ashley blackmore : "Basic Hardening of a Fresh Ubuntu Installation"

Whether you're on a computer at home or at work, there are a number of basic security settings that you can enable to significantly harden a new Ubuntu installation.

Throughout this piece, I will be mentioning committing passphrases/passwords to memory, or storing them somewhere. If you have a fabulous memory, and can store a random alphanumeric string around thirty characters in your head, then that's great. For everyone else, there's nothing wrong with writing down/printing certain credentials, such as your drive encryption password, or your root password, as long as you store the credentials somewhere secure.

What I mean by secure is up to you (your threat model). If you are worried about the authorities decrypting your hard drive and gaining root access, then you should either opt for memorisation, or storage in a discreet geocache (or stop storing sensitive information on computers entirely).

You can skip any section of this guide; each section stands on its own.

Update Your Machine

The first thing you'll want to do upon installing is update your software sources, and upgrade the existing software. Here's the famous incantation:

sudo apt-get update
sudo apt-get upgrade

Whole-Drive Encryption

If you want to encrypt your drive or home directory, you are given the choice at install time. After installing and logging in for the first time, you're going to be asked to physically record (i.e., with pen and paper or a printout) your encryption passphrase. This passphrase is used for manual recovery of your drive's contents, and should either be committed to long-term memory, or stored physically somewhere. You can also do this later by running:

ecryptfs-unwrap-passphrase

Passwords

If you opted for a standard, guided install, you're going to be logging in as the user you created during that process. A good step at this point is to change the root user password to something long (more than 32 alphanumeric & special characters ought to give you some breathing space). As with your drive encryption passphrase, store it somewhere secure.

So switch to root and change the UNIX password:

sudo su
passwd

Install fail2ban

fail2ban is a rather nice piece of software that can block suspicious login attempts.

sudo apt-get install fail2ban

Modify sshd_config

The default sshd config is set up for ease of use, so it should be hardened somewhat.

sudo vim /etc/ssh/sshd_config

Set the following variables as shown:

PermitRootLogin no
PasswordAuthentication no
AllowUsers <space-delimited list of user@ip that should be able to connect>

Then restart sshd (on Ubuntu the service is named ssh).

sudo service ssh restart
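
One way to check the three settings above before restarting, as an added example that is not part of the original post. The function names, the sample file and its 192.0.2.x addresses are constructed for illustration, and the script does not follow Include directives.

```shell
# Added example, not from the original post. For single-valued keywords sshd
# keeps the FIRST value it reads and ignores keyword case, so grep can mislead.

# effective_value FILE KEYWORD: print the first global value (lines before any
# Match block), or nothing when the keyword is unset or commented out.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (!match(line, /[ \t=]+/)) next      # also handles Keyword=value
            k = tolower(substr(line, 1, RSTART - 1))
            if (k == "match") exit
            if (k == key) { print substr(line, RSTART + RLENGTH); exit }
        }' "$1"
}

# audit_sshd_config FILE: one PASS/FAIL line per check; returns 0 if all pass.
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(effective_value "$1" "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$got" = "$want" ]; then echo "PASS $key $got"
        else echo "FAIL $key is '${got:-unset}', want '$want'"; rc=1; fi
    done
    users=$(effective_value "$1" AllowUsers)
    if [ -n "$users" ]; then echo "PASS AllowUsers $users"
    else echo "FAIL AllowUsers is unset (no user allow-list)"; rc=1; fi
    return "$rc"
}

# Constructed sample; the second PermitRootLogin line is ignored by sshd.
sample_config() {
    cat <<'EOF'
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication=no
AllowUsers alice@192.0.2.10 bob@192.0.2.11
Match Address 192.0.2.0/24
    X11Forwarding no
EOF
}
# Audit the file named on the command line, or the constructed sample.
tmp=$(mktemp); sample_config > "$tmp"
audit_sshd_config "${1:-$tmp}" || echo "hardening incomplete"
rm -f "$tmp"
```

On a live host, sudo sshd -t checks the file for syntax errors before the restart, and sudo sshd -T prints the effective configuration, including files pulled in by Include. Because PasswordAuthentication no disables password logins, keep your current session open until a key-based login from a second terminal has succeeded.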

Uncomplicated Firewall (UFW)

iptables is a hassle to configure by hand; UFW is a very nice wrapper for it that comes standard on Ubuntu. Set up UFW to accept ssh connections, along with any other ports you require:

sudo ufw allow 22
sudo ufw enable

Allowing only UDP on port 51770 looks like this:

sudo ufw allow 51770/udp

Admire your handiwork:

sudo ufw status

Bear in mind that any hassles you have connecting to certain services in future may be caused by this. If that happens, find the port and allow it, as we did with port 22 above.

Unattended Upgrades

If you leave your desktop on and unattended for long periods of time, it is easy to set up Ubuntu to automatically install critical security patches, as follows:

sudo apt-get install unattended-upgrades
sudo vim /etc/apt/apt.conf.d/10periodic

Change the file to look like this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Now edit another file:

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

...to look like the following:

Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
//      "Ubuntu lucid-updates";
};

Getting Hardcore

These are very basic tips, and are the bare minimum. Further hardening can be done (for example, by compiling your own hardened kernel, such as SELinux or Bastille Linux). I may get around to posting a tutorial for this in the future.
