@cybergitt
Last active March 12, 2025 13:52
Ubuntu-Server-Hardening

Keep System up to Date

An extremely crucial part of hardening any system is to ensure that it is always kept up to date. Doing this will keep any known bugs or vulnerabilities patched. The following commands are ways to update an Ubuntu system:

apt-get update && apt-get upgrade

Secure Shared Memory

What is shared memory?

Shared memory is an efficient means of passing data between programs. Because two or more processes can use the same memory space, and because shared memory is mounted read/write by default, the /run/shm space can be easily exploited. That translates to a weakened state of security.

If you’re unaware, shared memory can be used in an attack against a running service. Because of this, you’ll want to secure that portion of system memory.

You can do this by modifying the /etc/fstab file.

sudo vim /etc/fstab 

Next, add the following line to the bottom of that file:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Save and close the file. In order for the changes to take effect, you must reboot the server with the command:

sudo reboot
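An added check, not part of the original gist: it reads the fstab entry above and reports which of the hardening options (noexec, nosuid) are missing from a mount's option string. On current Ubuntu releases /run/shm is a symlink to /dev/shm, so the live mount to inspect after the reboot is /dev/shm; the sample fstab below is constructed, and live_check assumes findmnt from util-linux is available.

```shell
#!/bin/sh
# Added example (not from the gist): verify shared-memory mount hardening.

# missing_shm_opts OPTIONS -> prints the required options absent from a
# comma-separated mount option string; empty output means hardened.
missing_shm_opts() {
    opts=",$1,"
    missing=""
    for want in noexec nosuid; do
        case "$opts" in
            *",$want,"*) ;;                                  # option present
            *) missing="${missing:+$missing }$want" ;;       # option absent
        esac
    done
    printf '%s\n' "$missing"
}

# fstab_shm_opts FSTAB_TEXT -> option field of the tmpfs entry for /run/shm
# or /dev/shm in the given fstab contents (empty if there is no entry).
fstab_shm_opts() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && $3 == "tmpfs" && ($2 == "/run/shm" || $2 == "/dev/shm") { opts = $4 }
        END { print opts }'
}

# Constructed sample fstab: the gist's line plus an unrelated root entry.
SAMPLE_FSTAB='# /etc/fstab (constructed sample)
UUID=0000-EXAMPLE /  ext4  errors=remount-ro 0 1
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0'

# live_check -> compares the options of the mounted /dev/shm (real host only).
live_check() {
    live="$(findmnt -no OPTIONS /dev/shm 2>/dev/null || true)"
    [ -n "$live" ] || { echo "no /dev/shm mount found"; return 1; }
    m="$(missing_shm_opts "$live")"
    [ -z "$m" ] && echo "/dev/shm OK: $live" || echo "/dev/shm missing: $m"
}

# Demonstration on the constructed sample and on a typical stock option string.
echo "fstab entry options: $(fstab_shm_opts "$SAMPLE_FSTAB")"
echo "missing from fstab entry: [$(missing_shm_opts "$(fstab_shm_opts "$SAMPLE_FSTAB")")]"
echo "missing from 'rw,nosuid,nodev': [$(missing_shm_opts rw,nosuid,nodev)]"
```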

Avoid Using FTP, Telnet, And Rlogin / Rsh Services on Linux

Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP.

Type the following command to remove NIS, rsh and other outdated services:

sudo apt --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server

Ensure Only Root Has UID of 0

Only the root account should have UID 0, which carries full permissions to access the system. Type the following command to display all accounts with UID set to 0:

awk -F: '($3 == "0") {print}' /etc/passwd

You should only see one line as follows:

root:x:0:0:root:/root:/bin/bash

Check for Accounts With Empty Passwords

Accounts that have no password essentially have no security. The command below will print all accounts that have an empty password:

sudo awk -F: '($2 == "") {print $1}' /etc/shadow

Lock Accounts

In addition, you can use the command below to lock an account (i.e., it prepends a ! to the user's password hash):

sudo passwd -l accountName
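An added audit script, not part of the original gist, that combines the three checks above (extra UID 0 accounts, empty password fields, and accounts already locked with the ! prefix that passwd -l writes) into one report. The passwd and shadow contents below are constructed samples with placeholder hashes; audit_live runs the same report against the real files and needs root to read /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the gist): audit /etc/passwd and /etc/shadow.

# uid0_accounts PASSWD_TEXT -> account names with UID 0, one per line
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == "0" { print $1 }'
}

# empty_password_accounts SHADOW_TEXT -> names whose password field is empty
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# locked_accounts SHADOW_TEXT -> names whose hash starts with "!" (passwd -l)
locked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^!/ { print $1 }'
}

# Constructed samples: 'rogue' shares UID 0 with root, 'guest' has no
# password at all, 'olduser' was locked with passwd -l. Hashes are placeholders.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
rogue:x:0:0::/home/rogue:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
olduser:x:1002:1002::/home/olduser:/bin/bash'
SAMPLE_SHADOW='root:$6$PLACEHOLDERHASH:19000:0:99999:7:::
rogue:$6$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$PLACEHOLDERHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
olduser:!$6$PLACEHOLDERHASH:19000:0:99999:7:::'

# report PASSWD_TEXT SHADOW_TEXT -> one finding per line; empty output = clean
report() {
    uid0_accounts "$1" | awk '$1 != "root" { print "UID0 " $1 }'
    empty_password_accounts "$2" | sed 's/^/EMPTYPW /'
    locked_accounts "$2" | sed 's/^/LOCKED /'
}

# audit_live -> the same report on the real files (run as root)
audit_live() { report "$(cat /etc/passwd)" "$(cat /etc/shadow)"; }

report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```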

Adding New User Accounts

It’s a best practice to keep use of the root account to a minimum. To do this, add a new account to use for everyday work instead, with the command below:

sudo adduser accountName

This will automatically create a user with the default configuration defined in ‘/etc/skel’.

Disable root login

Never log in as the root user. Use sudo to execute root-level commands as and when required. sudo greatly enhances the security of the system because the root password need not be shared with other users and admins, and sudo provides simple auditing and tracking features too. To disable root SSH access, edit /etc/ssh/sshd_config:

sudo vim /etc/ssh/sshd_config

and set:

PermitRootLogin no

Enable SSH Login for Specific Users Only

Secure Shell (SSH) is the tool you’ll use to log into your remote Linux servers. Although SSH is fairly secure by default, you can make it even more so by enabling SSH login only for specific users. Let's say you want to only allow SSH entry for the user abc, from IP address 192.168.1.12. Here's how you would do this.

  • Open a terminal window.
  • Open the ssh config file for editing with the command sudo vim /etc/ssh/sshd_config.
  • At the bottom of the file, add the line AllowUsers abc@192.168.1.12.
  • Save and close the file.
  • Restart sshd with the command sudo systemctl restart sshd.

Secure Shell will now only allow entry by user abc, from IP address 192.168.1.12. If a user other than abc attempts to SSH into the server, they will be prompted for a password, but the password will not be accepted (regardless of whether it's correct), and access will be denied.

Change Default Port From 22

This line specifies which port the SSH service listens on. It’s recommended to change this to a non-default high port number. Remember to adjust your iptables rules accordingly!

Port 22222

Disable Empty Passwords

This line ensures that no user can log in with an empty password. This adds a nice layer of security if there is a user without a password set:

PermitEmptyPasswords no
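An added checker, not part of the original gist, for the four sshd_config settings in this section. It reads a config the way sshd does: the first occurrence of a keyword wins, keywords are case-insensitive, and anything after a Match line is conditional, so a setting appended at the bottom of the file loses to an earlier uncommented line. Both config texts are constructed samples; on a real host, validate with sudo sshd -t before restarting and confirm the effective values with sudo sshd -T (note that Ubuntu 22.04 and later include /etc/ssh/sshd_config.d/*.conf at the top of the file, so a drop-in there takes precedence).

```shell
#!/bin/sh
# Added example (not from the gist): audit sshd_config settings.

# sshd_value KEYWORD CONFIG_TEXT -> first effective value of KEYWORD in the
# global section; prints nothing if unset (compiled-in default applies).
sshd_value() {
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { sub(/^[^ \t=]+[ \t=]+/, "", line); print line; exit }'
}

# sshd_findings CONFIG_TEXT -> one line per weak setting; empty output = OK
sshd_findings() {
    cfg="$1"
    [ "$(sshd_value PermitRootLogin "$cfg")" = "no" ] || echo "PermitRootLogin is not 'no'"
    [ "$(sshd_value PermitEmptyPasswords "$cfg")" = "no" ] || echo "PermitEmptyPasswords is not explicitly 'no'"
    port="$(sshd_value Port "$cfg")"
    [ -n "$port" ] && [ "$port" != "22" ] || echo "Port is still 22 (default)"
    [ -n "$(sshd_value AllowUsers "$cfg")" ] || echo "AllowUsers is not set"
}

# Constructed sample: a stock-looking config where everything is commented out.
STOCK_CONFIG='Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
#PermitEmptyPasswords no
Match Address 10.0.0.0/8
    PasswordAuthentication yes'

# Constructed sample: the settings this section recommends.
HARDENED_CONFIG='Port 22222
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers abc@192.168.1.12'

echo "stock config findings:"; sshd_findings "$STOCK_CONFIG"
echo "hardened config findings:"; sshd_findings "$HARDENED_CONFIG"
```

On a real host, run sshd_findings "$(sudo cat /etc/ssh/sshd_config)" and compare with sudo sshd -T, which also resolves any included drop-in files.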

Install fail2ban

The fail2ban system is an intrusion prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban will block access from that IP address.

To install fail2ban, open a terminal window and issue the command:

sudo apt install fail2ban

Within the directory /etc/fail2ban, you'll find the main configuration file, jail.conf. Also in that directory is the subdirectory, jail.d. The jail.conf file is the main configuration file and jail.d contains the secondary configuration files. Do not edit the jail.conf file. Instead, we’ll create a new configuration that will monitor SSH logins with the command:

sudo vim /etc/fail2ban/jail.d/jail.local

In this new file add the following contents:

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode   = ddos
port    = ssh
logpath = %(sshd_log)s
backend = systemd
#backend = %(sshd_backend)s

Save and close that file. Restart fail2ban with the command:

sudo systemctl restart fail2ban
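An added illustration, not part of the original gist or of fail2ban itself, of the rule the sshd jail applies: count failed logins per source address and ban a source once it reaches maxretry failures within findtime (jail.conf ships with maxretry = 5 and findtime = 10m by default). The auth log lines are constructed; the example matches only the normal-mode "Failed password" message, while the ddos mode set above matches a broader set of messages. On the real server, sudo fail2ban-client status sshd shows the jail's live counters and banned addresses.

```shell
#!/bin/sh
# Added example (not from the gist): fail2ban-style counting of sshd failures.

# Constructed sample log in the format sshd writes to auth.log/journald.
SAMPLE_AUTH_LOG='Mar 12 13:40:01 srv sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 13:40:03 srv sshd[2001]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 12 13:40:05 srv sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar 12 13:40:06 srv sshd[2004]: Failed password for abc from 198.51.100.7 port 40000 ssh2
Mar 12 13:40:07 srv sshd[2005]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar 12 13:40:09 srv sshd[2006]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Mar 12 13:40:11 srv sshd[2007]: Accepted publickey for abc from 192.168.1.12 port 50000 ssh2: ED25519 SHA256:PLACEHOLDER
Mar 12 13:52:30 srv sshd[2010]: Failed password for abc from 198.51.100.7 port 40002 ssh2'

# failure_counts LOGTEXT -> "ip count" per source address, sorted
failure_counts() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++ }
        END { for (ip in c) print ip, c[ip] }' | sort
}

# ban_events LOGTEXT MAXRETRY FINDTIME_SECONDS -> one "BAN ip at time" line per
# source that reached MAXRETRY failures within a FINDTIME-second window
# (timestamps are same-day HH:MM:SS, as in the sample).
ban_events() {
    printf '%s\n' "$1" | awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++; ts[ip, n[ip]] = now
            c = 0; for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) c++
            if (c >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print "BAN " ip " at " $3 " (" c " failures within " findtime "s)"
            }
        }'
}

echo "failures per source:"; failure_counts "$SAMPLE_AUTH_LOG"
echo "bans with maxretry=5 findtime=600:"; ban_events "$SAMPLE_AUTH_LOG" 5 600
```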

Setup Firewall

Turn on your firewall if it isn't already enabled. You can follow This Tutorial

Uninstall both chkrootkit and rkhunter, etc

Read the following: An extremely short summary of the best security practice in Linux Mint is this:

  • Use good passwords.
  • Install updates as soon as they become available.
  • Only install software from the official software sources of Linux Mint and Ubuntu.
  • Don't install antivirus (yes, really!).
  • Don't install Windows emulators like Wine.
  • Enable the firewall.

  • Above all: use your common sense.

Physical server security

You must protect physical console access to Linux servers. Configure the BIOS to disable booting from external devices such as DVDs / CDs / USB pen drives. Set BIOS and GRUB boot loader passwords to protect these settings. All production boxes must be locked in IDCs (Internet Data Centers), and all persons must pass some sort of security check before accessing your server.

Additional Tips and Tricks

In addition to the server hardening tips above, below are some useful things to remember when hardening an Ubuntu server:

Display All Current Connections, Listening Services, and Processes

The below command can be an Ubuntu sysadmin's best friend. It will list all current connections and listening services on a system along with the processes and PIDs for each connection:

netstat -tulpn

Display Services and Status

The command below will list all services on the system and their status:

service --status-all

Use grep to specify the running services only:

service --status-all | grep "\[ + \]"
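An added filter, not part of the original gist, for the listening-services check above: it picks out the sockets bound to all interfaces (0.0.0.0, * or [::]), which are the ones reachable from the network, and names the owning process. The sample output is constructed in the format of ss -tulpn from iproute2, which on recent Ubuntu releases replaces netstat (netstat lives in the net-tools package and is no longer installed by default); both tools need root to show other users' process names.

```shell
#!/bin/sh
# Added example (not from the gist): flag listeners exposed on all interfaces.

# exposed_listeners: reads ss -tulpn output on stdin and prints
# "proto addr:port process" for every socket bound to a wildcard address.
exposed_listeners() {
    awk 'NR == 1 && $1 == "Netid" { next }
        {
            la = $5; i = match(la, /:[^:]*$/)          # split at the last colon
            addr = substr(la, 1, i - 1); port = substr(la, i + 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
                proc = "-"
                # process name sits inside users:(("name",pid=...,fd=...))
                if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
                print $1, addr ":" port, proc
            }
        }'
}

# Constructed sample of ss -tulpn output: resolver and MySQL are loopback-only,
# sshd (on the gist's port 22222) and nginx listen on every interface.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22222      0.0.0.0:*         users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=900,fd=21))
tcp   LISTEN 0      511    *:80               *:*               users:(("nginx",pid=1000,fd=6))
tcp   LISTEN 0      128    [::]:22222         [::]:*            users:(("sshd",pid=800,fd=4))'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On a real host: sudo ss -tulpn | exposed_listeners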
@cybergitt (Author)

Antivirus is useless
A virus or rootkit can't install itself in Linux unless you let it. In order to install itself on your computer, a virus or rootkit needs your password. And that it doesn't have.

Or in case it's malware (a script) that can execute itself in your home directory without a password: you'll have to make it executable first. Any script that you download is not executable: you have to set the executable bit of the script yourself, by hand.

THEN:

The permission-based structure in Linux prevents regular users from performing administrative actions because each app needs authorization by the superuser (root) before it’s executed. This barrier makes it difficult for any virus to sneak into the system and make disasters.

Without being root, you won’t be able to run/install new programs on Linux. Only the superuser has the privilege to access all files in the system.

Linux does not process executables without explicit permission as this is not a separate and independent process. So you’ll have to chmod +x a file before running it.

On Linux, it is harder for the virus to get system-level access. This is because the root account owns system-related files. Therefore, if infected, viruses can be easily removed as they can only affect the user account where they were installed and do not affect the root account.

In other words, the Linux architecture makes it almost impossible for a virus to do anything. This is one of the main reasons we still don’t need antivirus software on Linux.

Also...a GOOD read
