Basic Ubuntu Network Hardening

by Stephen Fluin 2010.02.27

Hardening a linux system is something easy to do, and can have a lot of additional security benefits for the paranoid, and for those who might be targets. There are a lot of guides to hardening different parts of the system. I'm going to review the steps I took recently in order to harden one of my desktop computers.

Understand what is open

Before you can harden anything, you need to understand how exposed your currently are. There are a few ways of doing this, and I recommend you try at least a couple. The first way is to use nmap to scan your IP address. You will need to do this from another computer, preferably in your local network. This scan will provide information about all of the ports your computer responded on. The second way I recommend you understand what your system is exposed to is to run the command netsat -atuv. This command will return a list of listening and active connections your computer has.

Review the open ports list

This step will require some knowledge of your system and of networking. Each port typically serves a standardized purpose. This means that you will need port 22 open, for example, if you want to allow incoming ssh connections. You will need port 25 open if you want to run a mail server. You will need port 80 or 443 open if you want to run a web server. Unless you want no remote access on your machine (a valid assumption for some people), you will need to be careful what you disable.

In my default install ports list, I have ssh, smtp, mdns, bootpc, and port 37319 open. You can tell a port is open from netstat, as it will look as follows:

Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN

In this output, the "*:ssh" means that SSH is listening on all network addresses, and that any computer that can connect to mine can open a connection with SSH. THe "localhost:ipp" means that my CUPS printer setup is NOT listening on any address, and that only programs local to my machine can open connections. Localhost servers are generally safe and won't expose your machine to malicious remote users, unless they break your user authentication, or already have a local user.

Secure smtp or Postfix (port 25)

Postfix by default listens to your network and trusts mail reporting that it is coming from your local network. This typically isn't needed, and you can secure postfix to only listen to the local machine for additional security. Open the file /etc/postfix/ find a line containing "inet_interfaces = all", and change it to "inet_interfaces = localhost". You then restart postfix with sudo postfix stop and sudo postfix start. You should check netstat -atuv again to ensure this worked.

Secure mdns (port 5353)

After researching mdns briefly, it seems this is something I wish to keep. This allows computers on the local network to find other computers using friendly names. This means that your computer will auto resolve when using "hostname", rather than always having to rely on your router, or needing to use the IP directly. This is useful to me, and worth the security risk to leave open.

Secure bootpc (port 68)

Bootpc is a part of the standard DHCP system. How DHCP works is that you send out a multicast UDP packet to the network requesting information from any available server. This means that you must also have a process listening for responses. This is a standard part of linux networking. You could remove your DHCP capabilities, but the boopc listener shouldn't be a security risk.

Remember to use a firewall

One of the important things to remember is that you should always use a separate firewall between yourself and the internet, and only use port forwarding for the things you absolutely need to be able to forward. I recommend only forwarding SSH, as you can use SSH to tunnel any other sorts of traffic. I also recommend running SSH on a nonstandard port, as this will reduce the amount of "doorknocking" your computer receives. These security steps are primarily designed to protect you if someone else has gained access to your network, or if there is another compromised machine somewhere behind your firewall.