Ubuntu OS Security Hardening

Exported on 04-Sep-2021 18:32:11

Ubuntu OS Hardening

This procedure hardens Ubuntu OS to improve system security.

This has been tested on Raspberry Pi 4 with Ubuntu Server 20.04.2 LTS 64-bit.

Replace the Default Account

Create a new account then delete the default Ubuntu account.

Secure SSH and SUDO

Disable the SSH root login and force SUDO to require a password.

Patching and Unattended Upgrades

Patch the device with the latest packages and enable unattended upgrades.

Fail2Ban

Fail2ban is intrusion prevention software that protects servers from brute force attacks.

Firewall

The Uncomplicated Firewall (ufw) is a frontend for iptables.

Parameters

Name                 Type                  Script Reference    Default Value   Comment
Attune Node          Linux / Unix Server   attuneNode
Linux Node           Linux / Unix Server   linuxNode
Linux User           Linux OS Credential   linuxUser
Ubuntu Default User  Linux OS Credential   ubuntuDefaultUser                   The default Ubuntu user account.
ssh Port             Text                  sshPort             22

1 - Replace Ubuntu User Account

Replace the default user account by creating a new account, setting up privileges, and then removing the old account.

1.1 - RUA Add Linux User Account

Create a user account and apply privileges.

1.1.1 - AUA Create Linux User Account

Create a new user account.

This step has the following parameters

Name Script Reference Default Value
Linux User {linuxUser.user} None
Linux User {linuxUser.password}
The connection details have changed from the last step.

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
user={linuxUser.user}

adduser "$user"

# Confirm the account now exists in /etc/passwd.
grep "^$user:" /etc/passwd

This step will require you to answer the following prompts.

Prompt Answer
New password: {linuxUser.password}
Retype new password: {linuxUser.password}
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y

1.1.2 - AUA Give New Linux User Account sudo Privilege

Add the new user to the sudo group.

This step has the following parameters

Name Script Reference Default Value
Linux User {linuxUser.user} None

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
user={linuxUser.user}

adduser $user sudo

groups $user

1.1.3 - AUA Test New Linux User Account

Using the new account, test with a simple command.

The connection details have changed from the last step.

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
date

1.2 - Delete Ubuntu User Account - Linux

Delete the default user account.

1.2.1 - Restart Linux Node

Shut down the node with the reboot flag set and wait until the node has rebooted by checking it was down for two seconds and is active on port 22.

1.2.1.1 - Shutdown Node with Restart Flag

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
shutdown -r now

1.2.1.2 - Is Node Up

The connection details have changed from the last step.

on node

Check whether TCP port 22 is listening; make sure it goes down for 2 seconds.

Use Telnet to check if the TCP service is accepting connections.

1.2.2 - DDUA Delete Ubuntu User

Using the previously created account, delete the old user.

The exit code was updated:
  * Exit Code = 1 for a successful delete.
  * Exit Code = 2 if user does not exist.

This step has the following parameters

Name Script Reference Default Value
Ubuntu Default User {ubuntuDefaultUser.user} None
The connection details have changed from the last step.

Login as user on node

Connect via SSH
ssh user@hostname
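This is a Bash script; make sure you run it with bash -l from a terminal session.
user={ubuntuDefaultUser.user}

# --remove-home is the documented long form of the option.
deluser --remove-home "$user"

# grep exits with 1 when the account is no longer listed.
grep "^$user:" /etc/passwd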

2 - Secure SSH and SUDO

Disable the SSH root login and force SUDO to require a password.

2.1 - SS Make sudo Require Password

Force SUDO to require a password.

This step has the following parameters

Name Script Reference Default Value
Linux User {linuxUser.user} None

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
# The file name ends in "-nopasswd", but the rule written to it requires a password (PASSWD:).
touch /etc/sudoers.d/010_{linuxUser.user}-nopasswd

echo '{linuxUser.user} ALL=(ALL) PASSWD: ALL' >> /etc/sudoers.d/010_{linuxUser.user}-nopasswd

2.2 - SS Prevent ssh root login

Disable the SSH root login.

Login as user on node

Connect via SSH
ssh user@hostname
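This is a Bash script; make sure you run it with bash -l from a terminal session.
# Set PermitRootLogin to "no" whether the line is commented out or already set.
# The value prohibit-password would still allow root to log in with a key.
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config

cat /etc/ssh/sshd_config

service ssh restart

service ssh status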
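
Added example (not part of the exported procedure): a check for the two settings this section changes. It reads the PermitRootLogin value from the global part of an sshd_config file and lists active NOPASSWD rules in a sudoers.d directory; the function names are illustrative, and Include files and Match blocks are assumed not to apply.

```shell
# Added example; function names are illustrative, not from the procedure.

# effective_permit_root_login FILE
#   Prints the PermitRootLogin value from the global section of FILE.
#   sshd uses the first value it reads for a keyword, keywords are
#   case-insensitive, and the OpenSSH default is prohibit-password.
#   Assumption: Include files and Match blocks are not evaluated.
effective_permit_root_login() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line)
          split(line, f, /[ \t=]+/); key = tolower(f[1]) }
        key ~ /^#/               { next }
        key == "match"           { exit }
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# root_login_disabled FILE
#   Succeeds only for "no"; prohibit-password still admits root with a key.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# nopasswd_rules DIR
#   Prints "file: rule" for each active rule in DIR carrying the NOPASSWD tag.
#   sudo skips sudoers.d files whose names contain "." or end in "~".
nopasswd_rules() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in *.*|*~) continue ;; esac
        grep -v '^[[:space:]]*#' "$f" | grep 'NOPASSWD[[:blank:]]*:' |
            while IFS= read -r rule; do
                printf '%s: %s\n' "${f##*/}" "$rule"
            done
    done
}
```

On a live node, sshd -T (run as root) prints the configuration sshd actually resolved, including any Include files.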

3 - Node Patching - Linux

Update the package lists and upgrade the packages.

3.1 - NP Update Package Lists

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
apt-get update

3.2 - NP Upgrade Packages

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
apt-get upgrade -y

4.1 - UUL Install Unattended Upgrades Package

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
apt install unattended-upgrades -y

4.2 - UUL Install Apt List Changes

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
apt install apt-listchanges -y

4.3 - UUL Push Unattended Upgrades Config

Login as user on node

Connect via SSH
ssh user@hostname
Deploy archive Unattended Updates Config.tar to remote path /etc/apt/apt.conf.d/
  1. Locate the Files archive "Unattended Updates Config.tar". This can be downloaded from Attune.
  2. Copy the Files archive to the server
  3. Extract the root of the Files archive to /etc/apt/apt.conf.d/
  4. Check that the files are in the correct location

4.4 - UUL Test Unattended Upgrade

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
unattended-upgrade -d

5 - Setup Fail2ban

Fail2ban is intrusion prevention software that protects servers from brute force attacks.

5.1 - SF2B Install fail2ban

Install Fail2ban.

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
apt install fail2ban -y

5.2 - SF2B Create jail.local

The jail.local file is for fail2ban configuration customisations. The jail.conf is overwritten with distribution updates. jail.local is parsed after jail.conf.

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

5.3 - SF2B Customise jail.conf

Enable the ssh definition in jail.conf.

Login as user on node

Connect via SSH
ssh user@hostname
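This is a Bash script; make sure you run it with bash -l from a terminal session.
# The brackets are escaped so sed matches the literal text "# [sshd]";
# unescaped, [sshd] is a bracket expression that matches a single character.
sed -i 's/# \[sshd\]/[sshd]/g' /etc/fail2ban/jail.conf
sed -i 's/# enabled = true/enabled = true/g' /etc/fail2ban/jail.conf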

5.4 - SF2B Restart fail2ban Service

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
service fail2ban restart

6 - Setup Uncomplicated Firewall

The Uncomplicated Firewall (ufw) is a frontend for iptables.

6.1 - SFW Install Uncomplicated Firewall

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
# -y answers the confirmation prompt so the step can run unattended.
apt install ufw -y

6.2 - SFW Configure Firewall

This step has the following parameters

Name Script Reference Default Value
ssh Port {sshPort.value} 22
Attune Node {attuneNode.ip} None

Login as user on node

Connect via SSH
ssh user@hostname
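This is a Bash script; make sure you run it with bash -l from a terminal session.
# "to any port" matches the destination port; "from <ip> port <n>" alone would match the source port.
ufw allow from {attuneNode.ip} to any port {sshPort.value} proto tcp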

6.3 - SFW Enable Firewall

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
ufw enable

ufw status verbose

7 - Restart Linux Node

Shut down the node with the reboot flag set and wait until the node has rebooted by checking it was down for two seconds and is active on port 22.

7.1 - Shutdown Node with Restart Flag

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
shutdown -r now

7.2 - Is Node Up

The connection details have changed from the last step.

on node

Check whether TCP port 22 is listening; make sure it goes down for 2 seconds.

Use Telnet to check if the TCP service is accepting connections.
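
Added example (not part of the exported procedure) covering both "Is Node Up" steps: wait until the port has been closed for consecutive probes, then wait until it accepts connections again. It uses nc in place of Telnet so the probe can be scripted; the function names and the probe counts are assumptions.

```shell
# Added example; function names and probe counts are illustrative.

# Probe: succeeds when a TCP connect to HOST PORT is accepted within 1 second.
# Uses netcat (-z: connect without sending data, -w: timeout in seconds).
port_open() {
    nc -z -w 1 "$1" "$2" >/dev/null 2>&1
}

# wait_for_reboot HOST PORT DOWN_POLLS MAX_POLLS INTERVAL
#   Phase 1: wait until the port is closed for DOWN_POLLS consecutive probes
#            (2 probes at a 1 second interval cover "down for two seconds").
#   Phase 2: wait until the port accepts connections again.
#   Returns 0 on success, 2 if the node never went down within MAX_POLLS
#   probes, 1 if it went down but did not come back.
wait_for_reboot() {
    host=$1 port=$2 down_polls=$3 max_polls=$4 interval=$5
    polls=0
    down=0

    while [ "$down" -lt "$down_polls" ]; do
        if [ "$polls" -ge "$max_polls" ]; then
            return 2
        fi
        polls=$((polls + 1))
        if port_open "$host" "$port"; then
            down=0              # still up, or flapping: restart the count
        else
            down=$((down + 1))
        fi
        sleep "$interval"
    done

    while [ "$polls" -lt "$max_polls" ]; do
        polls=$((polls + 1))
        if port_open "$host" "$port"; then
            return 0
        fi
        sleep "$interval"
    done
    return 1
}

# Usage: wait_for_reboot <node address> 22 2 300 1
```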