Buziness Times

Internet Technology insights & special offers to help you do more with less

Home 2019-07-25

How To Do A Basic Hardening Ubuntu Server

In spite of the fact that Linux viewed as secure, it is advisable to follow some of the business best strategy to secure your server. For instance, you need to update the software applications regularly, use strong passwords and install a strong firewall to safeguard your system from hackers.

There are a few quick steps you can take to ensure your platform is more secure.

  • Secure Shared Memory

One of the main things you ought to do is secure the shared memory used on the system. In case you’re not aware a shared memory is utilized in an attack against a running service. Along these lines you will need to secure that portion of system memory. You can do this by modifying the /etc/fstab file.

First you must open the file for editing by issuing the command:

Sudo nano /etc/fstab

Next, add this line in the bottom of that file:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Save and close the file. In order for changes to take effect you must reboot the server.

  • Enable SSH Login for Specific Users

Secure Shell (SSH) is the tool you’ll use to log into your remote Linux servers. Despite the fact that SSH is genuinely secure, as a matter of course, you can make it considerably more along these lines, by enabling SSH login only for specific users. Suppose you need to just permit SSH entry for the user Neil, from IP address 192.168.1.162. Here’s how you would do this.

  1. Open a terminal window.
  2. Open the SSH config. file for editing with the command sudo nano/etc/ssh/sshd_config.
  3. At the bottom of the file, add the line AllowUsers [email protected].
  4. Save and close the file & Restart sshd with the command sudo service ssh restart.

Secure Shell will now only allow user Neil, from IP address 192.168.1.162. If another user attempts to SSH into the server, it will prompt for a password, but the password won’t get accepted.

You can have wild cards, where in the users from a particular IP address gets access. To allow all users on your local network you will have to add the following line:

AllowUsers *@192.168.1.*

Then restart the ssh server, and you’re good to go.

 

  • Add a Security Login Banner

Adding a security login banner may appear as though it would have zero impact on your serve, but if an unwanted user gains access to your server, and in the event, they see you’ve set up a login banner warning them of consequences. This is an easy step and shouldn’t be over looked. Here’s how you can manage this.

Create your new banner by following these steps.

  1. Open a terminal window.
  2. Issue the command sudo nano/etc/issue.net.
  3. Edit the file to add a suitable warning.
  4. Save and close the file.

Next, disable the banner message from Message of The Day (motd). Open a terminal and issue this command:

Sudo nano/etc/pam.d/sshd

With this file open for editing, comment on the following two lines by adding a # to the beginning of each line:

session optional pam_motd.so motd=/run/motd.dynamic

session optional pam_motd.so noupdate

Now open /etc/ssh/sshd_config in your text editor and comment:

Banner /etc/issue.net

Save and close that file. Restart the ssh server with the command:

sudo service ssh restart

Anytime someone logs into your server they will see your added banner to warn them you’re watching.

 

  • Restrict SU Access

Linux users get to use the su command to change different user. When done, they gain privileges granted to other users. To avoid this, you’ll want to disable access to the su command.

First thing to do is to create a new admin group on the server with the command:

sudo groupadd admin

Next, add users to this group. Say you want to add Neil to the group. The command is:

sudo usermod -a -G admin Neil

Next, we grant access to su command to the admin group with command:

sudo dpkg-statoverride –update –add root admin 4750 /bin/su

 

  • Install fail2ban

It is an intrusion prevention system that monitors log files and searches for patterns that relates to failed login attempt. If too many incorrect logins are detected it will block access from that IP address.

To Conclude:

The above-mentioned tips are best practices for hardening your Ubuntu and provide an upgrade to your server’s security.


 

🔝