- Open System Settings
- Click on Users
- For each user:
- Check the readme if the user is supposed to be on this computer
- Lock out or delete extra or prohibited users, keep their files
- Set Account Type to match user role
- Change the password and write it down for reference
- Open Terminal
- cat /etc/passwd
- Check Default Users
- Check that the users specified in the readme exist. Double check the default users. Look out for unmentioned users.
- Line format: [user]:x:[user id]:[group id]:[description]:[home directory]:[default shell]
- User IDs below 1000 belong to hidden (system) users
- Only the user root should have User ID 0
- To disable a user (unable to log in, keep files):
- sudo passwd -l [user]
- To remove a user:
- sudo userdel [user]
- Use sudo userdel -r [user] to also remove the user's home directory and files
- To add a user:
- sudo useradd [user] -m -s /bin/bash
- Update all allowed users' passwords (including root)
- sudo passwd [user]
- Write down user and password for reference
- Open Terminal
- cat /etc/group
- Check Default Groups
- root group should be empty
- sudo group should only have administrator users
- users group should only have users specified in the readme
- each user may have a corresponding group
- To add a user to a group:
- sudo gpasswd -a [user] [group]
- To remove a user from a group:
- sudo gpasswd -d [user] [group]
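The user and group checks above (UID 0 only for root, no unlisted users, root group empty, sudo only for administrators, users only for readme users) can be run as one script. The following is an added example, not part of the original checklist; the two sample files are constructed, and the allowed-user lists are assumed to come from the readme.

```shell
#!/bin/sh
# Added example: audit /etc/passwd and /etc/group against the user and
# administrator lists taken from the readme. The two sample files below are
# constructed, not from a real system; see the usage note for running it
# against the live files.

# Constructed /etc/passwd sample: "backdoor" shares UID 0, "mallory" is not in the readme.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
mallory:x:1002:1002::/home/mallory:/bin/bash
backdoor:x:0:0::/root:/bin/bash'

# Constructed /etc/group sample: "mallory" has been added to sudo.
SAMPLE_GROUP='root:x:0:
sudo:x:27:ubuntu,mallory
users:x:100:alice
alice:x:1001:'

# audit_users "<allowed users>" "<passwd text>"
# Prints "UID0 <user>" for any non-root account with UID 0 and
# "UNLISTED <user>" for any account with UID >= 1000 (other than nobody)
# that the readme does not mention. Prints nothing when all is well.
audit_users() {
    allowed=" $1 "
    printf '%s\n' "$2" | while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$uid" ] || continue
        if [ "$uid" -eq 0 ] && [ "$user" != "root" ]; then
            echo "UID0 $user"
        elif [ "$uid" -ge 1000 ] && [ "$user" != "nobody" ]; then
            case "$allowed" in
                *" $user "*) ;;
                *) echo "UNLISTED $user" ;;
            esac
        fi
    done
    return 0
}

# audit_groups "<admin users>" "<readme users>" "<group text>"
# Applies the page's three rules: root must have no members, sudo only
# administrators, users only readme users.
audit_groups() {
    admins=" $1 "
    readme_users=" $2 "
    printf '%s\n' "$3" | while IFS=: read -r group pw gid members; do
        [ -n "$members" ] || continue
        for m in $(printf '%s' "$members" | tr ',' ' '); do
            case "$group" in
                root) echo "ROOTGRP $m" ;;
                sudo) case "$admins" in *" $m "*) ;; *) echo "SUDO $m" ;; esac ;;
                users) case "$readme_users" in *" $m "*) ;; *) echo "USERS $m" ;; esac ;;
            esac
        done
    done
    return 0
}

# Demo on the constructed data; expected findings:
#   UNLISTED mallory, UID0 backdoor, SUDO mallory
audit_users "ubuntu alice" "$SAMPLE_PASSWD"
audit_groups "ubuntu" "ubuntu alice" "$SAMPLE_GROUP"
```

On a real machine call `audit_users "ubuntu alice" "$(cat /etc/passwd)"` and `audit_groups "ubuntu" "ubuntu alice" "$(cat /etc/group)"` with the names from the readme. The script only reports presence and membership; a user locked with `passwd -l` still appears in /etc/passwd, so locked-but-unlisted accounts are still listed for review.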
- Open file /etc/lightdm/lightdm.conf
- Make sure the file has the following content:
- [SeatDefaults]
- greeter-session=unity-greeter
- allow-guest=false
- Note: Any mistakes will break the GUI
- Save the file
- sudo systemctl restart lightdm
- The GUI should restart and guest access should be disabled.
Option 1
- sudo visudo
Option 2
- Open file /etc/sudoers
- Comment lines start with #
- The following are the default settings:
- Defaults env_reset
- Defaults mail_badpass
- Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- root ALL=(ALL:ALL) ALL
- %admin ALL=(ALL) ALL
- %sudo ALL=(ALL:ALL) ALL
- Comment out all other entries
- Open Terminal
- sudo apt-get update
- sudo apt-get install gufw
- sudo gufw
- Set to the following settings:
- Profile: Office
- Status: ON
- Incoming: Deny
- Outgoing: Allow
- For new inbound rules
- Click on Rules
- Click on +
- Click on Simple
- Name: [set name here]
- Policy: Allow
- Direction: In
- Protocol: [protocol]
- Port: [port]
- Click on Add
- Open Terminal
- Check IPv4 firewall rules
- sudo iptables -nvL
- Reset IPv4 firewall rules
- sudo iptables -F
- sudo iptables -X
- Set default IPv4 firewall rules
- sudo iptables -A INPUT -m state --state INVALID -j DROP
- sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- sudo iptables -A INPUT -i lo -j ACCEPT
- Add allowed INPUT rule to IPv4 firewall
- sudo iptables -A INPUT -p [protocol] --dport [port] -j ACCEPT
- Check Readme for required services. Research any required ports that need to be opened on firewall.
- Example for SSH: sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- Set default IPv4 firewall policy
- sudo iptables -P INPUT DROP
- sudo iptables -P FORWARD DROP
- sudo iptables -P OUTPUT ACCEPT
- Check IPv6 firewall rules
- sudo ip6tables -nvL
- Reset IPv6 firewall rules
- sudo ip6tables -F
- sudo ip6tables -X
- Set default IPv6 firewall rules
- sudo ip6tables -A INPUT -m state --state INVALID -j DROP
- sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- sudo ip6tables -A INPUT -i lo -j ACCEPT
- Add allowed INPUT rule to IPv6 firewall
- sudo ip6tables -A INPUT -p [protocol] --dport [port] -j ACCEPT
- Check Readme for required services. Research any required ports that need to be opened on firewall.
- Example for SSH: sudo ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
- Set default IPv6 firewall policy
- sudo ip6tables -P INPUT DROP
- sudo ip6tables -P FORWARD DROP
- sudo ip6tables -P OUTPUT ACCEPT
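The IPv4 and IPv6 sequences above are identical apart from the tool name, so they can be generated from one list of allowed ports and applied in the right order (reset, baseline rules, per-port ACCEPT, then default policies). The script below is an added example and not part of the checklist; the `ALLOWED` list is an assumption standing in for the readme's required services.

```shell
#!/bin/sh
# Added example: build the page's baseline ruleset for both iptables and
# ip6tables from one list of allowed inbound ports. By default it only prints
# the commands (dry run); pass --apply to execute them.

# build_rules <tool> "<proto:port ...>"
# Prints the commands that flush the table, add the baseline rules, one
# ACCEPT per allowed port, and finally set the default policies.
# Policies are set last so an existing SSH session is not cut off before
# its ACCEPT rule is in place.
build_rules() {
    tool=$1
    printf 'sudo %s -F\n' "$tool"
    printf 'sudo %s -X\n' "$tool"
    printf 'sudo %s -A INPUT -m state --state INVALID -j DROP\n' "$tool"
    printf 'sudo %s -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$tool"
    printf 'sudo %s -A INPUT -i lo -j ACCEPT\n' "$tool"
    for svc in $2; do
        proto=${svc%%:*}
        port=${svc#*:}
        printf 'sudo %s -A INPUT -p %s --dport %s -j ACCEPT\n' "$tool" "$proto" "$port"
    done
    printf 'sudo %s -P INPUT DROP\n' "$tool"
    printf 'sudo %s -P FORWARD DROP\n' "$tool"
    printf 'sudo %s -P OUTPUT ACCEPT\n' "$tool"
}

# Assumed list of services the readme requires; SSH is a constructed example.
ALLOWED="tcp:22"

# firewall_main [--apply]: dry run by default, executes each line with --apply.
firewall_main() {
    for tool in iptables ip6tables; do
        build_rules "$tool" "$ALLOWED" | while IFS= read -r cmd; do
            if [ "${1:-}" = "--apply" ]; then
                $cmd
            else
                echo "$cmd"
            fi
        done
    done
}

firewall_main "$@"
```

Review the dry-run output before using `--apply`, and confirm that any port you are connected through is in `ALLOWED`, since `-P INPUT DROP` closes everything else. Rules set this way live only in the running kernel and are gone after a reboot unless saved (for example with the iptables-persistent package).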
- Open Terminal
- sudo netstat [options]
- Check listening network connections
- netstat -ntulp
- Make sure only necessary services have listening connections on the correct ports
- Check established network connections
- netstat -ntup
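Checking the listener list by eye is error-prone once a machine has a dozen services, so the following added example (not from the checklist) parses `netstat -ntulp` output and prints only the listeners that are not on the readme's allowed list. The sample output is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not the page's own): parse `netstat -ntulp` output and list
# every listening socket whose protocol/port the readme does not allow.

# Constructed sample of `netstat -ntulp` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      901/cupsd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1337/nc
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# unexpected_listeners "<allowed proto/port ...>" "<netstat text>"
# Prints "proto port program" once per listener outside the allowed list.
# tcp6/udp6 rows are folded into tcp/udp so a dual-stack service counts once.
unexpected_listeners() {
    allowed=" $1 "
    printf '%s\n' "$2" | awk -v allowed="$allowed" '
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            n = split($4, a, ":"); port = a[n]      # port follows the last colon
            prog = $NF; sub(/^[0-9]+\//, "", prog)  # strip "pid/" from "pid/name"
            key = proto "/" port
            if (index(allowed, " " key " ") == 0 && !seen[key]++)
                print proto, port, prog
        }'
    return 0
}

# Demo on the sample: with only SSH and the DHCP client allowed,
# cupsd on 631 and the unknown listener on 4444 are reported.
unexpected_listeners "tcp/22 udp/68" "$SAMPLE_NETSTAT"
```

On a live system run `unexpected_listeners "tcp/22" "$(sudo netstat -ntulp)"`; without sudo the program column shows `-` for processes you do not own. Every line printed should be traceable to a service the readme requires, otherwise the service is a candidate for the stop/disable steps later in the checklist.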
- Press Ubuntu icon button
- Type Ubuntu Software Center
- Click on icon
- Press Installed button
- Review readme for applications or categories that must be removed
- For each application category (e.g. Accessories)
- Check against readme if it should be removed
- It is safer to leave a program alone than to remove it
- To remove application, click on it, then press Remove button
- Open Terminal
Check status of all services
- systemctl list-unit-files
Check status of one service
- systemctl status [service-name]
Other common service commands
- systemctl start [service-name]
- systemctl stop [service-name]
- systemctl restart [service-name]
- systemctl disable [service-name]
The following services should be disabled if they are not required:
Database
- mysqld
- postgres
- dovecot
- exim4
- postfix
File Sharing
- nfs
- nmbd
- rpc.mountd
- rpc.nfsd
- smbd
- vsftpd
Music
- mpd
Networking
- avahi-daemon
- bind
- dnsmasq
- xinetd
- inetd
- sshd
- telnet
Printing, Scanning
- cupsd
- saned
Time
- ntpd
Web/Application Server
- apache2
- httpd
- jetty
- nginx
- tomcat
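Rather than running `systemctl status` on each name above by hand, the added example below (not part of the checklist) takes the watchlist and reports which of those units are enabled in `systemctl list-unit-files` output, so each one can be justified against the readme or passed to the stop/disable commands. Note that Ubuntu unit names differ from the daemon names on the page in several cases (for instance `ssh` rather than `sshd`, `cups` rather than `cupsd`); a few such unit names are added to the watchlist as an assumption, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not the page's own): report which watched services are
# enabled according to `systemctl list-unit-files --type=service`.

# The page's watchlist plus a few Ubuntu unit names that differ from the
# daemon names (assumption: ssh, cups, mysql, postgresql, bind9).
WATCHLIST="mysqld postgres dovecot exim4 postfix nfs nmbd rpc.mountd rpc.nfsd smbd vsftpd
mpd avahi-daemon bind dnsmasq xinetd inetd sshd telnet cupsd saned ntpd
apache2 httpd jetty nginx tomcat ssh cups mysql postgresql bind9"

# Constructed sample of `systemctl list-unit-files --type=service` output.
SAMPLE_UNITS='UNIT FILE                    STATE
apache2.service              enabled
avahi-daemon.service         enabled
cups.service                 disabled
ssh.service                  enabled
vsftpd.service               masked
mpd.service                  static

6 unit files listed.'

# enabled_watched_services "<unit-file text>"
# Prints "<unit> enabled" for each watched service unit that is enabled.
enabled_watched_services() {
    printf '%s\n' "$1" | while read -r unit state rest; do
        case "$unit" in *.service) ;; *) continue ;; esac
        name=${unit%.service}
        case " $(printf '%s' "$WATCHLIST" | tr '\n' ' ') " in
            *" $name "*) [ "$state" = "enabled" ] && echo "$name $state" ;;
        esac
    done
    return 0
}

# stop_and_disable <unit>: the page's two commands for a service that is not required.
stop_and_disable() {
    sudo systemctl stop "$1" && sudo systemctl disable "$1"
}

# Demo on the constructed sample: apache2, avahi-daemon and ssh are reported.
enabled_watched_services "$SAMPLE_UNITS"
```

On a live system run `enabled_watched_services "$(systemctl list-unit-files --type=service)"`. A unit reported here is only a candidate: check the readme before calling `stop_and_disable`, since SSH or a web server may be a required service.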
- Open System Settings
- Under System section, find and click on Software & Updates
- Press Revert for default settings
- For Ubuntu Software tab
- Canonical-supported free and open-source software (main)
- Community-maintained free and open-source software (universe)
- Proprietary drivers for devices (restricted)
- Software restricted by copyright or legal issues (multiverse)
- Source code
- For Download from:, select Other
- Click Select Best Server. Wait for tests to complete.
- Click Choose Server
- For Updates tab
- Important security updates (*-security)
- Recommended updates (*-updates)
- Unsupported updates (*-backports)
- Automatic check for updates: Daily
- When there are security updates: Display immediately
- When there are other updates: Display weekly
- Notify me of a new Ubuntu version: For long-term support version
- For Developer Options
- Pre-released updates (*-proposed)
- Click Close
- Open Terminal
- sudo apt-get update && sudo apt-get upgrade -y
- Open Terminal
- sudo apt-get install chkrootkit
- Follow installation instructions
- sudo chkrootkit
- After scan completes, review findings.
- Open Terminal
- sudo apt-get install rkhunter
- Follow installation instructions
- sudo rkhunter --update
- sudo rkhunter -c
- Follow scan instructions
- After scan completes, review findings, and fix issues
- Open Terminal
- find /home -name "*.mp3"
- This will search for .mp3 files in /home
- If there are any results, inspect the files and remove as necessary
- Repeat the find command for each of the following file extensions
- (music) - .mp3, .wav, .wma, .aac
- (movie/video) - .mp4, .mov, .avi
Manually search for files in all user directories and remove unauthorized files.
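Running one `find` per extension works, but a single case-insensitive search over all the extensions listed above, printing the owner and size of each hit, is quicker to review against the readme. The script below is an added example, not part of the checklist; it builds a scratch directory tree so it can run stand-alone, and it relies on GNU find's `-printf`.

```shell
#!/bin/sh
# Added example (not the page's own): one find invocation for every media
# extension on the page, case-insensitive, printing owner, size and path.

MEDIA_EXTS="mp3 wav wma aac mp4 mov avi"

# find_media <dir>: prints "owner size path" for each matching file, sorted by path.
find_media() {
    dir=$1
    set --
    for ext in $MEDIA_EXTS; do
        [ $# -gt 0 ] && set -- "$@" -o
        set -- "$@" -iname "*.$ext"
    done
    find "$dir" -type f \( "$@" \) -printf '%u %s %p\n' 2>/dev/null | sort -k3
    return 0
}

# count_media <dir>: number of matching files under <dir>.
count_media() {
    find_media "$1" | wc -l | tr -d ' '
}

# make_sample_home: constructed scratch tree standing in for /home.
# Includes an upper-case extension and a file in a hidden directory,
# both of which a plain `find -name "*.mp3"` would miss or you might overlook.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/Music" "$d/bob/.hidden"
    : > "$d/alice/Music/song.MP3"
    : > "$d/alice/notes.txt"
    : > "$d/bob/.hidden/clip.avi"
    printf '%s' "$d"
}

# Demo on the scratch tree: two media files are listed, notes.txt is not.
home=$(make_sample_home)
find_media "$home"
rm -rf "$home"
```

On a real system run `sudo find_media /home` (root is needed to descend into every user's directory). Each line is a file to inspect and, if the readme does not authorise it, remove.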
- Open Terminal
- cat /etc/hosts
- Disable any entry that is not one of the default lines below by adding a # to the start of the line
- Default file entries:
- 127.0.0.1 localhost
- 127.0.1.1 ubuntu
- Ignore IPv6 lines
- Open Terminal
- ls -la /
- Default permissions:
- drwxr-xr-x root root home
- drwx------ root root root
- To fix:
- sudo chown root:root /home
- sudo chmod 755 /home
- sudo chown root:root /root
- sudo chmod 700 /root
- cd /home
- ls -la
- Default permissions for every user: drwxr-xr-x
- For example: drwxr-xr-x ubuntu ubuntu ubuntu
- To fix:
- sudo chown [user]:[user] [user]
- For example: sudo chown ubuntu:ubuntu ubuntu
- sudo chmod 755 [user]
- For example: sudo chmod 755 ubuntu
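The expected owner, group and mode for /home, /root and each home directory can be checked mechanically, printing only the chown/chmod commands that are actually needed. This is an added example, not part of the checklist; it uses GNU `stat -c`, and the expectations are exactly the ones listed above.

```shell
#!/bin/sh
# Added example (not the page's own): compare directories against the
# expected owner:group and octal mode and print the fix commands instead
# of running them.

# check_dir <path> <owner> <group> <octal mode>
# Prints "sudo chown ..." and/or "sudo chmod ..." when the directory deviates,
# "missing <path>" if it does not exist, and nothing when it is correct.
check_dir() {
    path=$1 want_owner=$2 want_group=$3 want_mode=$4
    [ -d "$path" ] || { echo "missing $path"; return 0; }
    stat_line=$(stat -c '%U %G %a' "$path")
    owner=${stat_line%% *}
    rest=${stat_line#* }
    group=${rest%% *}
    mode=${rest#* }
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "sudo chown $want_owner:$want_group $path"
    fi
    [ "$mode" = "$want_mode" ] || echo "sudo chmod $want_mode $path"
    return 0
}

# check_homes <home root> <root's home>
# The page's expectations: /home 755 root:root, /root 700 root:root,
# and every /home/<user> 755 owned by <user>:<user>.
check_homes() {
    check_dir "$1" root root 755
    check_dir "$2" root root 700
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        user=${d##*/}
        check_dir "$d" "$user" "$user" 755
    done
    return 0
}

# Demo on the live paths: prints only what needs fixing (or "missing ..." if absent).
check_homes /home /root
```

A home directory whose name does not match its owner is reported as a chown; confirm against the readme before applying, since a renamed account or a shared directory can be legitimate.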
- Open Terminal
- sudo apt-get install auditd
- sudo auditctl -e 1
- Open Terminal
- sudo apt-get install bum
- sudo bum
- Click checkmark for Advanced
- Review list of programs that are set to start automatically at boot
- Add checkmark for services required to be running
- Remove checkmark for services that are not necessary to run
Reference: https://help.ubuntu.com/community/BootServices
Review the following files or directories:
- /etc/crontab
- /etc/cron.d/
- /etc/cron.hourly/
- /etc/cron.daily/
- /etc/cron.weekly/
- /etc/cron.monthly/
- /var/spool/cron/crontabs/
Reference: https://help.ubuntu.com/community/CronHowto
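The cron locations above hold two kinds of content: crontab-format files (/etc/crontab, /etc/cron.d/*, per-user crontabs) whose active lines matter, and the hourly/daily/weekly/monthly directories whose scripts matter. The added example below (not from the checklist) prints every active entry from the first kind and every script, with owner and mode, from the second, so the whole set can be reviewed in one listing. It takes the root to scan as an argument so the test can use a constructed tree; it relies on GNU find's `-printf`.

```shell
#!/bin/sh
# Added example (not the page's own): list all active cron entries and
# cron-directory scripts under a given root ("/" for the real system).

CRONTAB_FILES="etc/crontab etc/cron.d var/spool/cron/crontabs"
CRON_SCRIPT_DIRS="etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly"

# list_cron_jobs <root>
# For crontab-format files prints "<file>: <line>" for each non-blank,
# non-comment line; for script directories prints "<file> (<owner> <mode>)".
# Reading /var/spool/cron/crontabs needs root; errors are silenced.
list_cron_jobs() {
    root=${1%/}
    for rel in $CRONTAB_FILES; do
        p="$root/$rel"
        [ -e "$p" ] || continue
        find "$p" -type f 2>/dev/null | sort | while IFS= read -r f; do
            grep -Ev '^[[:space:]]*(#|$)' "$f" 2>/dev/null | sed "s|^|${f#$root/}: |"
        done
    done
    for rel in $CRON_SCRIPT_DIRS; do
        p="$root/$rel"
        [ -d "$p" ] || continue
        find "$p" -mindepth 1 -maxdepth 1 -type f -printf "$rel/%f (%u %m)\n" 2>/dev/null | sort
    done
    return 0
}

# make_sample_tree: constructed cron layout with one entry of each kind.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/cron.d" "$t/etc/cron.daily" "$t/var/spool/cron/crontabs"
    printf '# comment\nSHELL=/bin/sh\n\n17 * * * * root cd / && run-parts /etc/cron.hourly\n' > "$t/etc/crontab"
    printf '*/5 * * * * root /usr/local/bin/job.sh\n' > "$t/etc/cron.d/job"
    printf '@reboot /home/bob/.cache/update.sh\n' > "$t/var/spool/cron/crontabs/bob"
    : > "$t/etc/cron.daily/apt-compat"
    printf '%s' "$t"
}

# Demo on the constructed tree; on a real system: sudo sh this_script.sh, then list_cron_jobs /
t=$(make_sample_tree)
list_cron_jobs "$t"
rm -rf "$t"
```

Lines from per-user crontabs are the ones to read most carefully: an `@reboot` entry pointing at a script in a user's home directory is a common way for an unwanted program to restart itself, so each such line should be matched against the readme.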
- Open Terminal
- sudo apt-get install libpam-cracklib
For /etc/pam.d/common-password
- Find the following line in the file:
- password requisite pam_cracklib.so retry=3 minlen=8 difok=3
- To require at least 10 characters, change to the following:
- minlen=10
- To require password complexity, add to the end of the line:
- ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
- The line should now look like the following
- password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
- Find the following line in the file:
- password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
- To remember last 5 passwords, add to the end of the line:
- remember=5
- To require at least 10 characters, add to the end of the line:
- minlen=10
- The line should now look like the following
- password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5 minlen=10
- Save the file
For /etc/login.defs
- Find PASS_MAX_DAYS, set to 90
- Find PASS_MIN_DAYS, set to 10
- Find PASS_WARN_AGE, set to 7
- Open file /etc/pam.d/common-auth
- Add the following to the end of the file:
- auth required pam_tally2.so deny=5 onerr=fail unlock_time=1800
- This sets the lockout threshold to 5 failed attempts and the lockout duration to 1800 seconds (30 minutes)
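The edits to common-password, login.defs and common-auth above are easy to get subtly wrong (a typo in an option name is silently ignored by PAM), so it is worth verifying the resulting files rather than trusting the edit. The script below is an added example, not part of the checklist: it checks a file for each required setting and prints one line per setting still unmet. The sample files are constructed "before" copies built from the default lines on the page.

```shell
#!/bin/sh
# Added example (not the page's own): verify the password-policy edits
# (pam_cracklib options, pam_unix options, login.defs ages, pam_tally2
# lockout) against a file, printing one line per setting still unmet.
# Pass the real paths (/etc/pam.d/common-password, /etc/login.defs,
# /etc/pam.d/common-auth) to check a system.

# has_opt "<module line>" "<opt=value>": succeeds when the option is present.
has_opt() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# check_common_password <file>: cracklib line needs minlen=10 and the four
# credit options; pam_unix line needs remember=5 and minlen=10.
check_common_password() {
    crack=$(grep -E '^password.*pam_cracklib\.so' "$1" | head -n 1)
    unix=$(grep -E '^password.*pam_unix\.so' "$1" | head -n 1)
    for opt in minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1; do
        has_opt "$crack" "$opt" || echo "cracklib: $opt"
    done
    for opt in remember=5 minlen=10; do
        has_opt "$unix" "$opt" || echo "unix: $opt"
    done
    return 0
}

# check_login_defs <file>: PASS_MAX_DAYS 90, PASS_MIN_DAYS 10, PASS_WARN_AGE 7.
check_login_defs() {
    for pair in PASS_MAX_DAYS=90 PASS_MIN_DAYS=10 PASS_WARN_AGE=7; do
        key=${pair%=*}; want=${pair#*=}
        got=$(awk -v k="$key" '$1 == k { print $2 }' "$1" | tail -n 1)
        [ "$got" = "$want" ] || echo "login.defs: $key is ${got:-unset}, want $want"
    done
    return 0
}

# check_common_auth <file>: pam_tally2 line with deny=5 onerr=fail unlock_time=1800.
check_common_auth() {
    line=$(grep -E '^auth.*pam_tally2\.so' "$1" | head -n 1)
    for opt in deny=5 onerr=fail unlock_time=1800; do
        has_opt "$line" "$opt" || echo "tally2: $opt"
    done
    return 0
}

# write_samples: constructed "before" copies of the three files, using the
# default lines quoted on the page. Prints the scratch directory.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/common-password" <<'EOF'
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
EOF
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' > "$d/login.defs"
    : > "$d/common-auth"
    printf '%s' "$d"
}

# Demo: on the untouched defaults every required setting is reported.
d=$(write_samples)
check_common_password "$d/common-password"
check_login_defs "$d/login.defs"
check_common_auth "$d/common-auth"
rm -rf "$d"
```

An empty result from all three checks means the files carry the settings the checklist asks for. Note that newer Ubuntu releases ship pam_pwquality instead of pam_cracklib and pam_faillock instead of pam_tally2; on such a system the module names in the two grep patterns need adjusting, and the pattern reporting "line missing" for every option is the signal that this has happened.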
- Press Ubuntu icon
- Type System Log
- Click on icon
- Review logs prior to today for system changes
- Pay attention to user accounts, especially root/sudo
Reference: https://help.ubuntu.com/community/LinuxLogFiles
Default Groups
- root
- daemon
- bin
- sys
- adm
- tty
- disk
- lp
- news
- uucp
- man
- proxy
- kmem
- dialout
- fax
- voice
- cdrom
- floppy
- tape
- sudo
- audio
- dip
- www-data
- backup
- operator
- list
- irc
- src
- gnats
- shadow
- utmp
- video
- sasl
- plugdev
- staff
- games
- users
- nogroup
- libuuid
- crontab
- syslog
- fuse
- messagebus
- bluetooth
- scanner
- colord
- lpadmin
- ssl-cert
- lightdm
- nopasswdlogin
- netdev
- whoopsie
- mlocate
- ssh
- avahi-autoipd
- avahi
- pulse
- pulse-access
- utempter
- rtkit
- saned
- ubuntu
- sambashare
Default Users
- root
- daemon
- bin
- sys
- sync
- games
- man
- lp
- news
- uucp
- proxy
- www-data
- backup
- list
- irc
- gnats
- nobody
- libuuid
- syslog
- messagebus
- colord
- lightdm
- whoopsie
- avahi-autoipd
- avahi
- usbmux
- kernoops
- pulse
- rtkit
- speech-dispatcher
- hplip
- saned
- ubuntu
Option 1 (gedit)
- sudo gedit [file path]
Option 2 (nano)
- sudo nano [file path]
Option 3 (vi or vim)
- sudo vi [file path]
- sudo vim [file path]
Option 1
- Press Ubuntu icon button
- Type terminal, press Enter
Option 2
- Click on Applications menu
- Go to Accessories
- Click on Terminal
- Press the gear-like icon at the top right of the screen. (Next to the current time)
- Click on System Settings