If you are going to use ubuntu with compromised systems then i strongly urge you to try this configuration:
Try this config (NOTE: IT IS STILL A WORK IN PROGRESS) BUT IT HELPS
Code:
# copy and paste this "sudo gedit /etc/ufw/before.rules" without the quotes in terminal
# Then copy from the next line of rules to replace the firewall default rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
################################################## ################################################
# FIREWALL ARRANGEMENT PREVENTS DDoS DROPPING INVALID BEFORE PROCESSING VALID PLUS FULL TRACKING #
################################################## ################################################
################################################## #####################################
# drop INVALID inbound packets (logs these in loglevel medium and higher)
################################################## #####################################
-A ufw-before-input -p all -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -p all -m state --state INVALID -j DROP
################################################## #####################################
################################################## #####################################
# DROP FROM UNSPEC(0.0.0.0) - [Ensure source address verification is on]
################################################## #####################################
-A ufw-before-input -p all -m addrtype --src-type UNSPEC -j DROP
################################################## #####################################
################################################## #####################################
# DROP FROM UNREACHABLE - [Ensure source address verification is on]
# To use this ensure [icmp - destination-unreachable] is accepted
################################################## #####################################
#-A ufw-before-input -p all -m addrtype --src-type UNREACHABLE -j DROP
################################################## #####################################
################################################## #####################################
# DROP FROM MULTICAST [affects IGMP] - [Ensure source address verification is on]
################################################## #####################################
-A ufw-before-input -p all -m addrtype --src-type MULTICAST -j DROP
################################################## #####################################
################################################## #####################################
# DROP FROM LOCAL - [Ensure source address verification is on]
################################################## #####################################
-A ufw-before-input -p all -m addrtype --src-type LOCAL --dst-type ANYCAST -j DROP
-A ufw-before-input -p all -m addrtype --src-type LOCAL --dst-type MULTICAST -j DROP
-A ufw-before-input -p all -m addrtype --src-type LOCAL --dst-type BROADCAST -j DROP
################################################## #####################################
################################################## #####################################
# [Prevent malicious tcp looped/reversed connection initiation]
# [Packets with only 'syn' bit set and 'ACK,RST and FIN bits cleared']
################################################## #####################################
-A ufw-before-input -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j DROP
################################################## #####################################
# [allow all on loopback]
# Any traffic that a computer program sends to the loopback interface
# is immediately received on the same interface.
# This works without any actual network connection–so it is useful for testing services
# without exposing them to security risks from remote network access.
# This is primarily a means of testing the transmission or transportation infrastructure.
# ***** CAUTION - IT IS A TARGET FOR SPOOFING TO LEAK TRAFFIC TO REMOTE NETWORK *****
# ***** [BLOCK ALL TRAFFIC GOING OUT TO 127.0.0.0/8 WITH THE USER FIREWALL] *****
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we initiated and already have a connection
-A ufw-before-input -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# connection loop tracking/processing for initiated outbound connections
-A ufw-before-output -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
################################################## #####################################
# DROP TO UNSPEC(0.0.0.0)
################################################## #####################################
-A ufw-before-output -p all -m addrtype --dst-type UNSPEC -j DROP
################################################## #####################################
################################################## #####################################
# DROP TO PROHIBIT
################################################## #####################################
-A ufw-before-output -p all -m addrtype --dst-type PROHIBIT -j DROP
################################################## #####################################
################################################## #####################################
# DROP CASTING [WE ARE NOT A ROUTER]
# [BROADCAT USED BY DHCP CLIENT FOR DHCP DISCOVERY]
################################################## #####################################
-A ufw-before-output -p all -m addrtype --dst-type ANYCAST -j DROP
-A ufw-before-output -p all -m addrtype --dst-type MULTICAST -j DROP
################################################## #####################################
# connection tracking initiation for outbound
-A ufw-before-output -p all -m state --state NEW -j ACCEPT
################################################## #########################################
# -----[ok icmp codes]
# *****[because the state{NEW,ESTABLISHED,RELATED} of icmp cannot be verified]*****
# *****[firewall rule set arrangement above will DROP icmp as INVALID regardless if it is set to ACCEPT]*****
################################################## #########################################
# ********** DROP all of these packets to prevent DDoS **********
# Use REJECT with caution - possible DDoS generating reject packets
# ********** [source-quench] is used for traffic throttling **********
################################################## #########################################
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
################################################## ##########################################
################################################## ##########################################
# allow DHCP client to work
# [UDP PERMITS ONLY SOURCE TO DESTINATION PORT VERIFICATION ONLY] - [ENSURE SOURCE ADDRESS VERIFICATION IS ON]
# Initially DHCP Client sends a [broadcast] request and recieves a [UNICAST] DHCP discovery response
-A ufw-before-input -p udp --sport 67 --dport 68 -m addrtype --src-type LOCAL --dst-type UNICAST -j ACCEPT
# Allow L2TP only over IPSEC
-A ufw-before-input -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
################################################## ###########################################
################################################## ########
# -----*****traffic of not-local below*****----- #
################################################## ########
-A ufw-before-input -j ufw-not-local
# if [LOCAL] RETURN - [Process internet traffic]
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if [MULTICAST] DROP
# *****[PREVENT DDoS]*****
-A ufw-not-local -m addrtype --dst-type MULTICAST -j DROP
# if [ANYCAST] DROP
# *** PREVENT ROGUE SERVERS FROM CAUSING DDoS ATTACKS ***
-A ufw-not-local -m addrtype --dst-type ANYCAST -j DROP
# if [BROADCAST] DROP
# *****[PREVENT DDoS]*****
# Broadcasting may be abused to perform a DoS-attack.
# The attacker sends fake ping request with the source IP-address of the victim computer.
# The victim computer is flooded by the replies from all computers in the domain.
-A ufw-not-local -m addrtype --dst-type BROADCAST -j DROP
# all other non-local packets are dropped
# [If rate is above the specified below then start logging traffic]
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# Deny MULTICAST mDNS for service discovery
# If intended for use (be sure the MULTICAST line above is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j DROP
# Deny MULTICAST UPnP for service discovery
# If intended for use (be sure the MULTICAST line above is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j DROP
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
#
# OPEN TERMINAL AND COPY AND PASTE "sudo gedit /etc/ufw/after.rules"
# REPLACE CONTENTS WITH CONTENTS BELOW THIS LINE
#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-after-input
# ufw-after-output
# ufw-after-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
# End required lines
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -m addrtype --dst-type UNICAST -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -m addrtype --dst-type UNICAST -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -m addrtype --dst-type UNICAST -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -m addrtype --dst-type UNICAST -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -m addrtype --dst-type UNICAST -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -m addrtype --dst-type UNICAST -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -m addrtype --dst-type UNICAST -j ufw-skip-to-policy-input
# don't log noisy CASTS - [Handles both 'LAN' and 'WAN' traffic]
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type MULTICAST -j DROP
-A ufw-after-input -m addrtype --dst-type ANYCAST -j DROP
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
# Copy and paste "sudo gedit /etc/sysctl.conf" into terminal and hit enter
# Copy and paste the configuration below into opened document and Save the document
# Then copy and paste "sudo sysctl -p" into terminal and hit enter
#
################################################## ########################
## COPY FROM THE LINE JUST ABOVE THIS TEXT
################################################## ########################
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
################################################## ############3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to prevent some spoofing attacks
# FOR SERVER TURN IT OFF BY SETTING VALUE TO 0, FOR DESKTOP LEAVE IT ON WITH VALUE 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#
#
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
# Block SYN attacks
# Syn cookies acts as a recovery back up to the backlog/syn retries/syn ackretries
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
#
#
# Preferably prevent packet forwarding for IPv4 by setting value to 0
# *****ENABLE PACKET FORWARDING IF YOU INTEND TO USE OPENVPN*****
# *****'MITM' MONITORING BODIES CAN HIJACK TRAFFIC AND DIRECT TO LESS SECURE DESTINATION*****
# To enable it change the value "0" below to value "1"
net.ipv4.ip_forward = 1
#
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding = 0
#
#
################################################## #################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
#
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
#
#
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
#
#
# Do not accept ICMP redirects (prevent MITM attacks)
# ***[Make sure no one can alter the routing tables]***
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
#
#
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
net.ipv4.conf.all.secure_redirects = 0
#
#
# Do not send ICMP redirects (we are not a router)
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#
#
# Do not accept IP source route packets (we are not a router)
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
#
#
########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
########## IPv6 networking ends ##############
#
#
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
#
#
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
#
#
# Ignore ICMP broadcast requests
# *****Avoid a smurf attack*****
net.ipv4.icmp_echo_ignore_broadcasts = 1
#
#
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
#
#
# increase system file descriptor limit
fs.file-max = 65536
#
#
# (Default swappiness value is 60 - Proposed to be balanced)
# For speed & Longetivity of HDD/SSD - Decrease swappiness value
# (USB recommended = <5, SSD recommended = 10, HDD recommended = 15)
# For security prevention of RAM exploit - Increase the swappiness value
# *************************CAUTION****************** *********************
# IF INSTALLATION DOES NOT HAVE A SWAP PARTITION
# OPEN TERMINAL AND TYPE "sudo apt-get install zram-config"
# ONLY AFTER DOING A FULL SYSTEM UPDATE
# ************************************************** *********************
vm.swappiness = 0
vm.vfs_cache_pressure = 50
#
#
## Turn on Stack protection
kernel.randomize_va_space = 1
#
#
################################################## ##########
# Exec-shield no longer supported from ubuntu 11 and above
################################################## ##########
#
#
# Kernel protection and optimization
kernel.kptr_restrict = 1
kernel.yama.ptrace_scope = 1
kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmax = 134217728
kernel.shmmni = 4096
#
#
# Disable suid binaries from core dumps
fs.suid_dumpable = 0
#
#
# Decrease the time default value for tcp_fin_timeout connection
# Reduces the FIN2 wait time
net.ipv4.tcp_fin_timeout = 10
#
#
# Decrease the time default value for tcp_keepalive_time connection in seconds
net.ipv4.tcp_keepalive_time = 3600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 3
#
#
# Reduce IP default time to live (ttl) from default 64 in seconds
# Recommended value is [18] - [In seconds] for privacy
# USE *** 24 when in a monitored environment *** and on slow internet
# TTL is a timer value included in packets sent over TCP/IP-based networks
# that tells the recipients how long to hold or use the packet or any of its included data
# before expiring and discarding the packet or data.
# *** While in transit the value reduces by 1 at every hop/interchange ***
net.ipv4.ip_default_ttl = 24
#
#
# Enable Forward RTO-Recovery (F-RTO) defined in RFC4138
# F-RTO is an enhanced recovery algorithm for TCP retransmission timeouts.
# It is particularly beneficial in wireless environments
# where packet loss is typically due to random radio interference
# 1 basic version is enabled.
# 2 enables SACK enhanced F-RTO if flow uses SACK.
net.ipv4.tcp_frto = 2
#
#
# Set FRTO response to 0
# 0 = Rate halving based; a smooth and conservative response
# 1 = Very conservative response; it interacts poorly with the rest of Linux TCP
# 2 = Aggressive response; undoes congestion control measures that are now known to be unnecessary
net.ipv4.tcp_frto_response = 2
#
#
# Turn on tcp abort on overflow
# Resets listening services in event on flood DDoS attack
net.ipv4.tcp_abort_on_overflow = 1
#
#
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
#
#
# Turn on the tcp_sack - Enable select acknowledgments (SACKS)
net.ipv4.tcp_sack = 1
#
#
# Enable tcp_fack - Enable FACK congestion avoidance and fast restransmission
net.ipv4.tcp_fack = 1
#
#
# Enable tcp_dsack - TCP Duplicate SACK support - [Added congestion avoidance measure].
net.ipv4.tcp_dsack = 1
#
#
# Enable thin duplicate ACK
# Enable dynamic triggering of retransmissions after one dupACK for thin streams.
# If set, a check is performed upon reception of a dupACK to determine if the stream is thin (less than 4 packets in flight).
# This improves retransmission latency for non-aggressive thin streams, often found to be time-dependent.
net.ipv4.tcp_thin_dupack = 1
#
#
# Enable thin linear timeouts
# Enable dynamic triggering of linear timeouts for thin streams.
# If set, a check is performed upon reception of a dupACK to determine if the stream is thin (less than 4 packets in flight).
# This improves retransmission latency for non-aggressive thin streams, often found to be time-dependent.
net.ipv4.tcp_thin_linear_timeouts = 1
#
#
# Reduce tcp re-odering - Default is 3
net.ipv4.tcp_reordering = 2
#
#
# Reduce tcp_retries1 - Default is 3
# How many times to retry before deciding that something is wrong
# and it is necessary to report this suspection to network layer.Minimal RFC value is 3
net.ipv4.tcp_retries1 = 2
#
#
# Reduce tcp_retries2 - Default is 15 corresponds to ~13-30min depending on RTO.
# The default value of 15 yields a hypothetical timeout of 924.6 seconds
# and is a lower bound for the effective timeout.
# How may times to retry before killing alive TCP connection.
# The RFC 1122 specified minimum limit of 100 seconds is typically deemed too short.
# RFC1122 says that the limit should be longer than 100 sec
# which corresponds to a value of at least 8.
net.ipv4.tcp_retries2 = 10
#
#
# Enable pmtu - (Path Maximum Transfer Unit) with value 0, disable with value 1
net.ipv4.ip_no_pmtu_disc = 0
#
#
# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1
#
#
# Increase the maximum tcp time wait buckets
# Maximal number of timewait sockets held by system simultaneously.
# If this number is exceeded time-wait socket is immediately destroyed and warning is printed.
# [This limit exists only to prevent simple DoS attacks], you _must_ not lower the limit artificially,
# but rather increase it (probably, after increasing installed memory) - Max port capacity is [65535]
net.ipv4.tcp_max_tw_buckets = 4096
#
#
# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 4096 87380 8388608
#
#
# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 4096 87380 8388608
#
#
# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 4096 87380 8388608
#
#
# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
#
#
# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 8388608
net.core.rmem_default = 8388608
#
#
# Increase the maximum and default send socket buffer size
net.core.wmem_max = 8388608
net.core.wmem_default = 8388608
#
#
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 8388608
#
#
# increase Linux auto tuning TCP buffer limits
net.core.netdev_max_backlog = 4096
#
#
# Reduce igmp group membership - [Default = 20]
# Change the maximum number of multicast groups we can subscribe to.
net.ipv4.igmp_max_memberships = 0
#
#
# Optimizing network traffic
# [Vegas congestion avoidance detects congestion]
# [before packet loss unlike others that detect after loss]
net.ipv4.tcp_congestion_control = vegas
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_orphan_retries = 2
net.ipv4.tcp_max_orphans = 256
net.ipv4.tcp_rfc1337 = 1
net.ipv4.udp_mem = 4096 87380 8388608
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
#
#
# Use/Don't use Explicit Congestion Notification in our packets.
# ECN is only used when both ends of the TCP flow support it.
# It is useful to avoid packet loss due to congestion.
# Disable for security [If disabled some routers don't like it]
# 0 disable ECN
# 1 ECN enabled
# 2 Only server-side ECN enabled. If the other end does not support ECN, behavior is like with ECN disabled.
net.ipv4.tcp_ecn = 0
#
#
# This option tells the handler how long to keep an IP fragment in memory, 20 seconds in this case.
# Only fragments that can not yet be assembled are kept here,
# since fragments that can be assembled have already been moved.
net.ipv4.ipfrag_time = 20
#
#
# ipfrag_max_dist is a non-negative integer value which defines the maximum "disorder"
# which is allowed among fragments which share a common IP source address. [Default = 64]
# Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can result in unnecessarily dropping fragment queues
# when normal reordering of packets occurs, which could lead to poor application performance.
# Using a very large value, e.g. 50000, increases the likelihood of incorrectly reassembling IP fragments
# that originate from different IP datagrams, which could result in data corruption.
net.ipv4.ipfrag_max_dist = 256
#
#
# We don't really want to proxy ARP for anyone, do we?
# This option is turned off by default, but just to be safe..
net.ipv4.conf.all.proxy_arp = 0
#
#
#Increase system IP port limits
# Increase range with larger physical RAM (>128mb)
# Reduce range with lesser physical RAM (<128mb)
net.ipv4.ip_local_port_range = 2000 65000
#
#
# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
#
#
# Set maximum amount of memory allocated to shm to 128MB
kernel.shmmax = 134217728
#
#
# Reboots system after 20 seconds of kernel panic
kernel.panic = 20
#
#
# Turn on route flush
net.ipv4.route.flush = 1
#
#