{"id":41,"date":"2019-09-02T10:39:41","date_gmt":"2019-09-02T08:39:41","guid":{"rendered":"http:\/\/blog.remyblom.nl\/?p=41"},"modified":"2020-11-17T10:21:21","modified_gmt":"2020-11-17T09:21:21","slug":"hardening-ubuntu-18-04-lts","status":"publish","type":"post","link":"https:\/\/blog.remyblom.nl\/?p=41","title":{"rendered":"Hardening Ubuntu 18.04 LTS"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

Just got a new box setup and delivered to me by the company’s IT department. They setup a user-account with sudo<\/code> privileges and included my public ssh-key. But in case you only have a root account you should create a user-account with sudo privileges yourself:<\/p>\n\n\n\n

$ adduser username\n$ usermod -aG sudo username<\/code><\/pre>\n\n\n\n
And from your local machine upload your public key:<\/p>\n\n\n\n
$ ssh-copy-id -i .ssh\/id_rsa user@hostname<\/code><\/pre>\n\n\n\n
So let’s start hardening. First let’s set a new password:<\/p>\n\n\n\n
$ passwd<\/code><\/pre>\n\n\n\n
After that I needed to set another hostname, since the one I got from IT was not what I asked for:<\/p>\n\n\n\n
$ sudo nano hostname\n$ sudo nano hosts\n$ sudo reboot <\/code><\/pre>\n\n\n\n
ssh & sshd<\/h2>\n\n\n\n
In \/etc\/ssh\/sshd_config<\/code> set:<\/p>\n\n\n\n
PermitRootLogin no \nPasswordAuthentication no <\/code><\/pre>\n\n\n\n
In \/etc\/ssh\/ssh_config<\/code> set:<\/p>\n\n\n\n
HashKnownHosts yes<\/code><\/pre>\n\n\n\n
firewall<\/h2>\n\n\n\n
Use a firewall to block all unwanted traffic to your machine. Only open up the ports you want publicly available and limit access to your ssh-port to known IP’s only. <\/p>\n\n\n\n
$ sudo ufw allow from 10.2.0.0\/16\n$ sudo ufw allow http \n$ sudo ufw allow https\n$ sudo ufw enable\n$ sudo ufw status numbered<\/code><\/pre>\n\n\n\n
unattended updates <\/h2>\n\n\n\n
Make sure the package is installed and running:<\/p>\n\n\n\n
$ sudo apt install unattended-upgrades\n$ sudo service unattended-upgrades status<\/code><\/pre>\n\n\n\n
Edit \/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/code><\/code> to do only<\/strong> security updates on production machines. Only out-comment the following lines:<\/p>\n\n\n\n
\"${distro_id}:${distro_codename}\";\n\"${distro_id}:${distro_codename}-security\";\n\"${distro_id}ESM:${distro_codename}\";<\/code><\/pre>\n\n\n\n
Security updates may need dependencies from non-security origins. EMS, or extended security maintenance is for releases that have reached end of life, like 14.04 LTS.<\/p>\n\n\n\n
Further you can play with settings like: <\/p>\n\n\n\n
Unattended-Upgrade::Mail \"your@email.com\";\nUnattended-Upgrade::MailOnlyOnError \"false\";\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\nUnattended-Upgrade::Automatic-Reboot \"true\";\nUnattended-Upgrade::Automatic-Reboot-Time \"04:00\";<\/code><\/pre>\n\n\n\n
Doing automatic-reboots at night are at your own risk, I don’t do that on production machines, but really think it is perfectly fine on private, personal and development boxes. And I have never had anything go wrong with them, ever…<\/p>\n\n\n\n
Add\/edit \/etc\/apt\/apt.conf.d\/20auto-upgrades<\/code>:<\/p>\n\n\n\n
APT::Periodic::Update-Package-Lists \"1\";\nAPT::Periodic::Download-Upgradeable-Packages \"1\";\nAPT::Periodic::AutocleanInterval \"7\";\nAPT::Periodic::Unattended-Upgrade \"1\";<\/code><\/pre>\n\n\n\n
The unattended upgrades are initiated by your daily crontab, in my case this runs at 06:25 by default, which I think is a little late to also do a reboot, so I changed the time my daily crontab runs by editing \/etc\/crontab<\/code>:<\/p>\n\n\n\n
\n# m h dom mon dow user\tcommand\n17 *\t* * *\troot    cd \/ && run-parts --report \/etc\/cron.hourly\n0  3\t* * *\troot\ttest -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.daily )\n47 6\t* * 7\troot\ttest -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.weekly )\n52 6\t1 * *\troot\ttest -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.monthly )<\/code><\/pre>\n\n\n\n
Test<\/p>\n\n\n\n
$ sudo unattended-upgrades --dry-run --debug<\/code><\/pre>\n\n\n\n
Checkrestart<\/h2>\n\n\n\n
Another great way to see whether you need to reboot a machine or are just fine with reload\/restarting services is the checkrestart<\/code> command. It is not on the machine by default so you install it yourself:<\/p>\n\n\n\n
$ sudo apt install debian-goodies<\/code><\/pre>\n\n\n\n
I added it to my .bash_profile<\/code> so everytime I log into the machine I get to see which processes still use old versions of upgraded files. <\/p>\n\n\n\n
echo 'Type password for checkrestart report'\nsudo checkrestart<\/code><\/pre>\n\n\n\n
More stuff…<\/h2>\n\n\n\n
This list is of course incomplete and could be updated and expended over time… Things like fail2ban<\/strong> or appArmor<\/strong> might be added….<\/p>\n\n\n\n
But for now let’s install that LEMP stack<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"
Just got a new box setup and delivered to me by the company’s IT department. They setup a user-account with sudo privileges and included my public ssh-key. But in case you only have a root account you should create a user-account with sudo privileges yourself: And from your local machine upload your public key: So … <\/p>\n
Continue reading “Hardening Ubuntu 18.04 LTS”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,3,2],"tags":[],"class_list":["post-41","post","type-post","status-publish","format-standard","hentry","category-hardening","category-ubuntu","category-vps"],"_links":{"self":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/41","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=41"}],"version-history":[{"count":13,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/41\/revisions"}],"predecessor-version":[{"id":215,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/41\/revisions\/215"}],"wp:attachment":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=41"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=41"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=41"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}