Hardening Ubuntu 14.04 Server

Hardening is the process of reducing vulnerabilities and securing a system from possible attack points. Reducing vulnerabilities includes the removal of unnecessary services, usernames and logins and disabling unnecessary ports. In this article we are going to show you how you can harden a Ubuntu server.

Ubuntu 14.04 LTS server with Open SSH installed.

Keeping the system up to date is necessary after installing any operating system. This will reduce known vulnerabilities that are in your system.

For Ubuntu 14.04 run the following:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get autoremove
sudo apt-get autoclean

Enabling automatic updates can be very important to secure your server. To install the “unattended-upgrades,”  run

sudo apt-get install unattended-upgrades

To enable it, run the following command:

sudo dpkg-reconfigure -plow unattended-upgrades

This will create the “/etc/apt/apt.conf.d/20auto-upgrades” file shown below.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Using a “shadow user” instead of the root account is necessary for security reasons. You can create a user that will not be easy for other users to guess. In this tutorial we will use “maketech111” as the username.

To create a user, run the following command:

sudo useradd -d /home/maketech111 -s /bin/bash -m maketech111

To give the user sudo access, run the following command:

sudo usermod -a -G sudo maketech111

To set a password, run the following command:

sudo passwd maketech111

Note: make sure your password is at least eight characters long and contains a complex combination of numbers, letters, and punctuation marks.

To remove the password prompt for sudo, edit the sudoers file.

sudo nano /etc/sudoers

Add / edit as described below.

maketech111 ALL=(ALL) NOPASSWD: ALL

Save the file and exit.

Disabling the root account is necessary for security reasons.

To disable the root account, use the following command:

sudo passwd -l root

If you need to re-enable the account, run the following command:

sudo passwd -u root

Some Ubuntu servers are not configured with SWAP. SWAP is used when the amount of total physical memory (RAM) is full.

To check for SWAP space, run the following command:

sudo swapon -s

If there’s no SWAP file, you should get a the following output.

Filename                                Type            Size    Used    Priority

To create the 4 GB SWAP file you will need to use the “dd” command.

sudo dd if=/dev/zero of=/swapfile bs=4M count=1000

To set up the SWAP file, run the following command:

sudo mkswap /swapfile

To activate the swap file, run

sudo swapon /swapfile
sudo swapon -s

This will output like the following:

Filename                                Type            Size    Used    Priority
/swapfile                               file            4096000 0       -1

To enable it permanently, edit the “/etc/fstab” file.

sudo nano /etc/fstab

Add the following line:

/swapfile swap swap defaults 0 0

Set proper swappiness value to improve overall performance of the system.

You can do this with the following command:

sudo echo 0 >> /proc/sys/vm/swappiness
sudo echo vm.swappiness = 0 >> /etc/sysctl.conf

Reboot the system to check whether SWAP gets activated properly.

It is recommended to disable IPv6 because it cause issues with the Internet connection being slow.

To disable IPv6, edit the “/etc/sysctl.conf” file.

sudo nano /etc/sysctl.conf

Edit as described below:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

To reload the configuration, run

sudo sysctl -p

IRQBALANCE is used to distribute hardware interrupts across multiple CPU to increase system performance. It is recommended to disable IRQBALANCE to avoid hardware interrupts in your threads.

To disable IRQBALANCE, edit “/etc/default/irqbalance”

sudo nano /etc/default/irqbalance

and change the ENABLED value to 0:

ENABLED=0

The Heartbleed is a serious vulnerability in the OpenSSL. It allows a remote user to leak the memory in up to 64k chunks. Hackers can then retrieve the private keys to decrypt any data like user’s user name and passwords.

The heartbleed bug was found in OpenSSL 1.0.1 and is present in the following versions:

  • 1.0.1
  • 1.0.1a
  • 1.0.1b
  • 1.0.1c
  • 1.0.1d
  • 1.0.1e
  • 1.0.1f

To check the version of OpenSSL in your system, run the following commands:

sudo openssl version -v
sudo openssl version -b

This will output something like the following:

OpenSSL 1.0.1 10 Mar 2012
built on: Wed Jan  2 18:45:51 UTC 2015

If the date is older than “Mon Apr 7 20:33:29 UTC 2014,” and the version is “1.0.1,” then your system is vulnerable to the Heartbleed bug.

To fix this bug, update OpenSSL to the latest version and run

sudo apt-get update
sudo apt-get upgrade openssl libssl-dev
sudo apt-cache policy openssl libssl-dev

Now check the version and run

sudo openssl version -b

This will output something like the following:

built on: Mon Apr  7 20:31:55 UTC 2014

Secure the Console

By default, lots of terminals are enabled in your system. You can allow only one terminal and disable the other terminals.

To allow only “tty1” and disable other terminals, edit the “/etc/securetty” file.

sudo nano /etc/securetty

Add / Edit the following lines:

tty1
#tty2
#tty3
#tty4
# etc ...

To secure the “/etc/securetty” file, change the permission of the file and run the following commands:

sudo chown root:root /etc/securetty
sudo chmod 0600 /etc/securetty

Secure Shared Memory

Any user can use shared memory to attack against a running service, like apache or httpd. By default, shared memory is mounted read/write with execute permission.

To make it more secure, edit the “/etc/fstab” file.

sudo nano /etc/fstab

Add the following line:

tmpfs     /run/shm    tmpfs     ro,noexec,nosuid        0       0

To make the changes without rebooting, you can run

sudo mount -a

Secure /tmp and /var/tmp

Temporary directories such as /tmp, /var/tmp, and /dev/shm open the door for attackers to provide space to run scripts and malicious executables.

Secure /tmp folder

Create a 1GB filesystem file for the /tmp partition.

sudo dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=1024000
sudo mkfs.ext4 /usr/tmpDSK

Create a backup of the current /tmp folder:

sudo cp -avr /tmp /tmpbackup

Mount the new /tmp partition, and set the right permissions.

sudo mount -t tmpfs -o loop,noexec,nosuid,rw /usr/tmpDSK /tmp
sudo chmod 1777 /tmp

Copy the data from the backup folder, and remove the backup folder.

sudo cp -avr /tmpbackup/* /tmp/
sudo rm -rf /tmpbackup

Set the /tmp in the fbtab.

sudo nano /etc/fstab

Add the following line:

/usr/tmpDSK /tmp tmpfs loop,nosuid,noexec,rw 0 0

Test your fstab entry.

sudo mount -a

Secure /var/tmp:

Some software uses this folder as a temporary folder, so we should also secure this one.

To secure /var/tmp,  create a symbolic link that makes /var/tmp point to /tmp.

sudo mv /var/tmp /var/tmpold
sudo ln -s /tmp /var/tmp
sudo cp -avr /var/tmpold/* /tmp/

Set security limits

To protect your system from fork bomb attacks, you should set up a process limit for your users.

To set this up, edit the “/etc/security/limits.conf” file,

sudo nano /etc/security/limits.conf

and edit the following line:

user1 hard nproc 100
@group1 hard nproc 20

This will prevent users of a specific group from having a maximum of twenty processes and maximize the number of processes to one hundred to user1.

Disable unnecessary services

Lots of services in Ubuntu takes memory and disk space that you might need to use. Disabling or removing unnecessary services can improve overall system performance.

To find out which services are currently running, run the following command:

sudo initctl list | grep running

You can disable it by running this command.

sudo update-rc.d -f service_name remove
sudo apt-get purge service_name

The Shellshock vulnerability allows hackers to assign Bash environment variables and gain unauthorized access to the system. This vulnerability is very easy to exploit.

To check system vulnerability, run the following command:

sudo env i='() { :;}; echo Your system is Bash vulnerable' bash -c "echo Bash vulnerability test"

If you see the below output, it means your system is vulnerable.

Your system is Bash vulnerable
Bash vulnerability test

To fix this vulnerability, run the following command:

sudo apt-get update ; sudo apt-get install --only-upgrade bash

If you run the command again, you will see:

bash: warning: VAR: ignoring function definition attempt
bash: error importing function definition for `VAR'
Bash vulnerability test

Here we have explained basic things that you could do to harden Ubuntu. You should now have enough understanding of basic security practices that you can implement on your Ubuntu server. I hope that this post will be useful to you.

Reference: Ubuntu Hardening Guide