Ubuntu Server Hardening

My take on what’s out there, specifically targeted at the 12.04 LTS release.

Checklist
1- Reset root password

passwd

2- Enable sudo/set up users (I use a generic user “deploy” and SSH keys rather than password authentication)

useradd -m -s /bin/bash deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
vim /home/deploy/.ssh/authorized_keys
Add the contents of the id_rsa.pub on your local machine, and any other public keys that should have access to this server, to this file (one key per line).
chmod 400 /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy
passwd deploy (set a password: it is still needed for sudo even though SSH logins will use keys only)
visudo
Comment out all existing user/group grant lines and add the following lines:
root ALL=(ALL) ALL
deploy ALL=(ALL) ALL
Before going any further, confirm from your local machine that ssh deploy@server logs in with the key and that sudo -v accepts the password; everything below assumes this account works.

3- Lock down SSH: change the port if it is the standard one (the examples below use 2222; any unused port between 1024 and 65535 will do), prevent root login, and allow only specific users from specific addresses.

vim /etc/ssh/sshd_config
Port 2222
PermitRootLogin no
PasswordAuthentication no (only if you have set up SSH keys in step 2, or you will lock yourself out!)
AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
sshd -t (checks the syntax before you commit to it)
service ssh restart
If a firewall is already running, or once you do step 14, open the new port there before restarting sshd. Keep your current session open and test a fresh login on the new port from a second terminal; only close the old session once that works.
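The steps above are easy to get wrong by hand (a duplicate Port line, a typo that stops sshd restarting, forgetting the firewall). The following script is an added example and not part of the original post: it makes the same sshd_config changes idempotently, checks the syntax with sshd -t, and exercises itself on a constructed sample file so it can be read and run without root. Port 2222, the user name deploy and the source addresses 192.0.2.10 and 198.51.100.7 are placeholders chosen for the example, and the ufw line assumes ufw from step 14 is already enabled.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent sshd_config changes
# for step 3. Port 2222, user "deploy" and the addresses 192.0.2.10 and
# 198.51.100.7 are placeholders chosen here, not values from the post.

# set_sshd_option FILE KEY VALUE
# Rewrites the first active or commented-out "KEY ..." line in place (so the
# directive keeps its position relative to any Match block), drops later
# duplicates, and appends the directive only if no such line exists.
# A comment that merely starts with the directive name is treated as the
# commented-out directive, which is how the stock file is laid out.
set_sshd_option() {
    f=$1; k=$2; v=$3
    t=$(mktemp) || return 1
    awk -v key="$k" -v value="$v" '
        BEGIN { re = "^[# \t]*" key "([ \t]|$)" }
        $0 ~ re {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$f" > "$t" && cat "$t" > "$f"
    rc=$?
    rm -f "$t"
    return $rc
}

# harden_sshd_config FILE PORT USER ADDR...
# Applies the four settings from step 3: non-standard port, no root login,
# keys only, and USER permitted only from the listed addresses.
harden_sshd_config() {
    cfg=$1; port=$2; user=$3; shift 3
    [ $# -gt 0 ] || { echo "harden_sshd_config: need at least one address" >&2; return 1; }
    allow=""
    for addr in "$@"; do
        allow="$allow $user@$addr"
    done
    set_sshd_option "$cfg" Port "$port" &&
    set_sshd_option "$cfg" PermitRootLogin no &&
    set_sshd_option "$cfg" PasswordAuthentication no &&
    set_sshd_option "$cfg" AllowUsers "${allow# }"
}

# demo_harden: builds a constructed sample (modelled on the 12.04 default
# layout, not a real /etc/ssh/sshd_config) in a temp file, hardens it and
# prints the file's path.
demo_harden() {
    s=$(mktemp) || return 1
    printf '%s\n' \
        '# Constructed sample, modelled on the Ubuntu 12.04 default layout' \
        '#Port 22' \
        'Port 22' \
        'PermitRootLogin yes' \
        '#PasswordAuthentication yes' \
        'UsePAM yes' > "$s"
    harden_sshd_config "$s" 2222 deploy 192.0.2.10 198.51.100.7 && echo "$s"
}

# apply_live: the real thing, run as root. Open the new port in ufw first,
# validate with sshd -t, restart, and keep your current session open until a
# fresh login on port 2222 succeeds; otherwise a typo locks you out.
apply_live() {
    ufw allow 2222/tcp
    harden_sshd_config /etc/ssh/sshd_config 2222 deploy 192.0.2.10 &&
    sshd -t && service ssh restart
}

# Stand-alone run: show the hardened sample (safe, needs no root).
demo=$(demo_harden) && cat "$demo"
```

Call apply_live only from a session you can afford to lose; the sample run is what the script does by default.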

4- Don’t allow system users access to the FTP server

/etc/ftpusers is a deny list; the FTP daemons Ubuntu packages (vsftpd, proftpd) honour it via PAM or their own configuration, so it only helps if the daemon you run actually reads it. If you do not need FTP, do not install an FTP server at all: SFTP over the SSH setup from step 3 covers file transfer. Otherwise open "/etc/ftpusers" and add the system users to be denied use of ftpd:
backup
bin
daemon
games
gnats
irc
libuuid
list
lp
mail
man
mysql
news
ntp
postfix
proxy
sshd
sync
sys
syslog
uucp
www-data
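Rather than copying a fixed list, the deny list can be generated from the accounts actually on the box, which also picks up service accounts created by packages installed later. This is an added example, not from the original post; the UID boundary of 1000 (Ubuntu’s UID_MIN in /etc/login.defs) and the passwd excerpt it runs on are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the original post): derive the ftpd deny list from
# the system accounts actually present instead of a fixed list. The UID
# boundary 1000 is Ubuntu's default UID_MIN for human users; adjust it if
# your site uses a different range.

# system_accounts PASSWD_FILE [UID_MIN]
# Prints every account whose UID is below UID_MIN (root and the system
# accounts), one per line, sorted and de-duplicated.
system_accounts() {
    pw=$1; min=${2:-1000}
    awk -F: -v min="$min" '$3 + 0 < min + 0 { print $1 }' "$pw" | sort -u
}

# write_ftpusers PASSWD_FILE OUT_FILE [UID_MIN]
# Merges the generated list with whatever OUT_FILE already holds (comments
# and blank lines dropped), so manual additions such as a service account
# with a high UID survive a re-run.
write_ftpusers() {
    pw=$1; out=$2; min=${3:-1000}
    t=$(mktemp) || return 1
    {
        [ -f "$out" ] && grep -Ev '^[[:space:]]*(#|$)' "$out" || :
        system_accounts "$pw" "$min"
    } | sort -u > "$t" && cat "$t" > "$out"
    rc=$?
    rm -f "$t"
    return $rc
}

# demo_ftpusers: runs write_ftpusers over a constructed passwd excerpt (not a
# real system's) against a pre-existing deny file with one manual entry, and
# prints the path of the resulting file.
demo_ftpusers() {
    pw=$(mktemp) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/bin/sh' \
        'www-data:x:33:33:www-data:/var/www:/bin/sh' \
        'mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false' \
        'sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin' \
        'deploy:x:1000:1000:deploy:/home/deploy:/bin/bash' \
        'alice:x:1001:1001:alice:/home/alice:/bin/bash' > "$pw"
    out=$(mktemp) || return 1
    printf '# site additions\nlegacyftp\n' > "$out"   # constructed manual entry
    write_ftpusers "$pw" "$out" && echo "$out"
}

# Stand-alone run on the constructed data; on a real box you would call
# write_ftpusers /etc/passwd /etc/ftpusers as root instead.
demo=$(demo_ftpusers) && cat "$demo"
```

Human accounts (deploy, alice) stay out of the list, root and every low-UID account go in, and the existing legacyftp entry is kept.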

5- Minimize packages to only those needed
6- Shut off unneeded services (DNS server, print server…). On 12.04 a service may be started by an Upstart job in /etc/init as well as by a SysV script in /etc/rc*.d, so check both, and confirm with netstat -tlnp that nothing you did not intend is still listening.
7- Harden the kernel: compile with grsecurity/PaX
Good tutorial at http://www.insanitybit.com/2012/05/31/compile-and-patch-your-own-secure-linux-kernel-with-pax-and-grsecurity/
Bear in mind that a self-built kernel is outside the Ubuntu package updates of steps 8 and 9, so you take on rebuilding it for every kernel security fix.
8- Upgrade the OS (do this before installing anything in the later steps)

apt-get update && apt-get -y -q upgrade
apt-get install language-pack-en-base -y -q

9- Turn on automatic security updates

apt-get install unattended-upgrades
vim /etc/apt/apt.conf.d/10periodic
Update the file to look like this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
vim /etc/apt/apt.conf.d/50unattended-upgrades
Update the file to look like below. Keep the -updates pocket disabled and stick with security updates only. The origin names must match your release: "lucid" is 10.04, so on 12.04 either write "precise" or use the ${distro_id}:${distro_codename} form that the 12.04 package ships, which follows the installed release automatically:
Unattended-Upgrade::Allowed-Origins {
 "${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
};
Check the result with a dry run (unattended-upgrades --dry-run --debug) and look in /var/log/unattended-upgrades/ after the first night to confirm it actually ran.

10- Sysctl Hardening
Check config example at http://joshrendek.com/2013/01/securing-ubuntu/#sysctl
11- Password protect the GRUB bootloader. Test it with a reboot while you still have console or out-of-band access: if the configuration requires the password to boot the default entry, an unattended server will stop at the GRUB menu after every reboot.
12- Secure shared memory (/dev/shm, which on 12.04 is a symlink to /run/shm)

Open "/etc/fstab" and add the following line:
tmpfs /run/shm tmpfs defaults,noexec,nosuid,nodev 0 0
Do not mount it read-only (ro): /dev/shm backs POSIX shared memory and semaphores, and a read-only mount breaks programs such as databases and browsers that create segments there. noexec/nosuid/nodev stop it being used to stage and run binaries without getting in the way of that. Apply with mount -o remount /run/shm and verify with mount | grep shm.

13- Install/Set-up fail2ban

apt-get install -q -y fail2ban

Check http://joshrendek.com/2013/01/securing-ubuntu/#fail2ban for config example. Put your overrides in /etc/fail2ban/jail.local rather than editing jail.conf, and if you moved SSH off port 22 in step 3 set port = 2222 (your port) in the [ssh] jail; otherwise the ban rules block the wrong port.

14- Install/Set up ufw firewall

apt-get install -y ufw
ufw default deny incoming
ufw allow from {your-ip} to any port 2222 proto tcp
ufw allow http
ufw enable
ufw status verbose

The allow line restricts SSH to your own address on the port chosen in step 3 (use 22 if you kept the default). Do not also add a plain "ufw allow ssh": that opens port 22 to everyone and makes the per-address rule pointless. Add the SSH rule before restarting sshd on a new port, or run this step from the console, so you cannot cut yourself off.

15- Install/Set up logwatch

apt-get -y install logwatch

16- Install/Set-up denyhosts (avoid SSH attacks)

apt-get install -q -y denyhosts

This overlaps with fail2ban’s ssh jail from step 13; one of the two is enough. DenyHosts blocks via /etc/hosts.deny (TCP wrappers), so it keeps working after the port change in step 3.

17- Install/Set-up tiger (system security scanner)

apt-get -y install tiger
tiger

18- Install/set-up psad (detect attempted intrusions)

apt-get -y install psad

psad works from the iptables LOG entries in the kernel log; with no logging rules it has nothing to analyse, so turn ufw logging on (ufw logging on) and check with psad --Status.

19- Install/Set-up aide (file monitoring)

apt-get install aide -y -q
sed -i 's_COPYNEWDB=no_COPYNEWDB=yes_' /etc/default/aide
sed -i 's_FILTERUPDATES=no_FILTERUPDATES=yes_' /etc/default/aide
sed -i 's_FILTERINSTALLATIONS=no_FILTERINSTALLATIONS=yes_' /etc/default/aide
aideinit

Run aideinit last, after everything else on this list is installed, so the baseline database describes the finished system; the daily cron job then mails a report of changes. Re-run it after every intended change such as a package upgrade, or the reports turn into noise nobody reads.

20- Install/Set-up antivirus (ClamAV – http://www.clamav.net/lang/en/)
21- Install/Set-up rootkit detection (chkrootkit)

apt-get install -q -y chkrootkit

To have the package’s daily cron job actually run it:

sed -i 's/RUN_DAILY="false"/RUN_DAILY="true"/' /etc/chkrootkit.conf

Sources:

http://www.itsecurity.com/features/ubuntu-secure-install-resource/
https://www.hedgehogsecurity.co.uk/index.php/blog/hardening-an-ubuntu-server
http://www.insanitybit.com/2012/12/17/hardening-ubuntu-linux/
http://joshrendek.com/2013/01/securing-ubuntu/
http://1stpcb.com/?p=67
http://cs.ncs.nova.edu/DeathStarMediaWiki/index.php/Ubuntu_Server_Security_Hardening
http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers
