
NP CSF SCS Module Individual Assignment

ubuntu-hardening


Installation and Dependencies

  • Ubuntu Server 20.04.1+ (20.04 LTS), select Option 2. You can also choose to deploy in the cloud (GCP, Linode, etc.).
  • req.sh (contains all prerequisite packages and/or dependencies). WARNING: this was not tested by the author; it is a minimal and quick way to set up your environment, and configuration is still required. This project is not actively maintained. However, please open an issue if need be.
  • Slides for server hardening.
  • A GUI is optional; an Ubuntu 18.04+ client VM is helpful for testing SSH hardening.

Secure Checklist

Part 1. Apache 2.x

Step 1: Install Apache2 Package and make boot-persistent

$ sudo apt update
$ sudo apt upgrade
$ sudo apt install -y apache2 apache2-utils
$ sudo systemctl enable apache2                          # run on startup

Test 1: Check that Apache is running. If no error message is shown, press q to quit and move on to the next steps.

$ sudo systemctl status apache2

Step 2: Miscellaneous steps to start service

$ sudo ufw allow http
$ sudo chown www-data:www-data /var/www/html/ -R          # good idea to change to www-data instead of root
$ sudo systemctl reload apache2

Test 2: You can now try to access the web server by going to http://xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is your IP address (run ifconfig to find it), or by using localhost or 127.0.0.1 (loopback).


Part 2. MariaDB and MySQL Secure Installation

Step 1: Install MariaDB

$ sudo apt install mariadb-server mariadb-client
$ sudo systemctl enable mariadb                          # run on startup

Test 1: Check that MariaDB is running. If no error message is shown, press q to quit and move on to the next steps.

$ sudo systemctl status mariadb                          

Step 2: MySQL Secure Installation

$ sudo mysql_secure_installation

At the prompts, press Y or y for all other options and key in a decent alphanumeric password (select 1 when prompted for a medium-strength password).

Test 2: Verify MariaDB Installation

$ sudo mariadb -u root
...
[mariadb] > exit
$ 

Part 3. PHP 7.x

Step 1: PHP package installation

$ sudo apt install php libapache2-mod-php php-mysql -y      # requires additional config I will not cover

OR

$ sudo apt install php7.4 libapache2-mod-php7.4 php7.4-mysql php-common php7.4-cli php7.4-common php7.4-json php7.4-opcache php7.4-readline
$ sudo a2enmod php7.4
$ sudo systemctl restart apache2
$ sudo nano /var/www/html/info.php

# in the nano editor, enter the following and save
<?php phpinfo(); ?>

Test 1: Navigate to http://xxx.xxx.xxx.xxx/info.php, where xxx.xxx.xxx.xxx is your IP address, or to localhost/info.php. You should see the PHP information page generated by phpinfo().

Step 2: Remove default PHP and index.html pages

# make an HTML file called index.html somewhere
$ sudo mv /<path>/<to>/index.html /var/www/html/index.html
$ sudo rm /var/www/html/info.php

Test 2: You should no longer be able to see the default pages when you try to navigate to them.

Installing phpMyAdmin is optional. See here for more.


  • SSH Keys for Authentication
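$ ssh-keygen -t rsa -b 4096 -C "ubuntu client"                   # -b sets the key size in bits
$ scp -P <port> <path> id@<ipaddr>:~/.ssh/authorized_keys        # -P (uppercase) sets the port; <path> is the public key (.pub); overwrites any existing authorized_keys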

  • Antimalware: ClamAV

Part 1. Installing ClamAV

$ sudo apt install clamav clamav-daemon -y
$ sudo systemctl stop clamav-freshclam
$ sudo systemctl start clamav-daemon.service
$ sudo freshclam                                                    # update AV definitions
$ sudo systemctl start clamav-freshclam.service

Part 2. Install and Configure ClamTK (ClamAV GUI)

$ sudo apt install clamtk -y

Configure according to own preference using GUI.


  • Linux Firewall (ufw)
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw allow <port>/tcp                           # make sure correct port
$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw enable

In this exercise, I changed the ssh port to 727 from 22 (see the slides). Since it is a web server, we will allow http/https traffic for both incoming and outgoing connections.
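A check for the result of the ufw commands above, as an added example that is not part of the original project: it reads `ufw status verbose` output and reports anything that differs from the policy described here (SSH on 727/tcp, plus http and https). The function name `audit_ufw`, the `ALLOWED` list and both trimmed sample outputs are constructed for illustration.

```shell
# Added example: check `ufw status verbose` output against this page's policy.
# ALLOWED is an assumption: SSH moved to 727/tcp, plus http (80) and https (443).
ALLOWED="727/tcp 80/tcp 443/tcp"

# Reads `ufw status verbose` text on stdin, prints one finding per line.
# Returns 0 when the rules match the policy, 1 otherwise.
audit_ufw() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Status: active/ { active = 1 }
        /^Default:/ { if ($0 ~ /deny \(incoming\)/)  deny_in = 1
                      if ($0 ~ /allow \(outgoing\)/) allow_out = 1 }
        / ALLOW IN / { port = $1          # first column, e.g. "80/tcp"
                       if (port in ok) seen[port] = 1
                       else if (!(port in flagged)) {
                           flagged[port] = 1; bad = 1
                           print "unexpected inbound rule: " port } }
        END {
            if (!active)    { bad = 1; print "ufw is not active" }
            if (!deny_in)   { bad = 1; print "default incoming policy is not deny" }
            if (!allow_out) { bad = 1; print "default outgoing policy is not allow" }
            for (i = 1; i <= n; i++)
                if (!(a[i] in seen)) { bad = 1; print "missing allow rule: " a[i] }
            exit bad + 0
        }'
}

# Constructed sample: the state the ufw commands above should produce.
sample_good() { cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
727/tcp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
727/tcp (v6)               ALLOW IN    Anywhere (v6)
EOF
}

# Constructed sample: the old SSH port was allowed instead of 727.
sample_bad() { cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
EOF
}

sample_bad | audit_ufw || echo "firewall does not match the policy"
```

On the server, pipe the live state into the function with `sudo ufw status verbose | audit_ufw`.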

Miscellaneous

  • Ubuntu Desktop (and Screen Manager)

Mainly following this guide

$ sudo apt install net-tools                                      # for ifconfig
$ sudo apt install tasksel

# SELECT "UBUNTU-DESKTOP" using [SPACEBAR], leave defaults, press [TAB] and then [ENTER] on "OK" to confirm.
# wait for installation to complete

$ sudo reboot                                                    # login using credentials

  • Troubleshooting Server 20.04 Clipboard Issues

There was some problem with the clipboard during my installation of the LAMP stack when I wanted to copy commands. I used these articles to troubleshoot, and finally I managed to fix the issue with these 2 commands:

$ sudo apt-get install open-vm-tools-desktop
$ sudo reboot

Edit the corresponding files as per the slides above to further harden the server.

Here are the files that are unique to my setup.

