (ex. downloading or installing a trojan), by allowing only the programs which are used to connect to the outside.
however, it's better if the web server is used only for hosting; this way most other scenarios are eliminated
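An added example (my own, not Viktor's or the OP's) of points 1 and 3 above, and of the OP's "restrict iptables" step, written as a Debian /etc/nftables.conf: inbound is limited to the web ports plus SSH from one admin host, outbound to what the host itself needs for DNS, NTP and apt. The admin address 203.0.113.10 and the list of outbound services are assumptions; adjust them before loading with nft -f.

```nft
#!/usr/sbin/nft -f
# Constructed example ruleset for a Debian web/streaming host.
# 203.0.113.10 is a placeholder admin address (documentation range).
flush ruleset

define ADMIN_IP = 203.0.113.10
define WEB_PORTS = { 80, 443 }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-established flows.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Minimal ICMP: path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # SSH only from the admin host, rate-limited against brute force.
        ip saddr $ADMIN_IP tcp dport 22 ct state new limit rate 10/minute accept

        # Public web service (Apache/NGINX front end); Icecast/Shoutcast stay behind the reverse proxy.
        tcp dport $WEB_PORTS ct state new limit rate 200/second accept

        # Everything else is dropped by policy; log a sample for psad/fail2ban review.
        limit rate 5/minute log prefix "nft-drop-in: " level info
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Only what the host itself needs to reach: DNS, NTP, apt mirrors over HTTP/HTTPS.
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept
        tcp dport { 80, 443 } accept

        limit rate 5/minute log prefix "nft-drop-out: " level info
    }
}
```

Check it with `nft -c -f /etc/nftables.conf` before enabling nftables.service, and add outbound rules for any upstream source an Icecast/Shoutcast relay pulls from, since the default-drop output chain will otherwise block it.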
 
Thank you, I appreciate and respect your replies, very detailed and precise to the point. Thank you. Will implement your suggestions. Unfortunately the VPS (virtual private server) is internet ready when booted up or re-flashed. So I need to work smart and quick in securing a DMZ asap.
 