
Hardening Ubuntu 14.04 Server

March 5, 2021 by Administrator

    Hardening is the process of reducing vulnerabilities and securing a system against possible points of attack. Reducing vulnerabilities includes removing unnecessary services, usernames and logins, and disabling unnecessary ports. In this article we are going to show you how you can harden an Ubuntu server.

    Requirements

    Ubuntu 14.04 LTS server with OpenSSH installed.

    Getting started: Update the system

    Keeping the system up to date is necessary after installing any operating system. This will reduce known vulnerabilities that are in your system.

    For Ubuntu 14.04 run the following:

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get autoremove
    sudo apt-get autoclean

    Enable automatic security updates

    Enabling automatic updates can be very important to secure your server. To install the “unattended-upgrades” package, run

    sudo apt-get install unattended-upgrades

    To enable it, run the following command:

    sudo dpkg-reconfigure -plow unattended-upgrades

    This will create the “/etc/apt/apt.conf.d/20auto-upgrades” file shown below.

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";

    Create “shadow user” with sudo powers

    Using a “shadow user” instead of the root account is necessary for security reasons. You can create a user that will not be easy for other users to guess. In this tutorial we will use “maketech111” as the username.

    To create a user, run the following command:

    sudo useradd -d /home/maketech111 -s /bin/bash -m maketech111

    To give the user sudo access, run the following command:

    sudo usermod -a -G sudo maketech111

    To set a password, run the following command:

    sudo passwd maketech111

    Note: make sure your password is at least eight characters long and contains a complex combination of numbers, letters, and punctuation marks.

    To remove the password prompt for sudo, edit the sudoers file.

    sudo nano /etc/sudoers

    Add / edit as described below.

    maketech111 ALL=(ALL) NOPASSWD: ALL

    Save the file and exit.

    Disable root account

    Disabling the root account is necessary for security reasons.

    To disable the root account, use the following command:

    sudo passwd -l root

    If you need to re-enable the account, run the following command:

    sudo passwd -u root

    Add a SWAP Partition

    Some Ubuntu servers are not configured with SWAP. SWAP is used when physical memory (RAM) is full.

    To check for SWAP space, run the following command:

    sudo swapon -s

    If there’s no SWAP file, you should get the following output.

    Filename                                Type            Size    Used    Priority

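    To create the 4 GB SWAP file you will need to use the “dd” command. Restrict the file to root so that other users cannot read swapped-out memory.

    sudo dd if=/dev/zero of=/swapfile bs=4M count=1000
    sudo chmod 600 /swapfile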

    To set up the SWAP file, run the following command:

    sudo mkswap /swapfile

    To activate the swap file, run

    sudo swapon /swapfile
    sudo swapon -s

    This will produce output like the following:

    Filename                                Type            Size    Used    Priority
    /swapfile                               file            4096000 0       -1

    To enable it permanently, edit the “/etc/fstab” file.

    sudo nano /etc/fstab

    Add the following line:

    /swapfile swap swap defaults 0 0

    Improve SWAP performance

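    Set a proper swappiness value to improve overall performance of the system.

    You can do this with the following commands. The redirection has to run as root, so pipe the value through “sudo tee” rather than using “sudo echo” with “>>”, which would open the target file as the unprivileged user.

    echo 0 | sudo tee /proc/sys/vm/swappiness
    echo "vm.swappiness = 0" | sudo tee -a /etc/sysctl.conf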

    Reboot the system to check whether SWAP gets activated properly.

    Disable IPv6

    It is recommended to disable IPv6 because it causes issues with the Internet connection being slow.

    To disable IPv6, edit the “/etc/sysctl.conf” file.

    sudo nano /etc/sysctl.conf

    Edit as described below:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1

    To reload the configuration, run

    sudo sysctl -p
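
    To confirm that the swappiness and IPv6 settings written to /etc/sysctl.conf match what the kernel is currently using, the following added example (not part of the original article) compares the two. The function name sysctl_drift and the scratch directory standing in for /proc/sys are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: report sysctl.conf settings that differ from the live values.

# sysctl_drift CONF [PROCROOT]
# Prints "key configured=X live=Y" for each key whose effective configured
# value (the last assignment in CONF wins) differs from the value found under
# PROCROOT. PROCROOT defaults to /proc/sys.
sysctl_drift() {
    local conf="$1" root="${2:-/proc/sys}" key want path live
    awk -F= '
        /^[ \t]*([#;]|$)/ { next }              # comments and blank lines
        NF < 2            { next }              # not an assignment
        {
            key = $1; val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (!(key in seen)) order[++n] = key
            seen[key] = val
        }
        END { for (i = 1; i <= n; i++) print order[i], seen[order[i]] }
    ' "$conf" |
    while read -r key want; do
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then live=$(cat "$path"); else live="<missing>"; fi
        [ "$live" = "$want" ] || echo "$key configured=$want live=$live"
    done
}

# Constructed sample: the article's keys, with vm.swappiness assigned twice.
work=$(mktemp -d)
cat > "$work/sysctl.conf" <<'EOF'
vm.swappiness = 60
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.swappiness = 0
EOF
# Scratch tree standing in for /proc/sys (constructed values).
mkdir -p "$work/proc/vm" "$work/proc/net/ipv6/conf/all" "$work/proc/net/ipv6/conf/default"
echo 0 > "$work/proc/vm/swappiness"
echo 1 > "$work/proc/net/ipv6/conf/all/disable_ipv6"
echo 0 > "$work/proc/net/ipv6/conf/default/disable_ipv6"   # setting not applied yet
sysctl_drift "$work/sysctl.conf" "$work/proc"
```

    On a real server, call sysctl_drift /etc/sysctl.conf with no second argument; an empty result means every configured key is in effect.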

    Disable IRQBALANCE

    IRQBALANCE is used to distribute hardware interrupts across multiple CPUs to increase system performance. It is recommended to disable IRQBALANCE to avoid hardware interrupts in your threads.

    To disable IRQBALANCE, edit “/etc/default/irqbalance”

    sudo nano /etc/default/irqbalance

    and change the ENABLED value to 0:

    ENABLED=0

    Fix OpenSSL heartbleed bug

    Heartbleed is a serious vulnerability in OpenSSL. It allows a remote user to leak memory in chunks of up to 64k. Hackers can then retrieve the private keys and decrypt data such as users’ usernames and passwords.

    The heartbleed bug was found in OpenSSL 1.0.1 and is present in the following versions:

    • 1.0.1
    • 1.0.1a
    • 1.0.1b
    • 1.0.1c
    • 1.0.1d
    • 1.0.1e
    • 1.0.1f

    To check the version of OpenSSL in your system, run the following commands:

    sudo openssl version -v
    sudo openssl version -b

    This will output something like the following:

    OpenSSL 1.0.1 10 Mar 2012
    built on: Wed Jan  2 18:45:51 UTC 2015

    If the date is older than “Mon Apr 7 20:33:29 UTC 2014,” and the version is “1.0.1,” then your system is vulnerable to the Heartbleed bug.

    To fix this bug, update OpenSSL to the latest version by running

    sudo apt-get update
    sudo apt-get upgrade openssl libssl-dev
    sudo apt-cache policy openssl libssl-dev

    Now check the version again by running

    sudo openssl version -b

    This will output something like the following:

    built on: Mon Apr  7 20:31:55 UTC 2014

    Secure the Console, shared memory, /tmp and /var/tmp

    Secure the Console

    By default, lots of terminals are enabled in your system. You can allow only one terminal and disable the other terminals.

    To allow only “tty1” and disable other terminals, edit the “/etc/securetty” file.

    sudo nano /etc/securetty

    Add / Edit the following lines:

    tty1
    #tty2
    #tty3
    #tty4
    # etc ...

    To secure the “/etc/securetty” file, change its ownership and permissions by running the following commands:

    sudo chown root:root /etc/securetty
    sudo chmod 0600 /etc/securetty

    Secure Shared Memory

    Any user can use shared memory to attack a running service, like apache or httpd. By default, shared memory is mounted read/write with execute permission.

    To make it more secure, edit the “/etc/fstab” file.

    sudo nano /etc/fstab

    Add the following line:

    tmpfs     /run/shm    tmpfs     ro,noexec,nosuid        0       0

    To make the changes without rebooting, you can run

    sudo mount -a

    Secure /tmp and /var/tmp

    Temporary directories such as /tmp, /var/tmp, and /dev/shm give attackers space to store and run scripts and malicious executables.

    Secure /tmp folder

    Create a 1GB filesystem file for the /tmp partition.

    sudo dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=1024000
    sudo mkfs.ext4 /usr/tmpDSK

    Create a backup of the current /tmp folder:

    sudo cp -avr /tmp /tmpbackup

    Mount the new /tmp partition, and set the right permissions.

    # /usr/tmpDSK holds the ext4 filesystem created above, so mount it as ext4 through a loop device
    sudo mount -t ext4 -o loop,noexec,nosuid,rw /usr/tmpDSK /tmp
    sudo chmod 1777 /tmp

    Copy the data from the backup folder, and remove the backup folder.

    sudo cp -avr /tmpbackup/* /tmp/
    sudo rm -rf /tmpbackup

    Set the /tmp in the fstab.

    sudo nano /etc/fstab

    Add the following line:

    /usr/tmpDSK /tmp ext4 loop,nosuid,noexec,rw 0 0

    Test your fstab entry.

    sudo mount -a

    Secure /var/tmp:

    Some software uses this folder as a temporary folder, so we should also secure this one.

    To secure /var/tmp, create a symbolic link that makes /var/tmp point to /tmp.

    sudo mv /var/tmp /var/tmpold
    sudo ln -s /tmp /var/tmp
    sudo cp -avr /var/tmpold/* /tmp/
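
    A way to confirm that the noexec and nosuid options from the /run/shm and /tmp steps above are really in place, as an added example that is not part of the original article. The function name missing_mount_opts and the sample table are constructed for illustration; the same parser reads /etc/fstab and /proc/mounts because both use the same columns.

```shell
#!/usr/bin/env bash
# Added example: list required mount options that an entry does not carry.

# missing_mount_opts TABLE MOUNTPOINT OPT...
# TABLE is /etc/fstab or /proc/mounts (same column layout). Prints each OPT
# absent from MOUNTPOINT's entry. Returns 0 if none are missing, 1 if some
# are, 2 if MOUNTPOINT has no entry in TABLE.
missing_mount_opts() {
    local table="$1" mountpoint="$2" dev mp fstype opts rest
    local found="" current="" want missing=0
    shift 2
    while read -r dev mp fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac    # blank line or comment
        if [ "$mp" = "$mountpoint" ]; then found=1; current="$opts"; fi
    done < "$table"                                 # the last matching entry wins
    [ -n "$found" ] || return 2
    for want in "$@"; do
        case ",$current," in
            *",$want,"*) ;;                         # whole-option match only
            *) echo "$want"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Constructed sample table modelled on the entries in this article.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1    /          ext4   errors=remount-ro        0 1
tmpfs        /run/shm   tmpfs  ro,noexec,nosuid         0 0
/usr/tmpDSK  /tmp       ext4   loop,nosuid,noexec,rw    0 0
/dev/sdb1    /home      ext4   defaults                 0 2
EOF

for mp in /run/shm /tmp /home; do
    if miss=$(missing_mount_opts "$SAMPLE_FSTAB" "$mp" noexec nosuid); then
        echo "OK    $mp"
    else
        echo "WEAK  $mp missing: $(echo $miss)"
    fi
done
```

    After sudo mount -a, point the function at /proc/mounts instead of the sample file to see the options the kernel actually applied.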

    Set security limits and disable unwanted services

    Set security limits

    To protect your system from fork bomb attacks, you should set up a process limit for your users.

    To set this up, edit the “/etc/security/limits.conf” file,

    sudo nano /etc/security/limits.conf

    and add or edit the following lines:

    user1 hard nproc 100
    @group1 hard nproc 20

    This limits the members of group1 to a maximum of twenty processes and user1 to a maximum of one hundred processes.

    Disable unnecessary services

    Lots of services in Ubuntu take memory and disk space that you might need to use. Disabling or removing unnecessary services can improve overall system performance.

    To find out which services are currently running, run the following command:

    sudo initctl list | grep running

    You can disable a service by running these commands.

    sudo update-rc.d -f service_name remove
    sudo apt-get purge service_name

    Fix Shellshock Bash vulnerability:

    The Shellshock vulnerability allows hackers to assign Bash environment variables and gain unauthorized access to the system. This vulnerability is very easy to exploit.

    To check system vulnerability, run the following command:

    sudo env VAR='() { :;}; echo Your system is Bash vulnerable' bash -c "echo Bash vulnerability test"

    If you see the below output, it means your system is vulnerable.

    Your system is Bash vulnerable
    Bash vulnerability test

    To fix this vulnerability, run the following command:

    sudo apt-get update ; sudo apt-get install --only-upgrade bash

    If you run the command again, you will see:

    bash: warning: VAR: ignoring function definition attempt
    bash: error importing function definition for `VAR'
    Bash vulnerability test

    Conclusion:

    Here we have explained basic things that you could do to harden Ubuntu. You should now have enough understanding of basic security practices that you can implement on your Ubuntu server. I hope that this post will be useful to you.
