1. INTRODUCTIONSystem hardening, also called Operating System hardening, helps minimize these security vulnerabilities.
The purpose of system hardening is to eliminate as many security risks as possible. This is typically done by removing all non-essential software programs and utilities from the computer. While these programs may offer useful features to the user, if they provide "back-door" access to the system, they must be removed during system hardening.
Advanced system hardening may involve reformatting the hard disk and only installing the bare necessities that the computer needs to function. The CD drive is listed as the first boot device, which enables the computer to start from a CD or DVD if needed. File and print sharing are turned off if not absolutely necessary and TCP/IP is often the only protocol installed. The guest account is disabled, the administrator account is renamed, and secure passwords are created for all user logins. Auditing is enabled to monitor unauthorized access attempts.
The following hardening configuration adopted from NSA Security Configuration Guides. NSA has developed and distributed configuration guidance for operating systems. They made this configuration base on RHEL 5 and i customize the configuration and implement it in Ubuntu 8.04 Server Edition.
1.1. General Principles· Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
· Minimize the amount of software installed and running in order to minimize vulnerability.
· Use security-enhancing software and tools whenever available (e.g., AppArmor, SELinux and Iptables).
o Ubuntu 8.04 default installation already hardened by AppArmor package.
o How to install SELinux in Ubuntu 8.04
# sudo apt-get install SELinux
o How to install Iptables
# sudo apt-get install Iptables
· Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
· Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
· Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
· Never activate root password and log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/auth.log.
1.2. Disk Partitions and MountingDuring initial installation, ensure that filesystems with user‑writeable directories such as the following are mounted on separate partitions: /home, /tmp, /var/tmp.
During system configuration, change mount options in /etc/fstab to limit user access on appropriate filesystems. The defaults option is equal to rw,suid,dev,exec,auto,nouser,async. Using noexec instead prevents execution of binaries on a file system (though it will not prevent scripts from running). Using nosuid will prevent the setuid bit from having effect. The nodev option prevents use of device files on the filesystem.
1.3. Physical SecurityConfigure the BIOS to disable booting from CDs/DVDs, floppies, and external devices, and set a password to protect these settings.
Next, set a password for the GRUB bootloader. Generate a password hash using the command / /usr/sbin/grub-md5-crypt. Add the hash to the first line of /boot/grub/menu.lst as follows:
password --md5 passwordhash
This prevents users from entering single user mode or changing settings at boot time.
1.4. Keep Software Up to DateUpgrade through the Ubuntu Repository Network to apply upgrade automatically. Security updates should be applied as soon as possible.
Create the file apt.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:
#!/bin/sh
/usr/bin/apt-get upgrade
1.5. Disable Unnecessary ServicesFor a list of network port that are open you can use the following commands:
# netstat -tulp or lsof -i -n | egrep 'COMMAND|LISTEN|UDP' or just a port scanner (nmap) 9
To list the services configured to start at boot, run the following command:
# sudo apt-get install sysv-rv-config ( similar function with chkconfig )
# sudo sysv-rc-config
Find the column for the current run level to see which services are enabled. The default run level is 5. To disable a service, run the following command:
# /sbin/sysv-rc-conf servicename off
It is particularly important to disable unnecessary services. Additionally, the following services can be safely disabled if NFS is not in use: netfs, nfslock, portmap, rpcgssd, and rpcidmapd. Some software relies on other services, so care should be taken when disabling them. Changes will take effect after a reboot.
1.6. Disable SUID and SGID BinariesTo find SUID and SGID files on the system, use the following command:
# find / \( -perm -4000 -o -perm -2000 \) -print
The following files can have their SUID or SGID bits safely disabled (using chmod -s filename) unless required for the purpose listed in the second column:
File: Required For:
/bin/ping6 IPv6
/sbin/mount.nfs NFS
/sbin/mount.nfs4 NFS
/sbin/netreport network control
/sbin/umount.nfs NFS
/sbin/umount.nfs4 NFS
/usr/bin/chage passwd
/usr/bin/chfn account info
/usr/bin/chsh account info
/usr/bin/crontab cron
/usr/bin/lockfile Procmail
/usr/bin/rcp rsh
/usr/bin/rlogin rsh
/usr/bin/rsh rsh
/usr/bin/wall console messaging
/usr/bin/write console messaging
/usr/kerberos/bin/ksu Kerberos
/usr/libexec/openssh/ssh-keysign SSH host-based authentication
/usr/sbin/suexec Apache, CGI
/usr/sbin/userisdnctl ISDN
/usr/sbin/usernetctl network control
1.7. Configure and Use Iptables and TCP WrapperThe Iptables firewall should be configured to allow only necessary network communications. For workstations, this may entail blocking all incoming communications, except for those related to connections the system initiated. If Iptables is currently running, view the current firewall policy with the following command:
/sbin/iptables -L
By default, the output should correspond to rules stored in the file /etc/sysconfig/iptables. Understand and edit these rules, removing any lines that allow unnecessary communications. To activate the updated rules, restart the service.
Also configure the TCP Wrapper library to protect network daemons that support its use by adding appropriate rules to /etc/hosts.allow and /etc/hosts.deny.
1.8. Configure and Use SELinux ( Default for Ubuntu is AppArmor )The default SELinux policy, called targeted, provides protection against compromised or misconfigured system services. This policy should not interfere with normal system operation. Ensure that /etc/selinux/config includes the following lines:
SELINUX=enforcing
SELINUXTYPE=targeted
Stronger policies such as strict and mls can be used if appropriate. However, these require customization to operate successfully for many general-purpose usage scenarios.
SELinux and AppArmor cannot be used together. They have a similar function. Ubuntu 8.04 already bundled AppArmor in their package, so it is better to use AppArmor instead of SELinux.
1.9. Set Kernel ParametersAt boot, the system reads and applies a set of kernel parameters from /etc/sysctl.conf. Add the following lines to that file to prevent certain kinds of attacks:
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
kernel.exec-shield=1
kernel.randomize_va_space=1
For more possible parameters, including settings for IPv6, please see our complete guide.
1.10. NTPFor most systems, the ntpd service introduces unnecessary overhead. Instead, call its update utility, ntpdate, directly through a cron job. Create the file /etc/cron.d/ntpdate with the following line:
15 * * * * root /usr/sbin/ntpdate server
Substitute an appropriate NTP server for server. Hosts on a network should synchronize their time from a local NTP server, and then only this local NTP server should acquire the time from an external, trusted source.
1.11. Configure or Disable SSHSSH is often required, but if it is not, disable it:
# sysv-rc-conf ssh off
If SSH is required, ensure the SSH configuration file
/etc/ssh/sshd_config (not ssh_config) includes the following lines:
PermitRootLogin no
Protocol 2
If possible, limit SSH access to a subset of users. Create a group called sshusers and only add the users that need remote access. Then, add the following line to /etc/ssh/ssh_config:
AllowGroups sshusers
Restart the service so that these changes take effect.
1.12. Disable IPv6Unless your policy or network configuration requires it, disable IPv6. To do so, prevent the kernel module from loading by edit the following line from /etc/modprobe.d/aliases:
1. Find the line: alias net-pf-10 ipv6
2. Edit this to: alias net-pf-10 off ipv6
3. Save the file and reboot
