Practical Web Programming

Monday, January 04, 2016

Basic Security Installs for Ubuntu

The original idea of this post was taken from My First 5 Minutes On A Server; Or, Essential Security for Linux Servers. As I build my servers I follow it, but some of its recommendations do not fit my requirements (for example, allowing SSH connections only from certain IPs, which locked me out on several occasions). This post is my own "concoction". It assumes that you already have a fresh server running with root as the only user.
  1. Login as root and set root password
    passwd
    
    It's always good to use a strong root password. I recommend Random Password Generator for this.
  2. Update Ubuntu
    apt-get update
    apt-get upgrade
    
  3. Install Fail2ban
    apt-get install fail2ban
    
    Fail2ban is a daemon that watches authentication logs and temporarily bans addresses that keep failing to log in. The Ubuntu package ships with the SSH jail enabled, so it protects sshd out of the box with no extra configuration.
  4. Create the deploy user and set up its home folders (useradd without -m does not create the home directory, hence the mkdir)
    useradd deploy
    mkdir /home/deploy
    mkdir /home/deploy/.ssh
    chmod 700 /home/deploy/.ssh
    
  5. Change the deploy user's login shell with the 'chsh' command. useradd gives new accounts /bin/sh by default; this switches deploy to bash, which is far more comfortable to work in interactively. (The sudo prefix is unnecessary while you are still root, but harmless.)
    sudo chsh -s /bin/bash deploy
    
  6. Require public key authentication for logging in
    vim /home/deploy/.ssh/authorized_keys
    
    Add the contents of id_rsa.pub from your local machine, one key per line, plus any other public keys that should have access to this server. Note that adding a key only permits key login; password login for deploy stays possible until PasswordAuthentication is set to no in /etc/ssh/sshd_config and sshd is restarted, so verify the key login works before you turn passwords off.
  7. Lock down the authorized_keys file and hand the home folder to deploy (everything created so far belongs to root, and sshd refuses keys it cannot attribute to the login user)
    chmod 400 /home/deploy/.ssh/authorized_keys
    chown deploy:deploy /home/deploy -R
    
  8. Test logging in as the new user (deploy) from a new terminal window, then generate an SSH key pair for that user. This key is for connecting out to GitHub or Bitbucket and is separate from the key you added in step 6.
    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
    
    The command above creates a new key pair under /home/deploy/.ssh/, using the provided email as the key comment.

    Logout user (deploy) and go back to the window where you are logged as root.
  9. Set a password for the deploy user. It is not used for SSH (that is key-based) but sudo will ask for it
    passwd deploy
    
  10. Change default text editor to your preference (I like Vim)
    update-alternatives --config editor
    
  11. Grant sudo to deploy. Run visudo, comment out the existing user/group grant lines (on Ubuntu these are the %admin and %sudo lines), and add:
    visudo
    
    Add the following line:
    root    ALL=(ALL) ALL
    deploy  ALL=(ALL) ALL
    
    This grants the deploy user full sudo access, authenticated with the password set in step 9. Always edit sudoers through visudo: it checks the syntax before saving, and a malformed sudoers file locks everyone out of sudo.
  12. Set up a firewall with ufw. Its default policy denies all incoming and allows all outgoing traffic, so allow SSH (22) before running ufw enable or you may cut off your own session.
    ufw allow 22
    ufw allow 80
    ufw allow 443
    ufw enable
    
  13. Enable automatic security updates
    apt-get install unattended-upgrades
    
    vim /etc/apt/apt.conf.d/10periodic
    
    Update the file to look like this:
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";
    
    One more config file to edit:
    vim /etc/apt/apt.conf.d/50unattended-upgrades
    
    Update the Allowed-Origins block so that only the security pocket is active (lines starting with // are disabled). The first form names the release codename explicitly; lucid is shown here, so substitute the codename of your own release. The second form uses variables apt expands at run time and works on any release. The plain ${distro_codename} origin is the frozen release pocket, so it adds nothing after install and the result is security updates only:
    Unattended-Upgrade::Allowed-Origins {
            "Ubuntu lucid-security";
    //      "Ubuntu lucid-updates";
    };
    
    or
    Unattended-Upgrade::Allowed-Origins {
            "${distro_id}:${distro_codename}";
            "${distro_id}:${distro_codename}-security";
    //      "${distro_id}:${distro_codename}-updates";
    //      "${distro_id}:${distro_codename}-proposed";
    //      "${distro_id}:${distro_codename}-backports";
    };
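
    Once the steps above are done, the useful thing is to check that the server actually ended up in the intended state. The script below is an added example, not part of the original post: it audits the permissions from steps 4 and 7, the authorized_keys entries from step 6, the two APT files from step 13, and, going beyond the post, that sshd_config really enforces key-only login (PasswordAuthentication and PermitRootLogin both no), which the post's own steps never set. The deploy user name and file paths are the post's; the fixture files the script builds for its demo are constructed samples, not captured from a server. It uses the GNU forms of stat and sed found on Ubuntu.

```shell
#!/usr/bin/env bash
# Post-hardening audit for the steps above. Added example, not part of the original post.
# Each check prints a reason and returns 1 on failure, 0 when it passes. Paths are
# parameters so the same functions run against a fixture tree or a live server.

# Steps 4 and 7: ~/.ssh must be 700, authorized_keys must not be group/world readable,
# and both must belong to the login user (root created them, hence the chown in step 7).
audit_ssh_perms() {                       # $1 = home directory, $2 = numeric uid of the owner
  local home="$1" uid="$2" p dir="$1/.ssh" keys="$1/.ssh/authorized_keys"
  [ -d "$dir" ] || { echo "missing $dir"; return 1; }
  [ "$(stat -c '%a' "$dir")" = 700 ] || { echo "$dir is mode $(stat -c '%a' "$dir"), want 700"; return 1; }
  [ -f "$keys" ] || { echo "missing $keys"; return 1; }
  case "$(stat -c '%a' "$keys")" in
    400|600) ;;
    *) echo "$keys is mode $(stat -c '%a' "$keys"), want 400 or 600"; return 1 ;;
  esac
  for p in "$dir" "$keys"; do
    [ "$(stat -c '%u' "$p")" = "$uid" ] || { echo "$p is not owned by uid $uid"; return 1; }
  done
}

# Step 6: each non-comment line must be a recognised public key type plus a base64 blob.
# A private key pasted by mistake fails here instead of sitting silently in the file.
audit_authorized_keys() {                 # $1 = authorized_keys
  local keys="$1" line n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac
    printf '%s\n' "$line" | grep -qE \
      '(^|[[:space:]])(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*([[:space:]]|$)' \
      || { echo "$keys:$n: not a public key entry"; return 1; }
  done < "$keys"
}

# sshd honours the first occurrence of a keyword, so a later "no" does not undo an earlier "yes".
sshd_effective() {                        # $1 = sshd_config, $2 = keyword; prints the value in lower case
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

# Key-only login is enforced by sshd_config, not by the existence of authorized_keys.
# This check goes beyond the post, which never edits sshd_config.
audit_sshd_config() {                     # $1 = sshd_config
  local f="$1" kw
  for kw in PasswordAuthentication PermitRootLogin; do
    [ "$(sshd_effective "$f" "$kw")" = no ] || { echo "$f: $kw is '$(sshd_effective "$f" "$kw")', want 'no'"; return 1; }
  done
}

# Step 13: the Periodic switches that drive unattended-upgrades must all be "1".
audit_apt_periodic() {                    # $1 = 10periodic
  local f="$1" key
  for key in Update-Package-Lists Download-Upgradeable-Packages Unattended-Upgrade; do
    grep -qE "^APT::Periodic::$key[[:space:]]+\"1\";" "$f" || { echo "$f: APT::Periodic::$key is not \"1\""; return 1; }
  done
}

# Step 13: with // comment lines dropped, a -security origin must remain active and
# -updates, -proposed and -backports must not. Works for both origin spellings above.
audit_allowed_origins() {                 # $1 = 50unattended-upgrades
  local f="$1" pocket active
  active=$(grep -v '^[[:space:]]*//' "$f" || true)
  printf '%s\n' "$active" | grep -qF -- '-security";' || { echo "$f: no active -security origin"; return 1; }
  for pocket in updates proposed backports; do
    printf '%s\n' "$active" | grep -qF -- "-$pocket\";" && { echo "$f: -$pocket origin is active"; return 1; }
  done
  return 0
}

run_audit() {                             # $1 = root prefix ("" on a live server), $2 = uid of deploy
  local root="$1" uid="$2" rc=0
  audit_ssh_perms "$root/home/deploy" "$uid" || rc=1
  audit_authorized_keys "$root/home/deploy/.ssh/authorized_keys" || rc=1
  audit_sshd_config "$root/etc/ssh/sshd_config" || rc=1
  audit_apt_periodic "$root/etc/apt/apt.conf.d/10periodic" || rc=1
  audit_allowed_origins "$root/etc/apt/apt.conf.d/50unattended-upgrades" || rc=1
  return "$rc"
}

# Constructed fixture (not captured from a real server) laid out as steps 4-13 leave it. The
# "bad" variant plants three realistic slips: a world-readable key file, password auth still
# on (an earlier "yes" shadowing the "no"), and the -updates pocket uncommented.
make_fixture() {                          # $1 = directory to populate, $2 = good | bad
  local root="$1" variant="$2" d="$1/etc/apt/apt.conf.d"
  mkdir -p "$root/home/deploy/.ssh" "$root/etc/ssh" "$d"
  chmod 700 "$root/home/deploy/.ssh"
  # Constructed ed25519 entry: right shape, not a real key.
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA deploy@laptop\n' > "$root/home/deploy/.ssh/authorized_keys"
  chmod 400 "$root/home/deploy/.ssh/authorized_keys"
  printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$root/etc/ssh/sshd_config"
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Download-Upgradeable-Packages "1";\nAPT::Periodic::AutocleanInterval "7";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$d/10periodic"
  printf 'Unattended-Upgrade::Allowed-Origins {\n\t"${distro_id}:${distro_codename}";\n\t"${distro_id}:${distro_codename}-security";\n//\t"${distro_id}:${distro_codename}-updates";\n};\n' > "$d/50unattended-upgrades"
  if [ "$variant" = bad ]; then
    chmod 644 "$root/home/deploy/.ssh/authorized_keys"
    printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$root/etc/ssh/sshd_config"
    sed -i 's|^//||' "$d/50unattended-upgrades"
  fi
}

# Demo on the two fixtures. On a real server run:  run_audit "" "$(id -u deploy)"
for variant in good bad; do
  tree=$(mktemp -d)
  make_fixture "$tree" "$variant"
  if run_audit "$tree" "$(id -u)"; then echo "$variant fixture: PASS"; else echo "$variant fixture: FAIL"; fi
  rm -rf "$tree"
done
```

    Run it as root after step 13 with run_audit "" "$(id -u deploy)"; any non-zero exit comes with the reason printed, and the sshd_config check is the one to take most seriously, since it is the only thing standing between an exposed port 22 and password guessing once fail2ban's bans expire.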
    
