This is a basic level of hardening for Ubuntu servers and should be considered a baseline. This tutorial will cover two topics: SSH and Firewall. This tutorial was prepared using Ubuntu Server 8.04 beta.
SSH
Edit the SSH daemon configuration file to move the SSH port away from 22. Most worms and bots are programmed to look at port 22 and brute-force whatever is listening there, so moving to a non-standard port is the easiest way to reduce the volume of log noise.
zeroday> sudo vi /etc/ssh/sshd_config
Look for "Port 22" and change it to a different value. Anything above 1024 is fine.
# What ports, IPs and protocols we listen for
Port 65522
Now restart sshd.
zeroday> sudo invoke-rc.d ssh restart
Firewall
Shorewall is an easy-to-configure front end for Netfilter and provides a basic perimeter for your server's Internet-facing interfaces.
zeroday> sudo apt-get install shorewall
Once the package is installed it will display an error message stating that Shorewall cannot start until it is configured. This is a "dummy proof" feature so that new users will not deploy Shorewall without making the critical changes to the rules. Simply put, it will block all inbound connections if deployed as is. This is a great way to stay secure, but it would prevent even SSH from working.
The first step is to copy the example configuration files.
zeroday> sudo cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall
To allow the most basic services, we will add rules permitting inbound connections to the web server and the SSH server.
zeroday> sudo vi /etc/shorewall/rules
Look for "Permit all ICMP traffic FROM the firewall TO the net zone" and add the following lines after the ICMP rule:
- ACCEPT net fw tcp 65522
- ACCEPT net fw tcp 80
Your rules file should now look like this:
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp
ACCEPT net fw tcp 65522
ACCEPT net fw tcp 80
The last two steps enable Shorewall to start at boot. The first setting is in the shorewall.conf file.
zeroday> sudo vi /etc/shorewall/shorewall.conf
Look for the STARTUP_ENABLED variable and change it from "No" to "Yes". This is not case sensitive.
The file should end up looking like this:
#######################################
# S T A R T U P E N A B L E D
#######################################
STARTUP_ENABLED=YES
Lastly we need to change the shorewall file in /etc/default.
zeroday> sudo vi /etc/default/shorewall
Look for the "startup" parameter and change it from 0 to 1.
It should look like this when you are done:
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup=1
Now you are ready to start your firewall. It is a good idea to double-check your work. I like to compare my edited configuration files to the originals using diff.
zeroday> for f in /etc/shorewall/*;
do
diff "$f" /usr/share/doc/shorewall-common/examples/one-interface/"$(basename "$f")";
done
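Diff shows what changed, but it does not tell you whether the changes agree with each other. The lockout mentioned earlier happens when the port sshd now listens on has no matching ACCEPT rule in /etc/shorewall/rules, or when one of the two startup switches is still off. The pre-flight check below is an added example, not part of the original tutorial and not Shorewall's own tooling; it parses the four files edited above with awk and grep and refuses to give a clean result until the sshd port, the rules file, STARTUP_ENABLED and startup=1 all line up. The function names are my own, and it runs here against constructed copies of those files in a temporary directory rather than the real ones under /etc.

```shell
#!/bin/sh
# Added pre-flight check (hypothetical helper, not from the tutorial or Shorewall).
# Every function takes file paths as parameters so the same check can be run
# against /etc/ssh/sshd_config, /etc/shorewall/rules, /etc/shorewall/shorewall.conf
# and /etc/default/shorewall once you trust it.

# Print the port sshd listens on: first uncommented "Port" line, default 22.
sshd_port() {
    port=$(awk 'tolower($1)=="port" {print $2; exit}' "$1")
    echo "${port:-22}"
}

# Return 0 if the rules file has an ACCEPT rule from the net zone to the
# firewall zone (written as "fw" or "$FW") for tcp port $2.
rule_allows_tcp() {
    awk -v p="$2" '
        $1=="ACCEPT" && $2=="net" && ($3=="fw" || $3=="$FW") && $4=="tcp" && $5==p { found=1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Return 0 if shorewall.conf has STARTUP_ENABLED=Yes (Shorewall ignores case).
startup_enabled() {
    grep -iq '^STARTUP_ENABLED=yes' "$1"
}

# Return 0 if /etc/default/shorewall has startup=1.
default_startup_on() {
    grep -q '^startup=1' "$1"
}

# Run all checks, print each problem found, return 0 only if everything agrees.
preflight() {
    sshd_conf=$1; rules=$2; conf=$3; default=$4
    ok=0
    port=$(sshd_port "$sshd_conf")
    rule_allows_tcp "$rules" "$port" || { echo "no ACCEPT net fw tcp $port rule: sshd would be blocked"; ok=1; }
    startup_enabled "$conf" || { echo "STARTUP_ENABLED is not Yes in $conf"; ok=1; }
    default_startup_on "$default" || { echo "startup is not 1 in $default"; ok=1; }
    return $ok
}

# Constructed sample files mirroring the edits made in the tutorial.
make_samples() {
    d=$(mktemp -d)
    printf '# What ports, IPs and protocols we listen for\nPort 65522\n' > "$d/sshd_config"
    printf '# Permit all ICMP traffic FROM the firewall TO the net zone\nACCEPT $FW net icmp\nACCEPT net fw tcp 65522\nACCEPT net fw tcp 80\n' > "$d/rules"
    printf 'STARTUP_ENABLED=YES\n' > "$d/shorewall.conf"
    printf '# prevent startup with default configuration\nstartup=1\n' > "$d/default"
    echo "$d"
}

# Demonstration against the constructed samples.
sample=$(make_samples)
if preflight "$sample/sshd_config" "$sample/rules" "$sample/shorewall.conf" "$sample/default"; then
    echo "pre-flight OK: sshd port $(sshd_port "$sample/sshd_config") is allowed and startup is enabled"
fi
rm -rf "$sample"
```

To use it on the live system, call preflight with the four real paths and only run the shorewall start command when it returns 0; if you later move the SSH port again, the same check catches a rules file that was not updated to match.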
Once you have confirmed the changes, start up the firewall.
zeroday> sudo invoke-rc.d shorewall start