edwin
/
do-bastion
mirror of https://git.technerdonline.com/edwin/do-bastion.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update 'Hardening Ubuntu'

master
Edwin Lyon 3 years ago
parent e88745d988
commit f6081061ec
1 changed files with 367 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 367
      Hardening-Ubuntu.md

367
Hardening-Ubuntu.md
Unescape

@ -0,0 +1,367 @@
Taking the extra steps to protect your Ubuntu or Debian cloud droplet takes only a little effort and time but will have a huge long term impact on your cyber security. You can use the referral badge below to get started with a $100 credit from Digital Ocean or use this link to [DigitalOcean](https://m.do.co/c/42cf2120197b).
[![DigitalOcean Referral Badge](https://web-platforms.sfo2.cdn.digitaloceanspaces.com/WWW/Badge%201.svg)](https://www.digitalocean.com/?refcode=42cf2120197b&utm_campaign=Referral_Invite&utm_medium=Referral_Program&utm_source=badge)
### **1. ASSESS & IDENTIFY THE RISK**
Undertaking a review to identify potential risks is a important first step. Some useful techniques for identifying risks are:
1. **NMAP** is a great tool to help identify potential risks. DigitalOcean has a pretty good guide **[HERE](https://www.digitalocean.com/community/tutorials/how-to-test-your-firewall-configuration-with-nmap-and-tcpdump)**.
2. **Tenable** offers a great solution that also provides a very friendly report. Although normally a Nessus Professional license isn't cheap, Tenable does offer a free version as well. You can download the free version **[HERE](https://www.tenable.com/downloads/nessus?loginAttempted=true)**.
3. **Sn1per** is a open source solution that puts together a number of great open projects to deliver a very effective and easy to use package. You can check out the project on Github **[HERE](https://github.com/1N3/Sn1per)**.
4. **Lynis** is a open source tool that audits and grades your linux operating system's security. You can check out the project on Github **[HERE](https://github.com/CISOfy/lynis)**.
### **2. REDUCE THE RISK**
Once you have an idea of what potential cyber security risks you face you should start to take the steps to reduce those risks.
Set the default user profile to "umask 027" it is a good compromise between security and simplicity. A umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 makes files and directories readable by users in the same Unix group (i.e. "sudo" or "root"), while a umask of 022 makes files readable by every user on the system.
```bash
# Setting global umask
sudo echo "umask 027" >> /etc/profile
```
Restrict at and cron to authorized users only.
```bash
# First Remove both at.deny & cron.deny
sudo rm /etc/cron.deny 2> /dev/null
sudo rm /etc/at.deny 2> /dev/null
# Second create both at.allow & cron.allow
sudo echo 'root' > /etc/cron.allow
sudo echo 'root' > /etc/at.allow
# Third set the ownership to root
sudo chown root:root /etc/cron*
sudo chown root:root /etc/at*
```
Use the hosts.allow and hosts.deny files to help restrict access to services. For example the only IP address that should have access to NRPE on port 5666 is your Nagios server.
```bash
# Setup Some Access Control Rules
sudo echo 'sshd : ALL : ALLOW' > /etc/hosts.allow
# Or if this Node should only be accessible via a bastion-host
sudo echo 'sshd: 192.168.0.2' > /etc/hosts.allow
sudo echo 'ALL: LOCAL, 127.0.0.1' >> /etc/hosts.allow
sudo echo 'NRPE: 192.168.0.2' >> /etc/hosts.allow
sudo echo 'ALL: PARANOID' > /etc/hosts.deny
sudo chmod 644 /etc/hosts.allow
sudo chmod 644 /etc/hosts.deny
```
Limit visibility of running processes to those services that started the process or users in the same group.
```bash
# Edit fstab & Hide PID2
sudo echo 'proc /proc proc defaults,hidepid=2 0 0' >> /etc/fstab
```
Disable Root Recovery console, but make sure you have set a root password first.
```bash
# GRUB enable swap & disable root recovery
sudo echo 'GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"' >> /etc/default/grub
sudo echo 'GRUB_DISABLE_RECOVERY="true"' >> /etc/default/grub
sudo update-grub
```
It may seem unimportant, but having the time stamps match your timezone will make things easier later on when you are reviewing your logs and reports.
```bash
# Setup NTP
sudo timedatectl set-ntp true
sudo timedatectl set-timezone America/Los_Angeles
sudo echo 'servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org' >> /etc/systemd/timesyncd.conf
```
```bash
sudo apt update
sudo apt install apparmor apparmor-profiles apparmor-utils apparmor-easyprof -y
# Enforce apparmor profiles
sudo echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor
sudo systemctl start apparmor.service
sudo systemctl enable apparmor.service
```
```bash
sudo apt update
sudo apt install libpam-tmpdir libpam-apparmor libpam-cracklib -y
```
Disable USB access on your cloud node.
```bash
# Install USBGuard
sudo apt update
sudo apt install usbguard -y
# Setting up USBGuard
sudo usbguard generate-policy > /tmp/rules.conf
sudo install -m 0600 -o root -g root /tmp/rules.conf /etc/usbguard/rules.conf
```
Securing your remote access services isn't just about disabling root access and enabling authorized keys in your SSH configuration.
```bash
sudo mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Harden SSH Settings
sudo cat <<-EOF > /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
AcceptEnv LANG LC_*
AllowGroups root sudo
Banner /etc/issue.net
ChallengeResponseAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
ClientAliveCountMax 0
ClientAliveInterval 300
Compression no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
LoginGraceTime 20
LogLevel VERBOSE
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
MaxAuthTries 3
MaxSessions 3
MaxStartups 10:30:60
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitUserEnvironment no
PrintLastLog yes
PrintMotd no
StrictModes yes
Subsystem sftp internal-sftp
UseDNS no
UsePAM yes
X11Forwarding no
AllowTcpForwarding no
EOF
sudo systemctl daemon-reload
sudo systemctl restart ssh.service
```
Now update your host keys and test ssh by starting a 2nd session.
```bash
## Switch to root
sudo su -
## Update ssh_host keys
rm /etc/ssh/ssh_host_*
ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ""
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
```
### **3. MANAGE YOUR RISK**
```bash
sudo apt update
sudo apt install dbconfig-common dbconfig-sqlite3 sqlite3 fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.d/jail.local
sudo systemctl restart fail2ban
```
```bash
sudo apt update
sudo apt install rkhunter -y
sudo dpkg-reconfigure rkhunter
```
```bash
sudo cat <<-EOF > /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
```
### **4. MONITOR YOUR RISK**
Auditd can be a pretty powerful tool once you have the audit rules setup as it will give you valuable insights about your server performance and activities by ensuring that they are written to your logs.
```bash
sudo apt update
sudo apt install auditd audispd-plugins -y
# Setup Auditd Rules and Logging
sudo cat <<-EOF > /etc/audit/rules.d/docker.rules
# Remove any existing rules
-D
# Buffer Size
-b 8192
# Ignore errors
-i
# Failure Mode
-f 1
# Audit the audit logs
-w /var/log/audit/ -k auditlog
# Auditd configuration
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
# Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
# Monitor AppArmor configuration changes
-w /etc/apparmor/ -p wa -k apparmor
-w /etc/apparmor.d/ -p wa -k apparmor
# Monitor usage of AppArmor tools
-w /sbin/apparmor_parser -p x -k apparmor_tools
-w /usr/sbin/aa-complain -p x -k apparmor_tools
-w /usr/sbin/aa-disable -p x -k apparmor_tools
-w /usr/sbin/aa-enforce -p x -k apparmor_tools
# Monitor Systemd configuration changes
-w /etc/systemd/ -p wa -k systemd
-w /lib/systemd/ -p wa -k systemd
# Monitor usage of systemd tools
-w /bin/systemctl -p x -k systemd_tools
-w /bin/journalctl -p x -k systemd_tools
# Special files
-a always,exit -F arch=x86_64 -S mknod -S mknodat -k specialfiles
-a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles
# Mount operations
-a always,exit -F arch=x86_64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
# Changes to the time
-a always,exit -F arch=x86_64 -S settimeofday -k audit_time_rules
-a always,exit -F arch=x86_64 -S adjtimex -k audit_time_rules
-a always,exit -F arch=x86_64 -S clock_settime -k audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
# Cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
# User, group, password databases
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
# MAC-policy
-w /etc/selinux/ -p wa -k MAC-policy
# Monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification
# Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
# Monitor module tools
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
# Login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
# Network configuration
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/network/ -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
# System startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
# Library search paths
-w /etc/ld.so.conf -p wa -k libpath
# Local time zone
-w /etc/localtime -p wa -k localtime
# Time zone configuration
-w /etc/timezone -p wa -k audit_time_ruleszone
# Kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
# Modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d/ -p wa -k modprobe
-w /etc/modules -p wa -k modprobe
# Module manipulations
-a always,exit -F arch=x86_64 -S init_module -S delete_module -F key=modules
-a always,exit -F arch=x86_64 -S init_module -F key=modules
-a always,exit -F arch=b32 -S init_module -S delete_module -F key=modules
-a always,exit -F arch=b32 -S init_module -F key=modules
# PAM configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
# Postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
# SSH configuration
-w /etc/ssh/sshd_config -k sshd
# Changes to hostname
-a always,exit -F arch=x86_64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
# Changes to issue
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
# Capture all unauthorized file accesses
-a always,exit -F arch=x86_64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=x86_64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
# Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k actions
-w /usr/bin/sudo -p x -k actions
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d -p wa -k actions
# Make the configuration immutable
-e 2
EOF
sudo systemctl start auditd
sudo systemctl enable auditd
```
You can then install logcheck or logwatch to get more detailed reports emailed to you. In addition you can use projects like [mkcert](https://github.com/FiloSottile/mkcert) or [cfssl](https://github.com/cloudflare/cfssl) to enable TLS for internal communications between software like nrpe and nagios for example.
Write Preview
Loading…
Cancel
Save