I thought about doing a step by step bash script or CLI walkthrough but decided to go with the high levels steps. If we wanted to ensure our Linux servers are configured in alignment with Cyber Essentials what are the main areas we need to consider? For this I’m using Ubuntu Server as a base, I’ve not gone through every line in the standard but these should be in line with the 5 areas and fit within the Cyber Essentials theme. As always there are many ways to skin a cat! (don’t skin cats they are frens!). Anyway hope this is useful.

• We must apply updates every 14 days – see AutomaticSecurityUpdates – Community Help Wiki (ubuntu.com)
  • Install cron-apt or create a custom cron job
  • or install and configure the unattended-upgrades package (thanks @CisoDiagonal)
• We must enable the firewall – see Security – Firewall | Ubuntu
  • Install and enable UFW
    • Allow HTTP/HTTPS/SSH as required
• We must ensure there are two accounts
  • One root user
  • One user
• Use ssh auth (public/private key) for SSH access
• Administrative interfaces must be protected
  • Install fail2ban
  • Use Allow Lists (IP Restrictions)
• Web Services should be protected (fail2ban or a WAF e.g., Word fence)
• Deploy a secure password policy (e.g., with libpam-pwquality)
• Use a network-based firewall policy (if cloud provider restricts SSH)
• AV
  • Install CLAMAV
  • Install a third-party AV Solution
  • Install an EDR
• Ensure only required software is deployed (it’s easier to build the software required on from a very small image than to remove things)

As you can see this really is a subset of all the capabilities and controls you may want in a business environment, you should really be thinking about:

• Limit Egress Traffic
• Web Content Filtering
• Protective DNS
• Backup
• Encryption in Transit
• Encryption at Rest (Full Disk Encryption and data encryption)
• Configuration Hardening
• Auditing/Logging and Alerting
• Operational Processes
• Incident Response Processes

You could also consider using a VPN, IP Allow listing or a software defined vpn (connectionless vpn etc.) to create access methods which do not require exposures of services like ssh.

Now the challenge also is, the systems need to be suitable for the business purpose, retrofitting security controls and hardening is so often much harder to do than say!

Resources

Ubuntu LTS – NCSC.GOV.UK

Device-Security-Guidance-Configuration-Packs/Linux/UbuntuLTS at main · ukncsc/Device-Security-Guidance-Configuration-Packs (github.com)

About Cyber Essentials – NCSC.GOV.UK