The following is a guide to best security practices for a fresh installation of Ubuntu Live Server. It compiles several security guides into one. Note that we start without a network connection to the Internet and use only commands native to Ubuntu; by doing so, we can harden the system before connecting it to the public Internet.
Note: this guide assumes that the reader is already familiar with the Linux command line.
Ensuring Log Accuracy
Set up the time and date so that the timestamps in the command history are accurate. In the terminal, enter the following command, replacing the date and time between the quotes.
sudo date -s "YYYY-MM-DD HH:MM:SS"
Once the server is online, enable NTP so the clock stays correct without manual updates:
sudo timedatectl set-ntp true
sudo vi ~/.bashrc
Insert the following on a new line.
export HISTTIMEFORMAT="%F %T "
Add or edit these lines as well to keep bash history persistent across sessions. Note that commands run as a different user (for example through sudo) may not be saved, because of the permissions on that user's .bash_history.
shopt -s histappend
HISTSIZE=100000
# no spaces around "=", or bash treats the line as a command; the size depends on how much storage you can spare
HISTFILESIZE=100000
# must be raised as well, otherwise ~/.bash_history is truncated to the default file size
PROMPT_COMMAND='history -a'
# saves each command after execution, rather than at the end of the session
Press ESC and type ':wq!' to save the changes.
Check the changes with:
cat ~/.bashrc
Then activate them in the current session:
source ~/.bashrc
history -r ~/.bash_history
(history -r re-reads the saved history into the session; do not "source" the history file, as that would execute every command stored in it.)
Configure Basic Security Logging
Edit the following configuration file.
sudo vi /etc/rsyslog.conf
Add these lines to enhance security logging. Ubuntu's default rules live in /etc/rsyslog.d/50-default.conf and already route auth,authpriv.* to /var/log/auth.log and kern.* to /var/log/kern.log; check that file first so you do not write each message twice.
auth,authpriv.* /var/log/auth.log
*.alert /var/log/alert.log
kern.* /var/log/kern.log
If you have a separate log server, set up remote logging.
*If an attacker compromises your system, they will try to clear the local logs, so it is best to have a copy of the logs on a remote server. Add the following line to your local /etc/rsyslog.conf (a single @ forwards over UDP, which is unencrypted and can drop messages; @@ forwards over TCP instead):
*.* @<IP address>:<portnumber> # Replace with your log server IP, if you have one
Configure the receiving server to accept these logs (assuming it is also Ubuntu). Edit its /etc/rsyslog.conf file and make sure its firewall allows the port:
$ModLoad imudp
$UDPServerRun 514
Implement log rotation with logrotate to prevent logs from consuming all disk space. Edit /etc/logrotate.d/rsyslog. Note that the version of this file shipped with Ubuntu already lists /var/log/auth.log; change the existing stanza rather than adding a second one, because logrotate rejects duplicate log entries.
/var/log/auth.log {
rotate 7
daily
compress
missingok
notifempty
}
Note: you can add more logrotate rules under /etc/logrotate.d
Document Host Information + Baseline
Server Info
touch ./serverInfo.txt
echo "Date of Hardening: $(date)" > ./serverInfo.txt
echo -n "MAC ADDRESS → " >> ./serverInfo.txt
# records the MAC of the first interface that has one (third token of the first link/ether line)
ip a | grep "link/ether" | grep -o '[a-zA-Z0-9:]*' | sed -n '3p' >> ./serverInfo.txt
echo >> ./serverInfo.txt
hostnamectl >> ./serverInfo.txt
echo >> ./serverInfo.txt
echo >> ./serverInfo.txt
User List
echo "User List" >> ./serverInfo.txt
cat /etc/passwd >> ./serverInfo.txt
echo >> ./serverInfo.txt
Startup List
reboot
echo "Startup List" >> ./serverInfo.txt
systemctl list-unit-files --type=service >> ./serverInfo.txt
Current Process List
echo "Current Process List" >> ./serverInfo.txt
ps aux >> ./serverInfo.txt
Service Status List
echo "Service Status List" >> ./serverInfo.txt
service --status-all >> ./serverInfo.txt
Network Info
echo "Network Info" >> ./serverInfo.txt
ip a >> ./serverInfo.txt
BIOS/UEFI Protection for Bare Metal
Ensure that the physical systems running the VMs have the following settings. Note that this cannot be done for cloud systems unless you have physical access to them.
- Set strong BIOS/UEFI passwords
- Enable Secure Boot, if available
- Note: it may need to be disabled temporarily to update Ubuntu, but can be re-enabled afterwards
- Disable booting from external devices
- Update firmware to the latest versions
Verify Disk Encryption
Ubuntu Live Server should already have disk encryption if LUKS encryption was selected when the OS was installed. To check:
cat /etc/crypttab
This file will have the following values:
- sda4_crypt → name of the encrypted device
- UUID=[…] → UUID of the partition
- none → the user has to enter the passphrase interactively during boot
- luks,discard → options: luks marks the device as a LUKS volume; discard passes TRIM commands through to improve SSD performance and lifespan (it also lets anyone with the raw disk see which blocks are unused, so leave it out if that matters more than SSD wear)
This file contains one line for each encrypted partition if more than one is mounted at boot time.
If the disk is not encrypted, or non-root partitions are not encrypted (luksFormat destroys whatever is on the partition, so back it up first; /dev/sdb1 is used as the example partition):
sudo cryptsetup luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 encrypted_volume
sudo mkfs.ext4 /dev/mapper/encrypted_volume
To have the volume unlocked and mounted at boot, add it to /etc/crypttab and /etc/fstab as well.
**Note that /boot does not need to be encrypted, unless you encrypt the whole hard drive with Secure Boot
Secure GRUB Boot Loader
Note: do this step on a VM first and fully understand it. Else, you may lock yourself out of the system if done incorrectly. It would also be a good idea to take a snapshot of the current system, so you do not have to reinstall your VM.
GRUB is a complete program for loading and managing the boot process. It is the most common bootloader for Linux distributions. A bootloader is the first software that runs when a computer starts. It loads the kernel of the operating system and then the kernel initializes the rest of the operating system: shell, display manager, desktop environment, etc.
In Linux, the GRUB menu looks something like this:
[screenshot of the GRUB boot menu not included in this text]
**This prevents unauthorized modification of kernel parameters during boot.**
The following step is not secure, but provides a backup to getting past the GRUB, should the hash method not work. MAKE SURE TO DELETE THIS LINE FROM YOUR SYSTEM AFTER YOU CAN SUCCESSFULLY USE THE GRUB PASSWORD WITH THE HASH.
sudo vi /etc/grub.d/40_custom
Add these lines and save
set superusers="<username>"
password <username> backuppass
Update grub, reboot and check that back up password works
sudo update-grub
reboot
The following steps are written for command-line-only environments, because the output of grub-mkpasswd-pbkdf2 must be copied into /etc/grub.d/40_custom; without a clipboard, the easiest way is to append it with sudo tee -a. Skip this first line if you already added set superusers when creating the backup password, so the line is not duplicated:
echo 'set superusers="<superuser>"' | sudo tee -a /etc/grub.d/40_custom
Note the space after '<superuser>' in the next command; the hash is appended onto the same line.
echo -n 'password_pbkdf2 <superuser> ' | sudo tee -a /etc/grub.d/40_custom
To protect boot process with password protection, generate a password hash and add it to the grub file:
grub-mkpasswd-pbkdf2 | grep -o 'grub.*' | sudo tee -a /etc/grub.d/40_custom
This will pause the bash terminal as it will ask for the password to be entered twice, though the prompt is not visible on your end. Simply enter the password twice and it will show you the current contents of the grub file, which includes the hash.
Delete the previous insecure backup password line, which looks like this:
password <username> backuppass
The added contents should look like this (<superuser> is the same username used in the echo commands above):
set superusers="<superuser>"
password_pbkdf2 <superuser> grub.pbkdf2.sha512.10000.<insertedhash>
Update GRUB with the new configuration
sudo update-grub
reboot
**If done correctly, you should be required to enter: BIOS password (if not a VM), GRUB username/password, disk encryption key, and login credentials. If the server must be able to reboot unattended, GRUB can mark menu entries --unrestricted so they boot without the password while editing them still requires it.
Disable Root Login
sudo passwd -l root
Note: Ubuntu leaves the root password locked by default, so this usually only confirms the state; check it with sudo passwd -S root. If you ever need to enable root login, simply set a root password (make sure it is strong and unique).
Make Sure No Non-Root User Accounts Have their UID Set to 0
awk -F: '($3 == "0") {print}' /etc/passwd
You should only see one line:
root:x:0:0:root:/root:/bin/bash
If there are other lines, make sure these accounts are authorized to use UID 0 (meaning root privileges). Otherwise, delete them from /etc/passwd (use sudo vipw, which locks the file while you edit it).
Check for Accounts with Empty Passwords and Lock Them
sudo awk -F: '($2 == "") {print}' /etc/shadow
sudo passwd -l <userName>
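The two awk checks above, combined into a reusable audit together with a check that passwd -l actually locked the account. This is an added example written for this guide, not part of the original; file paths are parameters so it runs on the constructed sample below as well as on /etc/passwd and /etc/shadow (the latter needs sudo).

```shell
# Account audit over passwd/shadow-format files (added example; the real
# files are /etc/passwd and /etc/shadow, the latter readable only as root).
# audit_accounts <passwd_file> <shadow_file>
#   prints "UID0    <user>"   for any account other than root with uid 0
#   prints "EMPTYPW <user>"   for shadow entries with an empty password field
#   returns 1 if anything was printed, 0 if the files are clean
audit_accounts() {
    local findings
    findings=$(
        awk -F: '$3 == 0 && $1 != "root" { print "UID0    " $1 }' "$1"
        awk -F: '$2 == ""                { print "EMPTYPW " $1 }' "$2"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# is_locked <user> <shadow_file>: returns 0 when the password field starts
# with "!" or "*", which is what passwd -l writes (or a never-set password),
# otherwise 1
is_locked() {
    awk -F: -v u="$1" '$1 == u && $2 ~ /^[!*]/ { found = 1 } END { exit !found }' "$2"
}

# --- constructed sample data, not taken from a real system ---
sample=$(mktemp -d)
cat > "$sample/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svc:x:0:0:rogue uid 0:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$sample/shadow" <<'EOF'
root:!:19700:0:99999:7:::
svc::19700:0:99999:7:::
alice:$6$constructed$notarealhash:19700:0:99999:7:::
EOF

audit_accounts "$sample/passwd" "$sample/shadow" || echo "=> lock or remove the accounts above (sudo passwd -l <user>)"
# after "passwd -l svc" its field would start with "!"; is_locked confirms the state
for u in root svc alice; do
    if is_locked "$u" "$sample/shadow"; then echo "$u: locked"; else echo "$u: not locked"; fi
done
rm -r "$sample"
```

On the real host, run it as sudo audit_accounts /etc/passwd /etc/shadow; a non-zero exit status makes it easy to wire into a post-hardening check.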
Set Up SSH Security
sudo vi /etc/ssh/sshd_config
Locate the line '#Port 22', uncomment it and change the port number to 46853.
Set the following options for security. Set PermitRootLogin to no so that no one can log in as root over SSH. Keep in mind that sshd uses the first value it finds for each option, and on recent Ubuntu releases the top of sshd_config includes /etc/ssh/sshd_config.d/*.conf, so a drop-in there (cloud images often ship one) overrides anything you set later in the main file.
Port 46853 #you can change this to any number that your system won't use
PermitRootLogin no #only sudo allowed; by default, login does not have root power
Protocol 2 #deprecated: modern OpenSSH only speaks protocol 2, so this line has no effect
PasswordAuthentication no #force key-based auth; put your public key in ~/.ssh/authorized_keys before relying on it, or keep console access
PubkeyAuthentication yes #key auth allowed
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no #do not allow empty passwords
X11Forwarding no #denies use of a graphical interface over ssh
ClientAliveInterval 360 #seconds of silence before the server sends a keepalive request
ClientAliveCountMax 3 #unanswered keepalives before the idle session is disconnected (not a limit on users)
MaxAuthTries 6 #limits password guessing attempts per connection
IgnoreRhosts yes #SSH can emulate the behaviour of the obsolete rsh command, allowing users to enable insecure access to their accounts via .rhosts files; this turns that off
Check the configuration and restart the service so the changes take effect (you will be asked for sudo credentials):
sudo sshd -t
sudo sshd -T | grep -iE 'port|passwordauthentication|permitrootlogin'
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
sshd -t reports syntax errors before you lock yourself out, and sshd -T prints the values sshd will actually use. The unit is ssh.socket on Ubuntu 22.10 and later, where SSH is socket-activated; on earlier releases use sudo systemctl restart ssh.
Note: if you do not want SSH to be running on your system at all, use the following commands (on socket-activated releases also run sudo systemctl disable --now ssh.socket):
sudo systemctl stop sshd
sudo systemctl disable sshd
Note: you will eventually want to use TCP wrappers with your SSH. Be aware that OpenSSH dropped TCP wrappers (libwrap) support in version 6.7, so on current Ubuntu restrict access with AllowUsers or Match Address blocks in sshd_config, or with a firewall rule, instead.
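An added check for the first-value-wins behaviour described above, written for this guide rather than taken from the original or from OpenSSH. It flattens Include directives in the order sshd reads them and reports which of the hardened values would actually take effect; the configuration files it reads are parameters, and the sample it runs on is constructed (the drop-in name 50-drop-in.conf is made up).

```shell
# Audit of the values sshd will actually use (added example). sshd applies
# the FIRST value it meets for each keyword and reads Include'd files at the
# point of the Include line, so a drop-in under /etc/ssh/sshd_config.d/ wins
# over a later line in the main file. No root needed; sudo sshd -T shows the
# same effective values on a real host.

SSHD_DIR=${SSHD_DIR:-/etc/ssh}   # base directory for relative Include patterns

# flatten_config: read a config on stdin, expand Include directives
# recursively, and print the result in the order sshd reads it
flatten_config() {
    local line key pattern f
    while IFS= read -r line || [ -n "$line" ]; do
        key=$(printf '%s\n' "$line" | awk '{ print tolower($1) }')
        if [ "$key" = "include" ]; then
            pattern=$(printf '%s\n' "$line" | awk '{ print $2 }')
            case $pattern in /*) ;; *) pattern="$SSHD_DIR/$pattern" ;; esac
            for f in $pattern; do        # unquoted on purpose: expand the glob
                [ -f "$f" ] && flatten_config < "$f"
            done
        else
            printf '%s\n' "$line"
        fi
    done
}

# effective_value <config> <keyword>: first value set for keyword before any
# Match block (Match sections apply conditionally); empty if never set
effective_value() {
    flatten_config < "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/) }
        n < 2                    { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key     { print f[2]; exit }
    '
}

# audit_sshd <config>: compare effective values with the hardened ones from
# this guide; prints one line per mismatch and returns 1 if any, else 0
audit_sshd() {
    local want key expected actual rc
    rc=0
    for want in permitrootlogin=no passwordauthentication=no \
                pubkeyauthentication=yes permitemptypasswords=no \
                x11forwarding=no ignorerhosts=yes; do
        key=${want%%=*}; expected=${want#*=}
        actual=$(effective_value "$1" "$key")
        [ -z "$actual" ] && actual="(unset, default applies)"
        if [ "$actual" != "$expected" ]; then
            echo "$key: effective '$actual', want '$expected'"
            rc=1
        fi
    done
    return $rc
}

# --- constructed demonstration, not a real server configuration ---
demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
cat > "$demo/sshd_config" <<EOF
Include $demo/sshd_config.d/*.conf
Port 46853
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
IgnoreRhosts yes
EOF
# a constructed drop-in that re-enables passwords, as a provisioning tool might
echo 'PasswordAuthentication yes' > "$demo/sshd_config.d/50-drop-in.conf"

echo "Port in use: $(effective_value "$demo/sshd_config" Port)"
audit_sshd "$demo/sshd_config" || echo "=> fix or remove the drop-in before going online"
rm -r "$demo"
```

The demonstration prints that PasswordAuthentication is effectively yes even though the main file says no, which is exactly the case that makes a hardened sshd_config look right on paper while password logins stay enabled.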
Implement Sysctl Security Settings
Harden the kernel with these settings. Open /etc/sysctl.d/99-sysctl.conf (on Ubuntu this is a symlink to /etc/sysctl.conf) and add these lines at the end of the file:
# Network security
# Reverse-path filtering, prevents source-address spoofing
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
# Turn on TCP SYN cookies to protect from TCP DoS
# Note: may impact IPv6 TCP sessions
net.ipv4.tcp_syncookies=1
# Do not send ICMP redirects (only enable for routers like pfSense)
net.ipv4.conf.all.send_redirects=0
# Do not accept ICMP redirects (prevents MITM attacks)
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
# May not have a file or directory if IPv6 is disabled
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
# Prevent core dumps of setuid programs, limiting the sensitive info that is leaked
# May make troubleshooting, especially for developers, more difficult
# Good to have on if the system is stable and requires more security
fs.suid_dumpable=0
# Restrict kernel pointers
kernel.kptr_restrict=2
Apply the settings with sudo; without it the writes to /proc/sys are refused and the settings are ignored:
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf
Note: sudo sysctl --system reloads every file under /etc/sysctl.d in order, which is what happens at boot.
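An added verification step, not part of the original guide: compare each key in the sysctl file with what the running kernel reports under /proc/sys, so you can tell a typo or a missing IPv6 entry from a setting that really took effect. The /proc/sys root is a parameter, and the sample below uses a constructed file tree; on a real host run check_sysctl /etc/sysctl.d/99-sysctl.conf.

```shell
# check_sysctl <conf> [proc_root]: verify that the running kernel matches a
# sysctl file (added example). Reads "key = value" lines, maps each key to
# its /proc/sys entry (dots become slashes) and compares.
#   DRIFT   the running value differs from the configured one
#   MISSING the key does not exist (e.g. a net.ipv6.* key after IPv6 was
#           disabled, or a module that is not loaded)
# Returns 1 if anything was reported, 0 if everything matches.
check_sysctl() {
    local conf root rc key value path current
    conf=$1; root=${2:-/proc/sys}; rc=0
    while read -r key value; do
        [ -z "$key" ] && continue
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ ! -r "$path" ]; then
            echo "MISSING $key (no $path)"
            rc=1
            continue
        fi
        # /proc/sys separates multi-value entries with tabs; normalise to spaces
        current=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ *$//')
        if [ "$current" != "$value" ]; then
            echo "DRIFT   $key: running='$current' configured='$value'"
            rc=1
        fi
    done <<EOF
$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*=[[:space:]]*/ /' "$conf")
EOF
    return $rc
}

# --- constructed demonstration: a fake /proc/sys tree and a small config ---
fake=$(mktemp -d)
mkdir -p "$fake/net/ipv4/conf/all" "$fake/kernel"
echo 1 > "$fake/net/ipv4/conf/all/rp_filter"
echo 0 > "$fake/net/ipv4/tcp_syncookies"        # not yet applied: drift
echo 2 > "$fake/kernel/kptr_restrict"
cat > "$fake/hardening.conf" <<'EOF'
# constructed sample in the same format as /etc/sysctl.d/99-sysctl.conf
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects=0
kernel.kptr_restrict=2
EOF
if check_sysctl "$fake/hardening.conf" "$fake"; then
    echo "kernel matches config"
else
    echo "=> apply with: sudo sysctl -p <file>, then re-check"
fi
rm -r "$fake"
```

Because the function only reads files, it can be run as an unprivileged user after every reboot as a cheap drift check on the settings this section applies.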
Disable IPv6 If Not Used
sudo vi /etc/default/grub
Change the following line to (if it already carries other parameters, add ipv6.disable=1 to them rather than replacing them):
GRUB_CMDLINE_LINUX="ipv6.disable=1"
sudo update-grub
reboot
Check that IPv6 is not working; no inet6 address should be listed (the net.ipv6.* sysctl lines above will then report "No such file or directory", which is expected):
ip a
Disable Insecure Protocols
rlogin
rsh
telnet
ftp
SNMP v1/v2c
Ubuntu Server does not install these by default; check what is present with dpkg -l | grep -Ei 'rsh|telnet|ftp|snmp' and ss -lntu before removing or disabling anything.
**Note: certain protocols may be needed by specific services (for example SNMP for network management, FTP for file transfer); if you do not intend to use them, disable them for best security practice
Hash System Files
Hashing files will let you know if they have been tampered with, and the hashes can be used later for baseline comparison.
Note that if a file has been legitimately updated, its hash will change (for example, if a user is added, the hash of /etc/shadow changes completely). Also, do NOT use MD5, as it is now considered insecure. Run the command with sudo for files such as /etc/shadow that only root can read, verify later with sha256sum -c fileHash.txt, and keep a copy of fileHash.txt off the server, since an attacker with root access can rewrite the local copy.
sudo sha256sum <filename> >> fileHash.txt
Files to hash include:
~/serverInfo.txt
~/.bashrc
/etc/shadow
/etc/passwd
/etc/grub.d/40_custom
/etc/ssh/* (this already covers sshd_config)
/etc/ssh/sshd_config
/etc/sysctl.d/99-sysctl.conf
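The baseline comparison this section refers to, as an added example that is not part of the original guide: make_baseline hashes every path (or glob, such as /etc/ssh/*) listed in a file and reports what it could not read instead of skipping it silently, and verify_baseline re-checks with sha256sum -c. Paths are parameters and the demonstration below runs on constructed temporary files; on the real host run both with sudo and write ~ as $HOME, since tilde is not expanded inside the list.

```shell
# SHA-256 baseline of system files: create once, verify later (added example).
# make_baseline <listfile> <baseline_out>
#   listfile has one path or glob per line; "#" lines are comments.
#   Unreadable or missing paths are reported on stderr, not skipped quietly,
#   so a file that needs sudo is noticed when the baseline is made.
make_baseline() {
    local list out line f
    list=$1; out=$2
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        for f in $line; do           # unquoted on purpose: expand globs like /etc/ssh/*
            if [ -f "$f" ] && [ -r "$f" ]; then
                sha256sum "$f" >> "$out"
            else
                echo "SKIPPED $f (missing or unreadable; rerun with sudo?)" >&2
            fi
        done
    done < "$list"
}

# verify_baseline <baseline>: prints "<file>: FAILED" for every changed or
# missing file and returns non-zero if there was any; silent and 0 when clean
verify_baseline() {
    sha256sum --quiet -c "$1" 2>/dev/null
}

# --- constructed demonstration on temporary files ---
work=$(mktemp -d)
echo 'PermitRootLogin no' > "$work/sshd_config"
echo 'kernel.kptr_restrict=2' > "$work/99-sysctl.conf"
echo 'root:x:0:0:root:/root:/bin/bash' > "$work/passwd"
cat > "$work/files.lst" <<EOF
# constructed list; on a real host use absolute paths such as /etc/shadow
$work/passwd
$work/*.conf
$work/sshd_config
$work/shadow
EOF
make_baseline "$work/files.lst" "$work/fileHash.txt"   # reports shadow as SKIPPED
echo "baseline entries: $(wc -l < "$work/fileHash.txt")"
verify_baseline "$work/fileHash.txt" && echo "no changes"
echo 'backdoor:x:0:0::/root:/bin/bash' >> "$work/passwd"  # simulated tampering
verify_baseline "$work/fileHash.txt" || echo "=> investigate the files listed above"
rm -r "$work"
```

The demonstration prints three baseline entries, then "no changes", then the passwd line marked FAILED after the simulated edit; the non-zero return makes the check usable from cron or a login script.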