
Iptables Firewall Recommended Configuration on Ubuntu Linux


Iptables is a firewall utility that uses policy chains to allow or block traffic. It configures the IPv4 tables, chains and rules provided by the Linux kernel firewall.

Some key things to consider:

1. Installation:

apt install iptables
apt install iptables-persistent

2. Verify if iptables is enabled and see the firewall rules:

iptables -L -n -v

3. Flush iptables rules

iptables -F

4. When working remotely, allow incoming SSH (port 22) connections first, so that the session you are working from survives the default-deny policy set in step 9:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

5. Running iptables alongside ufw or nftables can cause conflicts, so it is recommended to remove the other two:

apt purge nftables

apt purge ufw

ufw disable

6. The loopback interface is allowed to accept traffic. Packets arriving on any other interface with a source address from the loopback network should be dropped:

IPv4: 127.0.0.0/8

Apply the rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP

7. Outbound connections are allowed on all interfaces. Also allow the replies to established connections back in:

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT

8. Allow only open ports that are needed

There are a few ways to verify open or listening ports, e.g. using the "ss" command.

Sample Output:

root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*

Syntax to allow open ports:

iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT

9. Default deny should be configured

The concept is to allow the needed ports or hosts first; the default policy then drops all remaining traffic:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
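Applied one command at a time, the nine steps above leave a window in which the DROP policy is in place before the accept rules (or the reverse). As an added example, not part of the original post, here is a POSIX shell function that emits the same ruleset in iptables-restore format, which is the /etc/iptables/rules.v4 file that the iptables-persistent package loads at boot. The list of TCP ports to open and the function names are assumptions of the example.

```shell
# Emit the recommended IPv4 ruleset in iptables-restore format.
# Arguments: TCP ports to open for NEW connections (22 must be among them
# when the host is administered over SSH).
gen_rules_v4() {
    # Policies first. iptables-restore applies the whole file atomically, so
    # the host is never left with a DROP policy and no accept rules, which is
    # the lock-out risk of running the -A/-P commands one by one.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Step 6: accept loopback, drop 127/8 sources on every other interface.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -s 127.0.0.0/8 -j DROP'
    # Step 7: outbound allowed, replies to established connections allowed in.
    for proto in tcp udp icmp; do
        printf '%s\n' "-A INPUT -p $proto -m state --state ESTABLISHED -j ACCEPT"
        printf '%s\n' "-A OUTPUT -p $proto -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # Step 8: open only the listening ports that are actually needed.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Checks worth running before loading the file: SSH is opened, and the lo
# ACCEPT rule precedes the 127/8 DROP (iptables evaluates rules in order).
check_rules_v4() {
    rules=$(gen_rules_v4 "$@")
    echo "$rules" | grep -q -- '--dport 22 ' || return 1
    lo_line=$(echo "$rules" | grep -n -- '-i lo -j ACCEPT' | cut -d: -f1)
    drop_line=$(echo "$rules" | grep -n -- '-s 127.0.0.0/8 -j DROP' | cut -d: -f1)
    [ "$lo_line" -lt "$drop_line" ]
}

# Usage (as root):
#   check_rules_v4 22 443 && gen_rules_v4 22 443 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Running `gen_rules_v4 22 443 | iptables-restore --test` first lets iptables parse the file without committing it; once the file is in /etc/iptables/rules.v4, iptables-persistent reapplies it at every boot, so the flush in step 3 no longer leaves the host unprotected after a restart.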


The post Iptables Firewall Recommended Configuration on Ubuntu Linux first appeared on Free Linux Tutorials.


Ip6tables Firewall Recommended Configuration on Ubuntu Linux


Ip6tables is a firewall utility that uses policy chains to allow or block traffic. It configures the IPv6 tables, chains and rules provided by the Linux kernel firewall.

Some key things to consider:

1. Installation (the iptables package also provides ip6tables):

apt install iptables
apt install iptables-persistent

2. Verify if ip6tables is enabled and see the firewall rules:

ip6tables -L -n -v

3. Flush ip6tables rules

ip6tables -F

4. When working remotely, allow incoming SSH (port 22) connections first, so that the session you are working from survives the default-deny policy set in step 9:

ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

5. Running ip6tables alongside ufw or nftables can cause conflicts, so it is recommended to remove the other two:

apt purge nftables

apt purge ufw

ufw disable

6. The loopback interface is allowed to accept traffic. Packets arriving on any other interface with the loopback address as source should be dropped:

IPv6: ::1/128

Apply the rules:

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP

7. Outbound connections are allowed on all interfaces. Also allow the replies to established connections back in:

ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT

8. Allow only open ports that are needed

There are a few ways to verify open or listening ports, e.g. using the "ss" command.

Sample Output:

root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*

Execute this command to see the firewall rules

ip6tables -L INPUT -v -n

Syntax to allow open ports:

ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT

9. Default deny should be configured

The concept is to allow the needed ports or hosts first; the default policy then drops all remaining traffic:

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP


Nftables Recommended Configuration on Ubuntu Linux


Nftables is the replacement for iptables, ebtables and arptables. It is a subsystem of the Linux kernel that provides filtering and classification of network packets, datagrams and frames.

Some key things to consider:

1. Installation:

apt install nftables

2. Enable nftables so that it starts at boot:

systemctl enable nftables

3. Flush all the rules

nft flush ruleset

4. When working remotely, add a rule allowing incoming SSH (port 22) before the drop policy is set in step 9. The rule can only be added once the table and the input base chain created below exist:

nft add rule inet filter input tcp dport ssh accept

A chain is the container for rules and must exist before rules are added to it. There are two types:
a. base chains - the entry point for packets from the networking stack
b. regular chains - can be used as a jump target, for better organisation of the rules.

Syntax for creating base chains:

nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \; }

Config (the table must be created before its chains):

nft add table inet filter
nft create chain inet filter input { type filter hook input priority 0 \; }
nft create chain inet filter forward { type filter hook forward priority 0 \; }
nft create chain inet filter output { type filter hook output priority 0 \; }

5. Running nftables alongside ufw can cause conflicts, so it is recommended to remove ufw:

apt purge ufw

ufw disable

6. The loopback interface is allowed to accept traffic. Packets arriving on any other interface with a source address from the loopback network should be dropped:

IPv4: 127.0.0.0/8
IPv6: ::1

Apply the rules:

nft add rule inet filter input iif lo accept
nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop
nft add rule inet filter input ip6 saddr ::1 counter drop

7. Outbound connections are allowed on all interfaces. Also allow the replies to established connections back in. In an inet table, match the transport protocol with meta l4proto so that both IPv4 and IPv6 packets are covered (ip protocol only inspects the IPv4 header):

nft add rule inet filter input meta l4proto tcp ct state established accept
nft add rule inet filter input meta l4proto udp ct state established accept
nft add rule inet filter input meta l4proto icmp ct state established accept
nft add rule inet filter output meta l4proto tcp ct state new,related,established accept
nft add rule inet filter output meta l4proto udp ct state new,related,established accept
nft add rule inet filter output meta l4proto icmp ct state new,related,established accept

8. Allow only open ports that are needed

There are a few ways to verify open or listening ports, e.g. using the "ss" command.

Sample Output:

root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*

Syntax to allow open ports:

nft add rule [<family>] <table> <chain> <matches> <statements>

9. Default deny should be configured

The concept is to allow the needed ports or hosts first and then set the chain policy to drop, so that all remaining traffic is dropped:

nft add chain inet filter input { policy drop \; }
nft add chain inet filter forward { policy drop \; }
nft add chain inet filter output { policy drop \; }

Here's a sample /etc/nftables.conf file that puts the steps above together:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic
        iif "lo" accept
        ip saddr 127.0.0.0/8 counter drop
        ip6 saddr ::1 counter drop

        # Replies to established connections
        meta l4proto tcp ct state established,related accept
        meta l4proto udp ct state established,related accept
        meta l4proto icmp ct state established,related accept

        # Allow SSH, HTTP, HTTPS traffic from all
        tcp dport { 22, 80, 443 } ct state new accept
    }

    # Base chain for hook forward
    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # Base chain for hook output: outbound connections are allowed
    chain output {
        type filter hook output priority 0; policy drop;
        meta l4proto tcp ct state new,related,established accept
        meta l4proto udp ct state new,related,established accept
        meta l4proto icmp ct state new,related,established accept
    }
}


Top 15 Services to Remove for Securing Redhat or CentOS Linux


As part of best security practices, it is recommended to disable all services that are not required for normal operation, to prevent the exploitation of vulnerabilities in these services on Red Hat Enterprise Linux (RHEL) or CentOS Linux.

The following services should be audited and, where not needed, uninstalled or removed to reduce the number of possible threats.

1. Internet Service Daemon (inetd) / eXtended Internet Daemon (xinetd)
- a super-server daemon that provides Internet services. xinetd replaced the original inetd and listens on behalf of well-known services.

Command to check if xinetd is installed or not:

rpm -q xinetd

Recommendation: remove the package(s) to reduce the attack surface

dnf remove xinetd


2. X Window System

- provides the Graphical User Interface (GUI) that lets users log in graphically and interact with a mouse and keyboard.

Command to check if X Windows System is installed or not:

rpm -qa xorg-x11*

Recommendation: remove the package(s) to reduce the attack surface

yum remove xorg-x11*
dnf remove xorg-x11*

3. Common Unix Printing System (CUPS)
- enables a system to function as a print server

Command to check if CUPS is installed or not:

rpm -qa cups

Recommendation: remove the package(s) if the system does not act as a print server, to reduce the attack surface

systemctl disable cups
yum remove cups
dnf remove cups

4. Avahi Server
- a system that facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. It is a free zeroconf implementation that allows programs to discover and publish services or hosts running on a local network with no specific configuration.


Command to check if the Avahi server is installed or not (the daemon ships in the avahi package):

rpm -qa avahi

Recommendation: remove the package(s)

systemctl disable avahi-daemon
yum remove avahi
dnf remove avahi

5. Lightweight Directory Access Protocol (LDAP) Server
- an open, cross-platform protocol used for directory services and authentication.

Command to check if the LDAP server is installed or not (the slapd daemon ships in the openldap-servers package):

rpm -qa openldap-servers

Recommendation: remove the package if the system is not acting as the LDAP server, to reduce the attack surface.

systemctl disable slapd
yum remove openldap-servers
dnf remove openldap-servers

6. Network File System (NFS)
- a distributed file system protocol that lets users access remote data and files, and retrieve data from multiple directories and disks across a shared network

Command to check if NFS is installed or not (the server ships in the nfs-utils package):

rpm -qa nfs-utils

Recommendation: remove the package if the system is not acting as the NFS server, to reduce the attack surface. There are a few ways to do this (the chkconfig lines apply to older SysV-init releases):

systemctl disable nfs-server
systemctl disable rpcbind
chkconfig portmap off
chkconfig nfs off
dnf remove nfs-utils
yum remove nfs-utils

7. File Transfer Protocol (FTP) Server
- a network protocol for transferring files between computers.

Command to check if an FTP server is installed or not (the default package is vsftpd):

rpm -qa vsftpd

Recommendation: remove the package if the system is not acting as the FTP server, to reduce the attack surface.

systemctl disable vsftpd
dnf remove vsftpd
yum remove vsftpd

8. Samba Server
- allows system administrators to share file systems and directories with Windows desktops via the Server Message Block (SMB) protocol.

Command to check if Samba is installed or not:

rpm -qa samba

Recommendation: remove the package if the system is not acting as the Samba (SMB) file server, to reduce the attack surface.

systemctl disable smb nmb
yum remove samba
dnf remove samba

9. Network Information Service (NIS)
- a client-server directory service protocol used for distributing system configuration files. It was formerly known as Yellow Pages.

Command to check if NIS is installed or not:

rpm -qa ypserv

Recommendation: remove the package, as NIS is an insecure system that has been vulnerable to attacks like DoS and buffer overflows, and has poor authentication when querying NIS maps.

systemctl disable ypserv
yum remove ypserv
dnf remove ypserv

10. HTTP Proxy Server
- a server application that acts as an intermediary for client requests seeking resources from servers. It can cache data to speed up common HTTP requests. The standard proxy server used in many distributions is Squid.

Command to check if Squid is installed or not:

rpm -qa squid

Recommendation: remove the package if the server does not act as the HTTP proxy server, to reduce potential attacks

systemctl disable squid
yum remove squid
dnf remove squid

11. SNMP Server
- SNMP is a network-management protocol used to monitor network devices and collect statistics and performance data.

Command to check if the SNMP server is installed or not (the snmpd daemon ships in the net-snmp package):

rpm -qa net-snmp

Recommendation: remove the package if the server does not act as the SNMP server. The SNMP client tools can be kept.

systemctl disable snmpd
yum remove net-snmp
dnf remove net-snmp

12. DHCP Server
- a network server that dynamically assigns IP addresses and other network parameters to client devices

Command to check if the DHCP server is installed or not (the package is dhcp on RHEL/CentOS 7 and dhcp-server on 8 and later):

rpm -qa 'dhcp*'

Recommendation: remove the package if the server does not act as the DHCP server, to reduce potential attacks

systemctl disable dhcpd
yum remove dhcp
dnf remove dhcp-server

13. Domain Name System (DNS) Server
- DNS is a system that translates domain names to IP addresses for computers, services or other network resources. The most common DNS server on Linux is BIND, whose daemon is named.

Command to check if the BIND server is installed or not:

rpm -qa bind

Recommendation: remove the package if the server does not act as the DNS server, to reduce potential attacks

systemctl disable named
dnf remove bind
yum remove bind

14. HTTP or Web Server
- a system that uses the Hypertext Transfer Protocol (HTTP) to respond to requests from clients over the World Wide Web. There are a few web servers (refer to Top 5 Open-Source Web Servers on Linux) that can run on Linux and need to be audited.

Command to check if the Apache server is installed or not:

rpm -qa httpd

Recommendation: remove the package if the server does not act as the web server, to reduce potential attacks

systemctl disable httpd
yum remove httpd
dnf remove httpd

15. IMAP & POP3 Server
Internet Message Access Protocol (IMAP) is an email protocol for retrieving and managing email from the receiving server. It stores messages on the server and synchronizes them across multiple devices.

Command to check if the IMAP server is installed or not:

rpm -qa dovecot

Recommendation: remove the package if the server does not act as the IMAP server, to reduce potential attacks

systemctl disable dovecot
yum remove dovecot
dnf remove dovecot

Post Office Protocol (POP3) Server
- the 3 stands for the latest version. It is an email protocol for retrieving and managing email from the receiving server, but compared to IMAP it downloads email from the server to a single computer and then deletes it from the server.

Command to check if the POP3 server is installed or not:

rpm -qa dovecot

Recommendation: remove the package if the server does not act as the POP3 server, to reduce potential attacks

systemctl disable dovecot
yum remove dovecot
dnf remove dovecot


Honorable Mention:

Rsync Service
- used to synchronize files between systems, locally or over network links.

Command to check if the rsync daemon is installed or not (it ships in the rsync package on RHEL/CentOS 7 and in rsync-daemon on 8 and later):

rpm -qa 'rsync*'

Recommendation: remove the package if rsync is not being used, as the rsync daemon protocol is unencrypted, to reduce the attack surface.

systemctl disable rsyncd
dnf remove rsync-daemon
yum remove rsync


Top 3 Service Clients to remove for Securing Redhat or CentOS Linux


As part of best security practices, it is recommended to remove service clients that are not required for normal operation, to reduce the local attack surface. The following programs or clients should be removed (in no particular order).

1. NIS Client
- used to bind a machine to a NIS server and receive the distributed configuration files. NIS is an insecure system and can be vulnerable to attacks such as DoS and buffer overflows. It has a poor authentication mechanism as well.

Command to verify if NIS is installed or not:

rpm -q ypbind

Recommendation: remove the NIS client package

yum remove ypbind
dnf remove ypbind

2. Telnet Client

- allows users to establish connections to other systems via the telnet protocol. It is insecure and unencrypted, meaning it could allow unauthorized users to steal credentials.
Note: some users require telnet for testing and troubleshooting, e.g. to check whether ports are open, so this depends on the environment and requirements.

Command to verify if telnet is installed or not:

rpm -q telnet

Recommendation: remove telnet

yum remove telnet
dnf remove telnet

3. Lightweight Directory Access Protocol (LDAP) client
- LDAP provides a method of looking up information from a central database and was a replacement for NIS.

Command to verify if LDAP client is installed or not:

rpm -q openldap-clients

Recommendation: remove the LDAP client to reduce the potential attack surface

yum remove openldap-clients
dnf remove openldap-clients


Auditd Recommended Configuration on Redhat or CentOS Linux for System Auditing


Here's how to install the program "auditd", with best-practice and recommended settings for system auditing.

1. Install auditd

a. Verify whether the package is installed, using the rpm command:

rpm -q audit audit-libs

b. If it is not installed, you will see something like "package audit is not installed"; install it with:

dnf install audit audit-libs

2. Enable auditd

systemctl enable auditd

To verify that it is enabled, use this command:

systemctl is-enabled auditd

3. Set the kernel parameter on your bootloader so that auditing is enabled during boot

In /etc/default/grub, add "audit=1":

Before:
GRUB_CMDLINE_LINUX=""

After:

GRUB_CMDLINE_LINUX="audit=1"

To regenerate the grub2 configuration on RHEL/CentOS, run this command (update-grub is the Debian/Ubuntu equivalent; on UEFI systems the output path is /boot/efi/EFI/redhat/grub.cfg):

grub2-mkconfig -o /boot/grub2/grub.cfg

4. Configure auditd's backlog limit

The default is 64 records; 8192 or larger is recommended. In /etc/default/grub, append the parameter to the same GRUB_CMDLINE_LINUX line (it must not replace audit=1):

Syntax:
audit_backlog_limit=<SIZE of BACKLOG>

GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192"

To regenerate the grub2 configuration, run this command again:

grub2-mkconfig -o /boot/grub2/grub.cfg

5. Configure auditd to keep logs when the maximum file size is reached

In /etc/audit/auditd.conf, set the max log file action to keep logs:

max_log_file_action = keep_logs

6. Configure the log file size of auditd

The log is rotated once it reaches the maximum size set in the config. The default size is 6 MB; it is recommended to adjust it to a larger size if the system has free disk space.

Edit the file /etc/audit/auditd.conf and set the maximum log file size (in MB):

max_log_file = <size in MB>

7. Create rules based on your requirements.

Here are some rules that are recommended for a more secure environment.

Create the rules under the directory /etc/audit/rules.d/

a. Create time-change rules to make sure events are collected with the correct date and time. A sample rule set follows.

Create the file /etc/audit/rules.d/time.rules with the following contents:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

b. Create system-locale rules to record changes to network files or the related system calls

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/system-locale.rules with the following contents:

For 32-bit systems:

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale

For 64-bit systems:

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale

c. Create identity rules to record changes to user-related files, e.g. user names, passwords and groups

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/identity.rules with the following contents:

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

d. Create login rules to record login and logout events.

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/logins.rules with the following contents:

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

e. Create permission-mode rules to monitor file attribute, ownership and permission changes

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/permissions.rules with the following contents:

For 32-bit systems:

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

For 64-bit systems:

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

f. Create file-change rules to monitor file renaming or deletion.

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/file-change.rules with the following contents:

For 32-bit systems:

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

For 64-bit systems:

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

g. Create scope rules to monitor changes to the sudo scope, particularly the /etc/sudoers file

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/scope.rules with the following contents:

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope

h. Create sudo rules to monitor administrators using temporarily elevated privileges

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/sudo.rules with the following contents:

For 32-bit systems:

-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions

For 64-bit systems:

-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions

i. Create modules rules to monitor any loading and unloading of kernel modules using the insmod, rmmod or modprobe commands.

Create the rules under the directory /etc/audit/rules.d/

Create the file /etc/audit/rules.d/modules.rules with the following contents:

For 32-bit systems:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

For 64-bit systems:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

Note: for the changes to take effect, the audit rules must be reloaded or the system rebooted.

Useful auditctl options:
-l (auditctl -l): list all active rules, one per line
-e [0,1,2] (auditctl -e), where:
0 = temporarily disable auditing
1 = enable auditing
2 = lock the audit configuration (no further changes until reboot)

Sample:

tux@freelinux:~$ sudo auditctl -e 1 /etc/audit/rules.d/logins.rules
[sudo] password for tux:
parameter passed without an option given

Once the rules are active, login events appear in /var/log/audit/audit.log, for example:

type=USER_LOGIN msg=audit(1618394064.654:214583): pid=7256 uid=0 auid=1001 ses=55349 msg=’op=login id=1001 exe=”/usr/sbin/sshd” hostname=192.168.10.105 addr=192.168.10.105 terminal=/dev/pts/9 res=success’
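Once the logins rules are loaded, USER_LOGIN records like the one above are what a detection engineer actually wants to summarise. As an added example, not part of the original post, the POSIX shell functions below read audit.log lines, pick the addr= and res= fields out of each USER_LOGIN record by pattern rather than by position (auditd records do not keep a fixed field order), and count successful and failed logins per source address; a second function lists the sources at or above a failure threshold. The log excerpt is constructed in the shape of the record shown above, with made-up addresses and serial numbers; the function names are assumptions of the example.

```shell
# Constructed audit.log excerpt (not from a real host) in the shape of the
# USER_LOGIN record shown above, plus one unrelated record to be ignored.
audit_sample() {
    cat <<'EOF'
type=USER_LOGIN msg=audit(1618394064.654:214583): pid=7256 uid=0 auid=1001 ses=55349 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=192.168.10.105 addr=192.168.10.105 terminal=/dev/pts/9 res=success'
type=USER_LOGIN msg=audit(1618394101.120:214590): pid=7301 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=192.168.10.77 addr=192.168.10.77 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1618394103.555:214591): pid=7301 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=192.168.10.77 addr=192.168.10.77 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1618394105.901:214592): pid=7301 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=192.168.10.77 addr=192.168.10.77 terminal=ssh res=failed'
type=SERVICE_START msg=audit(1618394200.000:214600): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1618394250.000:214610): pid=7400 uid=0 auid=1001 ses=55350 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=192.168.10.105 addr=192.168.10.105 terminal=/dev/pts/10 res=success'
EOF
}

# Read audit.log lines on stdin; print "addr successes failures" per source,
# sorted by address. Only USER_LOGIN records are counted.
login_summary() {
    awk '
        $1 != "type=USER_LOGIN" { next }
        {
            addr = ""; res = ""
            # Extract by pattern: field positions differ between record variants.
            if (match($0, /addr=[^ ]+/)) addr = substr($0, RSTART + 5, RLENGTH - 5)
            if (match($0, /res=[a-z]+/))  res  = substr($0, RSTART + 4, RLENGTH - 4)
            if (addr == "" || res == "") next
            if (res == "success") ok[addr]++; else bad[addr]++
            seen[addr] = 1
        }
        END {
            for (a in seen) printf "%s %d %d\n", a, ok[a] + 0, bad[a] + 0
        }' | sort
}

# Sources with at least $1 failed logins: a simple brute-force indicator
# that the logins rules above make visible.
failed_login_sources() {
    login_summary | awk -v t="$1" '$3 >= t { print $1 }'
}

# Usage: audit_sample | login_summary
#        failed_login_sources 3 < /var/log/audit/audit.log
```

On a live system `ausearch -m USER_LOGIN` yields the same records already filtered by type, and the threshold chosen for `failed_login_sources` should sit above the MaxAuthTries value configured for sshd, since one connection can produce that many failures on its own.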


Top 20 Recommended SSH Configuration on Redhat or CentOS Linux


Secure Shell (SSH) is a cryptographic network protocol used to log in to and access remote systems securely. The most popular implementation is OpenSSH, which provides a large suite of secure tunnelling capabilities and several authentication methods.

Installation:

dnf install openssh-server

yum install openssh-server

If there are any changes to the sshd configuration (/etc/ssh/sshd_config), reload the service for them to take effect:

systemctl reload sshd

You can use the "-t" option to check the validity of the configuration file. If there is no error, it prints nothing:

sshd -t

Best Security Practice Configuration for /etc/ssh/sshd_config

1. Root login is disabled
- do not permit logging in as root over SSH; use an individual account instead and escalate to root with "sudo" or "su" when needed.

PermitRootLogin no

2. Disable Empty passwords

PermitEmptyPasswords no

3. Set the appropriate log level
- set it to INFO to record the login activity of users accessing SSH.

LogLevel INFO

4. Client alive interval should be configured
- sets the timeout interval (in seconds) after which sshd sends a message requesting a response from the client when no data has been received. The recommended setting is 5 minutes.

ClientAliveInterval 300

5. Client alive count max should be configured
- sets the number of client alive messages that may be sent without receiving a response from the client. The recommended setting is 3.

ClientAliveCountMax 3

6. X11 forwarding should be disabled
- if the server has no GUI or X Window System installed, this must be disabled to reduce potential risk.

X11Forwarding no

7. Maximum authentication attempts should be limited
- it is recommended to allow at most 4 authentication attempts per connection.

MaxAuthTries 4

8. IgnoreRhosts should be enabled
- .rhosts and .shosts files will not be used in HostbasedAuthentication or RhostsRSAAuthentication.

IgnoreRhosts yes

9. HostbasedAuthentication should be disabled
- this disables authentication based on .rhosts files.

HostbasedAuthentication no

10. PermitUserEnvironment should be disabled
- this option should be disabled to prevent users from bypassing security controls through their environment.

PermitUserEnvironment no

11. Strong ciphers should be used
- the ciphers used to encrypt the session should be strong.

Avoid weak ciphers such as the Cipher Block Chaining (CBC) modes and 3DES:
aes128-cbc
aes192-cbc
aes256-cbc
3des-cbc

Instead, use strong ciphers such as:
aes256-ctr
aes192-ctr
aes128-ctr

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

12. Login grace time is set
- the time allowed for a successful authentication. The recommended setting is 1 minute (60 seconds).

LoginGraceTime 60

13. Warning banner is configured
- shows a banner to the user before authentication is allowed. You can use /etc/issue.net as the banner file.

Banner /etc/issue.net

14.  Pluggable Authentication Module (PAM) is enabled
– enables PAM authentication

UsePAM yes

15. TCP forwarding is disabled
- it is used in SSH to tunnel application ports, so it is advisable to disable it to reduce security risks and backdoors.

AllowTcpForwarding no

16. Max sessions is set
- the maximum number of open sessions allowed from a given connection. The recommended setting is not more than 10.

MaxSessions 10

17. MaxStartups is configured
- the maximum number of concurrent unauthenticated connections.

MaxStartups 10:30:100

18. Access is limited
- limit the users and groups that can access the system.

AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>

19. Strong key exchange algorithms should be used
- keys are exchanged during communication between the sender and the receiver.

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Avoid weak key exchange algorithms such as:
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1

20. Strong Message Authentication Code (MAC) algorithms should be used
- strong MAC algorithms should be used for SSH communication.

MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

Avoid using weak MAC algorithms such as:
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-sha1
hmac-sha1-96
umac-64@openssh.com
umac-128@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
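To check a host against the settings above in one go, here is an added example that is not part of the original post: a POSIX shell audit that reads an sshd_config, compares the directives that take a single fixed value with the recommended values, and reports each deviation. A missing directive counts as a finding, because sshd then falls back to its built-in default (MaxAuthTries defaults to 6, for instance). The Ciphers, KexAlgorithms and MACs lists, the Allow/Deny directives, Banner and Match blocks are not handled. The sample configuration is constructed for the example; the function names and the expected-value table are assumptions.

```shell
# Recommended values, one "keyword value" per line, keywords in lowercase
# (sshd keywords are case-insensitive; values are compared in lowercase too).
SSHD_EXPECTED='permitrootlogin no
permitemptypasswords no
loglevel info
clientaliveinterval 300
clientalivecountmax 3
x11forwarding no
maxauthtries 4
ignorerhosts yes
hostbasedauthentication no
permituserenvironment no
logingracetime 60
usepam yes
allowtcpforwarding no
maxsessions 10
maxstartups 10:30:100'

# Print one finding per line: "keyword expected actual", where actual is
# "unset" when the directive is absent. sshd uses the first occurrence of a
# keyword, so the scan stops at the first match (Match blocks are ignored).
audit_sshd_config() {            # $1 = path to an sshd_config file
    cfg="$1"
    echo "$SSHD_EXPECTED" | while read -r key want; do
        got=$(awk -v k="$key" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            tolower($1) == k { print $2; exit }' "$cfg" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then got=unset; fi
        if [ "$got" != "$want" ]; then
            echo "$key $want $got"
        fi
    done
}

# Number of findings; non-zero means the host deviates from the baseline.
count_sshd_findings() {           # $1 = path to an sshd_config file
    audit_sshd_config "$1" | grep -c .
}

# Constructed sample config (not from a real host) with three weak points:
# root login permitted, MaxAuthTries too high, ClientAliveInterval absent.
write_sample_sshd_config() {      # $1 = destination path
    cat > "$1" <<'EOF'
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
PermitEmptyPasswords no
LogLevel INFO
ClientAliveCountMax 3
X11Forwarding no
MaxAuthTries 6
IgnoreRhosts yes
HostbasedAuthentication no
PermitUserEnvironment no
LoginGraceTime 60
UsePAM yes
AllowTcpForwarding no
MaxSessions 10
MaxStartups 10:30:100
EOF
}

# Usage: write_sample_sshd_config /tmp/sshd_config.sample
#        audit_sshd_config /tmp/sshd_config.sample
```

On a real host, feed it the output of `sshd -T` saved to a file rather than the raw config: `sshd -T` prints the effective settings after defaults and Match evaluation, one lowercase keyword per line, which is exactly what the comparison expects.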


Uncomplicated Firewall (UFW) Recommended Configuration on Redhat or CentOS Linux


Uncomplicated Firewall (UFW)
- a frontend for iptables and a program for managing a netfilter firewall.

Some key things to consider:

1. Installation:

dnf install epel-release -y
dnf install ufw -y

2. Verify if ufw is enabled:

systemctl is-enabled ufw

3. Enabling ufw flushes its chains and may disconnect existing sessions such as SSH. So when working remotely, it is recommended to allow SSH (port 22) first, before enabling it:

ufw allow proto tcp from any to any port 22

Enable the ufw:

ufw enable

4. Take note that there is a chance of conflict if both ufw and the iptables package are running, so it is recommended to remove the iptables package.

dnf remove iptables

5.  Loopback interface is allowed to accept traffic. Other interfaces should be configured to deny traffic to the loopback network:

IPv4: 127.0.0.0/8
IPv6: ::1/128

Apply the rules:

ufw allow in on lo
ufw allow out on lo
ufw deny in from 127.0.0.0/8
ufw deny in from ::1

6. Outbound connections are allowed for all interfaces

ufw allow out on all

Sample Output:

root@freelinux:~# ufw allow out on all
Rule added
Rule added (v6)

root@freelinux:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on all
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on all

7. Allow only open ports that are needed

There are a few ways to verify open or listening ports, e.g. using the "ss" command:

Sample Output:

root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*

root@freelinux:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

Anywhere                   ALLOW OUT   Anywhere on all
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on all

Syntax:

ufw allow in <portnumber>/<tcp or udp protocol>

8. Default deny should be configured

The concept is to allow the needed ports or hosts first, then set the default policy to deny so that all other traffic is dropped.

For example, to allow the following ports and services:
a. allow incoming web access (http & https)
b. allow incoming SSH access
c. allow outgoing for DNS or port 53
d. allow logging
e. deny everything

ufw allow in http
ufw allow in https
ufw allow in ssh
ufw allow out 53
ufw logging on

ufw default deny incoming
ufw default deny outgoing
ufw default deny routed

Sample Output:

root@freelinux:~# ufw allow in http
Rule added
Rule added (v6)
root@freelinux:~# ufw allow in https
Rule added
Rule added (v6)
root@freelinux:~# ufw allow in ssh
Rule added
Rule added (v6)
root@freelinux:~# ufw allow out 53
Rule added
Rule added (v6)
root@freelinux:~# ufw logging on
Logging enabled

root@freelinux:~# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
root@freelinux:~# ufw default deny outgoing
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)
root@freelinux:~# ufw default deny routed
Default routed policy changed to 'deny'
(be sure to update your rules accordingly)

Verify:
root@freelinux:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)

Anywhere                   ALLOW OUT   Anywhere on all
53                         ALLOW OUT   Anywhere
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on all
53 (v6)                    ALLOW OUT   Anywhere (v6)

Configuration files are located in /etc/ufw folder:
/etc/ufw/before.rules
/etc/ufw/before6.rules
/etc/ufw/after.rules
/etc/ufw/after6.rules
/etc/ufw/ufw.conf
/etc/ufw/sysctl.conf
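Steps 3 to 8 above are only safe in the right order: the SSH allow before `ufw enable`, and the default-deny policies set while the rules that keep the session alive are already in place. The following is an added example, not part of the original post, that emits those commands in a lock-out-safe order and only executes them when `UFW_APPLY=1` is set; the `UFW_APPLY` variable and the function names are my own, while the services http, https and outbound port 53 are the ones from step 8.

```shell
#!/bin/sh
# Added example, not part of the original post: print the ufw commands of
# steps 3 to 8 in an order that cannot cut off a remote session, and run
# them only when explicitly asked. Service names and the outbound port
# are the ones used in step 8.

# ufw_plan SSH_PORT "IN_SERVICES" "OUT_PORTS": one command per line.
# SSH is allowed first, the default policies are set while the firewall
# is still disabled, and "enable" comes last so the complete rule set
# takes effect in one step.
ufw_plan() {
  ssh_port=$1
  in_svcs=$2
  out_ports=$3
  printf 'ufw allow proto tcp from any to any port %s\n' "$ssh_port"
  printf '%s\n' 'ufw default deny incoming' 'ufw default deny outgoing' 'ufw default deny routed'
  printf '%s\n' 'ufw allow in on lo' 'ufw allow out on lo'
  printf '%s\n' 'ufw deny in from 127.0.0.0/8' 'ufw deny in from ::1'
  for s in $in_svcs; do printf 'ufw allow in %s\n' "$s"; done
  for p in $out_ports; do printf 'ufw allow out %s\n' "$p"; done
  printf '%s\n' 'ufw logging on' 'ufw --force enable'
}

# plan_lines ...: number of commands in the plan.
plan_lines() {
  ufw_plan "$@" | awk 'END { print NR }'
}

# ufw_apply ...: same arguments as ufw_plan. Dry run by default; set
# UFW_APPLY=1 to execute, stopping at the first command that fails.
ufw_apply() {
  if [ "${UFW_APPLY:-0}" = "1" ]; then
    ufw_plan "$@" | while IFS= read -r cmd; do
      echo "+ $cmd"
      $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
  else
    ufw_plan "$@"
  fi
}

ufw_apply 22 "http https" "53"
```

Run it once without `UFW_APPLY` to review the plan, then `UFW_APPLY=1 sh ufw-plan.sh` as root; `ufw --force enable` skips the interactive prompt that the plain `ufw enable` in step 3 shows.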



Iptables Firewall Recommended Configuration on Redhat or CentOS Linux


Iptables is a firewall utility that uses policy chains to allow or block traffic.  It can configure IPv4 tables, chains or rules provided by the Linux kernel firewall.

Some key things to consider:

1. Installation:

dnf install iptables

2. Verify if iptables is enabled and see the firewall rules:

systemctl status iptables
iptables -L -n -v

3. Flush iptables rules

iptables -F

4. When working remotely, it is recommended to allow incoming SSH or port 22 connections

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

5. Take note that there is a chance of conflict if iptables runs alongside firewalld, ufw or nftables, so it is recommended to disable them.

systemctl disable firewalld
systemctl --now mask firewalld
systemctl --now mask nftables
ufw disable

6. Loopback interface is allowed to accept traffic. Other interfaces should be configured to deny traffic to the loopback network:

IPv4: 127.0.0.0/8

Apply the rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP

7. Outbound connections are allowed for all interfaces. Configure also to allow established connections.

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT

8. Allow only open ports that are needed

There are a few ways to verify open or listening ports, e.g. using the "ss" command:

Sample Output:

root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*

Syntax to allow open ports:

iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT

9. Default deny should be configured

The concept is to allow the needed ports or hosts first, then set the default policy to DROP so that all other traffic is dropped.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
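Steps 4 to 9 apply one rule at a time with `-A`, which appends: running them twice duplicates every rule, and a run that stops halfway leaves a partial policy. The following is an added example, not part of the original post, that writes the same policy as one iptables-restore file and loads it atomically after a syntax check. The `PROTO:PORT` list is an illustrative assumption, and the save path `/etc/sysconfig/iptables` assumes the iptables-services package, which reads that file at boot on RHEL-family systems.

```shell
#!/bin/sh
# Added example, not part of the original post: build the policy of steps
# 4 to 9 as one iptables-restore file and load it atomically. -A appends,
# so repeating the steps duplicates rules and an interrupted run leaves a
# half-applied policy; a restore file replaces the filter table in a
# single transaction after a syntax check. The port list is illustrative.

# build_rules "PROTO:PORT ...": print the filter table in iptables-save format.
build_rules() {
  printf '%s\n' '*filter'
  # step 9: default deny on every chain (policies are set with the rules)
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  # step 6: loopback traffic, and nothing claiming 127/8 on other interfaces
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' '-A INPUT -s 127.0.0.0/8 -j DROP'
  # step 7: new and established outbound, established inbound
  for p in tcp udp icmp; do
    printf '%s\n' "-A OUTPUT -p $p -m state --state NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A INPUT -p $p -m state --state ESTABLISHED -j ACCEPT"
  done
  # steps 4 and 8: only the listed ports accept new inbound connections
  for spec in $1; do
    proto=${spec%%:*}
    port=${spec#*:}
    printf '%s\n' "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# rule_count "PROTO:PORT ...": number of -A lines in the generated table.
rule_count() {
  build_rules "$1" | grep -c '^-A'
}

# apply_rules "PROTO:PORT ...": check, load atomically, then persist.
# The save path is the one the iptables-services package reads at boot
# on RHEL-family systems (an assumption for this example).
apply_rules() {
  f=$(mktemp) || return 1
  build_rules "$1" > "$f"
  rc=1
  if iptables-restore --test < "$f"; then
    iptables-restore < "$f" && iptables-save > /etc/sysconfig/iptables
    rc=$?
  else
    echo "ruleset rejected by iptables-restore --test; nothing changed" >&2
  fi
  rm -f "$f"
  return $rc
}

build_rules "tcp:22 tcp:80 tcp:443"
```

Run `apply_rules "tcp:22 tcp:80 tcp:443"` as root and verify with `iptables -L -n -v`; because the whole table is replaced in one step, the SSH session that runs the command stays matched by the ESTABLISHED rule throughout.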


Ip6tables Firewall Recommended Configuration on Redhat or CentOS Linux


Ip6tables is a firewall utility that uses policy chains to allow or block traffic.  It can configure IPv6 tables, chains or rules provided by the Linux kernel firewall.

Some key things to consider:

1. Installation: (When installing iptables package, it will include the ip6tables)

dnf install iptables

2. Verify if iptables is enabled:

systemctl status iptables
ip6tables -L -n -v

3. Flush ip6tables rules

ip6tables -F

4. When working remotely, it is recommended to allow incoming SSH or port 22 connections

ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

5. Take note that there is a chance of conflict if ip6tables runs alongside firewalld, ufw or nftables, so it is recommended to disable them.

systemctl disable firewalld
systemctl --now mask firewalld
systemctl --now mask nftables
ufw disable

6. Loopback interface is allowed to accept traffic. Other interfaces should be configured to deny traffic to the loopback network:

IPv6: ::1/128

Apply the rules:

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP

7. Outbound connections are allowed for all interfaces. Configure also to allow established connections.

ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT

8. Allow only open ports that are needed

There are a few ways to verify open or listening ports, e.g. using the "ss" command:

Sample Output:

root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*

Execute this command to see the firewall rules

ip6tables -L INPUT -v -n

Syntax to allow open ports:

ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT

9. Default deny should be configured

The concept is to allow the needed ports or hosts first, then set the default policy to DROP so that all other traffic is dropped.

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP


Nftables Recommended Configuration on Redhat or CentOS Linux


Nftables is the replacement for iptables, ebtables and arptables. It is a subsystem of the Linux kernel providing filtering and classification of network packets, datagrams and frames.

Some key things to consider:

1. Installation:

dnf install nftables

2. Verify if nftables is enabled:

systemctl is-enabled nftables

3. Flush all the rules

nft flush ruleset

4. When working remotely, it is recommended to allow incoming SSH (port 22) connections before the base chains get a drop policy. The rule below needs the table and the input base chain from the next step to exist already:

nft add rule inet filter input tcp dport ssh accept

Rules live in chains, so the chains must exist first. There are two types:
a. base chains – entry points for packets coming from the networking stack (they are attached to a hook)
b. regular chains – not attached to a hook; used as jump targets to organize the rules

Syntax for creating base chains:

nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \; }

Config (the table must exist before its chains):

nft add table inet filter
nft create chain inet filter input { type filter hook input priority 0 \; }
nft create chain inet filter forward { type filter hook forward priority 0 \; }
nft create chain inet filter output { type filter hook output priority 0 \; }

5. Take note that there is a chance of conflict if both nftables and ufw are running, so it is recommended to disable and remove ufw:

ufw disable
dnf remove ufw

6. Loopback interface is allowed to accept traffic. Other interfaces should be configured to deny traffic to the loopback network:

IPv4: 127.0.0.0/8
IPv6: ::1

Apply the rules:

nft add rule inet filter input iif lo accept
nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop
nft add rule inet filter input ip6 saddr ::1 counter drop

7. Outbound connections are allowed for all interfaces. Configure also to allow established connections.

nft add rule inet filter input ip protocol tcp ct state established accept
nft add rule inet filter input ip protocol udp ct state established accept
nft add rule inet filter input ip protocol icmp ct state established accept
nft add rule inet filter output ip protocol tcp ct state new,related,established accept
nft add rule inet filter output ip protocol udp ct state new,related,established accept
nft add rule inet filter output ip protocol icmp ct state new,related,established accept

8. Allow only open ports that are needed

There are a few ways to verify open or listening ports, e.g. using the "ss" command:

Sample Output:

root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*

Syntax to allow open ports:

nft add rule [<family>] <table> <chain> <matches> <statements>

9. Default deny should be configured

The concept is to allow the needed ports or hosts first, then set the chain policy to drop so that all other traffic is dropped:

nft add chain inet filter input { policy drop \; }
nft add chain inet filter forward { policy drop \; }
nft add chain inet filter output { policy drop \; }

Here’s a sample config of /etc/nftables.conf file:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic
        iif "lo" accept
        ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
        ip6 saddr ::1 counter packets 0 bytes 0 drop

        # Established connections are accepted (new inbound only via the port rules below)
        ip protocol tcp ct state established,related accept
        ip protocol udp ct state established,related accept
        ip protocol icmp ct state established,related accept

        # Allow SSH, HTTP, HTTPS traffic from all
        tcp dport { 22, 80, 443 } ct state new accept
    }

    # Base chain for hook forward
    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # Base chain for hook output
    chain output {
        type filter hook output priority 0; policy drop;
    }
}
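`nft -c -f /etc/nftables.conf` checks that the file parses, but not that the policy matches the recommendations above. The following is an added example, not part of the original post, that reads an nftables.conf and reports the policy of the three base chains, whether loopback is accepted, and which TCP ports accept new connections. The sample file is constructed, with the output chain left at `policy accept` so that one check fails.

```shell
#!/bin/sh
# Added example, not part of the original post: read an nftables.conf and
# report whether it follows the recommendations above (drop policy on the
# input, forward and output base chains, loopback accepted, and which TCP
# ports accept new connections). It only inspects the text, so it can run
# on a copy of the file without touching the live ruleset.

# chain_policy FILE CHAIN: print "drop", "accept", or "none" if no policy
# statement is found for that chain.
chain_policy() {
  awk -v want="$2" '
    /^[[:space:]]*chain[[:space:]]+[A-Za-z0-9_]+[[:space:]]*[{]/ { cur = $2 }
    cur == want && match($0, /policy[[:space:]]+(accept|drop)/) {
      split(substr($0, RSTART, RLENGTH), a, /[[:space:]]+/)
      print a[2]; found = 1; exit
    }
    END { if (!found) print "none" }' "$1"
}

# open_tcp_ports FILE: numeric ports from "tcp dport N" or
# "tcp dport { a, b }" rules that end in accept, one per line, sorted.
open_tcp_ports() {
  awk '/tcp[[:space:]]+dport/ && /accept[[:space:]]*$/' "$1" |
    sed -E 's/.*tcp[[:space:]]+dport[[:space:]]+\{?([0-9, ]+)\}?.*/\1/' |
    tr ', ' '\n\n' | awk '/^[0-9]+$/' | sort -n -u
}

# nft_audit FILE: one "ok" or "FAIL" line per check, then the open ports.
nft_audit() {
  for c in input forward output; do
    if [ "$(chain_policy "$1" "$c")" = "drop" ]; then
      echo "ok   chain $c has policy drop"
    else
      echo "FAIL chain $c policy is $(chain_policy "$1" "$c"), expected drop"
    fi
  done
  if grep -Eq 'iif[[:space:]]+"?lo"?[[:space:]]+accept' "$1"; then
    echo "ok   loopback interface accepted"
  else
    echo "FAIL loopback interface not accepted"
  fi
  echo "open tcp ports: $(open_tcp_ports "$1" | tr '\n' ' ')"
}

# nft_fail_count FILE: number of FAIL lines.
nft_fail_count() {
  nft_audit "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# Constructed sample in the shape of the post's /etc/nftables.conf; the
# output chain is deliberately left at policy accept so one check fails.
SAMPLE_NFT=$(mktemp)
cat > "$SAMPLE_NFT" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ip saddr 127.0.0.0/8 counter drop
        ct state established,related accept
        tcp dport { 22, 80, 443 } ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF

nft_audit "$SAMPLE_NFT"
```

Run `nft_audit /etc/nftables.conf` before `systemctl restart nftables`, and compare the reported open ports with the `ss` output from step 8: every listening port that is not in that list is something the ruleset will block.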


Ubuntu Linux Recommended Filesystem Configuration


Here are the recommended filesystem and directory configurations. They are easiest to apply during the initial OS installation; if an existing system has to be repartitioned, perform a full backup first.

1. Disable unneeded filesystem modules using the rmmod command

rmmod <filesystem>

a. freevxfs (free version of Veritas type filesystem)
b. cramfs
c. jffs2 (journaling flash filesystem)
d. hfs (hierarchical filesystem)
e. hfsplus
f. udf (universal disk format) filesystem
g. FAT (File Allocation Table) filesystem (Take note: it is used by UEFI systems for the EFI boot partition, so disabling the vfat module can prevent UEFI systems from booting)

2. Directory /tmp is configured with the appropriate option set. Mount tmpfs on /tmp.
Note: /tmp is a world-writable directory used for temporary user and application storage. Recommended options are:
-noexec (cannot install executable code)
-nodev (cannot contain special devices)
-nosuid (cannot contain setuid files)
a. Configure /etc/fstab:

tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0

b. Create tmp.mount file and save it under /etc/systemd/system folder

cp -v /usr/share/systemd/tmp.mount /etc/systemd/system/

Under /etc/systemd/system/tmp.mount, configure /tmp mount

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec

c. Reload systemd

systemctl daemon-reload

d. Enable and start tmp.mount

systemctl --now enable tmp.mount

3. Directory /dev/shm is configured with the appropriate option set. Mount tmpfs at /dev/shm.
Note: /dev/shm is the traditional shared memory area, an efficient means of passing data between programs.
Recommended options are:
-noexec (cannot install executable code)
-nodev (cannot contain special devices)
-nosuid (cannot contain setuid files)

Under /etc/fstab:

tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0

Remount /dev/shm

mount -o remount,noexec,nodev,nosuid /dev/shm

4. Directory /var and its sub-folders should be on a separate partition
/var is the directory used to store dynamic data for system services
New installation: create a custom partition for /var
Already installed: create a new partition and configure /etc/fstab; mount then shows it as:

<device> on /var type ext4 (rw,relatime,data=ordered)

Recommended option sets are:
-noexec (cannot install executable code)
-nodev (cannot contain special devices)
-nosuid (cannot contain setuid files)

a. /var/tmp
– directory used for temporary user and application storage

<device> on /var/tmp type ext4 (rw,nosuid,nodev,noexec,relatime)

Remount:

mount -o remount,nosuid,nodev,noexec /var/tmp

b. /var/log
– directory used to store log data for services

<device> on /var/log type ext4 (rw,nosuid,nodev,noexec,relatime)

mount -o remount,nosuid,nodev,noexec /var/log

c. /var/log/audit
– directory used to store log data for the auditd daemon

<device> on /var/log/audit type ext4 (rw,relatime,data=ordered)

5. Directory /home should be on a separate partition with the appropriate option set.
Recommended options are:
-noexec (cannot install executable code)
-nodev (cannot contain special devices)
-nosuid (cannot contain setuid files)

<device> on /home type ext4 (rw,nodev,relatime,data=ordered)

Remount:

mount -o remount,nodev /home
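Steps 2 to 5 each list the options a mount point must carry, and a remount that was never written to /etc/fstab is lost on reboot, so the live state is worth checking. The following is an added example, not part of the original post, that reads the `<device> <mountpoint> <type> <options> ...` format of /proc/mounts and reports every mount point that lacks the options recommended above. The sample mount table is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the mount points
# from steps 2 to 5 carry the options recommended there. Input is the
# "<device> <mountpoint> <type> <options> ..." format of /proc/mounts, so
# the same functions work on the live system or on a saved copy.

# Mount point and the options it must have, as recommended above
# (/home only needs nodev in the remount shown for it).
REQUIRED='/tmp nosuid,nodev,noexec
/dev/shm nosuid,nodev,noexec
/var/tmp nosuid,nodev,noexec
/var/log nosuid,nodev,noexec
/home nodev'

# mount_opts MOUNTS_TEXT MOUNTPOINT: option string of that mount point
# (the last matching entry wins, as with stacked mounts), or nothing.
mount_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# missing_opts MOUNTS_TEXT MOUNTPOINT REQUIRED_CSV: comma-separated list of
# required options that are absent; "not-mounted" if the mount point is
# not a separate mount at all.
missing_opts() {
  opts=$(mount_opts "$1" "$2")
  if [ -z "$opts" ]; then
    echo "not-mounted"
    return 0
  fi
  printf '%s\n' "$3" | tr ',' '\n' | awk -v have=",$opts," '
    index(have, "," $0 ",") == 0 { out = out (out ? "," : "") $0 }
    END { print out }'
}

# audit_mounts MOUNTS_TEXT: one "ok" or "FAIL" line per mount point.
audit_mounts() {
  printf '%s\n' "$REQUIRED" | while read -r mp req; do
    miss=$(missing_opts "$1" "$mp" "$req")
    if [ -z "$miss" ]; then
      echo "ok   $mp"
    else
      echo "FAIL $mp missing: $miss"
    fi
  done
}

# mount_fail_count MOUNTS_TEXT: number of FAIL lines.
mount_fail_count() {
  audit_mounts "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# Constructed /proc/mounts excerpt: /tmp and /var/log are correct,
# /dev/shm lacks noexec, /var/tmp is not a separate mount, /home lacks nodev.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /home ext4 rw,relatime,data=ordered 0 0'

audit_mounts "$SAMPLE_MOUNTS"
```

On a real host run `audit_mounts "$(cat /proc/mounts)"`; a mount point reported as not-mounted is one that shares its parent's filesystem and therefore cannot carry its own nosuid, nodev or noexec options.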

6. Automounting should be removed or disabled
autofs allows automatic mounting of devices (USB, DVD/CD)

apt purge autofs

7.  USB storage should be disabled

Verify whether it is installed (dry run):

modprobe -n -v usb-storage

Unload the module usb-storage

rmmod usb-storage


Configure Automatic Software Updates on Ubuntu Linux


It is recommended that a patch management system is maintained and configured.

Verify that the system’s package repositories are configured.

sudo apt-cache policy

Sample Output:

tux@freelinux:~$ sudo apt-cache policy
[sudo] password for tux:
Package files:
100 /var/lib/dpkg/status
release a=now
500 http://security.ubuntu.com/ubuntu xenial-security/multiverse i386 Packages
release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=multiverse,b=i386
origin security.ubuntu.com
500 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages
release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=multiverse,b=amd64
origin security.ubuntu.com

Use GPG signature verification to check the integrity of packages during installation. This makes sure they were obtained from a valid source.

Verify if package manager’s GPG keys are correctly configured.

sudo apt-key list

Sample Output:

tux@freelinux:~$ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
pub 1024D/3E5C1192 2010-09-20
uid Ubuntu Extras Archive Automatic Signing Key <ftpmaster@ubuntu.com>
pub 4096R/991BC93C 2018-09-17
uid Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

Setting up Automatic Updates:

1. Install the "unattended-upgrades" package

sudo apt install unattended-upgrades

2. Edit the configuration /etc/apt/apt.conf.d/50unattended-upgrades. Remove the double slash (//) to enable
Before:
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

After:
"${distro_id}:${distro_codename}-updates";

Additional Options:
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Mail "admin@freelinuxtutorials.com";
Unattended-Upgrade::MailOnlyOnError "true";

3. Configure /etc/apt/apt.conf.d/20auto-upgrades to enable

sudo vi /etc/apt/apt.conf.d/20auto-upgrades

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "30";
APT::Periodic::Unattended-Upgrade "1";

where the interval values are in days

Testing:

sudo unattended-upgrades --dry-run --debug

Verifying logs:

/var/log/unattended-upgrades/unattended-upgrades.log
