UBUNTU - Hardening
Scope and Threat Model
This hardening post-install script is designed to reduce the attack surface of a freshly installed Ubuntu system (server or workstation) by enforcing secure defaults, disabling unnecessary components, and applying defense-in-depth controls.
The threat model assumes:
- Remote network-based attacks
- Local privilege escalation attempts
- Misconfiguration exploitation
- Persistence via services, cron jobs, or kernel parameters
- Credential brute-force and reuse attacks
Security Principles Applied
Least Privilege
Users, services, and applications are granted only the minimal permissions required.
Defense in Depth
Multiple layers of security controls are applied (firewall, kernel hardening, MAC, auditing).
Secure by Default
Insecure defaults are replaced with hardened configurations immediately after installation.
Auditable and Reversible
All changes are logged and configuration backups are created before modification.
Script Architecture
The hardening script is modular and idempotent.
Recommended structure:
- 00-preflight.sh
- 10-system-updates.sh
- 20-user-and-auth.sh
- 30-ssh-hardening.sh
- 40-firewall.sh
- 50-kernel-hardening.sh
- 60-filesystem.sh
- 70-auditing.sh
- 80-mandatory-access-control.sh
- 90-services-cleanup.sh
Each module:
- Verifies prerequisites
- Applies configuration
- Validates results
- Logs changes
Example dispatcher:
```bash
for module in modules/*.sh; do
    bash "$module"
done
```
System Update and Package Hardening
Automatic Security Updates
Enable unattended upgrades for security patches:
```bash
apt install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
```
Security concept: *Vulnerability window reduction*
Package Minimization
Remove unnecessary packages:
```bash
apt purge -y telnet ftp rsh-server xinetd
```
Disable unused package managers:
```bash
chmod -x /usr/bin/snap
```
User Accounts and Authentication
Password Policy
Configure PAM password quality:
```bash
apt install -y libpam-pwquality
```
Example `/etc/security/pwquality.conf` settings:
- minlen = 14
- retry = 3
- enforce_for_root
Account Lockout
Mitigate brute-force attacks by locking accounts after repeated failed logins. Check a user's failed-login counter with pam_tally2:
```bash
pam_tally2 --user testuser
```
Note: pam_tally2 was removed in Linux-PAM 1.5.0 and is absent from recent Ubuntu releases; there the equivalent lockout module is pam_faillock, queried with `faillock --user testuser`.
Security concept: *Credential attack mitigation*
Disable Root Login
```bash
passwd -l root
```
SSH Hardening
Secure SSH Configuration
Example hardened settings in `/etc/ssh/sshd_config`:
```
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 0
```
Restart service:
```bash
systemctl restart ssh
```
Security concepts:
- Attack surface reduction
- Strong authentication enforcement
Firewall and Network Hardening
UFW Configuration
Default deny policy:
```bash
ufw default deny incoming
ufw default allow outgoing
```
Allow required services only:
```bash
ufw allow 22/tcp
ufw enable
```
Kernel Network Parameters
Example sysctl hardening:
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
```
Apply:
```bash
sysctl -p
```
Security concept: *Network-level attack mitigation*
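The module contract from Script Architecture (back up, apply idempotently, validate, log) applied to the sysctl step above, as an added example that is not the page's own script. File paths, the `LOG_FILE` location and the function names are assumptions; the settings file is a parameter so the module can be exercised outside `/etc`.

```bash
#!/usr/bin/env bash
# Hardening-module skeleton (added example): backup once, apply key=value
# settings so a re-run changes nothing, validate, and log every change.
set -euo pipefail

LOG_FILE="${LOG_FILE:-/tmp/hardening.log}"   # assumed location, overridable

log_change() {                                 # timestamped audit trail
    printf '%s %s\n' "$(date -u +%FT%TZ)" "$*" >> "$LOG_FILE"
}

backup_once() {                                # keep only the pristine copy
    local f=$1
    [ -e "$f" ] || return 0
    [ -e "$f.orig" ] || { cp -p "$f" "$f.orig"; log_change "backup $f -> $f.orig"; }
}

# set_kv FILE KEY VALUE: rewrite an existing "KEY = ..." line or append one,
# so running the module twice leaves exactly one line per key (idempotent).
set_kv() {
    local f=$1 key=$2 val=$3 re=${2//./\\.}   # escape dots for the regex
    backup_once "$f"
    touch "$f"
    if grep -Eq "^[[:space:]]*${re}[[:space:]]*=" "$f"; then
        sed -i -E "s|^[[:space:]]*${re}[[:space:]]*=.*|${key}=${val}|" "$f"
    else
        printf '%s=%s\n' "$key" "$val" >> "$f"
    fi
    log_change "set $key=$val in $f"
}

# get_kv FILE KEY: print the effective value (last match wins, as sysctl does)
get_kv() {
    local re=${2//./\\.}
    grep -E "^[[:space:]]*${re}[[:space:]]*=" "$1" | tail -n1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# validate_kv FILE KEY VALUE: succeed only if exactly one line sets KEY to VALUE
validate_kv() {
    local re=${2//./\\.} n
    n=$(grep -Ec "^[[:space:]]*${re}[[:space:]]*=" "$1" || true)
    [ "$n" -eq 1 ] && [ "$(get_kv "$1" "$2")" = "$3" ]
}

apply_sysctl_module() {                        # the 50-kernel-hardening step
    local f=$1
    set_kv "$f" net.ipv4.tcp_syncookies 1
    set_kv "$f" kernel.kptr_restrict 2
    set_kv "$f" kernel.dmesg_restrict 1
    validate_kv "$f" kernel.kptr_restrict 2    # abort the run on drift
}
```

On a real host the module would be called with a sysctl drop-in such as `/etc/sysctl.d/99-hardening.conf` and followed by `sysctl --system`.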
Kernel and Memory Hardening
Address Space Layout Randomization
Verify ASLR:
```bash
cat /proc/sys/kernel/randomize_va_space
```
Expected value: `2`
Restrict Kernel Information
```
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
```
Security concept: *Information leakage prevention*
Filesystem and Mount Options
Secure Mount Flags
Example `/etc/fstab` entries:
- noexec
- nodev
- nosuid
```
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0
```
File Permission Auditing
```bash
find / -xdev -type f -perm -4000
```
Security concept: *Privilege escalation prevention*
Auditing and Logging
Auditd Configuration
Install and enable:
```bash
apt install -y auditd audispd-plugins
systemctl enable auditd
```
Example rule:
```
-w /etc/passwd -p wa -k identity
```
Log Retention and Protection
```bash
chmod 600 /var/log/auth.log
```
Security concept: *Forensic readiness*
Mandatory Access Control (AppArmor)
Enforcing Mode
```bash
aa-status
```
Enable profiles:
```bash
aa-enforce /etc/apparmor.d/*
```
Security concept: *Application-level isolation*
Service Hardening and Cleanup
Disable Unused Services
```bash
systemctl disable avahi-daemon
systemctl disable cups
```
List listening services:
```bash
ss -tulpen
```
Security concept: *Service exposure reduction*
Example Execution Output
```
[OK] Firewall enabled
[OK] SSH hardened
[WARN] AppArmor profile missing for custom app
[OK] Audit rules loaded
```
Troubleshooting
SSH Lockout
- **Symptom:** Cannot connect via SSH
- **Resolution:**
  - Use console access
  - Re-enable password authentication temporarily in `/etc/ssh/sshd_config`:
```
PasswordAuthentication yes
```
Firewall Blocking Services
- **Symptom:** Service unreachable
- **Resolution:**
```bash
ufw status verbose
ufw allow <port>/<protocol>
```
System Boot Issues After Sysctl Changes
- **Symptom:** Boot hangs or networking fails
- **Resolution:**
  - Boot into recovery mode
  - Comment out problematic entries in `/etc/sysctl.conf`
Auditd Performance Impact
- **Symptom:** High I/O usage
- **Resolution:**
  - Reduce audit rule verbosity
  - Exclude high-frequency paths
