UBUNTU - Hardening

From IT-Arts.net
Latest revision as of 08:52, 17 January 2026

Scope and Threat Model

This hardening post-install script is designed to reduce the attack surface of a freshly installed Ubuntu system (server or workstation) by enforcing secure defaults, disabling unnecessary components, and applying defense-in-depth controls.

The threat model assumes:

  • Remote network-based attacks
  • Local privilege escalation attempts
  • Misconfiguration exploitation
  • Persistence via services, cron jobs, or kernel parameters
  • Credential brute-force and reuse attacks

Security Principles Applied

Least Privilege

Users, services, and applications are granted only the minimal permissions required.

Defense in Depth

Multiple layers of security controls are applied (firewall, kernel hardening, MAC, auditing).

Secure by Default

Insecure defaults are replaced with hardened configurations immediately after installation.

Auditable and Reversible

All changes are logged and configuration backups are created before modification.

Script Architecture

The hardening script is modular and idempotent.

Recommended structure:

  • 00-preflight.sh
  • 10-system-updates.sh
  • 20-user-and-auth.sh
  • 30-ssh-hardening.sh
  • 40-firewall.sh
  • 50-kernel-hardening.sh
  • 60-filesystem.sh
  • 70-auditing.sh
  • 80-mandatory-access-control.sh
  • 90-services-cleanup.sh

Each module:

  • Verifies prerequisites
  • Applies configuration
  • Validates results
  • Logs changes

Example dispatcher (stops at the first failing module so later modules never run against a half-configured system):

#!/usr/bin/env bash
set -euo pipefail
for module in modules/*.sh; do
    echo "==> ${module}"
    bash "$module" || { echo "[FAIL] ${module}" >&2; exit 1; }
done
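The skeleton below is an added example, not the wiki's script: it shows the preflight, backup and logging helpers that the "Each module" list above expects every module to call, plus a dispatcher that records how many modules passed and refuses to continue past a failure. The variable and function names (HARDEN_LOG, HARDEN_BACKUP_DIR, backup_file, run_modules, require_root) and the default paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the wiki's script): dispatcher skeleton with the
# backup/log helpers every module is expected to use. The names and the
# default paths below are assumptions for this example.
set -eu

HARDEN_LOG="${HARDEN_LOG:-/var/log/hardening.log}"
HARDEN_BACKUP_DIR="${HARDEN_BACKUP_DIR:-/var/backups/hardening}"

# log LEVEL MESSAGE -> "[LEVEL] <timestamp> MESSAGE" on stderr and appended to $HARDEN_LOG
log() {
    printf '[%s] %s %s\n' "$1" "$(date '+%FT%T')" "$2" | tee -a "$HARDEN_LOG" >&2
}

# require_root -> preflight check: fail unless running as uid 0
require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        log FAIL "must run as root"
        return 1
    fi
}

# backup_file PATH -> copies PATH into $HARDEN_BACKUP_DIR with a timestamp
# suffix (preserving mode and owner) and prints the backup path. A missing
# file is not an error: the module may be creating it for the first time.
backup_file() {
    src="$1"
    if [ ! -e "$src" ]; then
        log WARN "nothing to back up: $src"
        return 0
    fi
    mkdir -p "$HARDEN_BACKUP_DIR"
    dst="$HARDEN_BACKUP_DIR/$(printf '%s' "$src" | tr '/' '_').$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dst"
    log OK "backed up $src -> $dst"
    printf '%s\n' "$dst"
}

# run_modules DIR -> runs DIR/*.sh in lexical order (00-, 10-, ... prefixes),
# stops at the first failing module so later modules never run on a half-
# configured system, prints "<ok> <failed>" and returns non-zero on failure.
run_modules() {
    dir="$1"; ok=0; failed=0
    for module in "$dir"/*.sh; do
        [ -e "$module" ] || continue          # empty directory: glob stays literal
        rc=0
        bash "$module" || rc=$?
        if [ "$rc" -eq 0 ]; then
            ok=$((ok + 1)); log OK "$(basename "$module")"
        else
            failed=$((failed + 1)); log FAIL "$(basename "$module") exited $rc"
            break
        fi
    done
    printf '%s %s\n' "$ok" "$failed"
    [ "$failed" -eq 0 ]
}

# Stand-alone use: sh harden.sh --run [modules-dir]
if [ "${1:-}" = "--run" ]; then
    require_root
    run_modules "${2:-modules}"
fi
```

Modules source this file (or copy the helpers) and call `backup_file /etc/ssh/sshd_config` before editing, so every change is reversible from `$HARDEN_BACKUP_DIR` and every step is visible in `$HARDEN_LOG`.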

System Update and Package Hardening

Automatic Security Updates

Enable unattended upgrades for security patches:

apt install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades

The second command writes `/etc/apt/apt.conf.d/20auto-upgrades`; confirm with `apt-config dump | grep Unattended-Upgrade` (expect `"1"`) and dry-run the upgrader with `unattended-upgrade --dry-run --debug`.

Security concept: *Vulnerability window reduction*

Package Minimization

Remove unnecessary packages:

apt purge -y telnet ftp rsh-server xinetd

Disable unused package managers. Removing the execute bit from the snap client is a quick measure, but it is silently undone by the next snapd update and does not stop snapd itself:

chmod -x /usr/bin/snap

On systems that do not need snaps, masking `snapd.socket` and purging the `snapd` package is the durable form of this control.

User Accounts and Authentication

Password Policy

Configure PAM password quality:

apt install -y libpam-pwquality

Example `/etc/security/pwquality.conf` settings:

  • minlen = 14
  • retry = 3
  • enforce_for_root

These are enforced through `pam_pwquality` in `/etc/pam.d/common-password`, which the package enables via `pam-auth-update` on installation. Without `enforce_for_root`, the checks are only warnings when root sets a password.

Account Lockout

Mitigate brute-force attacks with `pam_faillock`. The older `pam_tally2` module was removed in Linux-PAM 1.4 and is not available on Ubuntu 22.04 and later, and `pam_tally2 --user` only displayed a counter rather than configuring anything. Set the thresholds in `/etc/security/faillock.conf` (for example `deny = 5` and `unlock_time = 900`), add the `pam_faillock.so preauth` and `authfail` lines to `/etc/pam.d/common-auth` as described in pam_faillock(8), then inspect a user's counter with:

faillock --user testuser

Add `--reset` to the same command to clear a lockout.

Security concept: *Credential attack mitigation*

Disable Root Login

Ubuntu installs with the root password already locked; locking it again is harmless and keeps the script idempotent on images that set one:

passwd -l root

Verify with `passwd -S root` (second field `L`). A locked password only blocks password logins; with `UsePAM yes` (Ubuntu's default) a key in `/root/.ssh/authorized_keys` still works, which is why SSH also needs `PermitRootLogin no`.

SSH Hardening

Secure SSH Configuration

Example hardened settings in `/etc/ssh/sshd_config`:

PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 3

Two caveats. `ClientAliveCountMax 0` is a common copy-paste error: in current OpenSSH a value of 0 disables the idle disconnect instead of enforcing it, so use a small positive count (300 s x 3 = 15 minutes idle). Ubuntu's stock `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it sees for each keyword, so a drop-in there overrides anything below it; put the hardened block in a drop-in such as `/etc/ssh/sshd_config.d/99-hardening.conf` and check the effective configuration with `sshd -T`.

Validate the syntax, then restart the service (keep the current session open until a second login succeeds):

sshd -t && systemctl restart ssh

Security concepts:

  • Attack surface reduction
  • Strong authentication enforcement
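The "validates results" step for the Password Policy, Account Lockout and SSH Hardening sections, as an added example that is not the wiki's code. `conf_get` reads the effective value of a key from either file style used above: `sshd_config` ("Key value", key case-insensitive, first occurrence wins, as sshd itself does) and the `key = value` files `pwquality.conf` and `faillock.conf` (last occurrence wins; a bare flag such as `enforce_for_root` reads as `yes`). The thresholds in `audit_auth`, the function names and the `--live` paths are assumptions for this example; the checker does not follow sshd's `Include`, so `sshd -T` remains the authoritative view of a live host.

```shell
#!/bin/sh
# Added example (not the wiki's code): validation helper for the
# authentication modules. Function names, thresholds and the --live paths
# are assumptions for this example.

# conf_get FILE KEY STYLE   (STYLE: sshd | kv) -> effective value, empty if unset
conf_get() {
    case "$3" in
    sshd)   # sshd keywords are case-insensitive and the FIRST match wins
        awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
            tolower($1) == k { print $2; exit }' "$1" ;;
    kv)     # key = value files: LAST match wins, a bare flag means "yes"
        awk -F= -v k="$2" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
            { name = $1; gsub(/[[:space:]]/, "", name)
              if (name != k) next
              if (NF == 1) { val = "yes" }
              else { val = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val) }
              found = 1 }
            END { if (found) print val }' "$1" ;;
    esac
}

# check_eq FILE KEY WANT STYLE -> "OK key=value" / "FAIL key=value (want X)"; non-zero on mismatch
check_eq() {
    got=$(conf_get "$1" "$2" "$4")
    if [ "$got" = "$3" ]; then
        printf 'OK   %s=%s\n' "$2" "$got"
    else
        printf 'FAIL %s=%s (want %s)\n' "$2" "${got:-<unset>}" "$3"; return 1
    fi
}

# check_min FILE KEY MIN STYLE -> pass when the value is an integer >= MIN
check_min() {
    got=$(conf_get "$1" "$2" "$4")
    case "$got" in
    *[!0-9]*|'') printf 'FAIL %s=%s (want >= %s)\n' "$2" "${got:-<unset>}" "$3"; return 1 ;;
    esac
    if [ "$got" -ge "$3" ]; then
        printf 'OK   %s=%s\n' "$2" "$got"
    else
        printf 'FAIL %s=%s (want >= %s)\n' "$2" "$got" "$3"; return 1
    fi
}

# audit_auth SSHD_CONFIG PWQUALITY_CONF FAILLOCK_CONF -> one line per check;
# exit status is the number of failed checks (0 = compliant)
audit_auth() {
    fails=0
    check_eq  "$1" PermitRootLogin        no  sshd || fails=$((fails + 1))
    check_eq  "$1" PasswordAuthentication no  sshd || fails=$((fails + 1))
    check_eq  "$1" X11Forwarding          no  sshd || fails=$((fails + 1))
    check_min "$2" minlen                 14  kv   || fails=$((fails + 1))
    check_eq  "$2" enforce_for_root       yes kv   || fails=$((fails + 1))
    check_eq  "$3" deny                   5   kv   || fails=$((fails + 1))
    check_min "$3" unlock_time            900 kv   || fails=$((fails + 1))
    return "$fails"
}

# Stand-alone use on a live host (drop-ins under /etc/ssh/sshd_config.d are not merged):
if [ "${1:-}" = "--live" ]; then
    audit_auth /etc/ssh/sshd_config /etc/security/pwquality.conf /etc/security/faillock.conf
fi
```

A module's "validate results" step can call `audit_auth` and feed the `OK`/`FAIL` lines into the log; a non-zero return makes the dispatcher stop before the firewall module locks the box down around a misconfigured sshd.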

Firewall and Network Hardening

UFW Configuration

Default deny policy:

ufw default deny incoming
ufw default allow outgoing

Allow required services only. On a remote host, add the SSH rule before `ufw enable`, exactly in this order, or enabling the firewall cuts off the session; `ufw limit 22/tcp` instead of `allow` adds a per-source rate limit:

ufw allow 22/tcp
ufw enable

Kernel Network Parameters

Example sysctl hardening, placed in a fragment such as `/etc/sysctl.d/99-hardening.conf`:

net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1

Apply every fragment, not only `/etc/sysctl.conf` (`sysctl -p` with no argument reads that single file, so settings under `/etc/sysctl.d/` would be skipped):

sysctl --system

Strict reverse-path filtering (`rp_filter=1`) drops legitimate traffic on hosts with asymmetric routing or several uplinks; use `2` (loose mode) there.

Security concept: *Network-level attack mitigation*

Kernel and Memory Hardening

Address Space Layout Randomization

Verify ASLR:

cat /proc/sys/kernel/randomize_va_space

Expected value: `2`

Restrict Kernel Information

kernel.kptr_restrict=2
kernel.dmesg_restrict=1

Security concept: *Information leakage prevention*
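Kernel parameters drift: a package can ship its own `sysctl.d` fragment, or a kernel module can reset a value, so a hardening module should verify the live values rather than trust the file it wrote. The block below is an added example, not the wiki's code. It writes the parameters from the Kernel Network Parameters and Kernel and Memory Hardening sections into one fragment and compares them with the running kernel; the values are read from a `/proc/sys` tree passed as an argument so the check can also run against a constructed tree, and the file name `/etc/sysctl.d/99-hardening.conf` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's code): write this page's kernel parameters
# as a sysctl.d fragment and detect drift between the fragment and the
# running kernel. Fragment path and function names are assumptions.

HARDEN_SYSCTL='# managed by the hardening script
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1'

# write_sysctl_fragment PATH -> writes the hardened set (e.g. /etc/sysctl.d/99-hardening.conf)
write_sysctl_fragment() {
    printf '%s\n' "$HARDEN_SYSCTL" > "$1"
}

# live_value PROC_SYS KEY -> current value ("net.ipv4.x" maps to PROC_SYS/net/ipv4/x),
# "<missing>" when the kernel does not expose the key
live_value() {
    node="$1/$(printf '%s' "$2" | tr '.' '/')"
    if [ -r "$node" ]; then cat "$node"; else printf '<missing>\n'; fi
}

# sysctl_drift PROC_SYS FILE -> "key expected actual" per mismatch;
# exit status is the number of mismatches (0 = kernel matches the file)
sysctl_drift() {
    mismatches=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*|\;*) continue ;; esac    # blank lines and comments
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
        want=$(printf '%s' "$line" | cut -d= -f2- | tr -d '[:space:]')
        have=$(live_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$key" "$want" "$have"
            mismatches=$((mismatches + 1))
        fi
    done < "$2"
    return "$mismatches"
}

# Stand-alone use: sh sysctl-check.sh --check [/etc/sysctl.d/99-hardening.conf]
if [ "${1:-}" = "--check" ]; then
    sysctl_drift /proc/sys "${2:-/etc/sysctl.d/99-hardening.conf}"
fi
```

On a live host the sequence is `write_sysctl_fragment`, `sysctl --system`, then `sysctl_drift /proc/sys /etc/sysctl.d/99-hardening.conf`; a non-zero result after applying means a later fragment or a module overrides the value, and `sysctl --system` prints the files in the order it applied them.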

Filesystem and Mount Options

Secure Mount Flags

Example `/etc/fstab` entry for `/tmp` with the three hardening flags (`noexec`: nothing executes from it, `nodev`: device nodes are not honoured, `nosuid`: setuid bits are ignored):

tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0

Apply the same flags to `/dev/shm`, `/var/tmp` and removable media where possible. `noexec` on `/tmp` breaks some package maintainer scripts that unpack and run helpers there; if `apt` fails after this change, remount `/tmp` with `exec` for the duration of the run or point `TMPDIR` elsewhere.

File Permission Auditing

List setuid and setgid binaries, the usual starting point for local privilege escalation:

find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls

`-xdev` keeps find on the root filesystem, so repeat the command for every other mounted filesystem (or drop `-xdev` and prune `/proc`). Compare the output with the set shipped by the base install, remove or `chmod u-s` anything not needed, and record the approved list so later runs only report additions.

Security concept: *Privilege escalation prevention*
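The baseline comparison described above, as an added example that is not the wiki's code: the first run records the approved setuid/setgid files, later runs report only files that gained a bit since then, which is how a dropped `setuid` shell or a permission change by a careless package shows up. The baseline path `/var/lib/hardening/setid.baseline` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's code): compare the set of setuid/setgid
# files against an approved baseline and report unexpected ones. The
# baseline path and the function names are assumptions.

# list_setid ROOT -> sorted absolute paths of setuid or setgid regular files
# under ROOT; -xdev stays on one filesystem, so call it once per mount point
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# setid_baseline ROOT BASELINE -> record the current set as the approved baseline
setid_baseline() {
    list_setid "$1" > "$2"
}

# setid_unexpected ROOT BASELINE -> prints files carrying a setuid/setgid bit
# that are not listed in BASELINE; exit status 1 if any were found
setid_unexpected() {
    now=$(mktemp); base=$(mktemp)
    list_setid "$1" > "$now"
    sort "$2" > "$base"
    comm -23 "$now" "$base"                       # present now, absent from baseline
    count=$(comm -23 "$now" "$base" | wc -l | tr -d ' ')
    rm -f "$now" "$base"
    [ "$count" -eq 0 ]
}

# Stand-alone use:
#   sh setid-check.sh --baseline [/ [/var/lib/hardening/setid.baseline]]
#   sh setid-check.sh --scan     [/ [/var/lib/hardening/setid.baseline]]
case "${1:-}" in
--baseline) setid_baseline   "${2:-/}" "${3:-/var/lib/hardening/setid.baseline}" ;;
--scan)     setid_unexpected "${2:-/}" "${3:-/var/lib/hardening/setid.baseline}" ;;
esac
```

Take the baseline only after the unwanted bits have been removed, store it outside the scanned tree (or on the remote log host), and treat any output from `--scan` as a finding to explain, not something to silently re-baseline.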

Auditing and Logging

Auditd Configuration

Install and enable:

apt install -y auditd audispd-plugins
systemctl enable --now auditd

Example rule, placed in `/etc/audit/rules.d/identity.rules` (files under `rules.d` are merged into `/etc/audit/audit.rules` by `augenrules --load`; rules written straight into `audit.rules` are overwritten at the next merge):

-w /etc/passwd -p wa -k identity

Watch `/etc/shadow`, `/etc/group` and `/etc/gshadow` the same way and confirm the loaded set with `auditctl -l`.

Log Retention and Protection

chmod 600 /var/log/auth.log

Ubuntu creates `auth.log` as `syslog:adm` mode 0640 and logrotate recreates it with the mode in `/etc/logrotate.d/rsyslog` (`create 0640 syslog adm`), so this one-off `chmod` is undone at the next rotation and meanwhile removes read access for the `adm` group; change the `create` line there if a tighter mode is wanted. For tamper resistance, ship `auth.log` and the audit log to a remote collector: logs that exist only on a compromised host can be edited by the attacker.

Security concept: *Forensic readiness*
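Forensic readiness means the rule above has to be turned into a question the audit log can answer: who changed an account database, with which binary. The block below is an added example, not the wiki's code. It writes the identity watch rules for all four account files and extracts the matching events from raw `audit.log` records by joining each `SYSCALL` record tagged `key="identity"` with the `PATH` record of the same serial number (the `msg=audit(<time>:<serial>)` field); `auid` is the login uid, which survives `sudo` and `su`, so it names the human actor. The rule file path is an assumption, and the records in the test are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the wiki's code): write the identity watch rules and
# pull the resulting events out of a raw audit log. The rule file path is
# an assumption; audit records used for testing are constructed.

# write_identity_rules PATH -> watch rules for the account databases; load with augenrules --load
write_identity_rules() {
    cat > "$1" <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
EOF
}

# identity_events LOGFILE -> "serial auid exe path" for every SYSCALL record
# tagged key="identity", joined with the PATH record naming the file touched
identity_events() {
    awk '
    # field(k): value of k=... in the current record, surrounding quotes removed
    function field(k,   i, kv) {
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) { split($i, kv, "="); gsub(/"/, "", kv[2]); return kv[2] }
        return ""
    }
    # every record carries msg=audit(<time>:<serial>): and records of one event share the serial
    { match($0, /:[0-9]+\)/); serial = substr($0, RSTART + 1, RLENGTH - 2) }
    $1 == "type=SYSCALL" && field("key") == "identity" {
        auid[serial] = field("auid"); exe[serial] = field("exe")
    }
    $1 == "type=PATH" && field("name") ~ /^\/etc\/(passwd|shadow|group|gshadow)$/ {
        path[serial] = field("name")
    }
    END { for (s in auid) if (s in path) print s, auid[s], exe[s], path[s] }
    ' "$1" | sort -n
}

# Stand-alone use:
#   sh audit-identity.sh --rules  [/etc/audit/rules.d/identity.rules]
#   sh audit-identity.sh --events [/var/log/audit/audit.log]
case "${1:-}" in
--rules)  write_identity_rules "${2:-/etc/audit/rules.d/identity.rules}" ;;
--events) identity_events "${2:-/var/log/audit/audit.log}" ;;
esac
```

On a live host `ausearch -k identity` gives the same records with names resolved; the point of parsing the raw file is that it works on a copy pulled from a host you no longer trust, where `ausearch` and `auditd` are not.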

Mandatory Access Control (AppArmor)

Enforcing Mode

Check which profiles are loaded and whether any are still in complain mode:

aa-status

Enable profiles (requires `apparmor-utils`; the glob also matches `abstractions/`, `tunables/` and `local/`, which `aa-enforce` reports as errors and skips):

aa-enforce /etc/apparmor.d/*

Move a profile from complain to enforce only after its application has been exercised and `aa-logprof` shows no outstanding denials, otherwise the application fails on first use.

Security concept: *Application-level isolation*

Service Hardening and Cleanup

Disable Unused Services

Stop and disable a service together with its socket and path activation units; disabling the `.service` alone leaves socket activation to start the daemon again at the next connection:

systemctl disable --now avahi-daemon.service avahi-daemon.socket
systemctl disable --now cups.service cups.socket cups.path

List listening services:

ss -tulpen

Security concept: *Service exposure reduction*
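`ss -tulpen` lists every listening socket, but the exposure question is narrower: which sockets are bound to a non-loopback address on a port the firewall or the build standard does not expect? The block below is an added example, not the wiki's code; it reduces saved `ss -tulpen` output (or stdin) to exactly those sockets, so the cleanup module can report leftovers and a later run can serve as a regression check. The sample `ss` output in the test is constructed to resemble a default Ubuntu desktop; the function name and the `--live` default allow list are assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's code): reduce `ss -tulpen` output to the
# sockets that are actually exposed, i.e. bound to a non-loopback address
# on a port that is not on the allow list. Function name is an assumption.

# exposed_sockets FILE ALLOWED_PORTS -> "proto port process" per exposed socket
# FILE is saved `ss -tulpen` output ("-" for stdin); ALLOWED_PORTS is space-separated
exposed_sockets() {
    awk -v allow=" $2 " '
    NR == 1 { next }                                   # column header
    {
        n = split($5, part, ":"); port = part[n]        # $5 is Local Address:Port
        addr = substr($5, 1, length($5) - length(port) - 1)
        sub(/%.*/, "", addr)                           # drop scope id, e.g. 127.0.0.53%lo
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
        if (index(allow, " " port " ") > 0) next       # explicitly allowed
        proc = "-"                                     # no -p data (not root) shows as "-"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, port, proc
    }' "$1" | sort -u
}

# Stand-alone use: sh exposed.sh --live ["22 443"]   (run as root so ss shows process names)
if [ "${1:-}" = "--live" ]; then
    ss -tulpen | exposed_sockets - "${2:-22}"
fi
```

A wildcard bind (`0.0.0.0`, `[::]` or `*`) is reported as exposed even when ufw blocks the port, which is intended: the firewall is one layer, and a service that does not need to listen on the network should not be relying on it.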

Example Execution Output

[OK] Firewall enabled
[OK] SSH hardened
[WARN] AppArmor profile missing for custom app
[OK] Audit rules loaded

Troubleshooting

SSH Lockout

  • Symptom: Cannot connect via SSH
  • Resolution:
      • Use console access (local, IPMI/BMC, or the cloud provider's serial console)
      • Check `journalctl -u ssh` for the rejection reason (key not in `authorized_keys`, `MaxAuthTries` exceeded, connection blocked by ufw)
      • Re-enable password authentication temporarily:
PasswordAuthentication yes

Firewall Blocking Services

  • Symptom: Service unreachable
  • Resolution:
ufw status verbose
ufw allow <port>/<protocol>

System Boot Issues After Sysctl Changes

  • Symptom: Boot hangs or networking fails
  • Resolution:
      • Boot into recovery mode
      • Comment out the problematic entries in `/etc/sysctl.conf` or `/etc/sysctl.d/*.conf`

Auditd Performance Impact

  • Symptom: High I/O usage
  • Resolution:
      • Reduce audit rule verbosity
      • Exclude high-frequency paths