I'll enumerate below a suite of guides I've followed to setup a Ubuntu server:
- https://www.informaticar.net/security-hardening-ubuntu-20-04
- https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-ubuntu-20-04/
- https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu
- https://www.linuxbabe.com/ubuntu/automatic-security-update-unattended-upgrades-ubuntu
- https://www.linuxbabe.com/security/harden-ssh-server
- https://www.linuxbabe.com/mail-server/host-multiple-mail-domains-in-postfixadmin
- https://www.linuxbabe.com/mail-server/block-email-spam-postfix
- https://www.linuxbabe.com/mail-server/block-email-spam-check-header-body-with-postfix-spamassassin
- https://www.linuxbabe.com/mail-server/opendmarc-postfix-ubuntu
- https://www.linuxbabe.com/mail-server/microsoft-outlook-ip-blacklist
- https://www.linuxbabe.com/security/10-steps-in-application-security-assessment
Optional:
- https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
- https://www.linuxbabe.com/ubuntu/set-up-local-dns-resolver-ubuntu-20-04-bind9
- https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
Notes:
- For https://www.linuxbabe.com/mail-server/postfixadmin-create-virtual-mailboxes-ubuntu-20-04 I had to use part of https://linuxize.com/post/set-up-an-email-server-with-postfixadmin/ because I'm using PHP 8.0.
- I also had to download and install the latest version of
postfixadminfrom https://packages.ubuntu.com/impish/all/postfixadmin/download - This command might need to be run every 3 months to renew and merge certificates for multiple mail domains:
sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email you@example.com- compile the ModSecurity module for Nginx on a new version using https://www.linuxbabe.com/security/modsecurity-nginx-debian-ubuntu#upgrading-nginx
- download https://github.com/coreruleset/coreruleset/releases and update Nginx rules
Commands to upgrade Nginx and the ModSecurity module:
sudo apt-mark unhold nginx
sudo apt upgrade nginx
# The install process will fail because your ModSecurity module version doesn't match with the new version of Nginx
# So, let's update ModSecurity to the latest nginx version
# check nginx version
nginx -v
cd /usr/local/src/nginx
sudo apt install dpkg-dev
# download nginx sources
apt source nginx
cd nginx-1.23.1/ # or the version previously queried
./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx
make modules
sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
# resume upgrade process
sudo apt upgrade
sudo apt-mark hold nginx
apt-mark showhold