Sources: Ubuntu-Server-Hardening, Ubuntu Server Hardening Guide, Hardening Ubuntu Server 22.04 Part 1
Secure SSH Connection:
#Open sshd_config
sudo nano /etc/ssh/sshd_config
#Change the default port
Port 22 -> Port 227 #pick any unused port; this one is up to you.
#Enable connections of IPv4 only
AddressFamily any -> AddressFamily inet
#Disable Root Login
PermitRootLogin yes -> PermitRootLogin no
#Enable login for specific users/groups or deny users/groups
#At the bottom of the file, add the line you need for user/s or group/s
AllowUsers user1 user2
AllowUsers user@HOST #HOST is a placeholder: restricts that user to logins from one host or IP
AllowGroups root
DenyUsers user1 user2
DenyGroups root
#Restart SSH.
sudo systemctl restart sshd
From now on you must tell the client which port to use: ssh -p 227 user@ipaddress. Test the new port from a second terminal before closing the session you changed it in, and make sure the firewall allows the new port (see the UFW section), or you can lock yourself out.
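As an added example (not from the guide or its sources): on Ubuntu 22.04 the stock /etc/ssh/sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for any keyword, so a small drop-in file is a cleaner way to apply the settings above than editing the main file. The script below renders such a drop-in, then resolves the values sshd will actually use (Include expansion, comment stripping, Key=value syntax, first match wins, stop at the first Match block) and audits them against the targets above. It works on constructed config files in a temp directory so it runs without root; the drop-in name 10-hardening.conf and the user names alice and bob are my own choices, and the commands for the real server appear as comments at the end.

```sh
#!/bin/sh
# Added example, not part of the guide. Assumes the Ubuntu 22.04 layout:
# main file starts with "Include /etc/ssh/sshd_config.d/*.conf", and sshd
# keeps the FIRST value it reads for each keyword. 10-hardening.conf is our
# own file name.
set -u

# render_sshd_dropin PORT "USER1 USER2": print the drop-in file contents.
render_sshd_dropin() {
    printf '%s\n' "# hardening drop-in (first value wins, so this beats the main file)" \
        "Port $1" "AddressFamily inet" "PermitRootLogin no" "AllowUsers $2"
}

# sshd_flatten FILE: print FILE with every "Include GLOB" line replaced by the
# matching files in sorted order, which is how sshd reads them.
sshd_flatten() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # split into words without globbing
        if [ "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" = "include" ]; then
            shift
            for pattern in "$@"; do
                for inc in $pattern; do       # unquoted on purpose: expand the glob
                    if [ -f "$inc" ]; then cat "$inc"; fi
                done
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$file"
}

# sshd_effective KEYWORD (config on stdin): print the value sshd would use.
# Keywords are case-insensitive, "Key value" and "Key=value" are both legal,
# comments are dropped, the first occurrence wins, and everything after the
# first Match block is conditional, so the scan stops there.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        /^[ \t]*$/ { next }
        {
            line = $0;  sub(/^[ \t]+/, "", line)
            kw = line;  sub(/[ \t=].*$/, "", kw)
            val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(kw) == "match") exit
            if (tolower(kw) == key) { print val; exit }
        }'
}

# sshd_audit MAIN_CONFIG: compare effective values with the targets above.
# Missing keywords fall back to OpenSSH defaults (22, prohibit-password, any).
sshd_audit() {
    flat=$(sshd_flatten "$1")
    fails=0
    port=$(printf '%s\n' "$flat" | sshd_effective Port)
    rootlogin=$(printf '%s\n' "$flat" | sshd_effective PermitRootLogin)
    fam=$(printf '%s\n' "$flat" | sshd_effective AddressFamily)
    users=$(printf '%s\n' "$flat" | sshd_effective AllowUsers)
    port=${port:-22}; rootlogin=${rootlogin:-prohibit-password}; fam=${fam:-any}
    if [ "$port" != "22" ]; then echo "ok:   Port $port"; else echo "FAIL: Port is still 22"; fails=$((fails + 1)); fi
    if [ "$rootlogin" = "no" ]; then echo "ok:   PermitRootLogin no"; else echo "FAIL: PermitRootLogin $rootlogin"; fails=$((fails + 1)); fi
    if [ "$fam" = "inet" ]; then echo "ok:   AddressFamily inet"; else echo "FAIL: AddressFamily $fam"; fails=$((fails + 1)); fi
    if [ -n "$users" ]; then echo "ok:   AllowUsers $users"; else echo "warn: AllowUsers not set, every local account may log in"; fi
    echo "failures=$fails"
}

# --- demo on constructed files (no root needed) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/sshd_config.d"
# Constructed stand-in for the stock file: Include first, then the old values.
printf '%s\n' "Include $tmp/sshd_config.d/*.conf" "Port 22" "AddressFamily any" "PermitRootLogin yes" > "$tmp/sshd_config"
echo "== before drop-in =="; sshd_audit "$tmp/sshd_config"
render_sshd_dropin 227 "alice bob" > "$tmp/sshd_config.d/10-hardening.conf"
echo "== after drop-in =="; sshd_audit "$tmp/sshd_config"
# On the real server the same steps are (run from a session you keep open):
#   render_sshd_dropin 227 "alice bob" | sudo tee /etc/ssh/sshd_config.d/10-hardening.conf
#   sudo sshd -t                                  # syntax check before restarting
#   sudo sshd -T | grep -iE '^(port|permitrootlogin|addressfamily|allowusers) '
#   sudo ufw allow 227/tcp && sudo systemctl restart ssh
```

Because the first value wins, a low-numbered drop-in also overrides anything an image installer places in sshd_config.d (Ubuntu cloud images ship a 50-cloud-init.conf there). sudo sshd -t catches syntax errors before the restart, and sudo sshd -T prints the configuration sshd actually resolved, which is the thing worth checking rather than the file you edited.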
Update / Enable Auto Updates:
#Update your repo's:
sudo apt update
#Upgrade your system:
sudo apt dist-upgrade
#Install Automatic update utility: (If its not already)
sudo apt install unattended-upgrades
#Enable it:
sudo dpkg-reconfigure --priority=low unattended-upgrades
From here you will be greeted with a text dialog that lets you set what gets auto-upgraded. I picked going with "Stable" releases. This matters because software updates usually include security patches, so it's always good to keep them rolling.
UFW Firewall
#Install UFW if you dont have it.
sudo apt install ufw
#Check to see if its active
sudo ufw status #it should return inactive.
#Open up your custom SSH port and/or allow connection only from specified networks
sudo ufw allow 227 #Whichever port you set for SSH
sudo ufw allow from 192.168.0.0/16 to any port 22
#Allow connection from specific subnet to port
sudo ufw allow from 192.168.0.0/16 to any port 227
#Enable UFW
sudo ufw enable
By default, now when you reboot the server UFW will start and allow SSH access using your custom port.
Change root password:
#change root password:
sudo passwd root
Create A Non-Root user:
#Add new user to the system
sudo adduser usernamehere
#Add the new user to sudoers
sudo usermod -aG sudo usernamehere
Install fail2ban
The fail2ban system is an intrusion prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban will block access from that IP address.
To install fail2ban, open a terminal window and issue the command:
sudo apt install fail2ban -y
Within the directory /etc/fail2ban, you'll find the main configuration file, jail.conf. Also in that directory is the subdirectory, jail.d. The jail.conf file is the main configuration file and jail.d contains the secondary configuration files. Do not edit the jail.conf file. Instead, we’ll create a new configuration that will monitor SSH logins with the command:
sudo nano /etc/fail2ban/jail.local
In this new file add the following contents:
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
This configuration does the following:
- Enables the jail.
- Sets the SSH port to be monitored to 22 (use your custom port here if you changed it in the SSH section).
- Uses the sshd filter.
- Sets the log file to be monitored.
- Bans an address after 5 failed attempts (maxretry).
Save and close that file. Restart fail2ban with the command:
sudo systemctl restart fail2ban
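As an added example (not part of the guide, its sources, or fail2ban itself): the rule the [sshd] jail above applies is "maxretry failures from one address within findtime" (fail2ban's default findtime is 10 minutes). The script below implements that sliding-window count over constructed auth.log lines in Ubuntu's traditional syslog format, so you can see which addresses would be banned and why an attacker who spaces attempts out is not. Only the two most common sshd failure messages are matched; the real sshd filter recognises many more. The host name, PIDs and addresses are made up. On the live server, sudo fail2ban-client status sshd shows the current bans, and the jail's port must be the one sshd actually listens on.

```sh
#!/bin/sh
# Added example, not from the guide or fail2ban: the maxretry/findtime count
# over constructed log lines. Log content, host, PIDs and IPs are made up.
set -u

# banned_ips LOGFILE MAXRETRY FINDTIME_SECONDS
# Print each source IP (once, in ban order) that reaches MAXRETRY failures
# within a sliding FINDTIME-second window.
banned_ips() {
    awk -v maxretry="$2" -v findtime="$3" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        # days before each month (non-leap year); enough for window arithmetic
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
    }
    # traditional syslog "Mon DD HH:MM:SS" carries no year: seconds since Jan 1
    function stamp(mo, d, t,    h) {
        split(t, h, ":")
        return ((cum[mon[mo]] + d - 1) * 24 + h[1]) * 3600 + h[2] * 60 + h[3]
    }
    # the two failure lines the sshd filter always matches
    / sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
        if (!match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) next
        ip = substr($0, RSTART + 6, RLENGTH - 6)
        t = stamp($1, $2, $3)
        n[ip]++; ts[ip, n[ip]] = t
        if (n[ip] == 1) head[ip] = 1
        while (t - ts[ip, head[ip]] > findtime) head[ip]++   # forget stale failures
        if (n[ip] - head[ip] + 1 >= maxretry && !(ip in banned)) {
            banned[ip] = 1
            print ip
        }
    }' "$1"
}

# --- constructed sample log: one burst, one slow attacker, one normal user ---
log=$(mktemp); trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Mar  3 10:00:00 srv sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:01:00 srv sshd[2002]: Invalid user admin from 203.0.113.5 port 50001
Mar  3 10:01:10 srv sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Mar  3 10:01:20 srv sshd[2003]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar  3 10:01:30 srv sshd[2004]: Failed password for ubuntu from 203.0.113.5 port 50003 ssh2
Mar  3 10:01:35 srv sshd[2005]: Accepted publickey for alice from 192.0.2.9 port 60001 ssh2: ED25519 SHA256:PLACEHOLDER
Mar  3 10:01:40 srv sshd[2006]: Failed password for root from 203.0.113.5 port 50004 ssh2
Mar  3 10:01:50 srv sshd[2007]: Failed password for root from 203.0.113.5 port 50005 ssh2
Mar  3 10:07:00 srv sshd[2008]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:14:00 srv sshd[2009]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  3 10:21:00 srv sshd[2010]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar  3 10:28:00 srv sshd[2011]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar  3 10:30:00 srv sshd[2012]: Failed password for alice from 192.0.2.9 port 60002 ssh2
EOF

echo "maxretry=5 findtime=600 would ban:"
banned_ips "$log" 5 600
# On the live server: sudo fail2ban-client status sshd
```

With the jail's maxretry of 5 and the default ten-minute findtime only 203.0.113.5 is banned; 198.51.100.7 makes the same number of attempts but seven minutes apart, so at most two ever fall inside one window. Raising findtime to an hour (findtime = 1h in jail.local) catches the slow one too, at the price of more false positives from users who genuinely mistype.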
Remove FTP, Telnet, And Rlogin / Rsh Services on Linux
Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use OpenSSH, SFTP, or FTPS (FTP over SSL/TLS, which adds TLS encryption to FTP).
Type the following command to remove NIS, rsh and the other outdated services:
sudo apt --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server
Make Sure No Non-Root Accounts Have UID Set To 0
Only the root account should have UID 0, which grants full access to the system. Type the following command to display all accounts with UID set to 0:
awk -F: '($3 == "0") {print}' /etc/passwd
You should only see one line as follows:
root:x:0:0:root:/root:/bin/bash
Secure Shared Memory
What is shared memory?
Shared memory is an efficient means of passing data between programs: two or more processes map the same memory region. On Ubuntu it is backed by the tmpfs at /run/shm (a symlink to /dev/shm), which every user can write to and which is not mounted noexec by default, so a process that can drop a file there can also execute it from there. Shared memory has been used in attacks against running services, so you'll want to lock down that mount.
You can do this by modifying the /etc/fstab file.
sudo nano /etc/fstab
Next, add the following line to the bottom of that file:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Save and close the file. In order for the changes to take effect, you must reboot the server with the command:
sudo reboot
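As an added example (not from the guide or its sources), here are the checks from the two sections above (no second UID-0 account, hardened shared-memory mount) as reusable shell functions, run on constructed copies of /etc/passwd and /etc/fstab so the script needs no root. Point them at the real files on a server. Checking for nodev alongside the guide's noexec,nosuid is my addition, and the account names and UUID in the sample files are made up.

```sh
#!/bin/sh
# Added example, not from the guide: UID-0 and shared-memory audit functions,
# demonstrated on constructed files. nodev is our addition to noexec,nosuid.
set -u

# extra_uid0 PASSWD_FILE: print every account other than root whose UID
# (field 3) is 0. Such an account is root-equivalent whatever its name.
extra_uid0() {
    awk -F: '/^[ \t]*(#|$)/ { next } $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# shm_missing_opts FSTAB_FILE: for the tmpfs entry mounted on /run/shm (or on
# /dev/shm, which /run/shm links to on Ubuntu) print the hardening options
# that are absent, "none" if all are present, or "no entry".
shm_missing_opts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }                      # comments and junk
        ($2 == "/run/shm" || $2 == "/dev/shm") && $3 == "tmpfs" {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) have[opt[i]] = 1
            m = split("noexec nosuid nodev", want, " ")
            for (i = 1; i <= m; i++) if (!(want[i] in have)) missing = missing " " want[i]
            sub(/^ /, "", missing)
            print (missing == "" ? "none" : missing)
            exit
        }
        END { if (!found) print "no entry" }
    ' "$1"
}

# --- demo on constructed files ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed passwd: "toor" is the kind of second UID-0 entry this check must flag.
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:toor:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
# Constructed fstab files: the guide's line, the same line with nodev, and none.
printf 'tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0\n' > "$tmp/fstab.guide"
printf '# comment\ntmpfs /run/shm tmpfs defaults,noexec,nosuid,nodev 0 0\n' > "$tmp/fstab.full"
printf 'UUID=PLACEHOLDER / ext4 errors=remount-ro 0 1\n' > "$tmp/fstab.none"

echo "non-root UID 0 accounts: $(extra_uid0 "$tmp/passwd")"
for f in guide full none; do
    echo "fstab.$f -> missing: $(shm_missing_opts "$tmp/fstab.$f")"
done
# On a live system also compare fstab with what is actually mounted:
#   findmnt -n -o OPTIONS /dev/shm
```

The fstab line is only what will be mounted next boot; findmnt -n -o OPTIONS /dev/shm shows the options in force now, so run both after the reboot to confirm noexec and nosuid actually took effect.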
Check for Rootkits
The package "rkhunter" is useful for doing a quick scan of your system for known rootkits:
sudo apt install rkhunter -y
sudo rkhunter -c #lower-case -c (--check) runs the scan; capital -C only validates rkhunter's own configuration file
Common Configuration File Locations
Below are configuration file locations for just a few common services:
#Apache 2
/etc/apache2/apache2.conf
#SSH Server
/etc/ssh/sshd_config
#MySQL
/etc/mysql/mysql.cnf
#This entire directory contains the data files of all MySQL databases
/var/lib/mysql/
Log Locations
Below are common default log locations. Several of these names come from Red Hat-family systems; on Ubuntu the system log is /var/log/syslog, mail goes to /var/log/mail.log, MySQL writes /var/log/mysql/error.log, and authentication events are in /var/log/auth.log (there is no /var/log/secure).
#Whole-system / current activity logs
/var/log/messages
#Authentication logs
/var/log/auth.log
#Kernel logs
/var/log/kern.log
#Crond logs (cron jobs)
/var/log/cron.log
#Mail server logs
/var/log/maillog
#System boot log
/var/log/boot.log
#MySQL database server log file
/var/log/mysqld.log
#Authentication log
/var/log/secure
#Login records
/var/log/utmp or /var/log/wtmp
#Apt package manager logs
/var/log/apt