Harden Ubuntu Server 12.04 LTS

It's not enough to harden just Ubuntu. It's necessary to harden the rest of LAMP as well. So here is how I do it.

Harden MySQL
sudo mysql_secure_installation

Answer Yes to all questions (but there is no need to change the password).

Harden PHP – and tune performance
sudo apt-get install php5-suhosin
sudo vi /etc/php5/apache2/php.ini

Uncomment these lines or update the settings:

 max_execution_time = 30
 memory_limit = 64M
 error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (had to change this one)
 display_errors = Off
 log_errors = On
 error_log = /var/log/php-error.log
 register_globals = Off

sudo /etc/init.d/apache2 restart


In Ubuntu the administrative ROOT account is disabled by default.

Reconfiguring Shared memory to Read Only
sudo vi /etc/fstab

Add this line:

tmpfs /dev/shm tmpfs defaults,ro 0 0

Disabling SSH root login and settings
sudo vi /etc/ssh/sshd_config


Change "PermitRootLogin yes" to:

PermitRootLogin no

Change "LoginGraceTime 120" to:

LoginGraceTime 30

Add this line:

AllowUsers username username username

Restart Apache (any one of these)

sudo service ssh restart
sudo /etc/init.d/ssh restart
sudo apachectl restart
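
An added example (not from the original post): a shell check that an sshd_config really carries the settings above. sshd uses the first value it reads for a keyword, so appending "PermitRootLogin no" below a leftover "PermitRootLogin yes" changes nothing. The function names and sample files are constructed for illustration, and the check assumes whitespace-separated "Keyword value" lines in the global section (before any Match block).

```shell
#!/bin/sh
# Added example: audit sshd_config for the settings recommended above.

# Print the effective global value of a keyword. sshd keeps the FIRST value
# it reads, keywords are case-insensitive, and Match blocks are not global.
sshd_effective() {  # usage: sshd_effective <file> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # skip comment lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 if the file matches this page's settings, 1 otherwise.
audit_sshd() {  # usage: audit_sshd <file>
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin)
    grace=$(sshd_effective "$1" LoginGraceTime)
    users=$(sshd_effective "$1" AllowUsers)
    [ "$root" = "no" ]  || { echo "FAIL PermitRootLogin='$root' (want no)"; rc=1; }
    [ "$grace" = "30" ] || { echo "FAIL LoginGraceTime='$grace' (want 30)"; rc=1; }
    [ -n "$users" ]     || { echo "FAIL AllowUsers is not set"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $1"
    return "$rc"
}

# Constructed sample: "no" was appended but the original "yes" line was left in.
bad=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'LoginGraceTime 120' \
    '# AllowUsers alice' 'permitrootlogin no' > "$bad"
# Constructed sample: the settings from this page, edited in place.
good=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'LoginGraceTime 30' \
    'AllowUsers alice bob' > "$good"
trap 'rm -f "$bad" "$good"' EXIT

audit_sshd "$bad" || true   # reports three failures
audit_sshd "$good"          # reports OK
```

On a real server, point audit_sshd at /etc/ssh/sshd_config, and run "sudo sshd -t" before restarting to catch syntax errors in the edited file.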

Limiting access to su
sudo chown root:admin /bin/su
sudo chmod 04750 /bin/su

Limiting access to apt-get and aptitude

Remember you’ll have to change this back to 700 every time you update the system.

sudo chmod 000 /usr/bin/apt-get
sudo chmod 000 /usr/bin/aptitude

Install Fail2ban

Fail2ban Wiki

Add rules to iptables

A handy iptables rule for w00tw00t attacks, which Fail2ban is not the best tool to handle:

iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP


iptables How To & Tips & Tricks

Prevent Apache from displaying index /var/www

sudo vi /var/www/.htaccess

Add this line:

Options -Indexes

Set permissions and protect .htaccess from tampering
sudo chown username:www-data /var/www/.htaccess
sudo chmod 444 /var/www/.htaccess

Install Bastille Linux

Now don’t forget to Harden WordPress
