Today, I stumbled upon a useful script that secures your Ubuntu OS with simple mouse clicks. You don't need to be an experienced Linux administrator to use it. All you need to do is download, extract, and run the script. The script will take care of everything; your job is to click Yes or Cancel. That's it, plain and simple.
The Fan Club team has created a simple GUI script called "Ubuntu Server Secure" (USS for short) that consists of popular GUI security administration tools to harden and audit the security of an Ubuntu Desktop or Server operating system. This script will install and configure all required applications automatically in the background.
This script will do the following 17 tasks automatically on your Ubuntu system:
- Install and Configure UFW firewall;
- Secure shared memory;
- Disable SSH root login and change SSH default port;
- Protect su by limiting access only to admin group;
- Harden network sysctl settings;
- Disable open DNS recursion;
- Prevent IP spoofing;
- Harden PHP;
- Install and configure ModSecurity;
- Protect from DDoS attacks with ModEvasive;
- Install and configure DenyHosts to scan logs and ban suspicious hosts;
- Install and configure PSAD intrusion detection application;
- Check for rootkits using RKHunter;
- Install and configure NMAP to scan open ports;
- Analyze system logs using LogWatch;
- Install and configure SELinux;
- Install and configure Tiger security audit and intrusion tool.
The only caveat of this script is that it needs a GUI, which means you have to install the Unity or GNOME desktop environment on your Ubuntu server. If you are already using Ubuntu desktop, that's fine. Also, the script is pretty old. While going through this script, I found that it was written back in 2012 for Ubuntu 12.04 LTS. It seems the developers abandoned this script at the alpha stage and moved on to their next project. I can't find the latest version of this script anywhere on their site. However, the script still works on the latest Ubuntu 16.04 LTS operating system. If you are a developer, you can analyze the script and update it if it contains any flaws, or report bugs and ideas for improvement to the original developers.
Now, let us secure and harden our Ubuntu system using this script.
Secure Ubuntu using "Ubuntu Server Secure (USS)" script
DISCLAIMER: Use this script with care. Neither I nor the owner of this script is responsible for any kind of damage to your Ubuntu systems. This script is provided purely for alpha testing and can harm your system if used incorrectly. Before using this script in a production environment, test it thoroughly on a test machine. Once you are happy with it, you may use it on your production systems.
This script is created using Zenity, so you need to have it installed on your Ubuntu system to use this script. As you may know, Zenity is pre-installed by default starting from Ubuntu 12.04 LTS. If it is not installed by any chance, you can install it using the apt package manager.
Also, you need to install gksu, a GTK front-end for the su and sudo commands, and wget, a command-line downloader.
To install them, just run the following command from the Terminal:
sudo apt-get install gksu wget
Next, you need to deploy a standard LAMP stack on your system. Refer to the following link to install a LAMP stack on Ubuntu 16.04 LTS.
Download and Install USS
Run the following command from your Terminal window to download this script.
Once you have downloaded it, extract it using the command:
sudo tar -zxvf ubuntu-server-secure.tar.gz
Go to the extracted folder:
Make the script executable with the command:
sudo chmod +x ubuntu-server-secure.sh
Finally, run the following command to start the script.
gksudo sh ubuntu-server-secure.sh
You will see the following screen. Just select the security features you want to implement in your Ubuntu system. I want to deploy all of them, so I checked all features.
From now on, you need to answer a series of Yes or No type questions. Don't worry, all questions are self-explanatory.
First, let us change the default SSH port. Since this is just for demo purposes, I go with the default values. You can change the values to your own liking.
Select Yes to open the new SSH port through UFW firewall.
Select Yes to restart the SSH service for the changes to take effect.
Enter the name for the new admin group:
Enter which current user should be added to the new admin group. Please note that only users added to this group can do administrative tasks using the "su" or "sudo" commands.
Click Yes to restart sysctl with new settings:
Select Yes to restart Apache service after securing PHP:
Next, we need to configure ModSecurity. Enter the value for the page request body limit in bytes. If you are not sure, just leave the default values; they are fine.
Select Yes to restart the Apache2 service with ModSecurity for the changes to take effect.
Enter a valid Email id to receive ModEvasive notifications:
Select Yes to restart Apache2 with ModEvasive:
Enter a valid email id to receive DenyHosts notifications:
Enter Email id to receive PSAD notifications:
Select Yes to run RKHunter check:
Select Yes to run Nmap port scan:
Select Yes to run LogWatch on your system:
Select Yes to check Apparmor status:
Finally, let us run the Tiger intrusion detection tool to audit the security and harden our Ubuntu system:
Click Ok to end the Ubuntu secure script.
Now, we have fixed some common security issues in the Ubuntu system. You can check the complete log file at: /var/log/uss_YYYY-MM-DD.log (replace YYYY-MM-DD with current date).
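Because the script has been unmaintained since 2012, it is worth confirming that the SSH changes actually landed rather than trusting the dialogs. The following check is an added example, not part of USS or of The Fan Club's guide: it reads an sshd_config-style file and verifies the two SSH items from the task list (root login disabled, port moved off 22). The sample files and port 2222 are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of USS: audit an sshd_config-style file.

# Print each global (pre-Match) value of keyword $1 in config file $2.
# Keywords are case-insensitive; "Keyword=value" is also accepted.
sshd_values() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/=/, " ", line)
            if (split(line, f, " ") < 2) next
            k = tolower(f[1])
            if (k == "match") exit          # conditional blocks are not global
            if (k == tolower(key)) print tolower(f[2])
        }' "$2"
}

# Report PASS/FAIL for both checks; exit status is the number of failures.
audit_sshd() {
    cfg=$1; fails=0
    # The first PermitRootLogin line wins, and sshd's built-in default is
    # not "no", so a missing line counts as a failure.
    root=$(sshd_values PermitRootLogin "$cfg" | head -n 1)
    if [ "$root" = "no" ]; then echo "PASS root login disabled"
    else echo "FAIL PermitRootLogin is '${root:-unset}'"; fails=$((fails + 1)); fi
    # Every Port line is used; with no Port line sshd listens on 22.
    ports=$(sshd_values Port "$cfg")
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "FAIL sshd still listens on port 22"; fails=$((fails + 1))
    else echo "PASS sshd port(s):" $ports; fi
    return "$fails"
}

# Constructed sample configs (port 2222 is an arbitrary illustration).
demo() {
    d=$(mktemp -d)
    printf 'Port 2222\nPermitRootLogin no\n' > "$d/hardened"
    printf '#Port 2222\nPermitRootLogin=yes\nMatch User backup\n  PermitRootLogin no\n' > "$d/weak"
    for name in hardened weak; do
        echo "== $name"; audit_sshd "$d/$name" || echo "-> $? check(s) failed"
    done
    rm -rf "$d"
}
demo
```

On a real host, point audit_sshd at /etc/ssh/sshd_config; running "sshd -T" as root prints the effective configuration, including defaults, if you want to cross-check.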
Also, The Fan Club team has published a step-by-step article about securing Ubuntu 16.04 LTS (part 1) on their website. It is an updated guide with some additional security tools for Ubuntu 16.04 LTS. Have a look at this link if you're interested.