Hardening Ubuntu
It's a harsh environment for any server out there. A fresh installation of the popular Ubuntu Server 22.04 gets a security rating of 63, far from 100. That is why the survival rate is low among home servers.
Servers are like old knights, needing a support crew to even be able to start the day's work. Hardening servers is key work in any IT department, and has been so for decades.
In IT security, knowing what to do is important, but doing it is even more important. Do a Security Audit – NOW.
As today's GNU/Linux systems are very complex and bloated, security matters more and more. The environment is toxic: many hackers, from professionals and criminals to curious teenagers, are trying to break into any server they can find, and computers are bombarded with junk. We need to be smarter than most to stay alive.
Today's servers come bloated with tons of GNU apps, each one a possible security risk. Do we need 75 000 files on a fresh server?
For the sake of convenience, numerous ports are open and services are set to listen. Apps are not secured. AppArmor does not enforce anything. Many configuration files are writable, and some are even accessible to anyone. The list is long, very long in fact.
There is a reason: we need access to these things during the setup phase. Once setup is done, we put on the armor and close all dangerous openings.
Install ClamAV and rkhunter
Defense against virus and rootkit attacks. There is a lot to configure.
Please read the documentation for ClamAV and RKH, then configure and run them accordingly.
apt install clamav clamav-daemon rkhunter
ClamAV Quick Guide
cp /usr/share/doc/clamav-freshclam/examples/freshclam.conf.sample /etc/clamav/freshclam.conf
Edit all config files, then clamscan a file or a directory to test. Then edit clamd.conf.
rkhunter (RKH) Quick Guide
Edit /etc/rkhunter.conf
Run rkhunter with rkhunter --check
or rkhunter --check --rwo --sk
Use the options --sk (skip keypress) to avoid pressing [Enter] after every section, and --rwo (report warnings only) to display only the warnings.
Update rkhunter
Update the data files: rkhunter --update
Verify the version: rkhunter --versioncheck
Set the baseline for the file properties check: rkhunter --propupd
Run --propupd only on a system you know is clean, since it makes the current state of the binaries the new baseline that later checks are compared against.
The RKH Logs
The log file: /var/log/rkhunter.log
Schedule with Cron
You can configure it by editing the file /etc/default/rkhunter:
# Perform security check daily
CRON_DAILY_RUN="true"
# Enable weekly database updates
CRON_DB_UPDATE="true"
# Enable automatic database updates after apt runs
APT_AUTOGEN="true"
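The following is an added example, not code from the original post or from the rkhunter project. It shows the two routine tasks around the cron setup above in shell: switching the three settings on in a defaults file without duplicating lines, and pulling the Warning: lines out of an rkhunter log so a daily mail or a CI step can fail on anything but zero warnings. The file paths are parameters; the defaults file and the log written at the bottom are constructed samples so the functions can be tried without rkhunter installed. On a real host you would call enable_rkhunter_cron /etc/default/rkhunter and rkh_warnings /var/log/rkhunter.log.

```shell
#!/bin/sh
# Added example (not from the original post): enable rkhunter's cron settings
# in a defaults file and extract the warnings from an rkhunter log.

# Set KEY="value" in a defaults file: replace the line if KEY exists, append otherwise.
set_default() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Print the value a defaults file holds for KEY (surrounding quotes stripped).
get_default() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$|\1|p" "$1" | tail -n 1
}

# Enable daily checks, weekly database updates and regeneration after apt runs,
# the same three keys the post sets by hand in /etc/default/rkhunter.
enable_rkhunter_cron() {
    set_default "$1" CRON_DAILY_RUN true
    set_default "$1" CRON_DB_UPDATE true
    set_default "$1" APT_AUTOGEN true
}

# Print only the Warning: lines of an rkhunter log, with the [hh:mm:ss] stamp removed.
rkh_warnings() {
    grep 'Warning:' "$1" | sed 's/^\[[^]]*\][[:space:]]*//'
}

# Number of warnings, so a cron mail or a CI job can fail on anything but 0.
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# --- constructed sample files (not real system files) -----------------------
DEFAULTS_SAMPLE=$(mktemp)
cat > "$DEFAULTS_SAMPLE" <<'EOF'
# constructed stand-in for /etc/default/rkhunter
CRON_DAILY_RUN="false"
CRON_DB_UPDATE="false"
REPORT_EMAIL="root"
EOF

LOG_SAMPLE=$(mktemp)
cat > "$LOG_SAMPLE" <<'EOF'
[12:00:01]   Checking for prerequisites               [ OK ]
[12:00:02]   /usr/bin/ssh                             [ OK ]
[12:00:03] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: Perl script text executable
[12:00:04]   Checking for hidden files                [ OK ]
[12:00:05] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[12:00:06] System checks summary
EOF

enable_rkhunter_cron "$DEFAULTS_SAMPLE"
echo "CRON_DAILY_RUN is now: $(get_default "$DEFAULTS_SAMPLE" CRON_DAILY_RUN)"
echo "Warnings in sample log: $(rkh_warning_count "$LOG_SAMPLE")"
rkh_warnings "$LOG_SAMPLE"
```

set_default rewrites an existing line rather than appending a second one, so running it twice leaves the file unchanged; get_default reads the last definition, which is how the shell itself resolves a key that appears more than once.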
An Example of Hardening a Server
These are some of the things security staff do to raise an Ubuntu server from a bad 63 (fresh install) to close to 100, which is pretty safe.
First, we want to use netplan, so do not install the minimized variant. Minimized still uses the older /etc/network/interfaces file, as Debian still does.
Then we also make sure the disk is laid out the way we want. We use a 64 G Proxmox virtual disk, ext4, and edit the file system settings:
- / 24.000G ext4
- /boot/efi 1.049G fat32
- /home 24.000G ext4
- /var 10.000G ext4
I usually reserve a bit for something future me will use.
We leave OpenSSH uninstalled for now; the script will install it later. We will use a script from konstruktoid (Thomas Sjögren).
1st Security Audit
Just update and upgrade the system for now. You might need to add git.
sudo git clone https://github.com/CISofy/lynis.git
cd lynis
- To view all the options available in Lynis, execute ./lynis show, and ./lynis show commands to list the commands you can execute.
- Run the SA (security audit):
sudo ./lynis audit system
Hardening Ubuntu – Systemd edition
- Do not install the OpenSSH server, "Featured Server Snaps", or any other packages.
- Finish the installation and reboot.
- Log in.
- If wanted, set a Grub2 password with grub-mkpasswd-pbkdf2. See https://help.ubuntu.com/community/Grub2/Passwords for more information.
- Install necessary packages: sudo apt-get -y install git net-tools procps --no-install-recommends
- Download the script: git clone https://github.com/konstruktoid/hardening.git
- Change the configuration options in the ubuntu.cfg file. Make sure to update the variable CHANGEME, otherwise the script will fail.
- Change your options
Configuration options
Make your changes in the file ubuntu.cfg. The numbers below match the // (n) markers after each line of the file.
- (1) The IP addresses that will be able to connect with SSH, separated by spaces.
- (2) Which group the users have to be a member of in order to access via SSH, separated by spaces.
- (3) Configure SSH port.
- (4) Stricter sysctl settings.
- (5) Auditd failure mode. 0=silent 1=printk 2=panic.
- (6) Auditd rules.
- (7) Log rotate settings.
- (8) NTP server pool.
- (9) Add a specific time zone or use the system default by leaving it empty.
- (10) If you want all the details or not.
- (11) Let the script guess the FW_ADMIN and SSH_GRPS settings.
- (12) Add a valid email address, so PSAD can send notifications.
- (13) If 'Y' then the snapd package will be held to prevent removal.
- (14) Add something just to verify that you actually glanced at the code.
- (15) Default configuration file locations.
FW_ADMIN='127.0.0.1' // (1)
SSH_GRPS='sudo' // (2)
SSH_PORT='22' // (3)
SYSCTL_CONF='./misc/sysctl.conf' // (4)
AUDITD_MODE='1' // (5)
AUDITD_RULES='./misc/audit-base.rules ./misc/audit-aggressive.rules ./misc/audit-docker.rules' // (6)
LOGROTATE_CONF='./misc/logrotate.conf' // (7)
NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org' // (8)
TIMEDATECTL='' // (9)
VERBOSE='N' // (10)
AUTOFILL='N' // (11)
ADMINEMAIL="root@localhost" // (12)
KEEP_SNAPD='Y' // (13)
CHANGEME='' // (14)
# Configuration files // (15)
...
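Since an empty CHANGEME makes ubuntu.sh bail out and a wrong FW_ADMIN or SSH_PORT locks you out of SSH after the reboot, it is worth checking ubuntu.cfg before running the script. The pre-flight check below is an added example and is not part of konstruktoid/hardening; it only uses the variable names from the file shown above, and the two sample configs it builds at the bottom are constructed. check_cfg sources a config in a subshell (so nothing leaks into your environment), prints one line per problem, and returns 1 if it found any.

```shell
#!/bin/sh
# Added example (not part of konstruktoid/hardening): sanity-check ubuntu.cfg
# before "sudo bash ubuntu.sh".

# True if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
is_ipv4() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    addr=${1%%/*}
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one line per problem found in the config file $1; return 1 if any.
check_cfg() {
    out=$(
        . "$1" 2>/dev/null || { echo "cannot read $1"; exit 0; }
        [ -n "$CHANGEME" ] || echo "CHANGEME is empty: ubuntu.sh will refuse to run"
        [ -n "$FW_ADMIN" ] || echo "FW_ADMIN is empty: no address will be allowed to SSH in"
        for ip in $FW_ADMIN; do
            is_ipv4 "$ip" || echo "FW_ADMIN has an invalid address: $ip"
        done
        [ -n "$SSH_GRPS" ] || echo "SSH_GRPS is empty: no group will be allowed to SSH in"
        case "$SSH_PORT" in
            ''|*[!0-9]*) echo "SSH_PORT is not a number: '$SSH_PORT'" ;;
            *) [ "$SSH_PORT" -ge 1 ] && [ "$SSH_PORT" -le 65535 ] \
                   || echo "SSH_PORT is out of range: $SSH_PORT" ;;
        esac
        case "$AUDITD_MODE" in
            0|1|2) ;;
            *) echo "AUDITD_MODE must be 0, 1 or 2: '$AUDITD_MODE'" ;;
        esac
        case "$ADMINEMAIL" in
            *@*) ;;
            *) echo "ADMINEMAIL does not look like an address: '$ADMINEMAIL'" ;;
        esac
        # every file the script will read must exist, or it fails half-way through
        for f in $SYSCTL_CONF $LOGROTATE_CONF $AUDITD_RULES; do
            [ -f "$f" ] || echo "referenced file is missing: $f"
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# --- constructed sample configs (not the project's real ubuntu.cfg) ----------
WORK=$(mktemp -d)
mkdir "$WORK/misc"
: > "$WORK/misc/sysctl.conf"
: > "$WORK/misc/logrotate.conf"
: > "$WORK/misc/audit-base.rules"

GOOD_CFG=$WORK/good.cfg
cat > "$GOOD_CFG" <<EOF
FW_ADMIN='192.168.1.10/32 10.0.0.5'
SSH_GRPS='sudo'
SSH_PORT='22'
SYSCTL_CONF='$WORK/misc/sysctl.conf'
AUDITD_MODE='1'
AUDITD_RULES='$WORK/misc/audit-base.rules'
LOGROTATE_CONF='$WORK/misc/logrotate.conf'
NTPSERVERPOOL='0.ubuntu.pool.ntp.org pool.ntp.org'
TIMEDATECTL=''
VERBOSE='N'
AUTOFILL='N'
ADMINEMAIL="root@localhost"
KEEP_SNAPD='Y'
CHANGEME='I read ubuntu.sh'
EOF

# Same file with three mistakes: a bad octet, an impossible port, an empty CHANGEME.
BAD_CFG=$WORK/bad.cfg
sed -e "s|^FW_ADMIN=.*|FW_ADMIN='192.168.1.10 10.0.0.999'|" \
    -e "s|^SSH_PORT=.*|SSH_PORT='70000'|" \
    -e "s|^CHANGEME=.*|CHANGEME=''|" "$GOOD_CFG" > "$BAD_CFG"

for cfg in "$GOOD_CFG" "$BAD_CFG"; do
    if check_cfg "$cfg"; then echo "$cfg: ok"; else echo "$cfg: fix the lines above"; fi
done
```

Run it as check_cfg ubuntu.cfg from the cloned repository directory so the relative ./misc paths resolve; the file-existence check is deliberately strict because the script reads those files after it has already started changing the system.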
Run and Reboot
- Run the script: sudo bash ubuntu.sh
- Reboot: sudo reboot
After the reboot, check the firewall and SSH:
sudo ufw status (and sudo ufw allow ssh if SSH is not allowed)
sudo systemctl status ssh (and sudo systemctl restart ssh if needed)
sudo apt install git btop glances
sudo git clone https://github.com/CISofy/lynis.git
Change permissions so you can get in (the clone was made with sudo, so the directory is owned by root).
Add Lynis and test.
See my post Security Audit and Lynis for more details.
2nd Security Audit
Not there yet, but a huge improvement, jumping from 64 → 90!
Now we need to be able to SSH into the server. Check the status with sudo ufw status and then sudo ufw allow ssh if needed. Next, sudo systemctl status ssh.
Lynis Quick Guide
Run Lynis without any installation.
git clone https://github.com/CISOfy/lynis
cd lynis
How to Run
We can now use Lynis to perform security audits on our system. To view what we can do, use the show command.
./lynis show
./lynis show commands
Lynis can be run without pre-configuration, but you can also configure it for your audit needs. Lynis can run in both privileged and non-privileged (pentest) mode. Some tests require root privileges, so in non-privileged mode these are skipped.
./lynis audit system
sudo ./lynis audit system
Adding the --quick parameter lets Lynis run without pauses, so we can work on other things while it scans.
./lynis audit system --quick
sudo ./lynis audit system --quick
Lynis performs system audits with a number of tests divided into categories. After every audit test, results, debug information and suggestions for hardening the system are provided.
More detailed information is stored in /var/log/lynis.log, while the data report is stored in /var/log/lynis-report.data.
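The data report is the easiest place to read the numbers from the two audits above (the 1st Security Audit on the fresh install and the 2nd after running ubuntu.sh) without scrolling through console output. The shell functions below are an added example, not from the original post or from the Lynis project: they read the hardening_index= line and the warning[]=TEST-ID|text|... entries that Lynis writes to lynis-report.data, and list which warnings disappeared between two reports. The layout assumed for the file is the key=value form described here; the two reports at the bottom are constructed samples with the 63 → 90 jump from this post.

```shell
#!/bin/sh
# Added example (not from the original post or Lynis): compare two
# lynis-report.data files. Assumes the key=value layout Lynis writes, with
# warning[]=TEST-ID|message|details|solution| entries.

# Print the hardening index (0-100) stored in a report file.
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1" | tail -n 1
}

# Difference in hardening index between report $1 (before) and $2 (after).
index_delta() {
    echo $(( $(hardening_index "$2") - $(hardening_index "$1") ))
}

# Print "TEST-ID: message" for every warning[] entry in a report.
report_warnings() {
    sed -n 's/^warning\[\]=//p' "$1" | awk -F'|' '{ print $1 ": " $2 }'
}

# Print the warning test IDs present in report $1 but gone in report $2.
fixed_warnings() {
    tmp=$(mktemp)
    sed -n 's/^warning\[\]=\([^|]*\)|.*/\1/p' "$2" | sort -u > "$tmp"
    sed -n 's/^warning\[\]=\([^|]*\)|.*/\1/p' "$1" | sort -u | grep -vxF -f "$tmp"
    rm -f "$tmp"
}

# --- constructed sample reports (not real Lynis output) ---------------------
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
# constructed stand-in for /var/log/lynis-report.data on the fresh install
hardening_index=63
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
EOF

AFTER=$(mktemp)
cat > "$AFTER" <<'EOF'
# constructed stand-in for lynis-report.data after ubuntu.sh and a reboot
hardening_index=90
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner|-|-|
EOF

echo "hardening index: $(hardening_index "$BEFORE") -> $(hardening_index "$AFTER") (+$(index_delta "$BEFORE" "$AFTER"))"
echo "warnings still open:"
report_warnings "$AFTER"
echo "warnings fixed: $(fixed_warnings "$BEFORE" "$AFTER")"
```

Copy /var/log/lynis-report.data aside after each audit (the next run overwrites it) and feed the two copies to fixed_warnings; what is left in report_warnings of the newer file is the list to work through next.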
Install Lynis
I have a ready-made script for installing Lynis from apt, download link.
Download it with wget https://github.com/nallej/MyJourney/raw/main/scripts/ , read the code and make your choice, then chmod 700 and ./LynisInstall.sh.
As the script uses sudo, you might need to edit it.
After Thoughts
The Basic of a Secure Environment
Secure the Perimeter
Use the UFW firewall and configure it. UFW is good as it doesn't usually break things. As in the corporate world, there is no such thing as too many firewalls. Use firewalls on all devices possible.
ISP routers are the cheapest crap they can get, and so is the built-in firewall.
Encrypt your data
Whole-disk encryption does not keep the data secure after you have unlocked it by logging in.
Do not travel with your data (on a laptop), use a secure server.
Encrypt your disks; if stolen, they are useless to the thief.
Secure access to Personal Data
You do not want anybody to have access to health and financial records.
Lock down the app, encrypt the data and keep secure backups.
Keep your system Up to Date
It is imperative to update and adhere to security recommendations to ensure the safety of your software, such as the OpenSSH issue that we are currently experiencing.
Don't trust cloud storage, because cloud providers have been breached; send only encrypted data, then they only get garbage.
Remove old software
Remove any software that is not updated, archived, or you do not use anymore.
Don't tell
Please refrain from disclosing excessive personal information on the internet. Segregate data into family, friends and work, and consider what you share.
Consider what Browser you use
Not all browsers are friendly. Firefox, Chromium, Brave and DuckDuckGo have fine features. But Chrome and Edge track everything, all the time. A VPN blocks geolocation, but not much more.
Social Media is full of Dangers
Tracking cookies follow you all around the web. You need to work hard to make that jungle safe. First, choose a safe browser. The Meta sites and TikTok are terrible. Mastodon and Discord groups are preferable.
Gaming
I don't know much, but there are a lot of the same issues as with social media in general, plus some special concerns with some plugins.
Rootkit and Virus
Yes, you need to scan for them.
Don't talk to Strangers
If someone is asking for banking codes – run.
Don't trust strange stories or too good offers.
Be aware of honey traps and blackmailing.
References
Lynis [1]; Antivirus and Rootkit [2] [3] [4] [5]; Authentication [6] [7] [8]
[2] ClamAV is the open-source standard for mail gateway-scanning software. High-performance ClamAV includes a multi-threaded scanner daemon, command-line utilities for on-demand file scanning and automatic signature updates. homepage
[3] Linux Malware Detect scans Linux computer systems for malicious software, using existing threat data from intrusion detection platforms to identify threats. LMD serves the shared hosting sector, which traditionally doesn't receive a lot of dedicated and quality antivirus resources. LMD features include quarantining scan results, HEX pattern matching, and an integration with ClamAV, another open source malware scanner. homepage
[4] Rootkit Hunter (commonly abbreviated as RKH) is a security monitoring and analyzing tool for POSIX compliant systems, to help you detect known rootkits, malware and signal general bad security practices. Rootkits have a certain structure and files in certain areas, known to the Rootkit Hunter team. This is similar to virus signatures. RKH offers additional scans that may assist you. homepage
[5] chkrootkit is a rootkit detection scanner. chkrootkit runs on Linux operating systems, Solaris, OpenBSD, and macOS as well as other systems. It searches locally on a computer for signs of rootkits and also looks for potential trojans and lastlog deletions. chkrootkit scans for more than 70 types of rootkits, LKMs, and computer worms. homepage
[6] Authelia is a lightweight, fast, and secure solution for authentication and authorization of web applications via a web portal. It supports multi-factor authentication, single sign-on, authorization policies, identity validation, and more. homepage
[7] Authentik is a secure and flexible solution for managing your identity needs. It covers both B2B and B2C use cases, supports various protocols and workflows, and lets you own your data and control your infrastructure. homepage