Bismillah,

Installing SPSE v4.3 on CentOS 7

Assumptions:

  • For use in a virtual machine only, not on the main server; this article is intended only for LPSE system administrators.

  • CentOS 7.1 is used

    Check the currently installed version:

[muntaza@lpse ~]$ cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
[muntaza@lpse ~]$ uname -a
Linux lpse.muntaza.id 3.10.0-229.1.2.el7.x86_64 #1 SMP Fri Mar 27 03:04:26 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

  • Installation materials: Java1.8.0, curl-7.28.1.tar.gz, modsecurity-apache_2.6.5.tar.gz and the file dblat.zip; you can contact the LKPP admin to obtain them. The author obtained them during the Admin System technical training (bimtek) on 16 May 2017 at LKPP Jakarta.

  • Installation material for the SPSE v4.3 training (latihan) version; you can contact the LKPP admin to obtain it. The author obtained it during the Admin System technical training (bimtek) on 27 September 2018 in Banjarmasin.

Steps:

0. Create a regular user

[root@lpse ssh]# useradd muntaza
[root@lpse ssh]# passwd muntaza

[root@lpse ssh]# cat /etc/group | grep wheel
wheel:x:10:
[root@lpse ssh]# id muntaza
uid=1000(muntaza) gid=1000(muntaza) groups=1000(muntaza)
[root@lpse ssh]# cat /etc/group | grep wheel
wheel:x:10:
[root@lpse ssh]# usermod muntaza -G muntaza,wheel
[root@lpse ssh]# cat /etc/group | grep wheel
wheel:x:10:muntaza
[root@lpse ssh]# id
uid=0(root) gid=0(root) groups=0(root)
[root@lpse ssh]# id muntaza
uid=1000(muntaza) gid=1000(muntaza) groups=1000(muntaza),10(wheel)

1. SSH with public key authentication only

A. Create a key pair on the host that will make the connection

openbsd$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/muntaza/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/muntaza/.ssh/id_rsa.
Your public key has been saved in /home/muntaza/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:iL8JYFQhsv2TX3tQndjyIIw8j0371SiW5GByLHkqEzI muntaza@openbsd.muntaza.id
The key's randomart image is:
+---[RSA 2048]----+
|. . o.           |
| + o . =   + .   |
|. E . B X * +    |
| . + + # B = o   |
|  o B + S = + .  |
| . . * . = o     |
|    . o . o      |
|     . o .       |
|      o          |
+----[SHA256]-----+

When creating this key, the passphrase is left empty

B. Create the .ssh directory on the VM

[muntaza@lpse ~]$ mkdir .ssh
[muntaza@lpse ~]$ ls -la
total 28
drwx------ 3 muntaza muntaza 4096 Sep 30 00:52 .
drwxr-xr-x 3 root    root    4096 Sep 30 00:33 ..
-rw------- 1 muntaza muntaza   37 Sep 30 00:42 .bash_history
-rw-r--r-- 1 muntaza muntaza   18 Mar  5  2015 .bash_logout
-rw-r--r-- 1 muntaza muntaza  193 Mar  5  2015 .bash_profile
-rw-r--r-- 1 muntaza muntaza  231 Mar  5  2015 .bashrc
drwxrwxr-x 2 muntaza muntaza 4096 Sep 30 00:52 .ssh
[muntaza@lpse ~]$ ls -lad .ssh/
drwxrwxr-x 2 muntaza muntaza 4096 Sep 30 00:52 .ssh/
[muntaza@lpse ~]$ chmod -R og-rwx .ssh/
[muntaza@lpse ~]$ ls -lad .ssh/
drwx------ 2 muntaza muntaza 4096 Sep 30 00:52 .ssh/

C. Copy the public key to the VM server

openbsd$ scp .ssh/id_rsa.pub muntaza@lpse.muntaza.id:/home/muntaza/.ssh/authorized_keys
muntaza@lpse.muntaza.id's password:
id_rsa.pub                                                      100%  408   181.7KB/s   00:00
openbsd$
openbsd$ ssh muntaza@lpse.muntaza.id
Last login: Sun Sep 30 00:51:47 2018 from 182.1.190.37
[muntaza@lpse ~]$

The connection with the public key is shown to work

D. Disable all authentication other than public key

[muntaza@lpse ~]$ cd /etc/ssh/
[muntaza@lpse ssh]$ sudo vi sshd_config

In the file /etc/ssh/sshd_config, make sure the other authentication methods are disabled

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no

Restart sshd

[muntaza@lpse ssh]$ sudo systemctl restart sshd

Check the connection from the host or another server

openbsd$ ssh muntaza@lpse.muntaza.id
Last login: Sun Sep 30 00:57:58 2018 from 45.64.99.182
[muntaza@lpse ~]$
[muntaza@lpse ~]$ exit
logout
Connection to lpse.muntaza.id closed.
openbsd$
openbsd$ ssh hasan@lpse.muntaza.id
hasan@lpse.muntaza.id: Permission denied (publickey).
openbsd$

As shown, the connection as user muntaza succeeds because that user already has a public key, while the connection as user hasan, who does not exist on the system, fails and shows an error indicating that only publickey authentication is accepted.
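
The check below is an added example, not part of the original article: it reads an sshd_config and reports whether the four settings from step D are all set to no in the global section. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# sample files are constructed for illustration.

# Print the global value of keyword $2 in sshd_config file $1 (lower case).
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and everything after a "Match" line is conditional.
sshd_global_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }            # stop at the first Match block
        key == want    { print tolower($2); exit }
    ' "$1"
}

# Report the four keywords the article sets; return 0 only if all are "no".
# A keyword that is not set explicitly is reported as MISSING.
audit_sshd_pubkey_only() {
    file=$1
    rc=0
    for kw in PermitRootLogin PasswordAuthentication \
              ChallengeResponseAuthentication GSSAPIAuthentication; do
        val=$(sshd_global_value "$file" "$kw")
        case "$val" in
            no) echo "OK       $kw no" ;;
            "") echo "MISSING  $kw (not set before any Match block)"; rc=1 ;;
            *)  echo "FAIL     $kw $val"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input, not real server files.
write_sample_configs() {
    dir=$1
    cat > "$dir/hardened" <<'EOF'
# constructed sample: the four lines from the article
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
UsePAM yes
EOF
    cat > "$dir/weak" <<'EOF'
# constructed sample: looks hardened at a glance, but is not
#PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
GSSAPIAuthentication yes
Match User backup
    PermitRootLogin no
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in hardened weak; do
    echo "== $f =="
    if audit_sshd_pubkey_only "$tmp/$f"; then
        echo "result: public key only"
    else
        echo "result: other authentication still possible"
    fi
done
rm -rf "$tmp"
```

On the server itself, `sudo sshd -t` validates the file before the restart and `sudo sshd -T` prints the configuration sshd actually uses.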

2. Update the OS to the latest version

[muntaza@lpse ssh]$ sudo yum update

Transaction Summary
==========================================================================================================================
Install    5 Packages (+21 Dependent packages)
Upgrade  183 Packages

Total download size: 238 M
Is this ok [y/d/N]:

Whoa, 238 MB, that is fairly large (smile)

[muntaza@lpse ssh]$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[muntaza@lpse ssh]$

There, now on version 7.5

3. Configure the firewall with firewalld

Why enable the firewall? Think of a house: to let air in we need to open a window, protected by iron bars; we do not have to keep the front door open all the time.

A. Install firewalld

[muntaza@lpse ssh]$ sudo yum install firewalld

B. Reboot system

[muntaza@lpse ~]$ sudo /sbin/reboot

C. Disable iptables and enable firewalld

[muntaza@lpse ~]$ sudo systemctl status iptables
[sudo] password for muntaza:
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

[muntaza@lpse ~]$ sudo systemctl stop iptables
[muntaza@lpse ~]$ sudo systemctl disable iptables

[muntaza@lpse ~]$ sudo systemctl start firewalld
[muntaza@lpse ~]$ sudo systemctl enable firewalld

[muntaza@lpse ~]$ sudo systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-09-30 01:28:54 UTC; 1min 3s ago
     Docs: man:firewalld(1)
 Main PID: 339 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─339 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Sep 30 01:28:52 lpse.muntaza.id systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 30 01:28:54 lpse.muntaza.id systemd[1]: Started firewalld - dynamic firewall daemon.

D. Open the https port for connections from outside

[muntaza@lpse ~]$ sudo firewall-cmd --list-services
ssh dhcpv6-client
[muntaza@lpse ~]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[muntaza@lpse ~]$ sudo firewall-cmd --add-service=https
success
[muntaza@lpse ~]$ sudo firewall-cmd --add-service=https --permanent
success
[muntaza@lpse ~]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: ssh dhcpv6-client https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[muntaza@lpse ~]$ sudo firewall-cmd --list-all --permanent
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[muntaza@lpse ~]$

Why is only the https port opened? Because in this example port 80 will not be active; we only run the service on port 443.

4. SELinux

We enable SELinux. SELinux is a feature, not a bug; having SELinux active actually improves the security of our server.

[muntaza@lpse ~]$ sudo vi /etc/sysconfig/selinux
[muntaza@lpse ~]$ cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

A. Install the SELinux support packages

[muntaza@lpse ~]$ sudo yum install policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans

[muntaza@lpse ~]$ sudo /sbin/reboot

B. Check the SELinux status

[muntaza@lpse ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[muntaza@lpse ~]$

SELinux is shown to be active

C. Configure SELinux so that SPSE v4.3 can run

[muntaza@lpse ~]$ cat setting_selinux.sh
setsebool httpd_anon_write 1
setsebool httpd_builtin_scripting 1
setsebool httpd_can_network_connect 1
setsebool httpd_enable_cgi 1
setsebool httpd_graceful_shutdown 1
setsebool named_tcp_bind_http_port 1
[muntaza@lpse ~]$
[muntaza@lpse ~]$ sudo sh setting_selinux.sh
[sudo] password for muntaza:
[muntaza@lpse ~]$
[muntaza@lpse ~]$  getsebool -a| grep http| grep "> on"
httpd_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_enable_cgi --> on
httpd_graceful_shutdown --> on
named_tcp_bind_http_port --> on
[muntaza@lpse ~]$

5. Configure the file /etc/resolv.conf

[muntaza@lpse ~]$ cat /etc/resolv.conf
nameserver 27.50.20.21
nameserver 27.50.30.21
nameserver 8.8.8.8
[muntaza@lpse ~]$

6. Postgresql 10

A. Install PostgreSQL 10

[muntaza@lpse ~]$ sudo yum install https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm

[muntaza@lpse ~]$ sudo yum install postgresql10 postgresql10-server postgresql10-contrib vim unzip

Besides installing PostgreSQL, the author also installs vim, which was forgotten earlier, and unzip

B. Configure PostgreSQL 10

Create the database cluster:

[muntaza@lpse ~]$ sudo /usr/pgsql-10/bin/postgresql-10-setup initdb
Initializing database ... OK

[muntaza@lpse ~]$

Make sure that PostgreSQL is active only for localhost and that connections from localhost use the md5 method

[muntaza@lpse ~]$ sudo su postgres
bash-4.2$ cd
bash-4.2$ ls
10

bash-4.2$ cp 10/data/postgresql.conf 10/data/postgresql.conf_asli
bash-4.2$ vi 10/data/postgresql.conf
bash-4.2$ cp 10/data/pg_hba.conf 10/data/pg_hba.conf_asli
bash-4.2$ vi 10/data/pg_hba.conf
bash-4.2$ diff 10/data/postgresql.conf 10/data/postgresql.conf_asli
59c59
< listen_addresses = 'localhost'		# what IP address(es) to listen on;
---
> #listen_addresses = 'localhost'		# what IP address(es) to listen on;
bash-4.2$ diff 10/data/pg_hba.conf 10/data/pg_hba.conf_asli
82c82
< host    all             all             127.0.0.1/32            md5
---
> host    all             all             127.0.0.1/32            ident
84c84
< host    all             all             ::1/128                 md5
---
> host    all             all             ::1/128                 ident
bash-4.2$

Restart the postgresql service

bash-4.2$ exit
exit
[muntaza@lpse ~]$ id
uid=1000(muntaza) gid=1000(muntaza) groups=1000(muntaza),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[muntaza@lpse ~]$ sudo systemctl restart postgresql-10
[sudo] password for muntaza:
[muntaza@lpse ~]$ sudo systemctl enable postgresql-10
Created symlink from /etc/systemd/system/multi-user.target.wants/postgresql-10.service to /usr/lib/systemd/system/postgresql-10.service.
[muntaza@lpse ~]$ sudo systemctl status postgresql-10
postgresql-10.service - PostgreSQL 10 database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql-10.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-09-30 02:28:45 UTC; 10s ago
     Docs: https://www.postgresql.org/docs/10/static/
 Main PID: 9520 (postmaster)
   CGroup: /system.slice/postgresql-10.service
           ├─9520 /usr/pgsql-10/bin/postmaster -D /var/lib/pgsql/10/data/
           ├─9521 postgres: logger process
           ├─9523 postgres: checkpointer process
           ├─9524 postgres: writer process
           ├─9525 postgres: wal writer process
           ├─9526 postgres: autovacuum launcher process
           ├─9527 postgres: stats collector process
           └─9528 postgres: bgworker: logical replication launcher

Sep 30 02:28:45 lpse.muntaza.id systemd[1]: Starting PostgreSQL 10 database server...
Sep 30 02:28:45 lpse.muntaza.id postmaster[9520]: 2018-09-30 02:28:45.856 UTC [9520] LOG:  listening on IPv6 addre... 5432
Sep 30 02:28:45 lpse.muntaza.id postmaster[9520]: 2018-09-30 02:28:45.858 UTC [9520] LOG:  listening on IPv4 addre... 5432
Sep 30 02:28:45 lpse.muntaza.id postmaster[9520]: 2018-09-30 02:28:45.861 UTC [9520] LOG:  listening on Unix socke...5432"
Sep 30 02:28:45 lpse.muntaza.id postmaster[9520]: 2018-09-30 02:28:45.866 UTC [9520] LOG:  listening on Unix socke...5432"
Sep 30 02:28:45 lpse.muntaza.id postmaster[9520]: 2018-09-30 02:28:45.882 UTC [9520] LOG:  redirecting log output ...ocess
Sep 30 02:28:45 lpse.muntaza.id postmaster[9520]: 2018-09-30 02:28:45.882 UTC [9520] HINT:  Future log output will...log".
Sep 30 02:28:45 lpse.muntaza.id systemd[1]: Started PostgreSQL 10 database server.
Hint: Some lines were ellipsized, use -l to show in full.
[muntaza@lpse ~]$
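
The check below is an added example, not part of the original article: it reads a postgresql.conf and a pg_hba.conf and reports whether the server listens on localhost only and whether every TCP (host) record is a loopback address with a password-hash method. The function names and sample files are constructed; the `_asli` and edited samples reuse the lines shown in the diffs above, and scram-sha-256 (also available in PostgreSQL 10) is accepted alongside md5.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# sample files are constructed for illustration.

# Print the effective listen_addresses of postgresql.conf file $1.
# Assumes the "name = value" form. A later assignment overrides an earlier
# one; with none set, PostgreSQL's built-in default is localhost.
pg_listen_addresses() {
    awk -v q="'" '
        /^[ \t]*#/ { next }
        $1 ~ /^listen_addresses(=|$)/ {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)   # drop "listen_addresses ="
            sub(/[ \t]*#.*$/, "", line)      # drop trailing comment
            gsub(q, "", line)                # drop the single quotes
            val = line; found = 1
        }
        END { print (found ? val : "localhost") }
    ' "$1"
}

# Print one finding per problem in pg_hba.conf file $1; nothing when clean.
# Only host* (TCP) records are checked; "local" is the Unix socket.
pg_hba_findings() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 !~ /^host/ { next }
        $4 !~ /\// { print "line " NR ": address " $4 " is not in CIDR form, review by hand"; next }
        $4 != "127.0.0.1/32" && $4 != "::1/128" { print "line " NR ": non-loopback address " $4 }
        $5 != "md5" && $5 != "scram-sha-256"    { print "line " NR ": method " $5 " for " $4 }
    ' "$1"
}

# Return 0 only if $1 listens on localhost and $2 has no findings.
pg_local_only() {
    listen=$(pg_listen_addresses "$1")
    findings=$(pg_hba_findings "$2")
    echo "listen_addresses: $listen"
    if [ -n "$findings" ]; then echo "$findings"; fi
    [ "$listen" = "localhost" ] && [ -z "$findings" ]
}

# Constructed sample input, not real server files.
write_pg_samples() {
    d=$1
    cat > "$d/postgresql.conf_asli" <<'EOF'
#listen_addresses = 'localhost'		# what IP address(es) to listen on;
EOF
    cat > "$d/postgresql.conf" <<'EOF'
listen_addresses = 'localhost'		# what IP address(es) to listen on;
EOF
    cat > "$d/postgresql.conf_open" <<'EOF'
listen_addresses = '*'
EOF
    cat > "$d/pg_hba.conf_asli" <<'EOF'
local   all             all                                     peer
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
EOF
    cat > "$d/pg_hba.conf" <<'EOF'
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
EOF
    cat > "$d/pg_hba.conf_open" <<'EOF'
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               md5
EOF
}

tmp=$(mktemp -d)
write_pg_samples "$tmp"
for s in "" _asli _open; do
    echo "== postgresql.conf$s + pg_hba.conf$s =="
    if pg_local_only "$tmp/postgresql.conf$s" "$tmp/pg_hba.conf$s"; then
        echo "result: localhost only, password hash required"
    else
        echo "result: needs review"
    fi
done
rm -rf "$tmp"
```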

C. Create the epns user

The password for user epns must not be epns; use a password that is kept secret. In this example the password is “inirahasia”, and this setting is matched later during SPSE configuration, so it does not matter what the epns password is as long as the SPSE configuration is adjusted to match.

[muntaza@lpse ~]$ cd
[muntaza@lpse ~]$ pwd
/home/muntaza
[muntaza@lpse ~]$ sudo su postgres
bash-4.2$ cd
bash-4.2$ id
uid=26(postgres) gid=26(postgres) groups=26(postgres) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-4.2$ psql
psql (10.5)
Type "help" for help.

postgres=# \q
bash-4.2$
bash-4.2$ createuser -U postgres epns -P
Enter password for new role:
Enter it again:
bash-4.2$ createdb -O epns epns_lat
bash-4.2$
bash-4.2$
bash-4.2$ exit
exit
[muntaza@lpse ~]$

D. Restore

To restore the data, copy the SQL file over, along with the other materials

openbsd$ scp *
curl-7.28.1.tar.gz                      jdk1.8.0.tgz                            spse.conf
dblat.zip                               modsecurity-apache_2.6.5.tar.gz         spselat_asli.tgz
openbsd$ scp * muntaza@lpse.muntaza.id:/home/muntaza
curl-7.28.1.tar.gz                                                                      100% 3114KB   6.9MB/s   00:00
dblat.zip                                                                               100%   12MB   6.3MB/s   00:01
jdk1.8.0.tgz                                                                            100%  288MB   6.1MB/s   00:47
modsecurity-apache_2.6.5.tar.gz                                                         100%  763KB   6.6MB/s   00:00
spse.conf                                                                               100% 4473     1.5MB/s   00:00
spselat_asli.tgz                                                                        100%  160MB   6.2MB/s   00:25
openbsd$

Restore database

[muntaza@lpse ~]$ ls
curl-7.28.1.tar.gz  jdk1.8.0.tgz                     setting_selinux.sh  spselat_asli.tgz
dblat.zip           modsecurity-apache_2.6.5.tar.gz  spse.conf
[muntaza@lpse ~]$ cd /tmp/
[muntaza@lpse tmp]$ unzip ~/dblat.zip
Archive:  /home/muntaza/dblat.zip
  inflating: epns_lat_23-01-2017-14-32-28.sql
[muntaza@lpse tmp]$ sudo su postgres
bash-4.2$ cd
bash-4.2$ id
uid=26(postgres) gid=26(postgres) groups=26(postgres) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

bash-4.2$ psql epns_lat < /tmp/epns_lat_23-01-2017-14-32-28.sql

bash-4.2$ exit
exit
[muntaza@lpse tmp]$ id
uid=1000(muntaza) gid=1000(muntaza) groups=1000(muntaza),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Test the connection

[muntaza@lpse ~]$ id
uid=1000(muntaza) gid=1000(muntaza) groups=1000(muntaza),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[muntaza@lpse ~]$ psql -U epns epns_lat -h localhost
Password for user epns:
psql (10.5)
Type "help" for help.

epns_lat=>
epns_lat=> \q
[muntaza@lpse ~]$

7. Java

Extract the java1.8.0 file

[muntaza@lpse src]$ cd /usr/local/src/
[muntaza@lpse src]$ sudo tar -xzf /home/muntaza/jdk1.8.0.tgz
[muntaza@lpse src]$ ls
jdk1.8.0_copy
[muntaza@lpse src]$ sudo mv jdk1.8.0_copy jdk1.8.0
[muntaza@lpse src]$
[muntaza@lpse src]$ ls
jdk1.8.0

8. Apache HTTPD, Mod SSL and development tools

[muntaza@lpse src]$ sudo yum install httpd httpd-devel gcc-c++ mod_evasive mod_security pcre-devel libxml2-devel
[muntaza@lpse ~]$ sudo yum install mod_ssl

9. Curl and Mod Security

A. Curl

[muntaza@lpse ~]$ tar -xzf curl-7.28.1.tar.gz
[muntaza@lpse ~]$ cd curl-7.28.1
[muntaza@lpse curl-7.28.1]$ ./configure --with-apxs=/usr/bin/apxs
[muntaza@lpse curl-7.28.1]$ make
[muntaza@lpse curl-7.28.1]$ sudo make install

B. Mod Security

[muntaza@lpse ~]$ tar -xzf modsecurity-apache_2.6.5.tar.gz
[muntaza@lpse ~]$ cd modsecurity-apache_2.6.5
[muntaza@lpse modsecurity-apache_2.6.5]$ ./configure --with-apxs=/usr/bin/apxs
[muntaza@lpse modsecurity-apache_2.6.5]$ make
[muntaza@lpse modsecurity-apache_2.6.5]$ sudo make install

10. Mod Evasive

It is in the EPEL repository, and this repo is for Fedora, so the quality of this package is somewhat doubtful; consult the LKPP admin about this package

[muntaza@lpse ~]$ sudo rpm -ivh https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/m/mod_evasive-1.10.1-22.el7.x86_64.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/m/mod_evasive-1.10.1-22.el7.x86_64.rpm
warning: /var/tmp/rpm-tmp.SalqCq: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:mod_evasive-1.10.1-22.el7        ################################# [100%]

11. SPSE v4.3

A. Create the folder and make the spse4 file executable

[muntaza@lpse ~]$ sudo mkdir /home/appserv
[muntaza@lpse ~]$ cd /home/appserv/

[muntaza@lpse appserv]$ sudo tar -xzf ~/spselat_asli.tgz
[muntaza@lpse appserv]$ ls
spselat_asli
[muntaza@lpse appserv]$ sudo mv spselat_asli spselat
[muntaza@lpse appserv]$ cd spselat/
[muntaza@lpse spselat]$ ls
README.md  framework  spse4.original  webapp
[muntaza@lpse spselat]$ sudo cp spse4.original spse4
[muntaza@lpse spselat]$ sudo chmod +x spse4
[muntaza@lpse spselat]$

B. Configure SPSE v4.3

[muntaza@lpse spselat]$ cd webapp/conf/
[muntaza@lpse conf]$ sudo cp application.conf.lat application.conf
[muntaza@lpse conf]$ sudo vi application.conf
[muntaza@lpse conf]$ diff application.conf application.conf.lat
9c9
< http.path=/eproc43lat
---
> http.path=/eproc4lat
28c28
< db.pass=inirahasia
---
> db.pass=epns
91,92c91,92
< http.port=9909
< sikap.url=https://latihan-lpse.lkpp.go.id/sikap
---
> http.port=9009
> sikap.url=https://latihan-lpse.lkpp.go.id/sikap

12. Configure Apache HTTPD

Start httpd and check that the evasive, security and ssl modules are active

[muntaza@lpse ~]$ sudo systemctl restart httpd
[muntaza@lpse ~]$ sudo systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[muntaza@lpse ~]$ sudo systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-09-30 03:30:32 UTC; 18s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 26949 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─26949 /usr/sbin/httpd -DFOREGROUND
           ├─26950 /usr/sbin/httpd -DFOREGROUND
           ├─26951 /usr/sbin/httpd -DFOREGROUND
           ├─26952 /usr/sbin/httpd -DFOREGROUND
           ├─26953 /usr/sbin/httpd -DFOREGROUND
           └─26954 /usr/sbin/httpd -DFOREGROUND

Sep 30 03:30:30 lpse.muntaza.id systemd[1]: Starting The Apache HTTP Server...
Sep 30 03:30:32 lpse.muntaza.id httpd[26949]: AH00557: httpd: apr_sockaddr_info_get() failed for lpse.muntaza.id
Sep 30 03:30:32 lpse.muntaza.id httpd[26949]: AH00558: httpd: Could not reliably determine the server's fully qual...ssage
Sep 30 03:30:32 lpse.muntaza.id systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.

[muntaza@lpse ~]$
[muntaza@lpse ~]$ sudo  httpd -M | grep -e ssl -e evasive -e security
 ssl_module (shared)
 security2_module (shared)
 evasive20_module (shared)
[muntaza@lpse ~]$

The spse.conf configuration file

[muntaza@lpse ~]$ ls
curl-7.28.1         dblat.zip     modsecurity-apache_2.6.5         setting_selinux.sh  spselat_asli.tgz
curl-7.28.1.tar.gz  jdk1.8.0.tgz  modsecurity-apache_2.6.5.tar.gz  spse.conf
[muntaza@lpse ~]$ sudo cp spse.conf /etc/httpd/conf.d/
[muntaza@lpse ~]$ cd /etc/httpd/conf.d/
[muntaza@lpse conf.d]$ sudo vi spse.conf
[muntaza@lpse conf.d]$ cd ..
[muntaza@lpse httpd]$ ls
conf  conf.d  conf.modules.d  logs  modsecurity.d  modules  run
[muntaza@lpse httpd]$ cd conf
[muntaza@lpse conf]$ pwd
/etc/httpd/conf
[muntaza@lpse conf]$

Contents of the spse.conf file:

Alias /file_latihan /home/file_latihan
Alias /file_prod /home/file_prod


SetOutputFilter DEFLATE
DeflateBufferSize 65536
DeflateCompressionLevel 9
DeflateFilterNote Input instream
DeflateFilterNote Output outstream
DeflateFilterNote Ratio ratio
DeflateMemLevel 9
DeflateWindowSize 15
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch "Windows 98" gzip-only-text/html
BrowserMatch "MSIE [45]" gzip-only-text/html
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpeg|jpe|jpg|png|ico|t?gz|zip|rar|pdf|doc|xls|dat)$ no-gzip dont-vary
LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
CustomLog /var/log/httpd/deflate_log deflate

<IfModule mod_headers.c>
   Header append Vary User-Agent env=!dont-vary
</IfModule>

##Update By JF##
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
ProxyTimeout 600
ProxyPass /eproc43lat http://localhost:9909/eproc43lat
ProxyPassReverse /eproc43lat http://localhost:9909/eproc43lat


#<VirtualHost *:80>
# LogLevel warn
# CustomLog /var/log/httpd/access.log combined
# RedirectMatch ^/$ /eproc4
# RedirectMatch ^/latihan$ /latihan/
# AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/x-httpd-php
# SetInputFilter DEFLATE
# SetOutputFilter DEFLATE
#</VirtualHost>

<IfModule mod_evasive20.c>
    DOSHashTableSize    6194
    DOSPageCount        25
    DOSSiteCount        80
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>

SecAuditEngine RelevantOnly
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditLogParts ABCFHZ
SecAuditLog /var/log/httpd/audit_apache.log
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 3
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:none
SecRuleEngine On
SecServerSignature "Netscape-Enterprise/6.0 PHP5.2.0 mod_asp/3.4.5"
SecRule ARGS "\.\./"
SecRule ARGS "<[[:space:]]*script"
#SecRule ARGS "<(.|\n)+>"
SecRule REQUEST_BODY "(document\.cookie|Set-Cookie|SessionID=)"
SecRule REQUEST_BODY "<[^>]*meta*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*style*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*script*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*iframe*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*object*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*img*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*applet*\"?[^>]*>"
SecRule REQUEST_BODY "<[^>]*form*\"?[^>]*>"
SecRule REQUEST_HEADERS:User-Agent "Nikto" "log,deny,status:403,msg:'Nikto Scanners Identified'"
SecRule HTTP_HOST "\x25"
SecRule HTTP_HOST "^$" "log,allow,msg:'no http host'"
SecRule HTTP_USER_AGENT "^$" "log,allow,msg:'No user agent'"
SecRule REQUEST_BODY "/^(etc|bin|sbin|tmp|var|opt|dev|kernel|exe)$/"
SecRule ARGS "delete[[:space:]]+from"
SecRule ARGS "insert[[:space:]]+into"
SecRule ARGS "select.+from"
SecRule ARGS "\<\!--\#"
#SecRule ARGS "((=))[^\n]*(<)[^\n]+(>)"
SecRule REQUEST_BODY "(\'|\")"
#### causes logout to be denied ####
#SecRule REQUEST_BODY "!^[\x20-\x7f]+$"
SecRule REQUEST_URI "^/(bin|cgi|cgi(\.cgi|-91[45]|-sys|-local|s|-win|-exe|-home|-perl)|(mp|web)cgi|(ht|ows-)bin|scripts|fcgi-bin)/"
SecRule REQUEST_BODY "/bin/ps"
SecRule ARGS "wget\x20"
SecRule ARGS "uname\x20-a"
SecRule REQUEST_BODY "/nessus_is_probing_you_"
SecRule REQUEST_URI "^OR 1=1--*"

SecRequestBodyLimit 800000000
SecResponseBodyLimit 800000000


<LocationMatch /cgi-bin/>
SecRule REQUEST_URI "!(script1\.cgi|script2\.cgi|custom_email\.pl|form\.cgi\.exe)"
</LocationMatch>

SecReadStateLimit 15

SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 15" "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"

Disable port 80

[muntaza@lpse conf]$ ls
httpd.conf  magic
[muntaza@lpse conf]$ sudo cp httpd.conf httpd.conf_asli
[muntaza@lpse conf]$ sudo vi httpd.conf
[muntaza@lpse conf]$ diff httpd.conf httpd.conf_asli
42c42
< #Listen 80
---
> Listen 80
[muntaza@lpse conf]$

Configure SSL

[muntaza@lpse conf]$ pwd
/etc/httpd/conf
[muntaza@lpse conf]$ cd ../conf.d/
[muntaza@lpse conf.d]$ ls
README  autoindex.conf  mod_evasive.conf  mod_security.conf  spse.conf  ssl.conf  userdir.conf  welcome.conf
[muntaza@lpse conf.d]$ sudo cp ssl.conf ssl.conf_asli
[muntaza@lpse conf.d]$ sudo vi ssl.conf

Add these 7 lines below the line <VirtualHost _default_:443>

<VirtualHost _default_:443>
 LogLevel warn
 CustomLog /var/log/httpd/access.log combined
 RedirectMatch ^/$ /eproc43lat
 RedirectMatch ^/latihan$ /latihan/
 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/x-httpd-php
 SetInputFilter DEFLATE
 SetOutputFilter DEFLATE

So that it looks like the above

13. Start SPSE v4.3

[muntaza@lpse spselat]$ sudo sh spse4 stop
[sudo] password for muntaza:
Stop SPSE 4 ... /home/appserv/spselat
SPSE 4 stopped

[muntaza@lpse spselat]$ sudo sh spse4 migration
Using JAVA_HOME: /usr/local/src/jdk1.8.0
Sistem akan Melakukan Migration
Harap Dilakukan Backup Database SPSE
[muntaza@lpse spselat]$ sudo sh spse4 start
Starting SPSE 4 ... /home/appserv/spselat
Using JAVA_HOME: /usr/local/src/jdk1.8.0
SPSE 4 started

Check the log

[muntaza@lpse logs]$ pwd
/home/appserv/spselat/webapp/logs
[muntaza@lpse logs]$ sudo tail -f spse4.3.log

Create the file_latihan folder

[muntaza@lpse spselat]$ sudo mkdir -p /home/file/file_latihan

[muntaza@lpse spselat]$ sudo sh spse4 restart
Stop SPSE 4 ... /home/appserv/spselat
SPSE 4 stopped
Starting SPSE 4 ... /home/appserv/spselat
Using JAVA_HOME: /usr/local/src/jdk1.8.0
SPSE 4 started
[muntaza@lpse spselat]$ sudo systemctl restart httpd
[muntaza@lpse spselat]$

14. Check the result at https://lpse.muntaza.id/eproc43lat

Alhamdulillah, it works

Enable at every boot

[muntaza@lpse ~]$ cd /home/appserv/
[muntaza@lpse appserv]$ ls
spselat
[muntaza@lpse appserv]$ cd spselat/
[muntaza@lpse spselat]$ ls
README.md  framework  spse4  spse4.original  webapp
[muntaza@lpse spselat]$ sudo su
[root@lpse spselat]# echo

[root@lpse spselat]#
[root@lpse spselat]# echo "/home/appserv/spselat/spse4 restart" >> /etc/rc.local
[root@lpse spselat]#

Enable the SELinux configuration

[muntaza@lpse ~]$ sudo cp setting_selinux.sh /root/
[muntaza@lpse ~]$ sudo su
[root@lpse muntaza]# cd
[root@lpse ~]# echo "sh /root/setting_selinux.sh" >> /etc/rc.local
[root@lpse ~]# exit
exit
[muntaza@lpse ~]$ cat /etc/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local
/home/appserv/spselat/spse4 restart
sh /root/setting_selinux.sh
[muntaza@lpse ~]$

Test the result with a reboot

[muntaza@lpse ~]$ sudo /sbin/reboot

Alhamdulillah, it works again

15. Renew the SSL certificate

Because the existing SSL certificate is the default one shipped with Mod SSL, we have to create a new one so that it can be used to buy a real certificate from an SSL certificate provider/seller such as Comodo.

[muntaza@lpse ~]$ sudo su
[root@lpse muntaza]# cd /etc/ssl
[root@lpse ssl]# ls
certs
[root@lpse ssl]# mkdir private
[root@lpse ssl]# openssl genrsa -out /etc/ssl/private/server.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
............+++
e is 65537 (0x10001)
[root@lpse ssl]# ls
certs  private
[root@lpse ssl]# ls private/
server.key
[root@lpse ssl]# openssl req -new -key /etc/ssl/private/server.key \
> -out /etc/ssl/private/lpse.muntaza.id.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ID
State or Province Name (full name) []:KALIMANTAN SELATAN
Locality Name (eg, city) [Default City]:PARINGIN
Organization Name (eg, company) [Default Company Ltd]:LATIHAN
Organizational Unit Name (eg, section) []:LATIHAN
Common Name (eg, your name or your server's hostname) []:lpse.muntaza.id
Email Address []:muhammad@muntaza.id

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@lpse ssl]#

Fill in the fields correctly when creating the .csr file above; the values shown are only an illustration

[root@lpse ssl]# ls private/
lpse.muntaza.id.csr  server.key
[root@lpse ssl]#

Once the .csr file is ready, it is used for copy and paste when buying the real certificate. The author suggests simply buying Comodo, because Positive SSL from Comodo costs only Rp99.000 for 1 (one) year

Because this is only practice, the author self-signs when issuing the .crt file

[root@lpse ssl]# ls private/
lpse.muntaza.id.csr  server.key
[root@lpse ssl]# openssl x509 -sha256 -req -days 3650 \
> -in /etc/ssl/private/lpse.muntaza.id.csr \
> -signkey /etc/ssl/private/server.key \
> -out /etc/ssl/server.crt
Signature ok

There, it is signed, he…he…; now we change the ssl.conf configuration file

[muntaza@lpse ~]$ cd /etc/httpd/conf.d/
[muntaza@lpse conf.d]$ ls
README          mod_evasive.conf   spse.conf  ssl.conf_asli  welcome.conf
autoindex.conf  mod_security.conf  ssl.conf   userdir.conf

[muntaza@lpse conf.d]$ sudo vi ssl.conf
[muntaza@lpse conf.d]$ sudo diff ssl.conf ssl.conf_asli
57,63d56
<  LogLevel warn
<  CustomLog /var/log/httpd/access.log combined
<  RedirectMatch ^/$ /eproc43lat
<  RedirectMatch ^/latihan$ /latihan/
<  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/x-httpd-php
<  SetInputFilter DEFLATE
<  SetOutputFilter DEFLATE
107c100
< SSLCertificateFile /etc/ssl/server.crt
---
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
114c107
< SSLCertificateKeyFile /etc/ssl/private/server.key
---
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

It is now active: the default key has been replaced with the temporary key. Try restarting httpd

[muntaza@lpse conf.d]$ sudo systemctl restart httpd

16. Install AIDE

Security check; AIDE is used as the example here.

[muntaza@lpse ~]$ sudo yum install aide

Initialize AIDE, then copy the database to another location.

[muntaza@lpse ~]$ sudo su
[root@lpse muntaza]# aide --init

AIDE, version 0.15.1

AIDE database at /var/lib/aide/aide.db.new.gz initialized.

[root@lpse muntaza]# exit
exit
[muntaza@lpse ~]$ sudo cp /var/lib/aide/aide.db.new.gz .
[muntaza@lpse ~]$ sudo chown muntaza aide.db.new.gz
[muntaza@lpse ~]$

Copy it to another location

muntaza@E202SA ~ $ scp muntaza@lpse.muntaza.id:/home/muntaza/aide*  .
aide.db.new.gz                                                                          100% 2122KB 303.1KB/s   00:07

Test the check

[muntaza@lpse ~]$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[muntaza@lpse ~]$ sudo aide --check

AIDE, version 0.15.1

All files match AIDE database. Looks okay!

[muntaza@lpse ~]$

Test by creating a new file in /root/

[muntaza@lpse ~]$ sudo touch /root/.coba
[muntaza@lpse ~]$ sudo aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-09-30 07:58:05

Summary:
  Total number of files:	59884
  Added files:			1
  Removed files:		0
  Changed files:		0


---------------------------------------------------
Added files:
---------------------------------------------------

added: /root/.coba
[muntaza@lpse ~]$

As shown, the creation of the .coba file was caught by AIDE (smile)
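
The check above prints a full report, while a scheduled run needs only a verdict and the affected paths. As an added example (not part of the original tutorial), the functions below reduce an `aide --check` report in the 0.15.1 format shown above to one alert line and an exit status; the function names are hypothetical and the sample report is constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: reduce an `aide --check`
# report to one alert line and an exit status that a cron job can act on.

# Print "added removed changed" from the Summary block of a report on stdin.
# A clean report ("All files match AIDE database") has no Summary: prints 0 0 0.
aide_counts() {
    awk '
        $1 == "Added"   && $2 == "files:" && NF == 3 { a = $3 }
        $1 == "Removed" && $2 == "files:" && NF == 3 { r = $3 }
        $1 == "Changed" && $2 == "files:" && NF == 3 { c = $3 }
        END { printf "%d %d %d\n", a, r, c }
    '
}

# Print the affected paths, one per line. "added:" is the form shown in the
# report above; "removed:" and "changed:" are assumed to follow the same pattern.
aide_paths() {
    sed -n -e 's/^added: //p' -e 's/^removed: //p' -e 's/^changed: //p'
}

# Print an alert line for the report file $1; return 1 if anything differs.
aide_alert() {
    report=$1
    set -- $(aide_counts < "$report")
    if [ $(( $1 + $2 + $3 )) -eq 0 ]; then
        echo "AIDE OK: no differences"
        return 0
    fi
    echo "AIDE ALERT: $1 added, $2 removed, $3 changed: $(aide_paths < "$report" | paste -sd ' ' -)"
    return 1
}

# Constructed sample that mirrors the report printed after `touch /root/.coba`.
sample_report() {
    printf '%s\n' \
        'AIDE 0.15.1 found differences between database and filesystem!!' \
        'Summary:' \
        '  Total number of files:   59884' \
        '  Added files:             1' \
        '  Removed files:           0' \
        '  Changed files:           0' \
        '---------------------------------------------------' \
        'Added files:' \
        '---------------------------------------------------' \
        'added: /root/.coba'
}

# Demo on the constructed sample; a cron job would save `aide --check` output first.
tmp=$(mktemp) && sample_report > "$tmp"
aide_alert "$tmp" || echo "(status 1: log or mail the line above)"
rm -f "$tmp"
```
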

17. CHKrootkit

To scan the server for rootkits

[muntaza@lpse ~]$ mkdir chkrootkit
[muntaza@lpse ~]$ cd chkrootkit/
[muntaza@lpse chkrootkit]$ wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
[muntaza@lpse chkrootkit]$ wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

[muntaza@lpse chkrootkit]$ cat chkrootkit.md5
0c864b41cae9ef9381292b51104b0a04  chkrootkit.tar.gz
[muntaza@lpse chkrootkit]$ md5sum chkrootkit.tar.gz
0c864b41cae9ef9381292b51104b0a04  chkrootkit.tar.gz
[muntaza@lpse chkrootkit]$

[muntaza@lpse chkrootkit]$ ls
chkrootkit.md5  chkrootkit.tar.gz
[muntaza@lpse chkrootkit]$ tar -xzvf chkrootkit.tar.gz
chkrootkit-0.52/ACKNOWLEDGMENTS
chkrootkit-0.52/check_wtmpx.c
chkrootkit-0.52/chkdirs.c
chkrootkit-0.52/chklastlog.c
chkrootkit-0.52/chkproc.c
chkrootkit-0.52/chkrootkit
chkrootkit-0.52/chkrootkit.lsm
chkrootkit-0.52/chkutmp.c
chkrootkit-0.52/chkwtmp.c
chkrootkit-0.52/COPYRIGHT
chkrootkit-0.52/ifpromisc.c
chkrootkit-0.52/Makefile
chkrootkit-0.52/README
chkrootkit-0.52/README.chklastlog
chkrootkit-0.52/README.chkwtmp
chkrootkit-0.52/strings.c
[muntaza@lpse chkrootkit]$ sudo yum install wget gcc-c++ glibc-static

[muntaza@lpse chkrootkit]$ cd chkrootkit-0.52/
[muntaza@lpse chkrootkit-0.52]$ sudo make sense
cc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
cc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
cc -DHAVE_LASTLOG_H   -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c
cc  -o chkproc chkproc.c
cc  -o chkdirs chkdirs.c
cc  -o check_wtmpx check_wtmpx.c
cc -static  -o strings-static strings.c
cc  -o chkutmp chkutmp.c
[muntaza@lpse chkrootkit-0.52]$

Test run

[muntaza@lpse chkrootkit-0.52]$ sudo ./chkrootkit

18. Additional Firewall

This firewall uses the OpenBSD operating system and the PF firewall, with synproxy, anti-DoS protection, and acceptance of connections only from Indonesian IP addresses. This is an example pf.conf script:

#       $Id: pf.conf_gateway,v 1.9 2015/01/05 05:37:27 muntaza Exp $
#       $OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $

# macros
ext_if = "axe0"
int_if = "axe1"

server = "10.0.0.3"
tcp_services = "https"

laptop_admin = "192.168.0.1"
local = "ssh"

# options
set skip on lo

# match rules
match out on $ext_if inet from $server to any nat-to $ext_if:0

# filter rules
block return    # block stateless traffic

# block ip attacker
table <ip_attacker> persist file "/etc/ip_attacker"
block in quick from <ip_attacker>

table <abusive_hosts> persist
block in quick from <abusive_hosts>

table <ip_indonesia> persist file "/etc/ip_indonesia"

pass in on $ext_if inet proto tcp from <ip_indonesia> to $ext_if \
    port $tcp_services rdr-to $server port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

pass in on $ext_if inet proto tcp from <ip_indonesia> to $ext_if \
    port ssh \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

# allow the Qualys website to scan the SSL quality
pass in on $ext_if inet proto tcp from 64.41.200.0/24 to $ext_if \
    port $tcp_services rdr-to $server port $tcp_services \
    flags S/SA synproxy state


pass out on $int_if inet proto tcp to $server \
    port $tcp_services


# allow connections from the firewall to the server
pass out on $int_if inet proto tcp to $server \
    port 22

block in quick from urpf-failed to any  # use with care

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

A further explanation of this OpenBSD PF setup is on the author's blog, which is listed at the very bottom of the bibliography.
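
The rules above load the ip_indonesia table from /etc/ip_indonesia, a file with one address or CIDR block per line. As an added example (not from the original post), the script below builds such a list from registry delegation records; the pipe-separated `registry|cc|type|start|count|date|status` input layout is an assumption about the data source, `cc_to_cidr` is a hypothetical helper name, and the sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build the contents of
# /etc/ip_indonesia (one CIDR block per line) from delegation records.
# Assumed input layout: registry|cc|type|start|count|date|status

# Print the IPv4 blocks delegated to country code $1 as CIDR lines.
# A count that is not one aligned power of two is split into several blocks.
cc_to_cidr() {
    awk -F'|' -v cc="$1" '
        function ip2n(ip,    o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        function n2ip(n) {
            return int(n / 16777216) "." (int(n / 65536) % 256) "." (int(n / 256) % 256) "." (n % 256)
        }
        $2 == cc && $3 == "ipv4" && $5 > 0 {
            start = ip2n($4); left = $5
            while (left > 0) {
                # Largest block that starts on its own boundary and still fits.
                size = 1; bits = 32
                while (size * 2 <= left && start % (size * 2) == 0) {
                    size *= 2; bits--
                }
                print n2ip(start) "/" bits
                start += size; left -= size
            }
        }
    '
}

# Constructed sample records (documentation address ranges, not real data).
sample_delegations() {
    printf '%s\n' \
        '2|apnic|20180930|5|19830613|20180928|+1000' \
        'apnic|*|ipv4|*|4|summary' \
        'apnic|ID|ipv4|203.0.113.0|256|20100101|allocated' \
        'apnic|ID|ipv4|198.51.100.0|192|20100101|assigned' \
        'apnic|JP|ipv4|192.0.2.0|256|20100101|allocated' \
        'apnic|ID|ipv6|2001:db8::|32|20100101|allocated'
}

# Print the list; on the firewall this output would be written to the table file.
sample_delegations | cc_to_cidr ID
```

After the output is written to /etc/ip_indonesia, `pfctl -t ip_indonesia -T replace -f /etc/ip_indonesia` reloads the table without reloading the rule set.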

19. Things that are still unfinished

Because time was limited, there are several things the author has not completed, namely:

  • Setting up cron to run AIDE and chkrootkit every day at 00.00
  • Backing up the database every day at 01.00
  • Installing a mail server to send the results of the AIDE and chkrootkit cron checks to the administrator's email address (AIDE is pointless if the admin gets no alert whenever something suspicious shows up)
  • Opening the port for Cloud LPSE
  • etc.

There are also other things still missing, and the author cannot promise to finish this tutorial, so it is hoped that other system admins who have the time and opportunity will complete it.

That is all for now, fellow LPSE system admins. I hope this is useful.

Alhamdulillah

Abu Muhammad Muhammad Muntaza bin Hatta

Admin of LPSE Kabupaten Balangan - KALSEL (until 2018)

muhammad@muntaza.id

Bibliography

  • https://info.timlpse.lomboktengahkab.go.id/?p=6157
  • http://kloxo.web.id/?p=44
  • https://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7
  • https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts
  • https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-apache-for-centos-7
  • https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-centos7
  • https://www.tecmint.com/check-integrity-of-file-and-directory-using-aide-in-linux/
  • http://www.chkrootkit.org
  • https://linoxide.com/linux-how-to/install-chkrootkit-linux/
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/index
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index
  • https://www.cyberciti.biz/tips/linux-security.html
  • https://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf
  • https://www.tecmint.com/linux-server-hardening-security-tips/
  • https://muntaza.wordpress.com/2016/08/17/openbsd-pf-firewall-untuk-terima-koneksi-hanya-dari-ip-indonesia/