{"id":448,"date":"2012-01-07T23:11:00","date_gmt":"2012-01-07T23:11:00","guid":{"rendered":"https:\/\/noi3.org\/site\/?p=448"},"modified":"2012-01-07T23:11:00","modified_gmt":"2012-01-07T23:11:00","slug":"securing-an-ubuntu-server","status":"publish","type":"post","link":"https:\/\/site.noi3.org\/?p=448","title":{"rendered":"Securing an Ubuntu Server"},"content":{"rendered":"<p> \t<a href=\"https:\/\/noi3.org\/site\/wp-content\/uploads\/2012\/01\/ubuntu_lock1.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-446\" border=\"0\" height=\"175\" src=\"https:\/\/noi3.org\/site\/wp-content\/uploads\/2012\/01\/ubuntu_lock1.png\" title=\"ubuntu_lock\" width=\"155\" \/><\/a><strong> <\/strong><\/p>\n<p> \t<strong>Security is relative.<\/strong> Will these steps make your server &ldquo;secure&rdquo;? It will be more secure than it was before. And more secure than most servers. Your server will not be &ldquo;low hanging fruit&rdquo;. Security is an on-going process. It includes settings, practices and procedures. Make it your business to regularly read about security and to understand the concepts and your system.
Paranoia is useful with regard to server security.<\/p>\n<p> \tI&rsquo;ve tested what is presented here in Ubuntu Server 10.04 (Lucid) and 10.10 (Maverick). If you want to harden your new Ubuntu server, this is a good start.<\/p>\n<p> \tUbuntu server is well designed, regularly updated and relatively secure. The <a href=\"https:\/\/wiki.ubuntu.com\/SecurityTeam\">Ubuntu Security Team<\/a> manifests an <a href=\"https:\/\/wiki.ubuntu.com\/SecurityTeam\/UpdateProcedures\">ongoing effort<\/a> to keep Ubuntu secure. Regular security updates are available and easy to implement.<\/p>\n<ul>\n<li> \t\tNo open ports<\/li>\n<li> \t\tRole-based administration<\/li>\n<li> \t\tNo X server<\/li>\n<li> \t\tSecurity updates<\/li>\n<li> \t\tKernel and compiler hardening<\/li>\n<\/ul>\n<p> \tIn this post, we are going to meet the security challenge with a multi-pronged effort that will include: system analysis, changing settings for additional hardening against attack, installing a firewall maintenance system, scanning for rootkits, and offering a regular maintenance regimen.<\/p>\n<ul>\n<li> \t\tChange settings for increased security<\/li>\n<li> \t\tImplement UFW, the uncomplicated firewall<\/li>\n<li> \t\tUse denyhosts to automatically blacklist attackers<\/li>\n<li> \t\tScan the system for vulnerabilities with Tiger<\/li>\n<li> \t\tDetect attempted intrusions with psad<\/li>\n<li> \t\tInstall nmap and scan the system for open ports<\/li>\n<li> \t\tCheck the system for rootkits with chkrootkit<\/li>\n<li> \t\tMonitor logs<\/li>\n<\/ul>\n<h3> \tChange settings for increased security<\/h3>\n<p> \t<strong>see also:<\/strong> <a href=\"https:\/\/help.ubuntu.com\/community\/StricterDefaults\">https:\/\/help.ubuntu.com\/community\/StricterDefaults<\/a><\/p>\n<h4> \tSecure shared memory<\/h4>\n<p> \t<strong>\/dev\/shm<\/strong> can be used in an attack against a running service, such as httpd.
Modify <strong>\/etc\/fstab<\/strong> to make it more secure.<\/p>\n<pre> sudo vi \/etc\/fstab <\/pre>\n<p> \tAdd this line:<\/p>\n<pre> tmpfs     \/dev\/shm     tmpfs     defaults,noexec,nosuid     0     0 <\/pre>\n<h4> \tDisable root SSH login<\/h4>\n<p> \tThe root account is disabled by default in Ubuntu. If you installed Ubuntu on Slicehost or Linode, root is enabled. In any case, it is a good idea to disable root SSH access. Edit <strong>\/etc\/ssh\/sshd_config<\/strong> and set <strong>PermitRootLogin<\/strong> to <strong>no<\/strong>.<\/p>\n<pre> sudo vi \/etc\/ssh\/sshd_config <\/pre>\n<p> \tChange <strong>PermitRootLogin<\/strong> to <strong>no<\/strong>:<\/p>\n<pre> PermitRootLogin no <\/pre>\n<p> \tOf course, if you access your server via SSH, you should make sure you have sudo working for your user before disabling SSH root access.<\/p>\n<h4> \tOnly allow admin users to use su<\/h4>\n<p> \tThis helps prevent privilege escalation.<\/p>\n<p> \tBy default, Ubuntu does not have an admin group. 
Create an admin group:<\/p>\n<pre> sudo groupadd admin <\/pre>\n<p> \tAdd yourself to the admin group:<\/p>\n<pre> sudo usermod -a -G admin andrew <\/pre>\n<p> \tRestrict access to \/bin\/su to admin group members:<\/p>\n<pre> sudo dpkg-statoverride --update --add root admin 4750 \/bin\/su <\/pre>\n<p> \tCheck permissions for \/bin\/su with:<\/p>\n<pre> ls -lh \/bin\/su <\/pre>\n<p> \t&hellip;and see the following:<\/p>\n<pre> -rwsr-x--- 1 root admin 31K 2010-01-26 17:09 \/bin\/su <\/pre>\n<h4> \tDo not permit source routing of incoming packets<\/h4>\n<p> \t<strong>see also:<\/strong> <a href=\"http:\/\/www.cromwell-intl.com\/security\/security-stack-hardening.html\">http:\/\/www.cromwell-intl.com\/security\/security-stack-hardening.html<\/a><\/p>\n<pre> sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\nsudo sysctl -w net.ipv4.conf.default.accept_source_route=0 <\/pre>\n<h4> \tDon&rsquo;t allow system users to access an FTP server<\/h4>\n<p> \tThis is only needed if ftpd is installed and running.
<strong>Only if you&rsquo;ve installed ftpd.<\/strong> However, it is OK to do this anyway and it will remove a FAIL from the tiger report.<\/p>\n<p> \tSFTP is probably better than FTP, if it is usable for your file transfer needs.<\/p>\n<p> \t<strong>see ftpusers manual:<\/strong> <a href=\"http:\/\/manpages.ubuntu.com\/manpages\/lucid\/man5\/ftpusers.5.html\">http:\/\/manpages.ubuntu.com\/manpages\/lucid\/man5\/ftpusers.5.html<\/a><\/p>\n<p> \tEdit \/etc\/ftpusers:<\/p>\n<pre> sudo vi \/etc\/ftpusers <\/pre>\n<p> \tAdd system users to deny use of ftpd:<\/p>\n<pre>backup\nbin\ndaemon\ngames\ngnats\nirc\nlibuuid\nlist\nlp\nmail\nman\nmysql\nnews\nntp\npostfix\nproxy\nsshd\nsync\nsys\nsyslog\nuucp\nwww-data<\/pre>\n<h3> \tUFW: basic firewall<\/h3>\n<p> \t<strong>previous post:<\/strong> <a href=\"http:\/\/www.andrewault.net\/2010\/04\/15\/ubuntu-ufw-uncomplicated-firewall-examples\/\">Ubuntu UFW Uncomplicated Firewall Examples<\/a><\/p>\n<p> \t<strong>community documentation:<\/strong> <a href=\"https:\/\/help.ubuntu.com\/community\/UFW\">https:\/\/help.ubuntu.com\/community\/UFW<\/a><\/p>\n<p> \t<strong>server guide:<\/strong> <a href=\"https:\/\/help.ubuntu.com\/8.04\/serverguide\/C\/firewall.html\">https:\/\/help.ubuntu.com\/10.04\/serverguide\/C\/firewall.html<\/a><\/p>\n<p> \t<strong>ufw manual:<\/strong> <a href=\"http:\/\/manpages.ubuntu.com\/manpages\/lucid\/en\/man8\/ufw.8.html\">http:\/\/manpages.ubuntu.com\/manpages\/lucid\/en\/man8\/ufw.8.html<\/a><\/p>\n<p> \t<strong>project wiki:<\/strong> <a href=\"https:\/\/wiki.ubuntu.com\/UncomplicatedFirewall\">https:\/\/wiki.ubuntu.com\/UncomplicatedFirewall<\/a><\/p>\n<p> \t<strong>nice article:<\/strong> <a href=\"http:\/\/savvyadmin.com\/ubuntus-ufw\/\">http:\/\/savvyadmin.com\/ubuntus-ufw\/<\/a><\/p>\n<p> \tUFW (Uncomplicated Firewall) provides an easy to understand interface to control iptables (iptables controls Netfilter, which is built into the kernel). With just a few commands, your server can control access.
Checking status is also easy.<\/p>\n<p> \t<strong>Install and enable Uncomplicated Firewall:<\/strong><\/p>\n<pre> sudo aptitude install -y ufw\nsudo ufw enable <\/pre>\n<p> \t<strong>Display available UFW commands:<\/strong><\/p>\n<pre> sudo ufw show <\/pre>\n<p> \t<strong>Display UFW configuration:<\/strong><\/p>\n<pre> sudo ufw status <\/pre>\n<p> \t<strong>Allow SSH and HTTP access to the Apache server:<\/strong><\/p>\n<pre> sudo ufw allow ssh\nsudo ufw allow http <\/pre>\n<p> \tIn the above example, ports for OpenSSH and Apache were opened by service name (&ldquo;ssh&rdquo; and &ldquo;http&rdquo;). You can use a port number instead of the service name (like &ldquo;80&rdquo; instead of &ldquo;http&rdquo;).<\/p>\n<p> \t<strong>See services running and which names to use:<\/strong><\/p>\n<p> \tThe practice here is to open only ports that you use &ndash; ports for which you have a service running. To list the applications that have registered a UFW profile, and for which you might want to open ports:<\/p>\n<pre> sudo ufw app list <\/pre>\n<p> \tTo see a list of services that UFW uses (like in the &ldquo;sudo ufw allow ssh&rdquo; example, above):<\/p>\n<pre> less \/etc\/services <\/pre>\n<h3> \tDenyhosts: avoid SSH attacks<\/h3>\n<p> \t<strong>project:<\/strong> <a href=\"http:\/\/denyhosts.sourceforge.net\/\">http:\/\/denyhosts.sourceforge.net\/<\/a><\/p>\n<p> \tLooking at \/var\/log\/auth.log on servers that I manage shows a steady stream of attacks on SSH. I am countering these attacks in a number of ways, starting with <strong>denyhosts<\/strong>.<\/p>\n<p> \t<strong>Denyhosts<\/strong> periodically scans <strong>\/var\/log\/auth.log<\/strong> for repeated failures to access the system via SSH. It then adds these offenders to <strong>\/etc\/hosts.deny<\/strong>.
See the project page for details.<\/p>\n<pre> sudo aptitude -y install denyhosts <\/pre>\n<p> \tThat does it &ndash; the rest is automatic. You can see the IP addresses added to \/etc\/hosts.deny with:<\/p>\n<pre> sudo less \/etc\/hosts.deny <\/pre>\n<h3> \tTiger: security system scanner<\/h3>\n<p> \t<strong>project:<\/strong> <a href=\"http:\/\/www.nongnu.org\/tiger\/\">http:\/\/www.nongnu.org\/tiger\/<\/a><\/p>\n<p> \tTiger creates an automated security audit by analyzing files and settings on the system and creating a report listing what has been analyzed and listing warnings, alerts and failures.<\/p>\n<p> \tThe <strong>tiger<\/strong> command creates a report of potential security problems in <strong>\/var\/log\/tiger<\/strong>. Then use the <strong>tigexp<\/strong> command to look up the codes in the report for a detailed explanation and what to do to make the system more secure. The problems tiger considers most serious are marked with <strong>FAIL<\/strong>.<\/p>\n<p> \tIt has been a while since Tiger has been updated.
It still produces a useful report.<\/p>\n<p> \tInstall tiger:<\/p>\n<pre> sudo aptitude -y install tiger <\/pre>\n<p> \tRun tiger to create a report of security issues.<\/p>\n<pre> sudo tiger <\/pre>\n<p> \tUse <strong>less<\/strong> to view the <em>most recent<\/em> tiger report:<\/p>\n<pre> sudo -i\nless \/var\/log\/tiger\/`ls -t1 \/var\/log\/tiger | head -1`\nexit <\/pre>\n<p> \tUse tigexp to list explanations for FAIL codes:<\/p>\n<pre> tigexp dev002f <\/pre>\n<p> \tGoogle is also helpful, naturally.<\/p>\n<p> \tIgnore these:<\/p>\n<pre> --FAIL-- [dev002f] \/dev\/fuse has world permissions\n--FAIL-- [logf005f] Log file \/var\/log\/btmp permission should be 660 <\/pre>\n<p> \tChanging permissions for these could cause problems.<\/p>\n<h3> \tDetect attempted intrusions with psad<\/h3>\n<p> \t<strong>project:<\/strong> <a href=\"http:\/\/www.cipherdyne.org\/psad\/\">http:\/\/www.cipherdyne.org\/psad\/<\/a><\/p>\n<p> \tPsad is a collection of lightweight daemons that log attempted intrusions, in particular monitoring iptables.<\/p>\n<p> \tInstallation:<\/p>\n<pre> sudo aptitude -y install psad <\/pre>\n<p> \tThe daemons will run automatically.<\/p>\n<p> \tTo check current status:<\/p>\n<pre> sudo psad -S <\/pre>\n<p> \tYou can modify psad settings to e-mail the admin in the event of intrusion detection.<\/p>\n<h3> \tNmap: port scanning<\/h3>\n<p> \t<strong>project:<\/strong> <a href=\"http:\/\/nmap.org\/\">http:\/\/nmap.org\/<\/a><\/p>\n<p> \tThis allows you to see which ports are open, verifying that UFW\/iptables is working correctly.<\/p>\n<p> \t<strong>Installing nmap:<\/strong><\/p>\n<pre> sudo aptitude install -y nmap <\/pre>\n<p> \t<strong>Port scanning:<\/strong><\/p>\n<pre> nmap -v -sT localhost <\/pre>\n<p> \t<strong>SYN Scanning:<\/strong><\/p>\n<pre> sudo nmap -v -sS localhost <\/pre>\n<p> \t<strong>scan type explanations:<\/strong> <a
href=\"http:\/\/nmap.org\/book\/man-port-scanning-techniques.html\">http:\/\/nmap.org\/book\/man-port-scanning-techniques.html<\/a><\/p>\n<h3> \tChkrootkit: check for rootkit presence<\/h3>\n<p> \t<strong>project:<\/strong> <a href=\"http:\/\/www.chkrootkit.org\/\">http:\/\/www.chkrootkit.org\/<\/a><\/p>\n<p> \tChkrootkit scans the system for evidence that a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Rootkit\">rootkit<\/a> has been installed.<\/p>\n<p> \tThis is a confidence test to be used to test whether your system has been compromised. In a perfect world you would not need this&hellip;but in this world, it is good to run periodically.<\/p>\n<p> \t<strong>Installing chkrootkit:<\/strong><\/p>\n<pre> sudo aptitude install -y chkrootkit <\/pre>\n<p> \t<strong>Running chkrootkit:<\/strong><\/p>\n<pre> sudo chkrootkit <\/pre>\n<h3> \tLogWatch<\/h3>\n<p> \t<strong>Ubuntu community documentation:<\/strong> <a href=\"https:\/\/help.ubuntu.com\/community\/Logwatch\">https:\/\/help.ubuntu.com\/community\/Logwatch<\/a><\/p>\n<p> \tThe most detailed and informative logs in the world are useless if no one looks at them. Logwatch winnows the deluge to a succinct report&hellip;which you will look at. Even so, familiarize yourself with your system&rsquo;s logs and review them on a regular basis. A daily logwatch habit would be a good start.<\/p>\n<p> \tInstallation:<\/p>\n<pre> sudo aptitude -y install logwatch <\/pre>\n<p> \tUsage:<\/p>\n<pre> sudo logwatch | less <\/pre>\n<h3> \tOngoing maintenance<\/h3>\n<p> \tYour server is now more secure. 
Once a week, perform on-going maintenance.<\/p>\n<p> \t<strong>Updating software:<\/strong><\/p>\n<pre> sudo aptitude update\nsudo aptitude safe-upgrade <\/pre>\n<p> \tThe safe-upgrade action is preferred by me because it does not upgrade packages that rely on dependencies that have not been upgraded to required levels.<\/p>\n<p> \t<strong>see:<\/strong> <a href=\"http:\/\/wiki.debian.org\/Aptitude\">http:\/\/wiki.debian.org\/Aptitude<\/a><\/p>\n<p> \tOr, you could set up automatic security updates, if you cannot do the weekly maintenance. This is not a perfect solution because an administrator is not monitoring what is being updated and testing after updates. <strong>see:<\/strong> <a href=\"https:\/\/help.ubuntu.com\/10.04\/serverguide\/C\/automatic-updates.html\">https:\/\/help.ubuntu.com\/10.04\/serverguide\/C\/automatic-updates.html<\/a><\/p>\n<p> \t<strong>Check for attempted intrusions:<\/strong><\/p>\n<pre> sudo psad -S <\/pre>\n<p> \t<strong>UPDATED: Analyze system with tiger.<\/strong> Because the tiger reports in \/var\/log\/tiger\/ are owned by root, run these commands one at a time. (This solves a problem some people were having with permissions.)<\/p>\n<pre> sudo -i\ntiger\ngrep FAIL \/var\/log\/tiger\/`ls -t1 \/var\/log\/tiger | head -1`\nexit <\/pre>\n<p> \tIn the above, FAILs are pulled from the newest report file with <strong>grep<\/strong>. The <strong>ls<\/strong> clause in backticks gives grep the newest file in the directory.
The <strong>sudo -i<\/strong> command allows you to run multiple commands as root, ending with <strong>exit<\/strong>.<\/p>\n<p> \tUse <strong>tigexp<\/strong> to list explanations for FAIL codes:<\/p>\n<pre> tigexp dev002f <\/pre>\n<p> \t<strong>Scan ports with nmap:<\/strong><\/p>\n<pre> sudo nmap -v -sS localhost <\/pre>\n<p> \t<strong>Check for rootkits<\/strong><\/p>\n<pre> sudo chkrootkit <\/pre>\n<p> \t<strong>Look at logs:<\/strong><\/p>\n<pre> sudo logwatch | less <\/pre>\n<p> \t<strong>Keep up with trends<\/strong><\/p>\n<p> \tvisit: <a href=\"http:\/\/www.linuxsecurity.com\/\">http:\/\/www.linuxsecurity.com\/<\/a><\/p>\n<h3> \tElsewhere<\/h3>\n<p> \t<a href=\"http:\/\/www.itsecurity.com\/features\/ubuntu-secure-install-resource\/\">http:\/\/www.itsecurity.com\/features\/ubuntu-secure-install-resource\/<\/a><\/p>\n<p> \t<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-security.html\">http:\/\/www.cyberciti.biz\/tips\/linux-security.html<\/a><\/p>\n<div> \tMay 17th, 2010 | Tags: <a href=\"http:\/\/www.andrewault.net\/tag\/admin\/\" rel=\"tag\">admin<\/a>, <a href=\"http:\/\/www.andrewault.net\/tag\/security\/\" rel=\"tag\">security<\/a>, <a href=\"http:\/\/www.andrewault.net\/tag\/ubuntu\/\" rel=\"tag\">ubuntu<\/a> | Category: <a href=\"http:\/\/www.andrewault.net\/category\/admin\/\" rel=\"category tag\" title=\"View all posts in admin\">admin<\/a><\/div>\n<p> \t<a name=\"comments\"><\/a><\/p>\n<h3 id=\"comments\"> \t33 comments to Securing an Ubuntu Server<\/h3>\n<ul>\n<li id=\"comment-61\">\n<div id=\"div-comment-61\">\n<div> \t\t\t\t<span><a href=\"http:\/\/www.andrewault.net\/2010\/04\/15\/ubuntu-ufw-uncomplicated-firewall-examples\/\" rel=\"external nofollow\">Ubuntu UFW Uncomplicated Firewall Examples &laquo; andrewault.net<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-61\">2010\/05\/22 at 09:40<\/a><\/div>\n<p> \t\t\t\t[&#8230;] Ubuntu UFW Uncomplicated Firewall Examples See also: Securing an Ubuntu Server [&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-72\">\n<div id=\"div-comment-72\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/78b0bc126eb480fac69dc067117c5cf1?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/petertaylor.me\/\"
rel=\"external nofollow\">Peter Aaron Taylor<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-72\">2010\/06\/04 at 14:15<\/a><\/div>\n<p> \t\t\t\tFantastic review! For some reason I could not figure out how this command works:<\/p>\n<p> \t\t\t\tsudo grep FAIL \/var\/log\/tiger\/`sudo ls -t1 \/var\/log\/tiger | head -1`<\/p>\n<p> \t\t\t\tIt kept spitting out errors about &lsquo;sudo ls&hellip;&rsquo; not being found. So I modified the permissions of \/var\/log\/tiger so that I could just grep FAIL \/var\/log\/tiger\/*securityreporthere* and shazzam!<\/p>\n<p> \t\t\t\tThank you!<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-73\">\n<div id=\"div-comment-73\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/22299277f2428b103dd1b12fefa61510?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.andrewault.net\/\" rel=\"external nofollow\">Andrew Ault<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-73\">2010\/06\/04 at 14:45<\/a><\/div>\n<p> \t\t\t\t@Peter: Glad to hear it and well done! The security on \/var\/log\/tiger\/ is probably a bit much. It seems like it should have a group ownership of adm with rights to read the reports. 
I modified the instructions based on your experience.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-91\">\n<div id=\"div-comment-91\">\n<div> \t\t\t\t<span><a href=\"http:\/\/developernews.info\/2010\/06\/16\/hardening-ubuntu-10-04-server\/\" rel=\"external nofollow\">Hardening Ubuntu 10.04 Server | DeveloperNews.info<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-91\">2010\/06\/16 at 11:53<\/a><\/div>\n<p> \t\t\t\t[&#8230;] Read More [&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-114\">\n<div id=\"div-comment-114\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/a74b2454475693d9caa15872dc61ed01?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span>John<\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-114\">2010\/08\/01 at 13:18<\/a><\/div>\n<p> \t\t\t\tThanks for sharing your knowledge. This is exactly what I was looking for. <img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-447\" alt=\":)\" border=\"0\" src=\"https:\/\/noi3.org\/site\/wp-content\/uploads\/2012\/01\/icon_smile.gif\" width=\"15\" height=\"15\" \/><\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-137\">\n<div id=\"div-comment-137\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/0d28f36605fa3ff4f1f0f59d97a689d4?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span>Matt<\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-137\">2010\/10\/21 at 08:35<\/a><\/div>\n<p> \t\t\t\tThank you. 
This was tremendously helpful &mdash; broad in scope, with clear, succinct explanations.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-138\">\n<div id=\"div-comment-138\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/22299277f2428b103dd1b12fefa61510?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.andrewault.net\/\" rel=\"external nofollow\">Andrew Ault<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-138\">2010\/10\/21 at 08:40<\/a><\/div>\n<p> \t\t\t\tGood to hear, Matt. Glad to give back a little. -A<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-181\">\n<div id=\"div-comment-181\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/2a8c7328b5340dbeebd42432dfc5e0d8?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.boredomsoft.org\/\" rel=\"external nofollow\">Andrew<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-181\">2011\/03\/09 at 01:36<\/a><\/div>\n<p> \t\t\t\tAs the others above have said, this guide has been very, very useful. 
Thank you!<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-182\">\n<div id=\"div-comment-182\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/f7105dd5dc850e545047cfa4477d2343?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/sucuri.net\/\" rel=\"external nofollow\">David Dede<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-182\">2011\/03\/12 at 14:55<\/a><\/div>\n<p> \t\t\t\tYou missed OSSEC in there (<a href=\"http:\/\/www.ossec.net\/\" rel=\"nofollow\">http:\/\/www.ossec.net<\/a>) &ndash; It is open source and does all things the other tools you mention do.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-183\">\n<div id=\"div-comment-183\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/33cef4051b0bc6d31e657cd6859d7af0?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.encinc.com\/\" rel=\"external nofollow\">brian mcgrogan<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-183\">2011\/03\/12 at 15:02<\/a><\/div>\n<p> \t\t\t\tI would recommend using the grsecurity.net kernel patches to the linux kernel (<a href=\"http:\/\/grsecurity.net\/\" rel=\"nofollow\">http:\/\/grsecurity.net\/<\/a> and <a href=\"http:\/\/grsecurity.net\/%7Espender\" rel=\"nofollow\">http:\/\/grsecurity.net\/~spender<\/a> for the latest patch). This by itself locks down a linux server. It prevents non-root users from executing code outside of the bin directories (trusted path execution). It prevents buffer overflow exploits from executing code on the stack (no-exec stack). It prevents non-root users from seeing other users processes by making \/proc read-only. 
So, if an attacker does actually gain access to the server, they really can&rsquo;t do anything interesting.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-184\">\n<div id=\"div-comment-184\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/22299277f2428b103dd1b12fefa61510?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.andrewault.net\/\" rel=\"external nofollow\">Andrew Ault<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-184\">2011\/03\/12 at 15:05<\/a><\/div>\n<p> \t\t\t\tDavid and Brian: I&rsquo;ll look at those two projects the next time I review my security procedures &ndash; thanks! -Andrew<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-185\">\n<div id=\"div-comment-185\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/5f5f062a7c6b25c222e5d4ee155c3474?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span>todd<\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-185\">2011\/03\/12 at 16:55<\/a><\/div>\n<p> \t\t\t\tNote that tiger installs sendmail as a dependency, which you might not want to do.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-186\">\n<div id=\"div-comment-186\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/22299277f2428b103dd1b12fefa61510?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.andrewault.net\/\" rel=\"external nofollow\">Andrew Ault<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-186\">2011\/03\/12 at 17:12<\/a><\/div>\n<p> \t\t\t\tHere&rsquo;s a discussion thread about this page: <a 
href=\"http:\/\/news.ycombinator.com\/item?id=2317359\" rel=\"nofollow\">http:\/\/news.ycombinator.com\/item?id=2317359<\/a><\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-187\">\n<div id=\"div-comment-187\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/75984f91ac11fd9244663f98311abf56?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.rootkit.nl\/\" rel=\"external nofollow\">Michael<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-187\">2011\/03\/13 at 03:36<\/a><\/div>\n<p> \t\t\t\tNice article!<br \/> \t\t\t\tNo intention to plug, but you might like my open source project Lynis as well, to check how well the system is hardened and what other tips are available!<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-188\">\n<div id=\"div-comment-188\">\n<div> \t\t\t\t<span><a href=\"http:\/\/www.benmccann.com\/dev-blog\/security-lockdown-for-linux\/\" rel=\"external nofollow\">Security Lockdown for Linux<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-188\">2011\/03\/13 at 07:28<\/a><\/div>\n<p> \t\t\t\t[&#8230;] Andrew Ault wrote a good article as well Share and [&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-189\">\n<div id=\"div-comment-189\">\n<div> \t\t\t\t<span><a href=\"http:\/\/www.jeuxdefillefr.com\/webmapping-securiser-un-serveur-ubuntu\" rel=\"external nofollow\">[WebMapping] Securing an Ubuntu Server | Jeux De Fille<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-189\">2011\/03\/13 at 09:46<\/a><\/div>\n<p> \t\t\t\t[&#8230;] <a href=\"http:\/\/www.andrewault.net\/2010\/05\/17%E2%80%A6ubuntu-server\/\" 
rel=\"nofollow\">http:\/\/www.andrewault.net\/2010\/05\/17&hellip;ubuntu-server\/<\/a> [&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-190\">\n<div id=\"div-comment-190\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/115b908751885366af83204fa7543b44?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span>Kenneth<\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-190\">2011\/03\/14 at 02:52<\/a><\/div>\n<p> \t\t\t\tThanks for sharing this helpful information.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-191\">\n<div id=\"div-comment-191\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/5820439c9fa0565d974396283ea892b0?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.jroller.com\/bookreview\" rel=\"external nofollow\">Helen Neely<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-191\">2011\/03\/15 at 07:19<\/a><\/div>\n<p> \t\t\t\tNice post. 
Apart from editing the \/etc\/ssh\/sshd_config to set the permission to no, I think you can also disable root account with this command: $sudo passwd -l root<\/p>\n<p> \t\t\t\tThanks again.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-192\">\n<div id=\"div-comment-192\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/22299277f2428b103dd1b12fefa61510?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.andrewault.net\/\" rel=\"external nofollow\">Andrew Ault<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-192\">2011\/03\/15 at 09:04<\/a><\/div>\n<p> \t\t\t\t@Helen: Editing the \/etc\/ssh\/sshd_config to set the permission to no disallows root from logging in via SSH and &ldquo;sudo passwd -l root&rdquo; disables the root account altogether. -A<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-193\">\n<div id=\"div-comment-193\">\n<div> \t\t\t\t<span><a href=\"http:\/\/www.j2eegeek.com\/blog\/2011\/03\/15\/daily-del-icio-us-for-march-13th-through-march-15th\/\" rel=\"external nofollow\">Daily del.icio.us for March 13th through March 15th &mdash; Vinny Carpenter&#39;s blog<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-193\">2011\/03\/15 at 14:02<\/a><\/div>\n<p> \t\t\t\t[&#8230;] Securing an Ubuntu Server &laquo; andrewault.net &ndash; In this post, we are going to meet the security challenge in with multi-pronged effort that will include: system analysis, changing settings for additional hardening against attack, installing a firewall maintenance system, scanning for rootkits, and offering a regular maintenance regimen. 
[&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-194\">\n<div id=\"div-comment-194\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/36b469eef5380d19947eabb583565db1?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span>John<\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-194\">2011\/03\/16 at 10:09<\/a><\/div>\n<p> \t\t\t\tGreat Howto! Will these steps work on securing the desktop too, or is it too much\/too little for locking it down?<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-195\">\n<div id=\"div-comment-195\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/22299277f2428b103dd1b12fefa61510?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.andrewault.net\/\" rel=\"external nofollow\">Andrew Ault<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-195\">2011\/03\/16 at 11:47<\/a><\/div>\n<p> \t\t\t\t@John: Ubuntu desktop is pretty secure for a desktop. All these measures are based on what Internet-facing servers get hit with. 
Man, the number of attacks on some of my servers is unbelievable.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-196\">\n<div id=\"div-comment-196\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/36b469eef5380d19947eabb583565db1?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span>John<\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-196\">2011\/03\/17 at 10:21<\/a><\/div>\n<p> \t\t\t\t@Andrew &ndash; That is what I have been reading about it security, I am not worried about my home system, but I recently loaded on an old laptop and am just trying to keep it nice and secure when I use public WiFi, I do always make sure to VPN back home just to be safe <img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-447\" alt=\":)\" border=\"0\" src=\"https:\/\/noi3.org\/site\/wp-content\/uploads\/2012\/01\/icon_smile.gif\" width=\"15\" height=\"15\" \/> I can only imagine the amount of attacks you see on your servers though.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-198\">\n<div id=\"div-comment-198\">\n<div> \t\t\t\t<span><a href=\"http:\/\/maxnim.wordpress.com\/2011\/03\/21\/%ec%9a%b0%eb%b6%84%ed%88%ac-%ec%84%9c%eb%b2%84%eb%a5%bc-%ec%a2%80-%eb%8d%94-%ec%95%88%ec%a0%84%ed%95%98%ea%b2%8c-%eb%a7%8c%eb%93%a4%ea%b8%b0\/\" rel=\"external nofollow\">Making an Ubuntu Server a Bit More Secure 
&laquo; turtle9<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-198\">2011\/03\/21 at 05:50<\/a><\/div>\n<p> \t\t\t\t[&#8230;] <a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/\" rel=\"nofollow\">http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/<\/a> [&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-204\">\n<div id=\"div-comment-204\">\n<div> \t\t\t\t<span><a href=\"http:\/\/blacky.co.kr\/wordpress\/2011\/04\/01\/%ec%9a%b0%eb%b6%84%ed%88%ac-%ec%84%9c%eb%b2%84%eb%a5%bc-%ec%a2%80-%eb%8d%94-%ec%95%88%ec%a0%84%ed%95%98%ea%b2%8c-%eb%a7%8c%eb%93%a4%ea%b8%b0\/\" rel=\"external nofollow\">Making an Ubuntu Server a Bit More Secure &laquo; Blacky<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-204\">2011\/04\/03 at 21:42<\/a><\/div>\n<p> \t\t\t\t[&#8230;] <a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/\" rel=\"nofollow\">http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/<\/a> [&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-208\">\n<div id=\"div-comment-208\">\n<div> \t\t\t\t<span><a href=\"http:\/\/www.fabianrodriguez.com\/blog\/2011\/04\/13\/daily-digest-for-april-13th-2\" rel=\"external nofollow\">Daily Digest for April 13th &laquo; Fabian Rodriguez<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-208\">2011\/04\/13 at 13:48<\/a><\/div>\n<p> \t\t\t\t[&#8230;] MagicFab shared Securing an Ubuntu Server &laquo; andrewault.net. 
[&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-209\">\n<div id=\"div-comment-209\">\n<div> \t\t\t\t<span><a href=\"http:\/\/kratunar.mine.nu\/wordpress\/?p=31\" rel=\"external nofollow\">Securing an Ubuntu Server | toombaloomba<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-209\">2011\/04\/14 at 09:06<\/a><\/div>\n<p> \t\t\t\t[&#8230;] <a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/\" rel=\"nofollow\">http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/<\/a> [&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-215\">\n<div id=\"div-comment-215\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/6c75e07e5010566bbd5a732fbee300ee?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span>David Nandell<\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-215\">2011\/05\/01 at 13:54<\/a><\/div>\n<p> \t\t\t\tExcellent! 
Thanks!<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-216\">\n<div id=\"div-comment-216\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/55a2dca831be2ef180517c2d13390d56?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/giorgio\/\" rel=\"external nofollow\">Giorgio<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-216\">2011\/05\/12 at 03:34<\/a><\/div>\n<p> \t\t\t\tI&rsquo;ve got this message, how can I solve it without compromising installation?<\/p>\n<p> \t\t\t\t&ndash;FAIL&ndash; [lin016f] The system permits source routing from incoming packets<br \/> \t\t\t\t&ndash;FAIL&ndash; [lin005f] Installed file `\/usr\/share\/bind9\/bind9-default.md5sum&rsquo;<br \/> \t\t\t\t&ndash;FAIL&ndash; [lin005f] Installed file<br \/> \t\t\t\t&ndash;FAIL&ndash; [dev002f] \/dev\/fuse has world permissions<br \/> \t\t\t\t&ndash;FAIL&ndash; [dev002f] \/dev\/rfkill has world permissions<br \/> \t\t\t\t&ndash;FAIL&ndash; [netw018f] Administrative user avahi allowed access in \/etc\/ftpusers<br \/> \t\t\t\t&ndash;FAIL&ndash; [netw018f] Administrative user bind allowed access in \/etc\/ftpusers<br \/> \t\t\t\t&ndash;FAIL&ndash; [netw018f] Administrative user messagebus allowed access in<br \/> \t\t\t\t&ndash;FAIL&ndash; [netw018f] Administrative user openpanel-core allowed access in<br \/> \t\t\t\t&ndash;FAIL&ndash; [netw018f] Administrative user vmail allowed access in \/etc\/ftpusers<\/p>\n<p> \t\t\t\tBecause following this &ldquo;Only allow admin users to use su&rdquo; I&rsquo;ve been locked out of my system. 
Needed a restore.<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-223\">\n<div id=\"div-comment-223\">\n<div> \t\t\t\t<span><a href=\"http:\/\/gotofreedom.org\/2011\/07\/securiser-un-serveur-ubuntu-toi-aussi-tu-peux-le-faire\/\" rel=\"external nofollow\">Securing an Ubuntu Server, You Can Do It Too! | Zat&#39;s Hall<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-223\">2011\/07\/06 at 06:59<\/a><\/div>\n<p> \t\t\t\t[&#8230;] 15:48 0 comments The site Andrewault.net offers us a nice little post about securing an Ubuntu server. I think part of the post can easily be reused and applied to [&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-224\">\n<div id=\"div-comment-224\">\n<div> \t\t\t\t<span><a href=\"http:\/\/uncorruptedstate.com\/2011\/07\/hosting-on-linode\/\" rel=\"external nofollow\">Hosting on Linode | Uncorrupted State<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-224\">2011\/07\/17 at 16:28<\/a><\/div>\n<p> \t\t\t\t[&#8230;] For security, the excellent fail2ban and Uncomplicated Firewall provide a strong foundation for analyzing web traffic and simplifying the firewall configuration on a Linux server. For a more in-depth source on securing a Ubuntu server, check out this article. 
[&#8230;]<\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-225\">\n<div id=\"div-comment-225\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/0.gravatar.com\/avatar\/c6e63ad6247e3883a9b4bcbbad9ee65e?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span>Gorja<\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-225\">2011\/08\/13 at 08:19<\/a><\/div>\n<p> \t\t\t\tthx for your nice how-to <img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-447\" alt=\":)\" border=\"0\" src=\"https:\/\/noi3.org\/site\/wp-content\/uploads\/2012\/01\/icon_smile.gif\" width=\"15\" height=\"15\" \/> for beginners a good point to start&hellip;<\/p>\n<p> \t\t\t\tnow my ubuntu-server is a bit more secure <img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-447\" alt=\":)\" border=\"0\" src=\"https:\/\/noi3.org\/site\/wp-content\/uploads\/2012\/01\/icon_smile.gif\" width=\"15\" height=\"15\" \/><\/p>\n<\/p><\/div>\n<\/li>\n<li id=\"comment-227\">\n<div id=\"div-comment-227\">\n<div> \t\t\t\t<img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"55\" src=\"http:\/\/1.gravatar.com\/avatar\/d652c201fd85519099c1d2d069c64898?s=55&amp;d=monsterid&amp;r=PG\" width=\"55\" \/> <span><a href=\"http:\/\/www.nexdegree.com\/\" rel=\"external nofollow\">Imran M<\/a><\/span><\/div>\n<div> \t\t\t\t<a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/comment-page-1\/#comment-227\">2011\/09\/27 at 08:13<\/a><\/div>\n<p> \t\t\t\tSuperb article! Thanks!<\/p>\n<\/p><\/div>\n<\/li>\n<\/ul>\n<hr \/>\n<p> \tOriginal article: <a href=\"http:\/\/www.andrewault.net\/2010\/05\/17\/securing-an-ubuntu-server\/\">here<\/a><\/p>\n<hr \/>\n<p> \t&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security is relative. Will these steps make your server &ldquo;secure&rdquo;? It will be more secure than it was before. 
And more secure than most servers.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":446,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[249,206,248],"class_list":["post-448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-informatica","tag-securizare","tag-server","tag-ubuntu"],"_links":{"self":[{"href":"https:\/\/site.noi3.org\/index.php?rest_route=\/wp\/v2\/posts\/448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/site.noi3.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/site.noi3.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/site.noi3.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/site.noi3.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=448"}],"version-history":[{"count":0,"href":"https:\/\/site.noi3.org\/index.php?rest_route=\/wp\/v2\/posts\/448\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/site.noi3.org\/index.php?rest_route=\/wp\/v2\/media\/446"}],"wp:attachment":[{"href":"https:\/\/site.noi3.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/site.noi3.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/site.noi3.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}