Ubuntu System Hardening Solutions

1, delete the system does not need the default account

# Userdel LP
# Groupdel LP
#passwd –l LP
If the following system default account is not required, it is recommended to delete.
LP, Sync News, UUCP, games, Bin, Mans
Modify some of the system account shell variables, such as UUCP,FTP and news, and some only need the FTP function account, must not give them to set/bin/bash or/bin/sh and other shell variables. You can set their shell variables to/bin/false or/dev/null in/etc/passwd, or you can use Usermod-s/dev/null

2. Restrict remote login to Super Administrator
Reference configuration Actions
Ssh:
#vi/etc/ssh/sshd_config
Put
Permitrootlogin Yes
Switch
Permitrootlogin No
Restarting the SSHD service
#service sshd Restart

3. Modify the SSH port
Vi/etc/ssh/sshd_config
Modify
Port 22
Modify the other ports to confuse the illegal temptations
Linux under the default SSH port is 22, for security purposes, now modify the SSH port is 1433, modify the method as follows:
/usr/sbin/sshd-p 1433

CONSOLE:
Configuration in the/etc/securetty file: CONSOLE =/dev/tty01

#service sshd Restart

3. Default password life cycle limit
Cat/etc/login.defs
Reference configuration Actions
Pass_max_days 90
Pass_min_days 0

4. Set permissions for critical directories

Reference configuration Actions
The permissions of the directory are actually set by the chmod command.
Supplemental operating Instructions
ETC/PASSWD must be readable by all users and the root user can write –rw-r-r-
/etc/shadow only root readable –r--------
/etc/group must be readable by all users and the root user can write –rw-r-r-
Use the following command settings:
chmod 644/etc/passwd
chmod 600/etc/shadow
chmod 644/etc/group
If there is a write right VI limit, you need to remove the group and other users of the write access to/etc (except for special cases)
Execute command #chmod-r go-w/etc

5. Modify the Umask value
Reference configuration Actions
Set default permissions:
Vi/etc/profile
Vi/etc/bash.bashrc
Add umask at the end 027
To modify permissions for a file or directory, the following are examples:
#chmod 444 dir; #修改目录dir的权限为所有人都为只读.
Set permissions according to the actual situation;
Supplemental operating Instructions
If a user needs to use a umask that differs from the default global system setting, it can be set at the command line when needed, or configured in the user's shell startup file
Additional Information
The default setting for Umask is typically 022, which gives the newly created file default permissions of 755 (777-022=755), which gives the file owner read and Write permissions, but only for group members and other users.
Calculation of Umask:
Umask is set with octal data code, which is equal to the octal data code 777 minus the required default permissions for the directory, and the octal data code value for the file, which is equal to the octal data code 666 minus the required default permissions.

6. Resource Limitations
Reference configuration Actions
?? The first step
Edit limits.conf File
(vi/etc/security/limits.conf), add or change the following lines:
* Soft Core 0
* Hard Core 0
* Hard RSS 5000
* Hard Nproc 20
* Soft Nofile 10000
* Hard Nofile 10000

If you restrict the use of host resources by the Limitu user group,
Join:
@limitu Soft Core 0
@limitu Hard Nproc 30
@limitu-maxlogins 5

These lines mean "core 0" is forbidden to create a core file, "Nproc 20" limits the maximum number of processes, "RSS 5000" means that other users can use up to 5 m of memory in addition to root. These are only valid for users logged on to the system. With these limitations, you can better control the user's use of processes, core files, and memory in the system. The asterisk "*" indicates all users logged on to the system.
?? Step Two

You must edit the/etc/pam.d/login file to add the following line at the end of the file:
Session required/lib/security/pam_limits.so
Additional notes:
After joining this line, the "/etc/pam.d/sudologin" file is like this:
#%pam-1.0 Auth required/lib/security/pam_securetty.so
Auth required/lib/security/pam_pwdb.so Shadow Nullok
Auth required/lib/security/pam_nologin.so A
Ccount required/lib/security/pam_pwdb.so Password required/lib/security/pam_cracklib.so
Password required/lib/security/pam_pwdb.so
Nullok Use_authtok MD5 Shadow
Session required/lib/security/pam_pwdb.so
Session required/lib/security/pam_limits.so
#session Optional/lib/security/pam_console.sodaemon
Statistics Process Qty PS Ax | grep httpd | Wc-l

7. Set directory Permissions

Reference configuration Actions
View important file and directory permissions: Ls–l
To change permissions:
For important directories, it is recommended that you do something like this:
# Chmod-r 750/etc/init.d/*
This allows only root to read, write, and execute scripts in this directory.

8. Setting properties of key files

# Lsattr/etc/shadow
# LSATTR/ETC/PASSWD
# Lsattr/etc/group
1. Reference configuration operation
# chattr +i/etc/shadow
# chattr +I/ETC/PASSWD
# chattr +i/etc/group

It is recommended that the administrator make special settings for critical files (cannot be changed or can only be appended, etc.).

9. Use Pam to prohibit anyone su to root
Reference configuration Actions
To edit the Su file (vi/etc/pam.d/su), add the following two lines at the beginning:
Auth sufficient/lib/security/pam_rootok.so
Auth required/lib/security/pam_wheel.so Group=wheel
This indicates that only members of the wheel group can use the SU command to become the root user. You can add users to the wheel group so that it can use the SU command to become the root user. Add the method as:
# CHMOD–G10 Username

10. Change the order of host resolution addresses

"/etc/host.conf" explains how to resolve an address. Edit the "/etc/host.conf" file (vi/etc/host.conf) and add the following line:
# Lookup names via DNS first then fall back to/etc/hosts. Order Bind,hosts
Multi on
# Check for IP address spoofing
Nospoof on
The first setting resolves the IP address through DNS and then resolves it through the Hosts file. The second setting detects if the host in the "/etc/hosts" file has more than one IP address (for example, multiple Ethernet port cards). The third setting illustrates the need to be aware of native unauthorized IP spoofing.

11. Open Syncookie
# echo 1 >/proc/sys/net/ipv4/tcp_syncookies

Net.ipv4.tcp_syncookies = 1

Can be added to the/etc/rc.d/rc.local. /

12.
Do not respond to ICMP requests:
# echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all

13.
Reference configuration Actions
Sysctl-w Net.ipv4.tcp_max_syn_backlog = 2048

Permanent effective need to add the above Net.ipv4.tcp_max_syn_backlog = 2048 directly in vim/etc/sysctl.conf, and then execute sysctl-p

The above operation is mainly for Ubuntu, Linux system Evaluation analysis, do a few aspects of security reinforcement, the main strategy involves the following points:

1. Cancel the root remote SSH login of all the servers, restrict Su-root user rights, and SSH login port adjustment, external SSH login all adjust;
2. Adjust password expiration time and complexity;
3. Adjust the network flooding, SYN and other anti-attack strategy parameters;
4. Clean the server invalid account such as LP, news, etc., adjust the System key directory permissions;
5. Optimize server connection number parameters;
6. Log Management: Login authentication record, etc.;

Ubuntu System Hardening Solutions