Skip to content

Instantly share code, notes, and snippets.

@rkennesson

rkennesson/lockdown.md

Created December 27, 2019 16:05
Show Gist options
  • Save rkennesson/fea2f13a49c8a947f1bfda43aaaa7274 to your computer and use it in GitHub Desktop.
Save rkennesson/fea2f13a49c8a947f1bfda43aaaa7274 to your computer and use it in GitHub Desktop.
Download ZIP
lockdown ubuntu 16.04+
Raw
gistfile1.txt
https://github.com/netwayfind/cp-lockdown
Raw
lockdown.md

Lockdown Ubuntu 16.04+

Users and Groups

Users

Option 1 (GUI)

  1. Open System Settings
  2. Click on Users
  3. For each user:
    • Check the readme if the user is supposed to be on this computer
    • Lock out or delete extra or prohibited users, keep their files
    • Set Account Type to match user role
    • Change and write down password for refence

Option 2 (Command Line)

  1. Open Terminal
  2. cat /etc/passwd
  3. Check Default Users
  • Check that the users specified in the readme exist. Double check the default users. Look out for unmentioned users.
  • Line reference = [user]:x:[user id]:[group id]:[description]:[home directory]:[default shell]
  • User ID number less than 1000 are hidden users
  • only user root should have User ID of 0
  1. To disable a user (unable to log in, keep files):
  • sudo passwd -l [user]
  1. To remove a user:
  • sudo userdel [user]
    • use userdel -r [user] to remove user files
  1. To add a user:
  • sudo useradd [user] -m -s /bin/bash
  1. Update all allowed users' passwords (including root)
  • sudo passwd [user]
  • Write down user and password for reference

Groups

Location

  1. Open Terminal
  2. cat /etc/group

Settings

  1. Check Default Groups
  • root group should be empty
  • sudo group should only have administrator users
  • users group should only have users specified in the readme
  • each user may have a corresponding group
  1. To add a user to a group:
    • sudo gpasswd -a [user] [group]
  2. To remove a user from a group:
    • sudo gpasswd -d [user] [group]

Guest Access

  1. Open file /etc/lightdm/lightdm.conf

  2. Make sure the file has the following content:

    [SeatDefaults]
    greeter-session=unity-greeter
    allow-guest=false

  3. Note: Any mistakes will break the GUI

  4. Save the file

  5. sudo systemctl restart lightdm

  6. The GUI should restart and guest access should be disabled.

sudo

Location

Option 1

  1. sudo visudo

Option 2

  1. Open file /etc/sudoers

Settings

  • Comment lines start with #
  • The following are the default settings:
    • Defaults env_reset
    • Defaults mail_badpass
    • Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    • root ALL=(ALL:ALL) ALL
    • %admin ALL=(ALL) ALL
    • %sudo ALL=(ALL:ALL) ALL
  • Comment out all other entries

Networking

Firewall

Option 1: gufw

  1. Open Terminal
  2. sudo apt-get update
  3. sudo apt-get install gufw
  4. sudo gufw
  5. Set to the following settings:
    • Profile: Office
    • Status: ON
    • Incoming: Deny
    • Outgoing: Allow
  6. For new inbound rules
    1. Click on Rules
    2. Click on +
    3. Click on Simple
    4. Name: [set name here]
    5. Policy: Allow
    6. Direction: In
    7. Protocol: [protocol]
    8. Port: [port]
    9. Click on Add

Option 2: iptables

  1. Open Terminal
  2. Check IPv4 firewall rules
    1. sudo iptables -nvL
  3. Reset IPv4 firewall rules
    1. sudo iptables -F
    2. sudo iptables -X
  4. Set default IPv4 firewall rules
    1. sudo iptables -A INPUT -m state --state INVALID -j DROP
    2. sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    3. sudo iptables -A INPUT -i lo -j ACCEPT
  5. Add allowed INPUT rule to IPv4 firewall
    1. sudo iptables -A INPUT -p [protocol] --dport [port] -j ACCEPT
    2. Check Readme for required services. Research any required ports that need to be opened on firewall.
      • Example for SSH: sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  6. Set default IPv4 firewall policy
    1. sudo iptables -P INPUT DROP
    2. sudo iptables -P FORWARD DROP
    3. sudo iptables -P OUTPUT ACCEPT
  7. Check IPv6 firewall rules
    1. sudo ip6tables -nvL
  8. Reset IPv6 firewall rules
    1. sudo ip6tables -F
    2. sudo ip6tables -X
  9. Set default IPv6 firewall rules
    1. sudo ip6tables -A INPUT -m state --state INVALID -j DROP
    2. sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    3. sudo ip6tables -A INPUT -i lo -j ACCEPT
  10. Add allowed INPUT rule to IPv6 firewall 1. sudo ip6tables -A INPUT -p [protocol] --dport [port] -j ACCEPT 2. Check Readme for required services. Research any required ports that need to be opened on firewall.
    • Example for SSH: sudo ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
  11. Set default IPv6 firewall policy 1. sudo ip6tables -P INPUT DROP 2. sudo ip6tables -P FORWARD DROP 3. sudo ip6tables -P OUTPUT ACCEPT

Network Connections

Location

  1. Open Terminal
  2. sudo netstat [options]

Settings

  1. Check listening network connections

  2. netstat -ntulp

  3. Make sure only necessary services have listening connections on the correct ports

  4. Check established network connections

  5. netstat -ntup

Installation Check

Applications

Location

  1. Press Ubuntu icon button
  2. Type Ubuntu Software Center
  3. Click on icon

Settings

  1. Press Installed button
  2. Review readme for applications or categories that must be removed
  3. For each application category (e.g. Accessories)
    • Check against readme if it should be removed
    • It's safer to leave program alone than to remove it
    • To remove application, click on it, then press Remove button

Services

Location

  1. Open Terminal

Settings

Check status of all services

  • systemctl list-unit-files

Check status of one service

  • systemctl status [service-name]

Other common service commands

  • systemctl start [service-name]
  • systemctl stop [service-name]
  • systemctl restart [service-name]

Disable service autostart

  • systemctl stop [service-name]
  • systemctl disable [service-name]

Common Services

The following services should be disabled if they are not required:

Database

  • mysqld
  • postgres

E-mail

  • dovecot
  • exim4
  • postfix

File Sharing

  • nfs
  • nmbd
  • rpc.mountd
  • rpc.nfsd
  • smbd
  • vsftpd

Music

  • mpd

Networking

  • avahi-daemon
  • bind
  • dnsmasq
  • xinetd
  • inetd
  • sshd
  • telnet

Printing, Scanning

  • cupsd
  • saned

Time

  • ntpd

Web/Application Server

  • apache2
  • httpd
  • jetty
  • nginx
  • tomcat

Updates

  1. Open System Settings
  2. Under System section, find and click on Software & Updates
  3. Press Revert for default settings
  4. For Ubuntu Software tab
    • Canonical-supported free and open-source software (main)
    • Community-maintained free and open-source software (universe)
    • Proprietary drivers for devices (restricted)
    • Software restricted by copyright or legal issues (multiverse)
    • Source code
    • For Download from:, select Other
    • Click Select Best Server. Wait for tests to complete.
    • Click Choose Server
  5. For Updates tab
    • Important security updates (*-security)
    • Recommended updates (*-updates)
    • Unsupported updates (*-backports)
    • Automatic check for updates: Daily
    • When there are security updates: Display immediately
    • When there are other updates: Display weekly
    • Notify me of a new Ubuntu version: For long-term support version
  6. For Developer Options
    • Pre-released updates (*-proposed)
  7. Click Close
  8. Open Terminal
  9. sudo apt-get update && sudo apt-get upgrade -y

Scans

chkrootkit

  1. Open Terminal
  2. sudo apt-get install chkrootkit
  3. Follow installation instructions
  4. sudo chkrootkit
  5. After scan completes, review findings.

rkhunter

  1. Open Terminal
  2. sudo apt-get install rkhunter
  3. Follow installation instructions
  4. sudo rkhunter --update
  5. sudo rkhunter -c
  6. Follow scan instructions
  7. After scan completes, review findings, and fix issues

Filesystem

Find Unauthorized Files

Option 1

  1. Open Terminal
  2. find /home -name ".mp3"
    • This will search for .mp3 files in /home
  3. If there are any results, inspect the files and remove as necessary
  4. Repeat from step 2 for the following file extensions
    • (music) - .mp3, .wav, .wma, .aac
    • (movie/video) - .mp4, .mov, .avi

Option 2

Manually search for files in all user directories and remove unauthorized files.

Hosts File

Location

  1. Open Terminal
  2. cat /etc/hosts

Settings

  • Disable any entry lines by adding a # to the start of the line
  • Default file entries:
    • 127.0.0.1 localhost
    • 127.0.1.1 ubuntu
  • Ignore IPv6 lines

Filesystem Permissions

  1. Open Terminal

  2. ls -la /
    Default permissions:

    • drwxr-xr-x root root home
    • drwx------ root root root

    To fix:

    • sudo chown root:root /home
    • sudo chmod 755 /home
    • sudo chown root:root /root
    • sudo chown 700 /root

  3. cd /home

  4. ls -la
    Default permissions for every user:

    • drwxr-xr-x
    • For example: drwxr-xr-x ubuntu ubuntu ubuntu

    To fix:

    • sudo chown :
    • For example: sudo chown ubuntu:ubuntu ubuntu
    • sudo chmod 755
    • For example: sudo chmod 755 ubuntu

Configuration

auditd

  1. Open Terminal
  2. sudo apt-get install auditd
  3. sudo auditctl -e 1

boot-up manager

  1. Open Terminal
  2. sudo apt-get install bum
  3. sudo bum
  4. Click checkmark for Advanced
  5. Review list of programs that are set to start automatically at boot
  6. Add checkmark for services required to be running
  7. Remove checkmark for services that are not necessary to run

Reference: https://help.ubuntu.com/community/BootServices

cron

Review the following files or directories:

  • /etc/crontab
  • /etc/cron.d/
  • /etc/cron.hourly/
  • /etc/cron.daily/
  • /etc/cron.weekly/
  • /etc/cron.monthly/
  • /var/spool/cron/crontabs/

Reference: https://help.ubuntu.com/community/CronHowto

libpam-cracklib

  1. Open Terminal
  2. sudo apt-get install libpam-cracklib

Password Policy

Location

  1. Open file /etc/pam.d/common-password
  2. Open file /etc/login.defs

Settings

For /etc/pam.d/common-password

  1. Find the following line in the file:
    • password requisite pam_cracklib.so retry=3 minlen=8 difok=3
  2. To require at least 10 characters, change to the following:
    • minlen=10
  3. To require password complexity, add to the end of the line:
    • ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
  4. The line should now look like the following
    • password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
  5. Find the following line in the file:
    • password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
  6. To remember last 5 passwords, add to the end of the line:
    • remember=5
  7. To require at least 10 characters, add to the end of the line:
    • minlen=10
  8. The line should now look like the following
    • password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5 minlen=10
  9. Save the file

For /etc/login.defs

  1. Find PASS_MAX_DAYS, set to 90
  2. Find PASS_MIN_DAYS, set to 10
  3. Find PASS_WARN_AGE, set to 7

Account Lockout Policy

Location

  1. Open file /etc/pam.d/common-auth

Settings

  1. Add the following to the end of the file:
    • auth required pam_tally2.so deny=5 onerr=fail unlock_time=1800
    • this will set lockout to 5 attempts and lock out for 1800 seconds (30 minutes)

Logs

System Log

Location

  1. Press Ubuntu icon
  2. Type System Log
  3. Click on icon
  • Review logs prior to today for system changes
  • Pay attention to user accounts, especially root/sudo

Reference: https://help.ubuntu.com/community/LinuxLogFiles

References

Default Groups

  • root
  • daemon
  • bin
  • sys
  • adm
  • tty
  • disk
  • lp
  • mail
  • news
  • uucp
  • man
  • proxy
  • kmem
  • dialout
  • fax
  • voice
  • cdrom
  • floppy
  • tape
  • sudo
  • audio
  • dip
  • www-data
  • backup
  • operator
  • list
  • irc
  • src
  • gnats
  • shadow
  • utmp
  • video
  • sasl
  • plugdev
  • staff
  • games
  • users
  • nogroup
  • libuuid
  • crontab
  • syslog
  • fuse
  • messagebus
  • bluetooth
  • scanner
  • colord
  • lpadmin
  • ssl-cert
  • lightdm
  • nopasswdlogin
  • netdev
  • whoopsie
  • mlocate
  • ssh
  • avahi-autoipd
  • avahi
  • pulse
  • pulse-access
  • utempter
  • rtkit
  • saned
  • ubuntu
  • sambashare

Default Users

  • root
  • daemon
  • bin
  • sys
  • sync
  • games
  • man
  • lp
  • mail
  • news
  • uucp
  • proxy
  • www-data
  • backup
  • list
  • irc
  • gnats
  • nobody
  • libuuid
  • syslog
  • messagebus
  • colord
  • lightdm
  • whoopsie
  • avahi-autoipd
  • avahi
  • usbmux
  • kernoops
  • pulse
  • rtkit
  • speech-dispatcher
  • dispatcher
  • hplip
  • saned
  • ubuntu

Open file

Option 1 (gedit)

  • sudo gedit [file path]

Option 2 (nano)

  • sudo nano [file path]

Option 3 (vi or vim)

  • sudo vi [file path]
  • sudo vim [file path]

Terminal

Option 1

  1. Press Ubuntu icon button
  2. Type terminal, press Enter

Option 2

  1. Click on Applications menu
  2. Go to Accessories
  3. Click on Terminal

System Settings

  1. Press the gear-like icon at the top right of the screen. (Next to the current time)
  2. Click on System Settings
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment