You are viewing a read-only archive of the Blogs.Harvard network.

Basic Ubuntu Server Hardening

This is a basic level of hardening for Ubuntu servers and should be considered a baseline. This tutorial covers two topics: SSH and the firewall. It was prepared using Ubuntu Server 8.04 beta.

SSH
Edit the SSH daemon configuration file to move the SSH port away from 22. Most worms and bots are programmed to probe port 22 and brute-force whatever answers there. Moving to a non-standard port is the easiest way to reduce the volume of log noise.


zeroday> sudo vi /etc/ssh/sshd_config

Look for “Port 22” and change it to a different value. Anything above 1024 is fine.

# What ports, IPs and protocols we listen for
Port 65522

Now restart sshd:

zeroday> sudo invoke-rc.d ssh restart

Firewall

Shorewall is an easy-to-configure front end for Netfilter and provides a basic perimeter for your server's Internet-facing interfaces.

zeroday> sudo apt-get install shorewall

Once the package is installed it will display an error message stating that it cannot start until it has been configured. This is a "dummy proof" feature so that new users do not deploy Shorewall without first making the necessary changes to the rules. Simply put, it will block all inbound connections if deployed as is. That is a secure default, but it would prevent even SSH from working.

The first step is to copy the example configuration files:

zeroday> sudo cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall

To allow the most basic services, we will add rules permitting inbound connections to the web server and the SSH server.


zeroday> sudo vi /etc/shorewall/rules

Look for "Permit all ICMP traffic FROM the firewall TO the net zone" and add the following lines after the ICMP rule (the SSH rule must use the same port you set in sshd_config):

  • ACCEPT net fw tcp 65522
  • ACCEPT net fw tcp 80

Your rules file should now look like this:

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT $FW net icmp
ACCEPT net fw tcp 65522
ACCEPT net fw tcp 80

The last two steps enable Shorewall to start at boot. The first setting is in the shorewall.conf file.


zeroday> sudo vi /etc/shorewall/shorewall.conf

Look for the STARTUP_ENABLED variable and change it from "No" to "Yes". This is not case sensitive.

The file should end up looking like this:

#######################################
# S T A R T U P E N A B L E D
#######################################

STARTUP_ENABLED=YES

Lastly, we need to edit the shorewall file in /etc/default.


zeroday> sudo vi /etc/default/shorewall

Look for the "startup" parameter and change it from 0 to 1.

It should look like this when you are done:

# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start

startup=1

Now you are ready to start your firewall. It is a good idea to double-check your work. I like to compare my edited configuration files to the originals using diff.


zeroday> for f in /etc/shorewall/*; do
diff "$f" "/usr/share/doc/shorewall-common/examples/one-interface/$(basename "$f")";
done

Once you have confirmed the changes, start up the firewall.


zeroday> sudo invoke-rc.d shorewall start
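As an added example (not from the original post or from the Shorewall project), here is a hypothetical check script that reads the four files this tutorial edits, rooted at a directory you pass in so it can be tried against a constructed tree before being pointed at a real server. It confirms that sshd no longer listens on 22, that the Shorewall rules file accepts that same port from net to fw (the lock-out case the tutorial warns about), and that both startup switches are set.

```shell
#!/bin/sh
# Hypothetical post-hardening check; file layout assumed as in the tutorial.

# First uncommented "Port" directive in sshd_config, defaulting to 22.
ssh_port() {
    p=$(awk 'tolower($1)=="port" {print $2; exit}' "$1/etc/ssh/sshd_config")
    echo "${p:-22}"
}

# Returns 0 when all four checks pass, 1 otherwise (one FAIL line per problem).
check_hardening() {
    root=$1; rc=0
    port=$(ssh_port "$root")
    if [ "$port" -eq 22 ]; then
        echo "FAIL: sshd still listens on port 22"; rc=1
    fi
    # Shorewall rules columns: ACTION SOURCE DEST PROTO DEST_PORT
    if ! awk -v p="$port" '$1=="ACCEPT" && $2=="net" && ($3=="fw" || $3=="$FW") \
            && $4=="tcp" && $5==p {found=1} END {exit !found}' \
            "$root/etc/shorewall/rules"; then
        echo "FAIL: no rule accepting tcp/$port from net to fw; starting Shorewall would lock you out"; rc=1
    fi
    if ! grep -qi '^STARTUP_ENABLED=yes' "$root/etc/shorewall/shorewall.conf"; then
        echo "FAIL: STARTUP_ENABLED is not Yes in shorewall.conf"; rc=1
    fi
    if ! grep -q '^startup=1' "$root/etc/default/shorewall"; then
        echo "FAIL: startup is not 1 in /etc/default/shorewall"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SSH on $port, matching firewall rule present, Shorewall enabled"
    return $rc
}

# Constructed sample tree mirroring the tutorial's finished configuration.
make_sample() {
    root=$1
    mkdir -p "$root/etc/ssh" "$root/etc/shorewall" "$root/etc/default"
    printf '# What ports, IPs and protocols we listen for\nPort 65522\n' > "$root/etc/ssh/sshd_config"
    printf 'ACCEPT $FW net icmp\nACCEPT net fw tcp 65522\nACCEPT net fw tcp 80\n' > "$root/etc/shorewall/rules"
    printf 'STARTUP_ENABLED=YES\n' > "$root/etc/shorewall/shorewall.conf"
    printf 'startup=1\n' > "$root/etc/default/shorewall"
}

# Usage on a real host: sh check.sh /   (run as root to read sshd_config)
if [ $# -gt 0 ]; then check_hardening "$1"; fi
```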
