- Oct 3, 2022
- 590
Ubuntu hardening. Not a script. Just follow along and paste in the commands.
Last edited:
Ubuntu Hardening
- Thread starter Victor M
- Start date
- Oct 3, 2022
- 590
There is also Ubuntu Security Guide ( usg ) . It configures Ubuntu automatically to satisfy some security best practices. But it does not work for Ubuntu 24 yet. So if you are using Ubuntu 22 or earlier you can try that. The Ubuntu Security Guide | Ubuntu . It allows you to take one step towards being compliant to computer security regulations that apply towards your industry. Different industries have different regulations. For example there is the HIPAA for health care industry, and the PCI DSS that applies to anybody who accepts credit card payments. If you suffer a breach and did not do your due diligence you could lose the right to accept credit card payments which would be a big deal to merchants large or small.
USG gives you a choice of implementing DISA (Defense Information System Agency) or the CIS (Center for Internet Security) configuration. They setup hundreds of hardening settings.
I chose the DISA, You first do an audit comparing would be settings to the existing settings. This shows you which settings would be configured in addition to what you have now. Then you can tailor the settings that you don't need or want. You open the html audit report which gives you the setting names, and you edit the 'tailor.xml' to turn off items. Then you apply your tailored configuration.
USG gives you a choice of implementing DISA (Defense Information System Agency) or the CIS (Center for Internet Security) configuration. They setup hundreds of hardening settings.
I chose the DISA, You first do an audit comparing would be settings to the existing settings. This shows you which settings would be configured in addition to what you have now. Then you can tailor the settings that you don't need or want. You open the html audit report which gives you the setting names, and you edit the 'tailor.xml' to turn off items. Then you apply your tailored configuration.
Last edited:
- Oct 3, 2022
- 590
If you have a hardware firewall which does not support ipv6, you should go to Settings > Network > WiFi or Ethernet > IPv6 set to Disable. Because when your hardware firewall doesn't support ipv6, ipv6 traffic will go right through, and your hardware firewall will not function as a firewall.
Last edited:
- Oct 3, 2022
- 590
The latest version is up on https://fortifiedubuntu.org . Changed the order of the sections so that the most important things are done offline first.
- Oct 3, 2022
- 590
- Apr 16, 2017
- 2,613
on Fortify Ubuntu: hardening Ubuntu this is your website?? or you can post / save pdf files there...
EDIT PS I also like the short comment about using nmap to test firewall... helpful stuff as I reacquaint myself with linux
- Apr 16, 2017
- 2,613
@Victor M website says: And you can test your firewall with the 'nmap' tool. Install nmap. Then issue the command > nmap 192.168.0.0/16
I tried this in VMware MX-Linux and nothing seemed to be happening. After about 15 min I used terminal signal to quit. Perhaps the internal ip is different because running in vm?
I minimally used nmap a decade++ ago, so more reading, but comments welcome. I do have an commercial grade router so perhaps that "killed" nmap, so far no indications of anything. I suppose the router might see a nmap scan as an attack? This is why linux is fun (for me) -- getting under the hood to some degree. Lots to (re)learn.
EDIT errr nevermind, I used chatGPT to get a clearer idea of what to do, then nmap becomes both informative and helpful. seeing a few open ports on both Host & Guest I need to "investigate." fun+
I tried this in VMware MX-Linux and nothing seemed to be happening. After about 15 min I used terminal signal to quit. Perhaps the internal ip is different because running in vm?
I minimally used nmap a decade++ ago, so more reading, but comments welcome. I do have an commercial grade router so perhaps that "killed" nmap, so far no indications of anything. I suppose the router might see a nmap scan as an attack? This is why linux is fun (for me) -- getting under the hood to some degree. Lots to (re)learn.
EDIT errr nevermind, I used chatGPT to get a clearer idea of what to do, then nmap becomes both informative and helpful. seeing a few open ports on both Host & Guest I need to "investigate." fun+
Last edited:
Guilhermesene
Level 1
- Dec 19, 2023
- 27
Well, I know that the focus here is on Ubuntu for desktop (home use). But, for those who are interested and work with Debian-based servers (like Ubuntu for example), here's a script for hardening and adjusting settings for security on these servers.
I apologize that the script is in Portuguese pt-br (my native language), but since most browsers today have an integrated translator, I don't think it will be a problem.
I hope I've helped someone
Ubuntu/Debian Server Hardening - GitLab
I apologize that the script is in Portuguese pt-br (my native language), but since most browsers today have an integrated translator, I don't think it will be a problem.
I hope I've helped someone
Ubuntu/Debian Server Hardening - GitLab
- Oct 3, 2022
- 590
- Oct 3, 2022
- 590
More security added to Firejail Ubuntu 24.04 settings: see PDF at: Fortified Ubuntu: hardening Ubuntu 24 Desktop .
- Apr 16, 2017
- 2,613
fwiw I've been going thru fedora 41 with chatgpt using lynis & other apps to harden fedora. I was sorta surprised by varoius "unsafe" notations including the kernel too. Helpful learning experience for me.
- Oct 3, 2022
- 590
- Apr 16, 2017
- 2,613
here's what I see in shell, you run lynis and sample output eg = wpa_supplicant.service > 9.6 UNSAFE and when you dig a little there are suggestions to harden it, eg, for this service I stopped and masked it. 9.9 or 10 score is max unsafe. the number of kernel services in default installation marked unsafe surprised me
- Dec 12, 2016
- 1,368
There is already a more hardened version of Fedora GitHub - secureblue/secureblue: Hardened Fedora Atomic and Fedora CoreOS images
- Apr 16, 2017
- 2,613
well I did see a reference to Atomic, but didn't know what it was. My lynis hardening index keeps increasing so this fun, and I think I'm pretty safe (famous last words) -- for some reason that I do not fully understand, I really like fedora.
- Dec 12, 2016
- 1,368
Fedora is really nice and by default it's a very secure distro
- Oct 3, 2022
- 590
Hardening Guide updated again. Changes to firejail protection + changes to the firefox .desktop file.
- Apr 16, 2017
- 2,613
I read thru the new hardening pdf -- I knew or understood about 90% of it from working on my linux. Curious about Wazuh, I was looking at it earlier today before I saw your post. It looked somewhat complicated and did not have time to read its docs. Can you install and run it on default successfully as you find the time to learn it. I am currently working thru AIDE.
- Oct 3, 2022
- 590
The meat of Wazuh is in Threat Hunting. When you are there, click on the Events tab up at the top. Then you will see all the events Wazuh collected, each with a severity level. Level 6 and below are less important. But you should not ignore them as attacks comes in bits and pieces chained together, and each piece when considered alone may not be significant.
Then as you go thru the events, you may want to ignore a particular event always. For that you can use the filters at the top. Define a filter and save it.
Then as you go thru the events, you may want to ignore a particular event always. For that you can use the filters at the top. Define a filter and save it.
- Oct 3, 2022
- 590
Major update. Now using Ubuntu apparmor additional profile's' stronger Firefox profile instead of Firejail-default apparmor profile. Firejail now need apparmor specification and includes additional protection settings. New component also needs to be downloaded - openbox. Start reading from downloads paragraph.
Last edited:
