Ubuntu 16.04 Server Security
In this article, we will discuss some server security configurations that help protect an Ubuntu 16.04 server environment.
Secure shared memory
First, open the configuration file for editing using the command below:
sudo nano /etc/fstab
Next, add the following line of code to the bottom of the configuration file:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Save and close the file. Then restart the server for the changes to take effect.
Enable ssh login for specific users
It is good practice to enable ssh login only for specific users. If you also want to allow secure shell entry for a user only from a specific IP address, here are the steps to use.
For instance, to allow secure shell entry only for the user george, from IP address 192.168.6.32:
In the terminal, open the ssh config file using the following command:
sudo nano /etc/ssh/sshd_config
At the end of the file, add this line of code:
AllowUsers george@192.168.6.32
Save the file and restart sshd with the command below:
sudo service ssh restart
Currently, secure shell only allows entry by george from IP address 192.168.6.32. At this point, if anyone other than george tries to ssh into the server, they will get a prompt for a password that will not be accepted, or be denied access outright.
Since we all have different needs, you might want to allow all users on a particular network to access the server via ssh.
To do that, add the following line of code to the end of the ssh config file:
AllowUsers *@192.168.6.*
Restart the ssh server for changes to take effect.
Adding security login banner
Most people will not consider adding a login banner, but with one in place a malicious user might think twice about continuing. The effect is purely psychological, but it is a step you should not overlook.
To configure it, open the configuration file with the following command:
sudo nano /etc/issue.net
Add a suitable warning and save the file.
Next, disable the banner message from motd. Use the following command to open the configuration file:
sudo nano /etc/pam.d/sshd
In the configuration file, comment out the following lines by adding # at the beginning of each line:
#session optional pam_motd.so motd=/run/motd.dynamic
#session optional pam_motd.so noupdate
Now, open the ssh configuration file (/etc/ssh/sshd_config) and uncomment this line by removing the leading #, so that sshd shows the banner:
#Banner /etc/issue.net
Next, save the file and restart the ssh server with the following command:
sudo service ssh restart
Harden the networking layer
To log all malformed IPs and prevent source routing of incoming packets on the Ubuntu server, open the configuration file with the following command:
sudo nano /etc/sysctl.conf
Uncomment the following settings (the lines starting with # are descriptive comments and stay as they are):
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
Save the file, and apply the settings with the following command:
sudo sysctl -p
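A common mistake at this step is to leave one of the lines commented out, in which case sysctl -p silently keeps the kernel default. The POSIX shell audit below is an added example, not part of the original article: it reads a sysctl.conf-style file, keeps the last uncommented assignment of each key (the one sysctl actually applies) and reports keys that are missing, still commented out, or set to a different value. EXPECTED covers a subset of the article's list; add the remaining keys in the same form.

```shell
#!/bin/sh
# Added example (not from the original article): audit a sysctl.conf-style file
# against the hardening values listed above before running "sudo sysctl -p".
# Expected key=value pairs (a subset of the article's list; extend in the same form).
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1'

# audit_sysctl_conf FILE: sysctl honours the last assignment of a key, so strip
# comments, keep the last "key = value" line per key and compare the value.
# Prints MISSING (absent or commented out) or MISMATCH per key; returns 0 only
# when every expected key matches.
audit_sysctl_conf() {
    file=$1
    findings=$(printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        have=$(sed 's/[#;].*//' "$file" | awk -F'=' -v k="$key" \
            '{ gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) } $1 == k { v = $2 } END { print v }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s = %s (want %s)\n' "$key" "$have" "$want"
        fi
    done)
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# write_sample_conf FILE: constructed sample for the demo, with tcp_syncookies
# still commented out (as shipped) and accept_redirects set to the wrong value.
write_sample_conf() {
    cat > "$1" <<'EOF'
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 1
#net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
EOF
}

# Demo on the constructed file; real use: audit_sysctl_conf /etc/sysctl.conf
tmp=$(mktemp); write_sample_conf "$tmp"
if audit_sysctl_conf "$tmp"; then echo "all hardening keys set"; fi; rm -f "$tmp"
```

On a real host, run it against /etc/sysctl.conf and then compare with `sysctl -a` to confirm the running values match as well.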
Preventing IP spoofing
Finally, to prevent the server’s IP from being spoofed, open the configuration file with the following command:
sudo nano /etc/host.conf
The initial configuration looks like this:
# The "order" line is only used by old versions of the C library.
order hosts,bind
multi on
Change the configuration to this:
# The "order" line is only used by old versions of the C library.
order bind,hosts
nospoof on
Save the file. Voilà! No more IP spoofing.
Conclusion
The configurations above are only some of the enhancements you can make to improve your server security.
Top comments (3)
Ubuntu 16.04 is 4 years old and reached EoL. Upgrade to 18.04 or wait for 20.04.
That is true, but some people are still using Ubuntu 16.04.
Also, I have an article on Upgrading from Ubuntu 16.04 to 18.04.
Ubuntu 20.04 released.
Any tips for that?