@kaipee
Last active October 2, 2018 22:06
A few initial pointers for securing Linux systems

Hardening Ubuntu defaults

This gist aims to be an incomplete set of steps to provide additional hardening of a default Ubuntu Server installation. The following guides and configurations have been collated from man pages; source documentation; and online guides / best practices.

This document focuses on production Ubuntu server installations, not desktop configurations. Please note: your requirements may differ; use at your own risk.

This is a live document which I hope to update with new findings.

Packages

Packages to remove


Services

Many Linux distributions, Ubuntu in particular, ship with more and more services enabled alongside default configurations that are not hardened. This list aims to detail some potentially non-required services and how to disable, remove, or completely uninstall them.

Services to remove


Services to disable


Service configurations


SSH

SSH - generate SSH keys
SSH - restrict access to ~/.ssh
SSH - do not allow root login
SSH - do not allow password login (keys only)
SSH - specifically allow only certain users or groups
SSH - change from the default port
SSH - disable all legacy protocol versions
SSH - reduce LoginGraceTime
SSH - increase ServerKeyBits strength
SSH - disable rhosts (IgnoreRhosts yes)
SSH - disable RhostsAuthentication
SSH - disable HostbasedAuthentication
SSH - disable RhostsRSAAuthentication
SSH - disable PermitEmptyPasswords
SSH - disable PAM (password auth)
SSH - enable RSAAuthentication (keys)
SSH - enable StrictModes
SSH - disable X11Forwarding
SSH - disable known hosts auth
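The SSH items above, written out as an sshd drop-in file together with a check of the values sshd will actually use. This is an added example, not part of kaipee's gist: port 2222, the group name sshusers and the drop-in path are assumptions. Two points the list does not spell out: sshd takes the first value it sees for a keyword, so a drop-in only wins if it is included before the main config (Ubuntu 20.04+ includes /etc/ssh/sshd_config.d/*.conf at the top of sshd_config; on older releases put the lines at the top of sshd_config itself), and ServerKeyBits, RSAAuthentication and RhostsRSAAuthentication are protocol-1 options that current OpenSSH no longer accepts, so they are left out. Keep a second session open and confirm key login works before disabling password authentication.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): write the SSH checklist as an sshd
# drop-in and verify the effective values the way sshd reads them.
set -eu

# Assumed values: pick your own port and admin group.
SSH_PORT="${SSH_PORT:-2222}"
SSH_GROUP="${SSH_GROUP:-sshusers}"

write_sshd_hardening() {
  cat > "$1" <<EOF
# Hardened sshd settings (added example).
Port ${SSH_PORT}
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
AllowGroups ${SSH_GROUP}
LoginGraceTime 30
MaxAuthTries 3
IgnoreRhosts yes
HostbasedAuthentication no
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
# UsePAM is left at Ubuntu's default (yes): with PasswordAuthentication and
# ChallengeResponseAuthentication off, PAM cannot be used to log in with a
# password but still runs the account and session checks.
EOF
}

# sshd uses the FIRST value it sees for a keyword; a later line cannot
# override an earlier one. So check the first match for each setting.
check_sshd_hardening() {
  local file="$1" want key got bad=0
  for want in "PermitRootLogin no" "PasswordAuthentication no" \
              "PermitEmptyPasswords no" "HostbasedAuthentication no" \
              "IgnoreRhosts yes" "StrictModes yes" "X11Forwarding no"; do
    key="${want%% *}"
    got=$(grep -i "^[[:space:]]*${key}[[:space:]]" "$file" | head -n 1 | awk '{print $1, $2}')
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
      echo "NOT HARDENED: wanted '$want', first match: '${got:-none}'" >&2
      bad=1
    fi
  done
  return $bad
}

# Demo against a temporary file; on a real host the target is
# /etc/ssh/sshd_config.d/99-hardening.conf (assumed name) or the top of
# /etc/ssh/sshd_config on releases without the Include line.
tmp=$(mktemp)
write_sshd_hardening "$tmp"
check_sshd_hardening "$tmp" && echo "all required settings present"
# Validate syntax before restarting sshd, when sshd is installed here.
command -v sshd >/dev/null 2>&1 && sshd -t -f "$tmp" && echo "sshd -t: syntax OK"
rm -f "$tmp"
```

Run the check against the live config with `check_sshd_hardening /etc/ssh/sshd_config` after your drop-in is in place; a "first match" of `PermitRootLogin yes` tells you the stock line is still winning and your file is being included too late.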

System

System tweaks


Firewall

Firewall - install and configure a firewall (iptables, ufw or ConfigServer Firewall [CSF&LFD])
Firewall - deny all > allow only required ports
Firewall - enable geo-restriction (disable Russia, China, etc., whatever is unneeded)
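The three firewall items as a ufw script: deny everything inbound, add the geo-block denies, then allow only the ports that are needed. This is an added example, not code from the gist; port 2222 is the assumed SSH port, and the blocklist used in the demo is made of RFC 5737 documentation ranges, not a real country list. Two details matter in practice: ufw evaluates rules in order, so the denies have to be added before the allows, and a downloaded blocklist is untrusted input, so every line is validated before it reaches ufw. The script prints the commands by default (DRY_RUN=1); run it with DRY_RUN=0 as root to apply them.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): deny-by-default ufw policy with the
# blocklist denies added before the allows.
set -eu

SSH_PORT="${SSH_PORT:-2222}"   # assumption: the non-default port from the SSH section
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the ufw commands; 0 = run them (root required)

# Run ufw, or just print the command while DRY_RUN=1.
fw() {
  if [ "$DRY_RUN" = "1" ]; then echo "ufw $*"; else ufw "$@"; fi
}

# Accept only a dotted-quad IPv4 CIDR: four octets 0-255 and a prefix 0-32.
is_ipv4_cidr() {
  local cidr="$1" ip prefix n
  case "$cidr" in */*) ;; *) return 1 ;; esac
  ip="${cidr%/*}"; prefix="${cidr#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  [ "$(printf '%s' "$ip" | tr -cd '.' | wc -c | tr -d ' ')" -eq 3 ] || return 1
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  for n in "$@"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -le 255 ] || return 1
  done
  return 0
}

apply_policy() {
  local blocklist="$1" line
  fw default deny incoming
  fw default allow outgoing
  # ufw evaluates rules in order: the blocklist denies are added first so
  # they take precedence over the allows that follow.
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"
    line="$(printf '%s' "$line" | tr -d '[:space:]')"
    [ -n "$line" ] || continue
    if is_ipv4_cidr "$line"; then
      fw deny from "$line" to any
    else
      echo "blocklist: skipping malformed entry '$line'" >&2
    fi
  done < "$blocklist"
  # "limit" allows the port but rate-limits new connections per source
  # (6 attempts in 30 seconds), which blunts brute force before fail2ban acts.
  fw limit "${SSH_PORT}/tcp" comment 'ssh'
  fw allow 80/tcp comment 'http'
  fw allow 443/tcp comment 'https'
  fw --force enable
  fw status verbose
}

# Constructed blocklist for the demo: documentation ranges plus two bad lines.
blocklist=$(mktemp)
cat > "$blocklist" <<'EOF'
# placeholder ranges (RFC 5737 documentation networks), not a real country list
192.0.2.0/24
198.51.100.0/24
300.1.1.0/24      # octet out of range, must be skipped
203.0.113.0/40    # prefix out of range, must be skipped
EOF
apply_policy "$blocklist"
rm -f "$blocklist"
```

Add the rule for SSH before `ufw --force enable` whenever you work over SSH; enabling a deny-by-default policy without it drops your own session.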

Kernel tweaks


Monitoring

Monitor - install an auto-ban package (fail2ban or Login Failure Daemon [CSF&LFD])
Monitor - install a Host Intrusion Detection System [HIDS] (tripwire or OSSEC)
Monitor - check and report unusual issues with logs (LogWatch, etc.)
Monitor - check network usage for unusual issues (OpenNMS, etc.)
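The auto-ban and log-checking items together: a fail2ban jail.local for sshd on the custom port, plus a short awk pass over constructed auth.log lines that shows what fail2ban counts against a source address. This is an added example, not from the gist; the port 2222, the thresholds and the sample log lines are assumptions (the addresses are documentation ranges). The port line is the detail most often missed: the jail bans on the port it is told about, so a custom sshd Port needs a matching jail entry.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): fail2ban jail for sshd on the custom port
# and a summary of failed logins per source, like the jail would count them.
set -eu

SSH_PORT="${SSH_PORT:-2222}"   # assumption: port from the SSH section
MAXRETRY=3                     # failures before a ban
BANTIME=3600                   # seconds a source stays banned
FINDTIME=600                   # window in which MAXRETRY failures must occur

# /etc/fail2ban/jail.local overrides jail.conf; only the changed values go here.
write_jail_local() {
  cat > "$1" <<EOF
[DEFAULT]
bantime  = ${BANTIME}
findtime = ${FINDTIME}
maxretry = ${MAXRETRY}
# Never ban the loopback; add your own management range here (assumption).
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
# Must match sshd's Port, otherwise the ban rule blocks the wrong port.
port    = ${SSH_PORT}
EOF
}

# Constructed /var/log/auth.log sample (not real traffic): 192.0.2.10 fails
# three times, 198.51.100.9 once, and one key-based login succeeds in between.
SAMPLE_LOG='Oct  2 22:01:01 srv sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Oct  2 22:01:03 srv sshd[1002]: Failed password for root from 192.0.2.10 port 51236 ssh2
Oct  2 22:01:05 srv sshd[1003]: Failed password for root from 192.0.2.10 port 51238 ssh2
Oct  2 22:01:07 srv sshd[1004]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Oct  2 22:01:09 srv sshd[1005]: Failed password for invalid user test from 198.51.100.9 port 40002 ssh2'

# Print "ip count" for every source with MAXRETRY or more failed logins on
# stdin. Keys on the same "Failed password ... from <ip>" lines the sshd filter
# matches; the findtime window is left out, so this is a summary, not the
# jail's exact logic.
report_repeat_offenders() {
  awk -v max="$MAXRETRY" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }'
}

jail=$(mktemp)
write_jail_local "$jail"
echo "--- jail.local ---"; cat "$jail"; rm -f "$jail"
echo "--- sources at or above ${MAXRETRY} failures ---"
printf '%s\n' "$SAMPLE_LOG" | report_repeat_offenders
```

To see what the real filter would match on your own log, `fail2ban-regex /var/log/auth.log sshd` prints the matched lines and counts; `fail2ban-client status sshd` shows current bans once the jail is running.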

HTTPD

HTTPD - install and configure Let's Encrypt
HTTPD - enforce HSTS
HTTPD - restrict any old protocols (allow only TLS 1.2, etc.)
HTTPD - uninstall any unused modules
HTTPD - harden any PHP configs, etc.
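The HSTS and protocol items as an Apache vhost pair, plus a check of the HSTS policy a server actually returns. This is an added example, not from the gist: the domain example.com, the certbot certificate paths and the cipher list are assumptions. Drop `+TLSv1.3` on Apache older than 2.4.36, which rejects the unknown protocol name, and start with a short max-age on a new site, because once browsers have cached a long HSTS policy it cannot be withdrawn quickly.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): Apache TLS vhost with HSTS, and a checker
# for the Strict-Transport-Security header a server returns.
set -eu

DOMAIN="${DOMAIN:-example.com}"   # placeholder domain (assumption)

# Write the vhost pair: 443 with TLS 1.2/1.3 only and HSTS, 80 redirecting to it.
# Needs mod_ssl and mod_headers (a2enmod ssl headers).
write_tls_vhost() {
  cat > "$1" <<EOF
<VirtualHost *:443>
    ServerName ${DOMAIN}
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/${DOMAIN}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${DOMAIN}/privkey.pem
    # Everything older than TLS 1.2 is switched off.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # HSTS for two years including subdomains; "always" also covers error responses.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
<VirtualHost *:80>
    ServerName ${DOMAIN}
    # Browsers only honour HSTS on an HTTPS response, so plain HTTP just redirects.
    Redirect permanent / https://${DOMAIN}/
</VirtualHost>
EOF
}

# Check a captured response-header block for a usable HSTS policy:
# header present, max-age of at least one year, includeSubDomains set.
check_hsts() {
  local headers="$1" hsts max_age
  hsts=$(printf '%s\n' "$headers" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
  [ -n "$hsts" ] || { echo "no Strict-Transport-Security header"; return 1; }
  max_age=$(printf '%s' "$hsts" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
  [ -n "$max_age" ] || { echo "HSTS header without max-age"; return 1; }
  [ "$max_age" -ge 31536000 ] || { echo "max-age ${max_age} is below one year"; return 1; }
  printf '%s' "$hsts" | grep -qi 'includesubdomains' || { echo "includeSubDomains missing"; return 1; }
  echo "HSTS ok: ${hsts}"
}

# Constructed response headers for the demo (not captured from a real server).
GOOD_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Type: text/html'
WEAK_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Type: text/html'

conf=$(mktemp)
write_tls_vhost "$conf"
echo "--- vhost (would go to /etc/apache2/sites-available/${DOMAIN}.conf) ---"
cat "$conf"; rm -f "$conf"
check_hsts "$GOOD_HEADERS"
check_hsts "$WEAK_HEADERS" || echo "weak policy rejected as expected"
```

Against a live server the same check is `check_hsts "$(curl -sI https://your-host/)"`; `apache2ctl -M` lists the loaded modules so the unused ones can be found for `a2dismod`.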

General

General - set up custom ports on the router and port-forward to the default ports for each service (security by obscurity, but most port scans stay within the default ranges and your router/firewall will block after a few failures)
General - keep all packages up to date
General - do not run anything as root
General - create a new user and add it to sudo
General - remove any non-required packages, disable any unused services
General - perhaps set up SELinux
General - set up a personal schedule for routine rootkit scans / package updates / backups
General - routinely test a restore of backups
General - think about disk encryption
General - think about OpenVPN
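The "routinely test a restore of backups" item in script form: a backup with a checksum manifest and a restore into a scratch directory that is verified file by file, so a damaged archive is found on schedule rather than after a loss. This is an added example, not from the gist; the directory tree it backs up is constructed for the demo, and the corruption step stands in for bit rot on the backup medium.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): make a backup with a sha256 manifest and
# prove it restores, as a scheduled restore test would.
set -eu

# Pack SRC into ARCHIVE (gzip tar) and write ARCHIVE.sha256 listing every file.
make_backup() {
  local src="$1" archive="$2"
  case "$archive" in /*) ;; *) archive="$PWD/$archive" ;; esac
  ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "${archive}.sha256"
  tar -czf "$archive" -C "$src" .
}

# Extract ARCHIVE into a scratch directory and verify every file against the
# manifest. Non-zero if the archive will not unpack or any file differs.
verify_restore() {
  local archive="$1" scratch rc=0
  case "$archive" in /*) ;; *) archive="$PWD/$archive" ;; esac
  scratch=$(mktemp -d)
  if tar -xzf "$archive" -C "$scratch" 2>/dev/null \
     && ( cd "$scratch" && sha256sum -c --quiet "${archive}.sha256" >/dev/null 2>&1 ); then
    echo "restore OK: $archive"
  else
    echo "restore FAILED: $archive" >&2
    rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

# Demo on a constructed tree; real use points SRC at /etc or your data and
# keeps ARCHIVE off the host.
src=$(mktemp -d); work=$(mktemp -d)
mkdir -p "$src/etc/ssh"
printf 'PermitRootLogin no\n' > "$src/etc/ssh/sshd_config"
printf 'hello\n' > "$src/notes.txt"
make_backup "$src" "$work/backup.tgz"
verify_restore "$work/backup.tgz"
# Simulate a damaged archive: overwrite a few bytes inside the gzip stream.
printf 'CORRUPT' | dd of="$work/backup.tgz" bs=1 seek=50 conv=notrunc 2>/dev/null
verify_restore "$work/backup.tgz" || echo "damage detected before it mattered"
rm -rf "$src" "$work"
```

Keep the manifest with the archive and run `verify_restore` from cron against the newest backup; a restore that has never been exercised is the one most likely to fail when it is needed.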
