
Programming by Design

If you're not prepared to be wrong, you'll never come up with anything original. – Sir Ken Robinson


Ubuntu Hardening

Posted on January 30, 2019 by William Jojo
CISS-125

There are a variety of Ubuntu hardening techniques out there. These are just a few that should be of interest.


Secure shared memory

Shared memory (/dev/shm, which /run/shm points to on current Ubuntu releases) is a world-writable tmpfs, which makes it a convenient place for an attacker who has compromised a running service to drop and execute a payload. Mounting it with noexec and nosuid (and nodev) takes that away.

Edit the /etc/fstab file and add the following to the bottom:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Because /run/shm is only a symlink on current releases, write the entry for /dev/shm instead and add nodev as well. A reboot applies the change; so does mount -o remount /dev/shm, and findmnt -no OPTIONS /dev/shm shows whether the options took. Test your applications afterwards: software that expects to map executable pages out of shared memory will fail under noexec.
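A quick way to confirm that the mount actually came up with the intended options, as an added example that is not part of the original post: the function below reads a mount table in /proc/mounts format and reports which of the required options are missing. The sample table it runs on is constructed here for the demonstration; on a live host pass /proc/mounts.

```sh
#!/bin/sh
# Added example: verify that a mount point carries every required option.
#
# mount_has_opts TABLE MOUNTPOINT OPT [OPT...]
#   TABLE is a file in /proc/mounts format (device mountpoint fstype
#   options dump pass); pass /proc/mounts on a live system.
#   Prints the missing options. Returns 0 if none are missing,
#   1 if MOUNTPOINT is not mounted at all, 2 if options are missing.
mount_has_opts() {
    table=$1 mnt=$2
    shift 2
    # The last matching line wins, as with stacked mounts in /proc/mounts.
    opts=$(awk -v m="$mnt" '$2 == m { o = $4 } END { print o }' "$table")
    [ -n "$opts" ] || { echo "$mnt: not mounted" >&2; return 1; }
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;                     # option present
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mnt: missing$missing (has: $opts)"
        return 2
    fi
    return 0
}

# Constructed sample table (not captured from a real host): /dev/shm is
# still mounted with the defaults, so the check should flag it.
sample_mounts() {
    cat <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=401368k,mode=755 0 0
EOF
}

# Stand-alone run on the sample. On a live host:
#   mount_has_opts /proc/mounts /dev/shm noexec nosuid nodev
work=$(mktemp)
sample_mounts > "$work"
if mount_has_opts "$work" /dev/shm noexec nosuid nodev; then
    echo "/dev/shm: hardened"
fi
rm -f "$work"
```

The check matches whole option names, so a mount carrying size=... or mode=... is not mistaken for one carrying noexec, and it looks at the last entry for the path, which is the one the kernel is actually using.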


Secure ssh login for specific users

Although you can protect a server with a firewall, sometimes it simply must be reachable by certain users, even when a VPN is an option. You may also want to restrict access to certain users from certain networks.

The /etc/ssh/sshd_config file has the configuration of sshd. Edit the /etc/ssh/sshd_config file and add a line like:

AllowUsers student@192.168.2.28

Check the file for syntax errors with sshd -t, then restart sshd to apply the change:

service ssh restart

Keep your current session open until a fresh login has been confirmed to work: a mistake in this line locks everyone out. Note that this allows only the user student, and only from the IP 192.168.2.28. Anyone else is refused, even with correct credentials.

If you wanted to allow everyone from the same subnet, you could do

AllowUsers *@192.168.2.*

or consider other forms:

AllowUsers *@192.168.2.0/24 *@*.example.com
AllowGroups ssh

The host part of a pattern may be a wildcard, a CIDR block or a hostname pattern. A hostname pattern such as *.example.com is compared against the reverse-DNS name of the client, which sshd only looks up when UseDNS is enabled; with UseDNS no (the default on Ubuntu) only the address patterns can match. If both AllowUsers and AllowGroups are set, a login must satisfy both: sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and the first rule that rejects the user wins.

Keep in mind that any change requires a restart of the ssh service.
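Before restarting sshd it is worth checking a candidate AllowUsers line against the logins that must keep working. The script below is an added example, not part of the original post: a POSIX-sh approximation of how sshd matches USER@HOST patterns, written here for the demonstration. The user part is matched as a shell wildcard and the host part as either a CIDR block or a wildcard against the client address, which is how sshd handles the address side. Hostname patterns such as *.example.com, which sshd compares against the reverse-DNS name only when UseDNS is enabled, are not modelled and therefore never match, which is also what happens with UseDNS no.

```sh
#!/bin/sh
# Added example: emulate sshd's AllowUsers USER@HOST matching (address side
# only; hostname patterns are assumed not to match, as with UseDNS no).

# ip2int 192.168.2.28 -> 3232236060
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# cidr_match ADDR NET/BITS : succeeds when ADDR lies inside the block
cidr_match() {
    bits=${2#*/}
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# host_match ADDR PATTERN : PATTERN is a CIDR block or a shell-style wildcard
host_match() {
    case $2 in
        */*) cidr_match "$1" "$2" ;;
        *)   case $1 in $2) return 0 ;; esac; return 1 ;;
    esac
}

# allow_users_match USER ADDR PATTERN : test one AllowUsers token
allow_users_match() {
    case $3 in
        *@*) upat=${3%%@*}; hpat=${3#*@} ;;
        *)   upat=$3; hpat='*' ;;        # a bare user name means "from anywhere"
    esac
    case $1 in $upat) ;; *) return 1 ;; esac
    host_match "$2" "$hpat"
}

# ssh_allowed USER ADDR PATTERN... : succeeds if any pattern admits the login.
# Once AllowUsers is present, a login matching none of its patterns is
# refused no matter how good the credentials are.
ssh_allowed() {
    su_user=$1 su_addr=$2
    shift 2
    for su_pat in "$@"; do
        allow_users_match "$su_user" "$su_addr" "$su_pat" && return 0
    done
    return 1
}

# Stand-alone demo against the post's example lines (constructed logins).
demo() {
    login=$1; shift
    if ssh_allowed "${login%@*}" "${login#*@}" "$@"; then
        echo "AllowUsers $* -> $login allowed"
    else
        echo "AllowUsers $* -> $login denied"
    fi
}
demo student@192.168.2.28 'student@192.168.2.28'
demo student@192.168.2.29 'student@192.168.2.28'
demo student@192.168.2.29 '*@192.168.2.0/24' '*@*.example.com'
demo alice@10.0.0.5       '*@192.168.2.0/24' '*@*.example.com'
```

Run it with the exact patterns you intend to put in sshd_config and the user/address pairs of every administrator who must keep access; a "denied" line for one of them is the lockout you would otherwise discover after the restart.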


Login Banner

Once upon a time, Unix systems greeted users at login with the contents of /etc/motd, the Message Of The Day, and the file became a vehicle for all sorts of additional information. Today the MOTD is more elaborate: Linux distributions, Ubuntu included, generate it dynamically at login.

The details provided by this dynamic MOTD usually center on available patches, system utilization and the general health of the system.

Many banners greet the user with a "Welcome" message. Do not do this. A system should instead present a policy notice stating that access is restricted to authorized users, that unauthorized access, use or modification is prohibited, and that activity may be monitored. The notice belongs in the pre-authentication banner, so that it is shown before any credentials are accepted, and because it is shown to anyone who connects it should not disclose the OS, software versions or internal names.

Create a new MOTD file such as /etc/policy.motd containing that notice.

Find the lines in /etc/pam.d/sshd that look like:

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

and comment them out by putting a # at the beginning of each line:

# session optional pam_motd.so motd=/run/motd.dynamic
# session optional pam_motd.so noupdate

This stops the dynamic MOTD and /etc/motd from being printed to ssh sessions after authentication; the policy text is shown before authentication instead.

Edit /etc/ssh/sshd_config and set the Banner option (Ubuntu ships it commented out as #Banner none) so that it looks like:

Banner /etc/policy.motd

If an uncommented Banner line already exists, change that line rather than adding a second one: sshd uses the first active value it finds for a keyword and silently ignores later ones. Remember to restart the ssh service.
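The edits in this section and in the AllowUsers section above are easy to get subtly wrong by hand: sshd takes the first active occurrence of a single-valued keyword such as Banner, so a line appended below an uncommented Banner none does nothing, and an edit that lands inside a Match block applies only to that block (AllowUsers lines, by contrast, accumulate, but a single line keeps the policy readable). The functions below are an added example, not from the original post, that make both edits idempotently: sshd_set rewrites the first active line before any Match block or inserts one there, sshd_get reads back the effective global value, and pam_disable_motd comments out the pam_motd lines. They run here on constructed excerpts of sshd_config and /etc/pam.d/sshd, not on the real files; point them at the real paths to apply the change.

```sh
#!/bin/sh
# Added example: idempotent edits to sshd_config and /etc/pam.d/sshd.

# sshd_set FILE KEYWORD VALUE
#   Replaces the first active (uncommented) KEYWORD line that appears before
#   any Match block, or inserts one just before the first Match block, or
#   appends one if there is no Match block. Lines inside Match blocks are
#   left alone. Keyword comparison is case-insensitive, as in sshd.
sshd_set() {
    awk -v k="$2" -v v="$3" '
        BEGIN { lk = tolower(k) }
        !inmatch && !done && tolower($1) == lk { print k, v; done = 1; next }
        tolower($1) == "match" {
            if (!done) { print k, v; done = 1 }
            inmatch = 1
        }
        { print }
        END { if (!done) print k, v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# sshd_get FILE KEYWORD : prints the value sshd would use outside Match blocks
sshd_get() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == lk { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# pam_disable_motd FILE : comment out every active pam_motd.so session line
pam_disable_motd() {
    sed -i.bak '/^[[:space:]]*session.*pam_motd\.so/s/^/# /' "$1"
}

# Constructed excerpts for the stand-alone run (not the real files).
sample_sshd_config() {
    cat <<'EOF'
Port 22
#Banner none
Banner none
PrintMotd no
Match User backup
    PasswordAuthentication no
EOF
}
sample_pam_sshd() {
    cat <<'EOF'
@include common-auth
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    required     pam_env.so
EOF
}

# Apply the post's changes to the samples and show the result. For the real
# files: sshd_set /etc/ssh/sshd_config Banner /etc/policy.motd, and so on,
# then sshd -t && service ssh restart.
work=$(mktemp -d)
sample_sshd_config > "$work/sshd_config"
sample_pam_sshd > "$work/sshd"
sshd_set "$work/sshd_config" Banner /etc/policy.motd
sshd_set "$work/sshd_config" AllowUsers 'student@192.168.2.28'
pam_disable_motd "$work/sshd"
echo "effective Banner: $(sshd_get "$work/sshd_config" Banner)"
cat "$work/sshd_config" "$work/sshd"
rm -rf "$work"
```

Running sshd_set twice with the same value leaves the file unchanged, which is what makes it safe to keep in a provisioning script; sed -i.bak leaves a copy of the PAM file behind for a rollback.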


The network layer

The kernel's network settings can be tuned to drop source-routed packets, ignore ICMP redirects, resist SYN floods and ignore pings. You can also log "martian" packets, those arriving with a source address that is impossible on the interface they came in on.

Edit the /etc/sysctl.conf file (or drop a file into /etc/sysctl.d/, which sysctl --system reads) adding the following:

# IP spoofing protection: reverse path filtering (1 = strict; 2 = loose, for hosts with asymmetric routing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Do not send ICMP redirects (this host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Mitigate SYN floods
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log martian packets; drop bogus ICMP error responses without logging them
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore directed pings (note: this also hides the host from ping-based monitoring)
net.ipv4.icmp_echo_ignore_all = 1

Run

sysctl -p

to load the file into the running kernel; it is applied again at every boot. Two of these settings deserve a second look before you keep them: icmp_echo_ignore_all hides the host from ping-based monitoring and troubleshooting (rate-limiting echo requests in the firewall is usually the better trade), and strict reverse path filtering (rp_filter = 1) drops legitimate traffic on hosts with asymmetric routing, where rp_filter = 2 is the safer choice.
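sysctl -p says nothing when a key is later changed by another file, a container runtime or a hand-typed sysctl, so an audit that compares the intended values with the running kernel is worth keeping. The function below is an added example, not part of the original post: it reads a sysctl.conf-style file and a sysctl -a dump and prints every key whose running value differs or is missing. The two sample files are constructed here; on a live host pass /etc/sysctl.conf and the saved output of sysctl -a.

```sh
#!/bin/sh
# Added example: compare intended sysctl settings with the running kernel.

# norm STRING : trim and collapse whitespace so "32768   60999" equals "32768 60999"
norm() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                             -e 's/[[:space:]][[:space:]]*/ /g'
}

# sysctl_drift EXPECTED RUNNING
#   EXPECTED: sysctl.conf-style file ("key = value", # comments allowed)
#   RUNNING:  output of `sysctl -a` (same "key = value" format)
#   Prints one line per key that is unset or differs; returns 0 only when
#   every expected key matches the running value.
sysctl_drift() {
    drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # drop comments
        case $line in *=*) ;; *) continue ;; esac   # skip blank lines
        key=$(norm "${line%%=*}")
        want=$(norm "${line#*=}")
        have=$(awk -v k="$key" '$1 == k { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$2")
        have=$(norm "$have")
        if [ "$have" != "$want" ]; then
            printf '%s: want %s, running %s\n' "$key" "$want" "${have:-<unset>}"
            drift=$((drift + 1))
        fi
    done < "$1"
    [ "$drift" -eq 0 ]
}

# Constructed samples (not taken from a real host): the policy file uses a
# few of the post's lines; the "running" dump has strict rp_filter relaxed,
# pings re-enabled and log_martians never set.
sample_expected() {
    cat <<'EOF'
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
# Log Martians
net.ipv4.conf.all.log_martians = 1
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_local_port_range = 32768 60999
EOF
}
sample_running() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_local_port_range = 32768    60999
net.ipv4.tcp_syncookies = 1
EOF
}

# Stand-alone run. On a live host:
#   sysctl -a 2>/dev/null > /tmp/running && sysctl_drift /etc/sysctl.conf /tmp/running
work=$(mktemp -d)
sample_expected > "$work/expected"
sample_running > "$work/running"
sysctl_drift "$work/expected" "$work/running" || echo "drift detected"
rm -rf "$work"
```

Whitespace is normalized on both sides because sysctl -a prints multi-value keys such as ip_local_port_range with a tab between the values, which would otherwise show up as spurious drift.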


Prevent IP spoofing

There is an old configuration option, nospoof on in /etc/host.conf, that is supposed to prevent IP spoofing by rejecting hostname lookups whose forward and reverse records disagree. It was never actually implemented: the resolver parses the keyword and does nothing with it. Sadly there are many documents still presenting it as a useful addition to a hardened system. It does not work.

What is interesting is the timeline:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773443

was reported in 2014, while

https://bugzilla.redhat.com/show_bug.cgi?id=1577265

was reported in 2018, mostly because the entries began to produce errors rather than being ignored.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Copyright © 2018 – 2025 Programming by Design.