motorscript.com

Security: Hardening Ubuntu Server

Published:
A default installation of Ubuntu server is fairly secure. However, one can follow the following instructions to harden the security further.

Improve SSH Security

Hardening SSH is vital in keeping your server secure. Refer to this article for in-depth instructions for SSH hardening.

Secure Shared Memory

Since multiple processes can use the same memory space, making shared memory read only prevents exploitation of vulnerabilities in services running in the server.
sudo vi /etc/fstab
none /run/shm tmpfs defaults,ro 0 0

Secure the networking layer

sudo vi /etc/sysctl.conf
# Configuration from https://github.com/konstruktoid/hardening/blob/master/misc/sysctl.conf, with some added explainations
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0
kernel.core_uses_pid = 1
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.panic = 60
kernel.panic_on_oops = 60
kernel.perf_event_paranoid = 2
kernel.randomize_va_space = 2
kernel.sysrq = 0
kernel.unprivileged_bpf_disabled = 1
kernel.yama.ptrace_scope = 2
net.core.bpf_jit_harden = 2
net.ipv4.conf.all.accept_redirects = 0 # Discard ICMP redirects
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1 # Enable source validation by reverse path for IP Spoofing Protection
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0 # Disable send redirects
net.ipv4.conf.all.shared_media = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter= 1 # Enable source validation by reverse path for IP Spoofing Protection
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0 # Disable send redirects
net.ipv4.conf.default.shared_media = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0 # Disable packet forwarding for IPv4
net.ipv4.tcp_challenge_ack_limit = 1000000
net.ipv4.tcp_invalid_ratelimit = 500
net.ipv4.tcp_max_syn_backlog = 20480
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syncookies = 1 # Enable TCP/IP SYN cookies: blocks SYN attacks
net.ipv4.tcp_timestamps = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eth0.accept_ra_rtr_pref = 0
net.netfilter.nf_conntrack_max = 2000000
net.netfilter.nf_conntrack_tcp_loose = 0

Use a Firewall

Ubuntu comes with UFW, Uncomplicated Firewall. It is a simple alternative to iptables.

Install and enable UFW:

sudo apt install ufw
      sudo ufw enable

UFW by default denies all incoming connection and allows all outgoing connections.

Allow SSH:

sudo ufw allow 22 # Or sudo ufw allow 23456 if SSH is listening on another port

Allow HTTP and HTTPS:
sudo ufw allow http # OR sudo ufw allow 80
      sudo ufw allow https # OR sudo ufw allow 443
View status and configuration:
sudo ufw status verbose

Keep your system up-to-date

sudo apt update
sudo apt upgrade
Enable automatic security updates (unattended-upgrades)

Remove unwanted user accounts

If there are users not in use, remove them. Cloud providers create a default user like ubuntu in fresh instances. You can remove them if they aren't used.
deluser --remove-home ubuntu

Cleanup unncessary packages and services

List all running services and disable the services you are certain you won't need.
service --status-all
Also remove orphan packages.
apt autoremove --purge

Other Security Measures

  • Use fail2ban.
  • Try using single network service per VM instance.
  • Make use of security extensions like AppArmor and SELinux.
  • Implement service specific security measures like securing Nginx, Apache, PostgreSQL, MySQL.
  • Use firewall provided by our cloud service provider.
  • Access your system with security audit tools like Lynis.
  • Watch your logs. Use tools like LogWatch.
  • Try things you'd do if you lost access to your system but you need to get in. You may find some security holes. Fix them.
  • Get consultancy from a security expert.