This guide provides detailed instructions for installing and configuring essential security packages on Ubuntu Server.

Table of Contents

  1. System Updates
  2. UFW (Uncomplicated Firewall)
  3. Fail2ban
  4. ClamAV
  5. Rootkit Hunter (rkhunter)
  6. Lynis
  7. Unattended Upgrades
  8. Auditd
  9. AppArmor
  10. LogWatch
  11. AIDE
  12. Security Best Practices
  13. User Log Commands With acct

System Updates

Before installing security packages, ensure your system is up to date:

# Update package lists
sudo apt update

# Upgrade installed packages
sudo apt upgrade -y

# Also apply upgrades that add or remove dependencies, such as new kernels
# (full-upgrade is apt's name for dist-upgrade; it is not "security only")
sudo apt full-upgrade -y

# Reboot if a kernel or libc update is waiting
[ -f /var/run/reboot-required ] && sudo reboot

UFW (Uncomplicated Firewall)

UFW is a front end for the kernel packet filter (iptables, or nftables through iptables-nft on current releases). It is installed by default on Ubuntu Server but stays inactive until you enable it.

Installation

sudo apt install ufw -y

Configuration

# Check status (inactive on a fresh install)
sudo ufw status

# Set the default policies first: drop unsolicited inbound traffic, allow outbound.
# This is the recommended baseline, not an optional extra.
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH BEFORE enabling the firewall, or you lock yourself out
# (change 22 if you use a non-standard SSH port)
sudo ufw allow 22/tcp

# Allow HTTP and HTTPS if this host serves them
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable UFW last; it persists across reboots
sudo ufw enable

# Check rules
sudo ufw status verbose

Advanced UFW Configuration

Rate limiting for SSH (allows the port but drops a source that opens more than 6 connections in 30 seconds, which blunts password guessing):

sudo ufw limit ssh

Allow access from a specific IP only (afterwards remove the broad rule with ufw delete allow 22/tcp, or it still admits everyone):

sudo ufw allow proto tcp from 192.168.1.100 to any port 22
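The order above matters because ufw enable activates the policy immediately. The script below is an added example, not part of the original guide: it applies the same baseline unattended and reads the port sshd actually listens on from sshd -T, so a non-standard port is not missed. It assumes OpenSSH and ufw are installed and that it is run as root with the argument apply; without that argument it only parses a constructed sshd -T sample.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): apply the UFW baseline without
# locking yourself out. Assumptions: OpenSSH (sshd -T prints the effective
# config) and ufw are installed; run as root with the argument "apply".
set -eu

# Constructed sample of `sshd -T` output, used when not applying for real.
SAMPLE_SSHD_T='port 2222
addressfamily any
listenaddress [::]:2222
listenaddress 0.0.0.0:2222
passwordauthentication no'

# ssh_ports_from_config < sshd-T-output : prints the listening port(s), space separated.
# sshd -T emits one "port N" line per Port directive, so there may be several.
ssh_ports_from_config() {
    awk '$1 == "port" { print $2 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# apply_firewall "<port> [<port>...]" : policies, then SSH, then services, then enable.
apply_firewall() {
    local ports="$1" p
    # 1. Policies first; they only take effect once ufw is enabled.
    ufw default deny incoming
    ufw default allow outgoing
    # 2. Admit SSH before enabling. "limit" also drops a source that opens
    #    more than 6 connections in 30 seconds, which blunts brute force.
    for p in $ports; do
        ufw limit "${p}/tcp"
    done
    # 3. Services this host actually serves.
    ufw allow 80/tcp
    ufw allow 443/tcp
    # 4. Only now enable; --force skips the interactive confirmation.
    ufw --force enable
    ufw status verbose
}

if [ "${1:-}" = "apply" ]; then
    ports=$(sshd -T 2>/dev/null | ssh_ports_from_config)
    # Fall back to 22 if sshd -T produced nothing (e.g. not running as root).
    apply_firewall "${ports:-22}"
else
    echo "SSH port(s) in the sample: $(printf '%s\n' "$SAMPLE_SSHD_T" | ssh_ports_from_config)"
fi
```

Run it as sudo ./ufw-baseline.sh apply over an existing SSH session; if the session survives the ufw --force enable at the end, the ordering was right. sshd -T needs root because it reads the host keys, which is why the script falls back to port 22 when it gets no output.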

Fail2ban

Fail2ban protects against brute-force attacks by temporarily banning IPs after failed login attempts.

Installation

sudo apt install fail2ban -y

Configuration

Create a local configuration file. Do not edit jail.conf (it is replaced on package upgrade) and avoid copying it wholesale into jail.local, which would freeze every default; jail.local only needs the settings you override:

sudo nano /etc/fail2ban/jail.local

Basic configuration in jail.local:

[DEFAULT]
# Ban IP for 1 hour (3600 seconds)
bantime = 3600

# Window in which maxretry failures must occur (600 seconds = 10 minutes)
findtime = 600

# Ban after 5 failures within findtime
maxretry = 5

# Email notifications (optional; needs a working local MTA)
destemail = [email protected]
sendername = Fail2Ban
mta = sendmail

# Default action to ban IPs; use "ufw" instead if UFW manages this host's firewall,
# so bans and your own rules live in the same place
banaction = iptables-multiport

[sshd]
enabled = true
# "ssh" resolves via /etc/services to 22; put the number here if sshd listens elsewhere
port = ssh
filter = sshd
logpath = /var/log/auth.log
# Ubuntu 24.04 no longer installs rsyslog, so /var/log/auth.log does not exist and
# the jail fails to start; on such hosts read the journal instead:
# backend = systemd
maxretry = 3

Enable and start Fail2ban in one step:

sudo systemctl enable --now fail2ban

Check Fail2ban status (the sshd jail should show a non-zero "Total failed" once someone has tried a bad password):

sudo fail2ban-client status
sudo fail2ban-client status sshd

If you ban yourself while testing, lift the ban from another session or the console:

sudo fail2ban-client set sshd unbanip 203.0.113.5
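What findtime and maxretry mean in practice, as an added example that is not part of the original guide: the script below replays a few constructed sshd log lines (classic rsyslog auth.log format) through a sliding window in awk and prints the addresses the sshd jail would ban for a given findtime/maxretry pair. It is a model of the jail's counting, not fail2ban's own code: it matches only "Failed password" lines, where the real sshd filter knows many more patterns, and it assumes all lines fall on the same day.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): a model of how fail2ban counts
# failures against findtime/maxretry. Assumes classic rsyslog auth.log lines
# ("Mon DD HH:MM:SS host sshd[pid]: ...") that all fall on the same day.
set -eu

# Constructed sample: 203.0.113.5 fails three times inside two minutes,
# 198.51.100.9 fails three times spread over half an hour.
SAMPLE_LOG='Mar 10 10:00:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar 10 10:00:30 srv sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar 10 10:01:10 srv sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 10 10:02:00 srv sshd[1004]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar 10 10:15:00 srv sshd[1005]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 10 10:30:00 srv sshd[1006]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 10 10:31:00 srv sshd[1007]: Accepted publickey for deploy from 192.0.2.7 port 39000 ssh2'

# would_ban <findtime> <maxretry> < log : prints each IP, once, the first time it
# accumulates maxretry failures within a findtime-second window.
would_ban() {
    local findtime="$1" maxretry="$2"
    awk -v findtime="$findtime" -v maxretry="$maxretry" '
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, t, ":")                      # HH:MM:SS -> seconds since midnight
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++)
                if ($i == "from") ip = $(i + 1)
            n[ip]++
            seen[ip, n[ip]] = ts
            hits = 0                               # failures inside (ts - findtime, ts]
            for (j = 1; j <= n[ip]; j++)
                if (seen[ip, j] > ts - findtime) hits++
            if (hits >= maxretry && !(ip in banned)) {
                banned[ip] = ts
                print ip
            }
        }'
}

# Same sample, same jail settings as in jail.local above (findtime = 600, maxretry = 3):
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 3
```

With findtime = 600 and maxretry = 3 only 203.0.113.5 is printed: 198.51.100.9 also fails three times, but never three times inside any ten-minute window, so it is never banned; raise findtime to 3600 and it is. That is the trade-off the two settings encode: a short findtime misses slow, patient guessing, a long one bans more legitimate users who mistype. On a live host, sudo fail2ban-client status sshd shows the same decision for real traffic.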

ClamAV

ClamAV is an open-source antivirus scanner.

Installation

sudo apt install clamav clamav-daemon -y

Configuration

freshclam refuses to run while the clamav-freshclam service holds its lock, so stop the service for the first manual update (clamscan fails until a signature database exists):

sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

Scan the system (exit status 0 means clean, 1 means something was found, 2 means an error):

# Scan a specific directory
sudo clamscan -r /directory/to/scan

# Scan and delete infected files. Deletion is irreversible and false positives
# happen; quarantining with --move=/path/to/quarantine is the safer default
sudo clamscan -r --remove=yes /directory/to/scan

# Scan entire system, skipping the pseudo-filesystems (be patient, this takes time)
sudo clamscan -r --exclude-dir="^/sys" --exclude-dir="^/proc" --exclude-dir="^/dev" /

Setting up scheduled scans with cron:

sudo nano /etc/cron.daily/clamav-scan

Add the following content:

#!/bin/bash
# Daily ClamAV scan of user and web content. run-parts skips file names
# containing dots, so keep this script named clamav-scan.
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
DIRTOSCAN="/home /var/www"   # unquoted below on purpose: one argument per directory

# Create log directory if it doesn't exist
mkdir -p /var/log/clamav

# -r recurse, -i report infected files only; exit status 1 means something was found
echo "ClamAV scan started at $(date)" > "$LOGFILE"
clamscan -ri $DIRTOSCAN >> "$LOGFILE"
STATUS=$?
echo "ClamAV scan completed at $(date) with exit status $STATUS" >> "$LOGFILE"

# cron mails whatever a job prints, so print the log only when there is something to see
[ "$STATUS" -eq 0 ] || cat "$LOGFILE"

Make the script executable:

sudo chmod 755 /etc/cron.daily/clamav-scan

Rootkit Hunter (rkhunter)

Rkhunter scans for rootkits, backdoors, and local exploits.

Installation

sudo apt install rkhunter -y

Configuration

Record the current file properties. Do this on a freshly installed system you trust, since the baseline is what later checks compare against:

sudo rkhunter --propupd

Run a system check:

sudo rkhunter --check

Set up automatic updates and scans via cron. The Ubuntu package already ships /etc/cron.daily/rkhunter; do not overwrite it (dpkg would flag the conffile as modified on every upgrade). Switch it on in /etc/default/rkhunter instead:

sudo nano /etc/default/rkhunter

Set:

# Run the daily check and the data-file update from cron, and refresh the
# file-properties database automatically after apt installs or upgrades packages
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"

Modify the main configuration:

sudo nano /etc/rkhunter.conf

Important settings:

ALLOW_SSH_ROOT_USER=no
SCRIPTWHITELIST=/usr/bin/lwp-request
PKGMGR=DPKG
MAIL-ON-WARNING=[email protected]

Ubuntu ships WEB_CMD="/bin/false" in this file, which makes rkhunter --update fail with an "Invalid WEB_CMD" error; set WEB_CMD="" if you want the data files fetched from the network. Validate the file afterwards with sudo rkhunter --config-check.

Lynis

Lynis is a security auditing tool for UNIX-based systems. It reads configuration and runs local checks, then prints warnings and suggestions with an identifier you can look up; it changes nothing on the host. The Ubuntu package lags upstream, so expect some checks to be out of date.

Installation

sudo apt install lynis -y

Usage

Run a system audit:

sudo lynis audit system

Create an automated daily audit:

sudo nano /etc/cron.daily/lynis-audit

Add the following content:

#!/bin/bash
# Daily Lynis audit. --cronjob runs non-interactively without colours; the
# machine-readable report goes to REPORT, the human-readable log to /var/log/lynis.log
AUDITOR="automated"
DATE=$(date +%Y%m%d)
REPORT="/var/log/lynis-report-${DATE}.dat"

/usr/bin/lynis audit system --cronjob --auditor "${AUDITOR}" --report-file "${REPORT}"

Make the script executable:

sudo chmod 755 /etc/cron.daily/lynis-audit

Unattended Upgrades

Enables automatic installation of security updates.

Installation

sudo apt install unattended-upgrades apticron -y

Configuration

Configure automatic updates:

sudo dpkg-reconfigure -plow unattended-upgrades

Edit the configuration file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Enable security updates and adjust settings (the "-updates" pocket is deliberately absent from the list, so only security fixes install on their own):

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // Ubuntu Pro (ESM) origins; harmless if the host is not attached
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

Unattended-Upgrade::Package-Blacklist {
    // Add packages you don't want automatically updated
};

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Kernel and libc fixes only take effect after a reboot. With Automatic-Reboot
// off, watch for /var/run/reboot-required and schedule the reboot yourself.
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Configure automatic updates schedule:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Add the following:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Test the configuration (a dry run prints what would be installed without installing it; real runs are logged in /var/log/unattended-upgrades/unattended-upgrades.log):

sudo unattended-upgrade --dry-run --debug

Auditd

Auditd receives events from the kernel audit subsystem (file access, system calls, logins) and writes them to /var/log/audit/audit.log. Unlike application logs, these records are produced by the kernel, so a process cannot avoid them by not logging.

Installation

sudo apt install auditd audispd-plugins -y

Configuration

Start and enable the service:

sudo systemctl start auditd
sudo systemctl enable auditd

Configure audit rules:

sudo nano /etc/audit/rules.d/audit.rules

Add basic rules:

# Delete all existing rules
-D

# Buffer size (raise it if "backlog limit exceeded" shows up in the log)
-b 8192

# Monitor changes to identity files (w = write, a = attribute change)
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity

# Monitor privilege escalation (x = execute)
-w /usr/bin/sudo -p x -k sudo_execute

# Log every program execution. Noisy on busy hosts; both ABIs are needed,
# otherwise a 32-bit binary would bypass the rule
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec

# Monitor network configuration (Ubuntu uses netplan; /etc/network/ is ifupdown)
-w /etc/netplan/ -p wa -k network
-w /etc/network/ -p wa -k network
-w /etc/hosts -p wa -k network

# Monitor mounts
-a always,exit -F arch=b64 -S mount -S umount2 -k mount
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -k mount

Load the rules (augenrules merges every file in rules.d into /etc/audit/audit.rules and applies it, which is also what auditd does at start-up) and confirm they are active:

sudo augenrules --load
sudo auditctl -l

View audit logs by key or by time:

sudo ausearch -k identity
sudo ausearch -ts today

AppArmor

AppArmor is a Mandatory Access Control (MAC) system that restricts programs’ capabilities.

Installation

sudo apt install apparmor apparmor-utils -y

Configuration

Check AppArmor status:

sudo aa-status

Enable AppArmor (it is already active on a stock Ubuntu install; these commands only matter if it was turned off):

sudo systemctl enable --now apparmor

Set a profile to enforce mode. Do this per profile: aa-enforce /etc/apparmor.d/* fails on the non-profile entries in that directory (abstractions/, tunables/, local/, disable/), and forcing every profile into enforce mode can break a service whose profile was shipped in complain mode. aa-status lists which profiles are in complain mode; aa-complain puts a profile back into learning mode if enforcing it breaks something:

sudo aa-enforce /etc/apparmor.d/[profile]

Create a custom profile (aa-genprof is interactive: exercise the program's normal workload in a second terminal and answer its prompts; denials appear in the journal as audit messages with apparmor="DENIED"):

sudo aa-genprof /path/to/program

LogWatch

LogWatch provides customizable log analysis.

Installation

sudo apt install logwatch -y

Configuration

Put your overrides in the local configuration file (the defaults live in /usr/share/logwatch/default.conf/logwatch.conf and are replaced on upgrade):

sudo nano /etc/logwatch/conf/logwatch.conf

Set your preferences:

LogDir = /var/log
TmpDir = /var/cache/logwatch
MailTo = [email protected]
MailFrom = [email protected]
Range = yesterday
Detail = Med
Service = All

Run LogWatch manually:

sudo logwatch --output file --filename /var/log/logwatch.log --detail High --range today

Schedule daily reports: the logwatch package already installs /etc/cron.daily/00logwatch, which mails the report every day using the settings above, so nothing more is needed. Confirm it is there:

cat /etc/cron.daily/00logwatch

AIDE (Advanced Intrusion Detection Environment)

AIDE is a file and directory integrity checker.

Installation

sudo apt install aide -y

Configuration

Initialize the AIDE database. Do this on a freshly installed system you trust: a baseline taken after a compromise just records the compromise.

sudo aideinit

This creates a new database at /var/lib/aide/aide.db.new (aideinit runs update-aide.conf first, so the Debian configuration layout in /etc/aide/aide.conf.d/ is picked up).

Move the new database to the actual database location:

sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Edit the configuration:

sudo nano /etc/aide/aide.conf

Basic configuration includes:

# Define what directories to monitor. PERMS records ownership and permissions
# only; to catch content changes use a rule that includes a checksum, e.g.
# p+u+g+sha256. On Ubuntu, add local rules as a new file under
# /etc/aide/aide.conf.d/ instead of editing aide.conf, which the package manages.
/etc/ PERMS
/bin/ PERMS
/sbin/ PERMS
/usr/bin/ PERMS
/usr/sbin/ PERMS

Run a manual check. On Ubuntu use aide.wrapper, which points aide at the configuration aideinit generated (plain aide needs -c with the config path). The exit status encodes the result: 0 no changes; 1 new, 2 removed, 4 changed files, added together; 14 and above are errors:

sudo aide.wrapper --check

Set up daily checks. aide-common already installs /etc/cron.daily/aide, which runs the check and mails the report (its options are in /etc/default/aide), so a custom script is only needed if you want something different. If you do, keep the exit status so changes are noticed:

sudo nano /etc/cron.daily/aide-local

Add:

#!/bin/bash
mkdir -p /var/log/aide
LOG="/var/log/aide/$(date +%Y%m%d).log"
/usr/bin/aide.wrapper --check > "$LOG"
STATUS=$?
# 0 = no changes; 1/2/4 (and sums) = new/removed/changed files; 14+ = error.
# cron mails whatever is printed, so print the report only when there is one.
[ "$STATUS" -eq 0 ] || cat "$LOG"

Make executable:

sudo chmod 755 /etc/cron.daily/aide-local

Update the AIDE database after legitimate system changes (package upgrades, configuration edits), having first reviewed the check output so you are not baselining an intruder's changes:

sudo aide.wrapper --update
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Security Best Practices

  1. SSH Hardening:

    sudo nano /etc/ssh/sshd_config
    

    Recommended settings. sshd takes the FIRST value it sees for a keyword, and Ubuntu's
    sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in (cloud-init
    writes one) can silently override lines you add below; check the effective values with
    sudo sshd -T. Disable passwords only after a key login has worked from a second session:

    PermitRootLogin no
    PasswordAuthentication no
    PubkeyAuthentication yes
    PermitEmptyPasswords no
    MaxAuthTries 3
    # Drop idle sessions after 300 s x 2 unanswered keepalives
    # (ClientAliveCountMax 0 disables termination in current OpenSSH)
    ClientAliveInterval 300
    ClientAliveCountMax 2
    

    "Protocol 2" is no longer needed: OpenSSH 7.4 and later speak only protocol 2.

    Validate the file, then restart SSH (the unit is ssh.service on Ubuntu):

    sudo sshd -t && sudo systemctl restart ssh
    
  2. Disable Unused Services:

    # List running services
    sudo systemctl list-units --type=service --state=running
    
    # Stop and disable a service you don't need
    sudo systemctl disable --now [service-name]
    
  3. Remove Unnecessary Packages:

    sudo apt autoremove -y
    
  4. Set Strong Password Policies:

    sudo apt install libpam-pwquality -y
    

    Installing the package lets pam-auth-update add pam_pwquality.so to
    /etc/pam.d/common-password for you; hand edits to that file are overwritten the next
    time pam-auth-update runs, so put the policy in /etc/security/pwquality.conf instead:

    sudo nano /etc/security/pwquality.conf
    

    # At least 12 characters with at least one upper, one lower, one digit and one
    # symbol; at least 3 characters different from the old password; the username
    # may not appear inside it; the rules apply to root as well
    minlen = 12
    difok = 3
    ucredit = -1
    lcredit = -1
    dcredit = -1
    ocredit = -1
    usercheck = 1
    enforce_for_root
    
  5. Check for Open Ports:

    # ss ships with iproute2 and is already installed; netstat (net-tools) is deprecated
    sudo ss -tulpn
    
  6. Keep Backups:

    # Install backup tool
    sudo apt install rsync -y
    
    # Example backup command. --delete mirrors removals too, so keep the copy off-host
    # or versioned; a trailing slash on the source copies its contents, not the directory
    rsync -avz --delete /source/directory /backup/directory
    
  7. Secure Shared Memory: Add to /etc/fstab (on current Ubuntu /run/shm is a symlink to /dev/shm, so the mount point is /dev/shm; noexec can break software that maps executable code there, so test before rebooting):

    tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0
    
  8. Kernel Hardening with sysctl (a file under /etc/sysctl.d/ survives upgrades better than edits to /etc/sysctl.conf):

    sudo nano /etc/sysctl.d/99-hardening.conf
    

    Add:

    # Reverse-path filtering: drop packets whose source address is not routable
    # via the interface they arrived on (anti-spoofing)
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    
    # Disable IP forwarding (leave it on for routers, VPN gateways and container
    # hosts; Docker turns it back on)
    net.ipv4.ip_forward = 0
    
    # Ignore ICMP echo requests. Optional: it hides nothing from a port scan and
    # breaks ping-based monitoring, so many admins leave it at 0
    net.ipv4.icmp_echo_ignore_all = 1
    
    # SYN cookies keep listening sockets reachable during a SYN flood
    net.ipv4.tcp_syncookies = 1
    
    # Disable source routing
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv6.conf.all.accept_source_route = 0
    

    Apply changes and verify one of them:

    sudo sysctl --system
    sysctl net.ipv4.tcp_syncookies
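A check for item 1 above, added here as an example rather than taken from the original guide: the script audits an sshd_config text against the recommended values while honouring sshd's first-occurrence rule, so a hardened line appended below an earlier weak one is correctly reported as ineffective. It assumes the configuration has no Match blocks and treats an unset keyword as a deviation (defaults change between releases, so the guide's settings are expected to be explicit); the sample configuration is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit an sshd_config for the
# settings recommended above. Assumption: no Match blocks. sshd uses the FIRST
# occurrence of a keyword, so "PasswordAuthentication no" appended to a file that
# already says "yes" higher up changes nothing; this checker mirrors that rule.
set -eu

# keyword=expected pairs (keywords are case-insensitive in sshd_config)
WANT='permitrootlogin=no
passwordauthentication=no
pubkeyauthentication=yes
permitemptypasswords=no
maxauthtries=3'

# Constructed sample: the weak value comes first, the hardened one was appended later.
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
PasswordAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no   # appended by an admin, ignored by sshd'

# effective_value <keyword> < config : prints the first non-comment value for keyword
effective_value() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }'
}

# check_config < config : prints one line per deviation; returns 1 if there were any
check_config() {
    local cfg rc=0 key want got
    cfg=$(cat)
    while IFS='=' read -r key want; do
        got=$(printf '%s\n' "$cfg" | effective_value "$key")
        if [ "${got:-<unset>}" != "$want" ]; then
            printf '%s: effective=%s expected=%s\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done <<EOF
$WANT
EOF
    return "$rc"
}

# The sample fails on three counts: password auth is still on, root login is only
# restricted to keys, and PermitEmptyPasswords was never set explicitly.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | check_config || echo "non-compliant settings found"
```

On a live host feed it the effective configuration rather than the file, since that already merges the Include directory: sudo sshd -T | check_config (sshd -T prints keywords in lower case, which the checker accepts).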
    

User Log Commands With acct

The acct package enables BSD process accounting, which records every command run by every user (command name, user, TTY, CPU time and exit flags, but not the arguments) once the process exits.

Installing

sudo apt install acct
sudo systemctl enable --now acct

Usage

# Show the 10 most recent commands (lastcomm lists newest first)
lastcomm | head -10

# Show total login time per day
ac -d

# Show login time per day and per user
ac -dp

# Show summary accounting information per command
sa

Remember to regularly:

  • Update all software
  • Check security logs
  • Verify service configurations
  • Run security audits with Lynis
  • Check file integrity with AIDE
  • Monitor user activities