The Fan Club

How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics
Submitted by The Fan Club on Thu, 2012-05-17 13:06

This guide is based on various community forum posts and webpages. Special thanks to all. All
comments and improvements are very welcome as this is purely a personal experimental project at this
point and must be considered a work in progress.

This guide is intended as a relatively easy step by step guide to harden the security on an Ubuntu 12.04 LTS server by installing and configuring the following:

1. Install and configure Firewall - ufw
2. Secure shared memory - fstab
3. SSH - Key based login, disable root login and change port
4. Apache SSL - Disable SSL v3 support
5. Protect su by limiting access only to admin group
6. Harden network with sysctl settings
7. Disable Open DNS Recursion and Remove Version Info - Bind9 DNS
8. Prevent IP Spoofing
9. Harden PHP for security
10. Restrict Apache Information Leakage

11. Install and configure Apache application firewall - ModSecurity
12. Protect from DDOS (Denial of Service) attacks with ModEvasive
13. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban
14. Intrusion Detection - PSAD
15. Check for RootKits - RKHunter and CHKRootKit
16. Scan open Ports - Nmap
17. Analyse system LOG files - LogWatch
18. SELinux - Apparmor
19. Audit your system security - Tiger

Requirements: Ubuntu 12.04 LTS or later server with a standard LAMP stack installed.

1. Firewall - UFW

A good place to start is to install a firewall. UFW (Uncomplicated Firewall) is a basic firewall that works very well and is easy to configure with its firewall configuration tool, gufw; alternatively use Shorewall, fwbuilder or Firestarter. Use the Firestarter GUI to configure your firewall, or refer to the Ubuntu Server Guide, the UFW manual pages (http://manpages.ubuntu.com/manpages/precise/en/man8/ufw.8.html) or the Ubuntu UFW community documentation (http://help.ubuntu.com/community/UFW).

Install UFW and enable it. Open a terminal window and enter:
sudo apt-get install ufw

Allow the SSH and HTTP services:
sudo ufw allow ssh
sudo ufw allow http

Enable the firewall:
sudo ufw enable

Check the status of the firewall:
sudo ufw status verbose

2. Secure shared memory

Shared memory can be used in an attack against a running service. Modify /etc/fstab to make it more secure. Open a terminal window and enter the following:
sudo vi /etc/fstab

Add the following line and save. You will need to reboot for this setting to take effect:
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0

Note: this only works in Ubuntu 12.04. For later Ubuntu versions replace /dev/shm with /run/shm. Save and reboot when done.

3. SSH Hardening - key based login, disable root login and change port

The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys. If you have to use password authentication, the easiest way to secure SSH is to disable root login and change the SSH port to something other than the standard port 22. Before disabling the root login, create a new SSH user and make sure the user belongs to the admin group (see step 4 below regarding the admin group). If you change the SSH port, also open the new port you have chosen on the firewall and close port 22.

Note: if you change the SSH port, keep the port number below 1024, as these are privileged ports that can only be opened by root or processes running as root.

Open a terminal window and enter:
sudo vi /etc/ssh/sshd_config

Change or add the following and save:
Port <ENTER YOUR PORT>
Protocol 2
PermitRootLogin no
DebianBanner no

Restart the SSH server. Open a terminal window and enter:
sudo /etc/init.d/ssh restart
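An added check for this step (example code, not from the original guide): a POSIX shell audit of an sshd_config that confirms the four directives above, including that the port is not the default 22 and, as the note above asks, stays below 1024. The sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings from step 3.
# sshd keeps the first value it sees for a keyword and matches keywords
# case-insensitively, so the lookup below does the same.

# sshd_get FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit FILE -> prints one line per finding; exit status = finding count
sshd_audit() {
    f="$1"; n=0
    for pair in PermitRootLogin=no Protocol=2 DebianBanner=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', expected '$want'"; n=$((n + 1))
        fi
    done
    port=$(sshd_get "$f" Port)
    case "$port" in
        ''|22) echo "Port is '${port:-unset}': choose a non-default port"; n=$((n + 1)) ;;
        *[!0-9]*) echo "Port '$port' is not a number"; n=$((n + 1)) ;;
        *) [ "$port" -lt 1024 ] || { echo "Port $port is not below 1024"; n=$((n + 1)); } ;;
    esac
    return "$n"
}

# Constructed sample config (not a real server's file) to demonstrate findings.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# sshd_config (constructed sample)
Port 22
protocol 2
PermitRootLogin yes
EOF
sshd_audit "$SAMPLE" || echo "$? finding(s) in $SAMPLE"
rm -f "$SAMPLE"
```

Run it against /etc/ssh/sshd_config after editing; an exit status of 0 means every directive from this step is in place.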

4. Apache SSL Hardening - disable SSL v3 support

The SSL v3 protocol has been proven to be insecure. We will disable Apache support for the protocol and force the use of the newer protocols. Open a terminal window and enter:
sudo vi /etc/apache2/mods-available/ssl.conf

Change this line from:
SSLProtocol all -SSLv2

to the following and save:
SSLProtocol all -SSLv2 -SSLv3

Restart the Apache server. Open a terminal window and enter:
sudo /etc/init.d/apache2 restart

5. Protect su by limiting access only to admin group

To limit the use of su to admin users only, we need to create an admin group, then add users and limit the use of su to that group. Add an admin group to the system and add your own admin username to the group, replacing <YOUR ADMIN USERNAME> below with your admin username. Open a terminal window and enter:
sudo groupadd admin
sudo usermod -a -G admin <YOUR ADMIN USERNAME>
sudo dpkg-statoverride --update --add root admin 4750 /bin/su

6. Harden network with sysctl settings

The /etc/sysctl.conf file contains all the sysctl settings. To prevent source routing of incoming packets and log malformed IPs, enter the following in a terminal window:
sudo vi /etc/sysctl.conf

Edit the /etc/sysctl.conf file and un-comment or add the following lines:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

To reload sysctl with the latest changes, enter:
sudo sysctl -p

7. Disable Open DNS Recursion and Remove Version Info - BIND DNS

Open a terminal and enter the following:
sudo vi /etc/bind/named.conf.options

Add the following to the Options section:
recursion no;
version "Not Disclosed";

Restart the BIND DNS server. Open a terminal and enter the following:
sudo /etc/init.d/bind9 restart

8. Prevent IP Spoofing

Open a terminal and enter the following:
sudo vi /etc/host.conf

Add or edit the following lines:
order bind,hosts
nospoof on

9. Harden PHP for security

Edit the php.ini file:
sudo vi /etc/php5/apache2/php.ini

Add or edit the following lines and save:
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off

track_errors = Off
html_errors = Off
magic_quotes_gpc = Off

Restart the Apache server. Open a terminal and enter the following:
sudo /etc/init.d/apache2 restart

10. Restrict Apache Information Leakage

Edit the Apache2 configuration security file:
sudo vi /etc/apache2/conf.d/security

Add or edit the following lines and save:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
FileETag None

Restart the Apache server. Open a terminal and enter the following:
sudo /etc/init.d/apache2 restart

11. Web Application Firewall - ModSecurity

See: How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server

12. Protect from DDOS (Denial of Service) attacks - ModEvasive

See: How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server

13. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban

DenyHosts (http://denyhosts.sourceforge.net/) is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins. Open a terminal and enter the following:

sudo apt-get install denyhosts

After installation edit the configuration file /etc/denyhosts.conf and change the email and other settings as required. To edit the admin email settings, open a terminal window and enter:
sudo vi /etc/denyhosts.conf

Change the following values as required on your server:
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts <nobody@localhost>
#SYSLOG_REPORT=YES

That's it.

Fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page) is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP and more. Fail2ban scans log files and bans IPs that show malicious signs: too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, ftp, etc). Open a terminal and enter the following:
sudo apt-get install fail2ban

After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required. To edit the settings, open a terminal window and enter:
sudo vi /etc/fail2ban/jail.conf

Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true. For example, if you would like to enable the SSH monitoring and banning jail, find the section below and change enabled from false to true.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

If you have selected a non-standard SSH port in step 3, then you need to change the port setting in fail2ban from ssh (which by default is port 22) to your new port number; for example, if you have chosen 1234 then port = 1234.

[ssh]
enabled = true
port = <ENTER YOUR SSH PORT NUMBER HERE>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

If you would like to receive emails from Fail2Ban when hosts are banned, change the following line to your email address:
destemail = root@localhost

and change the following line from:
action = %(action_)s

to:
action = %(action_mwl)s

You can also create rule filters for the various services that you would like fail2ban to monitor that are not supplied by default:
sudo vi /etc/fail2ban/jail.local

Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge - click here for an example (http://www.howtoforge.com/perfect-server-ubuntu-11.10-ispconfig-3-p5).

When done with the configuration of Fail2Ban, restart the service with:
sudo /etc/init.d/fail2ban restart

You can also check the status with:
sudo fail2ban-client status

14. Intrusion Detection - PSAD

Cipherdyne PSAD (http://www.cipherdyne.org/psad/) is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. Currently version 2.1 causes errors during install on Ubuntu 12.04, but apparently does work. Version 2.2 resolves these issues but is not yet available in the Ubuntu software repositories. It is recommended to manually compile and install version 2.2 from the source files available on the Cipherdyne website (http://www.cipherdyne.org/psad/download/). To install the latest version from the source files, follow these instructions: How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server. Or install the older version from the Ubuntu software repositories; open a terminal and enter the following:
sudo apt-get install psad

Then for basic configuration see How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server and follow from step 2.

15. Check for rootkits - RKHunter and CHKRootKit

Both RKHunter (http://rkhunter.sourceforge.net/) and CHKRootkit (http://www.chkrootkit.org/) basically do the same thing: check your system for rootkits (http://en.wikipedia.org/wiki/Rootkit). No harm in using both. Open a terminal and enter the following:
sudo apt-get install rkhunter chkrootkit

To run chkrootkit, open a terminal window and enter:

sudo chkrootkit

To update and run RKHunter, open a terminal and enter the following:
sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check

16. Scan open ports - Nmap

Nmap (http://nmap.org/) ("Network Mapper") is a free and open source utility for network discovery and security auditing. Open a terminal and enter the following:
sudo apt-get install nmap

Scan your system for open ports with:
nmap -v -sT localhost

SYN scanning with the following:
sudo nmap -v -sS localhost

17. Analyse system LOG files - LogWatch

Logwatch (http://sourceforge.net/projects/logwatch/) is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing the areas that you specify. Logwatch is easy to use and will work right out of the package on most systems. Open a terminal and enter the following:
sudo apt-get install logwatch libdate-manip-perl

To view logwatch output use less:
sudo logwatch | less
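Added example, not part of the original guide, serving step 13 (the Fail2Ban [ssh] jail with maxretry = 3) and step 17 (Logwatch-style reporting): an awk script that tallies failed SSH password attempts per source address in auth.log and reports which sources have reached the ban threshold. The log lines are constructed samples using documentation address ranges.

```shell
#!/bin/sh
# Added example: tally failed SSH password attempts per source IP from an
# auth.log and report which sources reached fail2ban's maxretry (3 in the
# [ssh] jail from step 13). Nothing is banned; this only reads the log.

# failed_logins LOGFILE -> prints "count ip" lines, most attempts first
failed_logins() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -rn
}

# would_ban LOGFILE MAXRETRY -> prints the IPs with MAXRETRY or more failures
would_ban() {
    failed_logins "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
May 17 13:06:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 50211 ssh2
May 17 13:06:03 srv sshd[2101]: Failed password for root from 203.0.113.7 port 50211 ssh2
May 17 13:06:05 srv sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
May 17 13:07:10 srv sshd[2130]: Failed password for bob from 198.51.100.4 port 40001 ssh2
May 17 13:07:30 srv sshd[2131]: Accepted publickey for bob from 198.51.100.4 port 40002 ssh2
EOF
echo "Failed password attempts per source:"
failed_logins "$SAMPLE"
echo "Sources at or above maxretry = 3:"
would_ban "$SAMPLE" 3
rm -f "$SAMPLE"
```

On a real server pass /var/log/auth.log instead of the sample; the counts should agree with what fail2ban-client status reports for the ssh jail.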

To email a logwatch report for the past 7 days to an email address, enter the following, replacing mail@domain.com with the required email:
sudo logwatch --mailto mail@domain.com --output mail --format html -range 'between -7 days and today'

18. SELinux - Apparmor

The National Security Agency (http://www.nsa.gov/research/selinux/index.shtml) (NSA) has taken Linux to the next level with the introduction of Security-Enhanced Linux (SELinux). SELinux takes the existing GNU/Linux operating system and extends it with kernel and user-space modifications to make it bullet-proof. More information can be found in the Ubuntu Server Guide - Apparmor. It is installed by default since Ubuntu 7.04. Open a terminal and enter the following:
sudo apt-get install apparmor apparmor-profiles

Check to see if things are running:
sudo apparmor_status

19. Audit your system security - Tiger

Tiger (http://www.nongnu.org/tiger/) is a security tool that can be used both as a security audit and an intrusion detection system. Open a terminal and enter the following:
sudo apt-get install tiger

To run tiger enter:
sudo tiger

All Tiger output can be found in /var/log/tiger. To view the tiger security reports, open a terminal and enter the following:
sudo less /var/log/tiger/security.report.*
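An end-of-guide verification, added here as example code rather than taken from the original post: it compares the key = value lines of a sysctl.conf (step 6) with the live values the kernel exposes under /proc/sys, and checks that the shared-memory mount from step 2 carries noexec and nosuid. Both paths are parameters so the demo runs on a constructed tree; on a real server point them at /proc/sys and /proc/mounts.

```shell
#!/bin/sh
# Added example: check that steps 2 and 6 are in effect. sysctl_drift compares
# the "key = value" lines of a sysctl.conf with the live values under /proc/sys
# (one file per key, dots become slashes); shm_hardened reads a mounts table
# and requires noexec and nosuid on the shared-memory mount.

# sysctl_drift CONF [PROC_ROOT] -> prints each key whose live value differs;
# exit status is the number of keys not applied (0 = everything applied)
sysctl_drift() {
    awk -v root="${2:-/proc/sys}" '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || index($0, "=") == 0 { next }   # skip comments, non-settings
        {
            key = $1; want = $NF
            path = key; gsub(/\./, "/", path); path = root "/" path
            if ((getline live < path) <= 0) {
                print key ": not present under " root; bad++
            } else if (live != want) {
                print key ": live value " live ", expected " want; bad++
            }
            close(path)
        }
        END { exit bad }
    ' "$1"
}

# shm_options [MOUNTS] -> prints the mount options of /dev/shm or /run/shm
shm_options() {
    awk '$2 == "/dev/shm" || $2 == "/run/shm" { print $4; exit }' "${1:-/proc/mounts}"
}

# shm_hardened [MOUNTS] -> succeeds only if noexec and nosuid are both set
shm_hardened() {
    opts=",$(shm_options "$1"),"
    case "$opts" in *,noexec,*) case "$opts" in *,nosuid,*) return 0 ;; esac ;; esac
    return 1
}

# Constructed demo tree standing in for /proc/sys and /proc/mounts; on a real
# server run sysctl_drift /etc/sysctl.conf and shm_hardened with no arguments.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/sys/net/ipv4/conf/all"
echo 1 > "$DEMO/sys/net/ipv4/conf/all/rp_filter"
echo 0 > "$DEMO/sys/net/ipv4/tcp_syncookies"
printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.tcp_syncookies = 1\n' > "$DEMO/sysctl.conf"
echo 'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0' > "$DEMO/mounts"
sysctl_drift "$DEMO/sysctl.conf" "$DEMO/sys" || echo "$? sysctl key(s) not applied"
shm_hardened "$DEMO/mounts" || echo "shared memory is missing noexec or nosuid"
rm -rf "$DEMO"
```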

Tags: Ubuntu 12.04, Ubuntu Security, ufw, SSH, sysctl, DNS, IP Spoofing, PHP Security, ModSecurity, ModEvasive, DenyHosts, Fail2Ban, PSAD, RKHunter, NMap, LogWatch, Apparmor, SELinux, Tiger, RootKits, Log Files

Comments

Submitted by steph (not verified) on Sat, 2013-03-09 11:29

Why do you suggest "magic_quotes_gpc = On"? When you read php.ini comments, it is written that the Off value is for production, as this feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. (see: http://www.php.net/manual/en/security.magicquotes.php)

Submitted by The Fan Club on Sat, 2013-03-09 14:25

Thank you for pointing that out. It should be off.

Submitted by dennis.k (not verified) on Fri, 2013-03-22 11:03

This is a nice tutorial, quick and easy, less explained, but they look clear to me. I use similar ones in a production environment. I did not test the rules of OWASP CRS yet since they are stated as experimental. ModEvasive is also not really needed in favour of ModSecurity, which can also do DDoS prevention for you. Take a look at the file "modsecurity_crs_11_dos_protection". Thanks for that! What I missed here also is the security of email services like postfix and generally an anti-virus tool, I mean use of clamav, postgrey and so on. It would be nice if you spent time to write a part for that ;-) One that I believe is also required for good security is to install suhosin for php, and how to configure it with minimal settings. It would be nice if you add it to this guide. Another thing I ever see is enabled mods in apache that nobody uses (which can be simply disabled), or modules which can be turned off and on for special applications. It would be nice if you speak about what is really needed, and how to disable/enable unused ones. Also speak about disabling/enabling modules in php that are mostly not used. Thanks
