An Ultimate Guide to Secure Ubuntu Host

July 29, 2016

Ubuntu is often described as a highly secure operating system, but like every other operating system its default install leaves weaknesses that an attacker can use. This guide walks through the settings a system administrator should apply to an Ubuntu server to close the common ones: boot loader protection, file system mount options, removal of unneeded services, kernel network parameters and the host firewall, auditing, authentication and SSH, account policy, file permissions, and a few host-level tools. Commands are shown with a # prompt and are meant to be run as root (or through sudo). Where a configuration file is edited, the lines shown are the file contents and must not carry the # prompt, since in /etc/fstab, /etc/sysctl.conf and the audit rules a leading # turns the line into a comment.

1. Harden boot settings

To prevent non-root users from changing the boot loader configuration file, /boot/grub/grub.cfg, make sure it is owned by the root user and the root group. Execute the following command to set the ownership.

# chown root:root /boot/grub/grub.cfg

To prevent non-root users from reading the boot parameters (which reveal the kernel options in use and, once a boot loader password is set, the password hash), make the file readable and writable by root only. Execute the following command to achieve this.

# chmod og-rwx /boot/grub/grub.cfg

Also set a password on the boot loader, so that anyone with console access who reboots the system cannot edit a boot entry or drop into the GRUB shell without it. Without this protection an attacker with physical or console access can append init=/bin/bash to the kernel command line, boot with the mandatory access control system disabled (AppArmor on Ubuntu; SELinux where that is used instead), or boot from a different partition. Generate a PBKDF2 hash of the chosen password:

# grub-mkpasswd-pbkdf2

The command prints a hash string beginning with grub.pbkdf2.sha512. Add the following lines to /etc/grub.d/40_custom, the file reserved for local additions (/etc/grub.d/00_header already exists and belongs to the grub-common package, so do not create or replace it):

set superusers="<user-list>"
password_pbkdf2 <user> <pbkdf2-hash>

With a superuser defined, editing an entry or entering the GRUB command line already requires the password; entries generated with the --unrestricted option can still be booted without it. If the machine must also refuse to boot at all without the password, remove the --unrestricted option from the CLASS variable in /etc/grub.d/10_linux. Be aware that this turns every unattended reboot into a console prompt, which is rarely acceptable for a server.

Regenerate /boot/grub/grub.cfg:

# update-grub

Afterwards, grep the generated file for the password_pbkdf2 line to confirm the password made it in, and check with ls -l that the file is still owned by root and not readable by others; re-apply the chown and chmod above if it is not.

2. Secure file-system

Put directories with different usage patterns on their own partitions: user data in /home, temporary files in /tmp, variable data in /var, logs in /var/log and /var/log/audit, and swap on its own partition (or in a swap file). A separate file system confines resource exhaustion to that file system and allows mount options (nodev, nosuid, noexec) matched to what the data is used for. Note that /etc and /dev cannot be separate partitions: /etc holds /etc/fstab itself and is needed before any other file system is mounted, and /dev is a kernel-populated devtmpfs.

2.1 Create a separate partition for /tmp

/tmp is world-writable, so any local user or compromised service can fill it; on its own partition that exhausts only /tmp rather than the root file system. A separate file system is also what makes the mount options below possible, and, because hard links cannot cross file systems, it stops a user from hard-linking a system setuid binary into /tmp in order to keep a vulnerable copy around after a security update replaces the original.

2.2 Set the nodev option for /tmp

Set nodev on the /tmp partition so that users cannot create block or character device files there. Mount options are set in the fourth field of the /tmp line in /etc/fstab; the device name below is only an example:

/dev/mapper/vg0-tmp /tmp ext4 defaults,nodev 0 2

To apply the option to the running system without a reboot:

# mount -o remount,nodev /tmp

2.3 Set the nosuid option for /tmp

/tmp is for temporary storage and has no business holding setuid or setgid files. Add nosuid to the /tmp options in /etc/fstab and apply it:

# mount -o remount,nosuid /tmp

2.4 Set the noexec option for /tmp

Add noexec to the /tmp options in /etc/fstab so that binaries dropped into /tmp cannot be run directly, then apply it:

# mount -o remount,noexec /tmp

The complete /etc/fstab line for /tmp then reads:

/dev/mapper/vg0-tmp /tmp ext4 defaults,nodev,nosuid,noexec 0 2

Two caveats. noexec only blocks direct execution (and executable memory mappings) from the file system; an attacker can still run a script with sh /tmp/x or perl /tmp/x, so treat it as a speed bump rather than a control. Some package post-install scripts and build tools also unpack and run helpers from /tmp; if apt-get or dpkg starts failing after this change, point them at another temporary directory with TMPDIR or remount /tmp with exec for the duration of the upgrade. Check the result with mount or findmnt /tmp, which list the options in effect.

2.5 Create separate partition for /var

System daemons and other services store dynamic data in /var, and some of its subdirectories are world-writable, so it can be filled by an unprivileged user or a runaway service. Create a separate partition for /var at installation time; on an existing system, carve a new logical volume out of free space with LVM and move the data across.

2.6 Bind /var/tmp to /tmp

Bind-mounting /var/tmp onto /tmp gives /var/tmp the same nodev, nosuid and noexec protection as /tmp (a bind mount inherits the mount flags of the file system it is taken from) and keeps temporary files written to /var/tmp from filling the /var file system. Execute the following command to bind /var/tmp to /tmp:

# sudo mount --bind /tmp /var/tmp

To make it permanent add the following line to /etc/fstab (without a leading #, which would turn it into a comment), after the line that mounts /tmp:

/tmp /var/tmp none bind 0 0

Note that /var/tmp is meant to survive reboots while /tmp is usually cleared at boot; software that relies on that difference will lose its state. If that matters, give /var/tmp its own partition with the same mount options instead.

2.7 Create separate partition for /var/log

Logs are the evidence after an incident, and they can also grow without bound; a separate partition for /var/log protects that data and prevents a log flood from filling /var. Create it at installation time, or with LVM on an existing system.

2.8 Create separate partition for /var/log/audit

The audit daemon stores its log data in /var/log/audit. Audit logs can grow very large, and section 6.2 below deliberately halts the system when they cannot be written, so give /var/log/audit its own partition to protect the sensitive audit data and to keep a flood of audit events from exhausting /var/log. Create it at installation time, or with LVM on an existing system.

2.9 Create separate partition for /home

/home holds user data. On its own partition it can be mounted with options that restrict what users can do with the files they create, and a user filling their home directory cannot exhaust the root file system. Create it at installation time, or with LVM on an existing system.

2.10 Set nodev for /home

To prevent /home from being used to define character and block special devices, add nodev to its mount options in /etc/fstab so that users cannot create such files, and apply it to the running system:

# mount -o remount,nodev /home

2.11 Set nodev for removable media

A user can bypass device permissions by carrying a character or block special file on removable media that points at a sensitive device such as /dev/kmem or a raw disk. Add nodev to the options of every removable-media entry in /etc/fstab (floppy, CD-ROM, USB stick and so on), and apply it to anything currently mounted:

# mount -o remount,nodev <mount point of the removable device>

2.12 Set noexec for removable media

To prevent programs from being run straight off removable media, which is a common way of bringing malicious binaries onto a system, add noexec to the same entries and apply it:

# mount -o remount,noexec <mount point of the removable device>

2.13 Add nosuid to removable media

To prevent removable media from carrying setuid/setgid programs, which would let a non-root user import privileged binaries, add nosuid to the same entries and apply it:

# mount -o remount,nosuid <mount point of the removable device>

On desktop installs removable media are usually mounted by udisks rather than from /etc/fstab. After inserting a device, check the options it was actually mounted with using mount or findmnt, and restrict or disable automounting if they do not include nodev, nosuid and noexec.

2.14 Add nodev option for /run/shm partition

/run/shm is a world-writable tmpfs used for POSIX shared memory (on Ubuntu 16.04 it is a symbolic link to /dev/shm, which systemd mounts itself with nosuid and nodev but without noexec). To prevent users from creating device files there, add nodev to its mount options in /etc/fstab:

tmpfs /run/shm tmpfs defaults,nodev 0 0

and apply it to the running system:

# mount -o remount,nodev /run/shm

2.15 Add nosuid option to /run/shm partition

To prevent /run/shm from holding setuid/setgid programs, which would allow a non-root user to plant privileged binaries that run with someone else's uid or gid, add nosuid to the same /etc/fstab entry and apply it:

# mount -o remount,nosuid /run/shm

2.16 Add noexec to /run/shm partition

To prevent /run/shm from being used to execute programs, add noexec to the entry as well and apply it:

# mount -o remount,noexec /run/shm

The complete entry then reads (use /dev/shm as the mount point on releases where /run/shm is only a symbolic link to it):

tmpfs /run/shm tmpfs defaults,nodev,nosuid,noexec 0 0

2.17 Set sticky bit on to world writable directories

In a world-writable directory without the sticky bit, any user can delete or rename files that belong to someone else, which allows tampering with another user's temporary files and the race conditions that come with it. With the sticky bit set, only a file's owner, the directory's owner and root may remove or rename it. Set it on /tmp and on every other world-writable directory on the system (use find to locate them; any such directory is a target):

# chmod +t /tmp
or
# chmod 1777 /tmp
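Two checks that belong at the end of this section, as an added example that is not part of the original article: a function that reads an fstab file and reports which of the required mount options are missing for a mount point, and a function that lists world-writable directories without the sticky bit under a root (the find that 2.17 refers to). Both work on files and directories passed to them, so they can be run without root against a copy of /etc/fstab taken from a host during an audit. The fstab contents and the directory tree below are constructed for the demonstration, and the device names in them are made up.

```shell
#!/bin/sh
# Added example, not from the original article: offline checks for the
# mount options of section 2 and the sticky-bit rule of 2.17.

# Usage: fstab_missing_opts <fstab-file> <mount-point> <opt>[,<opt>...]
# Prints one line per required option missing from the mount point's
# entry (fourth field of fstab). Returns 0 when all are present, 1 if
# any is missing or the mount point has no entry at all.
fstab_missing_opts() {
    awk -v mp="$2" -v req="$3" '
        /^[ \t]*#/ || NF < 4 { next }            # comments and blank lines
        $2 == mp {
            found = 1
            n = split($4, have, ",")
            for (i = 1; i <= n; i++) has[have[i]] = 1
            m = split(req, want, ",")
            for (j = 1; j <= m; j++)
                if (!(want[j] in has)) { print mp " missing " want[j]; bad = 1 }
        }
        END {
            if (!found) { print mp " has no entry in fstab"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Usage: ww_dirs_no_sticky <root>
# Lists world-writable directories lacking the sticky bit. -xdev keeps the
# search on one file system, so run it once per mount point (for example
# over the output of "df --local -P") to cover a whole host.
ww_dirs_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# ---- constructed sample data so the script runs stand-alone ----
demo_fstab=$(mktemp)
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_fstab" "$demo_root"' EXIT

cat > "$demo_fstab" <<'EOF'
# constructed fstab; device names are made up
UUID=0000-ROOT /        ext4  errors=remount-ro              0 1
/dev/vg0/tmp   /tmp     ext4  defaults,nodev,nosuid          0 2
/dev/vg0/home  /home    ext4  defaults,nodev                 0 2
tmpfs          /dev/shm tmpfs defaults,nodev,nosuid,noexec   0 0
/tmp           /var/tmp none  bind                           0 0
EOF

mkdir "$demo_root/ok_tmp" "$demo_root/bad_scratch" "$demo_root/private"
chmod 1777 "$demo_root/ok_tmp"        # world-writable with sticky bit: fine
chmod 0777 "$demo_root/bad_scratch"   # world-writable, no sticky bit: reported
chmod 0755 "$demo_root/private"       # not world-writable: ignored

# /tmp is missing noexec in the sample; /dev/shm is complete
fstab_missing_opts "$demo_fstab" /tmp nodev,nosuid,noexec || echo "/tmp needs fixing"
fstab_missing_opts "$demo_fstab" /dev/shm nodev,nosuid,noexec && echo "/dev/shm ok"
ww_dirs_no_sticky "$demo_root"
```

On a real host, run fstab_missing_opts once per mount point from section 2 against /etc/fstab, and feed each local mount point from df --local -P to ww_dirs_no_sticky; anything it prints gets chmod +t.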

3. Discard legacy systems

Do not install or enable the following legacy services and utilities. They send credentials and data in cleartext, have no meaningful authentication, or are trivially abused for amplification, and each has a modern replacement (SSH in place of rsh, telnet and talk): NIS, rsh server/client, talk server/client, Telnet, TFTP, xinetd, and the xinetd internal services chargen, daytime, echo, discard and time.

4. Discard special purpose services

Every service that listens on the network is attack surface, so install only what the host's role requires and remove the rest. Candidates that are rarely needed on a server are the X Window System, Avahi, the print server (CUPS), DHCP server, LDAP, NFS and RPC, DNS server, FTP, Samba, SNMP, the rsync daemon, and the biosdevname helper. Some of these, a DNS server for instance, are needed somewhere; put them on a dedicated host that holds no sensitive data rather than on a server with other duties. Check what is actually listening with ss -ltnup (or netstat -ltnup) before and after removing packages.

5. Network configuration and firewall

5.1 Disable IP forwarding

To prevent the server from being used to forward packets between interfaces, i.e. to act as a router, set net.ipv4.ip_forward to 0 in /etc/sysctl.conf. Skip this on hosts that are meant to route, and be aware that container runtimes such as Docker switch forwarding back on when they start.

net.ipv4.ip_forward = 0

Now reload sysctl configuration

# sudo sysctl -p

5.2 Disable sendpacket redirect

ICMP redirects are only legitimately sent by routers. A compromised host that sends them can corrupt the routing tables of other machines on the same network segment, so a server that is not a router should never send them. Set net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects to 0 in /etc/sysctl.conf (the lines go in without a leading #, which would comment them out):

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Now reload sysctl configuration

# sudo sysctl -p

5.3 Disable source route packet acceptance

Source-routed packets carry the path they should take inside the packet. An attacker can use them to reach addresses that would not otherwise be routable from the outside, such as a private network on a second interface, and to have replies delivered along a path of their choosing. Set net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 in /etc/sysctl.conf:

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

Now reload sysctl configuration

# sudo sysctl -p

5.4 Disable ICMP redirect acceptance

A forged ICMP redirect can alter the host's routing table so that traffic for a network is sent to an attacker's machine instead of the real gateway, where it can be captured or modified. To disable ICMP redirect acceptance set net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects to 0 in /etc/sysctl.conf:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

Now reload sysctl configuration

# sudo sysctl -p

5.5 Disable Secure ICMP Redirect Acceptance

Secure ICMP redirects differ from ordinary ones only in that they are accepted solely from gateways already listed in the host's routing table. If such a gateway is compromised, an attacker can still use them to rewrite the routing table, so disable them as well.
Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf:

net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0

Now reload sysctl configuration

# sudo sysctl -p

5.6 Log Suspicious Packets

A martian packet is one whose source address cannot legitimately appear on the interface it arrived on (a private or reserved address arriving from the Internet-facing interface, or a spoofed internal address arriving from the wrong side of a multi-homed host). Logging them lets an administrator see when someone is sending spoofed packets at the machine.

Set net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians to 1 in /etc/sysctl.conf. The messages go to the kernel log (dmesg, /var/log/kern.log) and are rate-limited by the kernel, so an attacker cannot use them to flood the disk.

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

Now reload sysctl configuration

# sudo sysctl -p

 5.7 Enable ignore broadcast request

A smurf attack sends ICMP echo requests to a broadcast address with the victim's address as the source, so that every host on the segment answers and floods the victim. Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 makes this host ignore ICMP echo and timestamp requests sent to broadcast and multicast addresses, so it cannot be used as an amplifier. Set the parameter in /etc/sysctl.conf:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Now reload sysctl configuration

# sudo sysctl -p

5.8 Enable bad error message protection

Some routers violate RFC 1122 by sending bogus ICMP error responses to broadcast frames. By default the kernel logs each of these, which an attacker can exploit to fill the system logs with useless error messages. Setting net.ipv4.icmp_ignore_bogus_error_responses to 1 in /etc/sysctl.conf stops the logging:

net.ipv4.icmp_ignore_bogus_error_responses = 1

Now reload sysctl configuration

# sudo sysctl -p

5.9 Enable RFC recommended source route validation

With reverse path filtering the kernel checks that a packet's source address is reachable through the interface the packet arrived on and drops it otherwise, which defeats most source-address spoofing (RFC 3704). Set net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 (strict mode) in /etc/sysctl.conf. On a multi-homed host with asymmetric routing, strict mode drops legitimate traffic; use 2 (loose mode, which only requires that the source be reachable through some interface) there.

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Now reload sysctl configuration

# sudo sysctl -p

5.10 Enable TCP SYN cookies

A SYN flood fills the listen queue of a service with half-open connections that never complete the three-way handshake, so that legitimate clients are refused. With SYN cookies enabled the kernel encodes the connection state in its SYN-ACK sequence number instead of queueing it when the queue is full, so real clients still get through during the flood. Set net.ipv4.tcp_syncookies to 1 in /etc/sysctl.conf (Ubuntu already sets this, together with rp_filter, in /etc/sysctl.d/10-network-security.conf; keep it there and make sure nothing turns it off):

net.ipv4.tcp_syncookies = 1

Now reload sysctl configuration

# sudo sysctl -p

5.11 Disable IPv6 router advertisement

IPv6 router advertisements let any host on the link announce itself as the default router, so a rogue or compromised machine can pull this host's IPv6 traffic through itself. A server should have static addressing and routes and not accept them.
Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameters to 0 in /etc/sysctl.conf

net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

Now reload sysctl configuration

# sudo sysctl -p

5.12 Disable IPv6 redirect acceptance

As with IPv4 in section 5.4, a forged IPv6 redirect can point the host at a bad route. Configure static routes on the system and do not accept redirects.

Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf

net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

Now reload sysctl configuration

# sudo sysctl -p

5.13 Disable IPv6

If IPv6 is not used on the network, disabling it removes a whole protocol stack's worth of attack surface and avoids IPv6 traffic slipping past IPv4-only firewall rules. If IPv6 is in use, do not disable it; keep the settings above and make sure the firewall rules cover IPv6 as well (ufw does so by default).
Edit the file /etc/sysctl.conf and add the following lines:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Interfaces that come up before sysctl runs at boot can still obtain an IPv6 address; if IPv6 must be off for good, add ipv6.disable=1 to the kernel command line (GRUB_CMDLINE_LINUX in /etc/default/grub, then update-grub) and verify with ip -6 addr, which should print nothing.

Now reload sysctl configuration

# sudo sysctl -p
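The settings of section 5 repeat the same edit-and-reload cycle many times. As an added example (not part of the original article), the following script gathers all of them into one function that prints a sysctl drop-in, and a second function that compares an expected file with a sysctl -a dump taken from a host, reporting every parameter that differs or is missing. The drop-in file name 99-hardening.conf is this example's choice; the disable_ipv6 settings of 5.13 are deliberately left out because they depend on whether the site uses IPv6. The sysctl dump at the bottom is constructed: it represents a host on which forwarding was turned back on and the IPv6 router-advertisement settings were never applied.

```shell
#!/bin/sh
# Added example, not from the original article: the section 5 kernel
# parameters as one drop-in, plus an offline drift check.
# "sysctl -p" reads only /etc/sysctl.conf; "sysctl --system" (and the
# boot-time service on Ubuntu) also loads /etc/sysctl.d/*.conf, which is
# where a drop-in such as 99-hardening.conf (name chosen here) belongs.

# Prints the desired settings (5.1 to 5.12) in sysctl.conf syntax.
hardening_sysctl_conf() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF
}

# Usage: sysctl_drift <expected.conf> <current.dump>
# <current.dump> is the output of "sysctl -a" from the host under review
# (lines of the form "key = value"). Prints one line for every expected
# key whose running value differs or which is absent from the dump, in
# the order of the expected file. Returns 0 for no drift, 1 otherwise.
sysctl_drift() {
    awk '
        # split "key = value" (or "key=value") into the globals k and v
        function kv(line,   i) {
            i = index(line, "=")
            if (i == 0) return 0
            k = substr(line, 1, i - 1); v = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            return 1
        }
        FNR == NR {                       # first file: expected values
            if ($0 !~ /^[ \t]*(#|$)/ && kv($0)) { want[k] = v; order[++n] = k }
            next
        }
        kv($0) { have[k] = v }            # second file: sysctl -a dump
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                if (!(key in have))
                    { print key ": not present on host (expected " want[key] ")"; bad = 1 }
                else if (have[key] != want[key])
                    { print key ": is " have[key] ", expected " want[key]; bad = 1 }
            }
            exit (bad ? 1 : 0)
        }' "$1" "$2"
}

# ---- constructed sample run (no root needed) ----
expected=$(mktemp); dump=$(mktemp)
trap 'rm -f "$expected" "$dump"' EXIT
hardening_sysctl_conf > "$expected"
# a dump from a host where someone re-enabled forwarding and never set
# the IPv6 router-advertisement parameters
cat > "$dump" <<'EOF'
kernel.hostname = web01
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF
sysctl_drift "$expected" "$dump" || echo "host has drifted from policy"
```

On a real host, write the drop-in with hardening_sysctl_conf > /etc/sysctl.d/99-hardening.conf, load it with sysctl --system, then capture sysctl -a into a file and run sysctl_drift against it. The function prints nothing when there is no drift, so it can sit in a cron job that mails any output.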

5.14 Install TCP wrappers

TCP wrappers let a daemon consult /etc/hosts.allow and /etc/hosts.deny before accepting a connection. They only protect daemons linked against libwrap (or started through tcpd from inetd); check with ldd /usr/sbin/sshd | grep libwrap whether your sshd is one of them, since upstream OpenSSH removed tcp_wrappers support in version 6.7 and distribution builds have followed. Treat them as defence in depth behind the firewall of 5.19, not as the primary control, and use them for every service that supports them.

Install tcpd:

# apt-get install tcpd

5.15 Create /etc/hosts.allow

To ensure that only authorised systems can connect to the server, list them in /etc/hosts.allow. Each rule names a daemon (or ALL) and the networks it may be reached from, written as network address and mask:

ALL: <net>/<mask>, <net>/<mask>, ...

For example, to allow every wrapped service from the 192.168.10.0/24 network only, use ALL: 192.168.10.0/255.255.255.0 (the network address, not a host address, goes in front of the mask). Per-daemon rules such as sshd: 192.168.10.0/255.255.255.0 are usually more appropriate than ALL. The tcpdmatch utility from the tcpd package shows which rule a given daemon and client address would match, so test the rules with it before adding the deny-all rule of 5.17.

5.16 Verify permissions on /etc/hosts.allow

It is important to protect /etc/hosts.allow from unauthorized write access. Execute the following command to find the permission of /etc/hosts.allow

# ls -l /etc/hosts.allow

-rw-r--r-- 1 root root 2055 Feb 15 11:30 /etc/hosts.allow

If the permission is incorrect then use the following command to correct it

#chmod 644 /etc/hosts.allow

5.17 Create /etc/hosts.deny

Deny access to everything not explicitly allowed by putting a catch-all rule in /etc/hosts.deny. The allow file is consulted first, then the deny file, so with ALL: ALL in hosts.deny the entries in /etc/hosts.allow become a whitelist. Make sure hosts.allow already grants your own administrative network before creating this file, or you will lock yourself out of every wrapped service:

echo "ALL: ALL" >> /etc/hosts.deny

5.18 Verify permissions on /etc/hosts.deny

It is important to protect /etc/hosts.deny from unauthorized write access. Execute the following command to find the permission of /etc/hosts.deny

# ls -l /etc/hosts.deny
-rw-r--r-- 1 root root 2055 Feb 15 11:30 /etc/hosts.deny

5.19 Ensure firewall is active

Use a host firewall to limit traffic in and out of the box to the addresses and ports the server actually needs, independently of any network firewall in front of it. Ubuntu provides Uncomplicated Firewall (ufw) as a front end to iptables; once enabled, its default policy is to deny incoming and allow outgoing traffic.
Install ufw

# sudo apt-get install ufw

Before enabling it on a remote machine, allow the services you need, SSH first of all: enabling ufw with its default deny-incoming policy before SSH is allowed cuts off your own session. The rule syntax is port/protocol (ufw rejects TCP/22 as a bad port):

# sudo ufw allow 22/tcp
# sudo ufw allow 80/tcp

Activate ufw and review the resulting rule set with ufw status verbose:

# sudo ufw enable

Where possible restrict administrative ports to a source network instead of the whole Internet, which ufw expresses as "ufw allow from <admin-net>/<prefix-length> to any port 22 proto tcp". Rules added with the ufw command take effect immediately and are saved in /etc/ufw/user.rules; reloading is only needed after editing the rule files by hand:

# sudo ufw reload

Switch on logging with ufw logging on if psad (section 14) is going to analyse the firewall log.

6. Logging and Auditing

The Linux audit framework records system calls, file accesses and authentication events in the kernel and writes them through auditd to /var/log/audit/audit.log, where they can be searched with ausearch and summarised with aureport. Install auditd and the dispatcher plugins:

sudo apt-get install auditd audispd-plugins

Make sure the daemon starts at boot. On Ubuntu 16.04 and later (systemd):

# systemctl enable auditd

On Ubuntu 14.04 (sysvinit/upstart), which is what creating the S37auditd start links in /etc/rc*.d by hand used to achieve:

# update-rc.d auditd defaults

The rules in the subsections below go into /etc/audit/audit.rules and are loaded when auditd (re)starts. On auditd 2.6 and later (Ubuntu 18.04 onwards) that file is regenerated by augenrules from the fragments in /etc/audit/rules.d/, so put the rules in a file there (for example /etc/audit/rules.d/hardening.rules) or they will be overwritten. After loading, confirm the active rule set with auditctl -l.

6.1 Configure Audit Log Storage Size

The audit log file size should be chosen carefully so that it does not affect the system and no audit data is lost. max_log_file is the size in megabytes at which auditd rotates (or, with keep_logs from 6.3, starts a new file); choose it together with the size of the /var/log/audit partition from 2.8.
Set the max_log_file parameter in /etc/audit/auditd.conf

max_log_file = <MB>

6.2 Halt the System on Audit Log Full

auditd can warn the administrator when space for the audit log runs low and halt the system when it runs out, so that no activity ever goes unrecorded. Set the following in /etc/audit/auditd.conf:

space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

Understand the trade-off: with halt configured, anyone who can fill /var/log/audit (or the partition it sits on) can take the system down. That is the deliberate choice in high-security environments; the separate partition from 2.8 and a sensible max_log_file are what make it manageable, and the email action only works if a local mail transfer agent is installed.

6.3 Keep All Auditing Information

In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. Add the following line to the /etc/audit/auditd.conf file.

max_log_file_action = keep_logs

6.4 Record Events That Modify Date and Time Information

Unexpected changes to the system date or time are an indication of unauthorised activity (an attacker adjusting the clock to confuse log correlation or to defeat time-based controls).
For 64-bit systems, add the following lines to the /etc/audit/audit.rules file. Both the b64 and the b32 rules are needed on a 64-bit host, because a 32-bit binary issues 32-bit system calls that the b64 rule does not see.

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

Restart auditd to load the rules:

# sudo service auditd restart

For 32-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

Restart auditd to load the rules:

# sudo service auditd restart

6.6 Record Events That Modify User/Group Information

Unexpected changes to /etc/group, /etc/passwd, /etc/gshadow, /etc/shadow or /etc/security/opasswd are a clear indication that an unauthorised user is trying to hide their activity or to compromise additional accounts.
Add the following lines to the /etc/audit/audit.rules file.

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

Restart auditd to load the rules:

# sudo service auditd restart

6.7 Record Events That Modify the System's Network Environment

Changes to the host name, domain name or network configuration can be used to defeat controls keyed on those names (TCP wrappers rules, firewall rules, certificate checks), so record them. The sethostname and setdomainname system calls are watched, along with the files that define the host's identity and network settings (/etc/network/ is the directory holding Ubuntu's interfaces configuration).
For 64-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale

Restart auditd to load the rules:

# sudo service auditd restart

For 32-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale

Restart auditd to load the rules:

# sudo service auditd restart

6.8 Record Events That Modify the System's Mandatory Access Controls

Any change to the mandatory access control policy is an indication that an unauthorised user is attempting to weaken confinement or change security contexts to gain access. Ubuntu's MAC system is AppArmor, whose profiles live in /etc/apparmor.d/ and whose configuration is in /etc/apparmor/; /etc/selinux/ only matters if SELinux has been installed in its place.
Add the following lines to /etc/audit/audit.rules (keep the /etc/selinux/ line only if SELinux is in use):

-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-w /etc/selinux/ -p wa -k MAC-policy

Restart auditd to load the rules:

# sudo service auditd restart

6.9 Collect Login and Logout Events

To monitor login and logout activity and failed attempts (including brute-force attacks), watch the files in which the login programs record them: /var/log/faillog and /var/log/lastlog are written by the login utilities, /var/log/tallylog by pam_tally2 (section 7.2.2). Add the following lines to the /etc/audit/audit.rules file.

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

Restart auditd to load the rules:

# sudo service auditd restart

6.10 Collect Session Initiation Information

Monitor session initiation events. /var/run/utmp tracks current sessions, /var/log/wtmp the login history and /var/log/btmp failed logins; an administrator can use them to spot logins at unusual times, which could indicate unauthorised activity.
Add the following lines to the /etc/audit/audit.rules file.

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

Restart auditd to load the rules:

# sudo service auditd restart

6.11 Collect Discretionary Access Control Permission Modification Events

Changes to file permissions, ownership or extended attributes by ordinary users can indicate intruder activity (for example, making a file world-writable or stripping a security label). The rules are filtered on the login UID: auid>=1000 selects real users (Ubuntu's UID_MIN in /etc/login.defs is 1000; the value 500 found in older material is for distributions whose regular accounts start at 500 and would also capture system accounts here), and auid!=4294967295 excludes processes that never had a login UID set, such as daemons started at boot.
For 64-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

Restart auditd to load the rules:

# sudo service auditd restart

For 32-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

Restart auditd to load the rules:

# sudo service auditd restart

6.12 Collect Unsuccessful Unauthorized Access Attempts to Files

Failed attempts to open, create or truncate files are what an attacker probing for readable secrets or writable system files leaves behind. The rules record calls by real users that failed with EACCES (permission denied) or EPERM (operation not permitted); successful calls are not recorded, which keeps the volume manageable.
For 64-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Restart auditd to load the rules:

# sudo service auditd restart

For 32-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Restart auditd to load the rules:

# sudo service auditd restart

6.13 Collect Use of Privileged Commands

Record every execution of a setuid or setgid program by a real user, so that use of privileged commands (and attempts to abuse them) can be traced. The list of such programs is generated from the local file systems: df prints one mount point per line, find lists the setuid/setgid files on each (-xdev keeps it from crossing into other file systems, such as network mounts), and awk turns each path into an audit rule. Append the output to /etc/audit/audit.rules and restart auditd.

# df --local -P | awk 'NR!=1 {print $6}' | xargs -I '{}' find '{}' -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged"}'

Rerun this after package upgrades: a setuid binary installed by a new package is not covered until its rule exists.

6.14 Collect Unsuccessful File System Mounts

Mounting a file system is a privileged operation; a mount call by an ordinary user (for example, of removable media without the nodev/nosuid/noexec options from section 2) is worth recording. Note that the rule records every mount call by a real user, successful or not.
For 64-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

Restart auditd to load the rules:

# sudo service auditd restart

For 32-bit systems, add the following line to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

Restart auditd to load the rules:

# sudo service auditd restart

6.15 Collect File Deletion Events by User

Record removal and renaming of files by real users, which is how an intruder removes tools and covers tracks. The volume can be high on a busy system; review it with ausearch -k delete rather than by eye.
For 64-bit systems, add the following to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Restart auditd to load the rules:

# sudo service auditd restart

For 32-bit systems, add the following to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Restart auditd to load the rules:

# sudo service auditd restart

6.16 Collect Changes to System Administration Scope

Changes to /etc/sudoers, or to the drop-in files in /etc/sudoers.d/ that Ubuntu uses for the same purpose, can indicate that the scope of administrator privileges has been altered without authorisation.

Add the following lines to the /etc/audit/audit.rules file.

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope

Restart auditd to load the rules:

# sudo service auditd restart

6.17 Collect System Administrator Actions (sudolog)

Record changes to the sudo log, so that use of privileged commands through sudo, and any attempt to tamper with that record, ends up in the audit trail. This watch only helps if sudo actually writes to /var/log/sudo.log: on Ubuntu sudo logs through syslog to /var/log/auth.log by default, so either add "Defaults logfile=/var/log/sudo.log" to /etc/sudoers (with visudo) or watch /var/log/auth.log instead.
Add the following line to the /etc/audit/audit.rules file.

-w /var/log/sudo.log -p wa -k actions

Restart auditd to load the rules:

# sudo service auditd restart

6.18 Collect Kernel Module Loading and Unloading

A loaded kernel module runs with full kernel privilege, which is why rootkits arrive as modules. Record execution of the module utilities and the underlying system calls (finit_module is the file-descriptor variant that current modprobe uses, so it must be listed alongside init_module). Add the following lines to the /etc/audit/audit.rules file.

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules

For 32-bit systems, add

-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -k modules

For 64-bit systems, add both lines, as a 32-bit loader would bypass a b64-only rule

-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -k modules

Restart auditd

# sudo service auditd restart

6.19 Make the Audit Configuration Immutable

To prevent an attacker who gains root from quietly changing the audit rules to hide their activity and restoring them afterwards, lock the configuration. Add the following as the last line of the /etc/audit/audit.rules file:

-e 2

This must be the last line in the file: rules after it are never loaded. Once the lock is in place the rules cannot be changed, even by root, until the system is rebooted, so load and test the complete rule set first and verify it with auditctl -l (auditctl -s should then report enabled 2).
Restart auditd

# sudo service auditd restart
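Before loading the rules from 6.4 through 6.19, it is worth linting the file for the mistakes that creep in when rules are pasted by hand. The script below is an added example, not part of the original article or of the audit package: it checks that -e 2 is the last active line, that no line carries two -w watches, that every auid>= filter matches the UID_MIN passed in, and, for an x86_64 host, that every arch=b64 syscall rule has an arch=b32 twin with the same first system call and key (and vice versa). The rules file at the bottom is constructed with one of each mistake.

```shell
#!/bin/sh
# Added example, not from the original article or the audit package:
# a lint pass over an audit rules file before it is loaded.
# Usage: lint_audit_rules <rules-file> <uid_min>
# Findings, one per line, prefixed with the line number in the file:
#   - "-e 2" that is not the last active line (later rules never load)
#   - two "-w" watches fused onto one line
#   - "-F auid>=N" where N is not the host's UID_MIN (/etc/login.defs)
#   - an arch=b64 syscall rule without an arch=b32 twin (same first
#     syscall and key), or vice versa; both are needed on x86_64
# Returns 0 when the file is clean, 1 otherwise.
lint_audit_rules() {
    awk -v uid_min="$2" '
        /^[ \t]*(#|$)/ { next }                       # comments and blanks
        { last = FNR }
        /^-e[ \t]+2([ \t]|$)/ { lock = FNR }
        gsub(/-w[ \t]/, "&") > 1 {
            print FNR ": more than one -w on a line (fused rule?)"; bad = 1
        }
        match($0, /auid>=[0-9]+/) {
            got = substr($0, RSTART + 6, RLENGTH - 6)
            if (got != uid_min) { print FNR ": auid>=" got " but UID_MIN is " uid_min; bad = 1 }
        }
        /^-a/ && /-F arch=b(32|64)/ {
            arch = ($0 ~ /arch=b64/) ? "b64" : "b32"
            sc = ""; key = ""
            if (match($0, /-S[ \t]+[^ \t]+/)) sc = substr($0, RSTART, RLENGTH)
            if (match($0, /-k[ \t]+[^ \t]+/)) key = substr($0, RSTART, RLENGTH)
            sig = sc " " key
            seen[arch, sig] = FNR; sigs[sig] = 1
        }
        END {
            if (lock && lock != last) { print lock ": -e 2 is not the last rule"; bad = 1 }
            for (s in sigs) {
                if (!(("b32", s) in seen)) { print seen["b64", s] ": no arch=b32 twin for: " s; bad = 1 }
                if (!(("b64", s) in seen)) { print seen["b32", s] ": no arch=b64 twin for: " s; bad = 1 }
            }
            exit (bad ? 1 : 0)
        }' "$1"
}

# ---- constructed rules file with one of each mistake ----
demo_rules=$(mktemp)
trap 'rm -f "$demo_rules"' EXIT
cat > "$demo_rules" <<'EOF'
# constructed audit.rules for the example
-w /etc/passwd -p wa -k identity
-w /etc/issue -p wa -k system-locale -w /etc/hosts -p wa -k system-locale
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-e 2
-w /etc/sudoers -p wa -k scope
EOF

lint_audit_rules "$demo_rules" 1000 || echo "fix the rules before loading them"
```

Run it as lint_audit_rules /etc/audit/audit.rules 1000 (or with whatever UID_MIN /etc/login.defs holds) before every service auditd restart; once -e 2 has been loaded a mistake cannot be corrected without a reboot.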

7. System Access, Authentication and Authorization

7.1 Set User/Group Owner and Permission on cron

Execute the following commands to restrict read, write and search access on the cron configuration to root, so that ordinary users can neither see which jobs run as root (useful reconnaissance for an attacker) nor drop their own jobs into these directories. Which users may schedule their own jobs is controlled separately through /etc/cron.allow and /etc/cron.deny.

# chown root:root /etc/crontab
# chmod og-rwx /etc/crontab
# chown root:root /etc/cron.hourly
# chmod og-rwx /etc/cron.hourly
# chown root:root /etc/cron.daily
# chmod og-rwx /etc/cron.daily
# chown root:root /etc/cron.weekly
# chmod og-rwx /etc/cron.weekly
# chown root:root /etc/cron.monthly
# chmod og-rwx /etc/cron.monthly
# chown root:root /etc/cron.d
# chmod og-rwx /etc/cron.d

7.2 Configure PAM

PAM (Pluggable Authentication Modules) is the framework through which login, sshd, sudo and the other authentication-aware programs on the system perform their authentication, account and password checks. The module stacks in /etc/pam.d must be configured carefully: an error there can lock everyone out or let everyone in, so keep a root shell open while testing changes.

7.2.1 Set Password Creation Requirement Parameters Using pam_cracklib

The pam_cracklib module (package libpam-cracklib; on newer releases pam_pwquality provides the same checks with the same option names) checks the strength of new passwords: that the password is not a dictionary word, meets a minimum length, contains a mix of character classes and is not a trivial variation of the previous one. Set the pam_cracklib.so line in /etc/pam.d/common-password (it must come before the pam_unix.so line) as follows:

password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

retry=3 gives the user three attempts, minlen=14 sets the minimum length, and each negative credit value requires at least one character of that class (digit, upper case, other, lower case). Note that root is not subject to these checks when setting another user's password unless enforce_for_root is added.

7.2.2 Set Lockout for Failed Password Attempts

Locking an account after a number of consecutive failed logins slows brute-force password attacks to a crawl. Edit /etc/pam.d/login and add the auth line below before the pam_unix line:

auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

deny=5 locks the account after five consecutive failures and unlock_time=900 releases it after 15 minutes; onerr=fail means that a problem with the tally file itself fails the login rather than silently allowing it. /etc/pam.d/login only governs console logins; to cover SSH and every other PAM-using service, put the same line in /etc/pam.d/common-auth instead. An administrator can inspect and clear the counter with pam_tally2 --user <user> and pam_tally2 --user <user> --reset. On Ubuntu releases from 22.04 onwards pam_tally2 is no longer shipped and pam_faillock takes its place.

7.2.3 Limit Password Reuse

Preventing users from reusing their last five passwords makes it less likely that an attacker who has obtained an old password (from a breach dump or an old backup) can use it again. On Ubuntu the pam_unix line in /etc/pam.d/common-password is managed by pam-auth-update; append remember=5 to that existing line rather than replacing its control field, which on Ubuntu is [success=1 default=ignore] and not sufficient:

password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5

The old password hashes are kept in /etc/security/opasswd, which section 6.6 already audits.

8. Configure SSH

Edit /etc/ssh/sshd_config and set the following parameters. Validate the file with sshd -t before restarting the service, keep your current session open while you restart, and test a fresh login from a second terminal so that a typo cannot lock you out; sshd -T prints the effective configuration once it is loaded.

Protocol 2
LogLevel VERBOSE
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers <userlist>
AllowGroups <grouplist>
Banner <your bannerfile>

Notes on individual settings. Protocol 2 only matters on OpenSSH older than 7.4, which removed the SSH-1 server entirely; it is harmless elsewhere. LogLevel VERBOSE (rather than INFO) records the fingerprint of the key used for each login, which is what you need to attribute a session to a particular key. The Ciphers, MACs and KexAlgorithms lines drop the CBC ciphers, the MD5 and SHA-1 MACs and the 1024-bit group1 key exchange; every listed algorithm is available from OpenSSH 6.5 (Ubuntu 14.04) onwards. The allow and deny directives are evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups; an allow-list alone is the simpler policy, so add DenyUsers/DenyGroups only for exceptions within an allowed group. ClientAliveInterval 300 with ClientAliveCountMax 0 drops an idle session after five minutes on OpenSSH before 8.2, but from 8.2 onwards a count of 0 disables termination instead, so on current releases enforce idle timeouts with TMOUT in the shell profile. Once every administrator has a key in place, also set PasswordAuthentication no.

9. Restrict Access to the su Command

Prefer sudo over su: sudo logs each command together with the invoking user, supports fine-grained rules and does not require sharing the root password. What remains of su should be limited to a single administrative group. Uncomment the pam_wheel.so line in /etc/pam.d/su so that only members of that group can use su. pam_wheel looks for a group named wheel by default; Ubuntu has no such group, so either create it (groupadd wheel) and add the administrators, or point the module at the existing sudo group with group=sudo:

# grep pam_wheel.so /etc/pam.d/su
auth required pam_wheel.so use_uid group=sudo
# grep '^sudo' /etc/group
sudo:x:27:<user list>

10. User Accounts and Environment

10.1 Set Password Expiration Days

Limit how long a password may stay in use, so that a leaked password has a bounded lifetime. The values in /etc/login.defs only apply to accounts created afterwards, so existing accounts must be updated with chage as well.

Set the PASS_MAX_DAYS parameter to 120 in /etc/login.defs

PASS_MAX_DAYS 120

Modify the active user accounts to match:

# chage --maxdays 120 <user>

Check an account's current settings with chage -l <user>.

10.2 Set Password Change Minimum Number of Days

To prevent a user from changing their password again until a minimum number of days have passed since the last change (which stops a user from cycling through passwords to return to a favourite one and so defeating 7.2.3), set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs. As with PASS_MAX_DAYS this only affects new accounts; use chage for existing ones.

PASS_MIN_DAYS 7

Modify active user parameters to match:
# chage --mindays 7 <user>

10.3 Set Password Expiring Warning Days

The administrator can have users warned before their password expires using the PASS_WARN_AGE parameter in /etc/login.defs, so that expiry does not come as a surprise and users are not tempted to pick a hasty replacement.

Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs

PASS_WARN_AGE  7

Modify active user parameters to match

# chage --warndays 7 <user>

11. System Accounts

11.1 Disable System Accounts

System accounts (those with a UID below UID_MIN, 1000 on Ubuntu, other than root) exist to own files and run daemons and should never be able to log in. Give each of them /usr/sbin/nologin as its shell with usermod -s /usr/sbin/nologin <account> rather than editing /etc/passwd by hand, and make sure they are locked in /etc/shadow (passwd -S <account> shows L for a locked account). The usual exceptions are root, sync, shutdown and halt, whose "shells" are the corresponding commands.

11.2 Set default umask for users

The umask decides the permissions on the files a user creates. The default of 022 leaves every new file readable by every user on the system, which is exactly what a hardened host should avoid. Set a default of 027, so that new files are readable only by the owner and the owner's group (use 077 if users should not share even within their groups). Edit the /etc/login.defs file and set

UMASK 027

If /etc/profile or /etc/bash.bashrc also set a umask, make them agree with this value.

11.3 Lock Inactive User Accounts

Accounts whose password has expired and that have not been used for a while are an easy target, since nobody is watching them. Have the system lock an account 35 days after its password expires. The useradd default only applies to accounts created from now on:

# useradd -D -f 35

Apply the same to existing accounts with chage --inactive 35 <user>, and check with chage -l <user>.
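The password-ageing and system-account rules from 10.1 through 11.3 are easy to check offline. The following is an added example (not part of the original article): a function that reads copies of /etc/passwd and /etc/shadow and reports every account whose ageing fields are outside the policy, every account with an empty password field, and every system account that still has an interactive shell. The sample passwd and shadow contents are constructed for the demonstration; the hashes in them are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not from the original article: an offline check of the
# account policies in sections 10 and 11 against copies of /etc/passwd
# and /etc/shadow (reading the live /etc/shadow needs root).
# Field layout (passwd(5), shadow(5)):
#   passwd: name:x:uid:gid:gecos:home:shell
#   shadow: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Usage: account_audit <passwd> <shadow> <max_days> <min_days> <warn_days> <inactive_days> <uid_min>
# Prints one finding per line; returns 0 if clean, 1 otherwise.
account_audit() {
    awk -F: -v max="$3" -v min="$4" -v warn="$5" -v inact="$6" -v uid_min="$7" '
        function show(x) { return (x == "" ? "unset" : x) }
        FNR == NR { uid[$1] = $3; shell[$1] = $7; next }     # passwd
        {                                                    # shadow
            name = $1; hash = $2
            if (hash == "") { print name ": empty password field"; bad = 1 }
            # a locked account ("!" or "*" hash) cannot use a password, so
            # its ageing fields do not matter; every other account, root
            # included, must follow the policy
            if (hash !~ /^[!*]/) {
                if ($5 == "" || $5 > max)   { print name ": PASS_MAX_DAYS is " show($5) ", policy is " max; bad = 1 }
                if ($4 == "" || $4 < min)   { print name ": PASS_MIN_DAYS is " show($4) ", policy is " min; bad = 1 }
                if ($6 == "" || $6 < warn)  { print name ": PASS_WARN_AGE is " show($6) ", policy is " warn; bad = 1 }
                if ($7 == "" || $7 > inact) { print name ": inactive days is " show($7) ", policy is " inact; bad = 1 }
            }
            # system accounts (uid below UID_MIN, root excepted) must not
            # have an interactive shell, locked or not
            if (name in uid && uid[name] < uid_min && name != "root" &&
                shell[name] !~ /\/(nologin|false)$/)
                { print name ": system account with shell " shell[name]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }' "$1" "$2"
}

# ---- constructed sample data; hashes are placeholders ----
demo_passwd=$(mktemp); demo_shadow=$(mktemp)
trap 'rm -f "$demo_passwd" "$demo_shadow"' EXIT
cat > "$demo_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
deploy:x:1002:1002:Deploy:/home/deploy:/bin/bash
EOF
cat > "$demo_shadow" <<'EOF'
root:$6$placeholder$notarealhash:17000:7:120:7:35::
daemon:*:17000:0:99999:7:::
games:*:17000:0:99999:7:::
alice:$6$placeholder$notarealhash:17000:7:120:7:35::
bob:$6$placeholder$notarealhash:17000:0:99999:7:::
deploy::17000:7:120:7:35::
EOF

# policy from this guide: max 120, min 7, warn 7, inactive 35, UID_MIN 1000
account_audit "$demo_passwd" "$demo_shadow" 120 7 7 35 1000 || echo "account policy violations found"
```

In the sample, games is a system account with a real shell, bob was created before the login.defs changes and never had chage run, and deploy has an empty password field; alice, root and the locked daemon account pass. On a real host run it as root against /etc/passwd and /etc/shadow, and fix findings with usermod -s, chage and passwd -l.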

11.4 Remove OS Information from Login Warning Banners

To keep the operating system name and patch level out of the login banners (an attacker uses them to pick exploits), edit /etc/motd, /etc/issue and /etc/issue.net and remove any lines containing the \m, \r, \s or \v escape sequences, which agetty expands to the machine type, kernel release, system name and OS version.

12. Verify System File Permissions

12.1 Verify Permissions on /etc/passwd, /etc/shadow, /etc/group

These files need to be protected from changes by non-privileged users, while /etc/passwd and /etc/group must remain world-readable because non-privileged programs use them to map names to IDs; /etc/shadow holds the password hashes and must be readable only by root and the shadow group. Apply the same permissions to /etc/gshadow as to /etc/shadow.
Execute the following commands to correct the permissions for these files

# chmod 644 /etc/passwd
# chmod o-rwx,g-rw /etc/shadow
# chmod 644 /etc/group

12.2 Verify User/Group Ownership on /etc/passwd, /etc/shadow, /etc/group

These files must be owned by root so that only root can change them; /etc/shadow (and /etc/gshadow) belong to the shadow group, which lets the few setgid helpers that validate passwords read them without running as root.
Execute the following commands to correct the ownership for these files

# chown root:root /etc/passwd
# chown root:shadow /etc/shadow
# chown root:root /etc/group

13. Check for rootkits

A few tools can check a server for known rootkits; the two popular ones are rkhunter and chkrootkit. Run one of them periodically (for example from cron, mailing the result to an administrator), and keep in mind that any scanner run on a compromised host can be lied to by the rootkit it is looking for; a suspicious result should be confirmed by examining the disk from clean boot media.

Install chkrootkit

# sudo apt-get install chkrootkit

To run chkrootkit (it needs root to read the files it inspects), execute the following command in the terminal

# sudo chkrootkit

14. PSAD IDS/IPS

To detect intrusions on your network you can use tools such as snort or cipherdyne's psad. The latter combines intrusion detection with iptables log analysis: psad is a lightweight daemon that analyzes the iptables log messages written to the kernel log to detect port scans and other suspicious traffic.

Install PSAD

#sudo apt-get install psad

psad only sees what iptables logs, so it detects nothing until the firewall has LOG rules. Add a LOG target at the end of the INPUT and FORWARD chains (iptables -A INPUT -j LOG and iptables -A FORWARD -j LOG, after the ACCEPT rules, so only unwanted packets are logged), set EMAIL_ADDRESSES and HOSTNAME in /etc/psad/psad.conf, restart psad with psad -R and check its view of the traffic with psad -S. Intrusion prevention, meaning that psad automatically adds iptables rules blocking a scanning host, is switched on with ENABLE_AUTO_IDS in the same file; test it carefully, because a spoofed scan can make it block a legitimate address.
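What psad does with those log lines, reduced to a single rule as an added example (not psad's code and not from the original guide): the script reads iptables LOG lines and reports source addresses that sent TCP SYNs to at least N distinct destination ports. The log lines are constructed for the example and the threshold is an arbitrary assumption; psad's own scoring is configured through the danger levels in psad.conf.

```shell
#!/bin/sh
# Added example (not psad's code, not from the original guide): a one-rule port
# scan detector over iptables LOG lines, to show what psad extracts from them.
# Sample log lines are constructed; the threshold passed in is an assumption.

scan_sources() {
    # $1: minimum number of distinct destination ports per source address.
    # Reads kernel log lines on stdin, prints "<source> <distinct ports>" per suspect.
    awk -v thr="$1" '
        # only TCP packets carrying the SYN flag: connection attempts, not replies
        /PROTO=TCP/ && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once so retransmits do not inflate the score
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort
}

# Constructed sample of what "iptables -A INPUT -j LOG" writes to the kernel log:
# 203.0.113.5 probes six ports (one retransmitted), 192.0.2.7 is a normal client.
SAMPLE_LOG='Jul 29 10:00:01 host kernel: [ 1201.100] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:01 host kernel: [ 1201.101] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:01 host kernel: [ 1201.102] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44323 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:01 host kernel: [ 1201.103] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44324 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:02 host kernel: [ 1202.104] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44325 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:02 host kernel: [ 1202.105] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44326 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:03 host kernel: [ 1203.106] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:03 host kernel: [ 1203.107] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:03 host kernel: [ 1203.108] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.7 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=229 RES=0x00 ACK URGP=0
Jul 29 10:00:04 host kernel: [ 1204.109] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.7 DST=198.51.100.10 LEN=73 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=53'

printf '%s\n' "$SAMPLE_LOG" | scan_sources 5
```

On a live host the same function can be fed the real log (grep for the LOG rule's prefix in /var/log/kern.log or journalctl -k). The SYN filter is what keeps a busy but legitimate client from scoring: 192.0.2.7 sends several packets but only one connection attempt to one port, and its UDP traffic is ignored entirely.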

15. Prevent IP Spoofing

Add the following lines to /etc/host.conf. With nospoof on, the resolver library verifies after each address lookup that the reverse lookup of the returned address maps back to the same host name, and fails the query if it does not.

order bind,hosts
nospoof on

Note that this is a resolver-level check against spoofed DNS answers in name lookups; it does nothing about forged source addresses at the IP layer, for which the kernel's reverse path filtering (net.ipv4.conf.all.rp_filter = 1) is the control.

16. Enabling automatic security updates

It is highly recommended to enable automatic installation of security updates to keep the system patched. On a server, the message of the day shown at each SSH login reports how many updates are pending. On Ubuntu Desktop, open "System" > "Administration" > "Software Sources", select "Internet Updates" and enable "Check for updates automatically", set to daily; when Ubuntu issues a security release, the "Update Manager" icon in the system tray notifies you. For unattended installation use the unattended-upgrades package: running sudo unattended-upgrade installs every security update currently available, and once enabled it does so on a daily schedule.

Install this package if it isn't already installed using

# sudo apt-get install unattended-upgrades

To enable it type

# sudo dpkg-reconfigure unattended-upgrades

and select "yes".
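The files behind that setup, as an added example that is not part of the original post: the 20auto-upgrades file that dpkg-reconfigure writes, and the settings in 50unattended-upgrades that limit automatic installation to the security pocket. Paths and the origin pattern are the Ubuntu package defaults; the reboot and mail settings are explicit choices shown here, not something the page prescribes.

```conf
# /etc/apt/apt.conf.d/20auto-upgrades  (written by "dpkg-reconfigure unattended-upgrades")
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

# /etc/apt/apt.conf.d/50unattended-upgrades  (relevant settings only)
# Only packages from the security pocket are installed automatically;
# regular -updates are left for a manual apt-get upgrade.
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
};
# Never reboot on its own; kernel updates are applied at a planned maintenance reboot.
Unattended-Upgrade::Automatic-Reboot "false";
# Send a report of what was installed (needs a working local mail setup).
Unattended-Upgrade::Mail "root";
```

Check the result with sudo unattended-upgrade --dry-run --debug, which lists the packages that would be installed without touching them, and watch /var/log/unattended-upgrades/unattended-upgrades.log for the real runs.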

17. Harden PHP

Edit the php.ini file /etc/php5/apache2/php.ini (on Ubuntu 16.04 and later the file lives under /etc/php/<version>/apache2/php.ini) and uncomment or add the following lines. Note that safe_mode, safe_mode_gid, register_globals and magic_quotes_gpc only exist in PHP 5.3 and earlier: they were removed in PHP 5.4, and PHP silently ignores a php.ini directive it does not know, so on a current PHP those four lines are harmless but do nothing. track_errors was removed in PHP 8.0.

safe_mode = On

safe_mode_gid = On

disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

register_globals = Off

expose_php = Off

display_errors = Off

track_errors = Off

html_errors = Off

magic_quotes_gpc = Off

mail.add_x_header = Off

session.name = NEWSESSID

allow_url_fopen = Off

allow_url_include = Off

session.save_path = <a directory outside the document root, writable only by the web server user>

disable_functions is the directive that does the real work: it removes the functions an injected payload would use to run commands (exec, system, shell_exec, passthru, proc_open) or to fingerprint the host. Review the list against the application before applying it, since set_time_limit and ignore_user_abort in particular are used by many legitimate applications, and add popen, which also executes commands and is missing from the list above. allow_url_include = Off stops a remote file inclusion through include($_GET['page']); allow_url_fopen = Off also breaks any application that fetches HTTP resources with file_get_contents, so test it.

18. Harden Apache

Edit the Apache2 security configuration file /etc/apache2/conf-available/security.conf (enabled by default through conf-enabled) and set the following. ServerTokens Prod and ServerSignature Off stop Apache from reporting its version and modules, TraceEnable Off disables the TRACE method, and the two ETag lines stop inode details from leaking in the ETag header; Header unset ETag requires the headers module, which is enabled further down.

ServerTokens Prod

ServerSignature Off

TraceEnable Off

Header unset ETag

FileETag None

The web application firewall ModSecurity is an effective way to protect the web server, making it much less vulnerable to probes, scans and attacks. First install mod_security with the following command and create the configuration file from the recommended template shipped with the package.

# sudo apt-get install libapache2-mod-security2

# mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Edit /etc/modsecurity/modsecurity.conf

The shipped file sets SecRuleEngine DetectionOnly, which logs matches but blocks nothing; run the application in that mode until the audit log (/var/log/apache2/modsec_audit.log) is free of false positives, then activate the rules by setting it to On. SecServerSignature changes the server signature ModSecurity advertises, but only when Apache's ServerTokens is Full; with ServerTokens Prod from the previous section the Server header is already reduced to "Apache" and this line has no effect.

SecRuleEngine On

SecServerSignature FreeOSHTTP

Now edit the following two limits (values are in bytes) to allow request bodies up to roughly 16 MB, so that file uploads of that size are not rejected:

SecRequestBodyLimit 16384000

SecRequestBodyInMemoryLimit 16384000

Download and install the OWASP ModSecurity Core Rule Set. The steps below match the layout of the 2.2.x releases (base_rules, optional_rules and modsecurity_crs_10_setup.conf.example); the master branch of the repository now tracks the 3.x series and later, which replaces the setup file with crs-setup.conf.example and keeps all rules in a single rules/ directory, so with a current download include crs-setup.conf and rules/*.conf instead of the activated_rules links.

# wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/master.zip

# unzip master.zip

# cp -r owasp-modsecurity-crs-master/* /etc/modsecurity/

# mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf

# ls /etc/modsecurity/base_rules | xargs -I {} ln -s /etc/modsecurity/base_rules/{} /etc/modsecurity/activated_rules/{}

# ls /etc/modsecurity/optional_rules | xargs -I {} ln -s /etc/modsecurity/optional_rules/{} /etc/modsecurity/activated_rules/{}

Now add the following line inside the <IfModule security2_module> block of /etc/apache2/mods-available/security2.conf (the file the libapache2-mod-security2 package installs; older packages named it mod-security.conf)

Include "/etc/modsecurity/activated_rules/*.conf"

Enable the headers module (needed for Header unset ETag) and the ModSecurity module, which the libapache2-mod-security2 package registers under the name security2, then confirm with apache2ctl -M that headers_module and security2_module are listed as loaded.

# sudo a2enmod headers

# sudo a2enmod security2

Now restart Apache2

# service apache2 restart
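A quick check that the Apache and PHP settings above took effect, as an added example that is not part of the original guide: the function reads HTTP response headers (for a live server, the output of curl -sI http://localhost/) and reports the disclosures those settings remove. Both header sets in the block are constructed samples, not output from a real server.

```shell
#!/bin/sh
# Added example (not from the original guide): check captured HTTP response
# headers for the information leaks the Apache and PHP sections remove.
# Feed it the output of: curl -sI http://localhost/
# The two header sets below are constructed samples.

header_findings() {
    # Reads raw response headers on stdin, prints one finding per line and
    # returns 1 if anything was found, 0 if the headers look hardened.
    tr -d '\r' | awk '
        tolower($1) == "server:" && $0 ~ /[0-9]+\.[0-9]/ {
            print "Server header discloses a version: " $0 "  (ServerTokens Prod)"; bad = 1
        }
        tolower($1) == "etag:" {
            print "ETag present, may leak inode details: " $0 "  (Header unset ETag / FileETag None)"; bad = 1
        }
        tolower($1) == "x-powered-by:" {
            print "X-Powered-By present, discloses PHP: " $0 "  (expose_php = Off)"; bad = 1
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample: a default install before hardening.
WEAK_HEADERS='HTTP/1.1 200 OK
Date: Fri, 29 Jul 2016 10:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4
ETag: "2d-53909f6bf7b3f"
Content-Type: text/html'

# Constructed sample: the same server after the settings above.
HARDENED_HEADERS='HTTP/1.1 200 OK
Date: Fri, 29 Jul 2016 10:00:00 GMT
Server: Apache
Content-Type: text/html'

echo "--- before hardening ---"
printf '%s\n' "$WEAK_HEADERS" | header_findings || echo "(not hardened)"
echo "--- after hardening ---"
printf '%s\n' "$HARDENED_HEADERS" | header_findings && echo "no findings"
```

The headers do not show whether TRACE is disabled; check that separately with curl -sI -X TRACE http://localhost/, which should return 405 once TraceEnable Off is active. Pointing the same check at the ModSecurity rules is just as simple: a request such as curl -s -o /dev/null -w '%{http_code}' 'http://localhost/?q=<script>alert(1)</script>' should return 403 once SecRuleEngine is On and the Core Rule Set is loaded.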

Apart from ModSecurity, install mod_evasive (package libapache2-mod-evasive) to rate-limit clients that flood the server with requests; it mitigates simple HTTP denial-of-service attempts from a small number of hosts, not a bandwidth-level DDoS.

Once you have hardened the system, run vulnerability scans and penetration tests against it to check that it is actually as solid as you now expect. An attack on your server can still succeed, so it is up to you to review the log files regularly for evidence of a breach; a log analysis stack such as ELK lets you drill through a server's logs quickly. If you find evidence of a breach, disconnect the server from the internet promptly and take remedial action.

Filed Under : SECURITY, UBUNTU HOWTO
