What Can Be Done To Secure Ubuntu Server?












34















I have a project to secure Ubuntu Server as much as I can.
The server is a web hosting server. The server will be running LAMP , Mail , and DNS.










share|improve this question

























  • What services will be running?

    – wojox
    Jun 5 '12 at 12:43











  • LAMP , Mail , DNS

    – One Zero
    Jun 5 '12 at 12:49











  • I have made a Ubuntu Server Cheat Sheet and I'd like to share it with you. First few pages are general linux commands, then specific server packages and the last page is a server security checklist. The checklist unites tips and hardenings from many websites. I hope it helps you! Licensed under the WTFPL license. You can view/download/whatever the checklist here. I update it from time to time.

    – Noah Krasser
    Jul 26 '17 at 12:32
















34















I have a project to secure Ubuntu Server as much as I can.
The server is a web hosting server. The server will be running LAMP , Mail , and DNS.










share|improve this question

























  • What services will be running?

    – wojox
    Jun 5 '12 at 12:43











  • LAMP , Mail , DNS

    – One Zero
    Jun 5 '12 at 12:49











  • I have made a Ubuntu Server Cheat Sheet and I'd like to share it with you. First few pages are general linux commands, then specific server packages and the last page is a server security checklist. The checklist unites tips and hardenings from many websites. I hope it helps you! Licensed under the WTFPL license. You can view/download/whatever the checklist here. I update it from time to time.

    – Noah Krasser
    Jul 26 '17 at 12:32














34












34








34


37






I have a project to secure Ubuntu Server as much as I can.
The server is a web hosting server. The server will be running LAMP , Mail , and DNS.










share|improve this question
















I have a project to secure Ubuntu Server as much as I can.
The server is a web hosting server. The server will be running LAMP , Mail , and DNS.







server security dns lamp hosting






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jun 27 '12 at 23:55









pl1nk

4,42852143




4,42852143










asked Jun 5 '12 at 12:20









One ZeroOne Zero

17.4k2272106




17.4k2272106













  • What services will be running?

    – wojox
    Jun 5 '12 at 12:43











  • LAMP , Mail , DNS

    – One Zero
    Jun 5 '12 at 12:49











  • I have made a Ubuntu Server Cheat Sheet and I'd like to share it with you. First few pages are general linux commands, then specific server packages and the last page is a server security checklist. The checklist unites tips and hardenings from many websites. I hope it helps you! Licensed under the WTFPL license. You can view/download/whatever the checklist here. I update it from time to time.

    – Noah Krasser
    Jul 26 '17 at 12:32



















  • What services will be running?

    – wojox
    Jun 5 '12 at 12:43











  • LAMP , Mail , DNS

    – One Zero
    Jun 5 '12 at 12:49











  • I have made a Ubuntu Server Cheat Sheet and I'd like to share it with you. First few pages are general linux commands, then specific server packages and the last page is a server security checklist. The checklist unites tips and hardenings from many websites. I hope it helps you! Licensed under the WTFPL license. You can view/download/whatever the checklist here. I update it from time to time.

    – Noah Krasser
    Jul 26 '17 at 12:32

















What services will be running?

– wojox
Jun 5 '12 at 12:43





What services will be running?

– wojox
Jun 5 '12 at 12:43













LAMP , Mail , DNS

– One Zero
Jun 5 '12 at 12:49





LAMP , Mail , DNS

– One Zero
Jun 5 '12 at 12:49













I have made a Ubuntu Server Cheat Sheet and I'd like to share it with you. First few pages are general linux commands, then specific server packages and the last page is a server security checklist. The checklist unites tips and hardenings from many websites. I hope it helps you! Licensed under the WTFPL license. You can view/download/whatever the checklist here. I update it from time to time.

– Noah Krasser
Jul 26 '17 at 12:32





I have made a Ubuntu Server Cheat Sheet and I'd like to share it with you. First few pages are general linux commands, then specific server packages and the last page is a server security checklist. The checklist unites tips and hardenings from many websites. I hope it helps you! Licensed under the WTFPL license. You can view/download/whatever the checklist here. I update it from time to time.

– Noah Krasser
Jul 26 '17 at 12:32










8 Answers
8






active

oldest

votes


















43














Here is a list of things I do to secure my server.




  1. Turn on UFW (sudo ufw enable) and then only allow ports that are actually used. (sudo ufw allow 80)

  2. Make sure MySQL only allows connections from localhost.

  3. Enable TLS on mail services. Even if it's a self signed cert. You don't want passwords sent in the clear.

  4. Install ssh bruteforce blockers like denyhosts or fail2ban. (sudo apt-get install denyhosts)

  5. Look into making ssh key-based logins only.

  6. Learn AppArmor. If you use fairly vanilla configurations, then it's extremely easy. Just make sure it's turned on. It will help reduce zero-day exploits.

  7. Depending on physical access to the server, you may even want to look at encrypting the data on the harddisk.

  8. Follow other recommendations in this link. EDIT: I forgot to edit this when I didn't have enough reputation to add more links. The link meant here is the last link below.

  9. Never trust your users. If you are having multiple users with access to the system, lock them down. If you have to give them sudo access, give them only what they need.

  10. Use common sense. Think real hard about how you'd get in if you were ever locked out. Then close those holes.


A few more things to consider. Most people forget about physical access. All the software configurations in the world don't mean anything if I can physically walk in with a LiveCD and steal your data. Beware of social engineering. Ask questions to verify who is on the phone and make sure they have authorization to make the request they are making.



Since I'm still a 'new' user, I can't post more than 2 links. You can read up more about this subject here: https://help.ubuntu.com/12.04/serverguide/index.html and pay special attention to https://help.ubuntu.com/12.04/serverguide/security.html






share|improve this answer





















  • 2





    An alternative to using UFW (while still using built in out of the box firewalls in Ubuntu) is to lock down your system with extremely specific iptables rules to disallow external access to any service you aren't going to utilize, if you have an odd-ball setup that requires advanced rouing and stuff though.

    – Thomas Ward
    Jun 7 '12 at 13:23






  • 2





    @LordofTime Agreed. I actually use iptables myself, but ufw is just fine for most basic installs. Also UFW is more or less just a wrapper for most common iptables configurations anyway. The underlying system is still the same.

    – Patrick Regan
    Jun 7 '12 at 13:34






  • 2





    +1 for ufw ,you are not a new user ,you are member for 1 year :p

    – Tachyons
    Jun 7 '12 at 13:36






  • 1





    Indeed, I just wanted to point out that in certain instances iptables will have better usability over ufw in certain cases

    – Thomas Ward
    Jun 7 '12 at 13:46






  • 1





    Consider BastilleLinux it's also a good security hardening suite.

    – pl1nk
    Jun 7 '12 at 23:05





















13














Secure shared memory



/dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.



Open a Terminal Window and enter the following :



sudo vi /etc/fstab


Add the following line and save. You will need to reboot for this setting to take effect :



tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0


Harden network with sysctl settings



The /etc/sysctl.conf file contain all the sysctl settings.
Prevent source routing of incoming packets and log malformed IP's enter the following in a terminal window



sudo vi /etc/sysctl.conf


Edit the /etc/sysctl.conf file and un-comment or add the following lines :



# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1


To reload sysctl with the latest changes, enter:



sudo sysctl -p


Prevent IP Spoofing



Open a Terminal and enter the following :



sudo vi /etc/host.conf


Add or edit the following lines :



order bind,hosts
nospoof on


Harden PHP for security



Edit the php.ini file :



sudo vi /etc/php5/apache2/php.ini


Add or edit the following lines :



disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
magic_quotes_gpc = On


Web Application Firewall - ModSecurity



http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



Protect from DDOS (Denial of Service) attacks - ModEvasive



http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban



@DenyHosts



DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.



Open a Terminal and enter the following :



sudo apt-get install denyhosts


After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.



To edit the admin email settings open a terminal window and enter:



sudo vi /etc/denyhosts.conf


Change the following values as required on your server :



ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts nobody@localhost
#SYSLOG_REPORT=YES


@ Fail2Ban



Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.



Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.



Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).



Open a Terminal and enter the following :



sudo apt-get install fail2ban


After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.



To edit the settings open a terminal window and enter:



sudo vi /etc/fail2ban/jail.conf


Activate all the services you would like fail2ban to monitor by changing enabled = false to *enabled = true*



For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.



[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3


If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.



destemail = root@localhost


and change the following line from :



action = %(action_)s


to:



action = %(action_mwl)s


You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.



sudo vi /etc/fail2ban/jail.local


Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge - click here for an example



When done with the configuration of Fail2Ban restart the service with :



sudo /etc/init.d/fail2ban restart


You can also check the status with.



sudo fail2ban-client status


Check for rootkits - RKHunter and CHKRootKit.



Both RKHunter and CHKRootkit basically do the same thing - check your system for rootkits. No harm in using both.



Open a Terminal and enter the following :



sudo apt-get install rkhunter chkrootkit


To run chkrootkit open a terminal window and enter :



sudo chkrootkit


To update and run RKHunter. Open a Terminal and enter the following



sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check


Scan open ports - Nmap



Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.



Open a Terminal and enter the following :



sudo apt-get install nmap


Scan your system for open ports with :



nmap -v -sT localhost


SYN scanning with the following :



sudo nmap -v -sS localhost


Analyse system LOG files - LogWatch



Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.



Open a Terminal and enter the following :



sudo apt-get install logwatch libdate-manip-perl


To view logwatch output use less :



sudo logwatch | less


To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :



sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today' 


Audit your system security - Tiger.



Tiger is a security tool that can be use both as a security audit and intrusion detection system.



Open a Terminal and enter the following :



sudo apt-get install tiger


To run tiger enter :



sudo tiger


All Tiger output can be found in the /var/log/tiger



To view the tiger security reports, open a Terminal and enter the following :



sudo less /var/log/tiger/security.report.*


For More Help






share|improve this answer
























  • PHP: magic_quotes_gpc = On. Magic quotes has been first deprecated and then removed: php.net/manual/en/security.magicquotes.whynot.php

    – Tim
    Jun 3 '14 at 16:40



















13





+250









Since you said this is web-hosting-server... I would like to share my best practices and experience of 5 long years in the web-hosting line.




  1. From my past experiences, rather than going into configuration hell straight away, you should first assemble the low hanging grapes of security as indicated on the given article.


  2. Since you are having LAMP, thus you must be very cautious bout PHP and its php.ini settings. This is a good link for securing PHP. PHP has super powers which may become security loop when not configured properly.


  3. You may use a cron job to check when your files were modified without your permission and possibly hacked; using this cron job. I prefer Notepad++ to compare the cron results (directly download the cron email from your web server and open in Notepad++).


  4. If you want to install some SEM, then cPanel is best preferred (however paid). Webmin and zpanel are very good free alternatives. Webmin is better for it atleast uses self signed certificates and adds security.


  5. If you want something to work right out of the box then you may go for Turnkey Linux. It is based on Ubuntu, extremely easy to implement and flexible to your needs. With very little effort you get security out of the box. This is their LAMP stack. I personally use and prefer this only.


  6. If you are starting from scratches, then you may also install ISPconfig3. Instruction Here.


  7. you may test your security by trying to penetrate your security using Back-Track-Linux.


  8. keep complex long and random passwords. Dont store them on PC. write them down. Use a live CD to access these logins.


  9. get a brute force protection software like fail2ban.


  10. Dont run those daemons which you don't need.


  11. Block all the unnecessary ports. be extremely careful with SSH port (22).


  12. Get yourself with a static IP on the system through which you gonna manage the server. Make most of the things IP block and only allow your particular IP to access those configuration places like port 22.



In the end of the day... work with utter piece of mind, don't get emotional with the install and applying common sense takes you far beyond.



**My heartiest best wishes to you. good luck.**





share|improve this answer





















  • 1





    PHP can also be dangerous when trusting user input (sql injection for example).

    – NoBugs
    Jun 12 '12 at 0:24











  • @NoBugs I absolutely agree with this point. Its not possible to compress everything in one singly answer. My answer contains many hyperlinks an as such these websites containing those pages are really very useful. Hope my answer and included links help the community :)

    – Z9iT
    Jun 12 '12 at 21:50






  • 2





    #9: No, ramdom passowrds are bad, the key is in the length, ie. "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9". Explanation at explainxkcd.com/2011/08/10/password-strength

    – papukaija
    Jun 12 '12 at 22:01








  • 2





    @papukaija i suggest you to google on brute force attacks and dictionary attacks.. Random long password are the only way to secure yourself from such attacks.

    – Z9iT
    Jun 12 '12 at 22:29



















6














Make use of the Bastille Linux project.



It provides an interactive tool to perform additional security hardening measures to increase the over-all security, and decrease the susceptibility of compromise for your Ubuntu system (from Bastille Linux).



It offers an assessment and reporting functionality, so that it can tell you what parts of the system aren't locked down. It examines the system in a read-only fashion, reporting on the status of each of its hardening items. For example, Bastille might check whether the DNS server is locked in a chroot prison, whether telnet is turned off, or even if passwords are required to be a good length. You can take a look at a Web-only demo of this through this link (more info).



You can have preview of the Web (only) demo here.



BastillleLinux






share|improve this answer



















  • 1





    I can second that recommendation. For running exposed hosts (e.g. web-servers), bastille goes a long way towards securing the system.

    – Floyd
    Jun 10 '12 at 15:21











  • This looks similar to the SELinux system that you find on CentOS/Redhat but I bet SELinux is more modern.

    – djangofan
    Jun 12 '12 at 21:35



















3














Use nmap on all interfaces on the machine, so you know what services you run on your machine. This is an essential tool for security.



Remove all services you don't need on your external interfaces. You can configure MySQL to only listen on specific interfaces, like localhost.



Use ufw to protect your SSH service (and possible others) so that it doesn't allow too many (failed) connections per minute from same machine. That will make brute force attacks harder. To change port number isn't that usefull, just obscurity, no security.



Be restrictive with the number of accounts on your machine. Also don't install more packages/programs than you actually uses. Only install X11-clients, not a X11-server.



Only allow ssh-login to the machine with digital certificates, no password. That will also make brute force attacks hard/impossible.






share|improve this answer

































    2














    I would also consult the CIS Debian Benchmarks document and it has a significant number of procedures and processes for hardening the operating system that will apply to Ubuntu since it's a derivative of Debian. I would also consult:




    • Securing Debian Howto

    • Debian Hardening Walkthrough

    • Hardening The Linux Kernel With Grsecurity (Debian)






    share|improve this answer































      0














      Security always comes with a price. Setting some realistic boundaries will help you in getting your goals. I would consider the following aspects:




      • Against what are you protecting yourself (which type of villain, what is his budget)?

      • What are your attack vectors?


      Checking all the links that are posted here, I think this one should be added. It goes into detail about not only how to setup your software, but also to think about the security plan. As a plus, every command to execute is explained with a source to it.



      Securing an Ubuntu Webserver on Xenial 16.04






      share|improve this answer































        0














        I made a post about this not long ago on how to secure ubuntu 16.04-18.04. These steps include:



        Replace Password Login With Authorized keys
        Install a Firewall on Your Linux Server



        and some more.
        https://hostup.org/blog/how-to-secure-a-ubuntu-linux-server-in-3-simple-steps/






        share|improve this answer








        New contributor




        Davh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.




















          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f146775%2fwhat-can-be-done-to-secure-ubuntu-server%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          8 Answers
          8






          active

          oldest

          votes








          8 Answers
          8






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          43














          Here is a list of things I do to secure my server.




          1. Turn on UFW (sudo ufw enable) and then only allow ports that are actually used. (sudo ufw allow 80)

          2. Make sure MySQL only allows connections from localhost.

          3. Enable TLS on mail services. Even if it's a self signed cert. You don't want passwords sent in the clear.

          4. Install ssh bruteforce blockers like denyhosts or fail2ban. (sudo apt-get install denyhosts)

          5. Look into making ssh key-based logins only.

          6. Learn AppArmor. If you use fairly vanilla configurations, then it's extremely easy. Just make sure it's turned on. It will help reduce zero-day exploits.

          7. Depending on physical access to the server, you may even want to look at encrypting the data on the harddisk.

          8. Follow other recommendations in this link. EDIT: I forgot to edit this when I didn't have enough reputation to add more links. The link meant here is the last link below.

          9. Never trust your users. If you are having multiple users with access to the system, lock them down. If you have to give them sudo access, give them only what they need.

          10. Use common sense. Think real hard about how you'd get in if you were ever locked out. Then close those holes.


          A few more things to consider. Most people forget about physical access. All the software configurations in the world don't mean anything if I can physically walk in with a LiveCD and steal your data. Beware of social engineering. Ask questions to verify who is on the phone and make sure they have authorization to make the request they are making.



          Since I'm still a 'new' user, I can't post more than 2 links. You can read up more about this subject here: https://help.ubuntu.com/12.04/serverguide/index.html and pay special attention to https://help.ubuntu.com/12.04/serverguide/security.html






          share|improve this answer





















          • 2





            An alternative to using UFW (while still using built in out of the box firewalls in Ubuntu) is to lock down your system with extremely specific iptables rules to disallow external access to any service you aren't going to utilize, if you have an odd-ball setup that requires advanced rouing and stuff though.

            – Thomas Ward
            Jun 7 '12 at 13:23






          • 2





            @LordofTime Agreed. I actually use iptables myself, but ufw is just fine for most basic installs. Also UFW is more or less just a wrapper for most common iptables configurations anyway. The underlying system is still the same.

            – Patrick Regan
            Jun 7 '12 at 13:34






          • 2





            +1 for ufw ,you are not a new user ,you are member for 1 year :p

            – Tachyons
            Jun 7 '12 at 13:36






          • 1





            Indeed, I just wanted to point out that in certain instances iptables will have better usability over ufw in certain cases

            – Thomas Ward
            Jun 7 '12 at 13:46






          • 1





            Consider BastilleLinux it's also a good security hardening suite.

            – pl1nk
            Jun 7 '12 at 23:05


















          43














          Here is a list of things I do to secure my server.




          1. Turn on UFW (sudo ufw enable) and then only allow ports that are actually used. (sudo ufw allow 80)

          2. Make sure MySQL only allows connections from localhost.

          3. Enable TLS on mail services. Even if it's a self signed cert. You don't want passwords sent in the clear.

          4. Install ssh bruteforce blockers like denyhosts or fail2ban. (sudo apt-get install denyhosts)

          5. Look into making ssh key-based logins only.

          6. Learn AppArmor. If you use fairly vanilla configurations, then it's extremely easy. Just make sure it's turned on. It will help reduce zero-day exploits.

          7. Depending on physical access to the server, you may even want to look at encrypting the data on the harddisk.

          8. Follow other recommendations in this link. EDIT: I forgot to edit this when I didn't have enough reputation to add more links. The link meant here is the last link below.

          9. Never trust your users. If you are having multiple users with access to the system, lock them down. If you have to give them sudo access, give them only what they need.

          10. Use common sense. Think real hard about how you'd get in if you were ever locked out. Then close those holes.


          A few more things to consider. Most people forget about physical access. All the software configurations in the world don't mean anything if I can physically walk in with a LiveCD and steal your data. Beware of social engineering. Ask questions to verify who is on the phone and make sure they have authorization to make the request they are making.



          Since I'm still a 'new' user, I can't post more than 2 links. You can read up more about this subject here: https://help.ubuntu.com/12.04/serverguide/index.html and pay special attention to https://help.ubuntu.com/12.04/serverguide/security.html






          share|improve this answer





















          • 2





            An alternative to using UFW (while still using built in out of the box firewalls in Ubuntu) is to lock down your system with extremely specific iptables rules to disallow external access to any service you aren't going to utilize, if you have an odd-ball setup that requires advanced rouing and stuff though.

            – Thomas Ward
            Jun 7 '12 at 13:23






          • 2





            @LordofTime Agreed. I actually use iptables myself, but ufw is just fine for most basic installs. Also UFW is more or less just a wrapper for most common iptables configurations anyway. The underlying system is still the same.

            – Patrick Regan
            Jun 7 '12 at 13:34






          • 2





            +1 for ufw ,you are not a new user ,you are member for 1 year :p

            – Tachyons
            Jun 7 '12 at 13:36






          • 1





            Indeed, I just wanted to point out that in certain instances iptables will have better usability over ufw in certain cases

            – Thomas Ward
            Jun 7 '12 at 13:46






          • 1





            Consider BastilleLinux it's also a good security hardening suite.

            – pl1nk
            Jun 7 '12 at 23:05
















          43












          43








          43







          Here is a list of things I do to secure my server.




          1. Turn on UFW (sudo ufw enable) and then only allow ports that are actually used. (sudo ufw allow 80)

          2. Make sure MySQL only allows connections from localhost.

          3. Enable TLS on mail services. Even if it's a self signed cert. You don't want passwords sent in the clear.

          4. Install ssh bruteforce blockers like denyhosts or fail2ban. (sudo apt-get install denyhosts)

          5. Look into making ssh key-based logins only.

          6. Learn AppArmor. If you use fairly vanilla configurations, then it's extremely easy. Just make sure it's turned on. It will help reduce zero-day exploits.

          7. Depending on physical access to the server, you may even want to look at encrypting the data on the harddisk.

          8. Follow other recommendations in this link. EDIT: I forgot to edit this when I didn't have enough reputation to add more links. The link meant here is the last link below.

          9. Never trust your users. If you are having multiple users with access to the system, lock them down. If you have to give them sudo access, give them only what they need.

          10. Use common sense. Think real hard about how you'd get in if you were ever locked out. Then close those holes.


          A few more things to consider. Most people forget about physical access. All the software configurations in the world don't mean anything if I can physically walk in with a LiveCD and steal your data. Beware of social engineering. Ask questions to verify who is on the phone and make sure they have authorization to make the request they are making.



          Since I'm still a 'new' user, I can't post more than 2 links. You can read up more about this subject here: https://help.ubuntu.com/12.04/serverguide/index.html and pay special attention to https://help.ubuntu.com/12.04/serverguide/security.html






          share|improve this answer















          Here is a list of things I do to secure my server.




          1. Turn on UFW (sudo ufw enable) and then only allow ports that are actually used. (sudo ufw allow 80)

          2. Make sure MySQL only allows connections from localhost.

          3. Enable TLS on mail services. Even if it's a self signed cert. You don't want passwords sent in the clear.

          4. Install ssh bruteforce blockers like denyhosts or fail2ban. (sudo apt-get install denyhosts)

          5. Look into making ssh key-based logins only.

          6. Learn AppArmor. If you use fairly vanilla configurations, then it's extremely easy. Just make sure it's turned on. It will help reduce zero-day exploits.

          7. Depending on physical access to the server, you may even want to look at encrypting the data on the harddisk.

          8. Follow other recommendations in this link. EDIT: I forgot to edit this when I didn't have enough reputation to add more links. The link meant here is the last link below.

          9. Never trust your users. If you are having multiple users with access to the system, lock them down. If you have to give them sudo access, give them only what they need.

          10. Use common sense. Think real hard about how you'd get in if you were ever locked out. Then close those holes.


          A few more things to consider. Most people forget about physical access. All the software configurations in the world don't mean anything if I can physically walk in with a LiveCD and steal your data. Beware of social engineering. Ask questions to verify who is on the phone and make sure they have authorization to make the request they are making.



          Since I'm still a 'new' user, I can't post more than 2 links. You can read up more about this subject here: https://help.ubuntu.com/12.04/serverguide/index.html and pay special attention to https://help.ubuntu.com/12.04/serverguide/security.html







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Jun 7 '12 at 13:42

























          answered Jun 7 '12 at 13:19









          Patrick ReganPatrick Regan

          54645




          54645








          • 2





            An alternative to using UFW (while still using built in out of the box firewalls in Ubuntu) is to lock down your system with extremely specific iptables rules to disallow external access to any service you aren't going to utilize, if you have an odd-ball setup that requires advanced rouing and stuff though.

            – Thomas Ward
            Jun 7 '12 at 13:23






          • 2





            @LordofTime Agreed. I actually use iptables myself, but ufw is just fine for most basic installs. Also UFW is more or less just a wrapper for most common iptables configurations anyway. The underlying system is still the same.

            – Patrick Regan
            Jun 7 '12 at 13:34






          • 2





            +1 for ufw ,you are not a new user ,you are member for 1 year :p

            – Tachyons
            Jun 7 '12 at 13:36






          • 1





            Indeed, I just wanted to point out that in certain instances iptables will have better usability over ufw in certain cases

            – Thomas Ward
            Jun 7 '12 at 13:46






          • 1





            Consider BastilleLinux it's also a good security hardening suite.

            – pl1nk
            Jun 7 '12 at 23:05
















          • 2





            An alternative to using UFW (while still using built in out of the box firewalls in Ubuntu) is to lock down your system with extremely specific iptables rules to disallow external access to any service you aren't going to utilize, if you have an odd-ball setup that requires advanced rouing and stuff though.

            – Thomas Ward
            Jun 7 '12 at 13:23






          • 2





            @LordofTime Agreed. I actually use iptables myself, but ufw is just fine for most basic installs. Also UFW is more or less just a wrapper for most common iptables configurations anyway. The underlying system is still the same.

            – Patrick Regan
            Jun 7 '12 at 13:34






          • 2





            +1 for ufw ,you are not a new user ,you are member for 1 year :p

            – Tachyons
            Jun 7 '12 at 13:36






          • 1





            Indeed, I just wanted to point out that in certain instances iptables will have better usability over ufw in certain cases

            – Thomas Ward
            Jun 7 '12 at 13:46






          • 1





            Consider BastilleLinux it's also a good security hardening suite.

            – pl1nk
            Jun 7 '12 at 23:05










          2




          2





          An alternative to using UFW (while still using built in out of the box firewalls in Ubuntu) is to lock down your system with extremely specific iptables rules to disallow external access to any service you aren't going to utilize, if you have an odd-ball setup that requires advanced rouing and stuff though.

          – Thomas Ward
          Jun 7 '12 at 13:23





          An alternative to using UFW (while still using built in out of the box firewalls in Ubuntu) is to lock down your system with extremely specific iptables rules to disallow external access to any service you aren't going to utilize, if you have an odd-ball setup that requires advanced rouing and stuff though.

          – Thomas Ward
          Jun 7 '12 at 13:23




          2




          2





          @LordofTime Agreed. I actually use iptables myself, but ufw is just fine for most basic installs. Also UFW is more or less just a wrapper for most common iptables configurations anyway. The underlying system is still the same.

          – Patrick Regan
          Jun 7 '12 at 13:34





          @LordofTime Agreed. I actually use iptables myself, but ufw is just fine for most basic installs. Also UFW is more or less just a wrapper for most common iptables configurations anyway. The underlying system is still the same.

          – Patrick Regan
          Jun 7 '12 at 13:34




          2




          2





          +1 for ufw ,you are not a new user ,you are member for 1 year :p

          – Tachyons
          Jun 7 '12 at 13:36





          +1 for ufw ,you are not a new user ,you are member for 1 year :p

          – Tachyons
          Jun 7 '12 at 13:36




          1




          1





          Indeed, I just wanted to point out that in certain instances iptables will have better usability over ufw in certain cases

          – Thomas Ward
          Jun 7 '12 at 13:46





          Indeed, I just wanted to point out that in certain instances iptables will have better usability over ufw in certain cases

          – Thomas Ward
          Jun 7 '12 at 13:46




          1




          1





          Consider BastilleLinux it's also a good security hardening suite.

          – pl1nk
          Jun 7 '12 at 23:05







          Consider BastilleLinux it's also a good security hardening suite.

          – pl1nk
          Jun 7 '12 at 23:05















          13














          Secure shared memory



          /dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.



          Open a Terminal Window and enter the following :



          sudo vi /etc/fstab


          Add the following line and save. You will need to reboot for this setting to take effect :



          tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0


          Harden network with sysctl settings



          The /etc/sysctl.conf file contain all the sysctl settings.
          Prevent source routing of incoming packets and log malformed IP's enter the following in a terminal window



          sudo vi /etc/sysctl.conf


          Edit the /etc/sysctl.conf file and un-comment or add the following lines :



          # IP Spoofing protection
          net.ipv4.conf.all.rp_filter = 1
          net.ipv4.conf.default.rp_filter = 1

          # Ignore ICMP broadcast requests
          net.ipv4.icmp_echo_ignore_broadcasts = 1

          # Disable source packet routing
          net.ipv4.conf.all.accept_source_route = 0
          net.ipv6.conf.all.accept_source_route = 0
          net.ipv4.conf.default.accept_source_route = 0
          net.ipv6.conf.default.accept_source_route = 0

          # Ignore send redirects
          net.ipv4.conf.all.send_redirects = 0
          net.ipv4.conf.default.send_redirects = 0

          # Block SYN attacks
          net.ipv4.tcp_syncookies = 1
          net.ipv4.tcp_max_syn_backlog = 2048
          net.ipv4.tcp_synack_retries = 2
          net.ipv4.tcp_syn_retries = 5

          # Log Martians
          net.ipv4.conf.all.log_martians = 1
          net.ipv4.icmp_ignore_bogus_error_responses = 1

          # Ignore ICMP redirects
          net.ipv4.conf.all.accept_redirects = 0
          net.ipv6.conf.all.accept_redirects = 0
          net.ipv4.conf.default.accept_redirects = 0
          net.ipv6.conf.default.accept_redirects = 0

          # Ignore Directed pings
          net.ipv4.icmp_echo_ignore_all = 1


          To reload sysctl with the latest changes, enter:



          sudo sysctl -p


          Prevent IP Spoofing



          Open a Terminal and enter the following :



          sudo vi /etc/host.conf


          Add or edit the following lines :



          order bind,hosts
          nospoof on


          Harden PHP for security



          Edit the php.ini file :



          sudo vi /etc/php5/apache2/php.ini


          Add or edit the following lines :



          disable_functions = exec,system,shell_exec,passthru
          register_globals = Off
          expose_php = Off
          magic_quotes_gpc = On


          Web Application Firewall - ModSecurity



          http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



          Protect from DDOS (Denial of Service) attacks - ModEvasive



          http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



          Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban



          @DenyHosts



          DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.



          Open a Terminal and enter the following :



          sudo apt-get install denyhosts


          After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.



          To edit the admin email settings open a terminal window and enter:



          sudo vi /etc/denyhosts.conf


          Change the following values as required on your server :



          ADMIN_EMAIL = root@localhost
          SMTP_HOST = localhost
          SMTP_PORT = 25
          #SMTP_USERNAME=foo
          #SMTP_PASSWORD=bar
          SMTP_FROM = DenyHosts nobody@localhost
          #SYSLOG_REPORT=YES


          @ Fail2Ban



          Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.



          Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.



          Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
          Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).



          Open a Terminal and enter the following :



          sudo apt-get install fail2ban


          After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.



          To edit the settings open a terminal window and enter:



          sudo vi /etc/fail2ban/jail.conf


          Activate all the services you would like fail2ban to monitor by changing enabled = false to *enabled = true*



          For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.



          [ssh]

          enabled = true
          port = ssh
          filter = sshd
          logpath = /var/log/auth.log
          maxretry = 3


          If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.



          destemail = root@localhost


          and change the following line from :



          action = %(action_)s


          to:



          action = %(action_mwl)s


          You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.



          sudo vi /etc/fail2ban/jail.local


          Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge - click here for an example



          When done with the configuration of Fail2Ban restart the service with :



          sudo /etc/init.d/fail2ban restart


          You can also check the status with.



          sudo fail2ban-client status


          Check for rootkits - RKHunter and CHKRootKit.



          Both RKHunter and CHKRootkit basically do the same thing - check your system for rootkits. No harm in using both.



          Open a Terminal and enter the following :



          sudo apt-get install rkhunter chkrootkit


          To run chkrootkit open a terminal window and enter :



          sudo chkrootkit


          To update and run RKHunter. Open a Terminal and enter the following



          sudo rkhunter --update
          sudo rkhunter --propupd
          sudo rkhunter --check


          Scan open ports - Nmap



          Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.



          Open a Terminal and enter the following :



          sudo apt-get install nmap


          Scan your system for open ports with :



          nmap -v -sT localhost


          SYN scanning with the following :



          sudo nmap -v -sS localhost


          Analyse system LOG files - LogWatch



          Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.



          Open a Terminal and enter the following :



          sudo apt-get install logwatch libdate-manip-perl


          To view logwatch output use less :



          sudo logwatch | less


          To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :



          sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today' 


          Audit your system security - Tiger.



          Tiger is a security tool that can be use both as a security audit and intrusion detection system.



          Open a Terminal and enter the following :



          sudo apt-get install tiger


          To run tiger enter :



          sudo tiger


          All Tiger output can be found in the /var/log/tiger



          To view the tiger security reports, open a Terminal and enter the following :



          sudo less /var/log/tiger/security.report.*


          For More Help






          share|improve this answer
























          • PHP: magic_quotes_gpc = On. Magic quotes has been first deprecated and then removed: php.net/manual/en/security.magicquotes.whynot.php

            – Tim
            Jun 3 '14 at 16:40
















          13














          Secure shared memory



          /dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.



          Open a Terminal Window and enter the following :



          sudo vi /etc/fstab


          Add the following line and save. You will need to reboot for this setting to take effect :



          tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0


          Harden network with sysctl settings



          The /etc/sysctl.conf file contain all the sysctl settings.
          Prevent source routing of incoming packets and log malformed IP's enter the following in a terminal window



          sudo vi /etc/sysctl.conf


          Edit the /etc/sysctl.conf file and un-comment or add the following lines :



          # IP Spoofing protection
          net.ipv4.conf.all.rp_filter = 1
          net.ipv4.conf.default.rp_filter = 1

          # Ignore ICMP broadcast requests
          net.ipv4.icmp_echo_ignore_broadcasts = 1

          # Disable source packet routing
          net.ipv4.conf.all.accept_source_route = 0
          net.ipv6.conf.all.accept_source_route = 0
          net.ipv4.conf.default.accept_source_route = 0
          net.ipv6.conf.default.accept_source_route = 0

          # Ignore send redirects
          net.ipv4.conf.all.send_redirects = 0
          net.ipv4.conf.default.send_redirects = 0

          # Block SYN attacks
          net.ipv4.tcp_syncookies = 1
          net.ipv4.tcp_max_syn_backlog = 2048
          net.ipv4.tcp_synack_retries = 2
          net.ipv4.tcp_syn_retries = 5

          # Log Martians
          net.ipv4.conf.all.log_martians = 1
          net.ipv4.icmp_ignore_bogus_error_responses = 1

          # Ignore ICMP redirects
          net.ipv4.conf.all.accept_redirects = 0
          net.ipv6.conf.all.accept_redirects = 0
          net.ipv4.conf.default.accept_redirects = 0
          net.ipv6.conf.default.accept_redirects = 0

          # Ignore Directed pings
          net.ipv4.icmp_echo_ignore_all = 1


          To reload sysctl with the latest changes, enter:



          sudo sysctl -p


          Prevent IP Spoofing



          Open a Terminal and enter the following :



          sudo vi /etc/host.conf


          Add or edit the following lines :



          order bind,hosts
          nospoof on


          Harden PHP for security



          Edit the php.ini file :



          sudo vi /etc/php5/apache2/php.ini


          Add or edit the following lines :



          disable_functions = exec,system,shell_exec,passthru
          register_globals = Off
          expose_php = Off
          magic_quotes_gpc = On


          Web Application Firewall - ModSecurity



          http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



          Protect from DDOS (Denial of Service) attacks - ModEvasive



          http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



          Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban



          @DenyHosts



          DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.



          Open a Terminal and enter the following :



          sudo apt-get install denyhosts


          After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.



          To edit the admin email settings open a terminal window and enter:



          sudo vi /etc/denyhosts.conf


          Change the following values as required on your server :



          ADMIN_EMAIL = root@localhost
          SMTP_HOST = localhost
          SMTP_PORT = 25
          #SMTP_USERNAME=foo
          #SMTP_PASSWORD=bar
          SMTP_FROM = DenyHosts nobody@localhost
          #SYSLOG_REPORT=YES


          @ Fail2Ban



          Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.



          Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.



          Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
          Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).



          Open a Terminal and enter the following :



          sudo apt-get install fail2ban


          After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.



          To edit the settings open a terminal window and enter:



          sudo vi /etc/fail2ban/jail.conf


          Activate all the services you would like fail2ban to monitor by changing enabled = false to *enabled = true*



          For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.



          [ssh]

          enabled = true
          port = ssh
          filter = sshd
          logpath = /var/log/auth.log
          maxretry = 3


          If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.



          destemail = root@localhost


          and change the following line from :



          action = %(action_)s


          to:



          action = %(action_mwl)s


          You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.



          sudo vi /etc/fail2ban/jail.local


          Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge - click here for an example



          When done with the configuration of Fail2Ban restart the service with :



          sudo /etc/init.d/fail2ban restart


          You can also check the status with.



          sudo fail2ban-client status


          Check for rootkits - RKHunter and CHKRootKit.



          Both RKHunter and CHKRootkit basically do the same thing - check your system for rootkits. No harm in using both.



          Open a Terminal and enter the following :



          sudo apt-get install rkhunter chkrootkit


          To run chkrootkit open a terminal window and enter :



          sudo chkrootkit


          To update and run RKHunter. Open a Terminal and enter the following



          sudo rkhunter --update
          sudo rkhunter --propupd
          sudo rkhunter --check


          Scan open ports - Nmap



          Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.



          Open a Terminal and enter the following :



          sudo apt-get install nmap


          Scan your system for open ports with :



          nmap -v -sT localhost


          SYN scanning with the following :



          sudo nmap -v -sS localhost


          Analyse system LOG files - LogWatch



          Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.



          Open a Terminal and enter the following :



          sudo apt-get install logwatch libdate-manip-perl


          To view logwatch output use less :



          sudo logwatch | less


          To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :



          sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today' 


          Audit your system security - Tiger.



          Tiger is a security tool that can be use both as a security audit and intrusion detection system.



          Open a Terminal and enter the following :



          sudo apt-get install tiger


          To run tiger enter :



          sudo tiger


          All Tiger output can be found in the /var/log/tiger



          To view the tiger security reports, open a Terminal and enter the following :



          sudo less /var/log/tiger/security.report.*


          For More Help






          share|improve this answer
























          • PHP: magic_quotes_gpc = On. Magic quotes has been first deprecated and then removed: php.net/manual/en/security.magicquotes.whynot.php

            – Tim
            Jun 3 '14 at 16:40














          13












          13








          13







          Secure shared memory



          /dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.



          Open a Terminal Window and enter the following :



          sudo vi /etc/fstab


          Add the following line and save. You will need to reboot for this setting to take effect :



          tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0


          Harden network with sysctl settings



          The /etc/sysctl.conf file contain all the sysctl settings.
          Prevent source routing of incoming packets and log malformed IP's enter the following in a terminal window



          sudo vi /etc/sysctl.conf


          Edit the /etc/sysctl.conf file and un-comment or add the following lines :



          # IP Spoofing protection
          net.ipv4.conf.all.rp_filter = 1
          net.ipv4.conf.default.rp_filter = 1

          # Ignore ICMP broadcast requests
          net.ipv4.icmp_echo_ignore_broadcasts = 1

          # Disable source packet routing
          net.ipv4.conf.all.accept_source_route = 0
          net.ipv6.conf.all.accept_source_route = 0
          net.ipv4.conf.default.accept_source_route = 0
          net.ipv6.conf.default.accept_source_route = 0

          # Ignore send redirects
          net.ipv4.conf.all.send_redirects = 0
          net.ipv4.conf.default.send_redirects = 0

          # Block SYN attacks
          net.ipv4.tcp_syncookies = 1
          net.ipv4.tcp_max_syn_backlog = 2048
          net.ipv4.tcp_synack_retries = 2
          net.ipv4.tcp_syn_retries = 5

          # Log Martians
          net.ipv4.conf.all.log_martians = 1
          net.ipv4.icmp_ignore_bogus_error_responses = 1

          # Ignore ICMP redirects
          net.ipv4.conf.all.accept_redirects = 0
          net.ipv6.conf.all.accept_redirects = 0
          net.ipv4.conf.default.accept_redirects = 0
          net.ipv6.conf.default.accept_redirects = 0

          # Ignore Directed pings
          net.ipv4.icmp_echo_ignore_all = 1


          To reload sysctl with the latest changes, enter:



          sudo sysctl -p


          Prevent IP Spoofing



          Open a Terminal and enter the following :



          sudo vi /etc/host.conf


          Add or edit the following lines :



          order bind,hosts
          nospoof on


          Harden PHP for security



          Edit the php.ini file :



          sudo vi /etc/php5/apache2/php.ini


          Add or edit the following lines :



          disable_functions = exec,system,shell_exec,passthru
          register_globals = Off
          expose_php = Off
          magic_quotes_gpc = On


          Web Application Firewall - ModSecurity



          http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



          Protect from DDOS (Denial of Service) attacks - ModEvasive



          http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



          Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban



          @DenyHosts



          DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.



          Open a Terminal and enter the following :



          sudo apt-get install denyhosts


          After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.



          To edit the admin email settings open a terminal window and enter:



          sudo vi /etc/denyhosts.conf


          Change the following values as required on your server :



          ADMIN_EMAIL = root@localhost
          SMTP_HOST = localhost
          SMTP_PORT = 25
          #SMTP_USERNAME=foo
          #SMTP_PASSWORD=bar
          SMTP_FROM = DenyHosts nobody@localhost
          #SYSLOG_REPORT=YES


          @ Fail2Ban



          Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.



          Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.



          Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
          Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).



          Open a Terminal and enter the following :



          sudo apt-get install fail2ban


          After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.



          To edit the settings open a terminal window and enter:



          sudo vi /etc/fail2ban/jail.conf


          Activate all the services you would like fail2ban to monitor by changing enabled = false to *enabled = true*



          For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.



          [ssh]

          enabled = true
          port = ssh
          filter = sshd
          logpath = /var/log/auth.log
          maxretry = 3


          If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.



          destemail = root@localhost


          and change the following line from :



          action = %(action_)s


          to:



          action = %(action_mwl)s


          You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.



          sudo vi /etc/fail2ban/jail.local


          Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge - click here for an example



          When done with the configuration of Fail2Ban restart the service with :



          sudo /etc/init.d/fail2ban restart


          You can also check the status with.



          sudo fail2ban-client status


          Check for rootkits - RKHunter and CHKRootKit.



          Both RKHunter and CHKRootkit basically do the same thing - check your system for rootkits. No harm in using both.



          Open a Terminal and enter the following :



          sudo apt-get install rkhunter chkrootkit


          To run chkrootkit open a terminal window and enter :



          sudo chkrootkit


          To update and run RKHunter. Open a Terminal and enter the following



          sudo rkhunter --update
          sudo rkhunter --propupd
          sudo rkhunter --check


          Scan open ports - Nmap



          Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.



          Open a Terminal and enter the following :



          sudo apt-get install nmap


          Scan your system for open ports with :



          nmap -v -sT localhost


          SYN scanning with the following :



          sudo nmap -v -sS localhost


          Analyse system LOG files - LogWatch



          Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.



          Open a Terminal and enter the following :



          sudo apt-get install logwatch libdate-manip-perl


          To view logwatch output use less :



          sudo logwatch | less


          To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :



          sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today' 


          Audit your system security - Tiger.



          Tiger is a security tool that can be use both as a security audit and intrusion detection system.



          Open a Terminal and enter the following :



          sudo apt-get install tiger


          To run tiger enter :



          sudo tiger


          All Tiger output can be found in the /var/log/tiger



          To view the tiger security reports, open a Terminal and enter the following :



          sudo less /var/log/tiger/security.report.*


          For More Help






          share|improve this answer













          Secure shared memory



          /dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.



          Open a Terminal Window and enter the following :



          sudo vi /etc/fstab


          Add the following line and save. You will need to reboot for this setting to take effect :



          tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0


          Harden network with sysctl settings



          The /etc/sysctl.conf file contain all the sysctl settings.
          Prevent source routing of incoming packets and log malformed IP's enter the following in a terminal window



          sudo vi /etc/sysctl.conf


          Edit the /etc/sysctl.conf file and un-comment or add the following lines :



          # IP Spoofing protection
          net.ipv4.conf.all.rp_filter = 1
          net.ipv4.conf.default.rp_filter = 1

          # Ignore ICMP broadcast requests
          net.ipv4.icmp_echo_ignore_broadcasts = 1

          # Disable source packet routing
          net.ipv4.conf.all.accept_source_route = 0
          net.ipv6.conf.all.accept_source_route = 0
          net.ipv4.conf.default.accept_source_route = 0
          net.ipv6.conf.default.accept_source_route = 0

          # Ignore send redirects
          net.ipv4.conf.all.send_redirects = 0
          net.ipv4.conf.default.send_redirects = 0

          # Block SYN attacks
          net.ipv4.tcp_syncookies = 1
          net.ipv4.tcp_max_syn_backlog = 2048
          net.ipv4.tcp_synack_retries = 2
          net.ipv4.tcp_syn_retries = 5

          # Log Martians
          net.ipv4.conf.all.log_martians = 1
          net.ipv4.icmp_ignore_bogus_error_responses = 1

          # Ignore ICMP redirects
          net.ipv4.conf.all.accept_redirects = 0
          net.ipv6.conf.all.accept_redirects = 0
          net.ipv4.conf.default.accept_redirects = 0
          net.ipv6.conf.default.accept_redirects = 0

          # Ignore Directed pings
          net.ipv4.icmp_echo_ignore_all = 1


          To reload sysctl with the latest changes, enter:



          sudo sysctl -p


          Prevent IP Spoofing



          Open a Terminal and enter the following :



          sudo vi /etc/host.conf


          Add or edit the following lines :



          order bind,hosts
          nospoof on


          Harden PHP for security



          Edit the php.ini file :



          sudo vi /etc/php5/apache2/php.ini


          Add or edit the following lines :



          disable_functions = exec,system,shell_exec,passthru
          register_globals = Off
          expose_php = Off
          magic_quotes_gpc = On


          Web Application Firewall - ModSecurity



          http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



          Protect from DDOS (Denial of Service) attacks - ModEvasive



          http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server



          Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban



          @DenyHosts



          DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.



          Open a Terminal and enter the following :



          sudo apt-get install denyhosts


          After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.



          To edit the admin email settings open a terminal window and enter:



          sudo vi /etc/denyhosts.conf


          Change the following values as required on your server :



          ADMIN_EMAIL = root@localhost
          SMTP_HOST = localhost
          SMTP_PORT = 25
          #SMTP_USERNAME=foo
          #SMTP_PASSWORD=bar
          SMTP_FROM = DenyHosts nobody@localhost
          #SYSLOG_REPORT=YES


          @ Fail2Ban



          Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.



          Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.



          Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
          Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).



          Open a Terminal and enter the following :



          sudo apt-get install fail2ban


          After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.



          To edit the settings open a terminal window and enter:



          sudo vi /etc/fail2ban/jail.conf


          Activate all the services you would like fail2ban to monitor by changing enabled = false to *enabled = true*



          For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.



          [ssh]

          enabled = true
          port = ssh
          filter = sshd
          logpath = /var/log/auth.log
          maxretry = 3


          If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.



          destemail = root@localhost


          and change the following line from :



          action = %(action_)s


          to:



          action = %(action_mwl)s


          You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.



          sudo vi /etc/fail2ban/jail.local


          Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge - click here for an example



          When done with the configuration of Fail2Ban restart the service with :



          sudo /etc/init.d/fail2ban restart


          You can also check the status with.



          sudo fail2ban-client status


          Check for rootkits - RKHunter and CHKRootKit.



          Both RKHunter and CHKRootkit basically do the same thing - check your system for rootkits. No harm in using both.



          Open a Terminal and enter the following :



          sudo apt-get install rkhunter chkrootkit


          To run chkrootkit open a terminal window and enter :



          sudo chkrootkit


          To update and run RKHunter. Open a Terminal and enter the following



          sudo rkhunter --update
          sudo rkhunter --propupd
          sudo rkhunter --check


          Scan open ports - Nmap



          Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.



          Open a Terminal and enter the following :



          sudo apt-get install nmap


          Scan your system for open ports with :



          nmap -v -sT localhost


          SYN scanning with the following :



          sudo nmap -v -sS localhost


          Analyse system LOG files - LogWatch



          Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.



          Open a Terminal and enter the following :



          sudo apt-get install logwatch libdate-manip-perl


          To view logwatch output use less :



          sudo logwatch | less


          To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :



          sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today' 


          Audit your system security - Tiger.



          Tiger is a security tool that can be use both as a security audit and intrusion detection system.



          Open a Terminal and enter the following :



          sudo apt-get install tiger


          To run tiger enter :



          sudo tiger


          All Tiger output can be found in the /var/log/tiger



          To view the tiger security reports, open a Terminal and enter the following :



          sudo less /var/log/tiger/security.report.*


          For More Help







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jun 15 '12 at 14:51









          One ZeroOne Zero

          17.4k2272106




          17.4k2272106













          • PHP: magic_quotes_gpc = On. Magic quotes has been first deprecated and then removed: php.net/manual/en/security.magicquotes.whynot.php

            – Tim
            Jun 3 '14 at 16:40



















          • PHP: magic_quotes_gpc = On. Magic quotes has been first deprecated and then removed: php.net/manual/en/security.magicquotes.whynot.php

            – Tim
            Jun 3 '14 at 16:40

















          PHP: magic_quotes_gpc = On. Magic quotes has been first deprecated and then removed: php.net/manual/en/security.magicquotes.whynot.php

          – Tim
          Jun 3 '14 at 16:40





          PHP: magic_quotes_gpc = On. Magic quotes has been first deprecated and then removed: php.net/manual/en/security.magicquotes.whynot.php

          – Tim
          Jun 3 '14 at 16:40











          13





          +250









          Since you said this is web-hosting-server... I would like to share my best practices and experience of 5 long years in the web-hosting line.




          1. From my past experiences, rather than going into configuration hell straight away, you should first assemble the low hanging grapes of security as indicated on the given article.


          2. Since you are having LAMP, thus you must be very cautious bout PHP and its php.ini settings. This is a good link for securing PHP. PHP has super powers which may become security loop when not configured properly.


          3. You may use a cron job to check when your files were modified without your permission and possibly hacked; using this cron job. I prefer Notepad++ to compare the cron results (directly download the cron email from your web server and open in Notepad++).


          4. If you want to install some SEM, then cPanel is best preferred (however paid). Webmin and zpanel are very good free alternatives. Webmin is better for it atleast uses self signed certificates and adds security.


          5. If you want something to work right out of the box then you may go for Turnkey Linux. It is based on Ubuntu, extremely easy to implement and flexible to your needs. With very little effort you get security out of the box. This is their LAMP stack. I personally use and prefer this only.


          6. If you are starting from scratches, then you may also install ISPconfig3. Instruction Here.


          7. you may test your security by trying to penetrate your security using Back-Track-Linux.


          8. keep complex long and random passwords. Dont store them on PC. write them down. Use a live CD to access these logins.


          9. get a brute force protection software like fail2ban.


          10. Dont run those daemons which you don't need.


          11. Block all the unnecessary ports. be extremely careful with SSH port (22).


          12. Get yourself with a static IP on the system through which you gonna manage the server. Make most of the things IP block and only allow your particular IP to access those configuration places like port 22.



          In the end of the day... work with utter piece of mind, don't get emotional with the install and applying common sense takes you far beyond.



          **My heartiest best wishes to you. good luck.**





          share|improve this answer





















          • 1





            PHP can also be dangerous when trusting user input (sql injection for example).

            – NoBugs
            Jun 12 '12 at 0:24











          • @NoBugs I absolutely agree with this point. Its not possible to compress everything in one singly answer. My answer contains many hyperlinks an as such these websites containing those pages are really very useful. Hope my answer and included links help the community :)

            – Z9iT
            Jun 12 '12 at 21:50






          • 2





            #9: No, ramdom passowrds are bad, the key is in the length, ie. "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9". Explanation at explainxkcd.com/2011/08/10/password-strength

            – papukaija
            Jun 12 '12 at 22:01








          • 2





            @papukaija i suggest you to google on brute force attacks and dictionary attacks.. Random long password are the only way to secure yourself from such attacks.

            – Z9iT
            Jun 12 '12 at 22:29
















          13





          +250









          Since you said this is web-hosting-server... I would like to share my best practices and experience of 5 long years in the web-hosting line.




          1. From my past experiences, rather than going into configuration hell straight away, you should first assemble the low hanging grapes of security as indicated on the given article.


          2. Since you are having LAMP, thus you must be very cautious bout PHP and its php.ini settings. This is a good link for securing PHP. PHP has super powers which may become security loop when not configured properly.


          3. You may use a cron job to check when your files were modified without your permission and possibly hacked; using this cron job. I prefer Notepad++ to compare the cron results (directly download the cron email from your web server and open in Notepad++).


          4. If you want to install some SEM, then cPanel is best preferred (however paid). Webmin and zpanel are very good free alternatives. Webmin is better for it atleast uses self signed certificates and adds security.


          5. If you want something to work right out of the box then you may go for Turnkey Linux. It is based on Ubuntu, extremely easy to implement and flexible to your needs. With very little effort you get security out of the box. This is their LAMP stack. I personally use and prefer this only.


          6. If you are starting from scratches, then you may also install ISPconfig3. Instruction Here.


          7. you may test your security by trying to penetrate your security using Back-Track-Linux.


          8. keep complex long and random passwords. Dont store them on PC. write them down. Use a live CD to access these logins.


          9. get a brute force protection software like fail2ban.


          10. Dont run those daemons which you don't need.


          11. Block all the unnecessary ports. be extremely careful with SSH port (22).


          12. Get yourself with a static IP on the system through which you gonna manage the server. Make most of the things IP block and only allow your particular IP to access those configuration places like port 22.



          In the end of the day... work with utter piece of mind, don't get emotional with the install and applying common sense takes you far beyond.



          **My heartiest best wishes to you. good luck.**





          share|improve this answer





















          • 1





            PHP can also be dangerous when trusting user input (sql injection for example).

            – NoBugs
            Jun 12 '12 at 0:24











          • @NoBugs I absolutely agree with this point. Its not possible to compress everything in one singly answer. My answer contains many hyperlinks an as such these websites containing those pages are really very useful. Hope my answer and included links help the community :)

            – Z9iT
            Jun 12 '12 at 21:50






          • 2





            #9: No, ramdom passowrds are bad, the key is in the length, ie. "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9". Explanation at explainxkcd.com/2011/08/10/password-strength

            – papukaija
            Jun 12 '12 at 22:01








          • 2





            @papukaija i suggest you to google on brute force attacks and dictionary attacks.. Random long password are the only way to secure yourself from such attacks.

            – Z9iT
            Jun 12 '12 at 22:29














          13





          +250







          13





          +250



          13




          +250





          Since you said this is web-hosting-server... I would like to share my best practices and experience of 5 long years in the web-hosting line.




          1. From my past experiences, rather than going into configuration hell straight away, you should first assemble the low hanging grapes of security as indicated on the given article.


          2. Since you are having LAMP, thus you must be very cautious bout PHP and its php.ini settings. This is a good link for securing PHP. PHP has super powers which may become security loop when not configured properly.


          3. You may use a cron job to check when your files were modified without your permission and possibly hacked; using this cron job. I prefer Notepad++ to compare the cron results (directly download the cron email from your web server and open in Notepad++).


          4. If you want to install some SEM, then cPanel is best preferred (however paid). Webmin and zpanel are very good free alternatives. Webmin is better for it atleast uses self signed certificates and adds security.


          5. If you want something to work right out of the box then you may go for Turnkey Linux. It is based on Ubuntu, extremely easy to implement and flexible to your needs. With very little effort you get security out of the box. This is their LAMP stack. I personally use and prefer this only.


          6. If you are starting from scratches, then you may also install ISPconfig3. Instruction Here.


          7. you may test your security by trying to penetrate your security using Back-Track-Linux.


          8. keep complex long and random passwords. Dont store them on PC. write them down. Use a live CD to access these logins.


          9. get a brute force protection software like fail2ban.


          10. Dont run those daemons which you don't need.


          11. Block all the unnecessary ports. be extremely careful with SSH port (22).


          12. Get yourself with a static IP on the system through which you gonna manage the server. Make most of the things IP block and only allow your particular IP to access those configuration places like port 22.



          In the end of the day... work with utter piece of mind, don't get emotional with the install and applying common sense takes you far beyond.



          **My heartiest best wishes to you. good luck.**





          share|improve this answer















          Since you said this is web-hosting-server... I would like to share my best practices and experience of 5 long years in the web-hosting line.




          1. From my past experiences, rather than going into configuration hell straight away, you should first assemble the low hanging grapes of security as indicated on the given article.


          2. Since you are having LAMP, thus you must be very cautious bout PHP and its php.ini settings. This is a good link for securing PHP. PHP has super powers which may become security loop when not configured properly.


          3. You may use a cron job to check when your files were modified without your permission and possibly hacked; using this cron job. I prefer Notepad++ to compare the cron results (directly download the cron email from your web server and open in Notepad++).


          4. If you want to install some SEM, then cPanel is best preferred (however paid). Webmin and zpanel are very good free alternatives. Webmin is better for it atleast uses self signed certificates and adds security.


          5. If you want something to work right out of the box then you may go for Turnkey Linux. It is based on Ubuntu, extremely easy to implement and flexible to your needs. With very little effort you get security out of the box. This is their LAMP stack. I personally use and prefer this only.


          6. If you are starting from scratches, then you may also install ISPconfig3. Instruction Here.


          7. you may test your security by trying to penetrate your security using Back-Track-Linux.


          8. keep complex long and random passwords. Dont store them on PC. write them down. Use a live CD to access these logins.


          9. get a brute force protection software like fail2ban.


          10. Dont run those daemons which you don't need.


          11. Block all the unnecessary ports. be extremely careful with SSH port (22).


          12. Get yourself with a static IP on the system through which you gonna manage the server. Make most of the things IP block and only allow your particular IP to access those configuration places like port 22.



          In the end of the day... work with utter piece of mind, don't get emotional with the install and applying common sense takes you far beyond.



          **My heartiest best wishes to you. good luck.**






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Dec 9 '14 at 15:58









          Goran Miskovic

          530414




          530414










          answered Jun 9 '12 at 23:55









          Z9iTZ9iT

          4,08792640




          4,08792640








          • 1





            PHP can also be dangerous when trusting user input (sql injection for example).

            – NoBugs
            Jun 12 '12 at 0:24











          • @NoBugs I absolutely agree with this point. Its not possible to compress everything in one singly answer. My answer contains many hyperlinks an as such these websites containing those pages are really very useful. Hope my answer and included links help the community :)

            – Z9iT
            Jun 12 '12 at 21:50






          • 2





            #9: No, ramdom passowrds are bad, the key is in the length, ie. "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9". Explanation at explainxkcd.com/2011/08/10/password-strength

            – papukaija
            Jun 12 '12 at 22:01








          • 2





            @papukaija i suggest you to google on brute force attacks and dictionary attacks.. Random long password are the only way to secure yourself from such attacks.

            – Z9iT
            Jun 12 '12 at 22:29














          • 1





            PHP can also be dangerous when trusting user input (sql injection for example).

            – NoBugs
            Jun 12 '12 at 0:24











          • @NoBugs I absolutely agree with this point. Its not possible to compress everything in one singly answer. My answer contains many hyperlinks an as such these websites containing those pages are really very useful. Hope my answer and included links help the community :)

            – Z9iT
            Jun 12 '12 at 21:50






          • 2





            #9: No, ramdom passowrds are bad, the key is in the length, ie. "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9". Explanation at explainxkcd.com/2011/08/10/password-strength

            – papukaija
            Jun 12 '12 at 22:01








          • 2





            @papukaija i suggest you to google on brute force attacks and dictionary attacks.. Random long password are the only way to secure yourself from such attacks.

            – Z9iT
            Jun 12 '12 at 22:29








          1




          1





          PHP can also be dangerous when trusting user input (sql injection for example).

          – NoBugs
          Jun 12 '12 at 0:24





          PHP can also be dangerous when trusting user input (sql injection for example).

          – NoBugs
          Jun 12 '12 at 0:24













          @NoBugs I absolutely agree with this point. Its not possible to compress everything in one singly answer. My answer contains many hyperlinks an as such these websites containing those pages are really very useful. Hope my answer and included links help the community :)

          – Z9iT
          Jun 12 '12 at 21:50





          @NoBugs I absolutely agree with this point. Its not possible to compress everything in one singly answer. My answer contains many hyperlinks an as such these websites containing those pages are really very useful. Hope my answer and included links help the community :)

          – Z9iT
          Jun 12 '12 at 21:50




          2




          2





          #9: No, ramdom passowrds are bad, the key is in the length, ie. "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9". Explanation at explainxkcd.com/2011/08/10/password-strength

          – papukaija
          Jun 12 '12 at 22:01







          #9: No, ramdom passowrds are bad, the key is in the length, ie. "D0g....................." is stronger than "PrXyc.N(n4k77#L!eVdAfp9". Explanation at explainxkcd.com/2011/08/10/password-strength

          – papukaija
          Jun 12 '12 at 22:01






          2




          2





          @papukaija i suggest you to google on brute force attacks and dictionary attacks.. Random long password are the only way to secure yourself from such attacks.

          – Z9iT
          Jun 12 '12 at 22:29





          @papukaija i suggest you to google on brute force attacks and dictionary attacks.. Random long password are the only way to secure yourself from such attacks.

          – Z9iT
          Jun 12 '12 at 22:29











          6














          Make use of the Bastille Linux project.



          It provides an interactive tool to perform additional security hardening measures to increase the over-all security, and decrease the susceptibility of compromise for your Ubuntu system (from Bastille Linux).



          It offers an assessment and reporting functionality, so that it can tell you what parts of the system aren't locked down. It examines the system in a read-only fashion, reporting on the status of each of its hardening items. For example, Bastille might check whether the DNS server is locked in a chroot prison, whether telnet is turned off, or even if passwords are required to be a good length. You can take a look at a Web-only demo of this through this link (more info).



          You can have preview of the Web (only) demo here.



          BastillleLinux






          share|improve this answer



















          • 1





            I can second that recommendation. For running exposed hosts (e.g. web-servers), bastille goes a long way towards securing the system.

            – Floyd
            Jun 10 '12 at 15:21











          • This looks similar to the SELinux system that you find on CentOS/Redhat but I bet SELinux is more modern.

            – djangofan
            Jun 12 '12 at 21:35
















          6














          Make use of the Bastille Linux project.



          It provides an interactive tool to perform additional security hardening measures to increase the over-all security, and decrease the susceptibility of compromise for your Ubuntu system (from Bastille Linux).



          It offers an assessment and reporting functionality, so that it can tell you what parts of the system aren't locked down. It examines the system in a read-only fashion, reporting on the status of each of its hardening items. For example, Bastille might check whether the DNS server is locked in a chroot prison, whether telnet is turned off, or even if passwords are required to be a good length. You can take a look at a Web-only demo of this through this link (more info).



          You can have preview of the Web (only) demo here.



          BastillleLinux






          share|improve this answer



















          • 1





            I can second that recommendation. For running exposed hosts (e.g. web-servers), bastille goes a long way towards securing the system.

            – Floyd
            Jun 10 '12 at 15:21











          • This looks similar to the SELinux system that you find on CentOS/Redhat but I bet SELinux is more modern.

            – djangofan
            Jun 12 '12 at 21:35














          6












          6








          6







          Make use of the Bastille Linux project.



          It provides an interactive tool to perform additional security hardening measures to increase the over-all security, and decrease the susceptibility of compromise for your Ubuntu system (from Bastille Linux).



          It offers an assessment and reporting functionality, so that it can tell you what parts of the system aren't locked down. It examines the system in a read-only fashion, reporting on the status of each of its hardening items. For example, Bastille might check whether the DNS server is locked in a chroot prison, whether telnet is turned off, or even if passwords are required to be a good length. You can take a look at a Web-only demo of this through this link (more info).



          You can have preview of the Web (only) demo here.



          BastillleLinux






          share|improve this answer













          Make use of the Bastille Linux project.



          It provides an interactive tool to perform additional security hardening measures to increase the over-all security, and decrease the susceptibility of compromise for your Ubuntu system (from Bastille Linux).



          It offers an assessment and reporting functionality, so that it can tell you what parts of the system aren't locked down. It examines the system in a read-only fashion, reporting on the status of each of its hardening items. For example, Bastille might check whether the DNS server is locked in a chroot prison, whether telnet is turned off, or even if passwords are required to be a good length. You can take a look at a Web-only demo of this through this link (more info).



          You can have preview of the Web (only) demo here.



          BastillleLinux







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jun 8 '12 at 23:45









          pl1nkpl1nk

          4,42852143




          4,42852143








          • 1





            I can second that recommendation. For running exposed hosts (e.g. web-servers), bastille goes a long way towards securing the system.

            – Floyd
            Jun 10 '12 at 15:21











          • This looks similar to the SELinux system that you find on CentOS/Redhat but I bet SELinux is more modern.

            – djangofan
            Jun 12 '12 at 21:35














          • 1





            I can second that recommendation. For running exposed hosts (e.g. web-servers), bastille goes a long way towards securing the system.

            – Floyd
            Jun 10 '12 at 15:21











          • This looks similar to the SELinux system that you find on CentOS/Redhat but I bet SELinux is more modern.

            – djangofan
            Jun 12 '12 at 21:35








          1




          1





          I can second that recommendation. For running exposed hosts (e.g. web-servers), bastille goes a long way towards securing the system.

          – Floyd
          Jun 10 '12 at 15:21





          I can second that recommendation. For running exposed hosts (e.g. web-servers), bastille goes a long way towards securing the system.

          – Floyd
          Jun 10 '12 at 15:21













          This looks similar to the SELinux system that you find on CentOS/Redhat but I bet SELinux is more modern.

          – djangofan
          Jun 12 '12 at 21:35





          This looks similar to the SELinux system that you find on CentOS/Redhat but I bet SELinux is more modern.

          – djangofan
          Jun 12 '12 at 21:35











          3














          Use nmap on all interfaces on the machine, so you know what services you run on your machine. This is an essential tool for security.



          Remove all services you don't need on your external interfaces. You can configure MySQL to only listen on specific interfaces, like localhost.



          Use ufw to protect your SSH service (and possible others) so that it doesn't allow too many (failed) connections per minute from same machine. That will make brute force attacks harder. To change port number isn't that usefull, just obscurity, no security.



          Be restrictive with the number of accounts on your machine. Also don't install more packages/programs than you actually uses. Only install X11-clients, not a X11-server.



          Only allow ssh-login to the machine with digital certificates, no password. That will also make brute force attacks hard/impossible.






          share|improve this answer






























            3














            Use nmap on all interfaces on the machine, so you know what services you run on your machine. This is an essential tool for security.



            Remove all services you don't need on your external interfaces. You can configure MySQL to only listen on specific interfaces, like localhost.



            Use ufw to protect your SSH service (and possible others) so that it doesn't allow too many (failed) connections per minute from same machine. That will make brute force attacks harder. To change port number isn't that usefull, just obscurity, no security.



            Be restrictive with the number of accounts on your machine. Also don't install more packages/programs than you actually uses. Only install X11-clients, not a X11-server.



            Only allow ssh-login to the machine with digital certificates, no password. That will also make brute force attacks hard/impossible.






            share|improve this answer




























              3












              3








              3







              Use nmap on all interfaces on the machine, so you know what services you run on your machine. This is an essential tool for security.



              Remove all services you don't need on your external interfaces. You can configure MySQL to only listen on specific interfaces, like localhost.



              Use ufw to protect your SSH service (and possible others) so that it doesn't allow too many (failed) connections per minute from same machine. That will make brute force attacks harder. To change port number isn't that usefull, just obscurity, no security.



              Be restrictive with the number of accounts on your machine. Also don't install more packages/programs than you actually uses. Only install X11-clients, not a X11-server.



              Only allow ssh-login to the machine with digital certificates, no password. That will also make brute force attacks hard/impossible.






              share|improve this answer















              Use nmap on all interfaces on the machine, so you know what services you run on your machine. This is an essential tool for security.



              Remove all services you don't need on your external interfaces. You can configure MySQL to only listen on specific interfaces, like localhost.



              Use ufw to protect your SSH service (and possible others) so that it doesn't allow too many (failed) connections per minute from same machine. That will make brute force attacks harder. To change port number isn't that usefull, just obscurity, no security.



              Be restrictive with the number of accounts on your machine. Also don't install more packages/programs than you actually uses. Only install X11-clients, not a X11-server.



              Only allow ssh-login to the machine with digital certificates, no password. That will also make brute force attacks hard/impossible.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Jun 12 '12 at 2:55

























              answered Jun 6 '12 at 20:48









              AndersAnders

              1,363712




              1,363712























                  2














                  I would also consult the CIS Debian Benchmarks document and it has a significant number of procedures and processes for hardening the operating system that will apply to Ubuntu since it's a derivative of Debian. I would also consult:




                  • Securing Debian Howto

                  • Debian Hardening Walkthrough

                  • Hardening The Linux Kernel With Grsecurity (Debian)






                  share|improve this answer




























                    2














                    I would also consult the CIS Debian Benchmarks document and it has a significant number of procedures and processes for hardening the operating system that will apply to Ubuntu since it's a derivative of Debian. I would also consult:




                    • Securing Debian Howto

                    • Debian Hardening Walkthrough

                    • Hardening The Linux Kernel With Grsecurity (Debian)






                    share|improve this answer


























                      2












                      2








                      2







                      I would also consult the CIS Debian Benchmarks document and it has a significant number of procedures and processes for hardening the operating system that will apply to Ubuntu since it's a derivative of Debian. I would also consult:




                      • Securing Debian Howto

                      • Debian Hardening Walkthrough

                      • Hardening The Linux Kernel With Grsecurity (Debian)






                      share|improve this answer













                      I would also consult the CIS Debian Benchmarks document and it has a significant number of procedures and processes for hardening the operating system that will apply to Ubuntu since it's a derivative of Debian. I would also consult:




                      • Securing Debian Howto

                      • Debian Hardening Walkthrough

                      • Hardening The Linux Kernel With Grsecurity (Debian)







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Jun 9 '12 at 14:53









                      Justin AndruskJustin Andrusk

                      3,43511416




                      3,43511416























                          0














                          Security always comes with a price. Setting some realistic boundaries will help you in getting your goals. I would consider the following aspects:




                          • Against what are you protecting yourself (which type of villain, what is his budget)?

                          • What are your attack vectors?


                          Checking all the links that are posted here, I think this one should be added. It goes into detail about not only how to setup your software, but also to think about the security plan. As a plus, every command to execute is explained with a source to it.



                          Securing an Ubuntu Webserver on Xenial 16.04






                          share|improve this answer




























                            0














                            Security always comes with a price. Setting some realistic boundaries will help you in getting your goals. I would consider the following aspects:




                            • Against what are you protecting yourself (which type of villain, what is his budget)?

                            • What are your attack vectors?


                            Checking all the links that are posted here, I think this one should be added. It goes into detail about not only how to setup your software, but also to think about the security plan. As a plus, every command to execute is explained with a source to it.



                            Securing an Ubuntu Webserver on Xenial 16.04






                            share|improve this answer


























                              0












                              0








                              0







                              Security always comes with a price. Setting some realistic boundaries will help you in getting your goals. I would consider the following aspects:




                              • Against what are you protecting yourself (which type of villain, what is his budget)?

                              • What are your attack vectors?


                              Checking all the links that are posted here, I think this one should be added. It goes into detail about not only how to setup your software, but also to think about the security plan. As a plus, every command to execute is explained with a source to it.



                              Securing an Ubuntu Webserver on Xenial 16.04






                              share|improve this answer













                              Security always comes with a price. Setting some realistic boundaries will help you in getting your goals. I would consider the following aspects:




                              • Against what are you protecting yourself (which type of villain, what is his budget)?

                              • What are your attack vectors?


                              Checking all the links that are posted here, I think this one should be added. It goes into detail about not only how to setup your software, but also to think about the security plan. As a plus, every command to execute is explained with a source to it.



                              Securing an Ubuntu Webserver on Xenial 16.04







                              share|improve this answer












                              share|improve this answer



                              share|improve this answer










                              answered May 3 '18 at 13:10









                              DaanDaan

                              1134




                              1134























                                  0














                                  I made a post about this not long ago on how to secure ubuntu 16.04-18.04. These steps include:



                                  Replace Password Login With Authorized keys
                                  Install a Firewall on Your Linux Server



                                  and some more.
                                  https://hostup.org/blog/how-to-secure-a-ubuntu-linux-server-in-3-simple-steps/






                                  share|improve this answer








                                  New contributor




                                  Davh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                  Check out our Code of Conduct.

























                                    0














                                    I made a post about this not long ago on how to secure ubuntu 16.04-18.04. These steps include:



                                    Replace Password Login With Authorized keys
                                    Install a Firewall on Your Linux Server



                                    and some more.
                                    https://hostup.org/blog/how-to-secure-a-ubuntu-linux-server-in-3-simple-steps/






                                    share|improve this answer








                                    New contributor




                                    Davh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                    Check out our Code of Conduct.























                                      0












                                      0








                                      0







                                      I made a post about this not long ago on how to secure ubuntu 16.04-18.04. These steps include:



                                      Replace Password Login With Authorized keys
                                      Install a Firewall on Your Linux Server



                                      and some more.
                                      https://hostup.org/blog/how-to-secure-a-ubuntu-linux-server-in-3-simple-steps/






                                      share|improve this answer








                                      New contributor




                                      Davh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.










                                      I made a post about this not long ago on how to secure ubuntu 16.04-18.04. These steps include:



                                      Replace Password Login With Authorized keys
                                      Install a Firewall on Your Linux Server



                                      and some more.
                                      https://hostup.org/blog/how-to-secure-a-ubuntu-linux-server-in-3-simple-steps/







                                      share|improve this answer








                                      New contributor




                                      Davh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.









                                      share|improve this answer



                                      share|improve this answer






                                      New contributor




                                      Davh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.









                                      answered 8 hours ago









                                      DavhDavh

                                      1




                                      1




                                      New contributor




                                      Davh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.





                                      New contributor





                                      Davh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.






                                      Davh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                      Check out our Code of Conduct.






























                                          draft saved

                                          draft discarded




















































                                          Thanks for contributing an answer to Ask Ubuntu!


                                          • Please be sure to answer the question. Provide details and share your research!

                                          But avoid



                                          • Asking for help, clarification, or responding to other answers.

                                          • Making statements based on opinion; back them up with references or personal experience.


                                          To learn more, see our tips on writing great answers.




                                          draft saved


                                          draft discarded














                                          StackExchange.ready(
                                          function () {
                                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f146775%2fwhat-can-be-done-to-secure-ubuntu-server%23new-answer', 'question_page');
                                          }
                                          );

                                          Post as a guest















                                          Required, but never shown





















































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown

































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown







                                          Popular posts from this blog

                                          數位音樂下載

                                          When can things happen in Etherscan, such as the picture below?

                                          格利澤436b