What is Lemonstand
If you have ever trawled the interwebs for a half decent ecommerce solution, chances are you have encountered PHP based solutions like Magento, OSCommerce, OpenCart etc. These are quite well established players, but a recent addition to the gang has really impressed us and a bunch of other like-minded people too. Lemonstand feels lightweight yet powerful, the core covers the shop fundamentals very well and it is supported by a growing community. Check out the video.
This is the first part in a multi-part post that will hopefully finish up with a production-ready virtual machine running Lemonstand for your online store.
Ubuntu and VMWare Fusion
First things first, you have to run up a new virtual machine. Eventually you will do this with some cloud provider (OrionVM, RackSpace etc) but for development or for testing your configuration a local VM is all you need. Note that there are alternatives to VMware; in this case you could just as well use the excellent VirtualBox from Sun/Oracle http://www.virtualbox.org.
After Ubuntu is installed in Fusion
Depending on what route you took installing Ubuntu on a local VM (simple or manual) there's a chance SSH might not be installed. If that is the case, just work directly in the console for now. The first thing you need to do is log in with the username and password you configured.
Keyboard
I had to reset the keyboard as command repeat didn’t work on Fusion/Ubuntu 10.04.
Type the following and accept the defaults.
sudo dpkg-reconfigure console-setup
Passwords
Reset your password if you are logging in as root or if you accepted a default password during the install.
passwd
You can also change another user's password by appending their username to the command.
passwd devuser
Even though we won’t be allowing root to login via SSH, we want to make sure it has a strong password.
Type this command and enter your new strong password twice.
sudo passwd root
Remove non-essential accounts from /etc/passwd; you likely don’t require games, news, list, irc or gnats.
Shell
Also set the shell of the remaining system users to /bin/false.
You could also change the shell like this (for the user ‘list’):
chsh -s /usr/sbin/nologin list
Verify No Accounts Have Empty Passwords
sudo awk -F: '($2 == "") {print}' /etc/shadow
Lock any account that turns up with an empty password (replace account_name with the account shown).
sudo passwd -l account_name
Make Sure No Non-Root Accounts Have UID Set To 0
sudo awk -F: '($3 == "0") {print}' /etc/passwd
You should see a single line like this:
root:x:0:0:root:/root:/bin/bash
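The three account checks above (empty password hashes, extra UID 0 accounts, leftover system accounts with a real login shell) as one audit script. This is an added example, not from the original post; it takes file paths as parameters so it can be run against copies of /etc/passwd and /etc/shadow, and the sample files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a passwd/shadow pair for the three things checked above: empty
# password hashes, accounts other than root with UID 0, and the
# non-essential system accounts that still have a real login shell.
# File paths are parameters so it runs against copies or fixtures.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    findings=0
    # 1. Empty password field (field 2 of shadow): login needs no password.
    for u in $(awk -F: '$2 == "" { print $1 }' "$shadow_file"); do
        echo "EMPTY-PASSWORD $u"
        findings=$((findings + 1))
    done
    # 2. Any account other than root whose UID (field 3 of passwd) is 0.
    for u in $(awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$passwd_file"); do
        echo "EXTRA-UID0 $u"
        findings=$((findings + 1))
    done
    # 3. Accounts the post says to remove, if they still have a usable shell.
    for u in games news list irc gnats; do
        login_shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$passwd_file")
        case "$login_shell" in
            ""|/bin/false|/usr/sbin/nologin) ;;      # absent or already disabled
            *) echo "LOGIN-SHELL $u $login_shell"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]     # exit status 1 when anything was reported
}
# Constructed sample files (not from a real system) to demonstrate the audit.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
devuser:x:1000:1000:Dev User:/home/devuser:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructed$notarealhash:18000:0:99999:7:::
devuser::18000:0:99999:7:::
games:*:18000:0:99999:7:::
list:*:18000:0:99999:7:::
toor:$6$constructed$notarealhash:18000:0:99999:7:::
EOF
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "audit: findings above need attention"
```

On a real host run it as root against /etc/passwd and /etc/shadow (shadow is not world-readable); each reported line maps to one of the fixes in this section.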
Timezone
Set the correct timezone for your location.
sudo dpkg-reconfigure tzdata
or
echo "Australia/Adelaide" | sudo tee /etc/timezone
sudo dpkg-reconfigure --frontend noninteractive tzdata
Hostname and hosts file
Set the correct hostname by editing the “hostname” file.
sudoedit /etc/hostname
Check the hosts file too, as depending on how you installed the OS the default entry can still say “ubuntu”.
You should have a line that contains your IP address and then your long hostname separated by a space then your hostname on its own.
Running “hostname -f” should return the long version.
sudoedit /etc/hosts
…
127.0.0.1 localhost
172.16.16.10 cortina.example.com cortina
Configure admin group
Check that you're part of the admin group.
cat /etc/group
or
grep devuser /etc/group
You should see a line like this (the number 109 may differ); it means the user ‘devuser’ is a member of the admin group.
admin:x:109:devuser
If the admin group doesn’t exist or you're not a member of it, follow these steps.
sudo groupadd admin
sudo usermod -a -G admin devuser
Configure sudo
Edit the sudo configuration
sudo /usr/sbin/visudo
Check that the admin group has full sudo privileges, add this line if it doesn’t exist.
%admin ALL=(ALL) ALL
Restrict access to /bin/su to admin group members
sudo dpkg-statoverride --update --add root admin 4750 /bin/su
Secure shared memory
/dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.
sudo nano /etc/fstab
Add this line
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
Remount /dev/shm or reboot
sudo mount -o remount /dev/shm
Setup SSH server
Install SSH server & client
sudo apt-get install openssh-client
sudo apt-get install openssh-server
Back up the original config file and make the copy read-only.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
sudo chmod a-w /etc/ssh/sshd_config.orig
Edit SSH server config file and make the following changes:
sudoedit /etc/ssh/sshd_config
Disable root login but allow forced commands
PermitRootLogin forced-commands-only
Reduce the login grace time
LoginGraceTime 20
The SSH daemon will allow a message to be displayed to users attempting to log in to the SSH server. To enable login messages, remove the pound sign from this line:
Banner /etc/issue.net
Hide “Ubuntu” from the OpenSSH headers
DebianBanner no
Add line for allowed users
AllowUsers devuser
Update the login warning in the file “/etc/issue.net”
sudoedit /etc/issue.net
Restart SSH
sudo /etc/init.d/ssh restart
You can now log in to the server using PuTTY on Windows or the built-in SSH client on OS X and Linux.
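A check for the sshd_config directives set in this section, to run before restarting SSH. This is an added example, not from the original post; it reads a config file given as a parameter (so it works on a copy), and the two config fragments it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Check an sshd_config for the directives this section sets, before
# restarting sshd. sshd honours the FIRST uncommented occurrence of a
# directive, so that is what sshd_directive returns (keyword match is
# case-insensitive, like sshd). Paths are parameters so it can run on a copy.
sshd_directive() {      # $1 = config file, $2 = directive; prints its value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}
check_sshd_config() {   # $1 = config file; prints problems, returns 1 if any
    cfg=$1; problems=0
    v=$(sshd_directive "$cfg" PermitRootLogin)
    case "${v:-yes}" in                  # OpenSSH's own default is "yes"
        no|forced-commands-only) ;;
        *) echo "PermitRootLogin is '${v:-unset}'"; problems=$((problems + 1)) ;;
    esac
    grace=$(sshd_directive "$cfg" LoginGraceTime)
    if [ "${grace:-120}" -gt 20 ]; then   # default is 120 seconds (numeric form only)
        echo "LoginGraceTime is ${grace:-unset}"; problems=$((problems + 1))
    fi
    users=$(sshd_directive "$cfg" AllowUsers)
    if [ -z "$users" ]; then
        echo "AllowUsers is unset (every account can try to log in)"; problems=$((problems + 1))
    fi
    if [ "$(sshd_directive "$cfg" DebianBanner)" != "no" ]; then
        echo "DebianBanner still advertises the distribution"; problems=$((problems + 1))
    fi
    case "$(sshd_directive "$cfg" Banner)" in
        ""|none) echo "Banner is not set"; problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}
# Constructed config fragments (not from a real host) to demonstrate the check.
HARDENED=$(mktemp); DEFAULTISH=$(mktemp)
cat > "$HARDENED" <<'EOF'
#PermitRootLogin yes
PermitRootLogin forced-commands-only
LoginGraceTime 20
Banner /etc/issue.net
DebianBanner no
AllowUsers devuser
EOF
printf 'PermitRootLogin yes\nLoginGraceTime 120\n#Banner none\n' > "$DEFAULTISH"
check_sshd_config "$HARDENED" && echo "hardened config: ok"
check_sshd_config "$DEFAULTISH" || echo "default-ish config: fix before restarting"
# On the host, validate the syntax too and keep your current session open:
#   sudo sshd -t && sudo /etc/init.d/ssh restart
```

Make sure the AllowUsers line includes the account you are currently logged in as, otherwise the restart locks you out of SSH.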
Harden TCP/IP Stack
Some of these will be set by default anyway but it doesn’t hurt to check.
These commands only change the running kernel's values; to make them persist, put the same settings in the following file:
sudoedit /etc/sysctl.conf
Disable ICMP broadcast echo activity.
sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Disable ICMP routing redirects. Otherwise, your system could have its routing table misadjusted by an attacker.
sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
sudo sysctl -w net.ipv4.conf.all.send_redirects=0
Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts.
sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
sudo sysctl -w net.ipv4.conf.all.forwarding=0
Enable reverse path filtering (source address validation), also called ingress filtering.
sudo sysctl -w net.ipv4.conf.all.rp_filter=1
Log and drop “Martian” packets.
sudo sysctl -w net.ipv4.conf.all.log_martians=1
Make sure address space randomization (ASLR) is on. A value of 1 randomizes the stack, mmap and VDSO addresses; the kernel default since 2.6.26 is 2, which also randomizes the heap, so check the existing value with “sysctl kernel.randomize_va_space” first and don't lower it.
sudo sysctl -w kernel.randomize_va_space=1
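The settings from this section as one persistent sysctl file, plus a drift check that compares it against the running kernel. This is an added example, not from the original post; the file name /etc/sysctl.d/60-hardening.conf is my choice, the check takes the /proc/sys root as a parameter so it can be exercised on a constructed tree, and I use 2 for kernel.randomize_va_space (the kernel default) where the post uses 1.

```shell
#!/bin/sh
# Persist the sysctl settings from this section in one file and check the
# running kernel against it. check_sysctl maps each key to its /proc/sys
# path (dots become slashes) and reports DRIFT or MISSING lines; the
# root directory is a parameter so it can be exercised on a constructed
# tree without root, and defaults to /proc/sys on a real host.
write_sysctl_conf() {   # $1 = destination, e.g. /etc/sysctl.d/60-hardening.conf
    cat > "$1" <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
# 2 is the kernel default and also randomises the heap (brk); the post uses 1
kernel.randomize_va_space = 2
EOF
}
check_sysctl() {        # $1 = conf file, $2 = sysctl root (default /proc/sys)
    conf=$1; root=${2:-/proc/sys}
    # drop comments/blank lines, normalise "key = value" to "key value"
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/ /' "$conf" |
    while read -r key want; do
        [ -n "$key" ] || continue
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ ! -r "$path" ]; then echo "MISSING $key"; continue; fi
        have=$(cat "$path")
        [ "$have" = "$want" ] || echo "DRIFT $key want=$want have=$have"
    done | grep . && return 1      # any report line means not compliant
    return 0
}
# Constructed demonstration: a fake /proc/sys tree holding the desired values,
# then two of them deliberately broken so both report types appear.
CONF=$(mktemp); FAKE_SYS=$(mktemp -d)
write_sysctl_conf "$CONF"
sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/ /' "$CONF" | while read -r key val; do
    [ -n "$key" ] || continue
    p="$FAKE_SYS/$(printf '%s' "$key" | tr '.' '/')"
    mkdir -p "$(dirname "$p")" && echo "$val" > "$p"
done
echo 1 > "$FAKE_SYS/net/ipv4/conf/all/accept_redirects"   # drifted value
rm "$FAKE_SYS/kernel/randomize_va_space"                   # key not present
check_sysctl "$CONF" "$FAKE_SYS" || echo "sysctl: not compliant (see above)"
# On the host: sudo sysctl -p /etc/sysctl.d/60-hardening.conf, then check_sysctl on that file
```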
Setup NTP
Install NTP support
sudo apt-get install ntp
Change the contents of /etc/ntp.conf to include these additional server lines. Use a different pool if you are not in Australia.
server 0.au.pool.ntp.org
server 1.au.pool.ntp.org
server 2.au.pool.ntp.org
server 3.au.pool.ntp.org
Restart ntp process
sudo /etc/init.d/ntp restart
You can check the status of peers by running
/usr/bin/ntpq -np
File security
Check for world-writable directories without the sticky bit (anyone can create or delete files in them) and investigate.
sudo find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Find any files whose owner or group no longer exists.
sudo find / -xdev \( -nouser -o -nogroup \) -print
Enable and configure firewall
UFW is Ubuntu’s “uncomplicated firewall”; it just simplifies the setup of iptables rules.
Install UFW and set the default mode to deny.
sudo apt-get install ufw
sudo ufw default deny
Allow SSH, HTTP, HTTPS
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
Enable UFW
sudo ufw enable
Switch on logging.
sudo ufw logging on
By default, UFW allows ping requests. To disable them you need to edit /etc/ufw/before.rules and remove or edit the following lines, changing ‘ACCEPT’ to ‘DROP’. The echo-request line is the one that answers ping; the other ICMP types (destination-unreachable in particular) are used for path MTU discovery, so think twice before dropping those as well.
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT