Harden Ubuntu Server 12.04 LTS


It's not enough to harden just Ubuntu; the rest of the LAMP stack needs hardening as well. So here is how I do it.

Harden MYSQL
sudo mysql_secure_installation

answer Yes to all questions (no need to change the password)

Harden PHP – and tune performance
sudo apt-get install php5-suhosin
sudo vi /etc/php5/apache2/php.ini

uncomment these lines or update the settings (error_reporting is the one I had to change)

 max_execution_time = 30
 memory_limit = 64M
 error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
 display_errors = Off
 log_errors = On
 error_log = /var/log/php-error.log
 register_globals = Off
sudo /etc/init.d/apache2 restart

https://help.ubuntu.com/community/StricterDefaults

In Ubuntu the administrative ROOT account is disabled by default.

Reconfiguring shared memory to read-only
sudo vi /etc/fstab

add line

tmpfs /dev/shm tmpfs defaults,ro 0 0

(A read-only /dev/shm breaks software that creates POSIX shared-memory segments there, so test your applications after remounting it.)

Disabling SSH root login and tightening other settings
sudo vi /etc/ssh/sshd_config

change

PermitRootLogin yes
to
PermitRootLogin no

LoginGraceTime 120
to
LoginGraceTime 30

add line (make sure your own username is in the list before restarting, or you will lock yourself out)

AllowUsers username username username

Restart SSH (either of these)

sudo service ssh restart
sudo /etc/init.d/ssh restart

(sudo apachectl restart restarts Apache only; it does not reload sshd.)
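The php.ini and sshd_config edits above are done by hand in vi. Here, as an added example that is not part of the original post, is a small POSIX shell script that makes the same changes idempotently: it rewrites an active setting, uncomments a commented-out one, or appends the line, and it can be re-run after a package upgrade overwrites the file. The function names (set_opt, get_opt, harden_php_ini, harden_sshd_config) and the sample files in the demo are my own; the values are the ones listed on this page.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent editing of the php.ini
# ("key = value") and sshd_config ("Key value") settings described above.
# Assumes POSIX sh and awk; the caller supplies the file paths.

# set_opt FILE KEY VALUE SEP
# Rewrites the first active line defining KEY; failing that, uncomments and
# rewrites the first commented-out definition; failing that, appends the line
# (before the first "Match" block in sshd_config, so the setting stays global).
set_opt() {
    file=$1; key=$2; value=$3; sep=$4
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" -v sep="$sep" '
    {
        lines[NR] = $0
        l = $0
        commented = (l ~ /^[ \t]*[;#]/)
        sub(/^[ \t]*[;#]?[ \t]*/, "", l)      # drop comment marker and indent
        split(l, f, /[ \t=]+/)                # f[1] is the option name
        if (f[1] == key) {
            if (!commented && !active)   active = NR
            if ( commented && !inactive) inactive = NR
        }
        if (!commented && !firstmatch && tolower(f[1]) == "match") firstmatch = NR
    }
    END {
        target = active ? active : inactive
        newline = key sep value
        for (i = 1; i <= NR; i++) {
            if (i == target) { print newline; continue }
            if (!target && i == firstmatch) print newline
            print lines[i]
        }
        if (!target && !firstmatch) print newline
    }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
    rm -f "$tmp"
}

# get_opt FILE KEY: prints the active (uncommented) value of KEY, if any.
get_opt() {
    awk -v key="$2" '
    /^[ \t]*[;#]/ { next }
    {
        l = $0
        sub(/^[ \t]+/, "", l)
        split(l, f, /[ \t=]+/)
        if (f[1] == key) {
            sub(/^[^ \t=]+[ \t=]+/, "", l)    # strip "KEY = " or "KEY "
            sub(/[ \t]+$/, "", l)
            print l
            exit
        }
    }' "$1"
}

# harden_php_ini FILE: the php.ini values from the post (error_reporting as given there).
harden_php_ini() {
    set_opt "$1" max_execution_time 30 " = "
    set_opt "$1" memory_limit 64M " = "
    set_opt "$1" error_reporting 'E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR' " = "
    set_opt "$1" display_errors Off " = "
    set_opt "$1" log_errors On " = "
    set_opt "$1" error_log /var/log/php-error.log " = "
    set_opt "$1" register_globals Off " = "
}

# harden_sshd_config FILE USER...: PermitRootLogin, LoginGraceTime and AllowUsers as above.
harden_sshd_config() {
    f=$1; shift
    set_opt "$f" PermitRootLogin no " "
    set_opt "$f" LoginGraceTime 30 " "
    set_opt "$f" AllowUsers "$*" " "
}

# Demo on constructed sample files ("sh harden.sh demo"). On a real server point
# the wrappers at /etc/php5/apache2/php.ini and /etc/ssh/sshd_config instead.
demo() {
    d=$(mktemp -d)
    printf '; display_errors\n;   Default Value: On\ndisplay_errors = On\n;register_globals = Off\n' > "$d/php.ini"
    printf 'PermitRootLogin yes\nLoginGraceTime 120\nMatch User backup\n    ForceCommand rsync\n' > "$d/sshd_config"
    harden_php_ini "$d/php.ini"
    harden_sshd_config "$d/sshd_config" alice bob
    cat "$d/php.ini" "$d/sshd_config"
    rm -r "$d"
}
if [ "${1-}" = demo ]; then demo; fi
```

Run `sshd -t` after editing sshd_config and before restarting ssh: it validates the file and catches a typo that would otherwise leave you with no way back in.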
Limiting access to su
sudo chown root:admin /bin/su
sudo chmod 04750 /bin/su
Limiting access to apt-get and aptitude

sudo chmod 000 /usr/bin/apt-get
sudo chmod 000 /usr/bin/aptitude

Remember you'll have to change this back to 700 every time you update the system
Install Fail2ban

Links: Install Fail2ban, Fail2ban Wiki

Add rules to iptables

Handy iptables rule for w00tw00t scans, which Fail2ban is not well suited to handle

iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

http://pierre.linux.edu/2010/06/using-iptables-to-reject-w00tw00t-at-isc-sans-dfind-scanners/

iptables How To & Tips & Tricks
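The iptables rule above drops the w00tw00t probe before Apache sees it, but it only inspects plain HTTP on port 80. The following script, an added example that is not part of the original post, looks for the same probe in an Apache combined-format access log so you can confirm the rule is working and see which sources still reach the server. The function names and the sample log (documentation-range addresses, constructed for the demo) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: spot w00tw00t (DFind) scanner
# traffic in an Apache access log, to see what the iptables rule above is
# catching and what still gets through (the rule only inspects plain HTTP on
# port 80, so requests over HTTPS would still appear here). Assumes POSIX sh
# and awk and the Apache "combined" log format; the sample log is constructed.

# write_sample_log FILE: constructed access-log lines with documentation-range IPs.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Mar/2013:03:12:01 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
203.0.113.7 - - [10/Mar/2013:03:12:02 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "-"
198.51.100.22 - - [10/Mar/2013:03:15:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:04:01:09 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
192.0.2.99 - - [10/Mar/2013:05:22:31 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 301 "-" "-"
EOF
}

# w00tw00t_hits LOGFILE [MIN]: prints "count ip" for every client that requested
# a /w00tw00t.at.ISC.SANS. path at least MIN times (default 1), busiest first.
# In combined format $1 is the client address and $7 the request path.
w00tw00t_hits() {
    awk -v min="${2:-1}" '
        $7 ~ /^\/w00tw00t\.at\.ISC\.SANS\./ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# w00tw00t_total LOGFILE: prints the total number of such requests in the log.
w00tw00t_total() {
    awk '$7 ~ /^\/w00tw00t\.at\.ISC\.SANS\./ { c++ } END { print c + 0 }' "$1"
}

# Demo on the constructed sample ("sh w00tw00t.sh demo"). On a real server
# point the functions at /var/log/apache2/access.log instead.
if [ "${1-}" = demo ]; then
    f=$(mktemp)
    write_sample_log "$f"
    echo "total w00tw00t requests: $(w00tw00t_total "$f")"
    echo "repeat offenders (2+ requests):"
    w00tw00t_hits "$f" 2
    rm -f "$f"
fi
```

If the port 80 rule is loaded and working, a fresh log should show a total of zero; a non-zero count points at traffic that arrived over a port or protocol the string match does not cover.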

Prevent Apache from listing the contents of /var/www

sudo vi /var/www/.htaccess

add this line

Options -Indexes

(This only takes effect if the directory's AllowOverride setting in the Apache configuration permits Options.)

Set permissions and protect .htaccess from tampering
sudo chown username:www-data /var/www/.htaccess
sudo chmod 444 /var/www/.htaccess
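Several of the steps above (the su, apt-get and aptitude modes, the read-only /dev/shm mount, the .htaccess directive and its 444 mode) are easy to lose after a system update. The script below, an added example that is not part of the original post, audits all of them in one pass and returns the number of failures, so it can be run from cron or after every upgrade. The function names are my own; it assumes GNU coreutils stat (Linux) and reads /proc/mounts for the mount options. The demo builds a scratch tree rather than touching the real system.

```shell
#!/bin/sh
# Added example, not from the original post: audit the file-permission, shared
# memory and .htaccess changes described above, so the hardening can be
# re-checked after a system update (the apt-get/aptitude mode change in
# particular has to be redone). Assumes POSIX sh, awk and GNU coreutils stat
# (Linux). The demo builds a scratch tree instead of touching the real system.

# norm MODE: strip leading zeros so "000", "0" and "0000" compare equal.
norm() {
    v=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${v:-0}"
}

# check_mode PATH EXPECTED: succeed if PATH exists with octal mode EXPECTED.
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$(norm "$actual")" = "$(norm "$2")" ]
}

# check_shm_ro MOUNTS: succeed if /dev/shm is mounted with the "ro" option.
# MOUNTS is /proc/mounts on a live system (fields: device, mountpoint, type, options).
check_shm_ro() {
    awk '$2 == "/dev/shm" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
         END { exit !found }' "$1"
}

# check_no_indexes HTACCESS: succeed if an active "Options ... -Indexes" line exists.
check_no_indexes() {
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1" 2>/dev/null
}

# audit [ROOT] [MOUNTS]: run every check, print PASS/FAIL lines, return the
# number of failures (0 means fully hardened). ROOT is prefixed to each path.
audit() {
    root=${1:-}; mounts=${2:-/proc/mounts}; fails=0
    run() {
        if "$@"; then printf 'PASS %s\n' "$*"
        else printf 'FAIL %s\n' "$*"; fails=$((fails + 1)); fi
    }
    run check_mode "$root/bin/su" 4750
    run check_mode "$root/usr/bin/apt-get" 000
    run check_mode "$root/usr/bin/aptitude" 000
    run check_mode "$root/var/www/.htaccess" 444
    run check_no_indexes "$root/var/www/.htaccess"
    run check_shm_ro "$mounts"
    return "$fails"
}

# make_scratch_tree DIR: constructed copy of the hardened layout for the demo.
make_scratch_tree() {
    mkdir -p "$1/bin" "$1/usr/bin" "$1/var/www"
    : > "$1/bin/su";           chmod 4750 "$1/bin/su"
    : > "$1/usr/bin/apt-get";  chmod 000 "$1/usr/bin/apt-get"
    : > "$1/usr/bin/aptitude"; chmod 000 "$1/usr/bin/aptitude"
    echo 'Options -Indexes' > "$1/var/www/.htaccess"; chmod 444 "$1/var/www/.htaccess"
    printf 'tmpfs /dev/shm tmpfs ro,nosuid,nodev 0 0\n' > "$1/mounts"
}

# "sh audit.sh demo" audits the scratch tree; "sh audit.sh live" audits the real paths.
case "${1-}" in
    demo) d=$(mktemp -d); make_scratch_tree "$d"
          audit "$d" "$d/mounts"; echo "failures: $?"
          rm -rf "$d" ;;
    live) audit ;;
esac
```

A non-zero exit from `audit` is the signal to re-apply the chmod commands above; run it as a user who can stat /bin/su (any user can) and read /proc/mounts.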
Install Bastille Linux

https://help.ubuntu.com/community/BastilleLinux

Now don’t forget to Harden WordPress
