🟠Using Ubuntu
All about using
Initial hardening
References for some of these steps are at this site. It's pasted here for my convenience.
Encrypt your hard-drive
⚠️⚠️⚠️ THIS IS ONLY DOABLE WHEN YOU INSTALL UBUNTU ⚠️⚠️⚠️
The installer only offers full-disk encryption while it is creating the partitions, so an existing unencrypted install has to be backed up and reinstalled to get it.
On the installation page where you choose the partition layout, opt to erase the disk, then select the "Use LVM..." option and tick the encryption option, which uses Linux Unified Key Setup (LUKS). Pick a long passphrase, and keep in mind what this protects: LUKS guards the data only while the machine is powered off or the volume is locked. Once unlocked, everything on the disk is readable to anyone with access to the running system.
Setup Antivirus
Install and Bootstrap ClamAV
# install the scanner and the signature updater
sudo apt install clamav clamav-freshclam;
# bootstrap the signature database: stop the updater service first so the
# manual run does not fight it over the lock file
sudo systemctl stop clamav-freshclam;
sudo freshclam;
sudo systemctl start clamav-freshclam;
# keep the signature updater running at startup (this only updates
# signatures; the actual scanning is the cron job below)
sudo systemctl enable clamav-freshclam;
Setup ClamAV to run daily
Create the log file:
sudo touch /var/log/clamav/clamscan.log;
Use cron to set up a daily job:
sudo vim /etc/cron.daily/clamav;
Paste in the following contents:
#!/bin/sh
MYLOG=/var/log/clamav/clamscan.log
echo "Scanning for viruses at $(date)" >> "$MYLOG"
# --exclude-dir takes a regex on the directory path; skip the kernel's
# pseudo-filesystems as well as /boot so the scan does not crawl /proc and /sys
clamscan --recursive --infected --max-filesize=100M --max-scansize=100M \
    --exclude-dir='^/(boot|proc|sys|dev|run)' / >> "$MYLOG" 2>&1
Make the script executable, otherwise run-parts silently skips it and the scan never runs:
sudo chmod 755 /etc/cron.daily/clamav;
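The cron job above writes to a log that nothing reads, so an infection would sit in /var/log/clamav/clamscan.log until someone happened to look. The following POSIX shell script is an added example, not part of the original page: it parses that log and turns the last run into an exit status a monitoring job or login script can act on. The sample log it writes is constructed (the path and the EICAR signature name are illustrative, not real scan output).

```shell
#!/bin/sh
# Added example, not part of the original page: read the log that the
# /etc/cron.daily/clamav job appends to and turn it into a pass/fail result.
#
# Each run writes a "Scanning for viruses at <date>" header, then clamscan's
# output, which lists one "<path>: <signature> FOUND" line per hit and ends
# with a summary block containing "Infected files: N".

# Print the "Infected files" count from the most recent completed scan, or
# "none" when the log holds no summary (clamscan never finished a run).
last_infected_count() {
    awk '/^Infected files:/ { n = $3 } END { print (n == "" ? "none" : n) }' "$1"
}

# Print the FOUND lines of the most recent run only, i.e. everything after
# the last "Scanning for viruses" header.
last_found_files() {
    start=$(grep -n '^Scanning for viruses at' "$1" | tail -n 1 | cut -d: -f1)
    [ -n "$start" ] || start=1
    tail -n "+$start" "$1" | grep ' FOUND$' || true
}

# Return 0 when the last scan completed clean, 1 when it reported infected
# files (listing them on stderr), 2 when no completed scan is in the log.
check_clamscan_log() {
    count=$(last_infected_count "$1")
    case "$count" in
        none) echo "$1: no completed scan found" >&2; return 2 ;;
        0)    return 0 ;;
        *)    echo "$1: $count infected file(s) in last scan:" >&2
              last_found_files "$1" >&2
              return 1 ;;
    esac
}

# Constructed sample log (not real scan output): a clean run followed by a
# run that flagged one EICAR test file. Written to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Scanning for viruses at Mon 01 Jan 2024 03:00:00 UTC

----------- SCAN SUMMARY -----------
Known viruses: 8700000
Scanned files: 24000
Infected files: 0
Time: 300.000 sec (5 m 0 s)
Scanning for viruses at Tue 02 Jan 2024 03:00:00 UTC
/home/alice/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8700000
Scanned files: 24001
Infected files: 1
Time: 301.000 sec (5 m 1 s)
EOF
}

# Usage: ./clamscan-check.sh /var/log/clamav/clamscan.log
if [ "$#" -gt 0 ]; then
    check_clamscan_log "$1"
fi
```

Exit status 2 is deliberately distinct from 1: a log with no summary block means the scan itself is broken (crashed, killed by a timeout, or the cron file is not executable), which is worth knowing about separately from a clean result.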
Setup Firewall
Confirm that `ufw` is installed
ufw --version;
Setup base rules for `ufw`
sudo ufw default deny incoming;
# common services: the default policy above already blocks these, but explicit
# deny rules survive a later change of the default. Skip the ssh line if you
# administer this machine over SSH, or you will lock yourself out.
sudo ufw deny ssh;
sudo ufw deny ftp;
sudo ufw deny smtp;
sudo ufw deny cups;
sudo ufw deny 69;
sudo ufw deny 514;
# samba
sudo ufw deny 137;
sudo ufw deny 138;
sudo ufw deny 139;
sudo ufw deny 445;
Enable `ufw`
If not already done, enable ufw:
sudo ufw enable;
Enable `ufw` to run at startup
`ufw enable` already marks the firewall to start at boot on Ubuntu; enabling the unit explicitly is harmless and makes the intent visible:
sudo systemctl enable ufw;
Secure `sysctl`
# make an archive of the configuration file
sudo cp --archive /etc/sysctl.conf /etc/sysctl.conf-COPY-$(date +"%Y%m%d%H%M%S");
# edit the configuration file
sudo vim /etc/sysctl.conf;
Append the following to the end of the file (the stock file is mostly comments, so nothing needs replacing):
# IP spoofing protection: drop packets whose source address is not routable
# back through the interface they arrived on (reverse path filtering)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source-routed packets, which let the sender dictate the path
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Mitigate SYN floods: SYN cookies only kick in once the backlog fills
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log packets with impossible source addresses (martians) and ignore
# bogus ICMP error responses
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Neither send nor accept ICMP redirects, which can rewrite the routing table
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore all ICMP echo requests. This hides the host from ping but also from
# legitimate network diagnostics; drop this line if the machine must answer ping.
net.ipv4.icmp_echo_ignore_all = 1
Finally, apply the new values to the running kernel (the file is also loaded at every boot):
sudo sysctl -p;
Secure `/proc`
Make a backup of the configuration file and then open it:
sudo cp --preserve /etc/fstab /etc/fstab-COPY-$(date +"%Y%m%d%H%M%S");
sudo vim /etc/fstab;
Paste the following line at the end of the file:
proc /proc proc defaults,hidepid=2 0 0
With hidepid=2 unprivileged users see only their own processes in /proc; root still sees everything. If a monitoring agent running as a non-root user needs the full view, put it in a group and exempt that group with the gid= mount option rather than dropping hidepid.
Reload the configuration by remounting /proc:
sudo mount -o remount,hidepid=2 /proc;
Secure the kernel
Backup the configuration file:
sudo cp --archive /etc/modprobe.d/blacklist.conf /etc/modprobe.d/blacklist.conf-COPY-$(date +"%Y%m%d%H%M%S")
Open the configuration file:
sudo vim /etc/modprobe.d/blacklist.conf
Add the following lines at the end:
# Filesystems that are rarely needed on a desktop. The "install" directive
# makes modprobe run /bin/false instead of loading the module, so any attempt
# to auto-load it (for example by plugging in a crafted USB stick) fails.
# This does not unload a module that is already loaded. udf is the DVD
# filesystem; drop that line if you read optical media.
install cramfs /bin/false
install freevxfs /bin/false
install hfs /bin/false
install hfsplus /bin/false
install jffs2 /bin/false
install udf /bin/false
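The sysctl and modprobe sections above both edit configuration files, but neither shows how to confirm the running kernel actually picked the settings up, and a later package or script can quietly flip a knob back. The following POSIX shell script is an added example, not part of the original page: it compares the live values under /proc/sys with the sysctl fragment above and checks that every module in the blacklist has an install line in /etc/modprobe.d. The make_fixture function and the drift it builds are constructed for offline testing; on a real system run it with --live.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the running kernel
# against the sysctl values and module blocks configured above. Editing
# /etc/sysctl.conf only sets what is loaded at boot or by `sysctl -p`; this
# reads the live values from /proc/sys, so drift shows up.

# Desired sysctl values, "key value" per line, from the fragment above.
WANTED_SYSCTL='
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv6.conf.default.accept_source_route 0
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 2048
net.ipv4.tcp_synack_retries 2
net.ipv4.tcp_syn_retries 5
net.ipv4.conf.all.log_martians 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
net.ipv4.icmp_echo_ignore_all 1
'

# Modules the /etc/modprobe.d/blacklist.conf lines above refuse to load.
WANTED_BLOCKED='cramfs freevxfs hfs hfsplus jffs2 udf'

# Print "key: want=X have=Y" for every sysctl whose live value differs.
# $1 is the sysctl tree root (default /proc/sys); another root lets the
# check run against a constructed tree.
sysctl_drift() {
    root=${1:-/proc/sys}
    printf '%s\n' "$WANTED_SYSCTL" | while read -r key want; do
        [ -n "$key" ] || continue
        have=$(cat "$root/$(printf '%s' "$key" | tr . /)" 2>/dev/null || echo missing)
        [ "$have" = "$want" ] || echo "$key: want=$want have=$have"
    done
}

# Print each module lacking an "install <mod> /bin/false" (or /bin/true)
# line in any *.conf under $1 (default /etc/modprobe.d).
unblocked_modules() {
    dir=${1:-/etc/modprobe.d}
    for mod in $WANTED_BLOCKED; do
        grep -qsE "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)\$" "$dir"/*.conf \
            || echo "$mod"
    done
}

# Run both checks. Returns 0 only when nothing drifted; otherwise prints the
# findings on stderr and returns 1.
audit_kernel_hardening() {
    findings=$(sysctl_drift "$1"; unblocked_modules "$2")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" >&2
    return 1
}

# Constructed fixture for exercising the checks offline: a fake sysctl tree
# and modprobe.d under $1 with one deliberate drift (icmp_echo_ignore_all
# left at its default 0) and one module (udf) missing its install line.
make_fixture() {
    base=$1
    printf '%s\n' "$WANTED_SYSCTL" | while read -r key want; do
        [ -n "$key" ] || continue
        f="$base/sys/$(printf '%s' "$key" | tr . /)"
        mkdir -p "$(dirname "$f")"
        printf '%s\n' "$want" > "$f"
    done
    printf '0\n' > "$base/sys/net/ipv4/icmp_echo_ignore_all"
    mkdir -p "$base/modprobe.d"
    for mod in cramfs freevxfs hfs hfsplus jffs2; do
        echo "install $mod /bin/false"
    done > "$base/modprobe.d/blacklist.conf"
}

# Usage: ./kernel-audit.sh --live   (reads /proc/sys and /etc/modprobe.d)
if [ "${1:-}" = "--live" ]; then
    audit_kernel_hardening
fi
```

A value of "missing" for an ipv6 key usually means IPv6 is disabled on the box, which is fine; a "missing" ipv4 key means a typo in the fragment, because /proc/sys exposes every knob the kernel knows about.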
Add some blocklists to `/etc/hosts` if you want
Check out the repository at https://github.com/jmdugan/blocklists and copy the blocklists you want into your `/etc/hosts` file.