We will look at some general steps to harden an Ubuntu 20.04 server.

1. Set Auto-update On Ubuntu 20.04

# sudo apt install unattended-upgrades

Now open the file below and edit it:
# vim /etc/apt/apt.conf.d/50unattended-upgrades

Uncomment this line:

"${distro_id}:${distro_codename}-updates";

Now enable removal of unused kernel packages and dependencies, along with an automatic reboot. Make sure these lines are added or uncommented:

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "00:00";

Edit the /etc/apt/apt.conf.d/20auto-upgrades file and set the interval for update checks. The values are in days (one week or so, depending on your choice):

APT::Periodic::Update-Package-Lists "7";
APT::Periodic::Download-Upgradeable-Packages "7";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "7";

2. Install CSF firewall which comes with the LFD login monitor.

The ufw in Ubuntu is good for a basic firewall, but CSF / LFD provides more options, monitors login failures, and blocks the offending IPs automatically.

# cd /usr/src
# wget https://download.configserver.com/csf.tgz 
# tar -xzf csf.tgz 
# cd csf 
# sh install.sh

# apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl

Open /etc/csf/csf.conf, turn off TESTING mode, and restart the service using csf -r

3. Change the default SSH port and disable root login

# vim /etc/ssh/sshd_config

Change the port number to something custom like 2900 and open the same port in the TCP_IN section of the CSF config file.

Now, create a sudo user, and let's disable the root login.

# adduser newusername
# passwd newusername

Now, we want to edit the sudo rights and grant administrative privileges to this user. Use visudo, which opens /etc/sudoers and checks the syntax before saving.

# visudo

Add the user we just created below the root entry:

## Allow root to run any commands anywhere
root ALL=(ALL) ALL

newusername ALL=(ALL) ALL

Now save and close this file. Go to your SSH configuration file and set:

PermitRootLogin no
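
Added example, not part of the original guide: a pre-restart check for step 3 that reads the effective configuration printed by `sshd -T` and confirms that root login is off and that every SSH port is listed in CSF's TCP_IN, so restarting sshd does not lock you out. The function names and the sample values are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the guide's own code): lockout check for step 3.
# Live use on the server, as root, before restarting sshd:
#   sshd -t && sshd -T | audit_ssh /etc/csf/csf.conf

# port_allowed PORT LIST -> status 0 if PORT matches an entry of a CSF port
# list such as "80,443,2900,30000:35000" (single ports or low:high ranges).
port_allowed() {
    echo "$2" | tr ',' '\n' | awk -F: -v p="$1" '
        NF == 1 && $1+0 == p+0               { ok = 1 }
        NF == 2 && p+0 >= $1+0 && p+0 <= $2+0 { ok = 1 }
        END { exit !ok }'
}

# audit_ssh CSF_CONF -> reads `sshd -T` output on stdin, prints findings,
# and returns the number of problems found (0 means safe to restart).
audit_ssh() {
    local cfg tcp_in root port fails=0
    cfg=$(cat)
    tcp_in=$(sed -n 's/^TCP_IN *= *"\(.*\)".*/\1/p' "$1")
    root=$(echo "$cfg" | awk '$1 == "permitrootlogin" { print $2 }')
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"
        fails=$((fails + 1))
    fi
    for port in $(echo "$cfg" | awk '$1 == "port" { print $2 }'); do
        if [ "$port" = "22" ]; then
            echo "FAIL: sshd still listens on the default port 22"
            fails=$((fails + 1))
        elif ! port_allowed "$port" "$tcp_in"; then
            echo "FAIL: port $port is not in CSF TCP_IN; a restart would lock you out"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ] && echo "OK: root login disabled, SSH port(s) allowed by CSF"
    return "$fails"
}

# Constructed sample input (not captured from a real host).
demo_csf=$(mktemp)
echo 'TCP_IN = "80,443,2900"' > "$demo_csf"
printf 'port 2900\npermitrootlogin no\n' | audit_ssh "$demo_csf"
rm -f "$demo_csf"
```

`sshd -t` only checks syntax, while `sshd -T` prints the values the daemon will actually use, which is what the check reads.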

4. Installing chkrootkit on Ubuntu 20.04

# apt-get update
# apt install chkrootkit

Open /etc/chkrootkit.conf and replace the first line so that it reads RUN_DAILY="true"

5. Secure Apache by removing Apache Version and OS Identity from Errors

# vim /etc/apache2/apache2.conf

Add the following lines and restart the Apache service.

ServerSignature Off
ServerTokens Prod

6. Disable Directory Listing on Apache

Turn off directory listing by using the Options directive in the configuration file /etc/apache2/apache2.conf:

<Directory /var/www/domainname>
    Options -Indexes
</Directory>

7. Set up and configure Mod_Security for Apache on Ubuntu 20.04

# apt install libapache2-mod-security2

# sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

# vi /etc/modsecurity/modsecurity.conf

Change the 'SecRuleEngine' setting to SecRuleEngine On

Next, download the latest OWASP ModSecurity rules:

# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

# cd owasp-modsecurity-crs
# mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
# mkdir -p /etc/modsecurity/rules
# cd rules
# cp *.* /etc/modsecurity/rules

# vi /etc/apache2/mods-enabled/security2.conf

Add the following lines.

IncludeOptional /etc/modsecurity/*.conf
Include /etc/modsecurity/rules/*.conf

# sudo systemctl restart apache2

Test that it is working by loading http://serverIP/index.html?exec=/bin/bash in your browser. You should receive a 403 Forbidden error.
