Академический Документы
Профессиональный Документы
Культура Документы
This guide is based on various community forum posts and webpages. Special thanks to all. All
comments and improvements are very welcome as this is purely a personal experimental project at
this point and must be considered a work in progress.
Harden the security on an Ubuntu 12.04 LTS server by installing and configuring the following:
1 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
Requirements:
Ubuntu 12.04 LTS or later server with a standard LAMP stack installed.
1. Firewall - UFW
A good place to start is to install a Firewall.
UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure
with its Firewall configuration tool - gufw, or use Shorewall, fwbuilder, or Firestarter.
Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide, UFW
manual pages (http://manpages.ubuntu.com/manpages/precise/en/man8/ufw.8.html) or the
Ubuntu UFW community documentation (http://help.ubuntu.com/community/UFW) .
Install UFW and enable, open a terminal window and enter :
2 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
sudo vi /etc/fstab
Add the following line and save. You will need to reboot for this setting to take effect :
Note : This only is works in Ubuntu 12.04 - For later Ubuntu versions
replace /dev/shm with /run/shm
Save and Reboot when done
sudo vi /etc/ssh/sshd_config
3 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
sudo vi /etc/apache2/mods-available/ssl.conf
sudo vi /etc/sysctl.conf
4 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
Edit the /etc/sysctl.conf file and un-comment or add the following lines :
#
IP
Spoofing
protection
net.ipv4.conf.all.rp_filter
=
1
net.ipv4.conf.default.rp_filter
=
1
#
Log
Martians
net.ipv4.conf.all.log_martians
=
1
net.ipv4.icmp_ignore_bogus_error_responses
=
1
sudo sysctl -p
5 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
sudo vi /etc/bind/named.conf.options
recursion
no;
version
"Not
Disclosed";
Restart BIND DNS server. Open a Terminal and enter the following :
8. Prevent IP Spoofing.
Open a Terminal and enter the following :
sudo vi /etc/host.conf
order
bind,hosts
nospoof
on
sudo vi /etc/php5/apache2/php.ini
disable_functions
=
exec,system,shell_exec,passthru
register_globals
=
Off
expose_php
=
Off
display_errors
=
Off
track_errors
=
Off
html_errors
=
Off
6 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
magic_quotes_gpc = Off
sudo vi /etc/apache2/conf.d/security
ServerTokens
Prod
ServerSignature
Off
TraceEnable
Off
Header
unset
ETag
FileETag
None
7 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
After installation edit the configuration file /etc/denyhosts.conf and change the email, and
other settings as required.
To edit the admin email settings open a terminal window and enter:
sudo vi /etc/denyhosts.conf
ADMIN_EMAIL
=
root@localhost
SMTP_HOST
=
localhost
SMTP_PORT
=
25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM
=
DenyHosts
nobody@localhost
#SYSLOG_REPORT=YES
After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules
as required.
To edit the settings open a terminal window and enter:
sudo vi /etc/fail2ban/jail.conf
Activate all the services you would like fail2ban to monitor by changing enabled = false to
enabled = true
For example if you would like to enable the SSH monitoring and banning jail, find the line
below and change enabled from false to true. Thats it.
[ssh]
8 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
enabled
=
true
port
=
ssh
filter
=
sshd
logpath
=
/var/log/auth.log
maxretry
=
3
If you have selected a non-standard SSH port in step 3 then you need to change the port
setting in fail2ban from ssh which by default is port 22, to your new port number, for example
if you have chosen 1234 then port = 1234
[ssh]
enabled
=
true
port
=
<ENTER
YOUR
SSH
PORT
NUMBER
HERE>
filter
=
sshd
logpath
=
/var/log/auth.log
maxretry
=
3
If you would like to receive emails from Fail2Ban if hosts are banned change the following
line to your email address.
destemail = root@localhost
action = %(action_)s
to:
action = %(action_mwl)s
You can also create rule filters for the various services that you would like fail2ban to monitor
that is not supplied by default.
sudo vi /etc/fail2ban/jail.local
Good instructions on how to configure fail2ban and create the various filters can be found on
HowtoForge (http://www.howtoforge.com/) - click here for an example
(http://www.howtoforge.com/perfect-server-ubuntu-11.10-ispconfig-3-p5)
9 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
When done with the configuration of Fail2Ban restart the service with :
Then for basic configuration see How to install PSAD Intrusion Detection on Ubuntu 12.04
LTS server and follow from step 2:
sudo chkrootkit
To update and run RKHunter. Open a Terminal and enter the following :
10 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
To email a logwatch report for the past 7 days to an email address, enter the following and
replace mail@domain.com with the required email. :
11 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
sudo apparmor_status
sudo tiger
Tags: Ubuntu 12.04 Ubuntu Security ufw SSH sysctl DNS IP Spoofing PHP
Security ModSecurity ModEvasive DenyHosts Fail2Ban PSAD RKHunter NMap LogWatc
h Apparmor SELinux Tiger RootKits Log Files
Comments
12 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
Why do you suggest "magic_quotes_gpc = On" ? When you read php.ini comments, it is
written that the Off value is for production. Thanks
Thank you for pointing that out - It should be off, as this feature has been
DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. (see :
http://www.php.net/manual/en/security.magicquotes.php)
This is a nice tutorial, quick and easy, less explained, thanks for that! What i missed here
also is the security of email services like postfix and generally a anti virus tool. I mean use
of clamav, postgrey and so on. It would be nice if you spent time to write a part for that
;-) One that i believe is also required for good security is to install suhosin for php. It
would be nice if you add it to this guide, and how to configure it with minimal settings.
Also speak about disabling/enabling modules in php that are mostly not used, or modules
which can be turned off and on for special applications. Another thing i ever see is enabled
mods in apache that nobody uses (which can be simply disabled). It would be nice if you
speak about what is really needed, and how to disable/enable unused ones. ModEvasive is
also not really needed in favour of ModSecurity, which can also do DDoS prevention for
you. I did not test the rules of OWASP CRS yet since they are stated as experimental, but
they look clear to me. Take a look to file "modsecurity_crs_11_dos_protection". I use
similar ones in production environment...
related content
13 of 14 31/07/15 13:17
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204...
How to secure an Ubuntu 12.04 LTS server - Part 2 The GUI installer script
more
14 of 14 31/07/15 13:17