Hello everyone,
Recently I started my own self-managed FreeBSD server to host one of my own websites. For certain reasons I used the DirectAdmin hosting control panel to ease up some processes for myself.
I have already done some server and SSH hardening thanks to online articles; however, when I checked my server using Lynis Audit I noticed that there are still some warnings.
I would really appreciate it if you could help me regarding this issue.
This is my audit report:
Code:
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
2018-07-16 15:00:44 cwd=/ 2 args: /usr/sbin/exim -bV
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugins enabled [ NONE ]
[+] Boot and services
------------------------------------
- Service Manager [ bsdrc ]
- Checking presence FreeBSD loader [ FOUND ]
- Checking services at startup (service/rc.conf) [ DONE ]
Result: found 25 services/options set
[+] Kernel
------------------------------------
- Checking active kernel modules
Found 3 kernel modules [ DONE ]
[+] Memory and Processes
------------------------------------
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]
[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ WARNING ]
- Unique UIDs [ WARNING ]
- Checking chkgrp tool [ FOUND ]
- Checking consistency of /etc/group file [ OK ]
- Login shells [ WARNING ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ ENABLED ]
- sudoers file [ NOT FOUND ]
- PAM password strength tools [ OK ]
- PAM configuration file (pam.conf) [ NOT FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- Determining default umask
- umask (/etc/profile and /etc/profile.d) [ OK ]
- umask (/etc/login.conf) [ WEAK ]
- LDAP authentication support [ NOT ENABLED ]
[+] Shells
------------------------------------
- Checking console TTYs [ WARNING ]
- Checking shells from /etc/shells
Result: found 3 shells (valid shells: 3).
- Session timeout settings/tools [ NONE ]
- Checking default umask values
- Checking default umask in /etc/csh.cshrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SYMLINK ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Querying FFS/UFS mount points (fstab) [ FOUND ]
- Querying ZFS mount points (mount -p) [ NONE ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ OK ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
[+] USB Devices
------------------------------------
[+] Storage
------------------------------------
[+] NFS
------------------------------------
- Query rpc registered programs [ DONE ]
- Query NFS versions [ DONE ]
- Query NFS protocols [ DONE ]
- Check running NFS daemon [ NOT FOUND ]
[+] Name services
------------------------------------
- Checking /etc/resolv.conf options [ FOUND ]
- Searching DNS domain name [ FOUND ]
Domain name: aionets
- Checking Unbound status [ RUNNING ]
- Checking configuration file [ OK ]
- Checking BIND status [ FOUND ]
- Checking BIND configuration file [ FOUND ]
- Checking BIND configuration consistency [ OK ]
- Checking BIND version in banner [ WARNING ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ OK ]
- Checking /etc/hosts (localhost) [ OK ]
- Checking /etc/hosts (localhost to IP) [ OK ]
[+] Ports and packages
------------------------------------
- Searching package managers
- Checking pkg audit to obtain vulnerable packages [ NONE ]
- Checking package audit tool [ INSTALLED ]
Found: pkg audit
[+] Networking
------------------------------------
- Checking configured nameservers
- Testing nameservers
Nameserver: 127.0.0.1 [ OK ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
* Found 44 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ RUNNING ]
[+] Printers and Spools
------------------------------------
- Integrity check of printcap file [ OK ]
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]
[+] Software: e-mail and messaging
------------------------------------
- Exim status [ RUNNING ]
- Dovecot status [ RUNNING ]
[+] Software: firewalls
------------------------------------
- Checking IPFW status [ RUNNING ]
- IPFW enabled in /etc/rc.conf [ YES ]
- Checking host based firewall [ ACTIVE ]
[+] Software: webserver
------------------------------------
- Checking Apache [ NOT FOUND ]
- Checking nginx [ FOUND ]
- Searching nginx configuration file [ FOUND ]
- Parsing configuration options
- /usr/local/etc/nginx/nginx.conf
- SSL configured [ NO ]
- Checking log file configuration
- Missing log files (access_log) [ NO ]
- Disabled access logging [ NO ]
- Missing log files (error_log) [ NO ]
- Debugging mode on error_log [ NO ]
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- SSH option: AllowTcpForwarding [ SUGGESTION ]
- SSH option: ClientAliveCountMax [ SUGGESTION ]
- SSH option: ClientAliveInterval [ OK ]
- SSH option: Compression [ SUGGESTION ]
- SSH option: FingerprintHash [ OK ]
- SSH option: GatewayPorts [ OK ]
- SSH option: IgnoreRhosts [ OK ]
- SSH option: LoginGraceTime [ OK ]
- SSH option: LogLevel [ SUGGESTION ]
- SSH option: MaxAuthTries [ SUGGESTION ]
- SSH option: MaxSessions [ SUGGESTION ]
- SSH option: PermitRootLogin [ OK ]
- SSH option: PermitUserEnvironment [ OK ]
- SSH option: PermitTunnel [ OK ]
- SSH option: Port [ SUGGESTION ]
- SSH option: PrintLastLog [ NOT FOUND ]
- SSH option: Protocol [ OK ]
- SSH option: StrictModes [ OK ]
- SSH option: TCPKeepAlive [ SUGGESTION ]
- SSH option: UseDNS [ SUGGESTION ]
- SSH option: UsePrivilegeSeparation [ OK ]
- SSH option: VerifyReverseMapping [ NOT FOUND ]
- SSH option: X11Forwarding [ SUGGESTION ]
- SSH option: AllowAgentForwarding [ SUGGESTION ]
- SSH option: AllowUsers [ FOUND ]
- SSH option: AllowGroups [ NOT FOUND ]
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]
[+] Databases
------------------------------------
- MySQL process status [ FOUND ]
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]
[+] PHP
------------------------------------
- Checking PHP [ FOUND ]
- Checking PHP disabled functions [ FOUND ]
- Checking expose_php option [ ON ]
- Checking enable_dl option [ OFF ]
- Checking allow_url_fopen option [ ON ]
- Checking allow_url_include option [ OFF ]
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]
[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ NOT FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ NOT FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking remote logging [ NOT ENABLED ]
- Checking /etc/newsyslog.conf [ FOUND ]
- Checking log directories (newsyslog.conf) [ DONE ]
- Checking log files (newsyslog.conf) [ DONE ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ DONE ]
[+] Insecure services
------------------------------------
- Checking inetd status [ NOT ACTIVE ]
- Checking inetd.conf services [ OK ]
[+] Banners and identification
------------------------------------
- /COPYRIGHT [ FOUND ]
- /etc/COPYRIGHT [ NOT FOUND ]
- /etc/issue [ NOT FOUND ]
- /etc/issue.net [ NOT FOUND ]
[+] Scheduled tasks
------------------------------------
- Checking crontab/cronjob [ DONE ]
[+] Accounting
------------------------------------
- Checking accounting information [ NOT FOUND ]
[+] Time and Synchronization
------------------------------------
- NTP daemon found: ntpd [ FOUND ]
- Checking for a running NTP daemon or client [ OK ]
- Checking valid association ID's [ FOUND ]
- Checking high stratum ntp peers [ OK ]
- Checking unreliable ntp peers [ NONE ]
- Checking selected time source [ OK ]
- Checking time source candidates [ OK ]
- Checking falsetickers [ OK ]
[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/3] [ NONE ]
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ NOT FOUND ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ NONE ]
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- mtree [ FOUND ]
- Checking presence integrity tool [ FOUND ]
[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NOT FOUND ]
- Checking for IDS/IPS tooling [ NONE ]
[+] Software: Malware
------------------------------------
- Checking ClamAV scanner [ FOUND ]
- Checking ClamAV daemon [ FOUND ]
- Checking freshclam [ FOUND ]
[+] File Permissions
------------------------------------
- Starting file permissions check
/root/.ssh [ OK ]
[+] Home directories
------------------------------------
- Checking shell history files [ OK ]
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- hw.kbd.keymap_restrict_change (exp: 4) [ DIFFERENT ]
- kern.sugid_coredump (exp: 0) [ OK ]
- net.inet.icmp.bmcastecho (exp: 0) [ OK ]
- net.inet.icmp.drop_redirect (exp: 1) [ DIFFERENT ]
- net.inet.ip.accept_sourceroute (exp: 0) [ OK ]
- net.inet.ip.check_interface (exp: 1) [ DIFFERENT ]
- net.inet.ip.forwarding (exp: 0) [ OK ]
- net.inet.ip.process_options (exp: 0) [ DIFFERENT ]
- net.inet.ip.random_id (exp: 1) [ DIFFERENT ]
- net.inet.ip.redirect (exp: 0) [ DIFFERENT ]
- net.inet.ip.sourceroute (exp: 0) [ OK ]
- net.inet.tcp.always_keepalive (exp: 0) [ DIFFERENT ]
- net.inet.tcp.blackhole (exp: 2) [ DIFFERENT ]
- net.inet.tcp.drop_synfin (exp: 1) [ DIFFERENT ]
- net.inet.tcp.icmp_may_rst (exp: 0) [ DIFFERENT ]
- net.inet.tcp.nolocaltimewait (exp: 1) [ DIFFERENT ]
- net.inet.tcp.path_mtu_discovery (exp: 0) [ DIFFERENT ]
- net.inet.udp.blackhole (exp: 1) [ DIFFERENT ]
- net.inet6.icmp6.rediraccept (exp: 0) [ DIFFERENT ]
- net.inet6.ip6.forwarding (exp: 0) [ OK ]
- net.inet6.ip6.fw.enable (exp: 1) [ OK ]
- net.inet6.ip6.redirect (exp: 0) [ DIFFERENT ]
- security.bsd.hardlink_check_gid (exp: 1) [ DIFFERENT ]
- security.bsd.hardlink_check_uid (exp: 1) [ DIFFERENT ]
- security.bsd.see_other_gids (exp: 0) [ OK ]
- security.bsd.see_other_uids (exp: 0) [ OK ]
- security.bsd.stack_guard_page (exp: 1) [ OK ]
- security.bsd.unprivileged_proc_debug (exp: 0) [ OK ]
- security.bsd.unprivileged_read_msgbuf (exp: 0) [ OK ]
[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ FOUND ]
[+] Custom Tests
------------------------------------
- Running custom tests... [ NONE ]
[+] Plugins (phase 2)
------------------------------------
================================================================================
-[ Lynis 2.6.4 Results ]-
Warnings (6):
----------------------------
! Multiple users with UID 0 found in passwd file [AUTH-9204]
- Solution :
https://cisofy.com/controls/AUTH-9204/
! Multiple accounts found with same UID [AUTH-9208]
- Solution :
https://cisofy.com/controls/AUTH-9208/
! Possible harmful shell found (for passwordless account!) [AUTH-9218]
- Solution :
https://cisofy.com/controls/AUTH-9218/
! Found unprotected console in /etc/ttys [SHLL-6202]
- Solution :
https://cisofy.com/controls/SHLL-6202/
! Found BIND version in banner [NAME-4210]
- Solution :
https://cisofy.com/controls/NAME-4210/
! PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [PHP-2372]
- Solution :
https://cisofy.com/controls/PHP-2372/
Suggestions (26):
----------------------------
* Version of Lynis outdated, consider upgrading to the latest version [LYNIS]
- Solution :
https://cisofy.com/controls/LYNIS/
* Determine if account is needed, as shell /usr/local/libexec/uucp/uucico does not exist [AUTH-9218]
- Solution :
https://cisofy.com/controls/AUTH-9218/
* Umask in /etc/login.conf could be more strict like 027 [AUTH-9328]
- Solution :
https://cisofy.com/controls/AUTH-9328/
* Symlinked mount point needs to be checked manually [FILE-6310]
- Details : /home
- Solution :
https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
- Solution :
https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
- Solution :
https://cisofy.com/controls/FILE-6310/
* The version in BIND can be masked by defining 'version none' in the configuration file [NAME-4210]
- Solution :
https://cisofy.com/controls/NAME-4210/
* Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy [HTTP-6710]
- Solution :
https://cisofy.com/controls/HTTP-6710/
* Consider hardening SSH configuration [SSH-7408]
- Details : AllowTcpForwarding (YES --> NO)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : ClientAliveCountMax (3 --> 2)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : Compression (DELAYED --> NO)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : LogLevel (INFO --> VERBOSE)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : MaxAuthTries (3 --> 2)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : MaxSessions (10 --> 2)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : Port (22 --> )
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : TCPKeepAlive (YES --> NO)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : UseDNS (YES --> NO)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : X11Forwarding (YES --> NO)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : AllowAgentForwarding (YES --> NO)
- Solution :
https://cisofy.com/controls/SSH-7408/
* Change the expose_php line to: expose_php = Off [PHP-2372]
- Solution :
https://cisofy.com/controls/PHP-2372/
* Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376]
- Solution :
https://cisofy.com/controls/PHP-2376/
* Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
- Solution :
https://cisofy.com/controls/LOGG-2154/
* Enable process accounting [ACCT-2754]
- Solution :
https://cisofy.com/controls/ACCT-2754/
* Determine if automation tools are present for system management [TOOL-5002]
- Solution :
https://cisofy.com/controls/TOOL-5002/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution :
https://cisofy.com/controls/KRNL-6000/
* Harden compilers like restricting access to root user only [HRDN-7222]
- Solution :
https://cisofy.com/controls/HRDN-7222/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 66 [############# ]
Tests performed : 189
Plugins enabled : 0
Components:
- Firewall [V]
- Malware scanner [V]
Lynis Modules:
- Compliance Status [?]
- Security Audit [V]
- Vulnerability Scan [V]
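The three account and console warnings at the top of the report (AUTH-9204, AUTH-9208 and SHLL-6202) are cheap to re-check by hand before and after fixing them. The POSIX sh script below is an added example, not code from the original post or from Lynis; it reproduces the logic of those three checks over constructed sample passwd and ttys files, so it runs offline. On a real host you would point the functions at /etc/passwd and /etc/ttys. The account names in the sample (backup sharing UID 80 with www) are made up; toor is the stock second UID-0 account FreeBSD ships, which is the usual reason this warning appears on a fresh install.

```shell
#!/bin/sh
# Added example, not code from the original post or from Lynis: a POSIX sh
# re-check of three warnings from the report above (AUTH-9204 multiple UID 0
# users, AUTH-9208 shared UIDs, SHLL-6202 unprotected console). The passwd and
# ttys files below are constructed samples; on a real host point the functions
# at /etc/passwd and /etc/ttys instead.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_TTYS=$SAMPLE_DIR/ttys

# Constructed passwd: "toor" is FreeBSD's stock second UID-0 account (password
# field "*", so it is disabled); "backup" is a made-up account sharing UID 80.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
backup:*:80:80:Constructed duplicate-UID account:/nonexistent:/bin/sh
EOF

# Constructed ttys: the console entry is flagged "secure" (the FreeBSD default),
# so single-user mode gives a root shell without asking for the root password.
cat > "$SAMPLE_TTYS" <<'EOF'
# name  getty                           type    status          comments
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv1   "/usr/libexec/getty Pc"         xterm   onifexists secure
EOF

# AUTH-9204: list every account whose UID is 0, one per line.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# AUTH-9208: list each UID used by more than one account as "UID user1,user2".
duplicate_uids() {
    awk -F: '
        {
            if ($3 in users) users[$3] = users[$3] "," $1
            else users[$3] = $1
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u, users[u] }
    ' "$1" | sort -n
}

# SHLL-6202: print "console" when the console entry is not marked "insecure".
# Marking it insecure makes init demand the root password in single-user mode.
unprotected_console() {
    awk '!/^#/ && $1 == "console" {
            insecure = 0
            for (i = 2; i <= NF; i++) if ($i == "insecure") insecure = 1
            if (!insecure) print $1
         }' "$1"
}

# Run the three checks and print Lynis-style warnings; the final line carries
# the number of findings so a caller can check it without parsing the rest.
audit_report() {
    passwd=$1
    ttys=$2
    findings=0
    n=$(uid0_accounts "$passwd" | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "WARNING [AUTH-9204]: $n accounts with UID 0: $(uid0_accounts "$passwd" | tr '\n' ' ')"
        findings=$((findings + 1))
    fi
    dups=$(duplicate_uids "$passwd")
    if [ -n "$dups" ]; then
        echo "WARNING [AUTH-9208]: UIDs shared by several accounts:"
        echo "$dups" | sed 's/^/    /'
        findings=$((findings + 1))
    fi
    if [ -n "$(unprotected_console "$ttys")" ]; then
        echo "WARNING [SHLL-6202]: console in $ttys is not marked insecure"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
}

audit_report "$SAMPLE_PASSWD" "$SAMPLE_TTYS"
```

Run against the real files (`audit_report /etc/passwd /etc/ttys`) the script reports the same three findings Lynis does. The console finding goes away once the `console` line in /etc/ttys reads `insecure` instead of `secure`; the UID-0 finding is about `toor` on a stock system, and the shared-UID finding is cleared by giving the DirectAdmin-created accounts distinct UIDs. Whether a disabled `toor` should stay is a judgement call; the script only makes the state visible.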