Official Power Up Hosting Blog

Everything about Linux, Windows, and hosting ;)

I am an avid book reader, who enjoys technology as well as writing.

Share


Our Newsletter


Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

Tags


Twitter


Official Power Up Hosting Blog

Harden Ubuntu security for 16.04 server (The Complete Guide).

Apurva ChodnekarApurva Chodnekar

Many developers have shown a strong preference for Ubuntu and there's a reason for that. It's because Ubuntu server in itself is pretty secure.

To take things further and make sure that you are not cutting any corners when it comes to securing ubuntu desktop, we will show you some easy fixes.

This guide will help you with everything you need for ubuntu security hardening

Before we get into the additional security measures why don't we take a brief look at few of the basic ubuntu security features?

They will help you understand what you have and maybe, why you need more than that.

Most of them handle ubuntu security vulnerabilities and make your system secure.

  • Antivirus: It's true that antivirus is an effective measure. But it doesn't cover everything and you need to take a step back and think if you can live with the consequences of not using better security measures and just relying on the antivirus.

  • Browser Security: A considerable number of security threats origin here. You can shake things up by making a few changes like setting preferences, using NoScript, using AdBlockPlus, and more such things.

  • Backup after reinstall: This works in your favor. At times, you don't have a moments notice and you might have to reinstall ubuntu. These are the times when you lose important data if you don't have a backup.

  • A decent password: This is where it all starts. You set a strong password and you are already taking a step in the right direction.

  • Security updates: This is a must if you want to protect your server and system from vulnerabilities. Each update comes with a recent fix which works in making your system more secure.

  • AppArmor: This access control system limits access for each program. It prevents the system from unknown vulnerabilities. It does it by implementing good application behavior.

All of these features are available to you, you just have to take an initiative to activate them.

Now that we are done with the basics let get to the part that will answer one of your questions. How to secure ubuntu 16.04 desktop?

Prerequisites:

The but obvious, an installed ubuntu 16.04 server. Refer the Ubuntu Server Setup Guide for Beginners (Version 16.04.

We are now going to learn ways of hardening ubuntu 16.04 desktop security in this guide.

1. Securing the shared memory.

The first step is to secure shared memory. It is a necessary measure because the running service can be attacked through the shared memory.

To do this you will have to modify /etc/ftstab file.
You will have to open the editor by using the following command line.

sudo nano /etc/ftstab

Next, add the below line at the end of your file.

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Save it and then close the file. If you want to see the changes in effect, you will have to reboot your server.

2. Handling the SSH settings.

SSH, short for Secure Shell is also known as Secure Socket Shell.

It is a network protocol with which a user, basically an administrator can access a remote computer in a secure way.

You can make your network secure by handling the SSH settings.

You can change and set them as per your requirements.

A) Add a warning banner.

i) The first step here is to open the terminal.

ii) Then enter the command line shown below.

sudo nano etc/issue.net

This will open the issues.net file.

iii) This step includes editing the file.

You could add a warning. It could either be just a single line. Or an elaborate warning as to what could happen to these trespassers.

After that, it’s just the matter of saving the file and closing it.

Hold on a second, before you think that you are done.
Although you cannot call it an outright security measure, it still matters.

It acts similar to the ‘Trespasser will be persecuted’ sign that is put on some properties.

It tends to scare off most of the people. And that ‘most’ is what you are aiming at here.

To avoid a clash with the motd you have to disable the banner in it.

In order to do that. You will have to follow the steps below.

Now:

Open the sshd file as shown in the following command line.

sudo nano /etc/pam.d/sshd

Then you need to comment out the following lines in the file.

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

Next:

Open the etc/ssh/sshd_config file. Using the following code.

sudo nano etc/ssh/sshd_config

When the file opens you will have to comment out the following line.

Banner etc/issues.net

Save the file and then close it.

Don’t worry, you are almost done.

Use the following command to restart the ssh server.

sudo service ssh restart

Now, when anyone uses secure shell to log in to your server.

They will come across the warning banner. We have already been through this but it will scare away attackers if they know that you are aware of their snooping.

B) Enabling SSH setting.

First, open the terminal.

Next, you have to edit the ssh configuration file, so,

sudo nano etc/ssh/sshd_config

In the next step you will have to add ‘AllowUsers’ directive depending upon few conditions.

i) To allow secure shell entry to a particular user.

We will assume the username as shane for this security step.

We are giving access to the user shane. Anyone other than him cannot access the server.

AllowUsers shane

Add this at the end of the ssh configuration file.

ii) To allow secure shell entry to users from a particular ip address.

This one will give access to all the users from the ip address 192.168.2.213.

AllowUsers @192.168.2.213

iii) To allow secure shell entry to a particular user from a particular ip address.

There can be many users at the ip address 192.168.2.213 but you are only giving access to shane at that ip address.

AllowUsers shane@192.168.2.213

iv) To allow secure shell entry to access multiple users.

There may be times when you want to give access to multiple users.

At those times, you can add a new group, like follows:

sudo addgroup groupname

Then you can allow access to that group.

AllowGroups groupname

If other users that do not belong to this group try to access it they are led to believe that they have to enter that password and they can access it.

But it doesn’t give them access, even if they enter the right password.

After you have allowed access, depending on your condition.

You can restart sshd by using the following command line.

sudo service ssh restart

Have you not had enough and still want to know how to secure ubuntu desktop?

Then stick around, you will discover more ways in which you can secure your server.

3. Network Layer security.

To prevent a source routing attack on your Ubuntu server you have to open the terminal.

Next, open the configuration file using the command shown below:

sudo nano  /etc/sysctl.conf

You either have the below lines in the file or you don’t.
If you do then make sure that they are not commented out. If you don’t then add the below lines to that file.

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0 
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0 
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

Next step is like any other. Save the config file and close it.

You can then restart the service using the following command.

sudo systctl -p

4. The end of IP address forgery.

You can prevent IP address forgery from happening. Here’s what you have to do.

sudo nano /etc/host.conf

You just have to replace a line in this file with another one.

Here’s what you will find when you open the file.

# The "order" line is only used by old versions of the 
C library.
order hosts,bind
multi on

You will have to replace this with the following line.

# The "order" line is only used by old versions of the 
C library.
order bind,hosts
nospoof on

Save it and close it.

That will tide you over for a long time. These additional security measures should help you prevent any kind of attacks on your Ubuntu 16.04 server.

Conclusion:

The Ubuntu security commands work great when you know what you are doing.

These are all the ubuntu security tools that you have at your disposal.

They will help you maintain ubuntu server security and get your ubuntu server as secure as possible.

Well, does that answer your ‘what security does ubuntu have?’ question?

For securing Nginx server is you can refer 8 (Easy) Ways to Secure Nginx Server to Prevent Security Attacks

I am an avid book reader, who enjoys technology as well as writing.

Comments