Ubuntu is termed as the highly secured operating system available but it has flaws in its default install like every other operating system. To remove these weaknesses, IT Security specialist has issued guidelines to combat your system's back-doors/weaknesses and protect you from some of the common Ubuntu exploits. In this guide we will look at few important security settings that every system administrator want to apply in his server.
1. Harden boot settings
To prevent non root users from changing the boot loader configuration file which is /boot/grub/grub.cfg, set the owners and groups of this file to root. Execute the following command to change the ownership to root.
# chown root:root /boot/grub/grub.cfg
To prevent the non root users from reading the boot parameters, set the permission for boot loader file to read and write only. Execute the following command to achieve this benchmark.
# chmod og-rwx /boot/grub/grub.cfg
Also set a password for boot loader, so that any unauthorized user trying to reboot the system must provide a password to proceed to next step. This ensures an unauthorized user will be unable to change the boot parameter like disabling the SELinux or changing the boot partition. Execute the following command to create a boot loader password.
# grub-mkpasswd-pbkdf2
Now create a new file by the name /etc/grub.d/00_header and add the following lines.
set superusers="<user-list>"
password_pbkdf2 <user> <encrypted-password>
Remove the --unrestricted option in CLASS parameter of the file /etc/grub.d/10_linux . This ensures a mandatory password requirement to proceed to next step i.e editing boot parameters.
Update the grub
# update-grub
2. Secure file-system
Create partitions based under different categories like users data in /home partition, swap files in /swap partition, temporary files in /tmp partition, system configurations files in /etc partition, device files in /dev partition etc. This will prevent resource exhaustion as well as flexible mounting options based on intended usage of data.
2.1 Create partition for /tmp
The first reason for creating separate partition for /tmp is there are chances of resource exhaustion since /tmp directory is world-writable. Also making a separate partition for /temp allows to set noexec option marking it useless for unauthorized user to execute code and hard-link to system setuid program.
2.2 Set nodev option for /tmp
Set nodev option for /tmp partition to prevent users from creating block/character device file. Edit /etc/fstab file and add the following line.
# mount -o remount,nodev /tmp
2.3 Set nosuid option for /tmp
To prevent users from creating set userid files in /tmp file system add the following line in /etc/fstab since /tmp file-system is used for temporary file storage.
# mount -o remount,nosuid /tmp
2.4 Set noexec option for /tmp
To prevent users from running executable binaries, set noexec option for /tmp partition. Add the following line in /etc/fstab to block running executable binaries.
# mount -o remount,noexec /tmp
2.5 Create separate partition for /var
The systems daemons and other services temporarily store dynamic data in /var with some directories may be world writable. Therefore there is chances of resource exhaustion in /var. To prevent the resource exhaustion in /var, create a separate partition for /var in new installation and for previously installed system, use LVM to create new partition.
2.6 Bind /var/tmp to /tmp
Binding mounting of /var/tmp to /tmp will allow /var/tmp to be protected in the same way as /tmp is protected. This will also prevent /var from exhausting memory in /var/tmp with temporary files. Execute the following command to bind /tmp and /var/tmp
# sudo mount --bind /tmp /var/tmp
To make it permanent add the following line in /etc/fstab
# /tmp /var/tmp none bind 0 0
2.7 Create separate partition for /var/log
To protect sensitive audit data and protection against resource exhaustion, create a separate partition for /var/log in new installation and for previously installed system, use LVM to create new partition.
2.8 Create separate partition for /var/log/audit
The audit daemon stores log data in /var/log/audit directory. To protect against resource exhaustion as audit log can grow to a large size and also to protect sensitive audit data, create a separate partition for /var/log/audit in new installation and for previously installed system, use LVM to create new partition.
2.9 Create separate partition for /home
The users data are stored in /home directory. It is possible to restrict the type of files that can be stored in /home. To achieve this create a separate partition for /home in new installation and for previously installed system, use LVM to create new partition. Also a separate partition for /home protect against resource exhaustion.
2.10 Set nodev for /home
To prevent the /home directory is being used for defining character and block special device, set nodev option so that users cannot create these types of file. Edit /etc/fstab file and add the following lines in it.
# mount -o remount, nodev /home
2.11 Set nodev for removable media
An user can deceive security controls by using character and block special device from removable media to access sensitive device files like /dev/kmem. Edit /etc/fstab file and add the following lines in it.
# mount -o remount, nodev { removable device like floppy or cdrom or USB stick etc. }
2.12 Set noexec to removable media
To prevent programs from being executed from removable media so that no malicious programs can be placed in the system, add the following lines in /etc/fstab
# mount -o remount,noexec { removable device like floppy or cdrom or USB stick etc. }
2.13 Add nosuid to removable media
To prevent the removable media from being used as setuid/setgid, which allows non root users to place privileged programs in the system. Edit /etc/fstab and add the following lines in it
# mount -o remount,nosuid { removable device like floppy or cdrom or USB stick etc. }
2.14 Add nodev option for /run/shm partition
To prevent the users from creating special device files in /run/shm partitions, add the following line in /etc/fstab. This ensures users will be unable to create devices in /run/shm
# mount -o remount,nodev /run/shm
2.15 Add nosuid option to /run/shm partition
To prevent the /run/shm from being used as setuid/setgid, that allows non root users to place privileged programs in the system. The users can execute the program with his own uid and gid. Edit /etc/fstab and add the following lines in it
# mount -o remount,nosuid /run/shm
2.16 Add noexec to /run/shm partition
To prevent /run/shm partition from being used for executing programs, add the following lines in /etc/fstab
# mount -o remount, noexec /run/shm
2.17 Set sticky bit on to world writable directories
To prevent the users from deleting or renaming files in this directory that are not owned by them , set sticky bit on.
# chmod +t /tmp
or
# chmod 1777 /tmp
3. Discard legacy systems
Don't install/use the following legacy services and utilities as there are vulnerabilities in these system/utilities . These are - NIS , RSH server/client , talk server/client , Telenet, TFTP, XINETD, Chargen, Daytime, echo, discard, time
4. Discard special purpose services
Don't install/use the following services as there are vulnerabilities in these services. These are-
X Window system, Avahi Server Print server, DHCP server, LDAP, NFS and RPC, DNS server, FTP, Samba, SNMP, Rsync, BIOSDEVNAME. Few of the above services are indeed needed for day to day operation like DNS server. In that situation, it is advisable to install these server in a separate host that does not contain any sensitive data.
5. Network configuration and firewall
5.1 Disable IP forwarding
To prevent the server is being used to forward packets i.e to act as a router, set net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf
net.ipv4.ip_forward = 0
Now reload sysctl configuration
# sudo sysctl -p
5.2 Disable sendpacket redirect
An unauthorized user can use a compromised host from sending ICMP redirects packets to other routing device to corrupt routing. To disable redirecting of packets set net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameter to 0 in /etc/sysctl.conf
# net.ipv4.conf.all.send_redirects = 0
# net.ipv4.conf.default.send_redirects = 0
Now reload sysctl configuration
# sudo sysctl -p
5.3 Disable source route packet acceptance
Using source routed packets, an user can gain access to the private address of the system since route can be specified.
Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf
# net.ipv4.conf.all.accept_source_route=0
# net.ipv4.conf.default.accept_source_route=0
Now reload sysctl configuration
# sudo sysctl -p
5.4 Disable ICMP redirect acceptance
An user can alter the routing table to send packets to incorrect networks using bogus ICMP redirect thus allowing the packets to be captured. To disable ICMP Redirect Acceptance set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf
# net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.default.accept_redirects parameters = 0
Now reload sysctl configuration
# sudo sysctl -p
5.5 Disable Secure ICMP Redirect Acceptance
Secure ICMP redirects and ICMP redirects are almost same, only difference is being Secure ICMP redirects packets's source is a gateway. If the source gateway is compromised then an user can update the routing table using Secure ICMP redirects.
Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf to disable Secure ICMP Redirect Acceptance.
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
Now reload sysctl configuration
# sudo sysctl -p
5.6 Log Suspicious Packets
An administrator can diagnose the system when an attacker is sending spoofed packets.
Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf to prevent this.
# net.ipv4.conf.all.log_martians=1
# net.ipv4.conf.default.log_martians=1
Now reload sysctl configuration
# sudo sysctl -p
5.7 Enable ignore broadcast request
To prevent smurf attack in a network set net.ipv4.icmp_echo_ignore_broadcasts to 1 which will enable the system to ignore all ICMP echo and timestamps requests to broadcast and multicast addresses. Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf
# net.ipv4.icmp_echo_ignore_broadcasts=1
Now reload sysctl configuration
# sudo sysctl -p
5.8 Enable bad error message protection
To prevent the attacker from sending responses that violates RFC-1122 in an attempt to insert system log files with useless error messages. Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf to block bogus error responses.
# net.ipv4.icmp_ignore_bogus_error_responses=1
Now reload sysctl configuration
# sudo sysctl -p
5.9 Enable RFC recommended source route validation
Using reverse path filtering , kernel can determine if the packet is valid otherwise it will drop the packet.
Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf
# net.ipv4.conf.all.rp_filter=1
# net.ipv4.conf.default.rp_filter=1
Now reload sysctl configuration
# sudo sysctl -p
5.10 Enable TCP SYN cookies
An attacker can start a DOS attack in the server by flooding SYN packets without initializing three way handshake.To prevent this set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf
# net.ipv4.tcp_syncookies=1
Now reload sysctl configuration
# sudo sysctl -p
5.10 Disable IPv6 router advertisement
Enable server to not accept router advertisements since this can trap into routing traffic to compromised systems.
Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf
# net.ipv6.conf.all.accept_ra=0
# net.ipv6.conf.default.accept_ra=0
Now reload sysctl configuration
# sudo sysctl -p
5.12 Disable IPv6 redirect acceptance
Enable server to not accept router advertisements since this can trap into routing traffic to compromised systems. It is recommended to set hard routes within the system to protect the system from bad routes.
Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf
# net.ipv6.conf.all.accept_redirects=0
# net.ipv6.conf.default.accept_redirects=0
Now reload sysctl configuration
# sudo sysctl -p
5.13 Disable IPv6
To reduce the probability of attack in the system, disable IPv6
Edit the file /etc/sysctl.conf and add the following lines:
# net.ipv6.conf.all.disable_ipv6=1
# net.ipv6.conf.default.disable_ipv6=1
# net.ipv6.conf.lo.disable_ipv6=1
Now reload sysctl configuration
# sudo sysctl -p
5.14 Install TCP wrappers
Use TCP wrappers for all services that support TCP wrappers.
Install tcpd:
# apt-get install tcpd
5.15 Create /etc/hosts.allow
To ensure that only authorized systems can connect to the server, use /etc/hosts.allow
Edit /etc/hosts.allow and add the following
"ALL: <net>/<mask>, <net>/<mask>, …"
e.g <net> = 192.168.10.100 , <mask> = 255.255.255.0
5.16 Verify permissions on /etc/hosts.allow
It is important to protect /etc/hosts.allow from unauthorized write access. Execute the following command to find the permission of /etc/hosts.allow
# ls -l /etc/hosts.allow
-rw-r--r-- 1 root root 2055 Feb 15 11:30 /etc/hosts.allow
If the permission is incorrect then use the following command to correct it
#chmod 644 /etc/hosts.allow
5.17 Create /etc/hosts.deny
Deny access to the server using /etc/hosts.deny . The file /etc/hosts.deny is configured to deny
all hosts those are not mentioned in /etc/hosts.allow. Create the file /etc/hosts.deny
echo "ALL: ALL" >> /etc/hosts.deny
5.18 Verify permissions on /etc/hosts.deny
It is important to protect /etc/hosts.deny from unauthorized write access. Execute the following command to find the permission of /etc/hosts.deny
# ls -l /etc/hosts.deny
-rw-r--r-- 1 root root 2055 Feb 15 11:30 /etc/hosts.deny
5.19 Ensure firewall is active
To limit the communication in and out of the box to specific IP address and port, use firewall. Ubuntu provides Uncomplicated Firewall (UFW) to easily configure firewall configuration.
Install UFW
# sudo apt-get install ufw
Activate ufw:
# sudo ufw enable
example:
Allow SSH and http services.
# sudo ufw allow TCP/80
# sudo ufw allow TCP/22
# sudo ufw reload
6. Logging and Auditing
By using a powerful audit framework, the system can track many event types to monitor and audit the system.
Install auditd using following command
sudo apt-get install auditd audispd-plugins
If needed create proper start links for auditd in /etc/rc*.d by running the following command from each of the relevant directories:
# ln -s /etc/init.d/auditd S37auditd
Start links should be created for run levels
6.1 Configure Audit Log Storage Size
The audit log file size should be chosen carefully so that it does not effect the system and no audit data is lost.
Set the max_log_file parameter in /etc/audit/auditd.conf
max_log_file = <MB>
6.2 Disable System on Audit Log Full
The auditd daemon can be configured to halt the system when the audit logs are full. Perform the following to determine if auditd is configured to notify the administrator and halt the system when audit logs are full.
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
6.3 Keep All Auditing Information
In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. Add the following line to the /etc/audit/auditd.conf file.
max_log_file_action = keep_logs
6.4 Record Events That Modify Date and Time Information
To monitor unusual changes in system date and/or time which is an indication of unauthorized activity on the system.
For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change
# Execute the following command to restart auditd
# sudo service auditd restart
For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change
# Execute the following command to restart auditd
# sudo service auditd restart
6.6 Record Events That Modify User/Group Information
Unexpected changes to /etc/group, /etc/passwd, /etc/gshadow, /etc/shadow, /etc/security/opasswd is clear indication of unauthorized user is trying to hide their activities or compromise additional accounts.
Add the following lines to the /etc/audit/audit.rules file.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Execute the following command to restart auditd
# sudo service auditd restart
6.7 Record Events That Modify the System's Network Environment
To prevent unauthorized changes to host and domain-name of a system to break security parameters that are set based on those names, add the following lines in /etc/audit/audit.rules
For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale
# Execute the following command to restart auditd
# sudo service auditd restart
For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale
# Execute the following command to restart auditd
# sudo service auditd restart
6.8 Record Events That Modify the System's Mandatory Access Controls
Any changes to files in /etc/selinux is an indication of unauthorized user is attempting to modify access controls and change security contexts to gain access to the system.
Add the following lines to /etc/audit/audit.rules
-w /etc/selinux/ -p wa -k MAC-policy
# Execute the following command to restart auditd
# sudo service auditd restart
6.9 Collect Login and Logout Events
To monitor information related to login/logout/brute force attacks add the following lines to the /etc/audit/audit.rules file.
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
# Execute the following command to restart auditd
# sudo service auditd restart
6.10 Collect Session Initiation Information
Monitor session initiation events. A system administrator can monitor logins occurring at unusual time, which could indicate an unauthorized activity.
Add the following lines to the /etc/audit/audit.rules file.
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
# Execute the following command to restart auditd
# sudo service auditd restart
6.11 Collect Discretionary Access Control Permission Modification Events
Find changes in file attributes which is an indication of intruder activity.
For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# Execute the following command to restart auditd
# sudo service auditd restart
For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# Execute the following command to restart auditd
# sudo service auditd restart
6.12 Collect Unsuccessful Unauthorized Access Attempts to Files
Find failed attempts to open, create or truncate files to gain unauthorized access to the system.
For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
# Execute the following command to restart auditd
# sudo service auditd restart
For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
# Execute the following command to restart auditd
# sudo service auditd restart
6.13 Collect Use of Privileged Commands
Find out if there is any uses of privileged commands by non-privileged users to gain access to the system. First execute the following comand then add the output of the following command to /etc/audit/audit.rules file
# find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 \ -k privileged" }'
6.14 Collect Unsuccessful File System Mounts
To track mounting of the file systems by non privileged user add the following rules in /etc/audit/audit.rules file
For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
# Execute the following command to restart auditd
# sudo service auditd restart
For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
# Execute the following command to restart auditd
# sudo service auditd restart
6.15 Collect File Deletion Events by User
To find out if any removal of files and file attributes associated with protected files is occurring add the following rules.
For 64 bit systems, add the following to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
Execute the following command to restart auditd
# sudo service auditd restart
For 32 bit systems, add the following to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
# Execute the following command to restart auditd
# sudo service auditd restart
6.16 Collect Changes to System Administration Scope
Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.
Add the following lines to the /etc/audit/audit.rules file.
-w /etc/sudoers -p wa -k scope
# Execute the following command to restart auditd
# sudo service auditd restart
6.17 Collect System Administrator Actions (sudolog)
To prevent unauthorized users from using privileged command, find out if any changes takes place in /var/log/sudo.log.
Add the following lines to the /etc/audit/audit.rules file.
-w /var/log/sudo.log -p wa -k actions
Restart auditd
# sudo service auditd restart
6.18 Collect Kernel Module Loading and Unloading
To find out if any unauthorized user is using insmod, rmmod and modprobe and thus compromising the security of the system, Add the following lines to the /etc/audit/audit.rules file.
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
For 32 bit systems, add
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
For 64 bit systems, add
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
Restart auditd
# sudo service auditd restart
6.19 Make the Audit Configuration Immutable
To prevent unauthorized users to make changes to the audit system to hide their malicious activity and then revert the audit rules back, add the following lines to the
/etc/audit/audit.rules file.
-e 2
This must be the last line in the /etc/audit/audit.rules file
Restart auditd
# sudo service auditd restart
7. System Access, Authentication and Authorization
7.1 Set User/Group Owner and Permission on cron
Execute the following commands to restrict read/write and search access to root user and groups, preventing normal users from accessing these files/directories.
# chown root:root /etc/crontab
# chmod og-rwx /etc/crontab
# chown root:root /etc/cron.hourly
# chmod og-rwx /etc/cron.hourly
# chown root:root /etc/cron.daily
# chmod og-rwx /etc/cron.daily
# chown root:root /etc/cron.weekly
# chmod og-rwx /etc/cron.weekly
# chown root:root /etc/cron.monthly
# chmod og-rwx /etc/cron.monthly
# chown root:root /etc/cron.d
# chmod og-rwx /etc/cron.d
7.2 Configure PAM
PAM (Pluggable Authentication Modules) is a service that implements modular authentication modules on UNIX systems. PAM must be carefully configured to secure system authentication.
7.2.1 Set Password Creation Requirement Parameters Using pam_cracklib
The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more.
Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password
password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
7.2.2 Set Lockout for Failed Password Attempts
Locking out users after unsuccessful consecutive login attempts to prevent brute force password attacks against your systems.
Edit the /etc/pam.d/login file and add the auth line below:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
7.2.3 Limit Password Reuse
Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password
password sufficient pam_unix.so remember=5
8. Configure SSH
Edit the /etc/ssh/sshd_config file to set the following parameter as follows to make it secure.
Protocol 2
LogLevel INFO
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
Banner <your bannerfile>
9. Restrict Access to the su Command
Use sudo instead of su as it provides a better logging out and audit mechanism. The another motivation for using sudo is to restrict the uses of su. Uncomment the pam_wheel.so line in /etc/pam.d/su, so that su command will be available to users in the wheel group to execute su.
# grep pam_wheel.so /etc/pam.d/su
auth required pam_wheel.so use_uid
# grep wheel /etc/group
wheel:x:10:root, <user list>.....
10. User Accounts and Environment
10.1 Set Password Expiration Days
Reduce the maximum age of a password.
Set the PASS_MAX_DAYS parameter to 120 in /etc/login.defs
PASS_MAX_DAYS 60
Modify active user parameters to match:
# chage --maxdays 120 <user>
10.2 Set Password Change Minimum Number of Days
To prevent the user from changing their password until a minimum no of days have passed since the user changed the password. Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs
PASS_MIN_DAYS 7
Modify active user parameters to match:
# chage --mindays 7 <user>
10.3 Set Password Expiring Warning Days
The administrator can notify the users about the expiry of their password using ASS_WARN_AGE parameter in /etc/login.defs.
Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs
PASS_WARN_AGE 7
Modify active user parameters to match
# chage --warndays 7 <user>
11. System Accounts
11.1 Disable System Accounts
To prevent the system account from being used to get an interactive shell, append “/usr/sbin/nologin” at the end of each system accounts in /etc/passwd
11.2 Set Default
umask for Users
Set umask of 022 will make files readable by every user on the system.
Edit the /etc/login.defs file and add the following line
UMASK 022
11.3 Lock Inactive User Accounts
To make the system more secure, execute the following command to lock the inactive accounts.
# useradd -D -f 35
11.4 Remove OS Information from Login Warning Banners
To prevent the OS and patch level information from login banners, edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \m, \r, \s or \v.
12. Verify System File Permissions
12.1 Verify Permissions on /etc/passwd, /etc/shadow, /etc/group
These file needs to be protected from unauthorized changes by non-privileged users as well as needs to be readable as this information is used by non-privileged programs.
Execute the following commands to correct the permissions for these files
# chmod 644 /etc/passwd
# chmod o-rwx,g-rw /etc/shadow
# chmod 644 /etc/group
12.2 Verify User/Group Ownership on /etc/passwd, /etc/shadow, /etc/group
These file needs to be protected from unauthorized changes by non-privileged users as well as needs to be readable as this information is used by non-privileged programs.
Execute the following commands to correct the ownership for these files
# chown root:root /etc/passwd
# chown root:shadow /etc/shadow
# chown root:root /etc/group
13. Check for rootkits
There are few tools available through which you can check for rootkit in the server. The two popular rootkit hunters are RKHunte and CHKRootKit, use anyone of them periodically to check for rootkit in the system
Install chkrootkit
# sudo apt-get install chkrootkit
To run chkrootkit, execute the following command in the terminal
# chkrootkit
14. PSAD IDS/IPS
To detect the intrusion in your network, you can use toos like snort or cipherdyne's psad. The later has the capability of intrusion detection and log analysis with iptables. PSAD is a lightweight system daemons that analyze the iptables log message to detect scans and other spurious traffic.
Install PSAD
#sudo apt-get install psad
Now configure psad to detect scans, Intrusion Detection and Intrusion Prevention
15. Prevent IP Spoofing
Add following lines in /etc/host.conf to prevent IP spoofing
order bind,hosts
nospoof on
16. Enabling automatic security updates
It is highly recommended to enable automatic security updates and patches to keep the system secure. You will be notified every time you logged in to the system using SSH about security updates and patches. In Ubuntu Desktop, to enable automatic security updates, click on "System" select "Administration" and then "Software Sources" menu. Now select the "Internet Updates" and enable "Check for updates automatically" specifying daily". If Ubuntu issues a new security release then you will be notified via the "Update Manager" icon in the system tray. You can use unattended-upgrades which can handle automatic installation of security upgrades in Ubuntu system. Running sudo unattended-upgrade will install all the security package available for upgrade.
Install this package if it isn't already installed using
# sudo apt-get install unattended-upgrades
To enable it type
# sudo dpkg-reconfigure unattended-upgrades
and select "yes".
17. Harden PHP
Edit the php.ini file /etc/php5/apache2/php.ini and add uncomment/add following lines.
safe_mode = On
safe_mode_gid = On
disable_functions = hp_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abord, shell_exec, dl, set_time_limit, exec,
system, highlight_file, source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid,
posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit,
posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times,
posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
mail.add_x_header = Off
session.name = NEWSESSID
allow_url_fopen = Off
allow_url_include = Off
session.save_path = A secured location in the server
18. Harden Apache
Edit Apache2 configuration security file /etc/apache2/conf-available/security.conf and add the following-
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
FileETag None
The web application firewall ModSecurity is effective way to protect web server so that it's much less vulnerable to probes/scans and attacks. First install mod_security using following command.
# sudo apt-get install libapache2-mod-security2
# mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Edit /etc/modsecurity/modsecurity.conf
Activate the rules by editing the SecRuleEngine option and set to On and modify your server signature
SecRuleEngine On
SecServerSignature FreeOSHTTP
Now edit the following to increase the request limit to 16 MB
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000
Download and install the latest OWASP ModSecurity Core Rule Set from their website.
# wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/master.zip
# unzip master.zip
# cp -r owasp-modsecurity-crs-master/* /etc/modsecurity/
# mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
# ls /etc/modsecurity/base_rules | xargs -I {} ln -s /etc/modsecurity/base_rules/{} /etc/modsecurity/activated_rules/{}
# ls /etc/modsecurity/optional_rules | xargs -I {} ln -s /etc/modsecurity/optional_rules/{} /etc/modsecurity/activated_rules/{}
Now add the following line in /etc/apache2/mods-available/mod-security.conf
Include "/etc/modsecurity/activated_rules/*.conf"
Check if the modules has been loaded-
# sudo a2enmod headers
# sudo a2enmod mod-security
Now restart Apache2
# service apache2 restart
Apart from ModSecurity, install modevasive to protect your server from DDOS (Denial of Service) attacks
Once you've hardened the system, run some vulnerability scans and penetration tests against it in order to check that it's actually rock solid as you're now expecting it. However attack on your server can happen, it is up-to you to scan the log files regularly to find out any breaches have been occurred. You can use log analyzer tool like ELK stack to drill through servers log files quickly. If you find evidences of breaches then quickly disconnect your server from the internet and take remedial measures.
The post An Ultimate Guide to Secure Ubuntu Host appeared first on LinOxide.