Ayekple Clemence

Posted on • Originally published at anansewaa.com

How to harden Ubuntu 16.04 Server security

In this article, we will discuss some security configurations that help protect an Ubuntu 16.04 server environment.

Secure shared memory

First, open the configuration file for editing using the command below:

sudo nano /etc/fstab

Next, add the following line of code to the bottom of the configuration file:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Save and close the file. Then restart the server for the changes to take effect.

Enable ssh login for specific users

It is good practice to enable ssh login only for specific users. If you want to go further and allow secure shell entry for a user only from a specific IP, here are the steps to use.

As an example, we will allow secure shell entry only for the user george, from IP address 192.168.6.32.

In the terminal, open the ssh config file using the following command:

sudo nano /etc/ssh/sshd_config

At the end of the file, add this line of code:

AllowUsers george@192.168.6.32

Save the file and restart sshd with the command below:

sudo service ssh restart

Now, secure shell only allows entry by george, from IP address 192.168.6.32. If anyone other than george tries to ssh into the server, they will either get a password prompt that never accepts their password or be denied access.

Since we all have different needs, you might want to allow all users on a particular network to access the server via ssh.

To do that, add the following line of code to the end of the ssh config file:

AllowUsers *@192.168.6.*

Restart the ssh server for changes to take effect.
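
To see how the two AllowUsers patterns above decide who gets in, here is an added shell example (not code from the original article) that models the matching on a constructed sshd_config fragment. The function and file names are hypothetical, and the model handles only `*` and `?` wildcards, not CIDR hosts, negation, Match blocks or DenyUsers.

```sh
# Added example: a simplified model of how sshd applies AllowUsers patterns.

# allowed_by_allowusers FILE USER IP
# Returns 0 if the login would pass AllowUsers (or no AllowUsers line exists), else 1.
allowed_by_allowusers() {
    # AllowUsers lines accumulate; the keyword is case-insensitive and "#" lines do not count.
    au_patterns=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1")
    [ -n "$au_patterns" ] || return 0
    au_result=1
    set -f    # stop the shell expanding "*" in patterns against filenames
    for au_p in $au_patterns; do
        case $au_p in
            *@*) au_pu=${au_p%@*}; au_ph=${au_p#*@} ;;   # USER@HOST: check both parts
            *)   au_pu=$au_p; au_ph='*' ;;               # USER only: any host
        esac
        # Unquoted expansions in case patterns are matched as globs.
        case $2 in $au_pu) ;; *) continue ;; esac
        case $3 in $au_ph) au_result=0; break ;; esac
    done
    set +f
    return $au_result
}

# make_sshd_sample LINE...: write a constructed sshd_config fragment, print its path.
make_sshd_sample() {
    ss_file=$(mktemp)
    printf '%s\n' 'PermitRootLogin no' '#AllowUsers alice' "$@" > "$ss_file"
    echo "$ss_file"
}

single=$(make_sshd_sample 'AllowUsers george@192.168.6.32')
subnet=$(make_sshd_sample 'AllowUsers *@192.168.6.*')
for login in george@192.168.6.32 george@192.168.6.40 alice@192.168.6.32 alice@10.0.0.5; do
    for cfg in "$single" "$subnet"; do
        if allowed_by_allowusers "$cfg" "${login%@*}" "${login#*@}"; then v=allow; else v=deny; fi
        echo "$login vs $(grep '^AllowUsers' "$cfg"): $v"
    done
done
rm -f "$single" "$subnet"
```

On a real server, running `sudo sshd -t` after editing checks the file for syntax errors before you restart, which avoids locking yourself out with a typo.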

Adding security login banner

Most people will not consider adding the login banner, but with the login banner, a malicious user might think twice about continuing. This process is purely psychological, but it is a step you should not overlook.

To configure it, open the configuration file with the following command:

sudo nano /etc/issue.net

Add a suitable warning and save the file.

Next, disable the banner message from motd. Use the following command to open the configuration file:

sudo nano /etc/pam.d/sshd

In the configuration file, comment out the following lines by adding # at the beginning of each line:

#session optional pam_motd.so motd=/run/motd.dynamic

#session optional pam_motd.so noupdate

Now, open the ssh configuration file (/etc/ssh/sshd_config) and uncomment this line by removing the # at the beginning:

Banner /etc/issue.net

Next, save the file and restart the ssh server with the following command:

sudo service ssh restart

Harden the networking layer

To log packets with malformed IP addresses and prevent source routing of incoming packets on the Ubuntu server, open the configuration file with the following command:

sudo nano /etc/sysctl.conf

Uncomment the following lines, adding any that are not already in the file:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

Save the file and load the new settings with the following command:

sudo sysctl -p
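
To confirm that the lines really are uncommented and carry the intended values, the following added shell example (not from the original article) audits a sysctl.conf-style file against a subset of the settings above. The function names and the sample file are constructed for illustration.

```sh
# Added example: audit a sysctl.conf-style file against a subset of the settings above.
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0'

# audit_sysctl FILE: print OK / MISSING / MISMATCH per key; return 1 on any finding.
audit_sysctl() {
    as_status=0
    for as_want in $EXPECTED; do
        as_key=${as_want%%=*}
        as_val=${as_want#*=}
        # Skip comment lines; the last active assignment in the file wins.
        as_got=$(awk -F= -v k="$as_key" '
            /^[ \t]*[#;]/ { next }
            { name = $1; gsub(/[ \t]/, "", name) }
            name == k { v = $2; gsub(/[ \t]/, "", v); found = 1 }
            END { if (found) print v }' "$1")
        if [ -z "$as_got" ]; then
            echo "MISSING  $as_key (expected $as_val)"; as_status=1
        elif [ "$as_got" != "$as_val" ]; then
            echo "MISMATCH $as_key = $as_got (expected $as_val)"; as_status=1
        else
            echo "OK       $as_key = $as_val"
        fi
    done
    return $as_status
}

# make_sample: write a constructed sysctl.conf (not from a real server), print its path.
make_sample() {
    ms_file=$(mktemp)
    cat > "$ms_file" <<'EOF'
#net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians = 1
EOF
    echo "$ms_file"
}

sample=$(make_sample)
audit_sysctl "$sample" || echo "findings above: fix the file, then run sudo sysctl -p"
rm -f "$sample"
```

Point `audit_sysctl` at /etc/sysctl.conf after editing; to compare against the running kernel instead, read each key with `sysctl -n`.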

Preventing IP spoofing

Finally, to prevent the server’s IP from being spoofed, open the configuration file with the following command:

sudo nano /etc/host.conf

The initial configuration looks like this:

# The "order" line is only used by old versions of the C library.

order hosts,bind

multi on

Change the configuration to this:

# The "order" line is only used by old versions of the C library.

order bind,hosts

nospoof on

Save the file. Voilà! No more IP spoofing.

Conclusion

The configurations above are only some of the enhancements you can make to improve your server security.

Top comments (3)

Rihan

Ubuntu 16.04 is 4 years old and reached EoL. Upgrade to 18.04 or wait for 20.04.

Ayekple Clemence

That is true but some people are still using Ubuntu 16.04.
Also, I have an article on Upgrading from Ubuntu 16.04 to 18.04.

Muhammad Awais

Ubuntu 20.04 released.
Any tips for that?