{"id":20699315,"url":"https://github.com/schooloffreelancing/ubuntu-server-hardening","last_synced_at":"2025-04-22T22:03:40.822Z","repository":{"id":100560819,"uuid":"275690114","full_name":"SchoolOfFreelancing/Ubuntu-Server-Hardening","owner":"SchoolOfFreelancing","description":"Ubuntu server hardening standards for defending ubuntu Linux systems and data against Cyberattacks. The best security measures GitHub repository based on CIS Benchmark.  ","archived":false,"fork":false,"pushed_at":"2020-06-29T00:15:15.000Z","size":21,"stargazers_count":9,"open_issues_count":0,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-29T19:11:30.796Z","etag":null,"topics":["cis-benchmarks","firewall","hackproof-ubuntu","linux","security","ubuntu-hardening","ubuntu-server-hardening"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SchoolOfFreelancing.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-29T00:04:11.000Z","updated_at":"2024-06-18T15:05:46.000Z","dependencies_parsed_at":"2023-05-15T22:15:09.152Z","dependency_job_id":null,"html_url":"https://github.com/SchoolOfFreelancing/Ubuntu-Server-Hardening","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SchoolOfFreelancing%2FUbuntu-Server-Hardening","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SchoolOfFreelancing%2FUbuntu-Server-Hardening/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SchoolOfFreelancing%2FUbuntu-Server-Hardening/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SchoolOfFreelancing%2FUbuntu-Server-Hardening/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SchoolOfFreelancing","download_url":"https://codeload.github.com/SchoolOfFreelancing/Ubuntu-Server-Hardening/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250331803,"owners_count":21413100,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cis-benchmarks","firewall","hackproof-ubuntu","linux","security","ubuntu-hardening","ubuntu-server-hardening"],"created_at":"2024-11-17T00:29:12.935Z","updated_at":"2025-04-22T22:03:40.809Z","avatar_url":"https://github.com/SchoolOfFreelancing.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"List of things for hardening Ubuntu\n\n### System Updates\n**http://bookofzeus.com/harden-ubuntu/initial-setup/system-updates/**\n\nKeeping the system updated is vital before starting anything on your system. This will prevent people to use known vulnerabilities to enter in your system.\n\n    sudo apt-get update\n    sudo apt-get upgrade\n    sudo apt-get autoremove\n    sudo apt-get autoclean\n\nEnable automatic updates can be crucial for your server security. It is very important to stay up to date.\n\n    sudo apt-get install unattended-upgrades\n    sudo dpkg-reconfigure -plow unattended-upgrades\n\nTo enable ONLY security updates, please change the code to look like this:\n\n    sudo nano /etc/apt/apt.conf.d/50unattended-upgrades\n    : Unattended-Upgrade::Allowed-Origins {\n    :     \"${distro_id}:${distro_codename}-security\";\n    : //  \"${distro_id}:${distro_codename}-updates\";\n    : //  \"${distro_id}:${distro_codename}-proposed\";\n    : //  \"${distro_id}:${distro_codename}-backports\";\n    : };\n    : // Unattended-Upgrade::Mail \"my_user@my_domain.com\";\n\n### Disable Root Account\n**http://bookofzeus.com/harden-ubuntu/initial-setup/disable-root-account/**\n\nFor security reasons, it is safe to disable the root account. Removing the account might not be a good idea at first, instead we simply need to disable it.\n\n    # To disable the root account, simply use the -l option.\n    sudo passwd -l root\n    \n    # If for some valid reason you need to re-enable the account, simply use the -u option.\n    sudo passwd -u root\n\n### Add Swap\n**http://bookofzeus.com/harden-ubuntu/server-setup/add-swap/**\n\nSome pre-installed Ubuntu Server are not configured with SWAP. Linux swaps allow a system to harness more memory than was originally physically available\n\n    # Let's check if a SWAP file exists and it's enabled before we create one.\n    sudo swapon -s\n    \n    # To create the SWAP file, you will need to use this.\n    sudo fallocate -l 4G /swapfile\t# same as \"sudo dd if=/dev/zero of=/swapfile bs=1G count=4\"\n    \n    # Secure swap.\n    sudo chown root:root /swapfile\n    sudo chmod 0600 /swapfile\n    \n    # Prepare the swap file by creating a Linux swap area.\n    sudo mkswap /swapfile\n    \n    # Activate the swap file.\n    sudo swapon /swapfile\n    \n    # Confirm that the swap partition exists.\n    sudo swapon -s\n    \n    # This will last until the server reboots. Let's create the entry in the fstab.\n    sudo nano /etc/fstab\n    : /swapfile\tnone\tswap\tsw\t0 0\n    \n    # Swappiness in the file should be set to 0. Skipping this step may cause both poor performance,\n    # whereas setting it to 0 will cause swap to act as an emergency buffer, preventing out-of-memory crashes.\n    echo 0 | sudo tee /proc/sys/vm/swappiness\n    echo vm.swappiness = 0 | sudo tee -a /etc/sysctl.conf\n\n### sysctl.conf\n**http://bookofzeus.com/harden-ubuntu/hardening/sysctl-conf/**\n\nThese settings can:\n- Limit network-transmitted configuration for IPv4\n- Limit network-transmitted configuration for IPv6\n- Turn on execshield protection\n- Prevent against the common 'syn flood attack'\n- Turn on source IP address verification\n- Prevents a cracker from using a spoofing attack against the IP address of the server.\n- Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.\n\n\"/etc/sysctl.conf\" file is used to configure kernel parameters at runtime. Linux reads and applies settings from this file.\n\n    sudo nano /etc/sysctl.conf\n\n    # IP Spoofing protection\n    : net.ipv4.conf.default.rp_filter = 1\n    : net.ipv4.conf.all.rp_filter = 1\n    # Block SYN attacks\n    : net.ipv4.tcp_syncookies = 1\n    # Controls IP packet forwarding\n    : net.ipv4.ip_forward = 0\n    # Ignore ICMP redirects\n    : net.ipv4.conf.all.accept_redirects = 0\n    : net.ipv6.conf.all.accept_redirects = 0\n    : net.ipv4.conf.default.accept_redirects = 0\n    : net.ipv6.conf.default.accept_redirects = 0\n    # Ignore send redirects\n    : net.ipv4.conf.all.send_redirects = 0\n    : net.ipv4.conf.default.send_redirects = 0\n    # Disable source packet routing\n    : net.ipv4.conf.all.accept_source_route = 0\n    : net.ipv6.conf.all.accept_source_route = 0\n    : net.ipv4.conf.default.accept_source_route = 0\n    : net.ipv6.conf.default.accept_source_route = 0\n    # Log Martians\n    : net.ipv4.conf.all.log_martians = 1\n    # Block SYN attacks\n    : net.ipv4.tcp_max_syn_backlog = 2048\n    : net.ipv4.tcp_synack_retries = 2\n    : net.ipv4.tcp_syn_retries = 5\n    # Log Martians\n    : net.ipv4.icmp_ignore_bogus_error_responses = 1\n    # Ignore ICMP broadcast requests\n    : net.ipv4.icmp_echo_ignore_broadcasts = 1\n    # Ignore Directed pings\n    : net.ipv4.icmp_echo_ignore_all = 1\n    : kernel.exec-shield = 1\n    : kernel.randomize_va_space = 1\n    # disable IPv6 if required (IPv6 might caus issues with the Internet connection being slow)\n    : net.ipv6.conf.all.disable_ipv6 = 1\n    : net.ipv6.conf.default.disable_ipv6 = 1\n    : net.ipv6.conf.lo.disable_ipv6 = 1\n    # Accept Redirects? No, this is not router\n    : net.ipv4.conf.all.secure_redirects = 0\n    # Log packets with impossible addresses to kernel log? yes\n    : net.ipv4.conf.default.secure_redirects = 0\n    \n    # [IPv6] Number of Router Solicitations to send until assuming no routers are present.\n    # This is host and not router.\n    : net.ipv6.conf.default.router_solicitations = 0\n    # Accept Router Preference in RA?\n    : net.ipv6.conf.default.accept_ra_rtr_pref = 0\n    # Learn prefix information in router advertisement.\n    : net.ipv6.conf.default.accept_ra_pinfo = 0\n    # Setting controls whether the system will accept Hop Limit settings from a router advertisement.\n    : net.ipv6.conf.default.accept_ra_defrtr = 0\n    # Router advertisements can cause the system to assign a global unicast address to an interface.\n    : net.ipv6.conf.default.autoconf = 0\n    # How many neighbor solicitations to send out per address?\n    : net.ipv6.conf.default.dad_transmits = 0\n    # How many global unicast IPv6 addresses can be assigned to each interface?\n    : net.ipv6.conf.default.max_addresses = 1\n    \n    # In rare occasions, it may be beneficial to reboot your server reboot if it runs out of memory.\n    # This simple solution can avoid you hours of down time. The vm.panic_on_oom=1 line enables panic\n    # on OOM; the kernel.panic=10 line tells the kernel to reboot ten seconds after panicking.\n    : vm.panic_on_oom = 1\n    : kernel.panic = 10\n\n    # Apply new settings\n    sudo sysctl -p\n\n### Disable IRQ Balance\n**http://bookofzeus.com/harden-ubuntu/server-setup/disable-irqbalance/**\n\nYou should turn off IRQ Balance to make sure you do not get hardware interrupts in your threads. Turning off IRQ Balance, will optimize the balance between power savings and performance through distribution of hardware interrupts across multiple processors.\n\n    sudo nano /etc/default/irqbalance\n    : ENABLED=\"0\"\n\n### OpenSSL Heartbleed Bug\n**http://bookofzeus.com/harden-ubuntu/server-setup/fix-openssl-heartbleed/**\n\nThe OpenSSL heartbleed bug (CVE-2014-0160) bug allows a hacker to leak the memory in up to 64k chunks. Repetitively trying, he can get crutial informations about your system.\n\nThe worst a hacker can retrieve are the private keys. Which means now he has the keys to decrypt the encrypted any data. The other information a hacker can get are users' cookies information or even users' username and passwords.\n\nIt is crutial to fix this issue to version greater or equal to 1.0.1g. You also have to revoke and regenerate new keys and certificates and re-issuing of CA certs and the like in the coming days.\n\n    openssl version -v\n    \n    # above should be not 1.0.1f or below, otherwise:\n    sudo apt-get update\n    sudo apt-get upgrade openssl libssl-dev\n    apt-cache policy openssl libssl-dev\n    \n    sudo apt-get install make\n    curl https://www.openssl.org/source/openssl-1.0.2f.tar.gz | tar xz \u0026\u0026 cd openssl-1.0.2f \u0026\u0026 sudo ./config \u0026\u0026 sudo make \u0026\u0026 sudo make install\n    sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`\n    \n    openssl version\n\n### Secure `/tmp` and `/var/tmp`\n**http://bookofzeus.com/harden-ubuntu/server-setup/secure-tmp-var-tmp/**\n\nTemporary storage directories such as /tmp, /var/tmp and /dev/shm gives the ability to hackers to provide storage space for malicious executables.\n\n    # Let's create a 1GB (or what is best for you) filesystem file for the /tmp parition.\n    sudo fallocate -l 1G /tmpdisk\n    sudo mkfs.ext4 /tmpdisk\n    sudo chmod 0600 /tmpdisk\n    \n    # Mount the new /tmp partition and set the right permissions.\n    sudo mount -o loop,noexec,nosuid,rw /tmpdisk /tmp\n    sudo chmod 1777 /tmp\n    \n    # Set the /tmp in the fstab.\n    sudo nano /etc/fstab\n    : /tmpdisk\t/tmp\text4\tloop,nosuid,noexec,rw\t0 0\n    sudo mount -o remount /tmp\n    \n    # Secure /var/tmp.\n    sudo mv /var/tmp /var/tmpold\n    sudo ln -s /tmp /var/tmp\n    sudo cp -prf /var/tmpold/* /tmp/\n    sudo rm -rf /var/tmpold/\n\n### Secure Shared Memory\n**http://bookofzeus.com/harden-ubuntu/server-setup/secure-shared-memory/**\n\nShared memory can be used in an attack against a running service, apache2 or httpd for example. \n\n    sudo nano /etc/fstab\n    : tmpfs\t/run/shm\ttmpfs\tro,noexec,nosuid\t0 0\n\n### Set Hostname and Host File\n**http://bookofzeus.com/harden-ubuntu/server-setup/set-hostname-and-host/**\n\nThe hostname uniquely identifies your computer on the local network. The hostname can be use in many services or applications. Once the hostname is set, it is not recommended to change it.\n\n    sudo nano /etc/hostname\n    : \u003cip/hostname\u003e\n    \n    sudo nano /etc/hosts\n    : 127.0.0.1\tlocalhost localhost.localdomain \u003cip/hostname\u003e\n\n### Set Locale and Timezone\n**http://bookofzeus.com/harden-ubuntu/server-setup/set-timezone/**\n\n    sudo locale-gen en_GB.UTF-8\n    sudo update-locale LANG=en_GB.UTF-8\n    sudo dpkg-reconfigure tzdata\n\n### Set Security Limits\n**http://bookofzeus.com/harden-ubuntu/server-setup/set-security-limits/**\n\nYou might need to protect your system against fork bomb attacks. A simple way to prevent this is by setitng up processes limit for your users. All the limits can be configured in the `/etc/security/limits.conf` file.\n\n    sudo nano /etc/security/limits.conf\n    : user1 hard nproc 100\n    : @group1 hard nproc 20\n\nThis will prevent users from a specific group from having a maximum of 20 processs and maximize the number of processes to 100 to user1.\n\n### IP Spoofing\n**http://hardenubuntu.com/hardening/ip-spoofing/**\n\nIP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.\n\n    sudo nano /etc/host.conf\n    : order bind,hosts\n    : nospoof on\n\n### PHP\n**http://bookofzeus.com/harden-ubuntu/hardening/php/**\n\n    sudo nano /etc/php/fpm/php.ini\n    : safe_mode = On\n    : safe_mode_gid = On\n    : sql.safe_mode = On\n    \n    : register_globals = Off\n    : magic_quotes_gpc = Off\n    \n    : expose_php = Off\n    : track_errors = Off\n    : html_errors = Off\n    : display_errors = Off\n    \n    : disable_functions = ... system,exec,shell_exec,php_uname,getmyuid,getmypid,leak,listen,diskfreespace,link,ignore_user_abord,dl,set_time_limit,highlight_file,source,show_source,passthru,fpaththru,virtual,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo\n    # exceptions: getmypid\n    \n    : allow_url_fopen = Off\n    : allow_url_include = Off\n    \n    : sql.safe_mode = On\n    \n    : session.cookie_httponly = 1\n    : session.referer_check = mydomain.com\n\n### SSH\n**http://bookofzeus.com/harden-ubuntu/hardening/ssh/**\n\nSSH can be very helpful when configuring your server, setup domains or anything else you need to do. It also one of the first point of entry of hackers. This is why it is very important to secure your SSH.\n\nThe basic rules of hardening SSH are:\n- No password for SSH access (use private key)\n- Don't allow root to SSH (the appropriate users should SSH in, then `su` or `sudo`)\n- Use `sudo` for users so commands are logged\n- Log unauthorised login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)\n- Lock down SSH to only the ip range your require (if you feel like it)\n\nIt is recommended to use SSH keys.\n\n    sudo nano /etc/ssh/sshd_config\n    : Port \u003cport\u003e\n    : Protocol 2\n    : LogLevel VERBOSE\n    : PermitRootLogin no\n    : StrictModes yes\n    : RSAAuthentication yes\n    : IgnoreRhosts yes\n    : RhostsAuthentication no\n    : RhostsRSAAuthentication no\n    : PermitEmptyPasswords no\n    : PasswordAuthentication no\n    : ClientAliveInterval 300\n    : ClientAliveCountMax 0\n    : AllowTcpForwarding no\n    : X11Forwarding no\n    : UseDNS no\n    \n    sudo nano /etc/pam.d/sshd\t(comment lines below)\n    : #session\toptional\tpam_motd.so motd=/run/motd.dynamic noupdate\n    : #session\toptional\tpam_motd.so # [1]\n    \n    sudo service ssh restart\n\n### Antivirus (clamav)\n\n    sudo apt-get install clamav\n    sudo freshclam\n    sudo apt-get install clamav-daemon\n    sudo crontab -e\n    : 00 00 * * * clamscan -r /location_of_files_or_folder | grep FOUND \u003e\u003e /path/to/save/report/myfile.txt\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fschooloffreelancing%2Fubuntu-server-hardening","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fschooloffreelancing%2Fubuntu-server-hardening","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fschooloffreelancing%2Fubuntu-server-hardening/lists"}