Okay, I’ve redone this entire post because I received negative feedback, which is understandable as I didn’t put a whole lot of work into it. But this is a script that I put together and have used for many years, which I’m willing to share for anyone who’s interested in adding a little security to any Ubuntu installation that you may have.
Instead of posting the code here, I’ve opted to put the code on Pastebin; you’ll find it here. It originally contained PPAs, which I’ve now taken out because those are personal anyway and they only decrease security, so I advise against adding them if security is your objective.
If you’d like to know more about the decisions made in the script, I have added links to the Arch Wiki pages that explain everything and what it does; mostly all of what I do is through information provided by the people who wrote the Arch Wiki.
I by no means know iptables; I simply copied and pasted what I put in the script. I made custom commands for disabling IPv6 if you’re interested, but I have not included them as they’ve been giving me kernel problems anyway.
It would be worth adding why you set these things and why they might or might not be useful. I’m a bit confused by some of them.
Why disable IPv6? (It doesn’t need to be disabled for security and may break things.)
Why are iptables rules set but also ufw? Why allow HTTP if it’s to be a guide for securing Ubuntu? (Reasoning for your commands would clear that up, I think.)
Some of your sysctl settings are already defaults and don’t need to be set.
None of your PPAs have anything to do with security?
Disabling ICMP doesn’t really do anything security-wise; it makes it a tiny bit more difficult maybe, but it’s inconsequential. It does make network troubleshooting more difficult for you, though.
I will be adding more to it, but I disable IPv6 because not every VPN supports it and you’ll end up leaking if you don’t disable it. I suppose using UFW is redundant, but I put it in there anyway as a backup. I’ve had this script for years, so it’s static and I can’t be sure what’s default now compared to the past. This is just how I set things up; I added the PPAs because that is the software I use, so I might as well throw it in there. And everything is explained via the Arch Wiki. Your router will block those ports anyway, and you can remove those if you don’t need them open.
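The point above about settings that are already defaults, and the IPv6 sysctls the OP relies on, can both be checked before a hardening script applies anything. The script below is an added example and is not the OP’s Pastebin script; the list of desired keys is a constructed sample, and it assumes the Linux convention that a key such as `net.ipv4.ip_forward` is backed by `/proc/sys/net/ipv4/ip_forward`. It reports which entries are no-ops, which would actually change the running value, and which keys the kernel does not expose at all (for instance the IPv6 keys on a kernel booted with IPv6 disabled).

```shell
#!/bin/sh
# Compare a list of desired sysctl settings against the values currently in
# effect, so a hardening script only applies what actually changes something.
# Added example, not the OP's script. Assumption: keys resolve to
# /proc/sys/<key with '.' replaced by '/'>, as sysctl(8) does on Linux.

# Constructed sample of desired settings: the thread's IPv6 keys plus a few
# common hardening knobs. A real script would read these from a file.
DESIRED='net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1'

# read_current KEY [SNAPSHOT_FILE]
# Prints the current value of KEY. With a snapshot file ("key = value" lines,
# e.g. saved output of `sysctl -a`) the lookup is offline; without one it
# reads the live kernel via /proc/sys. Prints nothing if the key is unknown.
read_current() {
    key=$1; snap=$2
    if [ -n "$snap" ]; then
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal
        sed -n "s/^$esc *= *//p" "$snap" | head -n 1
    else
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        [ -r "$path" ] && cat "$path"
    fi
    return 0
}

# classify KEY DESIRED_VALUE [SNAPSHOT_FILE]
# Prints one line: ALREADY (no-op), CHANGE (would be modified) or UNKNOWN.
classify() {
    key=$1; want=$2; snap=$3
    cur=$(read_current "$key" "$snap")
    if [ -z "$cur" ]; then
        echo "UNKNOWN $key"
    elif [ "$cur" = "$want" ]; then
        echo "ALREADY $key=$want"
    else
        echo "CHANGE  $key $cur -> $want"
    fi
}

# audit [SNAPSHOT_FILE]: classify every entry of DESIRED.
audit() {
    printf '%s\n' "$DESIRED" | while IFS='=' read -r key want; do
        [ -n "$key" ] && classify "$key" "$want" "$1"
    done
}

# count_changes [SNAPSHOT_FILE]: how many entries would actually change.
count_changes() {
    audit "$1" | grep -c '^CHANGE' || true
}

# Usage: ./sysctl-audit.sh            (live kernel)
#        ./sysctl-audit.sh saved.txt  (offline, against `sysctl -a` output)
audit "$@"
```

Run it once before and once after the hardening script: entries still reported as CHANGE afterwards are the ones the script failed to apply, and entries reported ALREADY on a fresh install are the ones the thread calls redundant.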
While attending to arguable minutiae like disabling IPv6, you missed the forest for the trees. You forgot the #1 most important change of all, the only truly meaningful one: installing the unattended-upgrades package and configuring it to automatically install security updates.
Well, that could be debated, because you may not want all of the security updates, and if you were being careful, you’d want to make sure you had a good look at your updates before installing any.
No. Everybody should auto-install security updates on Linux. They don’t break your workflow or force you to reboot like on Windows, and updates tagged security should never change functionality; all they do is fix security issues, so they shouldn’t impact your services and applications.
When you actually get hacked in the real world, it’s due to one of two things: the first is running obsolete software and the second is a misconfiguration. This fixes one of those.
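The configuration this reply argues for, as an added example that is not part of the thread and not Ubuntu’s stock configuration: it writes the two apt.conf.d fragments that turn on the daily unattended-upgrade job and restrict it to the distribution’s `-security` pocket, which is what keeps it to the “fix security issues only” behaviour described above. It assumes a Debian/Ubuntu apt layout; the target directory defaults to a preview directory so the files can be inspected before installing them, and the `--install` flag is this script’s own convention.

```shell
#!/bin/sh
# Enable unattended security updates on Ubuntu. Added example, not from the
# thread or from the unattended-upgrades package itself. Assumption: standard
# apt.conf.d layout; /etc/apt/apt.conf.d is only touched with --install.

# write_config [TARGET_DIR]: write the two apt configuration fragments.
write_config() {
    dir=${1:-/etc/apt/apt.conf.d}
    mkdir -p "$dir"

    # 20auto-upgrades: refresh package lists and run unattended-upgrade daily
    # (the apt-daily and apt-daily-upgrade systemd timers read these).
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # 50unattended-upgrades: only the -security pocket is allowed. The stock
    # file also offers "${distro_codename}-updates"; leaving that out is what
    # keeps this to security fixes, which is the weak-vs-strict difference.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
}

# allowed_origins [TARGET_DIR]: list the origins the fragment permits.
allowed_origins() {
    f=${1:-/etc/apt/apt.conf.d}/50unattended-upgrades
    sed -n '/Allowed-Origins {/,/^};/p' "$f" | grep -o '"[^"]*"' | tr -d '"'
}

# check_config [TARGET_DIR]: 0 if the fragment is security-only (no -updates
# pocket) and never reboots the host on its own, 1 otherwise.
check_config() {
    f=${1:-/etc/apt/apt.conf.d}/50unattended-upgrades
    grep -q 'distro_codename}-security' "$f" || return 1
    ! grep -q 'distro_codename}-updates' "$f" || return 1
    grep -q 'Automatic-Reboot "false"' "$f"
}

# Default: write a preview under the current directory and validate it.
# With --install (as root): write the real files. Afterwards, verify with
#   sudo unattended-upgrades --dry-run --debug
#   systemctl list-timers apt-daily-upgrade.timer
if [ "${1:-}" = "--install" ]; then
    write_config && check_config && echo "installed security-only unattended-upgrades"
else
    write_config ./apt.conf.d.preview && check_config ./apt.conf.d.preview \
        && echo "preview written to ./apt.conf.d.preview"
fi
```

The `check_config` function is the part worth keeping around: a later package upgrade or a copied-in stock file can silently re-add the `-updates` pocket, and a check that fails when it does is how you notice.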
I think the title should be more like “disabling IPv6 on Ubuntu” or something.
IMHO the gold standard for securing an OS is going to be a DISA STIG, which only covers (as of right now) Windows, Mac, RHEL, Solaris, Oracle, HP-UX, AIX.