@jagira
Created January 24, 2024 03:40
Server Security Basics

Securing the server

Securing a server is a continuous process, as new vulnerabilities are discovered every day. But you will be relatively safe if you take some basic security measures: locking root access, not allowing password authentication, setting up a basic firewall and a log-watching mechanism, and enabling automatic updates.

1. Log in as root, then update the package list and upgrade tools.

apt-get update
apt-get upgrade

2. Change root password

Change the root password to something long and complex and note it somewhere. We are not going to use the root account.

passwd

3. Create deploy user

We will be using the deploy user to perform all of our deploy activities.

adduser deploy

4. Give root privileges to deploy user

Open the sudoers file using the visudo command.

Add the following line to the sudoers file.

deploy      ALL=(ALL:ALL) ALL

5. Test deploy account

Test the deploy user by switching to that account and issuing a command that requires superuser access.

su deploy
sudo apt-get update

6. Enabling passwordless logins to deploy account

Add your SSH key to authorized_keys on the server so that you can log in without a password.

Run the following command from your dev machine.

ssh-copy-id deploy@SERVER-IP

7. Secure and lock down SSH

The standard port for SSH is 22, and most attackers target that port. Change it to some random port number to increase security.

Also, restrict root login and password authentication.

Open sshd_config

sudo vi /etc/ssh/sshd_config

and make the following changes -

Port 23432
PermitRootLogin no
PasswordAuthentication no

8. Setup firewall

Ubuntu comes with ufw, a nice utility for configuring the firewall.

Only allow the ports you are planning to use.

ufw allow 80
ufw allow 443
ufw allow 23432

9. Install fail2ban

fail2ban monitors your log files and bans hosts that cause multiple authentication errors.

sudo apt-get install fail2ban

The default configuration is enough.

10. Install and setup logwatch to monitor intrusion attempts

Logwatch is a log analysis system. You can configure it to mail you its log analysis reports.

Install logwatch

sudo apt-get install logwatch

Set up a cron task for logwatch to mail you its daily reports

sudo vim /etc/cron.daily/00logwatch 

Add the following line:

/usr/sbin/logwatch --output mail --mailto test@gmail.com --detail high

11. Enable automatic security updates

After the Heartbleed and Shellshock bugs, it makes sense to have automatic security updates enabled.

Install unattended-upgrades

apt-get install unattended-upgrades

vim /etc/apt/apt.conf.d/10periodic

Edit the file to look like this -

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
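
A check for step 7, added here as an example and not part of the original gist: sshd uses the first value it reads for each keyword, so appending the three lines below an existing "PasswordAuthentication yes" leaves password logins enabled. The function names, the sample file and the decision to read only the global section of a single file are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original gist): audit the step 7 settings.
# Assumption: only the global section of one file is read; Include files and
# Match blocks are not evaluated. On a live host, `sshd -T` prints the
# configuration sshd actually resolves.

# Print the global value of keyword $1 in file $2, or default $3 if unset.
# sshd keeps the FIRST value seen per keyword; Port lines accumulate instead.
sshd_value() {
    awk -v key="$1" -v def="$3" '
        { sub(/#.*/, "") }                       # strip comments
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(key) {
            out = out (out == "" ? "" : ",") tolower($2)
            if (tolower(key) != "port") exit     # first occurrence wins
        }
        END { print (out == "" ? def : out) }
    ' "$2"
}

# Return 0 only if the file matches step 7; print one line per finding.
audit_sshd() {
    local file="$1" rc=0 port root pass
    port=$(sshd_value Port "$file" 22)                          # OpenSSH default
    root=$(sshd_value PermitRootLogin "$file" prohibit-password)
    pass=$(sshd_value PasswordAuthentication "$file" yes)
    case ",$port," in *,22,*) echo "FAIL sshd still listens on 22"; rc=1 ;; esac
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=$pass"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK port=$port root=$root password=$pass"
    return "$rc"
}

# Constructed sample: the step 7 lines appended below a distro default that
# already set PasswordAuthentication, so the later "no" is ignored.
sample_shadowed() {
    printf '%s\n' '#Port 22' 'PasswordAuthentication yes' \
        'Port 23432' 'PermitRootLogin no' 'PasswordAuthentication no'
}

tmp=$(mktemp)
sample_shadowed > "$tmp"
audit_sshd "$tmp" || echo "config needs fixing before relying on it"
rm -f "$tmp"
```

Run audit_sshd against a copy of /etc/ssh/sshd_config before closing your existing session, so a shadowed setting is caught while you still have access.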