A quick way to make a Ubuntu server a bit more secure.
Tested on 15.10 Ubuntu Wily Werewolf, 16.04 Xenial Xerus and 16.10 Yakkety Yak (development branch).
Systemd required.
If you’re just interested in the security focused systemd configuration, it’s available as a separate document.
If you’re interested in testing your host settings, you’ll find the instructions here.
|
Note
|
This is a constant work in progress. Make sure you understand what it does. Read the code. |
Start the installation of the server.
Pick language, keyboard layout, timezone and so on as you usually would.
/
/boot (rw)
/home (rw,nosuid,nodev)
swap
/var
/var/log (rw,nosuid,nodev,noexec)
/var/log/audit (rw,nosuid,nodev,noexec)Note that /tmp and /var/tmp will be added automatically by the script.
Do not add any packages.
Log in.
Select a Grub2 password (using grub-mkpasswd-pbkdf2).
Download the script using git clone https://github.com/konstruktoid/hardening.git.
Change the configuration options in the ubuntu.cfg file and last but not least run the script, sudo bash ubuntu.sh.
FW_ADMIN='127.0.0.1' // (1)
SSH_GRPS='sudo' // (2)
SYSCTL_CONF='https://raw.githubusercontent.com/konstruktoid/hardening/master/misc/sysctl.conf' // (3)
AUDITD_RULES='https://raw.githubusercontent.com/konstruktoid/hardening/master/misc/audit.rules' // (4)
LOGROTATE_CONF='https://raw.githubusercontent.com/konstruktoid/hardening/master/misc/logrotate.conf' // (5)
NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org' // (6)
VERBOSE='N' // (7)
CHANGEME='' // (8)
# Configuration files
ADDUSER='/etc/adduser.conf'
AUDITDCONF='/etc/audit/auditd.conf'
AUDITRULES='/etc/audit/rules.d/hardening.rules'
COMMONPASSWD='/etc/pam.d/common-password'
COMMONACCOUNT='/etc/pam.d/common-account'
COMMONAUTH='/etc/pam.d/common-auth'
DEFAULTGRUB='/etc/default/grub'
DISABLEMNT='/etc/modprobe.d/disablemnt.conf'
DISABLEMOD='/etc/modprobe.d/disablemod.conf'
DISABLENET='/etc/modprobe.d/disablenet.conf'
JOURNALDCONF='/etc/systemd/journald.conf'
LIMITSCONF='/etc/security/limits.conf'
LOGINDCONF='/etc/systemd/logind.conf'
LOGINDEFS='/etc/login.defs'
LOGROTATE='/etc/logrotate.conf'
PAMLOGIN='/etc/pam.d/login'
RESOLVEDCONF='/etc/systemd/resolved.conf'
RKHUNTERCONF='/etc/default/rkhunter'
SECURITYACCESS='/etc/security/access.conf'
SSHDFILE='/etc/ssh/sshd_config'
SYSCTL='/etc/sysctl.conf'
SYSTEMCONF='/etc/systemd/system.conf'
TIMESYNCD='/etc/systemd/timesyncd.conf'
UFWDEFAULT='/etc/default/ufw'
USERADD='/etc/default/useradd'
USERCONF='/etc/systemd/user.conf'-
The IP addresses that will be able to connect with SSH.
-
Which group the users have to be member of in order to acess via SSH.
-
Stricter sysctl settings.
-
Auditd rules.
-
Logrotate settings.
-
NTP server pool.
-
If you want all the details or not.
-
Add something just to verify that you actually glanced the code.
pre Script setup
firewall Enable ufw and allow port 22 from $FW_ADMIN
disablenet Disable misc network protocols
disablemnt Disable misc file systems
disablemod Disable misc kernel modules
resolvedconf Systemd/resolved.conf
systemdconf Systemd/system.conf and Systemd/user.conf
journalctl Systemd/journald.conf and logrotate.conf
timesyncd Systemd/timesyncd.conf
coredump Systemd/coredump.conf
fstab /etc/fstab, system/tmp.mount and system/var-tmp.mount
prelink Prelink
aptget Updating the package index and upgrading installed packages
hosts /etc/hosts.allow and /etc/hosts.deny
issue Add message to /etc/issue, /etc/issue.net, /etc/motd
logindefs /etc/login.defs
logindconf Systemd/logind.conf
sysctl /etc/sysctl.conf
limitsconf /etc/security/limits.conf
adduser /etc/adduser.conf and /etc/default/useradd
rootaccess /etc/security/access.conf and /etc/securetty
packages Installing base packages
apport Disable apport
rkhunter Configures rkhunter
sshdconfig /etc/ssh/sshd_config
password /etc/pam.d/common-password and /etc/pam.d/common-auth
cron /etc/cron and /etc/at
ctrlaltdel Ctrl-alt-delete
auditd Auditd
aide Aide
rhosts .rhosts
users Remove users
lockroot Lock root user account
aptget_clean Remove unused packages
suid Remove suid bits
umask Set umask
path Modify paths
aa_enforce Enforce apparmor profiles
aide_post Create Aide db
aide_timer Enable daily Aide check
systemddelta systemd-delta
checkreboot Check if reboot is required
There are approximately 275 Bats tests for most of the above settings available in the tests directory.
git clone https://github.com/konstruktoid/hardening.git
cd tests/
sudo bats .If you’re using Ansible, a playbook with most of the above functions implemented is available in my Ansible repository konstruktoid/Ansible.