Ubuntu Hardening for Local Users
Hello, all!
I've recently been looking for a free Unix shell provider, but I'm not having much luck. Given that, I'm considering leasing a VPS and starting my own shell provider. I'm currently looking at my options.
I've settled on Ubuntu Server 26.04 (amd64) as my base OS. My question is this: What additional steps should I take in hardening the Ubuntu Server install beyond what I'd do to secure it from a network perspective? Given that I'm going to have local users, that greatly increases my threat surface. Here are some of the ideas that I've noted down in my research:
- Remove the suid-root bit from any system binaries not requiring it.
- Mount /proc with 'hidepid=1' (or 'hidepid=2') to restrict non-root access to /proc
- Install libpam-pwquality and ensure that your users are selecting good passwords
- Disable password-based authentication in favor of pubkey authentication
- Some sysctl.conf(5) tunings (TCP syncookies, ignore reverse path filtering, etc.)
I vaguely remember 'grsecurity,' a patch to the Linux kernel, adding some useful additional layers, but I was unable to determine licensing/costs from their website. Is that something I should continue to look into?
Please advise me as to what steps you would take to harden an Ubuntu Server instance destined for service as a public shell server. Ideally, I'd like this host locked down to the point that no non-root user can even determine if other user's are logged in.