Keep System Up-To-Date
An extremely crucial part of hardening any system is to ensure that it is always kept up-to-date. Doing this will keep any known bugs or vulnerabilities patched if one exists. The following commands are ways to update an Ubuntu system:apt-get update && apt-get upgrade
Accounts
A good place to start when dealing with any operating system’s security is to ensure that user accounts are locked down.
Ensure Only root Has UID of 0
Accounts that have a UID set to 0 have the highest access to a system. In most cases, this should only be the “root” account. Using the below command will list all accounts with a UID of 0:awk -F: '($3=="0"){print}' /etc/passwd
Check for Accounts with Empty Passwords
Accounts that have no password essentially have no security. The command below will print all accounts that have an empty password:
cat /etc/shadow | awk -F: '($2==""){print $1}'
Lock Accounts
In addition, you can use the command below to lock any accounts (prepends a ! to the user’s password hash):
passwd -l accountName
Adding New User Accounts
It is best practice to keep the use of the root account to a minimum. To do this, add a new account that will be primarily used with the command below:
adduser accountName
This will automatically create a user with the default configuration defined in ‘/etc/skel’.
Sudo Configuration
The Sudo package allows a regular user to run commands in an elevated context. This means a regular user can run commands normally restricted to the root account. Often, this is the ideal way of making system configurations or running elevated commands; not by using the root account. The configuration file for Sudo is in /etc/sudoers, however it can only be edited by using the “visudo” command. There are many different configuration options for that limit the use of Sudo to certain users, groups, Ips, and commands. The general configuration format is below:
%www ALL=(ALL)NOPASSWD:/bin/cat,/bin/ls
%www – All users of the www group
ALL= – From any Host/IP
(ALL) – can run as any user
NOPASSWD – No password required (omit to require a password)
:/bin/cat,/bin/ls – Commands able to run as sudo. In this case, “cat” and “ls”
To run any elevated command, simply place “sudo” in front of it as a properly configured user.
IpTables
IpTables are essentially your operating system’s firewall. IpTables are extremely powerful in controlling the network traffic going into and out of your server. While I will give some very basic example configurations below, it is recommended that any person looking into hardening their Ubuntu OS do research into IpTables implementation. Be careful it is easy to lock yourself out of SSH which will be painful on a cloud install. If you have access to a static ip then the SSH option is hardened by allowing only access form that ip with the addition of -s x.x.x.x or a range using -s x.x.x.0/24
Running the commands below will configured your box to allow inbound connections only on ports 80, 22, and the loopback interface and drop all other packets (configure to your own server’s needs):
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -I lo -j ACCEPT
iptables -A INPUT -j DROP
(Or use iptables -P INPUT DROP
to automatically drop all packets without a rule)
SSH
It goes without saying that all services hosted on your server should be adequately configured and locked down; however since SSH is almost always going to be running on your server, it is essential to lock it down as much as possible. The SSH service configuration file can be found at ‘/etc/ssh/sshd_config’.
Disable root Login
This configuration will limit SSH only to users other than root. Find and ensure the line for “PermitRootLogin” exists and looks like the one below:
PermitRootLogin no
Allow Specific Users
This line will allow you to specify which users can log into the SSH service:
AllowUsers accountName
Change Default Port From 22
This line will specify which port to host the SSH service on. It is recommended to change this to a non-default high port number. (Remember to fix your IpTables accordingly!)
Port 22222
Disable Empty Passwords
This line ensures that no users can login with an empty password. This adds a nice layer of security if there is a user without a password set:
PermitEmptyPasswords no
Restart Service
As always, after making changes to a service be sure to restart it!
service ssh restart
Additional Tips and Tricks
In addition to the server hardening tips above, below are some useful things to remember when hardening an Ubuntu server:
Display All Current Connections, Listening Services, and Processes Handling Them
The below command can be an Ubuntu sysadmin’s best friend, it will list all current connections and listening services on a system along with the processes and PIDs for each connection:
netstat -tulpn
Display Services and Their Status
The command below will list all services on the system and their status:
service --status-all
Use grep to specify only the running services:
service --status-all | grep "[ + ]"
Check for Rootkits
The package “rkhunter” is useful for doing a quick scan of your system for any known rootkits:
apt-get install rkhunter
rkhunter -C
Common Configuration File Locations
Below are configuration file locations for just a few common services:
/etc/apache/apache2.conf #Apache 2
/etc/ssh/sshd_config #SSH Server
/etc/mysql/mysql.cnf #MySQL
/var/lib/mysql/ #This entire directory contains all of the database in MySQL
Log Locations
Below are the common default log locations:
/var/log/message — Where whole system logs or current activity logs are available.
/var/log/auth.log — Authentication logs.
/var/log/kern.log — Kernel logs.
/var/log/cron.log — Crond logs (cron job).
/var/log/maillog — Mail server logs.
/var/log/boot.log — System boot log.
/var/log/mysqld.log — MySQL database server log file.
/var/log/secure — Authentication log.
/var/log/utmp or /var/log/wtmp — Login records file.
/var/log/apt — Apt package manager logs