Installing Lemonstand on Ubuntu Part 2

Logwatch without an MTA like Postfix

Logwatch is a log analysis tool for Linux-based servers. The general idea is that it parses your log files for patterns you configure and emails you a report when something suspicious turns up.

By default Logwatch will install the Postfix MTA, which is a little more heavy duty than I want on a web server; I would rather use a service like Mailgun as a smarthost. This means all outgoing email from your app is routed through Mailgun, giving you an easy way to view logs and data on opens, bounces and so on. We will configure the MTA so that it only accepts mail from localhost, does not deliver anything locally and certainly can’t be used as a relay by a third party. To do this we will install and configure Exim as a simple relay.

These steps have only been tested with Ubuntu 12.04.

Install Exim

aptitude install exim4-daemon-light mailutils

Configure Exim

dpkg-reconfigure exim4-config

You’ll be presented with a welcome screen, followed by a screen asking what type of mail delivery you’d like to support. Choose the option for “mail sent by smarthost; no local mail” and select “Ok” to continue.

Enter your system’s FQDN (fully qualified domain name) in the “mail name” configuration screen.

Enter “127.0.0.1” when asked which IP address to listen on for SMTP connections. The ::1 is for IPv6, so you may not need it. Listening only on the loopback addresses is what stops other hosts from reaching the relay at all.

List your FQDN, hostname, and localhost entries when you’re asked which destinations mail should be accepted for.

Since we are hiding the local mail name we must specify the domain name for local users.

Specify the smart host we are sending through.

As the server is not on a dial-up account we select No to keeping DNS queries minimal.

Don’t split configuration files.

We will authenticate to the Mailgun SMTP servers, so we need to add those details to “passwd.client”. Instead of the asterisk we could add the hostname of the SMTP server. This file holds the credentials in clear text, so leave it with the permissions the package gives it (readable only by root and the Debian-exim group).

sudo nano /etc/exim4/passwd.client

Add a line like this.

*:postmaster@mydomain.mailgun.org:password

Generate the certificate for Exim to use by running this and answering the prompts. This is so we can configure the server for TLS.

sudo /usr/share/doc/exim4-base/examples/exim-gencert

Create the following file so we can enable TLS.

sudo touch /etc/exim4/exim4.conf.localmacros
sudo nano /etc/exim4/exim4.conf.localmacros

Add this line to the “localmacros” file.

MAIN_TLS_ENABLE = 1

Then restart Exim.

sudo /etc/init.d/exim4 restart

Test your configuration

Send a test message, then check the Exim log to confirm it was handed off to the smarthost.

echo "This is a test." | mail -s Testing someone@example.com
sudo cat /var/log/exim4/mainlog

Install Logwatch

To see what packages Logwatch depends on we can run the following.

aptitude show logwatch

Notice how in the “Depends” line it says “Depends: perl, postfix | mail-transport-agent”.

Because exim4-daemon-light provides mail-transport-agent, installing Logwatch won’t pull in Postfix as a dependency.

Install Logwatch and edit its config. Note that the file under /usr/share is the package default and is overwritten on upgrade; the same settings can go in /etc/logwatch/conf/logwatch.conf, which overrides it.

sudo aptitude install logwatch
sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Update the config with these values.

Output = mail
Format = html
Mailto = someone@example.com
MailFrom = server@example.com
Range = Yesterday
Detail = Med

Detail accepts Low, Med, High or a number (4 or Med gets you the long kernel messages).

By default the logwatch process runs from cron.daily, which in Ubuntu 12.04 is at 06:26 AM.

Installing Lemonstand on Ubuntu Part 1

What is Lemonstand

If you have ever trawled the interwebs for a half-decent e-commerce solution, chances are you have encountered PHP-based solutions like Magento, osCommerce, OpenCart etc. These are quite well established players, but a recent addition to the gang has really impressed us and a bunch of other like-minded people too. Lemonstand feels lightweight yet powerful, the core covers the shop fundamentals very well and it is supported by a growing community. Check out the video.

Lemonstand Introduction

This is the first part in a multi-part post that will hopefully finish up with a production-ready virtual machine running Lemonstand for your online store.

Ubuntu and VMWare Fusion

First things first, you have to run up a new virtual machine. Eventually you will do this with a cloud provider (OrionVM, RackSpace etc.), but for development or for testing your configuration a local VM is all you need. Note that there are VMware alternatives; in this case you could use the excellent VirtualBox from Sun/Oracle, http://www.virtualbox.org.

After Ubuntu is installed in Fusion

Depending on what route you took with installing Ubuntu on a local VM (simple or manual) there’s a chance SSH might not be installed. If this is the case just work directly in the console for now. The first thing you need to do is log in with the username and password you configured.

Keyboard

I had to reset the keyboard as command repeat didn’t work on Fusion/Ubuntu 10.04.

Type the following and accept the defaults.

sudo dpkg-reconfigure console-setup

Passwords

Reset your password if you are logging in as root or you accepted a default password.

passwd

You can also change another user’s password by appending their username to the command.

passwd devuser

Even though we won’t be allowing root to login via SSH, we want to make sure it has a strong password.

Type this command and enter your new strong password twice.

sudo passwd root

Remove non-essential accounts from /etc/passwd; you likely don’t require games, news, list, irc or gnats.

Shell

Also set those users’ shell to /bin/false, or change it to nologin like this (for the user ‘list’):

chsh -s /usr/sbin/nologin list

Verify No Accounts Have Empty Passwords

sudo awk -F: '($2 == "") {print}' /etc/shadow

Lock all empty password accounts

passwd -l account_name

Make Sure No Non-Root Accounts Have UID Set To 0

sudo awk -F: '($3 == "0") {print}' /etc/passwd

You should see a single line like this:

root:x:0:0:root:/root:/bin/bash
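The three account checks above (empty passwords, extra UID 0 accounts, non-essential accounts that still have a usable shell) as one script. This is an added example, not from the original post; it takes file paths so it can be run against copies or constructed test data, and the non-essential account list is the post’s own.

```shell
#!/bin/bash
# Added example: audit passwd/shadow-format files for the problems the post
# checks for. Pass paths so it works on copies and test data, e.g.
#   audit_accounts /etc/passwd /etc/shadow   (needs root to read shadow)

# Accounts the post suggests removing or locking down.
NON_ESSENTIAL="games news list irc gnats"

# Accounts whose shadow password field is empty (no password required).
empty_passwords() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts other than root with UID 0, i.e. a second superuser.
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Non-essential accounts that still have a usable shell (anything other than
# /bin/false or a nologin binary).
interactive_nonessential() {
  local passwd="$1" name
  for name in $NON_ESSENTIAL; do
    awk -F: -v u="$name" \
      '$1 == u && $7 != "/bin/false" && $7 !~ /nologin$/ { print $1 }' "$passwd"
  done
}

# Run all three checks, print findings, return 0 when clean and 1 otherwise.
audit_accounts() {
  local passwd="$1" shadow="$2" rc=0 out
  out=$(empty_passwords "$shadow")
  [ -n "$out" ] && { echo "empty password: $out"; rc=1; }
  out=$(extra_uid0 "$passwd")
  [ -n "$out" ] && { echo "non-root UID 0: $out"; rc=1; }
  out=$(interactive_nonessential "$passwd")
  [ -n "$out" ] && { echo "non-essential account with a shell: $out"; rc=1; }
  return $rc
}
```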

Timezone

Set the correct timezone for your location.

dpkg-reconfigure tzdata

or

echo "Australia/Adelaide" | sudo tee /etc/timezone
sudo dpkg-reconfigure --frontend noninteractive tzdata

Hostname and hosts file

Set the correct hostname by editing the “hostname” file.

sudoedit /etc/hostname

Check the hosts file, as the default entry can sometimes be “ubuntu” depending on how you installed the OS.

You should have a line that contains your IP address, then your long hostname, separated by a space, then your short hostname on its own.

Running “hostname -f” should return the long version.

sudoedit /etc/hosts
…
127.0.0.1	localhost
172.16.16.10	cortina.example.com cortina

Configure admin group

Check that you’re part of the admin group.

cat /etc/group

or

grep devuser /etc/group

You should see a line like this (the number 109 may differ); it means the user ‘devuser’ is a member of the admin group.

admin:x:109:devuser

If the admin group doesn’t exist or you’re not a member of it, follow these steps.

sudo groupadd admin
sudo usermod -a -G admin devuser

Configure sudo

Edit the sudo configuration

sudo /usr/sbin/visudo

Check that the admin group has full sudo privileges; add this line if it doesn’t exist.

%admin ALL=(ALL) ALL

Restrict access to /bin/su to admin group members.

sudo dpkg-statoverride --update --add root admin 4750 /bin/su

Secure shared memory

/dev/shm is world-writable and can be used in an attack against a running service, such as httpd. Modify /etc/fstab to mount it noexec and nosuid so nothing can be executed from it.

sudo nano /etc/fstab

Add this line.

tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0

Remount /dev/shm or reboot.

sudo mount -o remount /dev/shm

Setup SSH server

Install SSH server & client.

sudo apt-get install openssh-client
sudo apt-get install openssh-server

Back up the original config file and make it read-only.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
sudo chmod a-w /etc/ssh/sshd_config.orig

Edit SSH server config file and make the following changes:

sudoedit /etc/ssh/sshd_config

Disable root login but allow forced commands.

PermitRootLogin forced-commands-only

Reduce the login grace time (seconds allowed to authenticate before the connection is dropped).

LoginGraceTime 20

The SSH daemon can display a message to users attempting to log in. To enable the login message, remove the pound sign from this line:

Banner /etc/issue.net

Hide “Ubuntu” from the OpenSSH version banner.

DebianBanner no

Add a line for allowed users; anyone not listed is refused, so make sure your own account is on it before you restart.

AllowUsers devuser

Update the login warning in the file “/etc/issue.net”.

sudoedit /etc/issue.net

Restart SSH.

sudo /etc/init.d/ssh restart

You can now log in to the server using PuTTY on Windows or the built-in SSH client on OS X and Linux.

Harden TCP/IP Stack

Some of these will be set by default anyway, but it doesn’t hurt to check.

These commands change the current runtime values only; to make them persist, add the same settings (as key = value lines) to the following file.

sudoedit /etc/sysctl.conf

Disable responses to ICMP broadcast echo requests.

sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

Disable ICMP routing redirects. Otherwise, your system could have its routing table misadjusted by an attacker.

sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
sudo sysctl -w net.ipv4.conf.all.send_redirects=0

Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts.

sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
sudo sysctl -w net.ipv4.conf.all.forwarding=0

Enforce source address sanity checking (reverse path filtering, a form of ingress filtering).

sudo sysctl -w net.ipv4.conf.all.rp_filter=1

Log “Martian” packets, i.e. packets with a source address that could not legitimately have arrived on that interface.

sudo sysctl -w net.ipv4.conf.all.log_martians=1

Randomize your address space (ASLR). The value 1 randomizes the stack, mmap base and VDSO; 2, the Ubuntu default, additionally randomizes the heap (brk) base.

sudo sysctl -w kernel.randomize_va_space=1
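A check for the settings in this section, as an added example that is not from the original post. It reads a file of key = value lines, so it works on the output of sysctl -a as well as on a copy of /etc/sysctl.conf, reports each key that is missing or differs from the value above, and can also print the persistent lines for sysctl.conf.

```shell
#!/bin/bash
# Added example: compare a sysctl snapshot against the hardening values from
# this section. Input is a file of "key = value" lines, so it works on the
# output of `sysctl -a` as well as on a copy of /etc/sysctl.conf:
#   sysctl -a 2>/dev/null > /tmp/sysctl.now && check_sysctl /tmp/sysctl.now

# Expected settings, one key=value per line (values as the post sets them).
EXPECTED='net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
kernel.randomize_va_space=1'

# Print the value of one key from a sysctl-style file (empty if not present).
sysctl_value() {
  awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Print "key expected=X actual=Y" for every deviation; return 1 if any.
check_sysctl() {
  local file="$1" rc=0 line key want got
  while IFS= read -r line; do
    key=${line%%=*}
    want=${line#*=}
    got=$(sysctl_value "$file" "$key")
    if [ "$got" != "$want" ]; then
      echo "$key expected=$want actual=${got:-unset}"
      rc=1
    fi
  done <<EOF
$EXPECTED
EOF
  return $rc
}

# Emit the persistent form for /etc/sysctl.conf, which the post says to edit
# but does not show.
sysctl_conf_lines() {
  printf '%s\n' "$EXPECTED" | sed 's/=/ = /'
}
```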

Setup NTP

Install NTP support

sudo apt-get install ntp

Change the contents of /etc/ntp.conf to include additional server lines. Use a different pool if not in Australia.

server 0.au.pool.ntp.org
server 1.au.pool.ntp.org
server 2.au.pool.ntp.org
server 3.au.pool.ntp.org

Restart the ntp process.

sudo /etc/init.d/ntp restart

You can check the status of peers by running

/usr/bin/ntpq -np

File security

Check for world-writable directories without the sticky bit and investigate each one (the sticky bit is what stops one user deleting another user’s files in a shared directory such as /tmp).

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Find any files not owned by any user or group.

find / -xdev \( -nouser -o -nogroup \) -print

Enable and configure firewall

UFW is Ubuntu’s “uncomplicated firewall”; it just simplifies the setup of iptables rules.

Install UFW and set the default mode to deny.

sudo apt-get install ufw
sudo ufw default deny

Allow SSH, HTTP and HTTPS (allow SSH before enabling, or you will lock yourself out of a remote machine).

sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443

Enable UFW.

sudo ufw enable

Switch on logging.

sudo ufw logging on

By default, UFW allows ping requests. To disable them you need to edit /etc/ufw/before.rules and remove or edit the following lines, changing ‘ACCEPT’ to ‘DROP’:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
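As an added example (not part of the original post), a small script that makes the ACCEPT-to-DROP change for chosen ICMP types only and leaves every other rule alone. It goes slightly beyond the post: dropping destination-unreachable, time-exceeded and parameter-problem also breaks path MTU discovery and traceroute, so the usual choice is to drop only echo-request.

```shell
#!/bin/bash
# Added example: flip the ICMP rules in a ufw before.rules file from ACCEPT to
# DROP for the given ICMP types only, leaving every other rule untouched.
# Works on whatever path you pass, so try it on a copy first:
#   cp /etc/ufw/before.rules /tmp/before.rules
#   disable_icmp /tmp/before.rules echo-request
#   diff /etc/ufw/before.rules /tmp/before.rules

# Usage: disable_icmp FILE TYPE [TYPE...]
# Only lines of the exact form
#   -A ufw-before-input -p icmp --icmp-type TYPE -j ACCEPT
# are rewritten; the file is updated in place, keeping its mode and owner.
disable_icmp() {
  local file="$1" type
  shift
  for type in "$@"; do
    sed -e "/^-A ufw-before-input -p icmp --icmp-type ${type} -j ACCEPT\$/ s/-j ACCEPT\$/-j DROP/" \
      "$file" > "$file.tmp" && cat "$file.tmp" > "$file"
    rm -f "$file.tmp"
  done
}

# Print the ICMP types the file still accepts, one per line, for a quick check.
accepted_icmp_types() {
  sed -n 's/^-A ufw-before-input -p icmp --icmp-type \([a-z-]*\) -j ACCEPT$/\1/p' "$1"
}
```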
