@brainv
Forked from lokhman/ubuntu-hardening.md
Created March 12, 2021 10:53
List of things for hardening Ubuntu

System Updates

http://bookofzeus.com/harden-ubuntu/initial-setup/system-updates/

Keeping the system updated is vital before doing anything else on it: it stops attackers from using known, already-patched vulnerabilities to get in.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get autoremove
sudo apt-get autoclean

Enabling automatic updates can be crucial for your server's security; it is very important to stay up to date.

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

To install ONLY security updates, edit the configuration so that it looks like this (entries behind // are comments and therefore inactive):

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
: Unattended-Upgrade::Allowed-Origins {
:     "${distro_id}:${distro_codename}-security";
: //  "${distro_id}:${distro_codename}-updates";
: //  "${distro_id}:${distro_codename}-proposed";
: //  "${distro_id}:${distro_codename}-backports";
: };
: // Unattended-Upgrade::Mail "my_user@my_domain.com";
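As an added example (mine, not part of the gist or of Book of Zeus), the checker below parses a 50unattended-upgrades-style file and reports which Allowed-Origins entries are actually active, so you can confirm that the edit above left only the -security pocket uncommented. The function names and the two sample configurations are constructed for the example; on a real host feed it /etc/apt/apt.conf.d/50unattended-upgrades on stdin.

```shell
#!/bin/sh
# Added example, not from the gist: audit which Allowed-Origins are active in a
# 50unattended-upgrades-style apt.conf fragment. Entries behind "//" are comments.

# active_origins: read an apt.conf fragment on stdin, print one active origin per line.
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Allowed-Origins[ \t]*[{]/ { inblock = 1; next }
        inblock && /^[ \t]*}/ { inblock = 0; next }
        inblock {
            line = $0
            sub(/\/\/.*/, "", line)              # strip a // comment; commented entries vanish
            if (match(line, /"[^"]*"/))          # the quoted "origin:archive" pattern
                print substr(line, RSTART + 1, RLENGTH - 2)
        }
    '
}

# security_only: succeed (exit 0) only when every active origin is a -security pocket
# and at least one such origin exists (an empty block would mean no updates at all).
security_only() {
    count=0
    bad=0
    for origin in $(active_origins); do
        count=$((count + 1))
        case "$origin" in
            *-security) ;;
            *) bad=$((bad + 1)) ;;
        esac
    done
    [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample: the security-only configuration recommended above.
SAMPLE_SECURITY_ONLY='Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
// Unattended-Upgrade::Mail "my_user@my_domain.com";'

# Constructed sample: the stock layout, where the -updates pocket is also active.
SAMPLE_WITH_UPDATES='Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};'

# Demo when run directly: report the verdict for both constructed samples.
printf '%s\n' "$SAMPLE_SECURITY_ONLY" | security_only && echo "sample 1: security-only"
printf '%s\n' "$SAMPLE_WITH_UPDATES" | security_only || echo "sample 2: extra origins active"
```

On a live host run `security_only < /etc/apt/apt.conf.d/50unattended-upgrades`; a non-zero exit means a pocket other than -security is still enabled, or no origin is enabled at all.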

Disable Root Account

http://bookofzeus.com/harden-ubuntu/initial-setup/disable-root-account/

For security reasons, disable the root account. Removing the account is not a good idea; locking its password is enough, and it can be unlocked again if ever needed.

# To disable the root account, simply use the -l option:
sudo passwd -l root

# If for some valid reason you need to re-enable the account, simply use the -u option:
sudo passwd -u root

Add Swap

http://bookofzeus.com/harden-ubuntu/server-setup/add-swap/

Some pre-installed Ubuntu Server images are not configured with swap. Linux swap lets a system use more memory than is physically available.

# Let's check if a SWAP file exists and it's enabled before we create one.
sudo swapon -s

# To create the SWAP file, you will need to use this.
sudo fallocate -l 4G /swapfile	# same as "sudo dd if=/dev/zero of=/swapfile bs=1G count=4"

# Secure SWAP.
sudo chown root:root /swapfile
sudo chmod 0600 /swapfile

# Prepare the swap file by creating a Linux swap area.
sudo mkswap /swapfile

# Activate the swap file.
sudo swapon /swapfile

# Confirm that the swap partition exists.
sudo swapon -s

# This will last until the server reboots. Let's create the entry in the fstab.
sudo nano /etc/fstab
: /swapfile	none	swap	sw	0 0

# Set swappiness to 0 so the kernel only swaps when it has to: swap then acts as an
# emergency buffer against out-of-memory crashes instead of degrading performance.
echo 0 | sudo tee /proc/sys/vm/swappiness
echo "vm.swappiness = 0" | sudo tee -a /etc/sysctl.conf

sysctl.conf

http://bookofzeus.com/harden-ubuntu/hardening/sysctl-conf/

These settings:

  • Limit network-transmitted configuration for IPv4
  • Limit network-transmitted configuration for IPv6
  • Turn on execshield protection
  • Protect against the common SYN flood attack
  • Turn on source IP address verification
  • Prevent an attacker from spoofing the server's IP address
  • Log several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects

The /etc/sysctl.conf file configures kernel parameters at runtime: Linux reads and applies its settings at boot, and "sudo sysctl -p" applies them immediately.

sudo nano /etc/sysctl.conf

# IP spoofing protection (reverse-path filtering)
: net.ipv4.conf.default.rp_filter = 1
: net.ipv4.conf.all.rp_filter = 1
# Block SYN flood attacks with SYN cookies
: net.ipv4.tcp_syncookies = 1
# Controls IP packet forwarding (off: this is a host, not a router)
: net.ipv4.ip_forward = 0
# Ignore ICMP redirects
: net.ipv4.conf.all.accept_redirects = 0
: net.ipv6.conf.all.accept_redirects = 0
: net.ipv4.conf.default.accept_redirects = 0
: net.ipv6.conf.default.accept_redirects = 0
# Do not send ICMP redirects
: net.ipv4.conf.all.send_redirects = 0
: net.ipv4.conf.default.send_redirects = 0
# Disable source packet routing
: net.ipv4.conf.all.accept_source_route = 0
: net.ipv6.conf.all.accept_source_route = 0
: net.ipv4.conf.default.accept_source_route = 0
: net.ipv6.conf.default.accept_source_route = 0
# Log martians (packets with impossible source addresses)
: net.ipv4.conf.all.log_martians = 1
# Block SYN attacks: larger SYN backlog, fewer SYN-ACK retries
: net.ipv4.tcp_max_syn_backlog = 2048
: net.ipv4.tcp_synack_retries = 2
: net.ipv4.tcp_syn_retries = 5
# Ignore bogus ICMP error responses
: net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP broadcast requests (smurf amplification)
: net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore directed pings (note: this also breaks ping-based monitoring of the host)
: net.ipv4.icmp_echo_ignore_all = 1
# Exec-shield is a Red Hat kernel feature: Ubuntu kernels have no such sysctl, so
# "sysctl -p" prints an error for this key and continues ("sysctl -e -p" silences it).
: kernel.exec-shield = 1
# ASLR: 2 = full randomisation including the heap (the kernel default); 1 leaves the brk area unrandomised
: kernel.randomize_va_space = 2
# disable IPv6 if required [http://hardenubuntu.com/server-setup/disable-ipv6/]
: net.ipv6.conf.all.disable_ipv6 = 1
: net.ipv6.conf.default.disable_ipv6 = 1
: net.ipv6.conf.lo.disable_ipv6 = 1
# Do not accept ICMP redirects even from gateways already in the routing table; this is not a router
: net.ipv4.conf.all.secure_redirects = 0
: net.ipv4.conf.default.secure_redirects = 0

# [IPv6] Number of Router Solicitations to send before assuming no routers are present.
# This is a host, not a router
: net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in Router Advertisements?
: net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn prefix information from Router Advertisements?
: net.ipv6.conf.default.accept_ra_pinfo = 0
# Learn the default router from Router Advertisements?
: net.ipv6.conf.default.accept_ra_defrtr = 0
# Router advertisements can cause the system to assign a global unicast address to an interface
: net.ipv6.conf.default.autoconf = 0
# Duplicate address detection probes to send per address (0 disables DAD)
: net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
: net.ipv6.conf.default.max_addresses = 1

# Apply new settings
sudo sysctl -p
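As an added example (mine, not from the gist), the function below compares the key = value pairs you intend to enforce with what the kernel actually reports and prints one line per drift, including keys the kernel does not expose at all, which is exactly what happens with kernel.exec-shield on Ubuntu. The function name and both sample inputs are constructed for the example; the real-host usage is given after the code.

```shell
#!/bin/sh
# Added example, not from the gist: report drift between a desired sysctl list and
# the values the running kernel reports. Both inputs are "key = value" text, so the
# desired side can be /etc/sysctl.conf itself and the actual side "sysctl -a" output.

# sysctl_drift DESIRED ACTUAL: print "key desired actual" for every mismatch, with
# "MISSING" as the actual value when the kernel does not expose the key at all.
sysctl_drift() {
    {
        printf '%s\n' "$1" | awk '{ print "D " $0 }'
        printf '%s\n' "$2" | awk '{ print "A " $0 }'
    } | awk '
        {
            tag = substr($0, 1, 1)
            line = substr($0, 3)
            sub(/#.*/, "", line)                      # sysctl.conf comments
            n = index(line, "=")
            if (n == 0) next                          # blank or comment-only line
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "") next
            if (tag == "D") {
                if (!(key in want)) order[++count] = key  # keep file order for the report
                want[key] = val                           # a later duplicate wins, as in sysctl -p
            } else {
                have[key] = val
            }
        }
        END {
            for (i = 1; i <= count; i++) {
                key = order[i]
                if (!(key in have))              print key, want[key], "MISSING"
                else if (have[key] != want[key]) print key, want[key], have[key]
            }
        }
    '
}

# Constructed desired list: a subset of the sysctl.conf entries given above.
DESIRED='# IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 2'

# Constructed "sysctl -a" excerpt from a host that has not applied the file yet:
# loose rp_filter, forwarding enabled, and no exec-shield key (it is not an Ubuntu sysctl).
ACTUAL='net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.log_martians = 0'

# Demo when run directly: three drift lines for the constructed samples.
sysctl_drift "$DESIRED" "$ACTUAL"
```

On a live host run `sysctl_drift "$(cat /etc/sysctl.conf)" "$(sudo sysctl -a 2>/dev/null)"`; root is needed because some keys are unreadable otherwise and would be reported as MISSING. The check reads the effective kernel values rather than the file, so it also catches settings that another tool or a later sysctl.d fragment has overridden since the file was applied.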

Disable IRQ Balance

http://hardenubuntu.com/server-setup/disable-irqbalance/

sudo nano /etc/default/irqbalance
: ENABLED="0"

OpenSSL heartbleed bug

http://hardenubuntu.com/server-setup/fix-openssl-heartbleed/

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed.
# Ubuntu backports security fixes without changing the upstream version string, so a
# patched system can still report 1.0.1f: check "apt-cache policy openssl" and the package
# changelog for the corresponding USN before building from source.
openssl version -v
sudo apt-get update
sudo apt-get upgrade openssl libssl-dev
apt-cache policy openssl libssl-dev
# If the distribution packages are still vulnerable, build a fixed release from source:
sudo apt-get install make
curl https://www.openssl.org/source/openssl-1.0.2f.tar.gz | tar xz && cd openssl-1.0.2f && sudo ./config && sudo make && sudo make install
sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`
openssl version

Secure /tmp and /var/tmp

http://hardenubuntu.com/server-setup/secure-tmp-var-tmp/

# Create a 1 GB file-backed filesystem and mount it on /tmp with no exec or setuid rights.
sudo fallocate -l 1G /tmpdisk
sudo mkfs.ext4 /tmpdisk
sudo chmod 0600 /tmpdisk
sudo mount -o loop,noexec,nosuid,rw /tmpdisk /tmp
# /tmp must stay world-writable with the sticky bit set.
sudo chmod 1777 /tmp
sudo nano /etc/fstab
: /tmpdisk	/tmp	ext4	loop,nosuid,noexec,rw	0 0
sudo mount -o remount /tmp
# Note: some package maintainer scripts execute from /tmp; if an apt upgrade fails with
# "Permission denied", remount /tmp with exec for the duration of the upgrade.
# Make /var/tmp share the same protected filesystem.
sudo mv /var/tmp /var/tmpold
sudo ln -s /tmp /var/tmp
sudo cp -prf /var/tmpold/* /tmp/
sudo rm -rf /var/tmpold/

Secure Shared Memory

http://hardenubuntu.com/server-setup/secure-shared-memory/

sudo nano /etc/fstab
: tmpfs	/run/shm	tmpfs	ro,noexec,nosuid	0 0
# On systemd-based releases /dev/shm is the real tmpfs and /run/shm is a symlink to it,
# so use /dev/shm as the mount point there. "ro" stops any program that needs writable
# POSIX shared memory; drop it (keeping noexec,nosuid) if such software runs on the host.
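As an added example (mine, not the gist's), the function below reads /proc/mounts-format lines and lists which of the expected options (noexec, nosuid, ro) are missing for a mount point, or reports that the path is not a mount at all. It checks both the /tmp loop mount from the previous section and the shared-memory entry above; the function names and the mount table are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the gist: verify that a mount point actually carries the
# hardening options set in fstab, using /proc/mounts lines
# ("device mountpoint fstype options dump pass").

# missing_mount_opts MOUNTS MOUNTPOINT OPT1,OPT2,...: print each expected option that is
# absent from the mount point's current options, or NOT_MOUNTED if the path is not a mount.
# The last matching line wins, which is the mount currently visible at that path.
missing_mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" -v want="$3" '
        $2 == mp { opts = $4; found = 1 }
        END {
            if (!found) { print "NOT_MOUNTED"; exit }
            m = split(opts, have, ",")
            for (j = 1; j <= m; j++) present[have[j]] = 1
            n = split(want, need, ",")
            for (i = 1; i <= n; i++) if (!(need[i] in present)) print need[i]
        }
    '
}

# audit_hardened_mounts MOUNTS: apply the expectations from the two fstab entries above
# (/tmp: nosuid,noexec; shared memory: ro,noexec,nosuid) and print one line per finding.
audit_hardened_mounts() {
    for spec in "/tmp:nosuid,noexec" "/run/shm:ro,noexec,nosuid"; do
        mp=${spec%%:*}
        opts=${spec#*:}
        result=$(missing_mount_opts "$1" "$mp" "$opts")
        for item in $result; do
            if [ "$item" = NOT_MOUNTED ]; then
                echo "$mp not mounted"
            else
                echo "$mp missing $item"
            fi
        done
    done
}

# Constructed mount table: /tmp mounted from the loop file correctly, but the shared
# memory tmpfs still mounted read-write and without noexec.
MOUNTS='/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext4 rw,nosuid,noexec,relatime 0 0
tmpfs /run/shm tmpfs rw,nosuid,nodev 0 0'

# Demo when run directly: two findings for /run/shm, none for /tmp.
audit_hardened_mounts "$MOUNTS"
```

On a live host run `audit_hardened_mounts "$(cat /proc/mounts)"`; because it reads the kernel's mount table rather than fstab, it also catches an entry that was written to fstab but never remounted.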

Set your hostname and host file

http://hardenubuntu.com/server-setup/set-hostname-and-host/

sudo nano /etc/hostname
: <ip/hostname>
sudo nano /etc/hosts
: 127.0.0.1	localhost localhost.localdomain <ip/hostname>

Set the timezone

http://hardenubuntu.com/server-setup/set-timezone/

sudo dpkg-reconfigure tzdata

IP Spoofing

http://hardenubuntu.com/hardening/ip-spoofing/

IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.

sudo nano /etc/host.conf
: order bind,hosts
: nospoof on

php.ini

http://hardenubuntu.com/hardening/php/php-ini/

sudo nano /etc/php/<version>/fpm/php.ini	# e.g. /etc/php/7.4/fpm/php.ini; the cli and apache2 SAPIs have their own php.ini
: expose_php = Off
# track_errors was deprecated in PHP 7.2 and removed in PHP 8.0
: track_errors = Off
: display_errors = Off
: disable_functions = ... system,exec,shell_exec,php_uname,getmyuid,getmypid,leak,listen,diskfreespace,link,ignore_user_abort,dl,set_time_limit,highlight_file,source,show_source,passthru,fpaththru,virtual,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo
# exceptions: getmypid
: allow_url_fopen = Off
: allow_url_include = Off
# sql.safe_mode was removed in PHP 7.2 and is ignored there
: sql.safe_mode = On
: session.cookie_httponly = 1

sshd_config

http://hardenubuntu.com/hardening/ssh/sshd-config/

sudo nano /etc/ssh/sshd_config
: Port <port>
# Protocol, RSAAuthentication and RhostsRSAAuthentication are protocol-1 options; OpenSSH 7.4
# dropped protocol 1 and now ignores them with a "Deprecated option" warning. RhostsAuthentication
# has been obsolete for much longer and is ignored the same way. They are harmless but do nothing.
: Protocol 2
: LogLevel VERBOSE
: PermitRootLogin no
: StrictModes yes
: RSAAuthentication yes
: IgnoreRhosts yes
: RhostsAuthentication no
: RhostsRSAAuthentication no
: PermitEmptyPasswords no
# Key-based logins only: confirm your key works in a second session before restarting sshd.
: PasswordAuthentication no
# Idle sessions are dropped after 300 s on older releases. On OpenSSH 8.2 and later a
# ClientAliveCountMax of 0 disables the check instead, so use a value of 1 or more there.
: ClientAliveInterval 300
: ClientAliveCountMax 0
: AllowTcpForwarding no
: X11Forwarding no
: UseDNS no
sudo nano /etc/pam.d/sshd	# comment out the two pam_motd lines as shown
: #session	optional	pam_motd.so motd=/run/motd.dynamic noupdate
: #session	optional	pam_motd.so # [1]
sudo sshd -t	# validate the configuration before restarting, so a typo cannot lock you out
sudo service ssh restart
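As an added example (mine, not the gist's), the linter below reads an sshd_config and reports the directives above that current OpenSSH no longer honours, checks the hardening values, and stops at the first Match line because everything after it is conditional. It complements rather than replaces `sshd -t`, which remains the authoritative syntax check. The function name, the deprecated-keyword list (Protocol, RSAAuthentication, RhostsRSAAuthentication, RhostsAuthentication, all ignored since OpenSSH 7.4 removed protocol 1) and the two sample configs are my assumptions and constructions for the example.

```shell
#!/bin/sh
# Added example, not from the gist: lint an sshd_config for the hardening directives above.

# sshd_config_lint: read sshd_config on stdin and print one finding per line:
#   DEPRECATED <Keyword>             ignored with a warning by current OpenSSH
#   MISMATCH <Keyword> <want> <got>  first occurrence has a different value
#   MISSING <Keyword> <want>         directive absent before any Match block
#   WARN ClientAliveCountMax 0       on OpenSSH 8.2+ this disables idle disconnects
sshd_config_lint() {
    awk '
        BEGIN {
            n = split("PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no X11Forwarding=no AllowTcpForwarding=no LogLevel=VERBOSE", pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                canon[i] = kv[1]                  # display name
                want[tolower(kv[1])] = kv[2]      # sshd keywords are case-insensitive
            }
            dep["protocol"] = dep["rsaauthentication"] = dep["rhostsrsaauthentication"] = dep["rhostsauthentication"] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            if (index($1, "=")) { sub(/[ \t]*=[ \t]*/, " "); $0 = $0 }   # "Keyword=value" form
            key = tolower($1)
            if (key == "match") exit              # later lines only apply to matching clients
            if (key in dep) print "DEPRECATED", $1
            if (!(key in seen)) seen[key] = $2    # sshd keeps the first occurrence of a keyword
        }
        END {
            for (i = 1; i <= n; i++) {
                key = tolower(canon[i])
                if (!(key in seen)) print "MISSING", canon[i], want[key]
                else if (tolower(seen[key]) != tolower(want[key])) print "MISMATCH", canon[i], want[key], seen[key]
            }
            if (seen["clientalivecountmax"] == "0") print "WARN ClientAliveCountMax 0"
        }
    '
}

# Constructed sample: the directives recommended above, with a concrete port.
GIST_SSHD_CONFIG='Port 2222
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 0
AllowTcpForwarding no
X11Forwarding no
UseDNS no'

# Constructed sample: a weaker config where root login is allowed and the password
# directive sits under a Match block, so it does not apply globally.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 0
Match User backup
    PasswordAuthentication no'

# Demo when run directly: findings for both constructed samples.
echo "== recommended config"; printf '%s\n' "$GIST_SSHD_CONFIG" | sshd_config_lint
echo "== weak config";        printf '%s\n' "$WEAK_SSHD_CONFIG" | sshd_config_lint
```

On a live host run `sudo sshd_config_lint < /etc/ssh/sshd_config` (the file is root-readable only) and, if you use Include or Match blocks, also `sudo sshd -T` to see the effective values sshd would apply.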

Antivirus (clamav)

sudo apt-get install clamav
sudo freshclam
sudo apt-get install clamav-daemon
sudo crontab -e
# Daily at midnight: scan recursively and append only the hits (lines containing FOUND) to the report.
: 00 00 * * * clamscan -r /location_of_files_or_folder | grep FOUND >> /path/to/save/report/myfile.txt