Tuesday, March 23, 2010

hardening ubuntu

I came across the article here
http://www.ubuntu-unleashed.com/2008/04/howto-harden-ubuntu-linux-kernel-with.html

so I thought of trying it

I opened the terminal (Applications > Accessories > Terminal) and typed in
sudo gedit /etc/sysctl.conf
then entered the sudo password

the file I got was

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
# and is not recommended.
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
#net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
# kernel.maps_protect = 1

the article has some stuff from
http://servermonkeys.com/projects/els/sysctl/sysctl.conf

so I tried that

will update after I take the system for a test run

on running
sysctl -p
sysctl -w net.ipv4.route.flush=1

it threw up errors

error: permission denied on key 'net.ipv4.ip_forward'
error: permission denied on key 'net.ipv4.conf.default.rp_filter'
error: permission denied on key 'kernel.sysrq'
error: permission denied on key 'kernel.core_uses_pid'
error: permission denied on key 'net.ipv4.tcp_syncookies'
error: permission denied on key 'net.ipv4.tcp_max_syn_backlog'
error: permission denied on key 'net.ipv4.tcp_synack_retries'
error: permission denied on key 'net.ipv4.ip_forward'
error: permission denied on key 'net.ipv4.conf.all.accept_source_route'
error: permission denied on key 'net.ipv4.conf.lo.accept_source_route'
error: permission denied on key 'net.ipv4.conf.eth0.accept_source_route'
error: permission denied on key 'net.ipv4.conf.default.accept_source_route'
error: permission denied on key 'net.ipv4.conf.all.rp_filter'
error: permission denied on key 'net.ipv4.conf.lo.rp_filter'
error: permission denied on key 'net.ipv4.conf.eth0.rp_filter'
error: permission denied on key 'net.ipv4.conf.default.rp_filter'
error: permission denied on key 'net.ipv4.conf.all.accept_redirects'
error: permission denied on key 'net.ipv4.conf.lo.accept_redirects'
error: permission denied on key 'net.ipv4.conf.eth0.accept_redirects'
error: permission denied on key 'net.ipv4.conf.default.accept_redirects'
error: permission denied on key 'net.ipv4.conf.all.log_martians'
error: permission denied on key 'net.ipv4.conf.lo.log_martians'
error: permission denied on key 'net.ipv4.conf.eth0.log_martians'
error: permission denied on key 'net.ipv4.conf.all.accept_source_route'
error: permission denied on key 'net.ipv4.conf.lo.accept_source_route'
error: permission denied on key 'net.ipv4.conf.eth0.accept_source_route'
error: permission denied on key 'net.ipv4.conf.default.accept_source_route'
error: permission denied on key 'net.ipv4.conf.all.rp_filter'
error: permission denied on key 'net.ipv4.conf.lo.rp_filter'
error: permission denied on key 'net.ipv4.conf.eth0.rp_filter'
error: permission denied on key 'net.ipv4.conf.default.rp_filter'
error: permission denied on key 'net.ipv4.conf.all.accept_redirects'
error: permission denied on key 'net.ipv4.conf.lo.accept_redirects'
error: permission denied on key 'net.ipv4.conf.eth0.accept_redirects'
error: permission denied on key 'net.ipv4.conf.default.accept_redirects'
error: permission denied on key 'kernel.sysrq'
error: permission denied on key 'fs.file-max'
error: permission denied on key 'net.ipv4.tcp_fin_timeout'
error: permission denied on key 'net.ipv4.tcp_keepalive_time'
error: permission denied on key 'net.ipv4.tcp_window_scaling'
error: permission denied on key 'net.ipv4.tcp_sack'
error: permission denied on key 'net.ipv4.tcp_timestamps'
error: permission denied on key 'net.ipv4.tcp_syncookies'
error: permission denied on key 'net.ipv4.icmp_echo_ignore_broadcasts'
error: permission denied on key 'net.ipv4.icmp_ignore_bogus_error_responses'
error: permission denied on key 'net.ipv4.conf.all.log_martians'
error: permission denied on key 'kernel.shmmax'
error: "vm.bdflush" is an unknown key
error: "vm.buffermem" is an unknown key
error: permission denied on key 'net.ipv4.tcp_max_syn_backlog'
error: permission denied on key 'net.ipv4.tcp_mem'
error: permission denied on key 'net.ipv4.tcp_wmem'
error: permission denied on key 'net.ipv4.tcp_rmem'
error: permission denied on key 'net.core.rmem_max'
error: permission denied on key 'net.core.rmem_default'
error: permission denied on key 'net.core.wmem_max'
error: permission denied on key 'net.core.wmem_default'
error: permission denied on key 'net.ipv4.tcp_max_tw_buckets'
error: permission denied on key 'net.ipv4.ip_local_port_range'
error: permission denied on key 'net.ipv4.ipfrag_high_thresh'
error: permission denied on key 'net.ipv4.ipfrag_low_thresh'
error: permission denied on key 'net.core.optmem_max'
error: "net.core.hot_list_length" is an unknown key
sysctl -w net.ipv4.route.flush=1
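Two things stand out in that error list. "permission denied on key" is what sysctl prints when it is run as an ordinary user, so the settings were never applied; sysctl -p has to be run with sudo. The three "unknown key" lines (vm.bdflush, vm.buffermem, net.core.hot_list_length) are 2.4-era keys that 2.6 kernels no longer expose, so a file copied from an old hardening guide will carry settings that silently do nothing. As an added example that is not part of the original post, here is a small script that writes the hardening settings the stock sysctl.conf ships commented out into a file under /etc/sysctl.d/ (the path and the SYSCTL_ROOT knob are my assumptions), loads them as root, and audits the live values from /proc/sys so that a stale key is reported instead of skipped.

```shell
#!/bin/sh
# Added example (not from the original post): apply a hardening fragment
# of sysctl settings and verify each one by reading it back from /proc/sys.
# Assumes a Linux /proc/sys tree; SYSCTL_ROOT (an assumed knob for testing)
# can point at a fake tree instead.

SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}
FRAGMENT_FILE=${FRAGMENT_FILE:-/etc/sysctl.d/60-hardening.conf}   # assumed path

# Constructed fragment: the network settings that the stock Ubuntu
# /etc/sysctl.conf ships commented out, plus one 2.4-era key that the
# servermonkeys.com file still carried and that 2.6 kernels reject.
HARDENING_FRAGMENT='
# reverse-path filter (spoof protection)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# ignore ICMP broadcasts and bogus ICMP errors
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# we are not a router: no redirects, no source routing, log martians
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
# unknown on 2.6 kernels; an audit should report it rather than silently skip
vm.bdflush = 30 500 0 0 500 3000 60 20 0
'

# Strip comments and blank lines; print one "key=value" per line, trimmed.
parse_sysctl_conf() {
  printf '%s\n' "$1" | awk '
    { sub(/#.*/, "") }
    /^[ \t]*$/ { next }
    index($0, "=") == 0 { next }
    {
      key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      print key "=" val
    }'
}

# net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter
sysctl_key_to_path() {
  printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# check_sysctl KEY EXPECTED: 0 = matches, 1 = differs, 2 = key does not exist.
# Kernel values may be tab separated (e.g. kernel.printk), so whitespace is
# normalised to single spaces before comparing.
check_sysctl() {
  path=$(sysctl_key_to_path "$1")
  if [ ! -e "$path" ]; then
    printf 'unknown  %s\n' "$1"; return 2
  fi
  actual=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
  if [ "$actual" = "$2" ]; then
    printf 'ok       %s = %s\n' "$1" "$2"; return 0
  fi
  printf 'mismatch %s expected=%s actual=%s\n' "$1" "$2" "$actual"; return 1
}

# audit_sysctl_fragment TEXT: check every setting; return the number of
# settings that are missing or differ (0 means the host matches the fragment).
audit_sysctl_fragment() {
  tmp=$(mktemp)
  parse_sysctl_conf "$1" > "$tmp"
  failures=0
  while IFS= read -r line; do
    check_sysctl "${line%%=*}" "${line#*=}" || failures=$((failures + 1))
  done < "$tmp"
  rm -f "$tmp"
  return "$failures"
}

# Usage: sh sysctl-harden.sh apply   (writes the fragment and loads it as root)
#        sh sysctl-harden.sh audit   (reads /proc/sys and reports drift)
case "${1:-}" in
  apply)
    printf '%s\n' "$HARDENING_FRAGMENT" | sudo tee "$FRAGMENT_FILE" > /dev/null
    # needs root: an unprivileged run fails with "permission denied on key"
    sudo sysctl -p "$FRAGMENT_FILE"
    ;;
  audit) audit_sysctl_fragment "$HARDENING_FRAGMENT" ;;
esac
```

Running the audit mode after a reboot is the quick way to confirm the settings survived; the exit status is the number of keys that are missing or differ, so it drops into a cron job or a post-install check without parsing the output.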

after googling some more found

Bastille Linux Home Page

Jay Beale's Linux/Unix Security Page

Linux Administrator's Security Guide

SANS Institute Website


it seems a bit outdated, with lots of warnings that parts no longer relate to ubuntu


trying it anyway

sudo apt-get install bastille

The following packages were automatically installed and are no longer required:
linux-headers-2.6.31-14 pidgin-libnotify linux-headers-2.6.31-14-generic
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
libbit-vector-perl libcarp-clan-perl libcurses-perl libdate-calc-perl
libiptables-chainmgr-perl libiptables-parse-perl libnetwork-ipv4addr-perl
libunix-syslog-perl psad
Suggested packages:
acct perl-tk libgtk-perl fwsnort
The following NEW packages will be installed:
bastille libbit-vector-perl libcarp-clan-perl libcurses-perl
libdate-calc-perl libiptables-chainmgr-perl libiptables-parse-perl
libnetwork-ipv4addr-perl libunix-syslog-perl psad
0 upgraded, 10 newly installed, 0 to remove and 1 not upgraded.
Need to get 1,299kB of archives.
After this operation, 5,169kB of additional disk space will be used.
Do you want to continue [Y/n]?

Get:1 http://in.archive.ubuntu.com karmic/universe libcurses-perl 1.27-2 [137kB]
Get:2 http://in.archive.ubuntu.com karmic/universe bastille 1:3.0.9-12 [463kB]
Get:3 http://in.archive.ubuntu.com karmic/main libcarp-clan-perl 6.00-1 [14.9kB]
Get:4 http://in.archive.ubuntu.com karmic/main libbit-vector-perl 6.6-1 [175kB]
Get:5 http://in.archive.ubuntu.com karmic/universe libdate-calc-perl 5.4-6 [254kB]
Get:6 http://in.archive.ubuntu.com karmic/universe libiptables-parse-perl 0.7-1 [13.5kB]
Get:7 http://in.archive.ubuntu.com karmic/universe libnetwork-ipv4addr-perl 0.10.ds-1 [14.6kB]
Get:8 http://in.archive.ubuntu.com karmic/universe libiptables-chainmgr-perl 0.9-1 [16.8kB]
Get:9 http://in.archive.ubuntu.com karmic/main libunix-syslog-perl 1.1-2 [30.5kB]
Get:10 http://in.archive.ubuntu.com karmic/universe psad 2.1.5-1 [180kB]
Fetched 1,299kB in 6s (199kB/s)
Selecting previously deselected package libcurses-perl.
(Reading database ... 180271 files and directories currently installed.)
Unpacking libcurses-perl (from .../libcurses-perl_1.27-2_i386.deb) ...
Selecting previously deselected package bastille.
Unpacking bastille (from .../bastille_1%3a3.0.9-12_all.deb) ...
Selecting previously deselected package libcarp-clan-perl.
Unpacking libcarp-clan-perl (from .../libcarp-clan-perl_6.00-1_all.deb) ...
Selecting previously deselected package libbit-vector-perl.
Unpacking libbit-vector-perl (from .../libbit-vector-perl_6.6-1_i386.deb) ...
Selecting previously deselected package libdate-calc-perl.
Unpacking libdate-calc-perl (from .../libdate-calc-perl_5.4-6_i386.deb) ...
Selecting previously deselected package libiptables-parse-perl.
Unpacking libiptables-parse-perl (from .../libiptables-parse-perl_0.7-1_all.deb) ...
Selecting previously deselected package libnetwork-ipv4addr-perl.
Unpacking libnetwork-ipv4addr-perl (from .../libnetwork-ipv4addr-perl_0.10.ds-1_all.deb) ...
Selecting previously deselected package libiptables-chainmgr-perl.
Unpacking libiptables-chainmgr-perl (from .../libiptables-chainmgr-perl_0.9-1_all.deb) ...
Selecting previously deselected package libunix-syslog-perl.
Unpacking libunix-syslog-perl (from .../libunix-syslog-perl_1.1-2_i386.deb) ...
Selecting previously deselected package psad.
Unpacking psad (from .../archives/psad_2.1.5-1_i386.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Setting up libcurses-perl (1.27-2) ...
Setting up bastille (1:3.0.9-12) ...
WARNING: Bastille-firewall is not configured yet
Please create /etc/Bastille/bastille-firewall.cfg to enable it.
(HINT: use InteractiveBastille)

Setting up libcarp-clan-perl (6.00-1) ...
Setting up libbit-vector-perl (6.6-1) ...
Setting up libdate-calc-perl (5.4-6) ...
Setting up libiptables-parse-perl (0.7-1) ...
Setting up libnetwork-ipv4addr-perl (0.10.ds-1) ...
Setting up libiptables-chainmgr-perl (0.9-1) ...
Setting up libunix-syslog-perl (1.1-2) ...
Setting up psad (2.1.5-1) ...
Starting Port Scan Attack Detector: psad [*] Could not find mail, edit /etc/psad/psad.conf at /usr/sbin/psad line 9566.
* Unable to start the daemon.
invoke-rc.d: initscript psad, action "start" failed.
dpkg: error processing psad (--configure):
subprocess installed post-installation script returned error exit status 1
E: Sub-process /usr/bin/dpkg returned an error code (1)

checking info on InteractiveBastille

InteractiveBastille asks questions to the user in order to define what
security measures must be implemented on the current system. The
intention is to both educate administrators on security and harden the
host’s security. The configuration file generated by
InteractiveBastille is then used by BastilleBackEnd to make the changes
to the local system if the administrator agrees to run the changes. In
any case, the same configuration can be used to harden other (similar)
hosts non-interactively using AutomatedBastille.

http://manpages.ubuntu.com/manpages/hardy/man8/InteractiveBastille.8.html
http://manpages.ubuntu.com/manpages/jaunty/man7/bastille.7.html

Bastille Linux
This little gem is one of the most useful I know. It ensures that your server’s security is nice and tight.

sudo apt-get install bastille
sudo InteractiveBastille (won't run on ubuntu)
http://blog.developergurus.com/?p=6

ERROR: System is not running a stable Debian GNU/Linux version. Setting to 5.0.
ERROR: System is not running a stable Debian GNU/Linux version. Setting to 5.0.
ERROR: System is not running a stable Debian GNU/Linux version. Setting to 5.0.
NOTE: Valid display found; defaulting to Tk (X) interface.
ERROR: System is not running a stable Debian GNU/Linux version. Setting to 5.0.
NOTE: Using Tk user interface module.
ERROR: System is not running a stable Debian GNU/Linux version. Setting to 5.0.
NOTE: Only displaying questions relevant to the current configuration.
ERROR: System is not running a stable Debian GNU/Linux version. Setting to 5.0.
ERROR: Could not load the 'Tk.pm' interface module.This may be due to an
invalid $DISPLAY setting,or the module not being visible to Perl.
\nInvalid argument list:
Usage: bastille [ -b | -c | -r | -x [ --os version ] ]
-b : use a saved config file to apply changes
directly to system
-c : use the Curses (non-X11) TUI
-r : revert all Bastille changes to-date
-x : use the Perl/Tk (X11) GUI
--os version : ask all questions for the given operating system
version. e.g. --os RH6.0


create /etc/Bastille/bastille-firewall.cfg
No command 'create' found, did you mean:
Command 'mcreate' from package 'lustre-utils' (universe)
create: command not found
http://www.linuxjournal.com/article/4547
psad: Intrusion Detection and Log Analysis with iptables
http://otype.de/index.php?id=139
http://cipherdyne.org/psad/
http://bastille-linux.sourceforge.net/running_bastille_on.htm
http://packages.ubuntu.com/dapper/bastille

$ sudo aptitude install psad
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
The following packages will be REMOVED:
linux-headers-2.6.31-14{u} linux-headers-2.6.31-14-generic{u}
pidgin-libnotify{u}
The following partially installed packages will be configured:
psad
0 packages upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 82.3MB will be freed.
Do you want to continue? [Y/n/?] y


Writing extended state information... Done
(Reading database ... 180603 files and directories currently installed.)
Removing linux-headers-2.6.31-14-generic ...
Removing linux-headers-2.6.31-14 ...
Removing pidgin-libnotify ...
Setting up psad (2.1.5-1) ...
Starting Port Scan Attack Detector: psad [*] Could not find mail, edit /etc/psad/psad.conf at /usr/sbin/psad line 9566.
* Unable to start the daemon.
invoke-rc.d: initscript psad, action "start" failed.
dpkg: error processing psad (--configure):
subprocess installed post-installation script returned error exit status 1
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install. Trying to recover:
Setting up psad (2.1.5-1) ...
Starting Port Scan Attack Detector: psad [*] Could not find mail, edit /etc/psad/psad.conf at /usr/sbin/psad line 9566.
* Unable to start the daemon.
invoke-rc.d: initscript psad, action "start" failed.
dpkg: error processing psad (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
psad
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done

sudo aptitude install perl-tk

cariboo907 I don't know If I'd want to use Bastille any more, as it hasn't been updated since early 2008, it looks like development has stopped. That may be why you're getting the error message.

Check bodhi.zazen's security guides here.
Security

Security Discussions (Ubuntu Forums)

How to secure SSH servers

UFW (Configure your firewall [iptables] )

Free Security Tools?

Linux System Administrator's Guide

Securing Debian Manual
__________________
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999
http://ubuntuforums.org/showthread.php?t=1046738

http://ubuntuforums.org/showthread.php?t=1416029

http://manpages.ubuntu.com/manpages/intrepid/man1/bastille.1m.html
http://packages.ubuntu.com/lucid/harden

UFW - Uncomplicated Firewall

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall.
https://help.ubuntu.com/community/UFW?action=show&redirect=Uncomplicated_Firewall_ufw

you can go to the ubuntu software center and type

GUFW
Gufw is an easy to use Ubuntu / Linux firewall, powered by ufw.

Gufw is an easy, intuitive, way to manage your Linux firewall. It supports common tasks such as allowing or blocking pre-configured, common p2p, or individual ports port(s), and many others! Gufw is powered by ufw , runs on Ubuntu, and anywhere else Python, GTK, and Ufw are available.
http://gufw.tuxfamily.org/index.html
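The same policy Gufw sets up through its GUI is a handful of ufw commands, and it is worth knowing them because "Status: active" alone says nothing about whether inbound traffic is actually denied by default. As an added example that is not from the original post or from the ufw project, this script prints or applies a default-deny host policy (with SSH rate-limited rather than simply allowed) and checks the output of ufw status verbose for the properties that matter; SSH_PORT is an assumed parameter and the two sample status texts are constructed for the check.

```shell
#!/bin/sh
# Added example (not from the original post or from the ufw project):
# a minimal default-deny host policy for ufw and a check that parses the
# output of 'ufw status verbose'. Assumes ufw is installed; SSH_PORT is an
# assumed parameter, and the sample status texts below are constructed.

SSH_PORT=${SSH_PORT:-22}

# The commands for a default-deny host: drop unsolicited inbound traffic,
# allow outbound, log at low volume, and rate-limit (not just allow) SSH.
ufw_policy_commands() {
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw logging low
ufw limit ${SSH_PORT}/tcp
ufw --force enable
EOF
}

# ufw_policy_check STATUS_TEXT: return 0 only when the firewall is active,
# inbound is default-deny, logging is on, and SSH is rate-limited rather
# than plainly allowed. Each failed check is printed on its own line.
ufw_policy_check() {
  status=$1
  bad=0
  printf '%s\n' "$status" | grep -q '^Status: active' \
    || { echo 'firewall is not active'; bad=1; }
  printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
    || { echo 'incoming traffic is not default-deny'; bad=1; }
  printf '%s\n' "$status" | grep -q '^Logging: on' \
    || { echo 'logging is off'; bad=1; }
  printf '%s\n' "$status" | grep -q "^${SSH_PORT}/tcp[[:space:]]*LIMIT IN" \
    || { echo "port ${SSH_PORT}/tcp is not rate-limited"; bad=1; }
  return "$bad"
}

# Constructed sample outputs; the exact layout of 'ufw status verbose'
# varies a little between ufw versions.
SAMPLE_STATUS_GOOD='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere'

SAMPLE_STATUS_WEAK='Status: active
Logging: off
Default: allow (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere'

# Usage: sh ufw-harden.sh show | apply | check
case "${1:-}" in
  show)  ufw_policy_commands ;;
  apply) ufw_policy_commands | while IFS= read -r cmd; do sudo $cmd; done ;;
  check) ufw_policy_check "$(sudo ufw status verbose)" ;;
esac
```

ufw limit is the reason to type the rule by hand rather than clicking "allow 22": it drops a source that opens more than a handful of new SSH connections in a short window, which is enough to blunt the password-guessing noise that psad (from earlier in the post) would otherwise be logging all day.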
