Beruflich Dokumente
Kultur Dokumente
SUBSCRIBE
My First 10 Minutes On
a Server - Primer for
Securing Ubuntu
14 JUNE 2016
apt-get update
apt-get upgrade
useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
Setup your prefered shell for the deploy user, here we use
bash:
le.
vim /home/deploy/.ssh/authorized_keys
le can be read by
le).
passwd deploy
visudo
le with:
Add the %sudo group below the root user as shown below.
Make sure to comment out any other users and groups with
a #. (users have no pre x and groups start with %.) Most
fresh installs won't have any there, but just make sure.
root
ALL=(ALL) ALL
%sudo
ALL=(ALL:ALL) ALL
exec su -l deploy
This starts a new interactive shell for the deploy user with
the new permissions to the sudo group. It will require your
deploy's password, but feels faster than logging out and
vim /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@(your-VPN-or-static-IP)
AddressFamily inet
Setting up a rewall
Setting up a rewall
There are usually two camps. Those who use IPtables
directly and those who use a handy interface called ufw
which is a layer on top of IPtables meant to simplify things.
Simple is generally better with security. The DigitalOcean
ufw is really good and goes over the basics.
ufw is installed by default on Ubuntu and is just an apt-get
install ufw away on Debian.
le.
vim /etc/default/ufw
IPV6=yes
For the rest of the ports that we're going to open up, we
can just use the ufw tool from command line which is very
handy.
The
c.
sure you have a static IP or secure VPN that you connect to.
A dynamic IP will leave you locked out of your box some
day in the future.
vim /etc/apt/apt.conf.d/10periodic
Update this
le to match this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
vim /etc/apt/apt.conf.d/50unattended-upgrades
Make the
Unattended-Upgrade::Allowed-Origins {
"Ubuntu lucid-security";
//"Ubuntu lucid-updates";
};
fail2ban
les
2 Factor Authentication
2FA is not optional for us when building anything that has
very sensitive requirements. Theoretically, if you're
enforcing 2FA (on top of all these other measures), then in
order to gain access to your server (baring application
vulnerabilities), the attacker would have to have:
su deploy
google-authenticator
Logwatch
This is really more of a simple pleasure and a monitoring
tool that helps you see what's going on after the fact.
Logwatch monitors your log les and when con gured
sends you a daily email with the information parsed very
nicely. The output is quite entertaining to watch and you'll
be surprised at how many attempts are made every day to
gain access to your server. I install it if for no other reason
vim /etc/cron.daily/00logwatch
le:
All done
There you are. Your main concern and point of vunerability
after completing this will be your application and services.
These are another animal entirely though.
We're making a big push to externalize our processes and
best practices, if you're interested in learning more take a
look at our repository. We open source all of our policies
and best practices as well as continue to add to them there.
Have suggestions or questions? Comment below or submit
a PR/issue on the Github repo! There are also a lot of really
Want to
Subscribetogetupdatesonsoftwareengineering,technology,and
ourtechR&Dwork.
emailaddress
Subscribe
21Comments
CodelittIncubator
Share
Recommend 9
Login
SortbyBest
Jointhediscussion
DanielDeGroff 2daysago
Greatarticle.AsimilararticleI'vefoundgoesabitdeeperintoafew
areasifanyonewantstoreallygetnerdy.
https://www.inversoft.com/guid...
6
Reply Share
CodelittIncubator
Mod >DanielDeGroff
2daysago
Thislooksreallythorough.Greatjobputtingsomuchtimeinto
thisarticleforthecommunity!
4
Reply Share
duanejeffers 2daysago
Onesmallnote:OnUbuntuyoucanaddanyusertotheadmingroup
(`usermodGadmin<username>`),insteadofeditingthesudoersfile.
Thereasonisiftheservergetscompromised,andyouneedtoreplace
thesudoersfile,theyoucanuseadefaultfileandnotinterruptthe
deployprocess.
2
Reply Share
Berzerker>duanejeffers 2daysago
Mostimplementationsofsudoadda%sudogroupbydefaultto
thesudoersfile.Ondebian,forexample,youcanjustusermod
aGsudo<user>withoutneedingtoeditthesudoersfile.
Reply Share
MariusGedminas>Berzerker adayago
Ubuntuhasa%sudogroupsince14.04LTS.Sincethis
articlementions"lucid",whichwasreleasedin2010,it
makessensethatasudogrouphadtobeaddedmanually.
AlthoughUbuntuhadan%admingroupinsudoerssince
theverybeginning,soeverythingcanbedonewithout
touching/etc/sudoers.
Reply Share
AlexSydell 9hoursago
Thisisagreatlistofthebasicseveryoneshoulddowhensettingupan
Ubuntuserver.
IwroteacoupleAnsibleplaybooksawhilebackthatdomostofthese
IwroteacoupleAnsibleplaybooksawhilebackthatdomostofthese
automatically:
https://github.com/alexsydell/...
Pullrequestswithothercommonsensesetupandsecuritystepsorif
anythingdoesn'tworkareverywelcome!
1
Reply Share
jideel 2daysago
Iwouldaddpamsshagentauthwhichcouldperhapssaveyoufromthe
burdenofthesharedencryptedpassword:
https://blog.0xbadc0de.be/arch...,http://pamsshagentauth.sourcef...
1
Reply Share
Dr.Oetker anhourago
Valuablewriteup!Doyouknowtripwire,and(ifyes)whydidyounot
includeitinthelist?
Reply Share
JanMallari 6hoursago
Goodread.Quickquestion,whenIrebootedmyEC2instance,Ican't
SSHintomyserveranymore.Canyouhelpmewiththis?
Reply Share
JanMallari>JanMallari 5hoursago
Ithink,Igotthiscoverednow.Isuspecttheissueonmypartis
here,AllowUsersdeploy@(yourVPNorstaticIP).
Iincludedtheparenthesesonmyconfig.
Reply Share
MarcoPivetta 19hoursago
Reply Share
JohnHammer adayago
Thankssomuchforwritingthisarticle.Ithinkyouhavesavedme
atleast80hrsofwork.
Reply Share
Evropi adayago
Note:useaptinsteadofaptget.
Reply Share
JamieStarke adayago
Thisseemssimilartothe"Myfirst5minutesonaserver"articleIreada
whileback.IfyouuseChef,Ihaveacookbookformostofthisexcept
whileback.IfyouuseChef,Ihaveacookbookformostofthisexcept
2FA:https://github.com/jrstarke/ch...
Reply Share
geschtonkenflapped adayago
fail2banDOESNOTsupportipv6.
https://github.com/fail2ban/fa...
Reply Share
AlexM.>geschtonkenflapped adayago
fail2banDOESNOTsupportipv6?ohGosh,whyDOESitNOT
supportipv6?doesanybodyknowwhyitDOESNOTsupport
ipv6?I'lltrynottoforgetthefactthatDOESNOTsupportipv6!
I'mgoingtotelleveryonethatitDOESNOTsupportipv6.
Maybeit'llmakeeveryonerememberthatitfail2banDOESNOT
supportipv6.
Reply Share
TimothyJBruce 2daysago
Iwouldaddthreethings(whichIdotomyservers).Ofcourse,thevalue
ofaddingthesewillvaryfromminedependingonothermeasures.
1.Ibackup/etconadailybasisintoacompressedfile.AndIkeepthem
aroundforacoupleofweeks.ThiswayIhavesomethingtocheck
shouldanewpackagereplacetheconfigfilein/etc.
2.IusetheprogramAIDE(availableinyourdistroorfrom
SourceForege)tomonitorchangestofilesin/bin,/sbin,/usr/binand
/usr/sbin.Ijustrunchecksumsonthesefilesonadaily(ormore
frequentbasis)foranyunauthorizedchanges.Iftheyweren'tchanged
byvirtueofapatch,it'saconcernforme.
3.Onsomeothersystems,IalsorunAIDEon/etctowatchforchanges
(andalertme)whenthecontentsofaconfigurationfilehavechanged,
whichmayindicateaproblem.
StillaGREATarticle.Thanksforwritingitup.
TJ
Reply Share
MariusGedminas>TimothyJBruce adayago
etckeeperiswonderfulforkeepingtrackofchangesunder/etc.I
justswitchfromUbuntu'sbizarredefaultofBazaarbacktothe
upstreamdefaultofGit.
Reply Share
Davor 2daysago
Nicearticle.YoumightwanttolookintoU2Ffor2FA.Itworksgreat
andimprovesusability.
Reply Share
aeikenberry 2daysago
Nicechecklist!
Reply Share
Nevi_me 2daysago
Thanks!Veryuseful
Reply Share
Cody Littlewood
Miami