Ubuntu Server Secure – A script to secure and harden Ubuntu

Today, I stumbled upon a useful script that secures your Ubuntu OS with a few simple mouse clicks. You don’t need to be an experienced Linux administrator to use it. All you need to do is download, extract, and run the script, and it will take care of everything. Your job is to click YES or Cancel. That’s it, plain and simple. The Fan Club team has created a simple GUI script called “Ubuntu Server Secure” (USS for short), which consists of popular GUI security administration tools to harden and audit the security of an Ubuntu Desktop or Server operating system. The script installs and configures all required applications automatically in the background.

This script will do the following 17 tasks automatically on your Ubuntu system:

  1. Install and Configure UFW firewall;
  2. Secure shared memory;
  3. Disable SSH root login and change SSH default port;
  4. Protect su by limiting access only to admin group;
  5. Harden network sysctl settings;
  6. Disable OpenDNS recursion;
  7. Prevent IP spoofing;
  8. Harden PHP;
  9. Install and configure ModSecurity;
  10. Protect from DDoS attacks with ModEvasive;
  11. Install and configure DenyHosts to scan logs and ban suspicious hosts;
  12. Install and configure PSAD intrusion detection application;
  13. Check for rootkits using RKHunter;
  14. Install and configure NMAP to scan open ports;
  15. Analyze system logs using LogWatch;
  16. Install and configure SELinux;
  17. Install and configure Tiger security audit and intrusion tool.

The only caveat is that this script needs a GUI, which means you have to install the Unity or GNOME desktop environment on your Ubuntu server. If you are already using Ubuntu desktop, that’s fine. The script is also pretty old. While going through it, I found that it was written back in 2012 for Ubuntu 12.04 LTS. It seems the developers abandoned it at the alpha stage and moved on to their next project; I can’t find a later version anywhere on their site. However, the script still works on the latest Ubuntu 16.04 LTS operating system. If you are a developer, you can analyze the script and update it if it contains any flaws, or report bugs and ideas for improvement to the original developers.

Now, let us secure and harden our Ubuntu system using this script.

Secure Ubuntu using “Ubuntu Server Secure (USS)” script

DISCLAIMER: Use this script with care. Neither I nor the owner of this script is responsible for any kind of damage to your Ubuntu systems. This script is provided purely for alpha testing and can harm your system if used incorrectly. Before using this script in a production environment, test it thoroughly on a test machine. Once you are happy with it, you may use it on your production systems.

Requirements:

This script is created using Zenity, so you need it installed on your Ubuntu system. As you may know, Zenity is pre-installed by default starting from Ubuntu 12.04 LTS. If it is not installed for any reason, you can install it using the apt package manager.

You also need to install gksu, a GTK front-end for the su and sudo commands, and wget, a command-line downloader.

To install them, just run the following command from the Terminal:

sudo apt-get install gksu wget

Next, you need to deploy a standard LAMP stack on your system. Refer to the following link to install the LAMP stack in Ubuntu 16.04 LTS.

Download and Install USS

Run the following command from your Terminal window to download this script.

wget https://www.thefanclub.co.za/sites/default/files/public/downloads/ubuntu-server-secure.tar.gz

Once downloaded, extract it using the command:

sudo tar -zxvf ubuntu-server-secure.tar.gz

Go to the extracted folder:

cd ubuntu-server-secure

Make the script executable with the command:

sudo chmod +x ubuntu-server-secure.sh

Finally, run the following command to start the script.

gksudo sh ubuntu-server-secure.sh

You will see the following screen. Just select the security features you want to implement in your Ubuntu system. I want to deploy all of them, so I checked all features.

From now on, you need to answer a series of Yes or No type questions. Don’t worry, all questions are self-explanatory.

First, let us change the default SSH port. Since this is just for demo purposes, I go with the default values. You can change the values to your own liking.

Select Yes to open the new SSH port through UFW firewall.

Select Yes to restart the SSH service for the changes to take effect.

Enter the name for the new admin group:

Enter which current user should be added to the new admin group. Please note that only users added to this group can do administrative tasks using the “su” or “sudo” commands.

Click Yes to restart sysctl with new settings:

Select Yes to restart Apache service after securing PHP:

Next, we need to configure ModSecurity. Enter the value for the page request body limit in bytes. If you are not sure, just leave the default value; it works fine.

Select Yes to restart the Apache2 service with ModSecurity for the changes to take effect.

Enter a valid Email id to receive ModEvasive notifications:

Select Yes to restart Apache2 with ModEvasive:

Enter a valid email id to receive DenyHosts notifications:

Enter Email id to receive PSAD notifications:

Select Yes to run RKHunter check:

Select Yes to run Nmap port scan:

Select Yes to run LogWatch on your system:

Select Yes to check Apparmor status:

Finally, let us run the Tiger intrusion detection tool to audit the security and harden our Ubuntu system.

Click Ok to end the Ubuntu secure script.

Now, we have fixed some common security issues in the Ubuntu system. You can check the complete log file at: /var/log/uss_YYYY-MM-DD.log (replace YYYY-MM-DD with current date).
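
The result can also be checked directly from a terminal, without the GUI. The following is an added example, not part of USS or of the original article: a read-only shell audit of three items from the task list (SSH root login and port, shared memory mount options, and reverse-path filtering against IP spoofing). The expected values are common hardening settings assumed here, since the article does not show what USS writes, and all function names are hypothetical.

```sh
#!/bin/sh
# Added example: read-only audit of three hardening items from the task list.
# Expected values are common hardening choices (an assumption), not read from USS.

conf_value() {  # $1=file $2=keyword; sshd uses the first value it finds
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

sysctl_value() {  # $1=file $2=key; "key = value" lines, last assignment wins
    awk -F= -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/[ \t]/, "", v) } END { print v }' "$1"
}

check_ssh() {  # $1=sshd_config
    root=$(conf_value "$1" PermitRootLogin); port=$(conf_value "$1" Port)
    [ "$root" = "no" ] || { echo "FAIL ssh: PermitRootLogin=${root:-unset}"; return 1; }
    [ -n "$port" ] && [ "$port" != 22 ] || { echo "FAIL ssh: still on port 22"; return 1; }
    echo "OK ssh: root login off, port $port"
}

check_shm() {  # $1=fstab; shared memory should be mounted noexec,nosuid
    opts=$(awk '$1 !~ /^#/ && ($2 == "/run/shm" || $2 == "/dev/shm") { print $4; exit }' "$1")
    for want in noexec nosuid; do
        case ",$opts," in *",$want,"*) ;; *) echo "FAIL shm: $want missing"; return 1 ;; esac
    done
    echo "OK shm: $opts"
}

check_rp_filter() {  # $1=sysctl.conf; reverse-path filtering drops spoofed sources
    for key in net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter; do
        [ "$(sysctl_value "$1" "$key")" = 1 ] || { echo "FAIL sysctl: $key != 1"; return 1; }
    done
    echo "OK sysctl: rp_filter enabled"
}

audit() {  # $1=root prefix ("" for the live system); returns the number of failures
    fails=0
    check_ssh "$1/etc/ssh/sshd_config" || fails=$((fails + 1))
    check_shm "$1/etc/fstab" || fails=$((fails + 1))
    check_rp_filter "$1/etc/sysctl.conf" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample tree so the example runs offline.
demo=$(mktemp -d); mkdir -p "$demo/etc/ssh"
printf 'Port 2222\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/etc/ssh/sshd_config"
printf 'tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0\n' > "$demo/etc/fstab"
printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter=1\n' > "$demo/etc/sysctl.conf"
audit "$demo"
```

On a real machine, call audit "" to read the files under /etc. Drop-in files under /etc/sysctl.d and sshd Match blocks are not considered by this check.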

Also, the Fan Club team has published a step-by-step article about securing Ubuntu 16.04 LTS (part 1) on their website. It is an updated guide with some additional security tools for Ubuntu 16.04 LTS. Have a look at this link if you’re interested.

That’s all for now, folks. Have you tried this script? Let me know what you think about it in the comment section below. I will be here with another interesting article soon. Until then, stay tuned with OSTechNix.

Cheers!

  • LHammonds

    I’m gonna have to pass on this one even before digging into the script. Why? We are talking about securing a “server” and the 1st requirement of this “script” is to install a GUI desktop….on…a…server. Does anyone else here see a problem with that? The GUI itself adds a huge attack surface which typically never exists on a server in the 1st place. Not sure why author didn’t just script an ASCII menu with something like “dialog.” Curiosity might get me to look at what it is trying to do but I’ll never run this script.

  • Tibor Sekelj

    DO NOT USE THIS SCRIPT AND DESCRIPTION ABOVE. Installing graphic interface on server is a serious rookie mistake. (as others pointed out: it adds more unnecessary software to your server and opens up potential holes in your security)

  • UltraSec 2010

    Can we get an Ubuntu server version of this script cos there is no way I am going to pull up a GUI desktop on my server.

    • SK

      I’m afraid there is no such script. Maybe you should contact the developer.