A quick way to make an Ubuntu server a bit more secure.

Tested on 16.04 Xenial Xerus, 17.10 Artful Aardvark and 18.04 Bionic Beaver. Systemd required.

If you’re just interested in the security focused systemd configuration, it’s available as a separate document.
If you’re interested in testing your host settings, you’ll find the instructions here.
If you’re using Ansible, a playbook with most of the functions described here implemented is available in my Ansible repository konstruktoid/ansible-role-hardening.
Note: This is a constant work in progress. Make sure you understand what it does. Read the code.
Start the installation of the server. Pick language, keyboard layout, timezone and so on as you usually would.

Partition the system as follows (mount options in parentheses):

/
/boot (rw)
/home (rw,nosuid,nodev)
swap
/var
/var/log (rw,nosuid,nodev,noexec)
/var/log/audit (rw,nosuid,nodev,noexec)

Note that /tmp and /var/tmp will be added automatically by the script.
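The mount options in the scheme above are the part that is easiest to get wrong by hand and the first thing to verify after the install. The following is an added example, not code from the hardening repository: it parses a constructed fstab (placeholder UUIDs, and /var/log deliberately missing noexec) and reports, per mount point, which of the required options are absent. On a live host the same function takes the real file as its third argument.

```shell
#!/bin/sh
# Constructed /etc/fstab following the scheme above (placeholders instead of real UUIDs;
# /var/log deliberately lacks noexec so the check has something to find).
SAMPLE_FSTAB='UUID=root-placeholder /              ext4  defaults                        0 1
UUID=boot-placeholder /boot          ext4  rw                              0 2
UUID=home-placeholder /home          ext4  rw,nosuid,nodev                 0 2
UUID=var-placeholder  /var           ext4  defaults                        0 2
UUID=log-placeholder  /var/log       ext4  rw,nosuid,nodev                 0 2
UUID=aud-placeholder  /var/log/audit ext4  rw,nosuid,nodev,noexec          0 2
UUID=swap-placeholder none           swap  sw                              0 0
tmpfs                 /tmp           tmpfs rw,nosuid,nodev,noexec,size=2G 0 0'

# has_opt OPTS OPT: succeed if the comma-separated option list OPTS contains OPT exactly
# (so "nodev" does not match "nodevx", and "size=2G" is matched whole).
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# missing_opts MOUNTPOINT REQUIRED [FSTAB]: print, space separated, the options from the
# comma-separated list REQUIRED that MOUNTPOINT lacks in FSTAB (default: the sample above).
# Prints NOT_IN_FSTAB if the mount point has no entry.  Exit status is 0 only when
# nothing is missing, so the function can be used directly as a test.
missing_opts() {
  mnt="$1"; req="$2"; fstab="${3:-$SAMPLE_FSTAB}"
  opts=$(printf '%s\n' "$fstab" | awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }')
  if [ -z "$opts" ]; then
    printf 'NOT_IN_FSTAB'
    return 1
  fi
  missing=""
  for o in $(printf '%s' "$req" | tr ',' ' '); do
    has_opt "$opts" "$o" || missing="$missing $o"
  done
  printf '%s' "${missing# }"
  [ -z "$missing" ]
}

# report: check every mount point the scheme hardens.  On a live host call
# missing_opts with "$(cat /etc/fstab)" as the third argument instead of the sample.
report() {
  for spec in '/home nosuid,nodev' '/var/log nosuid,nodev,noexec' \
              '/var/log/audit nosuid,nodev,noexec' '/tmp nosuid,nodev,noexec'; do
    set -- $spec
    if m=$(missing_opts "$1" "$2"); then
      printf '%-15s ok\n' "$1"
    else
      printf '%-15s missing: %s\n' "$1" "$m"
    fi
  done
}

report
```

Checking fstab tells you what the next boot will do; what is mounted right now can differ (a remount, or an installer that wrote different options), so pair this with a look at the running mount table before trusting the result.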
Do not add any packages.
Log in.
Select a Grub2 password (using grub-mkpasswd-pbkdf2).
Download the script using git clone https://github.com/konstruktoid/hardening.git.
Change the configuration options in the ubuntu.cfg file and, last but not least, run the script: sudo bash ubuntu.sh.

The configuration options in ubuntu.cfg:
FW_ADMIN='127.0.0.1' // (1)
SSH_GRPS='sudo' // (2)
SYSCTL_CONF='./misc/sysctl.conf' // (3)
AUDITD_RULES='./misc/audit.rules' // (4)
LOGROTATE_CONF='./misc/logrotate.conf' // (5)
NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org' // (6)
TIMEDATECTL='' // (7)
VERBOSE='N' // (8)
AUTOFILL='N' // (9)
CHANGEME='' // (10)
# Configuration files
ADDUSER='/etc/adduser.conf'
AUDITDCONF='/etc/audit/auditd.conf'
AUDITRULES='/etc/audit/rules.d/hardening.rules'
COMMONPASSWD='/etc/pam.d/common-password'
COMMONACCOUNT='/etc/pam.d/common-account'
COMMONAUTH='/etc/pam.d/common-auth'
DEFAULTGRUB='/etc/default/grub'
DISABLEMNT='/etc/modprobe.d/disablemnt.conf'
DISABLEMOD='/etc/modprobe.d/disablemod.conf'
DISABLENET='/etc/modprobe.d/disablenet.conf'
JOURNALDCONF='/etc/systemd/journald.conf'
LIMITSCONF='/etc/security/limits.conf'
LOGINDCONF='/etc/systemd/logind.conf'
LOGINDEFS='/etc/login.defs'
LOGROTATE='/etc/logrotate.conf'
PAMLOGIN='/etc/pam.d/login'
RESOLVEDCONF='/etc/systemd/resolved.conf'
RKHUNTERCONF='/etc/default/rkhunter'
SECURITYACCESS='/etc/security/access.conf'
SSHDFILE='/etc/ssh/sshd_config'
SYSCTL='/etc/sysctl.conf'
SYSTEMCONF='/etc/systemd/system.conf'
TIMESYNCD='/etc/systemd/timesyncd.conf'
UFWDEFAULT='/etc/default/ufw'
USERADD='/etc/default/useradd'
USERCONF='/etc/systemd/user.conf'
(1) The IP addresses that will be able to connect with SSH, separated by spaces.
(2) Which group(s) the users have to be a member of in order to access the host via SSH, separated by spaces.
(3) Stricter sysctl settings.
(4) Auditd rules.
(5) Logrotate settings.
(6) NTP server pool.
(7) Add a specific time zone, or use the system default by leaving it empty.
(8) Whether you want all the details or not.
(9) Let the script guess the FW_ADMIN and SSH_GRPS settings.
(10) Add something just to verify that you actually glanced at the code.
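Options (1) and (10) are the two that deserve a check before the script is run: an empty CHANGEME means the code was not read, and a mistyped FW_ADMIN means the firewall lets the wrong addresses reach SSH and you lose your own session. The following preflight is an added example, not part of the repository; it sources a constructed stand-in for ubuntu.cfg in a subshell and reports the problems it finds, treating a missing SSH group only as a warning since the group may be created later.

```shell
#!/bin/sh
# Constructed stand-in for ubuntu.cfg (not the repository's file); CHANGEME is left empty
# on purpose so the check below has something to report.
SAMPLE_CFG="${SAMPLE_CFG:-$(mktemp)}"
cat > "$SAMPLE_CFG" <<'EOF'
FW_ADMIN='192.0.2.10 198.51.100.7'
SSH_GRPS='sudo'
CHANGEME=''
EOF

# valid_ipv4 ADDR: succeed only for a dotted quad whose four octets are each 0-255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  [ "$(printf '%s' "$1" | tr '.' '\n' | grep -c .)" -eq 4 ] || return 1
  for oct in $(printf '%s' "$1" | tr '.' ' '); do
    [ "$oct" -le 255 ] || return 1
  done
  return 0
}

# check_cfg FILE: source FILE in a subshell (so nothing leaks into the caller) and print
# one "error:" or "warning:" line per finding.  Exit status is non-zero if any error.
check_cfg() {
  (
    . "$1"
    rc=0
    # Option (10): the script expects you to have read the code before running it.
    [ -n "$CHANGEME" ] || { echo "error: CHANGEME is empty"; rc=1; }
    # Option (1): the addresses listed here are the ones allowed to connect with SSH,
    # so a wrong or empty list locks you out once the firewall is up.  Fail early.
    [ -n "$FW_ADMIN" ] || { echo "error: FW_ADMIN is empty"; rc=1; }
    for ip in $FW_ADMIN; do
      valid_ipv4 "$ip" || { echo "error: FW_ADMIN entry '$ip' is not a valid IPv4 address"; rc=1; }
    done
    # Option (2): a group that does not exist yet is only a warning.
    for grp in $SSH_GRPS; do
      getent group "$grp" >/dev/null 2>&1 || echo "warning: SSH_GRPS group '$grp' does not exist on this host"
    done
    exit "$rc"
  )
}

# Stand-alone run: report on the constructed file.
check_cfg "$SAMPLE_CFG" || echo "fix the configuration before running: sudo bash ubuntu.sh"
```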
CCE-80137-3, CCE-80138-1, CCE-80139-9, CCE-80140-7, CCE-80141-5, CCE-80142-3, CCE-80143-1, UBTU-16-010070

Disable the cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf and vfat file systems.

Disable coredumps and crash shells, set DefaultLimitNOFILE and DefaultLimitNPROC to 1024. Configure /tmp/ and /var/tmp/. Remove floppy drivers from /etc/fstab and add hidepid=2 to /proc.
CCE-26895-3, UBTU-16-010010, UBTU-16-010560, UBTU-16-010570

apt-get update and upgrade.
CCE-80205-8, UBTU-16-010150, UBTU-16-010170, UBTU-16-010190, UBTU-16-010210, UBTU-16-010220, UBTU-16-010640

Modify /etc/login.defs, e.g. UMASK, password age limits and SHA_CRYPT_MAX_ROUNDS. Limit /etc/securetty to console, and allow root only from 127.0.0.1 in /etc/security/access.conf.
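Editing /etc/login.defs safely means replacing an existing setting (which is often present but commented out) rather than appending a second copy, and keeping the file's owner and mode. The following is an added example, not the script's code; the values it applies (UMASK 077, PASS_MAX_DAYS 60, SHA_CRYPT_MAX_ROUNDS 65536 and so on) are illustrative, not the ones ubuntu.sh uses, and the login.defs excerpt it edits is constructed. The access.conf rule pair at the end is written in pam_access syntax (permission : users : origins).

```shell
#!/bin/sh
# Constructed excerpt standing in for /etc/login.defs (not the real file).
SAMPLE_LOGINDEFS="${SAMPLE_LOGINDEFS:-$(mktemp)}"
cat > "$SAMPLE_LOGINDEFS" <<'EOF'
# /etc/login.defs - constructed sample
MAIL_DIR        /var/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
#SHA_CRYPT_MIN_ROUNDS 5000
#SHA_CRYPT_MAX_ROUNDS 5000
ENCRYPT_METHOD SHA512
EOF

# set_logindef FILE KEY VALUE: make "KEY VALUE" the one active setting for KEY.
# An existing line for KEY, active or commented out, is rewritten in place so the
# file keeps its layout; a KEY the file never mentions is appended.  Idempotent.
# KEY and VALUE are used inside a sed expression, so they must not contain | or &.
set_logindef() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
    tmp=$(mktemp)
    sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file" > "$tmp"
    cat "$tmp" > "$file"    # cat, not mv: keeps the owner and mode of a file under /etc
    rm -f "$tmp"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_logindef FILE KEY: print the active value of KEY; commented-out lines are ignored.
get_logindef() {
  awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# Rules for /etc/security/access.conf that let root in only from the local host.
# They only take effect once pam_access.so is enabled for the login services in PAM.
root_access_rules() {
  printf '%s\n' '+ : root : 127.0.0.1' '- : root : ALL'
}

# Apply illustrative values to the sample: umask, password age, hash rounds, and one
# key (FAIL_DELAY) the sample does not mention, to exercise the append path.
set_logindef "$SAMPLE_LOGINDEFS" UMASK 077
set_logindef "$SAMPLE_LOGINDEFS" PASS_MAX_DAYS 60
set_logindef "$SAMPLE_LOGINDEFS" PASS_MIN_DAYS 1
set_logindef "$SAMPLE_LOGINDEFS" SHA_CRYPT_MAX_ROUNDS 65536
set_logindef "$SAMPLE_LOGINDEFS" FAIL_DELAY 4

echo "resulting settings:"
cat "$SAMPLE_LOGINDEFS"
echo "access.conf rules:"
root_access_rules
```

Because the regular expression also matches a commented-out key, it will clobber a comment line that happens to start with the key name; real login.defs comments are prose and rarely do, but check the diff of the file on a host you care about.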
UBTU-16-010050, UBTU-16-010500, UBTU-16-010600

Installs acct, aide-common, apparmor-profiles, apparmor-utils, auditd, debsums, haveged, libpam-apparmor, libpam-cracklib, libpam-tmpdir, openssh-server, postfix, rkhunter and vlock.

Removes avahi*, beep, popularity-contest, rsh*, talk*, telnet*, tftp*, yp-tools, ypbind and xinetd.
UBTU-16-010090, UBTU-16-010100, UBTU-16-010110, UBTU-16-010120, UBTU-16-010120, UBTU-16-010130, UBTU-16-010140, UBTU-16-010180, UBTU-16-010230, UBTU-16-010240, UBTU-16-010250, UBTU-16-010290, UBTU-16-010320, UBTU-16-010340

Configure pam_cracklib.so and pam_tally.so.
CCE-27327-6, CCE-27277-3, UBTU-16-010580

Disable the bluetooth, bnep, btusb, firewire-core, n_hdlc, net-pf-31, pcspkr, soundcore, thunderbolt, usb-midi and usb-storage kernel modules.
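Both the file system list earlier on this page and the kernel module list just above are disabled the same way: a modprobe.d drop-in that stops the module from being loaded. The following is an added example, not the repository's code. It writes the two lists to files named after the DISABLEMNT and DISABLEMOD entries in ubuntu.cfg, but into a constructed temporary directory rather than /etc/modprobe.d/, using the "install <module> /bin/true" form, which makes modprobe run /bin/true instead of inserting the module. It also shows the check a practitioner wants afterwards: a drop-in blocks future loads only, so a module already in the running kernel stays until it is unloaded or the host reboots.

```shell
#!/bin/sh
# Constructed target directory (not the project's code); a real run targets /etc/modprobe.d/.
MODPROBE_DIR="${MODPROBE_DIR:-$(mktemp -d)}"

# disable_modules CONF MODULE...: write one "install <module> /bin/true" line per module
# into CONF, so a later modprobe of that module runs /bin/true instead of loading it.
disable_modules() {
  conf="$1"; shift
  : > "$conf"
  for mod in "$@"; do
    printf 'install %s /bin/true\n' "$mod" >> "$conf"
  done
}

# module_disabled MODULE: succeed if any .conf under MODPROBE_DIR neutralises MODULE,
# either with the "install ... /bin/true" form above or with a plain "blacklist" line.
module_disabled() {
  grep -Eqs "^[[:space:]]*(install[[:space:]]+$1[[:space:]]+/bin/true|blacklist[[:space:]]+$1)([[:space:]]|$)" \
    "$MODPROBE_DIR"/*.conf
}

# module_loaded MODULE: succeed if the running kernel has MODULE loaded.  /proc/modules
# reports names with underscores (usb_storage), while modprobe accepts either spelling,
# so the dash form used in the lists is translated before the lookup.
module_loaded() {
  grep -qs "^$(printf '%s' "$1" | tr '-' '_') " /proc/modules
}

# The two lists from the text, written to the file names the configuration uses.
disable_modules "$MODPROBE_DIR/disablemnt.conf" \
  cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat
disable_modules "$MODPROBE_DIR/disablemod.conf" \
  bluetooth bnep btusb firewire-core n_hdlc net-pf-31 pcspkr soundcore thunderbolt usb-midi usb-storage

# Stand-alone run: point out modules that are blocked for the future but loaded right now.
for m in cramfs vfat usb-storage bluetooth; do
  if module_disabled "$m" && module_loaded "$m"; then
    echo "$m: blocked for future loads but currently loaded; unload it or reboot"
  fi
done
```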
Remove suid bits from /bin/fusermount, /bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /usr/bin/bsd-write, /usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/mlocate, /usr/bin/mtr, /usr/bin/newgrp, /usr/bin/pkexec, /usr/bin/traceroute6.iputils, /usr/bin/wall and /usr/sbin/pppd.
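Stripping setuid bits is worth doing with an inventory step on either side, so you can see what changed and notice when something comes back. The following is an added example, not the script's code: it builds a constructed directory of empty files standing in for a few of the binaries above (nothing under /bin or /usr/bin is touched), lists the files carrying the setuid bit, strips it from a given list while skipping files that are absent or already clean, and lists again.

```shell
#!/bin/sh
# Constructed lab directory of empty files standing in for the binaries above.
SUID_LAB="${SUID_LAB:-$(mktemp -d)}"
for f in fusermount mount ping su umount; do
  : > "$SUID_LAB/$f"
  chmod 4755 "$SUID_LAB/$f"        # setuid + rwxr-xr-x, as the real binaries ship
done
: > "$SUID_LAB/ls"
chmod 0755 "$SUID_LAB/ls"          # control file without the bit

# list_suid DIR: print every regular file under DIR that carries the setuid bit,
# i.e. the inventory you want before and after a hardening run.
list_suid() {
  find "$1" -type f -perm -4000 | sort
}

# strip_suid FILE...: clear the setuid bit on each existing file and print the files
# that actually changed.  Missing files are skipped (not every package is installed on
# every host) and files without the bit are left alone, so re-runs are quiet.
strip_suid() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    if [ -u "$f" ]; then
      chmod u-s "$f"
      printf '%s\n' "$f"
    fi
  done
}

# Stand-alone run against the lab directory: strip two real entries, one file that never
# had the bit and one that does not exist.
echo "setuid files before:"; list_suid "$SUID_LAB"
echo "changed:"; strip_suid "$SUID_LAB/ping" "$SUID_LAB/su" "$SUID_LAB/ls" "$SUID_LAB/pppd"
echo "setuid files after:"; list_suid "$SUID_LAB"
```

A plain chmod does not survive a package upgrade, since dpkg reinstalls a file with the mode recorded in the package; on a real host, record the override with dpkg-statoverride (for example dpkg-statoverride --update --add root root 0755 /bin/ping) or re-run the inventory after every upgrade. The page's own Bats tests are the natural place for that re-check.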
UBTU-16-010780

Set the root path to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, and the user path to /usr/local/bin:/usr/bin:/bin.
The functions in ubuntu.sh:

f_pre
f_firewall
f_disablenet
f_disablemnt
f_disablemod
f_systemdconf
f_resolvedconf
f_logindconf
f_journalctl
f_timesyncd
f_coredump
f_fstab
f_prelink
f_aptget_configure
f_aptget
f_hosts
f_issue
f_logindefs
f_sysctl
f_limitsconf
f_adduser
f_rootaccess
f_package_remove
f_package_install
f_usbguard
f_postfix
f_apport
f_motdnews
f_rkhunter
f_sshdconfig
f_password
f_cron
f_ctrlaltdel
f_auditd
f_aide
f_rhosts
f_users
f_lockroot
f_aptget_clean
f_suid
f_restrictcompilers
f_umask
f_path
f_aa_enforce
f_aide_post
f_aide_timer
f_systemddelta
f_checkreboot
There are approximately 400 Bats tests for most of the above settings available in the tests directory.

git clone https://github.com/konstruktoid/hardening.git
cd hardening/tests/
sudo bats .