Securing Ubuntu


Page 1: Securing Ubuntu

Securing Ubuntu / Ubuntu Hardening Guide

I've built this up over a while as part of some personal documentation for work use and figured it may be of use to other people. I have no idea where half of this came from, but if you recognize some tips of yours, contact me at admin at matthewlye dot com and I'll add some credits to this; I'm sure most of the tips are widely documented.

A more regularly updated version can be found here: http://www.matthewlye.com/index.php/ubuntu-sec

For more general tips and ideas, check the Ubuntu Security thread by that genius bodhi.zazen at http://ubuntuforums.org/showthread.php?t=765421

First things first: if you just want something quick and fast, here are the big three:

Reconfiguring shared memory

Load your favorite text editor, open the file "/etc/fstab" and add the following line:

tmpfs /dev/shm tmpfs defaults,ro 0 0

(Annotation, translated from Thai: already done; it is covered in the Thai-language Ubuntu documentation at www.ubuntuclub.com.)


Disabling SSH root login

Load your favorite text editor, open the file "/etc/ssh/sshd_config" and change the following line:

PermitRootLogin yes

to

PermitRootLogin no

(Annotation, translated from Thai: also done; there is a Thai-language document for it.)

Limiting access to the "su" program (this is done by default in Ubuntu)

*****MAKE SURE YOU ARE PART OF THE ADMIN GROUP*****

Open the terminal by clicking "Applications", selecting "Accessories" and choosing "Terminal". From there enter the commands:

sudo chown root:admin /bin/su
sudo chmod 04750 /bin/su

(Annotation, translated from Thai: also done; Thai-language document.)

System/Server Hardening Checklist

Here is the larger recommended list (although most items are not necessary unless you are looking at a server or lab environment).

1. Disk Partitions and Mounting

1. Separate /home, /tmp and /var/tmp from the root partition (only if the machine has frequent access from general users other than the administrator).
2. Change mount options in /etc/fstab to limit user access on the appropriate filesystems.


· Using noexec prevents execution of binaries on a file system.

This is not good if you have programs that must be executed from it; data partitions are good candidates. It is often used for partitions serving Apache.

· Using nosuid prevents the setuid bit from having any effect.

SUID stands for Set User ID. If the SUID bit is set on an application, then while that application runs your user ID is set to that of the owner of the application/file rather than your current user. So if I have an application owned by 'root' with its SUID bit set, then when I run it as a normal user it still runs as root: the SUID bit tells Linux that the user ID root is set for this application and that whenever it executes it must execute as if root were executing it (since root owns the file). Disabling this for a drive prevents this operation.

· The nodev option prevents use of device files on the filesystem.

This option is generally recommended for CDs and NTFS file systems. It can also help lock down a system by preventing a breach via simply creating hda1 or sda1 device nodes that are writable by all.
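A way to check an fstab against items 1 and 2 above before rebooting, as an added example that is not part of the original guide: it parses the file and reports which of nodev, nosuid and noexec are missing for each mount point. The SAMPLE_FSTAB text is constructed, and the per-mount option sets (no noexec on /home, per the note on noexec above) are this example's assumptions.

```bash
#!/bin/sh
# Audit /etc/fstab for the restrictive mount options the checklist recommends.
# SAMPLE_FSTAB is a constructed example, not a real system's file; on a real host
# run: fstab_report "$(cat /etc/fstab)"
SAMPLE_FSTAB='# constructed sample fstab
UUID=0000-root /         ext4  errors=remount-ro             0 1
UUID=0000-home /home     ext4  defaults,nodev,nosuid         0 2
UUID=0000-tmp  /tmp      ext4  defaults,nodev,nosuid,noexec  0 2
UUID=0000-vtmp /var/tmp  ext4  defaults                      0 2
tmpfs          /dev/shm  tmpfs defaults,nodev,nosuid,noexec  0 0'

# Print the options column for a mount point, or nothing if it has no entry.
fstab_opts() {  # $1 = fstab text, $2 = mount point
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# Print the wanted options that the mount point lacks, comma separated
# (empty when all are present); print MISSING-ENTRY if it is not in fstab.
fstab_missing() {  # $1 = fstab text, $2 = mount point, $3 = wanted options, comma separated
    opts=$(fstab_opts "$1" "$2")
    if [ -z "$opts" ]; then echo "MISSING-ENTRY"; return 0; fi
    missing=""
    for want in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;                                  # option present
            *) missing="${missing:+$missing,}$want" ;;       # option absent
        esac
    done
    printf '%s\n' "$missing"
}

# Report the mount points from items 1 and 2. /home is checked without noexec
# because, as noted above, users need to run programs there (an assumption here).
fstab_report() {  # $1 = fstab text
    for spec in /home:nodev,nosuid /tmp:nodev,nosuid,noexec \
                /var/tmp:nodev,nosuid,noexec /dev/shm:nodev,nosuid,noexec; do
        mp=${spec%%:*}; wanted=${spec#*:}
        printf '%-9s missing: %s\n' "$mp" "$(fstab_missing "$1" "$mp" "$wanted")"
    done
}

fstab_report "$SAMPLE_FSTAB"
```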


2. Physical Security

Typically used in lab environments or where a server is not in a completely secured location.

1. Configure BIOS.
· Disable booting from CDs/DVDs, floppies, and external devices.
· Set a BIOS password to protect the settings.
2. Set a password for the GRUB bootloader.
· Generate a password hash using the command /usr/sbin/grub-md5-crypt. Add the hash to the first line of /boot/grub/menu.lst as follows:

password --md5 passwordhash

· Remove the rescue-mode boot section from /boot/grub/menu.lst

3. Keep Software Up to Date

Upgrade through the Ubuntu Repository Network to apply upgrades automatically. Security updates should be applied as soon as possible. Create the file apt.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:

#!/bin/sh
# Refresh the package index. This alone installs nothing; the pending updates
# are applied with "apt-get upgrade" (or by the unattended-upgrades package).
/usr/bin/apt-get update

This can have a side effect of breaking some dependencies.

4. Detecting listening network ports & Closing open ports and services


Detecting listening network ports

For a list of network ports that are open you can use the following commands:

# netstat -tulp

or

# lsof -i -n | egrep 'COMMAND|LISTEN|UDP'

or just a port scanner (nmap). (Annotation, translated from Thai: to see which services are running.)

Closing open ports and services

To get a list of running services you can execute the following commands:

# apt-get install sysv-rc-conf
# sysv-rc-conf --list | grep on

(Annotation, translated from Thai: do this to see which ports we have open.)

To disable a running service you can execute the command:

# sysv-rc-conf <service name> off

(Annotation, translated from Thai: do this to turn it off.) Then stop the service from running by executing:

# /etc/init.d/<service> stop

5. Disable SUID and SGID Binaries

To find SUID and SGID files on the system, use the following command:

# find / \( -perm -4000 -o -perm -2000 \) -print

SUID or SGID bits can be safely disabled (using chmod -s filename) unless required by another program.
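An added example, not from the original guide, that turns the find command above into a baseline check: record the SUID/SGID files once, then diff later scans against that list so a newly setuid file stands out. It is shown on a constructed scratch directory, since scanning / completely needs root; the demo_tree helper and its file names are this example's assumptions.

```bash
#!/bin/sh
# Baseline the SUID/SGID files once, then diff later scans against it.
# Demonstrated on a constructed scratch tree; scanning "/" needs root.

# Print SUID/SGID regular files under $1, sorted, relative to $1.
suid_list() {  # $1 = directory to scan
    ( cd "$1" && find . \( -perm -4000 -o -perm -2000 \) -type f -print | sort )
}

# Print "+path" for files that gained a setuid/setgid bit since the baseline
# and "-path" for baseline entries that are gone; print nothing if unchanged.
suid_diff() {  # $1 = baseline file, $2 = directory to scan
    now=$(mktemp)
    suid_list "$2" > "$now"
    # comm: untabbed lines are only in the baseline, tab-indented only in the new scan
    comm -3 "$1" "$now" | awk '/^\t/ { sub(/^\t/, ""); print "+" $0; next } { print "-" $0 }'
    rm -f "$now"
}

# Constructed scratch tree (an assumption of this example): two tools that are
# legitimately privileged and one ordinary binary.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/sbin"
    : > "$d/bin/ping"; chmod 4755 "$d/bin/ping"    # SUID, expected
    : > "$d/sbin/wall"; chmod 2755 "$d/sbin/wall"  # SGID, expected
    : > "$d/bin/ls";    chmod 0755 "$d/bin/ls"     # no special bits
    printf '%s\n' "$d"
}

D=$(demo_tree)
suid_list "$D" > "$D/baseline.txt"     # record once; keep a copy off the host
chmod 4755 "$D/bin/ls"                 # later: a binary became setuid
suid_diff "$D/baseline.txt" "$D"       # reports: +./bin/ls
rm -rf "$D"
```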


6. Configure and Use TCP Wrapper

Configure the TCP Wrapper library to protect network daemons that support its use by adding appropriate rules to /etc/hosts.allow and /etc/hosts.deny.

NOTE: TCP wrappers only work for services that inetd starts. Sendmail, Apache and named do not use inetd, and so they are not protected via TCP wrappers.

7. Configure and Use AppArmor

AppArmor is installed and loaded by default in Hardy. Some packages will install their own enforcing profiles. Active profiles for a LAMP server:

· usr.sbin.mysqld
· usr.sbin.apache2

All activity will be logged by auditd and saved to /var/log/audit/audit.log

Some excellent advice on this is available in the sticky threads here.

8. Rdate or NTP (to keep your server date up to date)

Create the file /etc/cron.d/rdate with the following line:

15 * * * * root /usr/sbin/rdate -s content

For NTP, create the file /etc/cron.d/ntp with the following line:

15 * * * * root /usr/sbin/ntpdate server

9. Configure or Disable SSH

- Disable it when not required.
- If SSH is required, ensure the SSH configuration includes the following lines:

· PermitRootLogin no
· Protocol 2

- If possible, limit SSH access to a subset of users. Create a group called sshusers and only add the users that need remote access. Then add the following line to /etc/ssh/sshd_config:

· AllowGroups sshusers

Edit /etc/group, find sshusers and add the allowed users.
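An added example, not from the original guide, that checks an sshd_config for the three settings in item 9. It follows sshd's rule that the first occurrence of a keyword wins and that lines after a Match block are conditional, which is why the constructed SAMPLE_SSHD fails even though a PermitRootLogin no line appears in it.

```bash
#!/bin/sh
# Check an sshd_config for the item 9 settings. sshd takes the FIRST value it
# sees for a keyword, and anything after a Match line applies conditionally, so
# a hardened line appended at the end can be silently ignored.
# SAMPLE_SSHD is a constructed config, not taken from a real host.
SAMPLE_SSHD='# constructed sshd_config
Port 22
Protocol 2
PermitRootLogin yes
AllowGroups sshusers
PermitRootLogin no
Match User backup
    PermitRootLogin no'

# Print the effective global value of a keyword (case-insensitive), "" if unset.
sshd_value() {  # $1 = config text, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }                      # global section ends here
        $1 !~ /^#/ && tolower($1) == key { print $2; exit }  # first occurrence wins'
}

# Print PASS/FAIL per required setting; return 1 if any setting fails.
sshd_check() {  # $1 = config text
    rc=0
    for pair in PermitRootLogin=no Protocol=2 AllowGroups=sshusers; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want '$want'"; rc=1
        fi
    done
    return $rc
}

sshd_check "$SAMPLE_SSHD" || echo "fix the FAIL lines, then validate with: sshd -t"
```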

10. Disable IPv6

- Disable it when not required. Edit the following line in /etc/modprobe.d/aliases:

· Find the line: alias net-pf-10 ipv6
· Edit this to: alias net-pf-10 off ipv6
· Save the file and reboot

11. Disable Compilers

· Add a compiler group: /usr/sbin/groupadd compiler
· Move to the correct directory: cd /usr/bin
· Make the most common compilers part of the compiler group:

chgrp compiler *cc*
chgrp compiler *++*
chgrp compiler ld
chgrp compiler as

· Set access on mysqlaccess:

chgrp root mysqlaccess

· Set permissions:

chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
chmod 755 mysqlaccess

· To add users to the group, modify /etc/group and change compiler:123: to compiler:123:username1,username2 ('123' will be different on your installation)

12. Root Notification

Edit .bashrc under /root to get notified by email when someone logs in as root, and add the following (replace you@example.com with the address that should receive the alert):

echo "ALERT - Root Shell Access (Server Name) on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" you@example.com


13. Securing History

chattr +a .bash_history   (append-only: entries can be added but not removed)
chattr +i .bash_history   (immutable; note that +i also blocks appends, so use one or the other)

Let your users know that their history is being locked; they will have to agree before they use your services.

14. Using a Welcome Message

Edit /etc/motd and put in the following banner to be displayed:

Report: Hardening Ubuntu 9.10 Server – MSIT03

WARNING !!!
This computer system, including all related equipment and network devices (specifically including Internet access), is provided only for authorized use. Unauthorized use may subject you to criminal prosecution. By accessing this system, you have agreed to the terms and conditions of use, and your actions will be monitored and recorded.

15. Chmod dangerous files

chmod 700 /bin/ping
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/whereis
chmod 700 /sbin/ifconfig
chmod 700 /bin/nano
chmod 700 /usr/bin/vi
chmod 700 /usr/bin/which
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/make
chmod 700 /usr/bin/apt-get
chmod 700 /usr/bin/aptitude

16. Specify TTY Devices Root Is Allowed

vi /etc/securetty

Leave only two connections:

tty1
tty2

17. Choose a secure password

This is generally a good tip; this fix, however, applies to people using PAM to authenticate to LDAP or AD.

vi /etc/pam.d/common-password

Change the detail from this:

password requisite pam_unix.so nullok obscure md5

to

password requisite pam_unix.so nullok obscure md5 min=8

Change min=8 to your company password policy length.

18. Checking for Rootkits

Install it from the Ubuntu repository:

# apt-get install chkrootkit

You can run it with the following command: ./chkrootkit

Now we are going to add it to cron to schedule daily automatic scans of the system: vi /etc/cron.daily/chkrootkit.sh and type

#!/bin/bash
# Enter the directory where chkrootkit is installed
# (the Ubuntu package installs it as /usr/sbin/chkrootkit, in which case the cd is not needed)
cd /root/chkrootkit/
# Enter your email address where you want to receive the report
./chkrootkit | mail -s "Daily chkrootkit from Server Name" you@example.com

Now change the file permissions so we can run it: chmod 755 /etc/cron.daily/chkrootkit.sh

To give it a try you can run chkrootkit.sh manually from the /etc/cron.daily directory, and you should receive a report at the email account you provided.

19. Hardening your Kernel (sysctl.conf)

Instead of doing this manually, use a pre-hardened kernel like SELinux.

20. Disable unnecessary PHP variables

Edit /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini. (Annotation, translated from Thai: could only be done for one file.)

Turn off these variables:

allow_call_time_pass_reference = Off
magic_quotes_gpc = Off
register_long_arrays = Off
register_argc_argv = Off
allow_url_fopen = Off
expose_php = Off
disable_functions = symlink,shell_exec,proc_close,proc_open,dl,passthru,escapeshellarg,escapeshellcmd,openlog,apache_child_terminate,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual,phpinfo

21. Apache 2 Hardening

- Edit /etc/apache2/apache2.conf
- Turn off these variables:

TraceEnable off

- (Disable Apache root access)

<Directory />
    Order deny,allow
    Deny from all
</Directory>

- Enable modules ( /etc/apache2/mods-enabled/ ):

alias, auth_basic, authn_file, authz_default, authz_groupfile, authz_host, authz_user, autoindex, dir, env, mime, mod-security2, negotiation, php5, rewrite, setenvif, ssl, unique_id

- Edit /etc/php.ini

Find disable_functions and edit as below:

disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source

Hardened Kernel Variables ( /etc/sysctl.conf )

(Annotation, translated from Thai: add all of these; it increases security.)

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# Disables IP source routing
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.eth0.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Modify system limits for Ensim WEBppliance
fs.file-max = 65000

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack ( Need to turn on for traffic to internet)
#net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 57344 57344 65536

# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288

# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864

# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 524280
net.core.rmem_default = 524280

# Increase the maximum and default send socket buffer size
net.core.wmem_max = 524280
net.core.wmem_default = 524280

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344
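An added example, not from the original guide, that compares a kernel's live settings with the hardened values above: feed it the output of sysctl -a and it lists every wanted key that differs or is absent (a key naming an interface the host does not have, such as eth0, shows up as absent). SAMPLE_SYSCTL is constructed and WANTED is a subset of the list above.

```bash
#!/bin/sh
# Compare a kernel's live settings (output of "sysctl -a") with the hardened
# values above. SAMPLE_SYSCTL is constructed; on a real host run:
#   sysctl_audit "$(sysctl -a 2>/dev/null)"
SAMPLE_SYSCTL='kernel.sysrq = 1
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.tcp_timestamps = 1'

# Desired key=value pairs, one per line, a subset of the list above.
WANTED='kernel.sysrq=0
kernel.core_uses_pid=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.eth0.rp_filter=1
net.ipv4.conf.eth0.log_martians=1'

# Print the live value of one key, or nothing if the key is absent
# (e.g. the key names an interface that does not exist on this host).
sysctl_current() {  # $1 = sysctl -a text, $2 = key
    printf '%s\n' "$1" | awk -F' = ' -v k="$2" '$1 == k { print $2; exit }'
}

# One line per wanted key that differs or is absent; silent when all match.
sysctl_audit() {  # $1 = sysctl -a text
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        cur=$(sysctl_current "$1" "$key")
        [ "$cur" = "$want" ] || echo "$key current=${cur:-absent} wanted=$want"
    done
}

# Number of deviations, so a cron job can alert on anything other than 0.
sysctl_deviations() {  # $1 = sysctl -a text
    sysctl_audit "$1" | grep -c . || true
}

sysctl_audit "$SAMPLE_SYSCTL"
```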

Installing Nessus 4.2.0 for Ubuntu 9.10 32-bit

From the website:

http://www.nessus.org/download/nessus_download.php

The file is:

Nessus-4.2.0-ubuntu910_386.deb (7066 KB)

Then open a Terminal.


If an old Nessus is present, remove it first using the command:

# killall nessusd

Go into the Downloads folder and install with the command:

root@ubuntu:~/Downloads# dpkg -i Nessus-4.2.0-ubuntu910_i386.deb

Edit the file: gedit /opt/nessus/etc/nessus/nessusd.conf

# max_host = 20 (on Linux; on Windows 19 is enough)

# max_checks=3 is the commonly used value

Start it with: /etc/init.d/nessusd start

Stop it with: killall nessusd

Before updating plugins:

Open the hotmail.com mailbox that was registered with Nessus; you will receive an activation code:

# /opt/nessus/bin/nessus-fetch --register DDA8-98EB-10D9-0832-2D8D

Then update the plugins (this can be done as often as needed) with:

# /opt/nessus/sbin/nessus-update-plugins

Set up automatic plugin updates:


# /opt/nessus/bin/nessus-fetch --check

Open port 8834 for SSL (https) connections:

# ufw allow 8834

Open port 1241 for the Nessus scanner:

# ufw allow 1241

Disabling IPv6

http://www.webupd8.org/2009/11/how-to-disable-ipv6-in-ubuntu-910.html

# sudo gedit /etc/default/grub
# search for GRUB_CMDLINE_LINUX
# modify it so it looks like this: GRUB_CMDLINE_LINUX="ipv6.disable=1"
# then update GRUB: sudo update-grub2
# if you don't use GRUB 2: sudo update-grub
# finally, restart your system

Installing GUFW (the Ubuntu firewall in GUI mode)

# apt-get update
# apt-get -y install gufw

Select "Enable your firewall". It sets the allow rules just like plain ufw does.

Installing phpmyadmin

# apt-get install phpmyadmin

Restart the apache2 service:

# /etc/init.d/apache2 restart

SSL with Web Server

# apt-get update
# apt-get install openssl
# mkdir /ssl-key
# cd /ssl-key

Source: http://www.oknation.net/blog/itlabour/2009/04/04/entry-1

Server www.rangsun.test:443