Setup Idea Ubuntu Hardening

Last updated: Aug 23, 2024
How it's used: For home and private use
Operating system: Linux
On-device encryption: Other full-disk drive encryption software
Log-in security: Basic account password (insecure)
Security updates: Allow security updates
Update channels: Allow stable updates only
User Access Control: N/A - Linux / Mac / Other operating system
Smart App Control: N/A - Linux / Mac / Other operating system
Network firewall: Enabled
Real-time security: clamav (linux free AV)
Firewall security: Built-in Firewall for Mac/Linux
About custom security: this is what the article is about
Periodic malware scanners: clamav
Malware sample testing: I do not participate in malware testing
Environment for malware testing: n/a
Browser(s) and extensions: firefox
Secure DNS: quad9
Desktop VPN: proton vpn free
Password manager: firefox built-in password manager
File and Photo backup: deja-dup (built-in backup app)
System recovery: clonezilla
Risk factors: Browsing to popular websites
Computer specs: ASUS Vivobook 2021 model
Recommended for: All types of users

Victor M

There is also the Ubuntu Security Guide (usg). It configures Ubuntu automatically to satisfy some security best practices. But it does not work for Ubuntu 24 yet. So if you are using Ubuntu 22 or earlier you can try that. The Ubuntu Security Guide | Ubuntu. It allows you to take one step towards being compliant with the computer security regulations that apply to your industry. Different industries have different regulations. For example, there is HIPAA for the health care industry, and PCI DSS, which applies to anybody who accepts credit card payments. If you suffer a breach and did not do your due diligence, you could lose the right to accept credit card payments, which would be a big deal to merchants large or small.

USG gives you a choice of implementing the DISA (Defense Information Systems Agency) or the CIS (Center for Internet Security) configuration. They set up hundreds of hardening settings.

I chose the DISA. You first do an audit comparing the would-be settings to the existing settings. This shows you which settings would be configured in addition to what you have now. Then you can tailor the settings that you don't need or want. You open the HTML audit report, which gives you the setting names, and you edit the 'tailor.xml' to turn off items. Then you apply your tailored configuration.
 
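A way to review an edited 'tailor.xml' before applying it, as an added example that is not part of the original post or of USG itself: it lists, per profile, which rules were left on and which were turned off, and stops on a mistyped value. It assumes the file uses the XCCDF 1.2 tailoring layout (`select` elements with `idref` and `selected`); the sample content and all ids in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the XCCDF 1.2 tailoring layout; all ids are placeholders.
SAMPLE_TAILORING = """\
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_tailoring_sample">
  <Profile id="xccdf_org.example_profile_sample_customized">
    <!-- constructed comment describing rule a -->
    <select idref="xccdf_org.example_rule_sample_a" selected="true"/>
    <select idref="xccdf_org.example_rule_sample_b" selected="false"/>
    <select idref="xccdf_org.example_rule_sample_c" selected="1"/>
    <select idref="xccdf_org.example_rule_sample_d" selected="0"/>
  </Profile>
</Tailoring>
"""

# xs:boolean allows both spellings for each value.
TRUE_VALUES, FALSE_VALUES = {"true", "1"}, {"false", "0"}


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def review_tailoring(xml_text):
    """Map each profile id to the rules left enabled and the rules turned off."""
    report = {}
    for profile in ET.fromstring(xml_text).iter():
        if local_name(profile.tag) != "Profile":
            continue
        enabled, disabled = [], []
        for child in profile:
            if local_name(child.tag) != "select":
                continue
            rule = child.get("idref")
            value = child.get("selected", "").strip()
            if value in TRUE_VALUES:
                enabled.append(rule)
            elif value in FALSE_VALUES:
                disabled.append(rule)
            else:  # a typo made while hand-editing should stop the review
                raise ValueError(f"{rule}: bad selected value {value!r}")
        report[profile.get("id")] = {"enabled": enabled, "disabled": disabled}
    return report


if __name__ == "__main__":
    for profile_id, rules in review_tailoring(SAMPLE_TAILORING).items():
        print(profile_id, "turned off:", rules["disabled"])
```

Keeping the printed list of turned-off rules next to the audit report gives a record of which hardening items were deliberately skipped.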

Victor M

If you have a hardware firewall which does not support IPv6, you should go to Settings > Network > WiFi or Ethernet > IPv6 and set it to Disable, because when your hardware firewall doesn't support IPv6, IPv6 traffic will go right through, and your hardware firewall will not function as a firewall.
 

simmerskool

@Victor M website says: And you can test your firewall with the 'nmap' tool. Install nmap. Then issue the command > nmap 192.168.0.0/16
I tried this in VMware MX-Linux and nothing seemed to be happening. After about 15 min I used terminal signal to quit. Perhaps the internal ip is different because running in vm?
I minimally used nmap a decade++ ago, so more reading, but comments welcome. I do have a commercial-grade router, so perhaps that "killed" nmap; so far no indications of anything. I suppose the router might see an nmap scan as an attack? This is why Linux is fun (for me) -- getting under the hood to some degree. Lots to (re)learn.

EDIT: errr, never mind, I used ChatGPT to get a clearer idea of what to do, then nmap becomes both informative and helpful. Seeing a few open ports on both Host & Guest I need to "investigate." fun+
 

Guilhermesene

Well, I know that the focus here is on Ubuntu for desktop (home use). But, for those who are interested and work with Debian-based servers (like Ubuntu for example), here's a script for hardening and adjusting settings for security on these servers.

I apologize that the script is in Portuguese pt-br (my native language), but since most browsers today have an integrated translator, I don't think it will be a problem.

I hope I've helped someone 😄

Ubuntu/Debian Server Hardening - GitLab
 

simmerskool

What do you mean by notations?
Here's what I see in the shell: you run lynis and sample output is e.g. wpa_supplicant.service > 9.6 UNSAFE, and when you dig a little there are suggestions to harden it; e.g., for this service I stopped and masked it. A 9.9 or 10 score is max unsafe. The number of kernel services in the default installation marked unsafe surprised me.
 

simmerskool

Hardening Guide updated again. Changes to firejail protection + changes to the firefox .desktop file.
I read thru the new hardening PDF -- I knew or understood about 90% of it from working on my Linux. Curious about Wazuh, I was looking at it earlier today before I saw your post. It looked somewhat complicated and I did not have time to read its docs. Can you install and run it on default successfully as you find the time to learn it? I am currently working thru AIDE.
 

Victor M

The meat of Wazuh is in Threat Hunting. When you are there, click on the Events tab up at the top. Then you will see all the events Wazuh collected, each with a severity level. Level 6 and below are less important. But you should not ignore them, as attacks come in bits and pieces chained together, and each piece when considered alone may not be significant.

Then as you go thru the events, you may want to ignore a particular event always. For that you can use the filters at the top. Define a filter and save it.
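The point about low-severity events mattering in combination, as an added example that is not part of the original post or of Wazuh: it groups events at level 6 and below by agent and reports any time window in which one agent raised several different low-level rules. It assumes alert lines carry the `timestamp`, `agent.name`, `rule.id` and `rule.level` fields; the sample lines, rule ids, window and thresholds are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines shaped like Wazuh alert JSON; agents and rule ids are made up.
SAMPLE_ALERTS = [
    '{"timestamp":"2024-08-23T10:00:05.000+0000","agent":{"name":"laptop"},"rule":{"id":"100001","level":5}}',
    '{"timestamp":"2024-08-23T10:01:00.000+0000","agent":{"name":"desktop"},"rule":{"id":"100002","level":3}}',
    '{"timestamp":"2024-08-23T10:03:10.000+0000","agent":{"name":"laptop"},"rule":{"id":"100002","level":3}}',
    '{"timestamp":"2024-08-23T10:07:45.000+0000","agent":{"name":"laptop"},"rule":{"id":"100003","level":6}}',
    '{"timestamp":"2024-08-23T10:08:00.000+0000","agent":{"name":"laptop"},"rule":{"id":"100004","level":10}}',
    '{"timestamp":"2024-08-23T13:30:00.000+0000","agent":{"name":"laptop"},"rule":{"id":"100001","level":5}}',
]


def parse(line):
    """Return (timestamp, agent name, rule id, level) for one alert line."""
    alert = json.loads(line)
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    rule = alert["rule"]
    return ts, alert["agent"]["name"], rule["id"], int(rule["level"])


def low_level_clusters(lines, max_level=6, window=timedelta(minutes=10), min_rules=3):
    """Find windows where one agent raised >= min_rules distinct low-level rules."""
    by_agent = defaultdict(list)
    for line in lines:
        ts, agent, rule_id, level = parse(line)
        if level <= max_level:  # high-level alerts already stand out on their own
            by_agent[agent].append((ts, rule_id))
    clusters = []
    for agent, events in sorted(by_agent.items()):
        events.sort()
        start = 0
        while start < len(events):
            end = start
            while end + 1 < len(events) and events[end + 1][0] - events[start][0] <= window:
                end += 1
            rules = sorted({rule_id for _, rule_id in events[start:end + 1]})
            if len(rules) >= min_rules:
                clusters.append((agent, events[start][0], events[end][0], rules))
                start = end + 1  # continue after the reported window
            else:
                start += 1
    return clusters


if __name__ == "__main__":
    for agent, first, last, rules in low_level_clusters(SAMPLE_ALERTS):
        print(f"{agent}: {len(rules)} low-level rules between {first} and {last}: {rules}")
```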
 

Victor M

Major update. Now using Ubuntu apparmor additional profiles' stronger Firefox profile instead of the Firejail-default apparmor profile. Firejail now needs an apparmor specification and includes additional protection settings. A new component also needs to be downloaded - openbox. Start reading from the downloads paragraph.
 