Skip to content

Instantly share code, notes, and snippets.

@lokhman
Last active October 28, 2024 23:57
Show Gist options
  • Save lokhman/cc716d2e2d373dd696b2d9264c0287a3 to your computer and use it in GitHub Desktop.
Save lokhman/cc716d2e2d373dd696b2d9264c0287a3 to your computer and use it in GitHub Desktop.
List of things for hardening Ubuntu

WARNING

May contain out of date information. Check the comments below!

The list of actions listed below was taken mostly from Book Of Zeus with minor modifications and did the job well for Ubuntu version, which was available at that moment (May 2016). This gist was created for internal use and was never meant to be discovered by the web, although Google managed to find and index this page, which was a great surprise for me. Please check the original source for the updated information (links are provided in most of the sections), and read the comments below: they provide more details about the usage experience.

System Updates

http://bookofzeus.com/harden-ubuntu/initial-setup/system-updates/

Keeping the system updated is vital before starting anything on your system. This will prevent people to use known vulnerabilities to enter in your system.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get autoremove
sudo apt-get autoclean

Enable automatic updates can be crucial for your server security. It is very important to stay up to date.

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

To enable ONLY security updates, please change the code to look like this:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
: Unattended-Upgrade::Allowed-Origins {
:     "${distro_id}:${distro_codename}-security";
: //  "${distro_id}:${distro_codename}-updates";
: //  "${distro_id}:${distro_codename}-proposed";
: //  "${distro_id}:${distro_codename}-backports";
: };
: // Unattended-Upgrade::Mail "my_user@my_domain.com";

Disable Root Account

http://bookofzeus.com/harden-ubuntu/initial-setup/disable-root-account/

For security reasons, it is safe to disable the root account. Removing the account might not be a good idea at first, instead we simply need to disable it.

# To disable the root account, simply use the -l option.
sudo passwd -l root

# If for some valid reason you need to re-enable the account, simply use the -u option.
sudo passwd -u root

Add Swap

http://bookofzeus.com/harden-ubuntu/server-setup/add-swap/

Some pre-installed Ubuntu Server are not configured with SWAP. Linux swaps allow a system to harness more memory than was originally physically available

# Let's check if a SWAP file exists and it's enabled before we create one.
sudo swapon -s

# To create the SWAP file, you will need to use this.
sudo fallocate -l 4G /swapfile	# same as "sudo dd if=/dev/zero of=/swapfile bs=1G count=4"

# Secure swap.
sudo chown root:root /swapfile
sudo chmod 0600 /swapfile

# Prepare the swap file by creating a Linux swap area.
sudo mkswap /swapfile

# Activate the swap file.
sudo swapon /swapfile

# Confirm that the swap partition exists.
sudo swapon -s

# This will last until the server reboots. Let's create the entry in the fstab.
sudo nano /etc/fstab
: /swapfile	none	swap	sw	0 0

# Swappiness in the file should be set to 0. Skipping this step may cause both poor performance,
# whereas setting it to 0 will cause swap to act as an emergency buffer, preventing out-of-memory crashes.
echo 0 | sudo tee /proc/sys/vm/swappiness
echo vm.swappiness = 0 | sudo tee -a /etc/sysctl.conf

sysctl.conf

http://bookofzeus.com/harden-ubuntu/hardening/sysctl-conf/

These settings can:

  • Limit network-transmitted configuration for IPv4
  • Limit network-transmitted configuration for IPv6
  • Turn on execshield protection
  • Prevent against the common 'syn flood attack'
  • Turn on source IP address verification
  • Prevents a cracker from using a spoofing attack against the IP address of the server.
  • Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.

"/etc/sysctl.conf" file is used to configure kernel parameters at runtime. Linux reads and applies settings from this file.

sudo nano /etc/sysctl.conf

# IP Spoofing protection
: net.ipv4.conf.default.rp_filter = 1
: net.ipv4.conf.all.rp_filter = 1
# Block SYN attacks
: net.ipv4.tcp_syncookies = 1
# Controls IP packet forwarding
: net.ipv4.ip_forward = 0
# Ignore ICMP redirects
: net.ipv4.conf.all.accept_redirects = 0
: net.ipv6.conf.all.accept_redirects = 0
: net.ipv4.conf.default.accept_redirects = 0
: net.ipv6.conf.default.accept_redirects = 0
# Ignore send redirects
: net.ipv4.conf.all.send_redirects = 0
: net.ipv4.conf.default.send_redirects = 0
# Disable source packet routing
: net.ipv4.conf.all.accept_source_route = 0
: net.ipv6.conf.all.accept_source_route = 0
: net.ipv4.conf.default.accept_source_route = 0
: net.ipv6.conf.default.accept_source_route = 0
# Log Martians
: net.ipv4.conf.all.log_martians = 1
# Block SYN attacks
: net.ipv4.tcp_max_syn_backlog = 2048
: net.ipv4.tcp_synack_retries = 2
: net.ipv4.tcp_syn_retries = 5
# Log Martians
: net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP broadcast requests
: net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore Directed pings
: net.ipv4.icmp_echo_ignore_all = 1
: kernel.exec-shield = 1
: kernel.randomize_va_space = 1
# disable IPv6 if required (IPv6 might caus issues with the Internet connection being slow)
: net.ipv6.conf.all.disable_ipv6 = 1
: net.ipv6.conf.default.disable_ipv6 = 1
: net.ipv6.conf.lo.disable_ipv6 = 1
# Accept Redirects? No, this is not router
: net.ipv4.conf.all.secure_redirects = 0
# Log packets with impossible addresses to kernel log? yes
: net.ipv4.conf.default.secure_redirects = 0

# [IPv6] Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router.
: net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
: net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn prefix information in router advertisement.
: net.ipv6.conf.default.accept_ra_pinfo = 0
# Setting controls whether the system will accept Hop Limit settings from a router advertisement.
: net.ipv6.conf.default.accept_ra_defrtr = 0
# Router advertisements can cause the system to assign a global unicast address to an interface.
: net.ipv6.conf.default.autoconf = 0
# How many neighbor solicitations to send out per address?
: net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
: net.ipv6.conf.default.max_addresses = 1

# In rare occasions, it may be beneficial to reboot your server reboot if it runs out of memory.
# This simple solution can avoid you hours of down time. The vm.panic_on_oom=1 line enables panic
# on OOM; the kernel.panic=10 line tells the kernel to reboot ten seconds after panicking.
: vm.panic_on_oom = 1
: kernel.panic = 10

# Apply new settings
sudo sysctl -p

Disable IRQ Balance

http://bookofzeus.com/harden-ubuntu/server-setup/disable-irqbalance/

You should turn off IRQ Balance to make sure you do not get hardware interrupts in your threads. Turning off IRQ Balance, will optimize the balance between power savings and performance through distribution of hardware interrupts across multiple processors.

sudo nano /etc/default/irqbalance
: ENABLED="0"

OpenSSL Heartbleed Bug

http://bookofzeus.com/harden-ubuntu/server-setup/fix-openssl-heartbleed/

The OpenSSL heartbleed bug (CVE-2014-0160) bug allows a hacker to leak the memory in up to 64k chunks. Repetitively trying, he can get crutial informations about your system.

The worst a hacker can retrieve are the private keys. Which means now he has the keys to decrypt the encrypted any data. The other information a hacker can get are users' cookies information or even users' username and passwords.

It is crutial to fix this issue to version greater or equal to 1.0.1g. You also have to revoke and regenerate new keys and certificates and re-issuing of CA certs and the like in the coming days.

openssl version -v

# above should be not 1.0.1f or below, otherwise:
sudo apt-get update
sudo apt-get upgrade openssl libssl-dev
apt-cache policy openssl libssl-dev

sudo apt-get install make
curl https://www.openssl.org/source/openssl-1.0.2f.tar.gz | tar xz && cd openssl-1.0.2f && sudo ./config && sudo make && sudo make install
sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`

openssl version

Secure /tmp and /var/tmp

http://bookofzeus.com/harden-ubuntu/server-setup/secure-tmp-var-tmp/

WARNING: This section is out of date! Check the original source and the comments below.

Temporary storage directories such as /tmp, /var/tmp and /dev/shm gives the ability to hackers to provide storage space for malicious executables.

# Let's create a 1GB (or what is best for you) filesystem file for the /tmp parition.
sudo fallocate -l 1G /tmpdisk
sudo mkfs.ext4 /tmpdisk
sudo chmod 0600 /tmpdisk

# Mount the new /tmp partition and set the right permissions.
sudo mount -o loop,noexec,nosuid,rw /tmpdisk /tmp
sudo chmod 1777 /tmp

# Set the /tmp in the fstab.
sudo nano /etc/fstab
: /tmpdisk	/tmp	ext4	loop,nosuid,noexec,rw	0 0
sudo mount -o remount /tmp

# Secure /var/tmp.
sudo mv /var/tmp /var/tmpold
sudo ln -s /tmp /var/tmp
sudo cp -prf /var/tmpold/* /tmp/
sudo rm -rf /var/tmpold/

Secure Shared Memory

http://bookofzeus.com/harden-ubuntu/server-setup/secure-shared-memory/

Shared memory can be used in an attack against a running service, apache2 or httpd for example.

sudo nano /etc/fstab
: tmpfs	/run/shm	tmpfs	ro,noexec,nosuid	0 0

Set Hostname and Host File

http://bookofzeus.com/harden-ubuntu/server-setup/set-hostname-and-host/

The hostname uniquely identifies your computer on the local network. The hostname can be use in many services or applications. Once the hostname is set, it is not recommended to change it.

sudo nano /etc/hostname
: <ip/hostname>

sudo nano /etc/hosts
: 127.0.0.1	localhost localhost.localdomain <ip/hostname>

Set Locale and Timezone

http://bookofzeus.com/harden-ubuntu/server-setup/set-timezone/

sudo locale-gen en_GB.UTF-8
sudo update-locale LANG=en_GB.UTF-8
sudo dpkg-reconfigure tzdata

Set Security Limits

http://bookofzeus.com/harden-ubuntu/server-setup/set-security-limits/

You might need to protect your system against fork bomb attacks. A simple way to prevent this is by setitng up processes limit for your users. All the limits can be configured in the /etc/security/limits.conf file.

sudo nano /etc/security/limits.conf
: user1 hard nproc 100
: @group1 hard nproc 20

This will prevent users from a specific group from having a maximum of 20 processs and maximize the number of processes to 100 to user1.

IP Spoofing

http://hardenubuntu.com/hardening/ip-spoofing/

IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.

sudo nano /etc/host.conf
: order bind,hosts
: nospoof on

PHP

http://bookofzeus.com/harden-ubuntu/hardening/php/

sudo nano /etc/php/fpm/php.ini
: safe_mode = On
: safe_mode_gid = On
: sql.safe_mode = On

: register_globals = Off
: magic_quotes_gpc = Off

: expose_php = Off
: track_errors = Off
: html_errors = Off
: display_errors = Off

: disable_functions = ... system,exec,shell_exec,php_uname,getmyuid,getmypid,leak,listen,diskfreespace,link,ignore_user_abord,dl,set_time_limit,highlight_file,source,show_source,passthru,fpaththru,virtual,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo
# exceptions: getmypid

: allow_url_fopen = Off
: allow_url_include = Off

: sql.safe_mode = On

: session.cookie_httponly = 1
: session.referer_check = mydomain.com

SSH

http://bookofzeus.com/harden-ubuntu/hardening/ssh/

SSH can be very helpful when configuring your server, setup domains or anything else you need to do. It also one of the first point of entry of hackers. This is why it is very important to secure your SSH.

The basic rules of hardening SSH are:

  • No password for SSH access (use private key)
  • Don't allow root to SSH (the appropriate users should SSH in, then su or sudo)
  • Use sudo for users so commands are logged
  • Log unauthorised login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)
  • Lock down SSH to only the ip range your require (if you feel like it)

It is recommended to use SSH keys.

sudo nano /etc/ssh/sshd_config
: Port <port>
: Protocol 2
: LogLevel VERBOSE
: PermitRootLogin no
: StrictModes yes
: RSAAuthentication yes
: IgnoreRhosts yes
: RhostsAuthentication no
: RhostsRSAAuthentication no
: PermitEmptyPasswords no
: PasswordAuthentication no
: ClientAliveInterval 300
: ClientAliveCountMax 0
: AllowTcpForwarding no
: X11Forwarding no
: UseDNS no

sudo nano /etc/pam.d/sshd	(comment lines below)
: #session	optional	pam_motd.so motd=/run/motd.dynamic noupdate
: #session	optional	pam_motd.so # [1]

sudo service ssh restart

Antivirus (clamav)

sudo apt-get install clamav
sudo freshclam
sudo apt-get install clamav-daemon
sudo crontab -e
: 00 00 * * * clamscan -r /location_of_files_or_folder | grep FOUND >> /path/to/save/report/myfile.txt
@cNoveron
Copy link

cNoveron commented Oct 2, 2020

I wouldn't even recomend doing the "secure /tmp and /var/tmp" step. It made me lose innumerable hours trying to fix my broken boot.

Some days later I figured out symlinking /tmp to /var/tmp (or any kernel files or directories whatsoever) causes systemd-hostnamed to fail to set up mount namespacing. Linux kernel maintainers say that stablishing symlinks between kernel files is extremely frowned-upon among them.

It's irresponsible from the author's behalf to assume every reader knows the implications in the boot sequence of following these steps and fail to provide proper documentation of this procedure. 👎

@darkBuddha
Copy link

This is trash, and old. It breaks a lot of things. Don't do it.

@Danrancan
Copy link

This is trash, and old. It breaks a lot of things. Don't do it.

What exactly is trash and old? The entire document?

@Hough-Lab
Copy link

I wouldn't even recomend doing the "secure /tmp and /var/tmp" step. It made me lose innumerable hours trying to fix my broken boot.

Some days later I figured out symlinking /tmp to /var/tmp (or any kernel files or directories whatsoever) causes systemd-hostnamed to fail to set up mount namespacing. Linux kernel maintainers say that stablishing symlinks between kernel files is extremely frowned-upon among them.

Hi cNoveron - unfortunately I did the same thing as you and am now having problems with my tmp folder filling up and causing my machine to freeze when i'm running a lot of stuff. How did you fix/undo the changes to the "secure /tmp and /var/tmp" step?

Thanks

@superjamie
Copy link

Disabling irqbalance will ruin network performance for a server which handles a lot ot traffic from many sources. For example, disabling irqbalance is probably one of the worst things you could do for a busy webserver, database server, or storage server.

The justification of "avoiding hardware interrupts" won't be avoided by disabling irqbalance, and makes no sense in the context of a modern pre-emptive operating system anyway. Hardware interrupts and CPU scheduling are not of concern to anyone except extremely deterministic systems like low-latency share traders, where an application must respond within a set target, usually of microseconds. Such people are running a realtime kernel and won't be reading this document.

I would not disable irqbalance, and you should not recommend that people do it either.

@darkBuddha
Copy link

This is trash, and old. It breaks a lot of things. Don't do it.

What exactly is trash and old? The entire document?

Yes.

@bw-miamicounty-it
Copy link

This is trash, and old. It breaks a lot of things. Don't do it.

What exactly is trash and old? The entire document?

Yes.

What isn't trash and old then? What's the correct way to harden an Ubuntu server?

@SimonScholz
Copy link

@darkBuddha What would you recommend then to harden an Ubuntu server?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment