R. Cybersecurity best practices and reinforcement
Disclaimer! This article is a work in progress. Please bear with me as I gather my thoughts on paper.

In the previous chapter we discussed the perils of the world wide web as discovered on my very own web server; now we will extend that chapter with the best practices for staying safe and how to reinforce them.

In the midst of this pandemic and its ever-present lockdowns, cybersecurity risks, discoveries and attacks have risen. People are staying indoors more, and so are the attackers, who are thriving and getting ever more creative in terms of automation, penetration methods and code complexity. Nobody is safe, and given the pace of technology development I don't foresee a slowdown in these malicious activities.

Just to get an idea of how bad things are and why cybersecurity is mission-critical business, I recommend that you read this report on 2020 statistics.

The most shocking one I found was this comment from the FBI: "Since the pandemic began, the FBI reported a 300% increase in reported cybercrimes."

But enough with the chit chat, let's get down to business!

After my extensive research I've reached the conclusion that the bare minimum, with the least resource consumption, is: a firewall, an antivirus and intrusion prevention software. This is on top of strong passwords and user accounts with restricted access (which I had implemented from the beginning).
- What is an antivirus?

Antivirus is software that helps protect your computer against malware and cybercriminals. Antivirus software looks at data — web pages, files, software, applications — from your device. It searches for known threats and monitors the behavior of all programs, flagging suspicious behavior. It seeks to block or remove malware as quickly as possible.

- What does antivirus software help protect us from?

The beauty of malware for hackers is its ability to gain access to or damage a computer without our knowledge. It’s important to be aware of the many different types of malicious code, or “malware,” against which antivirus software is designed to protect:
  - Spyware: stealing sensitive information
  - Ransomware: extorting money
  - Viruses
  - Worms: spreading copies between computers
  - Trojans: promising one thing but delivering another
  - Adware: advertising
  - Spam: spreading unwanted email
a. Update the package index

```console
$ sudo apt-get update
```

b. Install ClamAV

```console
$ sudo apt-get install clamav clamav-daemon
```

c. Check status

```console
$ sudo systemctl status clamav-freshclam
● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-03-14 12:32:47 CET; 20min ago
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://www.clamav.net/documents
   Main PID: 90349 (freshclam)
      Tasks: 1 (limit: 9022)
     CGroup: /system.slice/clamav-freshclam.service
             └─90349 /usr/bin/freshclam -d --foreground=true

Mar 14 12:32:47 ubuntu systemd[1]: Started ClamAV virus database updater.
Mar 14 12:32:47 ubuntu freshclam[90349]: Sun Mar 14 12:32:47 2021 -> ClamAV update process started at Sun Mar 14 12:32:47 2021
Mar 14 12:32:47 ubuntu freshclam[90349]: Sun Mar 14 12:32:47 2021 -> daily.cld database is up to date (version: 26107, sigs: 3959602, f-level: 63, builder: raynman)
Mar 14 12:32:47 ubuntu freshclam[90349]: Sun Mar 14 12:32:47 2021 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Mar 14 12:32:47 ubuntu freshclam[90349]: Sun Mar 14 12:32:47 2021 -> bytecode.cld database is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
```

d. Update the virus definition database

The freshclam service holds a lock on the database directory, so stop it first, run the update manually, then start it again.

Stop ClamAV

```console
$ sudo systemctl stop clamav-freshclam
```

Start update

```console
$ sudo freshclam
Sun Mar 14 12:56:43 2021 -> ClamAV update process started at Sun Mar 14 12:56:43 2021
Sun Mar 14 12:56:43 2021 -> daily.cld database is up to date (version: 26107, sigs: 3959602, f-level: 63, builder: raynman)
Sun Mar 14 12:56:43 2021 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sun Mar 14 12:56:43 2021 -> bytecode.cld database is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
```

Start ClamAV (note: `start`, not `stop`, otherwise the updater stays down and your signatures go stale)

```console
$ sudo systemctl start clamav-freshclam
```

e. Start scanning

On a specific directory, recursively. Be aware that `--remove` deletes every file ClamAV flags; if a false positive on a legitimate file would hurt, drop that option, review the report first and delete by hand.

```console
$ sudo clamscan --infected --remove --recursive /home/ubuntu/Desktop/
----------- SCAN SUMMARY -----------
Known viruses: 8509251
Engine version: 0.102.4
Scanned directories: 269
Scanned files: 1471
Infected files: 0
Data scanned: 55.71 MB
Data read: 33.38 MB (ratio 1.67:1)
Time: 91.890 sec (1 m 31 s)
```

Full computer scan. Run it with `sudo` (otherwise files your user cannot read are silently skipped), expect it to take a long time, and consider excluding pseudo-filesystems such as /proc and /sys with clamscan's `--exclude-dir` option.

```console
$ clamscan -r /
```
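The steps above are run by hand; the script below, added here as an example and not part of the original article, turns them into something you can run from cron or a systemd timer. It wraps the corrected stop/update/start sequence, runs a report-only scan (no `--remove`, so a false positive cannot delete a legitimate file), parses the SCAN SUMMARY shown above and writes the verdict to syslog with `logger`. It assumes the Ubuntu service and binary names used in this section; the sample summary at the bottom is constructed so that the parser can be exercised on a machine without ClamAV.

```shell
#!/bin/sh
# Added example, not from the original article: scheduled ClamAV check.
# Assumes Ubuntu's clamav-freshclam service and the clamscan/freshclam binaries.

# Stop the updater daemon (it locks the database directory), update, START it again.
freshclam_update() {
    sudo systemctl stop clamav-freshclam &&
    sudo freshclam &&
    sudo systemctl start clamav-freshclam
}

# Read a clamscan SCAN SUMMARY on stdin and print one key=value pair per line.
# Other lines are ignored; a missing "Infected files" line yields infected=-1.
parse_summary() {
    awk -F': *' '
        /^Known viruses:/  { printf "signatures=%s\n", $2 }
        /^Engine version:/ { printf "engine=%s\n", $2 }
        /^Scanned files:/  { printf "scanned=%s\n", $2 }
        /^Infected files:/ { printf "infected=%s\n", $2; seen = 1 }
        END { if (!seen) print "infected=-1" }'
}

# Print only the infected count (-1 if the summary was not recognised).
infected_count() {
    parse_summary | sed -n 's/^infected=//p'
}

# Scan a directory recursively (report only) and log the result.
# Exit status: 0 clean, 1 infections found, 2 scan failed or summary unparsable.
scan_dir() {
    dir=$1
    out=$(sudo clamscan --infected --recursive "$dir" 2>&1)
    rc=$?
    count=$(printf '%s\n' "$out" | infected_count)
    case "$count" in
        ''|-1)
            logger -t clamav-check "scan of $dir failed (clamscan rc=$rc)"
            return 2 ;;
        0)
            logger -t clamav-check "scan of $dir clean"
            return 0 ;;
        *)
            logger -t clamav-check "scan of $dir found $count infected file(s)"
            # clamscan prints one "<path>: <signature> FOUND" line per hit
            printf '%s\n' "$out" | grep ' FOUND$' | logger -t clamav-check
            return 1 ;;
    esac
}

# Constructed sample with the same layout as the real summary, for offline testing.
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 8509251
Engine version: 0.102.4
Scanned directories: 269
Scanned files: 1471
Infected files: 0
Data scanned: 55.71 MB
Data read: 33.38 MB (ratio 1.67:1)
Time: 91.890 sec (1 m 31 s)'

# Demonstrate the parser on the sample; a real run is: freshclam_update && scan_dir /home
printf '%s\n' "$SAMPLE_SUMMARY" | parse_summary
```

The key=value lines are easy to ship to whatever log pipeline you already have, and the three distinct exit codes let a timer or monitoring job tell "clean" apart from "the scan never ran", which a plain cron entry of `clamscan -r /` does not.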
- What is a firewall?

Cisco: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years.
They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.
A firewall can be hardware, software, or both.

I'm not going to go into details, as there are tons of articles online about what firewalls are and how they can help you. What I am going to mention is that you can also use a firewall to restrict access to certain IPs, routes or people, and that is exactly what I did.

UFW is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community, and even installed by default in a lot of distros. As such, it’s a great way to get started securing your server.
a. Installing UFW

```console
$ sudo apt-get install ufw
```

b. Enable UFW

UFW's default policy denies incoming traffic, so if you administer the server over SSH, add the SSH allow rule from step d before enabling, or your session is the first thing that gets blocked.

```console
$ sudo ufw enable
```

c. Check status

```console
$ sudo ufw status
```

d. Adding rules

I only want rules that allow traffic to Apache (from anywhere) and SSH from my internal IP address.

```console
$ sudo ufw allow 'Apache'
$ sudo ufw allow from 192.168.1.21 to any port 22 proto tcp
```

e. Verifying your configuration

```console
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache                     ALLOW       Anywhere
Anywhere                   ALLOW       192.168.1.21
22/tcp                     ALLOW       192.168.1.21
Apache (v6)                ALLOW       Anywhere (v6)
```
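Reading the status table by eye works for four rules; once the list grows, a script that checks the rule set against the intent ("Apache open to everyone, SSH only from my admin host") is more reliable. The one below is an added example, not part of the original article: it parses the `ufw status` table layout shown above, strips the `(v6)` suffix so IPv6 rules are judged the same way, accepts the verbose `ALLOW IN` form, and distinguishes "SSH open to another source" from "no SSH rule at all" (which, with the default deny policy, means you are locked out). `ADMIN_IP` defaults to the address used in this section and the sample table is constructed from the output above.

```shell
#!/bin/sh
# Added example, not from the original article: check a UFW rule set against intent.
# Assumes the "ufw status" table layout on Ubuntu. ADMIN_IP is the article's example
# address; override it from the environment for your own host.

ADMIN_IP=${ADMIN_IP:-192.168.1.21}

# Is the firewall enabled at all? "ufw status" prints "Status: inactive" otherwise.
firewall_active() {
    grep -q '^Status: active'
}

# Print the From column of every ALLOW rule whose To column is port 22.
# "(v6)" is stripped first so IPv6 rules match; "ALLOW IN" (verbose output)
# is accepted as well as plain "ALLOW".
ssh_sources() {
    awk '{
        gsub(/ \(v6\)/, "")
        if (($1 == "22/tcp" || $1 == "22") && $2 == "ALLOW") {
            from = ($3 == "IN") ? $4 : $3
            print from
        }
    }'
}

# Exit 0 if SSH is allowed only from ADMIN_IP, 1 if any rule opens it to another
# source (including Anywhere), 2 if there is no SSH allow rule at all.
check_ssh_rules() {
    sources=$(ssh_sources)
    [ -n "$sources" ] || return 2
    for src in $sources; do
        [ "$src" = "$ADMIN_IP" ] || return 1
    done
    return 0
}

# Constructed sample, identical in layout to the status output above.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
Apache                     ALLOW       Anywhere
Anywhere                   ALLOW       192.168.1.21
22/tcp                     ALLOW       192.168.1.21
Apache (v6)                ALLOW       Anywhere (v6)'

# Demonstrate on the sample; on a live host run: sudo ufw status | check_ssh_rules
if printf '%s\n' "$SAMPLE_STATUS" | check_ssh_rules; then
    echo "SSH reachable only from $ADMIN_IP"
else
    echo "SSH rule set needs attention"
fi
```

Run `sudo ufw status | check_ssh_rules; echo $?` after every rule change and wire the exit code into whatever you use for alerting; a `1` means someone (possibly you, with a hasty `ufw allow 22`) has opened SSH wider than intended.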
Additional resources
Quick and dirty from Digital Ocean
**Congrats, you're done!**
We have learned about the bare minimum security reinforcements that you can have on your web server. We have also learned about antiviruses, firewalls and intrusion prevention software. Finally, for each subchapter we went over the installation and configuration steps.

If you hit a problem or have feedback (which is highly welcome), please feel free to get in touch; more details are in the footer.