Friday, October 16, 2020

Ubuntu Server Hardening

 


  • Set bash history with a time stamp for root and other users

Add this to ~/.bashrc of each user (for root: /root/.bashrc). HISTTIMEFORMAT makes "history" show when each command ran. HISTFILESIZE caps the lines kept on disk and must be at least HISTSIZE, otherwise bash truncates the file below what it holds in memory (the original set 200000 on disk against 500000 in memory; both are 500000 here). PROMPT_COMMAND='history -a' appends every command to the file as soon as it runs instead of at logout, so a session that is killed or disconnected still leaves a trail.

HISTSIZE=500000
HISTFILESIZE=500000
HISTTIMEFORMAT="(%m/%d/%y) %T "

export HISTFILESIZE
export HISTSIZE
export HISTTIMEFORMAT

export PROMPT_COMMAND='history -a'

Keep in mind that the history file is owned by the user, who can edit it, truncate it or point HISTFILE at /dev/null, so this helps with review but is not an audit trail. For tamper-evident command logging use auditd.

  • Kernel parameter setup
Add this to "/etc/sysctl.conf" (or a drop-in such as /etc/sysctl.d/99-hardening.conf) and apply it with "sudo sysctl --system". The original list had several keys twice, net.core.netdev_max_backlog with two different values (16384 and 300000; the last one loaded silently wins, 16384 is kept below), and three entries that do not belong on an Ubuntu server: kernel.exec-shield is a Red Hat kernel patch that Ubuntu never shipped, so sysctl only reports an error for it (Ubuntu kernels enforce NX without it); net.ipv4.tcp_tw_recycle was removed in Linux 4.12 and broke clients behind NAT before that; and kernel.randomize_va_space=1 randomises only the stack, mmap base and VDSO, while 2 (the Ubuntu default) also randomises the heap and is the value to set. net.ipv4.tcp_timestamps=0 is kept from the original; it hides the uptime that TCP timestamps leak, but it also disables PAWS and RTT estimation, so weigh that against the throughput cost on busy hosts. The hardening settings are separated from the tuning ones, which affect capacity rather than security.

# network hardening
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=0
kernel.randomize_va_space=2

# throughput and backlog tuning (not security settings)
net.core.somaxconn=4096
net.core.netdev_max_backlog=16384
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 16384 16777216
net.ipv4.ip_local_port_range=1024 65535
net.ipv4.tcp_max_syn_backlog=8192
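
The following is an added example, not part of the original post: a small sysctl.conf linter you can run over a file before loading it. It reports keys that appear more than once (a conflicting duplicate is the kind of mistake that leaves you running a different value than you think), keys that are not tunables on Ubuntu kernels (sysctl prints an error for those and continues, so the mistake is easy to miss), and a weak kernel.randomize_va_space value. The list of removed keys is an assumption for this demonstration, and the sample input is the post's original list embedded as constructed data so the script runs offline.

```shell
# Added example: lint a sysctl.conf-style file before loading it.
# Not part of the original post. The removed-key list below is an assumption
# for this demo; SAMPLE_SYSCTL is constructed input (the post's original list).

SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts=1
kernel.exec-shield=1
kernel.randomize_va_space=1
net.core.somaxconn=4096
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.ip_local_port_range=1024 65535
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_max_syn_backlog=8192
net.core.netdev_max_backlog=16384
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 16384 16777216
net.ipv4.tcp_syncookies = 1
net.core.netdev_max_backlog=300000
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps=0'

# sysctl_lint [FILE]  -- reads FILE (or stdin), prints one finding per line,
# exits 0 only when there is nothing to report.
sysctl_lint() {
    awk -v removed="kernel.exec-shield net.ipv4.tcp_tw_recycle" '
    BEGIN {
        n = split(removed, r, " ")
        for (i = 1; i <= n; i++) gone[r[i]] = 1
    }
    {
        sub(/#.*/, "")                       # sysctl.conf allows # comments
        if ($0 ~ /^[ \t]*$/) next            # blank after stripping
        eq = index($0, "=")
        if (eq == 0) { printf "MALFORMED line %d: %s\n", NR, $0; bad = 1; next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)     # "a = b" and "a=b" are the same key
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key in gone) {
            printf "REMOVED %s (line %d): not a tunable on current Ubuntu kernels\n", key, NR
            bad = 1
        }
        if (key in seen) {
            if (seen[key] != val)
                printf "CONFLICT %s: line %d sets %s, line %d sets %s (last loaded wins)\n", key, first[key], seen[key], NR, val
            else
                printf "DUPLICATE %s: lines %d and %d\n", key, first[key], NR
            bad = 1
        } else {
            seen[key] = val; first[key] = NR
        }
        if (key == "kernel.randomize_va_space" && val != "2") {
            printf "WEAK %s=%s: 2 also randomises the heap, 1 does not\n", key, val
            bad = 1
        }
    }
    END { exit bad }' "$@"
}

# Usage: sysctl_lint /etc/sysctl.conf
#    or: printf "%s\n" "$SAMPLE_SYSCTL" | sysctl_lint
```

Run against the post's original list it reports three plain duplicates, the netdev_max_backlog conflict, the two removed keys and the weak ASLR value; a file with none of those exits 0, which makes it usable as a pre-commit check for configuration management.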

  • Set resource limits for the users that run applications
Add the lines below to /etc/security/limits.conf. pam_limits applies them at login, so the users have to log in again for the change to take effect. The "-" in the second column sets both the soft and the hard limit; User1 and User2 stand for the accounts the applications run under.

root        -    nofile          40000
User1       -    nofile          40000
User2       -    nofile          40000
 

  •  Lock user accounts after 3 failed login attempts

Add the auth line to /etc/pam.d/common-auth above the pam_unix.so line, so the counter is updated before the password is checked, and add the account line to /etc/pam.d/common-account, so the counter is reset after a successful login:

auth    required        pam_tally2.so deny=3 unlock_time=60
account required        pam_tally2.so

A locked account unlocks by itself after unlock_time seconds (60 here) or can be reset with "pam_tally2 --user=User1 --reset". Without the even_deny_root option root is never locked. Note that anyone who can reach a login prompt can lock out any account whose name they know by failing three times, which is why the unlock time is kept short. Edit PAM from a session you keep open and test the login in a second one, since a mistake in common-auth locks everyone out. pam_tally2 was removed upstream in Linux-PAM 1.5.0; on releases that ship without it, use pam_faillock with the same deny= and unlock_time= options.

  •  Set ulimit and an idle timeout

Add these lines to the .bashrc of each user that needs them. ulimit -n can only be raised up to the hard limit granted in /etc/security/limits.conf, so that step has to come first. TMOUT logs an idle shell out after 1800 seconds; make it readonly, otherwise the user can simply unset it. ulimit -c unlimited turns core dumps on, which is useful for debugging but writes the process memory, including any secrets it held, to disk; enable it only where it is needed and restrict who can read the dump location.

ulimit -n 40000
readonly TMOUT=1800
export TMOUT
ulimit -c unlimited

  • Secure SSH

Disable SSH login for the root user and restrict logins to the accounts in the AllowUsers list.

Change these settings in /etc/ssh/sshd_config:

PermitRootLogin no
Port 3222
AllowUsers User1 User2

sshd uses the first uncommented occurrence of a keyword and ignores later ones, so edit the existing PermitRootLogin line rather than appending a second one, and note that Ubuntu 20.04 and later start sshd_config with "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in there takes precedence over the main file. Check the syntax with "sudo sshd -t" and open the new port in the firewall (for example "sudo ufw allow 3222/tcp") before "sudo systemctl reload ssh", and keep the current session open until a fresh login on port 3222 works. Moving the port cuts down log noise from scanners but is not a security control by itself; the root ban and the user allow-list are.
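
As an added example, not from the original post, the script below reads an sshd_config and reports the value sshd will actually use for the three settings above. It applies sshd's rules that the first uncommented value of a keyword wins, that keyword names are case-insensitive, and that anything after a Match line is scoped to that block. It assumes whitespace-separated "Keyword value" lines and does not follow Include, so the authoritative check on a live host remains "sudo sshd -T"; the two sample configs are constructed for this demonstration.

```shell
# Added example: what sshd will really use for PermitRootLogin, Port and
# AllowUsers. Not from the original post. Assumes "Keyword value" lines
# separated by whitespace and does not follow Include; both samples are
# constructed. On a real host run "sudo sshd -T" for the authoritative view.

# Constructed: a stock file with PermitRootLogin yes where the three lines
# from the post were appended at the bottom, as a copy-and-paste edit would.
BAD_SSHD='Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
#Port 22
PasswordAuthentication yes
PermitRootLogin no
Port 3222
AllowUsers User1 User2'

# Constructed: the same file with the existing PermitRootLogin line edited.
GOOD_SSHD='Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
Port 3222
AllowUsers User1 User2
PasswordAuthentication yes'

# sshd_effective KEYWORD  (config on stdin): prints the effective global value
# of KEYWORD, or nothing if the file leaves it at the built-in default.
sshd_effective() {
    awk -v want="$1" '
    BEGIN { want = tolower(want) }
    /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
    tolower($1) == "match" { in_match = 1 }  # rest of the file is Match-scoped
    in_match { next }
    tolower($1) == want {                    # first hit wins, as in sshd
        val = $2
        for (i = 3; i <= NF; i++) val = val " " $i
        print val
        exit
    }'
}

# sshd_audit  (config on stdin): print the three settings from the post and
# exit 0 only if root login is off and an AllowUsers list is present.
sshd_audit() {
    cfg=$(cat)
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    port=$(printf '%s\n' "$cfg" | sshd_effective Port)
    users=$(printf '%s\n' "$cfg" | sshd_effective AllowUsers)
    printf 'PermitRootLogin=%s Port=%s AllowUsers=%s\n' \
        "${root:-<unset>}" "${port:-22}" "${users:-<unset>}"
    [ "$root" = "no" ] && [ -n "$users" ]
}

# Usage on a host: sshd_audit < /etc/ssh/sshd_config
# Demo on the constructed samples:
printf '%s\n' "$BAD_SSHD" | sshd_audit || echo "BAD_SSHD: the appended PermitRootLogin no is ignored"
printf '%s\n' "$GOOD_SSHD" | sshd_audit && echo "GOOD_SSHD: hardened"
```

For BAD_SSHD the audit reports PermitRootLogin=yes even though "PermitRootLogin no" is in the file, which is exactly the silent failure the first-match rule produces; GOOD_SSHD passes.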
