Hardening Ubuntu 24.04 – Cygne Noir's

Introduction

Hardening Ubuntu 24.04 bertujuan untuk memperkuat sistem dengan menerapkan praktik terbaik keamanan (security best practices) agar node lebih tahan terhadap eksploitasi, serangan jaringan, maupun eskalasi hak akses.

Dengan penerapan langkah-langkah ini, setiap server akan memiliki tingkat keamanan yang lebih baik, mengurangi risiko kompromi, dan meningkatkan keandalan keseluruhan infrastruktur.

System Configuration

1. Update Patch

Pastikan kita menggunakan timezone yang sesuai lokasi

sudo timedatectl set-timezone Asia/Jakarta

sudo timedatectl set-timezone Asia/Jakarta

Pastikan semua paket sudah up-to-date

sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y

sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y

Mengaktifkan auto security update

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

2. User, SSH & Access Control

1.) Create user admin dan grant akses ke root menggunakan sudo

adduser user-admin
usermod -aG sudo user-admin

adduser user-admin
usermod -aG sudo user-admin

2.) Merubah default port ssh dengan menggunakan port non-standart

sudo sed -i 's/^#Port.*/Port 22122/' /etc/ssh/sshd_config

sudo sed -i 's/^#Port.*/Port 22122/' /etc/ssh/sshd_config

3.) Nonaktifkan login root via SSH pada

sudo sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config

sudo sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config

4.) Gunakan key-based authentication, bukan password: Check pada postingan dibawah

Setup SSH Login Using Key Based on Ubuntu 24.04

5.) Batasi akses SSH, menambahkan network yang akan diallow dan deny all

sudo sed -i '$ a sshd: 192.168.1.0/24' /etc/hosts.allow
sudo sed -i '$ a sshd: ALL' /etc/hosts.deny

sudo sed -i '$ a sshd: 192.168.1.0/24' /etc/hosts.allow
sudo sed -i '$ a sshd: ALL' /etc/hosts.deny

3. Network & Firewall

1.) Aktifkan firewall UFW dan buka port sesuai kebutuhan

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22122/tcp
sudo ufw enable

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22122/tcp
sudo ufw enable

2.) Disable IPv6 jika tidak digunakan

echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

4. Kernel & System Hardening

1.) Tambahkan parameter berikut ke /etc/sysctl.d/99-hardening.conf

sudo tee /etc/sysctl.d/99-hardening.conf << EOF
# Disable IP forwarding
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable SYN cookies
net.ipv4.tcp_syncookies = 1

# Disable kernel magic sysrq
kernel.sysrq = 0

# Hide kernel pointers
kernel.kptr_restrict = 2
EOF

sudo tee /etc/sysctl.d/99-hardening.conf << EOF
# Disable IP forwarding
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable SYN cookies
net.ipv4.tcp_syncookies = 1

# Disable kernel magic sysrq
kernel.sysrq = 0

# Hide kernel pointers
kernel.kptr_restrict = 2
EOF

2.) Kemudian aktifkan

sudo sysctl --system

sudo sysctl --system

5. Service Management

1.) Disable service yang tidak digunakan

sudo systemctl disable --now fwupd.service
sudo systemctl disable --now ModemManager.service
sudo systemctl disable --now udisks2.service
sudo systemctl disable --now upower.service

sudo systemctl disable --now fwupd.service
sudo systemctl disable --now ModemManager.service
sudo systemctl disable --now udisks2.service
sudo systemctl disable --now upower.service

6. Useful Tools for Security

a.) Fail2ban

1.) Install Fail2ban

sudo apt install fail2ban -y

sudo apt install fail2ban -y

2.) Konfigurasi fail2ban

sudo tee /etc/fail2ban/jail.local <<EOF
[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 30m
findtime = 10m
EOF

sudo tee /etc/fail2ban/jail.local <<EOF
[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 30m
findtime = 10m
EOF

3.) Restart service fail2ban

sudo systemctl restart fail2ban

sudo systemctl restart fail2ban

b.) Libpam-tmpdir

sudo apt install libpam-tmpdir

sudo apt install libpam-tmpdir

c.) PAM Password strength tools

1.) Install libpam-pwquality

sudo apt install libpam-pwquality

sudo apt install libpam-pwquality

2.) Ubah pwquality

sudo sed -i 's|^password\s\+requisite\s\+pam_pwquality\.so.*|password requisite pam_pwquality.so retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1|' /etc/pam.d/common-password

sudo sed -i 's|^password\s\+requisite\s\+pam_pwquality\.so.*|password requisite pam_pwquality.so retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1|' /etc/pam.d/common-password

d.) Malware security (chkrootkit)

sudo apt install chkrootkit

sudo apt install chkrootkit

7. Auditing & Logging

1.) Install auditd

sudo apt install auditd audispd-plugins -y
sudo systemctl enable auditd

sudo apt install auditd audispd-plugins -y
sudo systemctl enable auditd

2.) Menambahkan rules auditd dengan file /etc/audit/rules.d/hardening.rules

sudo tee /etc/audit/rules.d/hardening.rules << EOF
-w /etc/passwd -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
-w /etc/sudoers -p wa -k sudoers
-w /etc/ssh/sshd_config -p wa -k ssh_config
EOF

sudo tee /etc/audit/rules.d/hardening.rules << EOF
-w /etc/passwd -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
-w /etc/sudoers -p wa -k sudoers
-w /etc/ssh/sshd_config -p wa -k ssh_config
EOF

3.) restart service

sudo systemctl restart auditd

sudo systemctl restart auditd

4.) Check audit rules dan cek logs berdasarkan rules

sudo auditctl -l
sudo ausearch -k ssh_config | aureport -f -i

sudo auditctl -l
sudo ausearch -k ssh_config | aureport -f -i

Untuk logging secara default ubuntu 24.04 sudah terinstall rsyslog. Lebih direkomendasikan jika untuk log terintegrasi dengan Centralized Log Server seperti ELK Stack, Loki, maupun SIEM.

8. Filesystem & Storage Security

Gunakan filesystem dengan journaling (ext4/xfs). Aktifkan noexec,nodev,nosuid di /tmp dengan menambahkan di /etc/fstab.

sudo tee -a /etc/fstab << EOF
tmpfs /tmp tmpfs defaults,noexec,nodev,nosuid 0 0
EOF

sudo tee -a /etc/fstab << EOF
tmpfs /tmp tmpfs defaults,noexec,nodev,nosuid 0 0
EOF

9. Optional: Security Scanning & Benchmarking

Install lynis untuk scanning security kemudian jalankan audit system

sudo apt install lynis -y
sudo lynis audit system

sudo apt install lynis -y
sudo lynis audit system

Nanti ada beberapa saran dari hasil scan audit. Kita bisa mengabaikan saran yang sekiranya memang tidak bisa dikerjakan.

10. Reboot server

sudo reboot

sudo reboot

Post Views: 127