Automatically update and secure Ubuntu Server 10.04


Post by dedwards » Sun Sep 26, 2010 8:32 am

Automatic Updates
The "unattended-upgrades" package can be used to automatically install updated packages, and can be configured to update all packages or just install security updates. First, install the package by entering the following in a terminal:

Code:

sudo apt-get install unattended-upgrades


To configure unattended-upgrades, edit "/etc/apt/apt.conf.d/50unattended-upgrades" and adjust the following to fit your needs:

Code:

sudo vi /etc/apt/apt.conf.d/50unattended-upgrades


Ensure it's set like below:

Code:

Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
//      "Ubuntu lucid-updates";
};


Personally, I only like to allow security updates to install automatically. If you want all updates, remove the "//" in front of the "Ubuntu lucid-updates".

Certain packages can also be blacklisted and therefore will not be automatically updated. To blacklist a package, add it to the list:

Code:

Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};


The double "//" marks a comment, so whatever follows "//" on that line is not evaluated.

To enable automatic updates, edit /etc/apt/apt.conf.d/10periodic and set the appropriate apt configuration options:

Code:

sudo vi /etc/apt/apt.conf.d/10periodic


Ensure it's set like below:

Code:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";


The above configuration updates the package list, downloads, and installs available upgrades every day. The local download archive is cleaned every week.

You can read more about apt Periodic configuration options in the /etc/cron.daily/apt script header.

The results of unattended-upgrades will be logged to /var/log/unattended-upgrades.
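To confirm that a server really is set up the way this section describes, here is a small audit script (an added example, not part of the original post). The helpers take file paths as arguments so they can be run against copies of 50unattended-upgrades and 10periodic; the "--live" switch points them at the real files.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the unattended-upgrades
# settings described above. The helpers take file paths as arguments so they
# can be run against copies of the config files.

# Print the origins that are actually enabled inside the Allowed-Origins
# block, skipping entries commented out with "//" (one origin per line).
active_origins() {   # $1 = path to 50unattended-upgrades
    sed -n '/Unattended-Upgrade::Allowed-Origins/,/^};/p' "$1" \
        | grep -v '^[[:space:]]*//' \
        | sed -n 's/^[[:space:]]*"\([^"]*\)";.*/\1/p'
}

# Print the value of one APT::Periodic option from 10periodic (empty if unset).
periodic_value() {   # $1 = path to 10periodic, $2 = option name
    sed -n "s/^APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1"
}

# Succeed only when the security pocket is the sole enabled origin and the
# periodic settings match the guide (daily list refresh and daily upgrade run).
security_only_daily() {   # $1 = 50unattended-upgrades, $2 = 10periodic
    [ "$(active_origins "$1")" = "Ubuntu lucid-security" ] || return 1
    [ "$(periodic_value "$2" Update-Package-Lists)" = "1" ] || return 1
    [ "$(periodic_value "$2" Unattended-Upgrade)" = "1" ]
}

# With "--live", check the real files on this server.
if [ "${1:-}" = "--live" ]; then
    if security_only_daily /etc/apt/apt.conf.d/50unattended-upgrades \
                           /etc/apt/apt.conf.d/10periodic; then
        echo "OK: security-only unattended upgrades run daily"
    else
        echo "CHECK: configuration differs from the guide"
    fi
fi
```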

Automatic Update Notifications
Configuring Unattended-Upgrade::Mail in /etc/apt/apt.conf.d/50unattended-upgrades will enable unattended-upgrades to email an administrator detailing any packages that need upgrading or have problems.

Another useful package is apticron. apticron will configure a cron job to email an administrator information about any packages on the system that have updates available, as well as a summary of changes in each package.

To install the apticron package, in a terminal enter:

Code:

sudo apt-get install apticron


Once the package is installed edit /etc/apticron/apticron.conf, to set the email address and other options:

Code:

sudo vi /etc/apticron/apticron.conf


Change "root@example.com" in the EMAIL line to your email address:

Code:

EMAIL="root@example.com"


Ensure you have an MTA installed on your system for the email notifications. Postfix is a good choice.

Securing an Ubuntu Server

Credit: All of the information below is the intellectual property of Andrew Ault and is reprinted here for simplicity.

Secure shared memory
/dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.

Code:

sudo vi /etc/fstab


Add this line (noexec prevents binaries placed in /dev/shm from being executed, and nosuid makes set-user-ID bits there ineffective):

Code:

tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0


Disable root SSH login
The root account is disabled by default in Ubuntu. If you installed Ubuntu on Slicehost or Linode, root is enabled. In any case, it is a good idea to disable root SSH access. Edit /etc/ssh/sshd_config and set PermitRootLogin to no.

Code:

sudo vi /etc/ssh/sshd_config


Change PermitRootLogin to no:

Code:

PermitRootLogin no


Of course, if you access your server via SSH, you should make sure you have sudo working for your user before disabling SSH root access.

Only allow admin users to use su
This helps prevent privilege escalation.

By default, Ubuntu does not have an admin group. Create an admin group:

Code:

sudo groupadd admin


Add yourself to the admin group:

Code:

sudo usermod -a -G admin yourname


Restrict access to /bin/su to admin group members:

Code:

sudo dpkg-statoverride --update --add root admin 4750 /bin/su


Check permissions for /bin/su with:

Code:

ls -lh /bin/su


…and see the following:

Code:

-rwsr-x--- 1 root admin 31K 2010-01-26 17:09 /bin/su


Do not permit source routing of incoming packets
see also: http://www.cromwell-intl.com/security/s ... ening.html

Code:

sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

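The four steps above (shared memory, root SSH login, su restriction, source routing) are easy to get subtly wrong, so here is an audit script that verifies each one (an added example, not part of Andrew Ault's guide). Each check_* function takes its input as an argument so it can be exercised on sample data; audit_live reads the real system with stat and sysctl.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the shared-memory,
# root-SSH, su and source-routing steps above. Each check_* function takes its
# input as an argument so it can be exercised on sample data; audit_live reads
# the real system.

# /etc/fstab: the /dev/shm tmpfs entry must carry both noexec and nosuid.
check_shm_fstab() {   # $1 = path to an fstab-style file
    awk '$1 !~ /^#/ && $2 == "/dev/shm" && ("," $4 ",") ~ /,noexec,/ \
         && ("," $4 ",") ~ /,nosuid,/ { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# sshd_config: the last PermitRootLogin directive in effect must be "no".
check_sshd_root() {   # $1 = path to an sshd_config-style file
    awk '$1 !~ /^#/ && tolower($1) == "permitrootlogin" { v = tolower($2) }
         END { exit (v == "no") ? 0 : 1 }' "$1"
}

# /bin/su: mode 4750 owned by root:admin, as printed by stat -c "%a %U %G".
check_su_mode() {     # $1 = "mode owner group"
    [ "$1" = "4750 root admin" ]
}

# Source routing must be off for both keys. Note that sysctl -w does not
# survive a reboot; put the same keys in /etc/sysctl.conf to make them stick.
check_source_route() { # $1 = conf.all value, $2 = conf.default value
    [ "$1" = "0" ] && [ "$2" = "0" ]
}

report() {            # $1 = description, $2... = check command and arguments
    d=$1; shift
    if "$@"; then echo "OK   $d"; else echo "FAIL $d"; fi
}

audit_live() {
    report "/dev/shm mounted noexec,nosuid (fstab)" check_shm_fstab /etc/fstab
    report "PermitRootLogin no" check_sshd_root /etc/ssh/sshd_config
    report "/bin/su is 4750 root:admin" check_su_mode "$(stat -c '%a %U %G' /bin/su)"
    report "source routing disabled" check_source_route \
        "$(sysctl -n net.ipv4.conf.all.accept_source_route)" \
        "$(sysctl -n net.ipv4.conf.default.accept_source_route)"
}

# With "--live", audit this server.
if [ "${1:-}" = "--live" ]; then audit_live; fi
```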

UFW: basic firewall
UFW (Uncomplicated Firewall) provides an easy-to-understand interface to control iptables (iptables in turn controls Netfilter, which is built into the kernel). With just a few commands, your server can control access, and checking its status is also easy.

Install and enable Uncomplicated Firewall:

Code:

sudo aptitude install -y ufw
sudo ufw enable


Display available UFW commands:

Code:

sudo ufw show


Display UFW configuration:

Code:

sudo ufw status


Allow SSH and HTTP access to the Apache server:

Code:

sudo ufw allow ssh
sudo ufw allow http


In the above example, ports for OpenSSH and Apache were opened by service name ("ssh" and "http"). You can use a port number instead of the service name (like "80" instead of "http").

See services running and which names to use:

The practice here is to open only the ports that you actually use, that is, ports with a service running behind them. To see a list of the services on the system for which you might want to open ports:

Code:

sudo ufw app list


To see the list of service names UFW understands (as in the "sudo ufw allow ssh" example above):

Code:

less /etc/services


Denyhosts: avoid SSH attacks
project: http://denyhosts.sourceforge.net/

Looking at /var/log/auth.log on servers that I manage shows a steady stream of attacks on SSH. I am countering these attacks in a number of ways, starting with denyhosts.

Denyhosts periodically scans /var/log/auth.log for repeated failures to access the system via SSH. It then adds these offenders to /etc/hosts.deny. See the project page for details.

Code:

sudo aptitude -y install denyhosts


That does it – the rest is automatic. You can see the IP addresses added to /etc/hosts.deny with:

Code:

sudo less /etc/hosts.deny

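To make clear what denyhosts is doing on your behalf, here is the core of it reduced to an awk script (an added example, not denyhosts' own code and not part of the original guide). It counts "Failed password" entries per source address in an auth.log-style file and prints, in /etc/hosts.deny syntax, every address that reached a threshold; the log lines in sample_auth_log are constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example, not part of the original guide and not denyhosts' own code:
# the core of what denyhosts does, reduced to an awk script so the logic is
# visible. It counts "Failed password" entries per source address in an
# auth.log-style file and prints, in /etc/hosts.deny syntax, every address
# that reached the threshold. The log lines in sample_auth_log are constructed.

# $1 = log file ("-" for stdin), $2 = failures needed before an address is listed
repeat_offenders() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print "sshd: " ip
        }' "$1" | sort
}

# Constructed sample using documentation address ranges (RFC 5737).
sample_auth_log() {
    cat <<'EOF'
Sep 26 08:01:12 web1 sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Sep 26 08:01:15 web1 sshd[2210]: Failed password for root from 192.0.2.10 port 4023 ssh2
Sep 26 08:01:19 web1 sshd[2212]: Failed password for invalid user oracle from 192.0.2.10 port 4025 ssh2
Sep 26 08:02:01 web1 sshd[2214]: Accepted publickey for alice from 198.51.100.7 port 5100 ssh2
Sep 26 08:03:40 web1 sshd[2220]: Failed password for alice from 198.51.100.7 port 5102 ssh2
Sep 26 08:03:44 web1 sshd[2220]: Accepted password for alice from 198.51.100.7 port 5102 ssh2
EOF
}

# Stand-alone demo: three failures from 192.0.2.10 trip a threshold of 3;
# alice's single typo from 198.51.100.7 does not.
sample_auth_log | repeat_offenders - 3
```

Run it against the real log with `sudo sh script.sh` replaced by `repeat_offenders /var/log/auth.log 5` to see which addresses denyhosts would be adding.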

Tiger: security system scanner
project: http://www.nongnu.org/tiger/

Tiger creates an automated security audit by analyzing files and settings on the system and producing a report that lists what has been analyzed along with warnings, alerts and failures.

The tiger command writes a report of potential security problems to /var/log/tiger. Then use the tigexp command to look up the resulting codes for a detailed explanation and advice on what to do to make the system more secure. The problems tiger considers most serious are marked with FAIL.

Install tiger:

Code:

sudo aptitude -y install tiger


Run tiger to create a report of security issues.

Code:

sudo tiger


Use less to view the most recent tiger report:

Code:

sudo -i
less /var/log/tiger/`ls -t1 /var/log/tiger | head -1`
exit


Use tigexp to list explanations for FAIL codes:

Code:

tigexp dev002f


Google is also helpful, naturally.

Ignore these:

Code:

--FAIL-- [dev002f] /dev/fuse has world permissions
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660


Changing permissions for these could cause problems.

Detect attempted intrusions with psad
project: http://www.cipherdyne.org/psad/

Psad is a collection of lightweight daemons that log attempted intrusions, in particular by monitoring iptables log messages.

Installation:

Code:

sudo aptitude -y install psad


The daemons will run automatically.

To check current status:

Code:

sudo psad -S


You can modify psad settings to e-mail the admin in the event of intrusion detection:

Code:

sudo vi /etc/psad/psad.conf


Change EMAIL_ADDRESSES to your email address:

Code:

EMAIL_ADDRESSES             you@yourdomain.com;


Nmap: port scanning
project: http://nmap.org/

This allows you to see which ports are open, verifying that UFW/iptables is working correctly. Note that UFW accepts all loopback traffic, so a scan of localhost shows what is listening rather than what the firewall filters; to confirm the rules, run the same scan from another host.

Installing nmap:

Code:

sudo aptitude install -y nmap


Port scanning (TCP connect scan):

Code:

nmap -v -sT localhost


SYN Scanning:

Code:

sudo nmap -v -sS localhost


Scan type explanations: http://nmap.org/book/man-port-scanning-techniques.html

Chkrootkit: check for rootkit presence
project: http://www.chkrootkit.org/

Chkrootkit scans the system for evidence that a rootkit has been installed.

This is a confidence test to be used to test whether your system has been compromised. In a perfect world you would not need this…but in this world, it is good to run periodically.

Installing chkrootkit:

Code:

sudo aptitude install -y chkrootkit


Running chkrootkit:

Code:

sudo chkrootkit


LogWatch
Ubuntu community documentation: https://help.ubuntu.com/community/Logwatch

The most detailed and informative logs in the world are useless if no one looks at them. Logwatch winnows the deluge to a succinct report…which you will look at. Even so, familiarize yourself with your system’s logs and review them on a regular basis. A daily logwatch habit would be a good start.

Installation:

Code:

sudo aptitude -y install logwatch


Usage:

Code:

sudo logwatch | less


Schedule daily email logwatch report:

Code:

sudo vi /usr/share/logwatch/default.conf/logwatch.conf


Edit the following parameters:

Code:

Output = mail
Format = html
MailTo = test@gmail.com


Save and exit the file. Now you should receive a daily logwatch report to the email address you specified.

**** THE STEPS BELOW ARE FOR REFERENCE ONLY. THEY ARE NOT REQUIRED IN ORDER TO HAVE THE DAILY LOGWATCH REPORT EMAILED TO YOU. SIMPLY LEAVING THE "/usr/sbin/logwatch --output mail" AS IS WILL GIVE YOU DAILY LOGWATCH REPORT VIA EMAIL. ****

Now edit the 00logwatch file:

Code:

sudo vi /etc/cron.daily/00logwatch


Change the line below:

Code:

#execute
/usr/sbin/logwatch --output mail


to:

Code:

#execute
/usr/sbin/logwatch --mailto test@gmail.com


Ongoing maintenance
Your server is now more secure. Once a week, perform ongoing maintenance.

Check for attempted intrusions:

Code:

sudo psad -S


UPDATED: Analyze the system with tiger. Because the tiger reports in /var/log/tiger are owned by root, run these commands one at a time. (This solves a problem some people were having with permissions.)

Code:

sudo -i
tiger
grep FAIL /var/log/tiger/`ls -t1 /var/log/tiger | head -1`
exit


In the above, FAILs are pulled from the newest report file with grep. The ls clause in backticks gives grep the newest file in the directory. The sudo -i command allows you to run multiple commands as root, ending with exit.

Use tigexp to list explanations for FAIL codes:

Code:

tigexp dev002f


Scan ports with nmap:

Code:

sudo nmap -v -sS localhost


Check for rootkits

Code:

sudo chkrootkit


Look at logs:

Code:

sudo logwatch | less


Keep up with trends

visit: http://www.linuxsecurity.com/