We are now going to learn ways of hardening Ubuntu 16.04 security in this guide.
1. Securing the shared memory.
- The first step is to secure shared memory. It is a necessary measure because the running service can be attacked through the shared memory.
- To do this you will have to modify the /etc/fstab file.
- Open it in the editor with the following command.
sudo vim /etc/fstab
- Next, add the below line at the end of your file.
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
- Save it and then close the file. If you want to see the changes in effect, you will have to reboot your server.
2. Handling the SSH settings.
SSH, short for Secure Shell, is also known as Secure Socket Shell.
It is a network protocol with which a user, typically an administrator, can access a remote computer in a secure way. You can make your network more secure by handling the SSH settings. You can change and set them as per your requirements.
a. Add a warning banner.
i) The first step here is to open the terminal.
ii) Then enter the command shown below.
sudo vim /etc/issue.net
This will open the issue.net file.
iii) Edit the file and add a warning. It could be just a single line, or an elaborate warning as to what could happen to trespassers. After that, save the file and close it. Although you cannot call it an outright security measure, it still matters. It acts like the ‘Trespassers will be prosecuted’ sign that is put on some properties. It tends to scare off most people, and that ‘most’ is what you are aiming at here.
But hold on a second before you think that you are done. To avoid a clash with the motd, you have to disable the banner in it. To do that, follow the steps below.
Open the sshd file as shown in the following command line.
sudo vim /etc/pam.d/sshd
Then you need to comment out the following lines in the file.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
Open the /etc/ssh/sshd_config file using the following command.
sudo vim /etc/ssh/sshd_config
When the file opens you will have to comment out the following line.
Save the file and then close it.
Don’t worry, you are almost done.
Use the following command to restart the ssh server.
sudo service ssh restart
Now, when anyone uses secure shell to log in to your server, they will come across the warning banner. As mentioned above, it will scare away attackers if they know that you are aware of their snooping.
b. Enabling SSH settings.
First, open the terminal.
Next, you have to edit the ssh configuration file:
sudo vim /etc/ssh/sshd_config
In the next step you will have to add the ‘AllowUsers’ directive, depending upon a few conditions.
i) To allow secure shell entry to a particular user. We will assume the username shane for this security step. We are giving access to the user shane; anyone other than him cannot access the server.
Add this at the end of the ssh configuration file.
ii) To allow secure shell entry to users from a particular IP address. This one will give access to all the users from the IP address 192.168.2.213.
iii) To allow secure shell entry to a particular user from a particular IP address. There can be many users at the IP address 192.168.2.213, but you are only giving access to shane at that IP address.
iv) To allow secure shell entry to multiple users. There may be times when you want to give access to multiple users. At those times, you can add a new group, as follows:
sudo addgroup groupname
Then you can allow access to that group.
If users who do not belong to this group try to log in, they are still prompted for a password as if they could get in, but they are not given access even if they enter the right password. After you have allowed access according to your condition, you can restart sshd using the following command.
sudo service ssh restart
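A lock-out check to run before the restart, as an added example that is not part of the original guide: it lists the active AllowUsers/AllowGroups lines and tests whether a user name would still match. The sample config, its directive lines (written in standard sshd_config pattern syntax for cases i) to iv)) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: check an sshd_config-style
# file for lock-out before restarting sshd.

# Constructed sample. The commented lines show the other forms for cases
# i), ii) and iv); case iii) is the active one.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#AllowUsers shane
#AllowUsers *@192.168.2.213
AllowUsers shane@192.168.2.213
#AllowGroups groupname
EOF
}

# Print the active (uncommented) AllowUsers/AllowGroups lines of file $1.
active_access_rules() {
    awk 'tolower($1) == "allowusers" || tolower($1) == "allowgroups"' "$1"
}

# Return 0 if user $2 matches the user part of an active AllowUsers pattern
# in file $1, or if the file has no AllowUsers line (no user restriction).
# Simplification: only exact names and a bare "*" are understood, and the
# host part after "@" is not evaluated.
user_may_login() {
    awk -v user="$2" '
        tolower($1) == "allowusers" {
            seen = 1
            for (i = 2; i <= NF; i++) {
                split($i, part, "@")
                if (part[1] == user || part[1] == "*") ok = 1
            }
        }
        END { if (seen && !ok) exit 1 }
    ' "$1"
}

# Demo on the constructed sample.
cfg=$(mktemp)
write_sample_config "$cfg"
active_access_rules "$cfg"
for u in shane root; do
    if user_may_login "$cfg" "$u"; then echo "$u: may log in"
    else echo "$u: would be locked out"; fi
done
rm -f "$cfg"
```

Running `sudo sshd -t` before the restart additionally catches syntax errors in the real file.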
Have you not had enough and still want to know how to secure Ubuntu desktop?
Then stick around, you will discover more ways in which you can secure your server.
3. Network Layer security.
To prevent a source routing attack on your Ubuntu server you have to open the terminal. Next, open the configuration file using the command shown below:
sudo vim /etc/sysctl.conf
You either have the below lines in the file or you don’t.
If you do then make sure that they are not commented out. If you don’t then add the below lines to that file.
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
The next step is like any other: save the config file and close it.
You can then load the new settings using the following command.
sudo sysctl -p
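The "present and not commented out" check described above can be scripted. The following is an added example, not part of the original guide: it audits a sysctl.conf-style file against a subset of the list (the rp_filter and source-routing keys) and reports each key as OK, MISMATCH, COMMENTED or MISSING. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a sysctl.conf-style file
# against part of the baseline above (rp_filter and source-routing keys).
BASELINE='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0'

# Constructed sample file with one commented, one wrong and one missing key.
write_sample_sysctl() {
    cat > "$1" <<'EOF'
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
#net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
EOF
}

# audit_sysctl_conf FILE: print "STATUS key" for every baseline key, where
# STATUS is OK, MISMATCH (active, other value), COMMENTED or MISSING.
audit_sysctl_conf() {
    printf '%s\n' "$BASELINE" | awk -F= -v conf="$1" '
        BEGIN {
            while ((getline line < conf) > 0) {
                commented = (line ~ /^[ \t]*[#;]/)
                gsub(/^[ \t#;]+|[ \t]+$/, "", line)
                n = index(line, "=")
                if (n == 0) continue
                key = substr(line, 1, n - 1); gsub(/[ \t]/, "", key)
                val = substr(line, n + 1);    sub(/^[ \t]+/, "", val)
                if (commented) { hidden[key] = 1 } else { active[key] = val }
            }
        }
        {
            if ($1 in active) status = (active[$1] == $2) ? "OK" : "MISMATCH"
            else if ($1 in hidden) status = "COMMENTED"
            else status = "MISSING"
            print status, $1
        }'
}

conf=$(mktemp)
write_sample_sysctl "$conf"
audit_sysctl_conf "$conf"
rm -f "$conf"
```

On a live host, `sysctl -n <key>` shows the value the kernel is actually using, which can differ from the file until `sysctl -p` is run.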
4. The end of IP address forgery.
You can prevent IP address forgery from happening. Here’s what you have to do.
sudo vim /etc/host.conf
You just have to replace a line in this file with another one.
Here’s what you will find when you open the file.
# The "order" line is only used by old versions of the C library.
order hosts,bind
multi on
You will have to replace this with the following line.
# The "order" line is only used by old versions of the C library.
order bind,hosts
nospoof on
Save it and close it.
That will tide you over for a long time. These additional security measures should help you prevent any kind of attacks on your Ubuntu 16.04 server.
1. The Ubuntu security commands work great when you know what you are doing.
2. These are all the Ubuntu security tools that you have at your disposal.
3. They will help you maintain Ubuntu server security and get your Ubuntu server as secure as possible.