An extremely crucial part of hardening any system is to ensure that it is always kept up-to-date. Doing this will keep any known bugs or vulnerabilities patched if one exists. The following commands are ways to update an Ubuntu system: A good place to start when dealing with any operating system\u2019s security is to ensure that user accounts are locked down.<\/p>\n\n\n\n Accounts that have a UID set to 0 have the highest access to a system. In most cases, this should only be the \u201croot\u201d account. Using the below command will list all accounts with a UID of 0: Accounts that have no password essentially have no security. The command below will print all accounts that have an empty password:<\/p>\n\n\n\n In addition, you can use the command below to lock any accounts (prepends a ! to the user\u2019s password hash):<\/p>\n\n\n\n It is best practice to keep the use of the root account to a minimum. To do this, add a new account that will be primarily used with the command below:<\/p>\n\n\n\n This will automatically create a user with the default configuration defined in \u2018\/etc\/skel\u2019.<\/p>\n\n\n\n The Sudo package allows a regular user to run commands in an elevated context. This means a regular user can run commands normally restricted to the root account. Often, this is the ideal way of making system configurations or running elevated commands; not by using the root account. The configuration file for Sudo is in \/etc\/sudoers, however it can only be edited by using the \u201cvisudo\u201d command. There are many different configuration options for that limit the use of Sudo to certain users, groups, Ips, and commands. The general configuration format is below:<\/p>\n\n\n\n %www<\/strong> \u2013 All users of the www group<\/p>\n\n\n\n ALL=<\/strong> \u2013 From any Host\/IP<\/p>\n\n\n\n (ALL)<\/strong> \u2013 can run as any user<\/p>\n\n\n\n NOPASSWD<\/strong> \u2013 No password required (omit to require a password)<\/p>\n\n\n\n :\/bin\/cat,\/bin\/ls<\/strong> \u2013 Commands able to run as sudo. In this case, \u201ccat\u201d and \u201cls\u201d<\/p>\n\n\n\n To run any elevated command, simply place \u201csudo\u201d in front of it as a properly configured user.<\/p>\n\n\n\n IpTables are essentially your operating system\u2019s firewall. IpTables are extremely powerful in controlling the network traffic going into and out of your server. While I will give some very basic example configurations below, it is recommended that any person looking into hardening their Ubuntu OS do research into IpTables implementation. Be careful it is easy to lock yourself out of SSH which will be painful on a cloud install. If you have access to a static ip then the SSH option is hardened by allowing only access form that ip with the addition of -s x.x.x.x or a range using -s x.x.x.0\/24<\/p>\n\n\n\n Running the commands below will configured your box to allow inbound connections only on ports 80, 22, and the loopback interface and drop all other packets (configure to your own server\u2019s needs):<\/p>\n\n\n\n (Or use It goes without saying that all services hosted on your server should be adequately configured and locked down; however since SSH is almost always going to be running on your server, it is essential to lock it down as much as possible. The SSH service configuration file can be found at \u2018\/etc\/ssh\/sshd_config\u2019.<\/p>\n\n\n\n This configuration will limit SSH only to users other than root. Find and ensure the line for \u201cPermitRootLogin\u201d exists and looks like the one below:<\/p>\n\n\n\n This line will allow you to specify which users can log into the SSH service:<\/p>\n\n\n\n This line will specify which port to host the SSH service on. It is recommended to change this to a non-default high port number. (Remember to fix your IpTables accordingly!)<\/p>\n\n\n\n This line ensures that no users can login with an empty password. This adds a nice layer of security if there is a user without a password set:<\/p>\n\n\n\n As always, after making changes to a service be sure to restart it!<\/p>\n\n\n\n In addition to the server hardening tips above, below are some useful things to remember when hardening an Ubuntu server:<\/p>\n\n\n\n The below command can be an Ubuntu sysadmin\u2019s best friend, it will list all current connections and listening services on a system along with the processes and PIDs for each connection:<\/p>\n\n\n\n The command below will list all services on the system and their status:<\/p>\n\n\n\n Use grep to specify only the running services:<\/p>\n\n\n\n The package \u201crkhunter\u201d is useful for doing a quick scan of your system for any known rootkits:<\/p>\n\n\n\n Below are configuration file locations for just a few common services:<\/p>\n\n\n\n \/etc\/apache\/apache2.conf #Apache 2<\/p>\n\n\n\n \/etc\/ssh\/sshd_config #SSH Server<\/p>\n\n\n\n \/etc\/mysql\/mysql.cnf #MySQL<\/p>\n\n\n\n \/var\/lib\/mysql\/ #This entire directory contains all of the database in MySQL<\/p>\n\n\n\n Below are the common default log locations:<\/p>\n\n\n\n \/var\/log\/message \u2014 Where whole system logs or current activity logs are available.<\/p>\n\n\n\n \/var\/log\/auth.log \u2014 Authentication logs.<\/p>\n\n\n\n \/var\/log\/kern.log \u2014 Kernel logs.<\/p>\n\n\n\n \/var\/log\/cron.log \u2014 Crond logs (cron job).<\/p>\n\n\n\n \/var\/log\/maillog \u2014 Mail server logs.<\/p>\n\n\n\n \/var\/log\/boot.log \u2014 System boot log.<\/p>\n\n\n\n \/var\/log\/mysqld.log \u2014 MySQL database server log file.<\/p>\n\n\n\n \/var\/log\/secure \u2014 Authentication log.<\/p>\n\n\n\n \/var\/log\/utmp or \/var\/log\/wtmp \u2014 Login records file.<\/p>\n\n\n\n \/var\/log\/apt \u2014 Apt package manager logs<\/p>\n","protected":false},"excerpt":{"rendered":" Keep System Up-To-Date An extremely crucial part of hardening any system is to ensure that it is always kept up-to-date. Doing this will keep any known bugs or vulnerabilities patched if one exists. The following commands are ways to update an Ubuntu system:apt-get update && apt-get upgrade Accounts A good place to start when dealing […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,4,2],"tags":[],"class_list":["post-278","post","type-post","status-publish","format-standard","hentry","category-general-server-stuff","category-iptables","category-linux"],"_links":{"self":[{"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/posts\/278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/comments?post=278"}],"version-history":[{"count":1,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/posts\/278\/revisions"}],"predecessor-version":[{"id":279,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/posts\/278\/revisions\/279"}],"wp:attachment":[{"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/media?parent=278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/categories?post=278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/tags?post=278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}apt-get update && apt-get upgrade<\/strong><\/code><\/p>\n\n\n\nAccounts<\/h3>\n\n\n\n
Ensure Only root Has UID of 0<\/h3>\n\n\n\n
awk -F: '($3==\"0\"){print}' \/etc\/passwd<\/strong><\/code><\/p>\n\n\n\nCheck for Accounts with Empty Passwords<\/h3>\n\n\n\n
cat \/etc\/shadow | awk -F: '($2==\"\"){print $1}'<\/strong><\/code><\/p>\n\n\n\nLock Accounts<\/h3>\n\n\n\n
passwd -l accountName<\/strong><\/code><\/p>\n\n\n\nAdding New User Accounts<\/h3>\n\n\n\n
adduser accountName<\/strong><\/code><\/p>\n\n\n\nSudo Configuration<\/h3>\n\n\n\n
%www ALL=(ALL)NOPASSWD:\/bin\/cat,\/bin\/ls<\/strong><\/code><\/p>\n\n\n\nIpTables<\/h3>\n\n\n\n
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT<\/code><\/p>\n\n\n\niptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT<\/code><\/p>\n\n\n\niptables -A INPUT -I lo -j ACCEPT<\/code><\/p>\n\n\n\niptables -A INPUT -j DROP<\/code><\/p>\n\n\n\niptables -P INPUT DROP<\/code> to automatically drop all packets without a rule)<\/p>\n\n\n\nSSH<\/h3>\n\n\n\n
Disable root Login<\/h3>\n\n\n\n
PermitRootLogin no<\/code><\/p>\n\n\n\nAllow Specific Users<\/h3>\n\n\n\n
AllowUsers accountName<\/code><\/p>\n\n\n\nChange Default Port From 22<\/h3>\n\n\n\n
Port 22222<\/code><\/p>\n\n\n\nDisable Empty Passwords<\/h3>\n\n\n\n
PermitEmptyPasswords no<\/code><\/p>\n\n\n\nRestart Service<\/h3>\n\n\n\n
service ssh restart<\/code><\/p>\n\n\n\nAdditional Tips and Tricks<\/h2>\n\n\n\n
Display All Current Connections, Listening Services, and Processes Handling Them<\/h3>\n\n\n\n
netstat -tulpn<\/code><\/p>\n\n\n\nDisplay Services and Their Status<\/h3>\n\n\n\n
service --status-all<\/code><\/p>\n\n\n\nservice --status-all | grep \"[ + ]\"<\/code><\/p>\n\n\n\nCheck for Rootkits<\/h3>\n\n\n\n
apt-get install rkhunter<\/code><\/p>\n\n\n\nrkhunter -C<\/code><\/p>\n\n\n\nCommon Configuration File Locations<\/h3>\n\n\n\n
Log Locations<\/h3>\n\n\n\n