1 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
Requirements:
Ubuntu 12.04 LTS or later server with a standard LAMP stack installed.
1. Firewall - UFW
A good place to start is to install a Firewall.
UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its
Firewall configuration tool - gufw, or use Shorewall, fwbuilder, or Firestarter.
Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide, UFW manual
pages (http://manpages.ubuntu.com/manpages/precise/en/man8/ufw.8.html) or the Ubuntu
UFW community documentation (http://help.ubuntu.com/community/UFW) .
Install UFW and enable, open a terminal window and enter :
2 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
Shared memory can be used in an attack against a running service. Modify /etc/fstab to make it more
secure.
Open a Terminal Window and enter the following :
Add the following line and save. You will need to reboot for this setting to take effect :
Note : This only is works in Ubuntu 12.04 - For later Ubuntu versions replace /dev/shm with /run/shm
Save and Reboot when done
3. SSH Hardening - key based login, disable root login and change
port.
The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
If you have to use password authentication, the easiest way to secure SSH is to disable root login and
change the SSH port to something different than the standard port 22.
Before disabling the root login create a new SSH user and make sure the user belongs to the admin group
(see step 4. below regarding the admin group).
if you change the SSH port keep the port number below 1024 as these are priviledged ports that can only
be opened by root or processes running as root.
If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
Open a Terminal Window and enter :
3 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
We will disable Apache support for the protocol and force the use of the newer protocols.
Open a Terminal Window and enter :
Edit the /etc/sysctl.conf file and un-comment or add the following lines :
4 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
sudo sysctl ‐p
5 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
recursion no;
version "Not Disclosed";
Restart BIND DNS server. Open a Terminal and enter the following :
8. Prevent IP Spoofing.
Open a Terminal and enter the following :
order bind,hosts
nospoof on
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
6 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
FileETag None
13. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban.
DenyHosts (http://denyhosts.sourceforge.net/) is a python program that automatically blocks SSH
attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about
offending hosts, attacked users and suspicious logins.
Open a Terminal and enter the following :
After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings
as required.
To edit the admin email settings open a terminal window and enter:
7 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts nobody@localhost
#SYSLOG_REPORT=YES
After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.
To edit the settings open a terminal window and enter:
Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true
For example if you would like to enable the SSH monitoring and banning jail, find the line below and
change enabled from false to true. Thats it.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
If you have selected a non-standard SSH port in step 3 then you need to change the port setting in
fail2ban from ssh which by default is port 22, to your new port number, for example if you have chosen
1234 then port = 1234
[ssh]
8 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
enabled = true
port = <ENTER YOUR SSH PORT NUMBER HERE>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your
email address.
destemail = root@localhost
action = %(action_)s
to:
action = %(action_mwl)s
You can also create rule filters for the various services that you would like fail2ban to monitor that is not
supplied by default.
Good instructions on how to configure fail2ban and create the various filters can be found on
HowtoForge (http://www.howtoforge.com/) - click here for an example (http://www.howtoforge.com
/perfect-server-ubuntu-11.10-ispconfig-3-p5)
When done with the configuration of Fail2Ban restart the service with :
9 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
traffic.
Currently version 2.1 causes errors during install on Ubuntu 12.04, but apparently does work. Version 2.2
resolves these issues but is not yet available on the Ubuntu software repositories. It is recommended to
manually compile and install version 2.2 from the source files available on the Ciperdyne website
(http://www.cipherdyne.org/psad/download/) .
To install the latest version from the source files follow these instruction : How to install PSAD
Intrusion Detection on Ubuntu 12.04 LTS server
OR install the older version from the Ubuntu software repositories, open a Terminal and enter the
following :
Then for basic configuration see How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS
server and follow from step 2:
sudo chkrootkit
To update and run RKHunter. Open a Terminal and enter the following :
10 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
To email a logwatch report for the past 7 days to an email address, enter the following and replace
mail@domain.com with the required email. :
11 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
sudo apparmor_status
sudo tiger
Comments
Why do you suggest "magic_quotes_gpc = On" ? When you read php.ini comments, it is written that
the Off value is for production. Thanks
Thank you for pointing that out - It should be off, as this feature has been DEPRECATED as of PHP
12 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
This is a nice tutorial, quick and easy, less explained, thanks for that! What i missed here also is the
security of email services like postfix and generally a anti virus tool. I mean use of clamav, postgrey
and so on. It would be nice if you spent time to write a part for that ;-) One that i believe is also
required for good security is to install suhosin for php. It would be nice if you add it to this guide, and
how to configure it with minimal settings. Also speak about disabling/enabling modules in php that are
mostly not used, or modules which can be turned off and on for special applications. Another thing i
ever see is enabled mods in apache that nobody uses (which can be simply disabled). It would be nice
if you speak about what is really needed, and how to disable/enable unused ones. ModEvasive is also
not really needed in favour of ModSecurity, which can also do DDoS prevention for you. I did not test
the rules of OWASP CRS yet since they are stated as experimental, but they look clear to me. Take a
look to file "modsecurity_crs_11_dos_protection". I use similar ones in production environment...
related content
How to secure an Ubuntu 12.04 LTS server - Part 2 The GUI installer script
How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
13 of 14 12/1/2014 1:09 PM
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics | How To ... https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server...
14 of 14 12/1/2014 1:09 PM