[Ubuntu hardening] #security #harden #ubuntu
``` | |
# Refresh the package index, apply pending upgrades, then drop orphaned
# packages and stale .deb files from the apt cache. Each step runs even if a
# previous one failed, exactly as typing the four commands one after another.
for apt_action in update upgrade autoremove autoclean; do
  sudo apt-get "$apt_action"
done
``` | |
------------ auto update | |
``` | |
# Become root; the remaining commands of this section are typed in that root shell.
sudo su -
apt-get install unattended-upgrades
# select yes
dpkg-reconfigure unattended-upgrades
# the APT::Periodic values shown in the next block go into this file
nano /etc/apt/apt.conf.d/20auto-upgrades
``` | |
``` | |
APT::Periodic::Update-Package-Lists "1"; | |
APT::Periodic::Download-Upgradeable-Packages "1"; | |
APT::Periodic::Unattended-Upgrade "3"; | |
APT::Periodic::AutocleanInterval "9"; | |
``` | |
``` | |
nano /etc/apt/apt.conf.d/50unattended-upgrades | |
``` | |
``` | |
Unattended-Upgrade::Allowed-Origins { | |
"${distro_id}:${distro_codename}-security"; | |
"${distro_id}:${distro_codename}-updates"; | |
// "${distro_id}:${distro_codename}-proposed"; | |
// "${distro_id}:${distro_codename}-backports"; | |
}; | |
``` | |
create a dedicated email account | |
```Unattended-Upgrade::Mail "me@example.com";``` | |
```apt-get install heirloom-mailx``` | |
``` | |
# The mail client configuration lives in the invoking user's home directory;
# the later `chmod 400 .mailrc` relies on this working directory.
cd ~
nano .mailrc
``` | |
``` | |
# ~/.mailrc for heirloom-mailx: relay through Gmail's submission port with STARTTLS.
set smtp-use-starttls
# NOTE(review): "ignore" disables TLS certificate verification, so the login below
# can be captured by anyone able to intercept the connection; prefer ssl-verify=strict
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=changeme@gmail.com
# The password is stored in clear text; the `chmod 400 .mailrc` step below limits who
# can read it. Use the dedicated account created for this purpose, never a primary mailbox.
set smtp-auth-password=mypassword
set from="changeme@gmail.com"
``` | |
```chmod 400 .mailrc``` | |
```echo "Just testing mailx" | mail -s "Yooooo woot" test@example.com``` | |
---------------------swap | |
``` | |
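# Create and enable a 4 GiB swap file, then persist it and two VM tunables.
# Every "append to a system file" step is guarded so re-running this section
# does not add duplicate fstab / sysctl.conf entries.
sudo fallocate -l 4G /swapfile
# secure it before any swap data is written: only root may read the file
sudo chown root:root /swapfile
sudo chmod 0600 /swapfile
# prepare (if swapon later complains about holes, recreate the file with dd instead
# of fallocate — some filesystems do not support preallocated swap files)
sudo mkswap /swapfile
# activate
sudo swapon /swapfile
# add to fstab (idempotent)
grep -qF '/swapfile' /etc/fstab || echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
# tweak: prefer reclaiming page cache over swapping; apply now and persist.
# The guards skip the append when the key is already present with any value.
sudo sysctl vm.swappiness=10
grep -qE '^\s*vm\.swappiness\s*=' /etc/sysctl.conf || echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf
sudo sysctl vm.vfs_cache_pressure=50
grep -qE '^\s*vm\.vfs_cache_pressure\s*=' /etc/sysctl.conf || echo 'vm.vfs_cache_pressure=50' | sudo tee -a /etc/sysctl.conf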
``` | |
-----------------------sysctl.conf | |
``` | |
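# IP Spoofing protection (drop packets whose source is not routable via the receiving interface)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
# Controls IP packet forwarding (this is a host, not a router)
net.ipv4.ip_forward = 0
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Do not send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Log Martians (packets with impossible source addresses) to the kernel log.
# "default" is set as well so interfaces created later inherit it, like the other keys here.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# SYN backlog / retry tuning (complements tcp_syncookies above)
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore directed pings (the host will not answer ping at all, which also hinders monitoring)
net.ipv4.icmp_echo_ignore_all = 1
# Full ASLR: 1 randomises only stack, VDSO and mmap; 2 additionally randomises the heap (brk)
# and is the kernel/Ubuntu default, so a value of 1 would weaken the default rather than harden it.
kernel.randomize_va_space = 2
# Disable IPv6 if required (IPv6 might cause issues with the Internet connection being slow).
# These three lines are active as written; comment them out to keep IPv6.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Accept "secure" (gateway-originated) redirects? No, this is not a router
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# [IPv6] Number of Router Solicitations to send until assuming no routers are present.
# This is a host and not a router.
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# In rare occasions, it may be beneficial to reboot your server if it runs out of memory.
# This simple solution can avoid you hours of down time. The vm.panic_on_oom=1 line enables panic
# on OOM; the kernel.panic=10 line tells the kernel to reboot ten seconds after panicking.
vm.panic_on_oom = 1
kernel.panic = 10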
``` | |
-----IRQ balance | |
```sed --in-place 's/ENABLED="1"/ENABLED="0"/g' /etc/default/irqbalance``` | |
-------OpenSSL Heartbleed
``` | |
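# Check whether the installed OpenSSL is a Heartbleed-affected release.
openssl version -v
# above should be not 1.0.1f or below, otherwise:
# NOTE(review): on Ubuntu the bare version string is not conclusive — the distro backports
# security fixes into the packaged 1.0.1f build. Check the candidate/installed versions from
# `apt-cache policy` below (and the package changelog) before replacing anything by hand.
sudo apt-get update
sudo apt-get upgrade openssl libssl-dev
apt-cache policy openssl libssl-dev
# Only if a source build is really needed (a compiler toolchain is assumed to be present).
# 1.0.2f is an old release with later security fixes of its own; pick the current supported release.
sudo apt-get install make
# download to a file instead of piping straight into tar, so it can be verified first
curl -fsSLO https://www.openssl.org/source/openssl-1.0.2f.tar.gz
# verify against the digest/signature published next to the release before unpacking
sha256sum openssl-1.0.2f.tar.gz   # compare with <EXPECTED_SHA256_FROM_OPENSSL_ORG>
tar xzf openssl-1.0.2f.tar.gz && cd openssl-1.0.2f
# configure and build as the normal user; only the install step needs root
./config && make
sudo make install
# This only swaps the command-line binary. Services link against the packaged libssl,
# which is unchanged by this step — fixing them requires the packaged update above.
sudo ln -sf /usr/local/ssl/bin/openssl "$(command -v openssl)"
openssl version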
``` | |
-----------secure tmp | |
``` | |
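# Back /tmp with a dedicated 1 GiB loop image so it can be mounted with restrictive options.
# Mounting over a live /tmp hides whatever is already there (e.g. sockets of running programs);
# do this early in boot or before starting services.
sudo fallocate -l 1G /tmpdisk
sudo mkfs.ext4 /tmpdisk
# the image holds everyone's /tmp data, so only root may read it
sudo chmod 0600 /tmpdisk
# nodev added: device nodes have no legitimate use in a world-writable tmp.
# noexec can break installers that run scripts from /tmp; remount with exec temporarily if apt fails.
sudo mount -o loop,noexec,nosuid,nodev,rw /tmpdisk /tmp
# sticky and world-writable, like the original /tmp
sudo chmod 1777 /tmp
# persist (idempotent) and pick up the fstab options
grep -qF '/tmpdisk' /etc/fstab || echo '/tmpdisk /tmp ext4 loop,nosuid,noexec,nodev,rw 0 0' | sudo tee -a /etc/fstab
sudo mount -o remount /tmp
# point /var/tmp at the hardened /tmp; copy the old contents including dotfiles
# (the original "/var/tmpold/*" glob silently skipped dotfiles) before removing the old directory
sudo mv /var/tmp /var/tmpold
sudo ln -s /tmp /var/tmp
sudo cp -a /var/tmpold/. /tmp/
sudo rm -rf -- /var/tmpold/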
``` | |
---------secure shared memory | |
```echo 'tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0' | sudo tee -a /etc/fstab``` | |
----------set locale | |
``` | |
# Generate and set the system locale, then pick the timezone interactively.
locale=en_GB.UTF-8
sudo locale-gen "$locale"
sudo update-locale LANG="$locale"
sudo dpkg-reconfigure tzdata
``` | |
---------disable root account add user | |
``` | |
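# Create the day-to-day admin account FIRST and confirm sudo works from it, then lock
# root: locking root before another sudo-capable login exists risks locking yourself out.
# sudo is used throughout for consistency (the original ran adduser/usermod unprivileged).
sudo adduser [username]
sudo usermod -aG sudo [username]
# test it — ideally from a second session so the current one stays usable
su - [username]
sudo -v
# Lock the root password. This only disables password logins for root; SSH key-based
# root logins are controlled by sshd's PermitRootLogin, not by passwd -l.
sudo passwd -l root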
``` | |
----------set secure limits | |
``` | |
sudo nano /etc/security/limits.conf
# Example entries to add to the file (the leading ": " is presumably the author's
# marker for "line to paste", not part of the entry). A hard nproc limit caps how many
# processes a user or @group may have, limiting the damage of a runaway/fork-bomb process.
: user1 hard nproc 100
: @group1 hard nproc 20
``` | |
-----------ip spoofing | |
``` | |
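# Append resolver anti-spoofing options. /etc/host.conf is root-owned, so the write goes
# through sudo tee like the rest of this document (a plain >> redirect fails for a non-root
# user). The guard keeps the section idempotent.
# NOTE(review): on glibc-based systems `order` and `nospoof` are, as far as I know, no longer
# honoured (lookup order comes from /etc/nsswitch.conf) — confirm with `man 5 host.conf`.
grep -qx 'nospoof on' /etc/host.conf || sudo tee -a /etc/host.conf <<'EOT'
order bind,hosts
nospoof on
EOT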
``` | |
---------fail2ban | |
``` | |
# Seed jail.local with a fully commented copy of the packaged jail.conf (assumes fail2ban is
# already installed). Overrides go into jail.local because jail.conf is replaced on upgrade.
awk '{ print "# " $0 }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
``` |