{"id":47,"date":"2023-09-28T21:53:08","date_gmt":"2023-09-28T14:53:08","guid":{"rendered":"http:\/\/nitirat.ddns.net\/wordpress\/?p=47"},"modified":"2024-05-07T21:25:36","modified_gmt":"2024-05-07T14:25:36","slug":"harden-your-ubuntu-20-04-hosting-server","status":"publish","type":"post","link":"http:\/\/nitirat.ddns.net\/wordpress\/?p=47","title":{"rendered":"Harden your Ubuntu 20.04 hosting server"},"content":{"rendered":"\n

We will look at some general server steps to harden your Ubuntu 20.04.<\/p>\n\n\n\n

1. Set Auto-update On Ubuntu 20.04<\/strong><\/h2>\n\n\n\n
# sudo apt install unattended-upgrades<\/code>\n\nNow open the below file and edit <\/pre>\n\n\n\n
# vim \/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/pre>\n\n\n\n
Uncomment this line :<\/p>\n\n\n\n
\"${distro_id}:${distro_codename}-updates\";<\/code><\/p>\n\n\n\n
Now remove unused kernel packages and dependencies . Make sure these lines are added \/ uncommented :<\/p>\n\n\n\n

Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";
Unattended-Upgrade::Remove-Unused-Dependencies \"true\";
Unattended-Upgrade::Automatic-Reboot \"true\";
Unattended-Upgrade::Automatic-Reboot-Time \"00:00\"<\/pre>\n\n\n\n
Edit the \/etc\/apt\/apt.conf.d\/20auto-upgrades file and set the time interval for update checks ( one week or so depeneding on your choice )<\/p>\n\n\n\n
APT::Periodic::Update-Package-Lists \"7\";<\/code>
APT::Periodic::Download-Upgradeable-Packages \"7\";<\/code>
APT::Periodic::AutocleanInterval \"7\";<\/code>
APT::Periodic::Unattended-Upgrade \"7\";<\/code><\/p>\n\n\n\n
2. Install CSF firewall which comes with the LFD login monitor.<\/h2>\n\n\n\n
The ufw in ubuntu is good for a basic firewall, but CSF \/ LFD provides us with more options and helps to monitor the login failures and block the offending IPs automatically.<\/p>\n\n\n\n
# cd \/usr\/src\n# wget https:\/\/download.configserver.com\/csf.tgz \n# tar -xzf csf.tgz \n# cd csf \n# sh install.sh\n\n# apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl\n\nOpen \/etc\/csf\/csf.conf and remove the TESTING mode and restart the service using csf -r\n<\/pre>\n\n\n\n
3. Change the default SSH port and disable root login<\/h2>\n\n\n\n
# vim \/etc\/ssh\/sshd_config<\/pre>\n\n\n\n
Change port number to something custom like 2900 or and open the same port in CSF config file \u2013 TCP_IN section.<\/p>\n\n\n\n
Now, create a sudo user and lets disable the root login<\/p>\n\n\n\n
# adduser newusername\n# passwd newusername<\/pre>\n\n\n\n
$ Now, we want to edit the sudo rights and grant administrative privilages to this user.<\/p>\n\n\n\n
# vi \/etc\/sudoers<\/code><\/p>\n\n\n\n
Add the username which we just created, below the space<\/p>\n\n\n\n
## Allow root to run any commands anywhere
root ALL=(ALL) ALL<\/code>
newusername ALL=(ALL) ALL<\/pre>\n\n\n\n
Now save and close this file. Go to your ssh configuration file and give the setting :<\/p>\n\n\n\n
PermitRootLogin no<\/code><\/p>\n\n\n\n
4. Installing chkrootkit on Ubuntu 20.04<\/h2>\n\n\n\n
# apt-get update\n# apt install chkrootkit\n\nOpen \/etc\/chkrootkit.conf , Replace the first line to reflect RUN_DAILY=\"true\"\n\n<\/pre>\n\n\n\n
5. Secure Apache by removing Apache Version and OS Identity from Errors<\/h2>\n\n\n\n
# vim \/etc\/apache2\/apache2.conf\n\nAdd the following lines and restart the apache service.\n\nServerSignature Off \nServerTokens Prod\n\n<\/pre>\n\n\n\n
6. Disable Directory Listing on Apache<\/h2>\n\n\n\n
Turn off<\/strong> directory listing by using Options directive<\/strong> in configuration file \u2013 \/etc\/apache2\/apache2.conf<\/p>\n\n\n\n
<Directory \/var\/www\/domainname>\n    Options -Indexes\n<\/Directory>\n<\/pre>\n\n\n\n
7. Setup and configure Mod_Security on Apache 20.04<\/h2>\n\n\n\n
# apt install libapache2-mod-security2\n\n# sudo cp \/etc\/modsecurity\/modsecurity.conf-recommended \/etc\/modsecurity\/modsecurity.conf\n\n# vi \/etc\/modsecurity\/modsecurity.conf\n\nChange 'SecRuleEngine' to SecRuleEngine on\n<\/strong>\nNext Download Latest OWASP ModSecurity Rules\n<\/strong>Download the latest OWASP CRS from GitHub.\n# wget https:\/\/github.com\/coreruleset\/coreruleset\/archive\/v3.3.0.tar.gz\nExtract the file.\n# tar xvf v3.3.0.tar.gz\nCreate a directory to store CRS files.\n# sudo mkdir \/etc\/apache2\/modsecurity-crs\/\nMove the extracted directory to \/etc\/apache2\/modsecurity-crs\/<\/code>.\n# sudo mv coreruleset-3.3.0\/ \/etc\/apache2\/modsecurity-crs\/\nGo to that directory.\n# cd \/etc\/apache2\/modsecurity-crs\/coreruleset-3.3.0\/\nRename the crs-setup.conf.example<\/code> file.\n# sudo mv crs-setup.conf.example crs-setup.conf\nEdit the \/etc\/apache2\/mods-enabled\/security2.conf<\/code> file.\n# sudo nano \/etc\/apache2\/mods-enabled\/security2.conf\nFind the following line, which loads the default CRS files.\n\nIncludeOptional \/usr\/share\/modsecurity-crs\/*.load\n\nChange it to the following, so the latest OWASP CRS will be used.\n\nIncludeOptional \/etc\/apache2\/modsecurity-crs\/coreruleset-3.3.0\/crs-setup.conf \nIncludeOptional \/etc\/apache2\/modsecurity-crs\/coreruleset-3.3.0\/rules\/*.conf\n\n\"apache\nSave and close the file. Then test Apache configuration.\n# sudo apache2ctl -t\nIf the syntax is OK, then restart Apache.\n# sudo systemctl restart apache2<\/pre>\n\n\n\n
Test if it\u2019s working by loading \u2013 http:\/\/serverIP\/index.html?exec=\/bin\/bash on your browser. You should receive a 403 forbidden error.<\/p>\n","protected":false},"excerpt":{"rendered":"
We will look at some general server steps to harden your Ubuntu 20.04. 1. Set Auto-update On Ubuntu 20.04 # sudo apt install unattended-upgrades Now open the below file and edit # vim \/etc\/apt\/apt.conf.d\/50unattended-upgrades Uncomment this line : “${distro_id}:${distro_codename}-updates”; Now remove unused kernel packages and dependencies . Make sure these lines are added \/ uncommented : […]<\/p>\n","protected":false},"author":1,"featured_media":119,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[6],"tags":[],"class_list":["post-47","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ubuntu"],"_links":{"self":[{"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/47","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=47"}],"version-history":[{"count":1,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/47\/revisions"}],"predecessor-version":[{"id":48,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/47\/revisions\/48"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/media\/119"}],"wp:attachment":[{"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=47"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=47"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=47"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}