Johnny
asked on
Must properly secure Ubuntu Server 18.04
What document, if any would you use to secure Ubuntu 18.04. I dont believe its a good time to migrate to 20.04.
There will be many updates that come through over the next 6 to nine months, and then from there, hopefully, the updates will drop to once every 6 months.
There are a great many documents, and opinions galore on what steps to take to harden/secure Ubuntu Server 18.04
A good solid recommendation would be welcomed.
Thank you
There will be many updates that come through over the next 6 to nine months, and then from there, hopefully, the updates will drop to once every 6 months.
There are a great many documents, and opinions galore on what steps to take to harden/secure Ubuntu Server 18.04
A good solid recommendation would be welcomed.
Thank you
Specific hardening techniques include applying security patches and adjusting the system's configurations, like closing open ports and disabling unnecessary services that add to the system's attack surface.
https://www.experts-exchange.com/questions/29163186/Linux-and-Windows-How-to-Harden-These-Systems.html#a42973283
https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/
https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/ubuntu-18-04-lts
https://www.experts-exchange.com/questions/29163186/Linux-and-Windows-How-to-Harden-These-Systems.html#a42973283
https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/
https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/ubuntu-18-04-lts
The first step of Linux (or even Windows) hardening is to uninstall all unnecessary services that you won't need. Not having it in the first place prevents it from ever starting up, even accidentally.
The 2nd step is to disable all services you don't really use all the time. Don't leave them running or for any sort of automatic start, just because you might use it once a year.
Basically, the fewer things you have running on the system means fewer avenues of attack. It also means fewer reboots after patching are needed. When I did that, my patching was simple and quick, on both Unix/Linux and Windows. Back when Windows patches wasn't monolithic, I also had fewer monthly patch cycle reboots per server, just service stops, then starts.
Ban all web browsers and user apps on your server. You should know how to download what you need on your workstation and transfer it to your server. If you're surfing the web on your server, you're a junior admin. If you don't know how to mainly use the command line on a server, you're a junior admin.
After that, you can then think about the entire firewall, anti-virus, pen-test, and everything else. These are the 2nd steps. Step 1 has always been to trim the server of unnecessary cruft to reduce the attack surface.
The 2nd step is to disable all services you don't really use all the time. Don't leave them running or for any sort of automatic start, just because you might use it once a year.
Basically, the fewer things you have running on the system means fewer avenues of attack. It also means fewer reboots after patching are needed. When I did that, my patching was simple and quick, on both Unix/Linux and Windows. Back when Windows patches wasn't monolithic, I also had fewer monthly patch cycle reboots per server, just service stops, then starts.
Ban all web browsers and user apps on your server. You should know how to download what you need on your workstation and transfer it to your server. If you're surfing the web on your server, you're a junior admin. If you don't know how to mainly use the command line on a server, you're a junior admin.
After that, you can then think about the entire firewall, anti-virus, pen-test, and everything else. These are the 2nd steps. Step 1 has always been to trim the server of unnecessary cruft to reduce the attack surface.
ASKER
I really need a document to go along with the paper i am writing for the given client. Yes there are a lot of hardening selections out there, and a tremendous amount of recommendations, but what I want is a reputable document that has been tried and used by others to harden, and support my position.
For instance, I am looking at multi factor authentication since there are 45,000 potential hackers against this machine, and there will only be the command line, and no desktop.
I like the ability of seeing what is happening on my ethernet, and so Vuurmuur is a likely candidate front end for managing the Iptables.
Your help with a specific document from a reputable source would be appreciated.
Thank you
For instance, I am looking at multi factor authentication since there are 45,000 potential hackers against this machine, and there will only be the command line, and no desktop.
I like the ability of seeing what is happening on my ethernet, and so Vuurmuur is a likely candidate front end for managing the Iptables.
Your help with a specific document from a reputable source would be appreciated.
Thank you
Hi,
What specifically is wrong with the documents linked by David above?
What are they missing?
Thanks,
Alan.
What specifically is wrong with the documents linked by David above?
What are they missing?
Thanks,
Alan.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Aside: LXD - About Draconian Security: I work on all manner of projects - Sites + Apps + APIs.
A common problem I see, when I'm engaged to cleanse a hacked machine... is...
Well, code installed at machine level.
This is 2020. One of the best security measure you can take is to...
1) Install LXD at machine level (or Docker if now SQL databases are involved).
2) Never install any other machine level code. Ever. Period. No exception.
3) Every project - Site/App/API - gets their own container.
4) This means any hacked container, is just one hacked container. No other containers are effected.
5) This also means tuning becomes far easier, as workloads (like SQL data access patterns) can be optimized on a per site basis, rather than many sites with conflicting/incongruent data access patterns.
For me, working with 1000s of sites daily, LXD is the only option to enforce stringent security.
A common problem I see, when I'm engaged to cleanse a hacked machine... is...
Well, code installed at machine level.
This is 2020. One of the best security measure you can take is to...
1) Install LXD at machine level (or Docker if now SQL databases are involved).
2) Never install any other machine level code. Ever. Period. No exception.
3) Every project - Site/App/API - gets their own container.
4) This means any hacked container, is just one hacked container. No other containers are effected.
5) This also means tuning becomes far easier, as workloads (like SQL data access patterns) can be optimized on a per site basis, rather than many sites with conflicting/incongruent data access patterns.
For me, working with 1000s of sites daily, LXD is the only option to enforce stringent security.
If you really insist on a defacto guide, then just use the SANS guide. https://www.sans.org/score/checklists/linux
Please check out the following links, they include many security controls, and the methods to implement.
https://www.cyberciti.biz/tips/linux-security.html
https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3
https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/
https://www.nuharborsecurity.com/ubuntu-server-hardening-guide-2/
https://www.cyberciti.biz/tips/linux-security.html
https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3
https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/
https://www.nuharborsecurity.com/ubuntu-server-hardening-guide-2/
Hi, I recommend you use the latest CIS benchmark or STIG.
CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v2.0.1.pdf
U_CAN_Ubuntu_18-04_LTS_V1R1_STIG.zip
STIG viewers are available @ https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=stig-viewing
You can follow up with a Lynis audit.
CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v2.0.1.pdf
U_CAN_Ubuntu_18-04_LTS_V1R1_STIG.zip
STIG viewers are available @ https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=stig-viewing
You can follow up with a Lynis audit.
ASKER
David, and Giovani,
Thank you for the documents, and some of the information you have provided. While true there isn't any silver bullet document, the documents the two of you have provided will be used to support all of my recommendations. In addition, I am of the opinion that I have to go through all of the installed services that remain behind after installation, and assure that these services are secured as well, or eliminated if not necessary. Again thank you!!
Thank you for the documents, and some of the information you have provided. While true there isn't any silver bullet document, the documents the two of you have provided will be used to support all of my recommendations. In addition, I am of the opinion that I have to go through all of the installed services that remain behind after installation, and assure that these services are secured as well, or eliminated if not necessary. Again thank you!!
You're welcome!
2) Good starting points...
https://www.experts-exchange.com/questions/29180555/Need-a-tool-for-pen-testing-recommendation.html
https://www.experts-exchange.com/questions/29145495/What-questions-evolving-around-security-would-you-ask-third-party-managing-your-cloud-infrastructure.html
Implementing comments in both these provide a rock solid starting point.
You may add other items after this.