Jul 8, 2012

Securing Ubuntu 12.04

I have been extending my knowledge of Linux system administration (in particular, securing Linux systems), and so the first thing I did when I installed Ubuntu 12.04 LTS was to lock it down.

Installing Ubuntu is outside the scope of this blog post, so if you don't have Ubuntu yet I suggest you follow the official documentation.

Networking

We will first deal with locking down our machine's network access. By restricting how our machine communicates with others, we narrow down the attack vectors available.

  1. The first thing we should do is turn on a firewall. Ubuntu comes with ufw pre-installed, so we will just use that (I have covered this in a previous blog post).
    sudo ufw enable
    Check its status with:
    sudo ufw status
  2. Enable any services you will need. For instance, a web server will need HTTP port 80 open.
    sudo ufw allow ssh

    # You can specify a port directly
    sudo ufw allow 80
    # You can also specify whether it is TCP or UDP
    sudo ufw allow 80/tcp
    # Finally, you can specify whether it is incoming or outgoing
    sudo ufw allow in 80
    sudo ufw reject out 1337
  3. Sysctl allows you to configure the Linux kernel at runtime. We will edit the file /etc/sysctl.conf to harden our network interface; open the file in your favorite editor and make the following changes:
    #IP spoofing/forging protection by turning on the reverse path filter
    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.default.rp_filter=1

    # Protect against ICMP attacks
    net.ipv4.icmp_echo_ignore_broadcasts=1
    net.ipv4.icmp_ignore_bogus_error_responses=1

    # Turn off IPv4 features that are easy to abuse
    net.ipv4.conf.all.accept_source_route=0
    net.ipv6.conf.all.accept_source_route=0
    net.ipv4.conf.default.accept_source_route=0
    net.ipv6.conf.default.accept_source_route=0
    net.ipv4.conf.all.send_redirects=0
    net.ipv4.conf.default.send_redirects=0
    net.ipv4.conf.all.accept_redirects=0
    net.ipv6.conf.all.accept_redirects=0
    net.ipv4.conf.all.secure_redirects=0

    # Block SYN attacks
    net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_max_syn_backlog=2048
    net.ipv4.tcp_synack_retries=2
    net.ipv4.tcp_syn_retries=2

    # Log Martians
    net.ipv4.conf.all.log_martians=1

    # Ignore directed ICMP pings
    net.ipv4.icmp_echo_ignore_all=1

    # Don't perform IP forwarding
    net.ipv4.ip_forward=0

    #####
    # IPv6
    #####

    # Number of router solicitations to send before assuming no routers are present
    net.ipv6.conf.default.router_solicitations=0

    # Do not accept router preferences
    net.ipv6.conf.default.accept_ra_rtr_pref=0

    # Do not accept prefix info from router
    net.ipv6.conf.default.accept_ra_pinfo=0

    # Do not accept a default router from router advertisements
    net.ipv6.conf.default.accept_ra_defrtr=0

  4. Reload sysctl with your changes:
    sudo sysctl -p
  5. Secure your TCP Wrapper by editing the /etc/hosts.deny file, ensuring the following line is the only one uncommented:
    ALL: ALL
  6. Allow your TCP Wrapper services (like SSH) by editing the /etc/hosts.allow file. The basic syntax is:
    <service>: <host/network>
  7. Prevent IP Spoofing via DNS by editing the file /etc/host.conf and adding the following lines:
    order bind,hosts
    nospoof on
  8. If you have not already done so, update your system so that there are no security vulnerabilities:
    sudo apt-get update
    sudo apt-get upgrade
  9. Install nmap, a tool for network discovery and security auditing:
    sudo apt-get install nmap
  10. Perform a local nmap TCP scan of your machine and ensure that all ports that are open are supposed to be open.
    sudo nmap -v -sT localhost
    Perform a SYN scan, which is another way a hacker can probe your system:
    sudo nmap -v -sS localhost
    Perform a UDP scan to determine which UDP services are operational:
    sudo nmap -v -sU localhost
  11. Perform the same Nmap tests, but from another host. If you followed the above instructions you may want to add -PN to the command so that nmap does not skip your machine just because it does not respond to pings. Note that this scan may take some time.
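After reloading sysctl and scanning the box, it is worth having a repeatable check rather than eyeballing the output. The script below is an added example and not part of the original post: `sysctl_drift` compares a sysctl.conf-style file against a subset of the values from step 3 and reports any key that is missing or set differently, and `unexpected_open_ports` reads Nmap's grepable output (what `nmap -oG -` prints) and lists every open port that is not on an allowlist. Both the sample sysctl file and the sample scan line are constructed for the demo; only POSIX sh and awk are used, so it runs without root.

```shell
#!/bin/sh
# Added example, not part of the original post: a post-hardening audit that
# (a) diffs a sysctl.conf-style file against the values listed in step 3 and
# (b) flags open ports in Nmap grepable output (-oG) that are not on an allowlist.
# POSIX sh + awk only; the sample inputs below are constructed for the demo.

# Subset of the hardening keys from step 3, one key=value per line.
EXPECTED_SYSCTL='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.ip_forward=0'

# sysctl_drift FILE
# Prints "KEY expected=E actual=A" for every expected key that is absent
# (actual=unset) or set differently in FILE; returns 1 if anything drifted.
sysctl_drift() {
    printf '%s\n' "$EXPECTED_SYSCTL" | awk -F= -v cfg="$1" '
        BEGIN {
            # Load FILE: drop comments and blanks, accept "key = value" spacing,
            # last assignment of a key wins (as it does for sysctl -p).
            while ((getline line < cfg) > 0) {
                sub(/#.*/, "", line)
                if (split(line, kv, "=") < 2) continue
                gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
                actual[kv[1]] = kv[2]
            }
        }
        {
            got = ($1 in actual) ? actual[$1] : "unset"
            if (got != $2) { printf "%s expected=%s actual=%s\n", $1, $2, got; drift = 1 }
        }
        END { exit drift }'
}

# unexpected_open_ports "PORT/PROTO ..." < scan.gnmap
# Reads Nmap grepable output and prints each open port that is not on the
# space-separated allowlist; returns 1 if any were found.
unexpected_open_ports() {
    awk -v allow=" $1 " '
        /^Host:/ && /Ports:/ {
            # Fields are tab-separated: Host, Ports, Ignored State ...
            ports = ""
            n = split($0, f, "\t")
            for (i = 1; i <= n; i++) if (f[i] ~ /^Ports: /) ports = substr(f[i], 8)
            m = split(ports, p, ", ")
            for (j = 1; j <= m; j++) {
                split(p[j], q, "/")          # port/state/proto/owner/service/rpc/version
                if (q[2] != "open") continue # skip closed, filtered and open|filtered
                id = q[1] "/" q[3]
                if (index(allow, " " id " ") == 0) { print id; bad = 1 }
            }
        }
        END { exit bad }'
}

# Constructed sample inputs (not real scan results) so the demo runs offline.
demo_audit() {
    tmp=$(mktemp)
    printf 'net.ipv4.conf.all.rp_filter = 1\n# net.ipv4.ip_forward=0\nnet.ipv4.ip_forward=1\n' > "$tmp"
    echo "== sysctl drift =="
    sysctl_drift "$tmp" || :
    rm -f "$tmp"
    echo "== open ports not on the allowlist (22/tcp 80/tcp) =="
    printf 'Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 631/open/tcp//ipp///\tIgnored State: closed (997)\n' |
        unexpected_open_ports "22/tcp 80/tcp" || :
}
demo_audit
```

On a real machine you would run `sysctl_drift /etc/sysctl.conf` and pipe `sudo nmap -sT -oG - localhost` into `unexpected_open_ports "22/tcp"`; a non-zero exit from either is the signal to go back to steps 2 and 3. Note that UDP scans report `open|filtered` for most ports, which this check deliberately does not count as open.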


Filesystem

We will now protect our filesystem.

Note: you will get the best security by putting your system directories into their own partition. This will allow you to specify the mount options for each directory. This guide will only cover the default install.

  1. Protect your shared memory by editing /etc/fstab as follows:
    tmpfs  /dev/shm  tmpfs  defaults,noexec,nosuid  0  0
  2. Bind /var/tmp to /tmp so that we limit what applications can do with that system directory. Edit /etc/fstab as follows:
    /tmp  /var/tmp  none  rw,noexec,nosuid,nodev,bind  0  0
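Because these two lines are easy to lose during an upgrade or a later edit, here is an added example (not part of the original post) that checks an fstab file for the options the two steps above require. `fstab_requires` looks up the first uncommented entry for a mount point and verifies that every requested option is present in its option list; `audit_fstab` runs the two checks from this section. The sample fstab written by `demo_fstab` is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that an fstab file
# carries the mount options the two steps above ask for, so the check can be
# rerun after edits or upgrades. POSIX sh + awk; the sample fstab is constructed.

# fstab_requires FILE MOUNTPOINT OPTION...
# Returns 0 if FILE has an uncommented entry for MOUNTPOINT whose option
# list (4th field) contains every OPTION; otherwise prints what is wrong
# and returns 1. The first matching entry is the one that is checked.
fstab_requires() {
    file=$1; mnt=$2; shift 2
    opts=$(awk -v m="$mnt" '
        !/^[ \t]*#/ && NF >= 4 && $2 == m && !found { o = $4; found = 1 }
        END { print o }' "$file")
    if [ -z "$opts" ]; then
        echo "$mnt: no active fstab entry"
        return 1
    fi
    missing=""
    for want in "$@"; do
        # Wrap in commas so "noexec" does not match inside "nosuid,noexec2" etc.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mnt: missing option(s):$missing"
        return 1
    fi
    return 0
}

# audit_fstab FILE: run the two checks from this section; returns 1 if either fails.
audit_fstab() {
    rc=0
    fstab_requires "$1" /dev/shm noexec nosuid || rc=1
    fstab_requires "$1" /var/tmp noexec nosuid nodev bind || rc=1
    return $rc
}

# Constructed sample: /dev/shm is still on a plain "defaults" line and the
# /var/tmp bind mount has not been added yet, so both checks should fail.
demo_fstab() {
    tmp=$(mktemp)
    printf '# /etc/fstab (constructed for the demo)\nproc /proc proc nodev,noexec,nosuid 0 0\ntmpfs /dev/shm tmpfs defaults 0 0\n' > "$tmp"
    audit_fstab "$tmp" || :
    rm -f "$tmp"
}
demo_fstab
```

Run `audit_fstab /etc/fstab` after editing; remember that fstab only describes what happens at the next mount, so after changing the /dev/shm line apply it with `sudo mount -o remount /dev/shm` and confirm with `mount | grep shm` that `noexec,nosuid` is actually in effect.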


Startup Applications

We will now modify the start-up applications and services that turn on during boot.
  1. Display the hidden start-up applications:
    sudo sed -i 's/NoDisplay=true/NoDisplay=false/g' /etc/xdg/autostart/*.desktop
  2. Press the Windows key on your keyboard, type 'Startup Applications' and launch the program of the same name.
  3. Disable the following services (Note: These may change depending on your personal situation):
    • Backup monitor
    • Bluetooth manager
    • Chat
    • Desktop Sharing
    • Gwibber
    • Orca Screen Reader
    • Personal File Sharing
    • Ubuntu One


Disable Guest Login

Just edit /etc/lightdm/lightdm.conf and add the following line:
allow-guest=false
