
@asimpson

asimpson/foo.org Secret

Created Nov 17, 2018

A few things to do on a new Linux (Debian/Ubuntu) box to secure it.

Change the root password to something long and complex. You won’t need to remember it, just store it somewhere secure - this password will only be needed if you lose the ability to log in over ssh or lose your sudo password.

passwd

Run updates

apt-get update

apt-get upgrade

Set up your login user.

useradd -m -s /bin/bash NEWNAMEHERE

mkdir /home/NEWNAMEHERE/.ssh

chmod 700 /home/NEWNAMEHERE/.ssh

(-m creates the home directory from /etc/skel and -s sets the login shell; on Debian/Ubuntu a bare useradd creates no home directory and leaves the shell as /bin/sh.)

Set up public key auth

vim /home/NEWNAMEHERE/.ssh/authorized_keys

Add the contents of id_rsa.pub (or whichever public key you use) from your local machine, one key per line, plus any other public keys that should have access to this server.

Change the permissions on the ssh files. Everything so far was created by root, so the chown at the end hands the home directory and its contents to the new user; sshd refuses to use an authorized_keys file that is writable by anyone else.

chmod 400 /home/NEWNAMEHERE/.ssh/authorized_keys

chown NEWNAMEHERE:NEWNAMEHERE /home/NEWNAMEHERE -R

Now test your new account logging into your new server with the new user (keep the terminal window with the root login open). If you’re successful, switch back to the terminal with the root user active and set a sudo password for your login user:

passwd NEWNAMEHERE

Set a complex password - you can either store it somewhere secure or make it something memorable to the team. This is the password you’ll use to sudo.

Enable sudo:

visudo

Comment out all existing user/group grant lines (on Ubuntu that includes the %admin and %sudo lines; anything included from /etc/sudoers.d stays in effect and needs the same review) and add:

root ALL=(ALL) ALL

NEWNAMEHERE ALL=(ALL) ALL

Lock down ssh

vim /etc/ssh/sshd_config

Ensure root login is disabled:

PermitRootLogin no

Restart ssh:

service ssh restart
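The ssh lockdown above, as an added example that is not part of the original gist. It sets a directive idempotently (sshd honours the first occurrence of a keyword, and anything after a Match line only applies inside that block, so blindly appending to sshd_config can silently lose), then has sshd validate the file with sshd -t before the restart, which is the moment a broken config would otherwise lock you out. PasswordAuthentication no is an addition beyond the gist's PermitRootLogin no and is only safe once the key-based login test above has succeeded. The APPLY_SSHD_HARDENING variable is a name chosen for this example; it assumes Debian/Ubuntu paths (/usr/sbin/sshd, service ssh).

```shell
#!/bin/sh
# Added example, not from the original gist: set sshd directives idempotently,
# then let sshd validate the file before the service is restarted.
set -eu

# set_sshd_option FILE KEY VALUE
# Replaces every global "KEY ..." line (active or commented out) with a single
# "KEY VALUE" line; if none exists, inserts the directive before the first
# Match block, or appends it when there is none.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); inmatch = 0; written = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indent and "#"
            n = split(line, f, /[ \t=]+/)
            word = (n > 0) ? tolower(f[1]) : ""
            if (word == "match") inmatch = 1
            if (!inmatch && word == lk) {           # a global KEY line
                if (!written) { print key " " value; written = 1 }
                next                                # drop duplicates/comments
            }
            if (inmatch && !written) {              # first Match: go before it
                print key " " value; written = 1
            }
            print
        }
        END { if (!written) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"                            # keeps mode and owner
    rm -f "$tmp"
}

# harden_sshd [FILE]
# Backs up the config, applies the lockdown and restarts sshd only if
# `sshd -t` accepts the result (set -e stops the script on a non-zero exit).
harden_sshd() {
    local file=${1:-/etc/ssh/sshd_config}
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$file" PermitRootLogin no
    # Beyond the gist: key-only login. Do this only after the key login test.
    set_sshd_option "$file" PasswordAuthentication no
    /usr/sbin/sshd -t -f "$file"
    service ssh restart
}

# Variable name chosen for this example: run as root with
# APPLY_SSHD_HARDENING=1 to apply; otherwise only the functions are defined.
if [ "${APPLY_SSHD_HARDENING:-0}" = 1 ]; then
    harden_sshd "$@"
fi
```

Run it as root with APPLY_SSHD_HARDENING=1 from the terminal that still has the root session open, and only then reconnect with the new user to confirm the change took.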

Set up a firewall

ufw allow 22

ufw allow 80

ufw allow 443

ufw enable

Set up security updates to auto-install

apt-get install unattended-upgrades

This file:

vim /etc/apt/apt.conf.d/10periodic

Should have this in it:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Open: vim /etc/apt/apt.conf.d/50unattended-upgrades

Make sure this is in there:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};

The original note had "Ubuntu lucid-security" here, carried over from the 2013 post it was taken from. lucid is the codename of Ubuntu 10.04; on any other release that origin matches nothing, so unattended-upgrades runs but installs no updates. The templated form above (shipped in the default 50unattended-upgrades on current Debian/Ubuntu) expands to the running release, so it does not go stale. If you write a literal codename instead, it must be the one the box is actually running.
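A check for the failure mode just described, as an added example that is not part of the original gist: it looks for an active (not //-commented) Allowed-Origins entry that names the security pocket of the release the box is running, accepting the legacy "Ubuntu lucid-security" spelling, the colon form and the templated form. It assumes lsb_release is installed (package lsb-release); the CHECK_UNATTENDED_UPGRADES variable and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original gist: verify that 50unattended-upgrades
# actually targets the security pocket of the running release. A stale
# codename (the gist's "lucid" on a newer Ubuntu) matches nothing and
# unattended-upgrades silently installs nothing.
set -eu

# security_origin_configured FILE DISTRO_ID CODENAME
# Returns 0 if FILE has an uncommented origin for DISTRO_ID's
# CODENAME-security pocket in the legacy "Ubuntu lucid-security" form, the
# colon form "Ubuntu:bionic-security" or the templated
# "${distro_id}:${distro_codename}-security" form; 1 otherwise.
security_origin_configured() {
    local file=$1 id=$2 codename=$3
    awk -v id="$id" -v cn="$codename" '
        BEGIN { found = 0 }
        /^[ \t]*\/\// { next }                       # commented-out entry
        /-security"/ {
            line = $0
            gsub(/\$\{distro_id\}/, id, line)        # expand the template vars
            gsub(/\$\{distro_codename\}/, cn, line)
            if (index(line, "\"" id ":" cn "-security\"") ||
                index(line, "\"" id " " cn "-security\"")) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# check_unattended_upgrades [FILE]
# Compares FILE against the running release (via lsb_release, which is what
# unattended-upgrades itself uses for distro_id/distro_codename) and fails
# loudly when security updates would never be selected.
check_unattended_upgrades() {
    local file=${1:-/etc/apt/apt.conf.d/50unattended-upgrades} id codename
    id=$(lsb_release -is)
    codename=$(lsb_release -cs)
    if security_origin_configured "$file" "$id" "$codename"; then
        echo "ok: $file enables $id:$codename-security"
    else
        echo "WARNING: $file has no active origin for $id:$codename-security; security updates will not be installed" >&2
        return 1
    fi
}

# Variable name chosen for this example: run with CHECK_UNATTENDED_UPGRADES=1
# to perform the check; otherwise only the functions are defined.
if [ "${CHECK_UNATTENDED_UPGRADES:-0}" = 1 ]; then
    check_unattended_upgrades "$@"
fi
```

Run it once after editing the file and again after any release upgrade; a non-zero exit means the box is not actually getting security updates.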

Took my preferred bits from: https://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers
