Basic config and hardening of an Ubuntu server
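#!/usr/bin/env bash
##########################################################################################
# Basic configuration and some simple hardening for a Debian/Ubuntu server
##########################################################################################
# This guide assumes that a fresh server is being configured.
# It is meant to be followed step by step (run one block at a time), not executed
# end-to-end: several steps open an editor, one reboots the machine, and the SSH and
# firewall steps can lock you out if done out of order.
# All commands are to be run as superuser (root).
#
# Adjustable values (export them before running, or edit the defaults here):
#   NEW_USER  - name of the administrative user to create
#   ADMIN_IP  - your static IP; when set, SSH (port 22) is only reachable from it
#   EDITOR    - editor used for the manual configuration steps (defaults to vi)
NEW_USER=${NEW_USER:-username}
ADMIN_IP=${ADMIN_IP:-}
EDITOR=${EDITOR:-vi}
NEW_HOME=/home/$NEW_USER

# Everything below needs root; bail out early instead of failing half-way through.
if (( EUID != 0 )); then
  printf '%s\n' 'This guide must be run as root' >&2
  exit 1
fi

# Root passwd:
# set it to something complex, it won't be used (more on that later),
# it is needed just in case something happens during these steps
passwd

# Update the system
apt-get update
apt-get dist-upgrade

# If a new kernel was installed, reboot the system to start using it now
# (nothing after this line runs until you log back in and continue from the next step)
shutdown -r now 'Kernel upgraded, a reboot is required'

# Optional steps would comprise the cleaning of any old, no longer needed kernels.
# See the name of the kernel currently being used
uname -r
# Outputs something like:
# `4.15.0-43-generic`

# Get the list of all installed kernels, filtering out the currently used kernel, to avoid errors.
# `-F` matches the running version as a literal string (the dots would otherwise be regex wildcards).
# NOTE: meta-packages such as `linux-image-generic` also match this pattern; do NOT purge them,
# or future kernel upgrades will no longer be pulled in.
dpkg --list 'linux-image*' | awk '$1 == "ii" { print $2 }' | grep -vF -- "$(uname -r)"
# Outputs something like:
# ```
# linux-image-4.15.0-40-generic
# linux-image-4.15.0-41-generic
# linux-image-4.15.0-42-generic
# ```
# Remove all the unneeded kernels:
# adapt and repeat this sentence for each of the kernels present in your system that you'd like to purge
apt-get remove --purge linux-image-4.15.0-40-generic
# Run autoremove, then update the grub list
apt-get autoremove
update-grub

# Now, let's get back to the mandatory steps

# Install fail2ban
apt-get install fail2ban

# Create a user to log into the system and to handle any software deployed in it.
# `-m` creates the home directory, `-s` sets /bin/bash as the login shell.
useradd -m -s /bin/bash "$NEW_USER"
mkdir -p -- "$NEW_HOME/.ssh"
chmod 700 -- "$NEW_HOME/.ssh"

# The login will be handled using SSH keys,
# thus a public key needs to be added to the `authorized_keys` of the just-created user.
# Add the contents of any number of required public keys to that file
# (any editor is valid; set EDITOR above if you are not a vi user).
"$EDITOR" "$NEW_HOME/.ssh/authorized_keys"
# Set permissions for that file, then hand the whole home directory over to the new user
chmod 400 -- "$NEW_HOME/.ssh/authorized_keys"
chown -R -- "$NEW_USER:$NEW_USER" "$NEW_HOME"

# Set the sudo password for the new user (won't be used to login, since a public key will be used for that)
passwd "$NEW_USER"

# Add the new user to the sudoers:
# comment all user/group grant lines and leave the two following:
# ```
# root ALL=(ALL) ALL
# username ALL=(ALL) ALL
# ```
visudo

# Secure SSH editing `sshd_config` and adding the following lines:
# disable root login, disable login without public key, restrict who may log in
# ```
# PermitRootLogin no
# PasswordAuthentication no
# AllowUsers username@(your-ip) username@(another-ip-if-any)
# ```
# Keep this session open and test the new login from a second terminal before closing it;
# with password authentication off, a mistake here locks you out of the box.
"$EDITOR" /etc/ssh/sshd_config
# Validate the configuration before restarting, so a syntax error does not take sshd down
sshd -t
# Restart ssh to make the changes effective
service ssh restart

# Add rules to the firewall and then enable it.
# If you have a static IP, restrict the ssh login to your IP, otherwise just allow connections to port 22.
# The ssh rule must be in place BEFORE `ufw enable`, or the enable step cuts your own session.
if [[ -n "$ADMIN_IP" ]]; then
  ufw allow from "$ADMIN_IP" to any port 22 proto tcp
else
  ufw allow 22/tcp
fi
# HTTP/HTTPS are TCP only; a bare `ufw allow 80` would also open UDP
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

# Most probably, unattended-upgrades is already installed, but just in case...
apt-get install unattended-upgrades
# Edit a couple of files to configure unattended upgrades.
# Make `/etc/apt/apt.conf.d/10periodic` look like the following lines
# (on newer releases the same settings live in `/etc/apt/apt.conf.d/20auto-upgrades`;
# check which one your system has)
# ```
# APT::Periodic::Update-Package-Lists "1";
# APT::Periodic::Download-Upgradeable-Packages "1";
# APT::Periodic::AutocleanInterval "7";
# APT::Periodic::Unattended-Upgrade "1";
# ```
"$EDITOR" /etc/apt/apt.conf.d/10periodic
# Restrict allowed origins so that only security updates are downloaded.
# Most probably any other source will be already commented, but
# edit `/etc/apt/apt.conf.d/50unattended-upgrades` to confirm.
#
# Contents should look like this (replace `lucid` with your release's codename;
# recent versions of the file use the `"${distro_id}:${distro_codename}-security";` form instead):
# Unattended-Upgrade::Allowed-Origins {
# "Ubuntu lucid-security";
# // "Ubuntu lucid-updates";
# };
"$EDITOR" /etc/apt/apt.conf.d/50unattended-upgrades

# Install logwatch, then edit its config file and add a line to receive email notifications.
# Add a line like the following one, don't forget to set the right email
# /usr/sbin/logwatch --output mail --mailto test@gmail.com --detail high
apt-get install logwatch
"$EDITOR" /etc/cron.daily/00logwatch

# Several sources were consulted while writing this:
# * Mostly: https://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers
# * Stack Overflow was used to confirm/change a few lines: https://stackoverflow.com/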