- Log in as root and set the root password
passwd
Always use a strong root password; I recommend Random Password Generator for this.
- Update Ubuntu
apt-get update
apt-get upgrade
- Install Fail2ban
apt-get install fail2ban
Fail2ban is a daemon that watches log files for repeated failed logins and temporarily bans the offending IP addresses as the attempts happen. The Ubuntu package is well configured out of the box: the sshd jail is enabled by default. If you do change anything, put your overrides in /etc/fail2ban/jail.local rather than editing jail.conf, which the package may overwrite on upgrade.
- Create the deploy user and set up its home directory
useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
- Give the deploy user an interactive login shell with chsh (useradd defaults to /bin/sh on Ubuntu, which is unpleasant to work in)
chsh -s /bin/bash deploy
- Require public key authentication for logging in
vim /home/deploy/.ssh/authorized_keys
Paste the contents of the id_rsa.pub file from your local machine, plus any other public keys that should have access to this server, into /home/deploy/.ssh/authorized_keys, one key per line. Save and close the file. Note that this step only authorizes your key: password logins stay enabled until PasswordAuthentication is set to no in /etc/ssh/sshd_config and sshd is reloaded, which you should do only after the key-based login test below succeeds.
- Lock down the authorized_keys file and hand the home directory over to the deploy user
chmod 400 /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy
- Test the new user (deploy) from a new terminal window, keeping the root session open in case something is wrong
ssh deploy@<IP_OF_DROPLET>
- While connected as deploy, generate an SSH key pair. This key is for connecting from the server to GitHub or Bitbucket; it is separate from the key you just authorized.
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
- Log out the deploy user, close that terminal and go back to the terminal where you are logged in as root
exit
- Set the deploy user's password. This is the password sudo will ask for.
passwd deploy
- Change default text editor to your preference (I like Vim)
update-alternatives --config editor
- Grant sudo to deploy: comment out all existing user/group grant lines
visudo
Then add the following two lines:
root ALL=(ALL:ALL) ALL
deploy ALL=(ALL:ALL) ALL
This grants full sudo access to the deploy user once they enter their password. visudo checks the syntax before saving; never edit /etc/sudoers directly, since a typo there can lock you out of root.
- Set up a firewall with ufw to further secure the server. Allow SSH before enabling the firewall, or you will lock yourself out.
ufw allow 22
ufw allow 80
ufw allow 443
ufw enable
- Enable automatic security updates
apt-get install unattended-upgrades
vim /etc/apt/apt.conf.d/10periodic
Update the file to look like this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
One more config file to edit:
vim /etc/apt/apt.conf.d/50unattended-upgrades
Update the Allowed-Origins block so that only the security origin is enabled. Older versions of unattended-upgrades spell out the release codename, so replace lucid with the codename of the release you are actually running:
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
//      "Ubuntu lucid-updates";
};
Newer versions use variables that resolve to your release automatically, so this form works unchanged on any Ubuntu:
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
- Restart server and you're done!
reboot
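The "Require public key authentication" and "Lock down authorized_keys" steps above are done by hand with vim, chmod and chown. Below is an added example, not from the original post or the guide it is based on, that does the same work as idempotent POSIX sh functions you can rehearse on a scratch copy before pointing them at /etc/ssh/sshd_config and /home/deploy. It also makes the change the step's heading promises but its commands leave out, turning off password authentication, and runs sshd -t before reloading so a typo cannot lock you out. The function names are my own; the ssh-ed25519 key in the comments is a constructed, non-functional string, not a real key.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent helpers for the
# "require public key authentication" step. File and directory paths are
# parameters so every function can be tried on a scratch copy first.
# Example key line used in comments is constructed and not a real key:
#   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealKey00000 deploy@example
set -eu

# set_sshd_option FILE KEY VALUE
# Make "KEY VALUE" the effective global setting in an sshd_config. sshd takes
# the FIRST matching directive, so appending to a file that already has the
# directive changes nothing; and everything after the first "Match" line is
# conditional, so the new line must land before it. Existing global lines for
# KEY (active or "#"-commented) are removed; Match blocks are left untouched.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        tolower($1) == "match" && !done { print key " " value; done = 1; in_match = 1 }
        in_match                        { print; next }
        { first = $1; sub(/^#+/, "", first) }
        tolower(first) == tolower(key)  { next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # write through so FILE keeps its owner and mode
    rm -f "$tmp"
}

# effective_sshd_option FILE KEY
# Print the value sshd applies globally for KEY: the first active directive
# before any Match block. Empty output means the compiled-in default applies.
effective_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# install_authorized_key HOMEDIR OWNER KEYLINE
# Add one public key to HOMEDIR/.ssh/authorized_keys with the permissions the
# post uses (700 on .ssh, 400 on the file), refusing anything that is not an
# OpenSSH public-key line (a pasted private key, a URL, ...) and duplicates.
# Ownership is only changed when running as root and OWNER exists.
install_authorized_key() {
    home=$1 owner=$2 keyline=$3
    printf '%s\n' "$keyline" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$' \
        || { echo "rejected: not an OpenSSH public key line" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    keys="$home/.ssh/authorized_keys"
    [ -f "$keys" ] || : > "$keys"
    if ! grep -qxF -- "$keyline" "$keys"; then
        chmod 600 "$keys"                 # writable only long enough to append
        printf '%s\n' "$keyline" >> "$keys"
    fi
    chmod 400 "$keys"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$owner" "$home"
    else
        echo "note: not root or no such user, ownership of $home left as is" >&2
    fi
}

# harden_sshd [CONFIG]
# Turn off password logins so the authorized key is the only way in. Run as
# root from the session you already have open, and only after
# "ssh deploy@<IP_OF_DROPLET>" has worked with the key. A timestamped backup is
# kept, and sshd is reloaded only if sshd -t accepts the edited file.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no  # else PAM still offers a password prompt
    # set_sshd_option "$cfg" PermitRootLogin no   # optional once deploy's sudo is confirmed
    sshd -t -f "$cfg" && service ssh reload
}
```

Source the file as root in the still-open root session: install_authorized_key /home/deploy deploy 'ssh-ed25519 AAAA... you@laptop' (the public key line copied from your local machine) replaces the vim, chmod and chown steps, and harden_sshd applies the sshd_config change after the key login test has passed. Keep that root session open and confirm a fresh key-based login as deploy still works before you close it.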
Monday, January 04, 2016
Basic Security Installs for Ubuntu
The original idea for this post came from My First 5 Minutes On A Server; Or, Essential Security for Linux Servers. I follow it as I build my servers, but some of its recommendations do not fit my requirements (for example, allowing SSH only from certain IPs, which locked me out on several occasions). This post is my own "concoction". It assumes that you already have a fresh server running with root as the only user.
Labels: server