Securing UbuntuJan 17, 2013 - 10 minutes
Table of Contents
Setting up iptables and Fail2Ban
Make shared memory read-only
Setting up Bastille Linux
Setting up a chroot environment
Securing nginx inside the chroot
Let’s login to our new machine and take some initial steps to secure our system. For this article I’m going to assume your username is
If you need to, setup your sudoers file by adding the following lines to
1ubuntu ALL=(ALL:ALL) ALL # put this in the "User privilege specification" section
~/.ssh/authorized_keys and put your public key inside it. Make sure you can login without a password now once your key is in place.
/etc/ssh/sshd_config and make sure these lines exist to secure SSH:
1# Only allow version 2 communications, version 1 has known vulnerabilities 2Protocol 2 3# Disable root login over ssh 4PermitRootLogin no 5# Load authorized keys files from a users home directory 6AuthorizedKeysFile %h/.ssh/authorized_keys 7# Don't allow empty passwords to be used to authenticate 8PermitEmptyPasswords no 9# Disable password auth, you must use ssh keys 10PasswordAuthentication no
Keep your current session open and restart sshd:
1sudo service ssh restart
Make sure you can login from another terminal. If you can, move on.
Now we need to update and upgrade to make sure all of our packages are up to date and install two pre-requisites for later in the article: build-essential and ntp.
1sudo apt-get update 2sudo apt-get install build-essential ntp 3sudo apt-get upgrade 4sudo reboot
Setting up iptables and Fail2Ban
1sudo apt-get install fail2ban
Open up the fail2ban config and change the ban time, destemail, and maxretry
1[DEFAULT] 2ignoreip = 127.0.0.1/8 3bantime = 3600 4maxretry = 2 5destemail = [email protected] 6action = %(action_mw)s 7 8[ssh] 9 10enabled = true 11port = ssh 12filter = sshd 13logpath = /var/log/auth.log 14maxretry = 2
Now restart fail2ban.
1sudo service fail2ban restart
If you try and login from another machine and fail, you should see the ip in iptables.
1# sudo iptables -L 2Chain fail2ban-ssh (1 references) 3target prot opt source destination 4DROP all -- li203-XX.members.linode.com anywhere 5RETURN all -- anywhere anywhere
Here are my default iptables rules, it opens up port 80 and 443 for HTTP/HTTPS communication, and allows port 22. We also allow ping and then log all denied calls and then reject everything else. If you have other services you need to run, such as a game server or something else, you’ll have to add the rules to open up the ports in the iptables config.
1*filter 2 3# Accepts all established inbound connections 4 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 5 6# Allows all outbound traffic 7# You could modify this to only allow certain traffic 8 -A OUTPUT -j ACCEPT 9 10# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) 11 -A INPUT -p tcp --dport 443 -j ACCEPT 12 -A INPUT -p tcp --dport 80 -j ACCEPT 13# Allows SSH connections for script kiddies 14# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE 15 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT 16 17# Now you should read up on iptables rules and consider whether ssh access 18# for everyone is really desired. Most likely you will only allow access from certain IPs. 19 20# Allow ping 21 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 22 23# log iptables denied calls (access via 'dmesg' command) 24 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 25 26# Reject all other inbound - default deny unless explicitly allowed policy: 27 -A INPUT -j REJECT 28 -A FORWARD -j REJECT 29 30COMMIT
We can load that up into iptables:
1sudo iptables-restore < /etc/iptables.up.rules
Make sure it loads on boot by putting it into the if-up scripts:
1#!/bin/sh 2iptables-restore /etc/iptables.up.rules
Now make it executable:
1chmod +x /etc/network/if-up.d/iptables
Rebooting here is optional, I usually reboot after major changes to make sure everything boots up properly.
If you’re getting hit by scanners or brute-force attacks, you’ll see a line similar to this in your
1Jan 18 03:30:37 localhost kernel: [ 79.631680] iptables denied: IN=eth0 OUT= MAC=04:01:01:40:70:01:00:12:f2:c6:e8:00:08:00 SRC=188.8.131.52 DST=192.34.XX.XX LEN=64 TOS=0x00 PREC=0x00 TTL=34 ID=57021 DF PROTO=TCP SPT=1253 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Read only shared memory
A common exploit vector is going through shared memory (which can let you change the UID of running programs and other malicious actions). It can also be used as a place to drop files once an initial breakin has been made. An example of one such exploit is available here.
1tmpfs /dev/shm tmpfs defaults,ro 0 0
Once you do this you need to reboot.
Setting up Bastille Linux
The Bastille Hardening program “locks down” an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system’s current state of hardening, granularly reporting on each of the security settings with which it works.
Bastille: Installation and Setup
1sudo apt-get install bastille # choose Internet site for postfix 2# configure bastille 3sudo bastille
After you run that command you’ll be prompted to configure your system, here are the options I chose:
- File permissions module: Yes (suid)
- Disable SUID for mount/umount: Yes
- Disable SUID on ping: Yes
- Disable clear-text r-protocols that use IP-based authentication? Yes
- Enforce password aging? No (situation dependent, I have no users accessing my machines except me, and I only allow ssh keys)
- Default umask: Yes
- Umask: 077
- Disable root login on tty’s 1-6: No
- Password protect GRUB prompt: No (situation dependent, I’m on a VPS and would like to get support in case I need it)
- Password protect su mode: Yes
- default-deny on tcp-wrappers and xinetd? No
- Ensure telnet doesn’t run? Yes
- Ensure FTP does not run? Yes
- display authorized use message? No (situation dependent, if you had other users, Yes)
- Put limits on system resource usage? Yes
- Restrict console access to group of users? Yes (then choose root)
- Add additional logging? Yes
- Setup remote logging if you have a remote log host, I don’t so I answered No
- Setup process accounting? Yes
- Disable acpid? Yes
- Deactivate nfs + samba? Yes (situation dependent)
- Stop sendmail from running in daemon mode? No (I have this firewalled off, so I’m not concerned)
- Deactivate apache? Yes
- Disable printing? Yes
- TMPDIR/TMP scripts? No (if a multi-user system, yes)
- Packet filtering script? No (we configured the firewall previously)
- Finished? YES! & reboot
You can verify some of these changes by testing them out, for instance, the SUID change on ping:
Bastille: Verifying changes
1[email protected]:~$ ping google.com 2ping: icmp open socket: Operation not permitted 3[email protected]:~$ sudo ping google.com 4PING google.com (184.108.40.206) 56(84) bytes of data. 564 bytes from iad23s07-in-f8.1e100.net (220.127.116.11): icmp_req=1 ttl=55 time=9.06 ms 6^C 7--- google.com ping statistics --- 81 packets transmitted, 1 received, 0% packet loss, time 0ms 9rtt min/avg/max/mdev = 9.067/9.067/9.067/0.000 ms
Since our machine isn’t running as a router and is going to be running as an application/web server, there are additional steps we can take to secure the machine. Many of these are from the NSA’s security guide, which you can read in its entirety here.
/etc/sysctl.conf http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf Source
1# Protect ICMP attacks 2net.ipv4.icmp_echo_ignore_broadcasts = 1 3 4# Turn on protection for bad icmp error messages 5net.ipv4.icmp_ignore_bogus_error_responses = 1 6 7# Turn on syncookies for SYN flood attack protection 8net.ipv4.tcp_syncookies = 1 9 10# Log suspcicious packets, such as spoofed, source-routed, and redirect 11net.ipv4.conf.all.log_martians = 1 12net.ipv4.conf.default.log_martians = 1 13 14# Disables these ipv4 features, not very legitimate uses 15net.ipv4.conf.all.accept_source_route = 0 16net.ipv4.conf.default.accept_source_route = 0 17 18# Enables RFC-reccomended source validation (dont use on a router) 19net.ipv4.conf.all.rp_filter = 1 20net.ipv4.conf.default.rp_filter = 1 21 22# Make sure no one can alter the routing tables 23net.ipv4.conf.all.accept_redirects = 0 24net.ipv4.conf.default.accept_redirects = 0 25net.ipv4.conf.all.secure_redirects = 0 26net.ipv4.conf.default.secure_redirects = 0 27 28# Host only (we're not a router) 29net.ipv4.ip_forward = 0 30net.ipv4.conf.all.send_redirects = 0 31net.ipv4.conf.default.send_redirects = 0 32 33 34# Turn on execshild 35kernel.exec-shield = 1 36kernel.randomize_va_space = 1 37 38# Tune IPv6 39net.ipv6.conf.default.router_solicitations = 0 40net.ipv6.conf.default.accept_ra_rtr_pref = 0 41net.ipv6.conf.default.accept_ra_pinfo = 0 42net.ipv6.conf.default.accept_ra_defrtr = 0 43net.ipv6.conf.default.autoconf = 0 44net.ipv6.conf.default.dad_transmits = 0 45net.ipv6.conf.default.max_addresses = 1 46 47# Optimization for port usefor LBs 48# Increase system file descriptor limit 49fs.file-max = 65535 50 51# Allow for more PIDs (to reduce rollover problems); may break some programs 32768 52kernel.pid_max = 65536 53 54# Increase system IP port limits 55net.ipv4.ip_local_port_range = 2000 65000 56 57# Increase TCP max buffer size setable using setsockopt() 58net.ipv4.tcp_rmem = 4096 87380 8388608 59net.ipv4.tcp_wmem = 4096 87380 8388608 60 61# Increase Linux auto tuning TCP buffer limits 62# min, default, and max number of bytes to use 63# set max to at least 4MB, or higher if you use very high BDP paths 64net.core.rmem_max = 8388608 65net.core.wmem_max = 8388608 66net.core.netdev_max_backlog = 5000 67net.ipv4.tcp_window_scaling = 1
After making these changes you should reboot.
Setting up a chroot environment
We’ll be setting up a chroot environment to run our web server and applications in. Chroot’s provide isolation from the rest of the operating system, so even in the event of a application compromise, damage can be mitigated.
chroot: Installation and Setup
1sudo apt-get install debootstrap dchroot
Now add this to your
/etc/schroot/schroot.conf file, precise is the release of Ubuntu I’m using, so change it if you need to:
1[precise] 2description=Ubuntu Precise LTS 3location=/var/chroot 4priority=3 5users=ubuntu 6groups=sbuild 7root-groups=root
Now bootstrap the chroot with a minimal Ubuntu installation:
1sudo debootstrap --variant=buildd --arch amd64 precise /var/chroot/ http://mirror.anl.gov/pub/ubuntu/ 2sudo cp /etc/resolv.conf /var/chroot/etc/resolv.conf 3sudo mount -o bind /proc /var/chroot/proc 4sudo chroot /var/chroot/ 5apt-get install ubuntu-minimal 6apt-get update
Add the following to
/etc/apt/sources.list inside the chroot:
1deb http://archive.ubuntu.com/ubuntu precise main 2deb http://archive.ubuntu.com/ubuntu precise-updates main 3deb http://security.ubuntu.com/ubuntu precise-security main 4deb http://archive.ubuntu.com/ubuntu precise universe 5deb http://archive.ubuntu.com/ubuntu precise-updates universe
Let’s test out our chroot and install nginx inside of it:
1apt-get update 2apt-get install nginx
Securing nginx inside the chroot
First thing we will do is add a www user for nginx to run under:
Adding a application user
1sudo chroot /var/chroot 2useradd www -d /home/www 3mkdir /home/www 4chown -R www.www /home/www
/etc/nginx/nginx.conf and make sure you change user to www inside the chroot:
We can now start nginx inside the chroot:
1sudo chroot /var/chroot 2service nginx start
Now if you go to http://your_vm_ip/ you should see “Welcome to nginx!” running inside your fancy new chroot.
We also need to setup ssh to run inside the chroot so we can deploy our applications more easily.
1sudo chroot /var/chroot 2apt-get install openssh-server udev
Since we already have SSH for the main host running on 22, we’re going to run SSH for the chroot on port 2222. We’ll copy over our config from outside the chroot to the chroot.
1sudo cp /etc/ssh/sshd_config /var/chroot/etc/ssh/sshd_config
Now open the config and change the bind port to 2222.
We also need to add the rules to our firewall script:
1# Chroot ssh 2 -A INPUT -p tcp -m state --state NEW --dport 2222 -j ACCEPT
Now make a startup script for chroot-precise in
1mount -o bind /proc /var/chroot/proc 2mount -o bind /dev /var/chroot/dev 3mount -o bind /sys /var/chroot/sys 4mount -o bind /dev/pts /var/chroot/dev/pts 5chroot /var/chroot service nginx start 6chroot /var/chroot service ssh start
Set it to executable and to start at boot:
1sudo chmod +x /etc/init.d/chroot-precise 2sudo update-rc.d chroot-precise defaults
Next is to put your public key inside the
.ssh/authorized_keys file for the www user inside the chroot so you can ssh and deploy your applications.
If you want, you can test your server and reboot it now to ensure nginx and ssh boot up properly. If it’s not running right now, you start it:
You should now be able to ssh into your chroot and main server without a password.
I would like to also mention the GRSecurity kernel patch. I had tried several times to install this (two different versions were released while I was writing this) and both make the kernel unable to compile. Hopefully they’ll fix these bugs and I’ll be able to update this article with notes on setting GRSecurity up as well.
I hope this article proved useful to anyone trying to secure a Ubuntu system, and if you liked it please share it!