Securing Linux Based OS: A Stepwise Guide to Harden Ubuntu 16.04 LTS Server
Added on 2023/04/25
AI Summary
This article provides a stepwise guide to harden Linux based operating systems like Ubuntu 16.04 LTS server against common and critical security threats and vulnerabilities. It covers topics like installation and configuration of security tools, securing SSH, network hardening through sysctl settings, disabling recursion of Open DNS, and securing PHP. The article also discusses the importance of security tools like uncomplicated firewall, rootkit scanner, and PSAD for intrusion detection. The guide is relevant for Ubuntu 16.04 LTS server or later versions.
Running head: SECURING LINUX BASED OS
Discussion
Methodologies
Linux based operating systems may not be as exposed to cyber security risks as
Windows based ones, but it would be foolish for anyone to let their guard down. Beyond
targeted attacks, vulnerabilities in open source tools and environments are very
common, since the code is more accessible and the exploits are widely known. Hence
securing Linux based operating systems deserves attention. The following is a relatively
easy to implement stepwise guide to hardening Linux based operating systems
against the most common as well as critical security threats and vulnerabilities (Wang and Lu
2013). These techniques can be used to secure an Ubuntu 16.04 LTS server or later versions:
Installing and configuring security tools like the uncomplicated firewall (ufw)
Securing SSH by configuring login based on public/private keys
Securing the network via sysctl settings
Disabling recursion of open DNS and renaming the version info (Bind9 DNS)
Securing PHP
Security Tools for Ubuntu - Uncomplicated Firewall (ufw)
The best and easiest way to start securing an Ubuntu system is to install a
firewall. The Uncomplicated Firewall (ufw) is among the most basic firewall solutions; it
performs decently and can be configured with the provided tool ‘gufw’ or with
fwbuilder, Firestarter or even Shorewall (Vanickis et al. 2018). Firestarter provides
users with a GUI for configuring the firewall. To install ufw, enter the following
command in the terminal window:
sudo apt-get install ufw
To allow the SSH and HTTP services, enter:
sudo ufw allow ssh
sudo ufw allow http
To enable the firewall, enter:
sudo ufw enable
To check the firewall status, enter:
sudo ufw status verbose
Securing the shared memory
Shared memory is often manipulated to attack a running service. It can be
secured by modifying /etc/fstab. To do this, open the /etc/fstab file, add the line
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
(the mount options are comma separated with no spaces, otherwise the entry will not
parse) and save. Then reboot.
If /etc/fstab is opened again after the reboot, it shows that the security
modifications to the file have been saved.
Hardening of SSH
The most comprehensive means of securing SSH is to log in with
public/private keys (Main and Sha 2017). When password authentication is used,
the easiest way to secure SSH is to disable root login and to change the SSH port
from its default value of 22. Before disabling root login, a fresh SSH user must be
created and confirmed to belong to the admin groups. If the SSH port is changed, the
new value should be below 1024, because these ports are privileged and can only be
opened by root or by processes running as root. When changing the SSH port, the
newly chosen port must be opened on the firewall and port 22 closed. To edit the
configuration, enter the following command:
sudo vi /etc/ssh/sshd_config
To set the port and the other options, make the following changes or additions:
Port <ENTER YOUR PORT>
Protocol 2
PermitRootLogin no
DebianBanner no
Then restart the server by entering the command below in the terminal
window:
sudo service ssh restart
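As an added example (not part of the original guide or of OpenSSH), the following POSIX shell script audits a candidate sshd_config for the four directives above before the service is restarted. It assumes the directives are set at top level rather than inside a Match block, and the sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config for the directives this guide sets, before the service
# is restarted. sshd uses the FIRST uncommented occurrence of a directive and
# ignores the keyword's case, and this audit mirrors that, so a hardening line
# appended below an earlier default is caught. Assumption: directives are set
# at top level (no Match blocks), as in the guide.

# Print the effective value of directive $2 in file $1; prints nothing when
# the directive is absent or only present in a comment.
sshd_get() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Return 0 when FILE carries the guide's four settings, 1 otherwise; each
# failing check is reported on stdout so the file can be fixed first.
check_sshd_config() {
  f=$1; rc=0
  port=$(sshd_get "$f" Port)
  case "$port" in
    '')       echo "FAIL: no Port directive, sshd would listen on 22"; rc=1 ;;
    *[!0-9]*) echo "FAIL: Port '$port' is not a number"; rc=1 ;;
    22)       echo "FAIL: Port is still the default 22"; rc=1 ;;
    *)        # the guide wants a privileged port, so only root can bind it
              [ "$port" -lt 1024 ] || { echo "FAIL: Port $port is not below 1024"; rc=1; } ;;
  esac
  for pair in Protocol:2 PermitRootLogin:no DebianBanner:no; do
    key=${pair%%:*}; want=${pair#*:}
    have=$(sshd_get "$f" "$key" | tr 'A-Z' 'a-z')
    [ "$have" = "$want" ] || { echo "FAIL: $key is '${have:-unset}', expected $want"; rc=1; }
  done
  return $rc
}

# Constructed sample: the guide's settings on a privileged port.
write_hardened_sshd_config() {
  cat > "$1" <<'EOF'
# constructed sample, not a real server's file
Port 922
Protocol 2
PermitRootLogin no
DebianBanner no
EOF
}

# Constructed sample: stock defaults plus a late "PermitRootLogin no" that
# sshd ignores because an earlier line already set the directive.
write_default_sshd_config() {
  cat > "$1" <<'EOF'
#Port 22
PermitRootLogin prohibit-password
PermitRootLogin no
EOF
}

# Demo on the constructed samples; the real file is /etc/ssh/sshd_config.
tmp=$(mktemp)
write_hardened_sshd_config "$tmp"; check_sshd_config "$tmp" && echo "hardened sample: OK"
write_default_sshd_config "$tmp"; check_sshd_config "$tmp" || echo "default sample: fix before restart"
rm -f "$tmp"
```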
Network hardening through sysctl settings
The sysctl interface allows users to change parameters of an already running
Linux kernel. All sysctl related settings are contained in the file named
sysctl.conf (Breitwieser 2015). The primary concern here is source routing of incoming
packets, which must be disabled; packets with impossible (martian) source addresses can
also be logged. Open the file with the following command in the terminal window:
sudo vi /etc/sysctl.conf
Edit this /etc/sysctl.conf file to add the lines below:
# Protect against IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source routing of packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore directed ping requests
net.ipv4.icmp_echo_ignore_all = 1
To reload sysctl with the recent edits, enter:
sudo sysctl -p
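As an added example (not from the original guide), the following POSIX shell script checks that the keys listed in a sysctl.conf file are actually in effect by reading the kernel's live values under /proc/sys, which catches a forgotten `sysctl -p` or a key the kernel does not expose. The procsys directory argument and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Check that the keys in a sysctl.conf-style file are in effect on the running
# kernel by reading /proc/sys directly (key a.b.c lives at /proc/sys/a/b/c).
# Editing the file changes nothing until `sysctl -p` runs, so this catches a
# forgotten reload as well as a key the kernel does not expose. PROCSYS is a
# parameter only so the check can run against a constructed tree here.

# Emit "key value" pairs from $1: comments (# or ;) and blank lines dropped,
# any spacing around '=' tolerated.
sysctl_conf_pairs() {
  sed -e 's/[#;].*$//' -e 's/[[:space:]]*=[[:space:]]*/ /' \
      -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Read "key value" pairs on stdin and report each key whose live value under
# $1 differs (MISMATCH) or which the kernel does not expose (MISSING).
sysctl_compare() {
  while read -r key want; do
    path="$1/$(printf '%s' "$key" | tr '.' '/')"
    if [ ! -r "$path" ]; then
      echo "MISSING: $key (no $path; mistyped key or feature not available)"
    elif [ "$(cat "$path")" != "$want" ]; then
      echo "MISMATCH: $key is $(cat "$path"), expected $want"
    fi
  done
}

# Return 0 when every key in CONF matches the kernel value under PROCSYS
# (default /proc/sys), 1 otherwise, with the report on stdout.
check_sysctl_applied() {
  report=$(sysctl_conf_pairs "$1" | sysctl_compare "${2:-/proc/sys}")
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Constructed sample: a subset of the guide's /etc/sysctl.conf settings.
write_guide_sysctl_conf() {
  cat > "$1" <<'EOF'
# Protect against IP spoofing
net.ipv4.conf.all.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source routing of packets
net.ipv4.conf.all.accept_source_route = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog=2048
EOF
}

# Constructed stand-in for /proc/sys as it looks when the file was edited but
# `sysctl -p` was not run: tcp_syncookies still holds the old value, and the
# backlog key is left out to show how an unavailable key is reported.
write_fake_procsys() {
  ip4=$1/net/ipv4
  mkdir -p "$ip4/conf/all"
  echo 1 > "$ip4/conf/all/rp_filter"
  echo 1 > "$ip4/icmp_echo_ignore_broadcasts"
  echo 0 > "$ip4/conf/all/accept_source_route"
  echo 0 > "$ip4/tcp_syncookies"
}

# Demo on the constructed tree; on a real host run
# check_sysctl_applied /etc/sysctl.conf (reads /proc/sys, no root needed).
w=$(mktemp -d)
write_guide_sysctl_conf "$w/sysctl.conf"; write_fake_procsys "$w/procsys"
check_sysctl_applied "$w/sysctl.conf" "$w/procsys" || echo "not applied yet: run sudo sysctl -p"
rm -rf "$w"
```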
BIND DNS Server – Renaming of Version Info and Disabling of recursion
The most critical set of vulnerabilities stems from BIND DNS servers. Although the
majority of DNS servers on the internet run BIND, more than 50% of these servers have
been found to be vulnerable to popular exploits (Winstead 2014). Issuing further queries
of its own in order to answer a client's query is called recursion, and limiting or
disabling it can greatly enhance the security of the server. Open the options file with
the following command in the terminal window:
sudo vi /etc/bind/named.conf.options
These changes should be added in the
recursion no;
version "Not disclosed";
To restart the BIND server with the above changes, enter the command below in
the terminal:
sudo service bind9 restart
Strengthening security of PHP
Several vulnerabilities of PHP have been discovered. These range from
mishandling of the opcache access controls configured for PHP-FPM to
incorrect handling of several invalid multibyte sequences, among many others. To
strengthen the security of PHP, some lines in the ini file need to be edited (Glaser 2014).
Open it with the following command:
sudo vi /etc/php5/apache2/php.ini
Add the changes below to the ini file:
disable_functions = exec, system, shell_exec, passthru
register_globals = off
expose_php = off
display_errors = off
track_errors = off
html_errors = off
magic_quotes_gpc = off
mail.add_x_header = off
session.name = NEWSESSID
After saving the changes, restart the Apache server by entering the command below
in the terminal:
sudo service apache2 restart
Security Tools for Ubuntu
Of the methods of securing Linux based operating systems like Ubuntu studied
above, the most reliable and easy to implement technique is the use of security tools
like the uncomplicated firewall (ufw), rootkit scanners and PSAD for intrusion detection. These
tools require a minimum of commands to set up and are readily available on the internet. A
mix of different security tools addressing different security aspects of the operating system is
the ideal security solution. The simplicity of working with these tools is an added advantage
that helps users identify the root cause of any security breach taking place, so that
the user concerned can take appropriate action at the right time.
Uncomplicated firewall
It can easily be installed using the “sudo apt-get install ufw” command.
Rules for ssh, http and other services can be changed on the fly.
The firewall can be enabled or disabled as the user requires; “sudo ufw enable”
turns it on.
The status of the firewall, including the rules for the different ports, can be queried at any
time with the command “sudo ufw status verbose”.
Rootkit Scanner
Another set of tools that play an important role in securing the operating system are the
rootkit scanners such as rkhunter and chkrootkit (Čabak and Gazivoda 2016). Below are
the package configuration options available during installation of chkrootkit.
After selecting the mail configuration, the tool performs the necessary configurations
and installs by itself.
Once installed, the chkrootkit tool can be used to conduct an in-depth scan that identifies
rootkits, if present, by using the simple command sudo chkrootkit, as can be seen in the next
screenshot.
PSAD
PSAD from CipherDyne, for intrusion detection and log analysis, is a set of
three lightweight daemons that run on Linux based systems and are responsible for
analysing iptables log messages (Hongell 2013) in order to detect port scans and other
suspicious traffic. PSAD provides intrusion detection mechanisms, and even with
enable_auto_ids enabled, PSAD has the added advantage that it logs the events,
which is immensely useful when testing the production environment. Although PSAD can be
configured further, once installed it automatically starts reporting whenever an intrusion
is recognised by the daemons. This tool is known to work on Ubuntu and Debian based
Linux environments (Šmilauer 2015).
From the above demonstration of the three identified security tools (uncomplicated
firewall, rootkit scanner and PSAD), it can be seen that the Ubuntu based Linux operating
system is simultaneously protected by a firewall, rootkit cleaners and a tool for
intrusion detection. For any operating system a firewall is always a must have, as it
actively monitors all the processes making use of system resources. Rootkits are insidious
means by which malware hides in areas of the operating system that are generally not
accessible to users (Xie and Wang 2013). Intrusion detection plays a very critical part in
securing the operating system. With the rise of zero-day attacks from unknown threats, it is
not possible to detect them with regular scanning and monitoring mechanisms before the
attacker has already done the damage (Kotenko and Chechulin 2013). This has led to the
invention of complex algorithms, such as heuristic based approaches, for identifying malicious
intrusions so that the security threat can be precisely identified beforehand (Liao et al. 2013).
It is worth noting that the three tools do not conflict or overlap but complement each other.
References
Breitwieser, C., 2015. TiD--Documentation of TOBI Interface D. arXiv preprint
arXiv:1507.01313.
Čabak, M. and Gazivoda, V., 2016. Security Recommendation for an Ubuntu Server-based
System.
Glaser, J.D., 2014. Secure Development for Mobile Apps: How to Design and Code Secure
Mobile Applications with PHP and JavaScript. Auerbach Publications.
Hongell, T., 2013. SETTING UP A SMALL OFFICE NETWORK.
Kotenko, I. and Chechulin, A., 2013, June. A cyber attack modeling and impact assessment
framework. In 2013 5th International Conference on Cyber Conflict (CYCON 2013) (pp. 1-
24). IEEE.
Liao, H.J., Lin, C.H.R., Lin, Y.C. and Tung, K.Y., 2013. Intrusion detection system: A
comprehensive review. Journal of Network and Computer Applications, 36(1), pp.16-24.
Main, E. and Sha, L., 2017. Hedwig: Secure dialup service with strong per-user sandbox.
Šmilauer, V., Chareyre, B., Duriez, J., Eulitz, A., Gladky, A., Guo, N., Jakob, C., Kozicki, J.,
Kneib, F., Modenese, C. and Stránský, J., 2015. Using and programming. The Yade Project,
doi, 10.
Vanickis, R., Jacob, P., Dehghanzadeh, S. and Lee, B., 2018, June. Access Control Policy
Enforcement for Zero-Trust-Networking. In 2018 29th Irish Signals and Systems Conference
(ISSC) (pp. 1-6). IEEE.
Wang, W. and Lu, Z., 2013. Cyber security in the smart grid: Survey and challenges.
Computer Networks, 57(5), pp.1344-1371.
Winstead, E., 2014. Response Rate Limiting with BIND. In Proceedings of the APRICOT
Conference.
Xie, X. and Wang, W., 2013, October. Rootkit detection on virtual machines through deep
information extraction at hypervisor-level. In 2013 IEEE Conference on Communications
and Network Security (CNS) (pp. 498-503). IEEE.