Server Hardening - Ubuntu 18

We will learn how to harden the Ubuntu server.

1.      Once Ubuntu is installed, update the server and remove unwanted packages. First of all check if assigned IP is in any blacklist or not.

#apt-get update
#apt-get upgrade
#apt-get autoremove

2.      SSH configuration
a.    Now, we will change configuration of SSH in order to make it more secure. Note that, a wrong setting or silly mistake can lock you out of the server. Hence proceed with caution. First, backup the SSH configuration file. Option b,c,d can be omitted while hardening servers on the platform as we already have platform based key authentication.

#cp /etc/ssh/sshd_config /etc/ssh/backup.sshd_config

b.      Now, create a non-root user with sudo privileges. Replace <username> with correct name.


#adduser <username>
#usermod -aG sudo <username>
#su — <username>

c.      Use key based authentication instead of password based. Key based authentication is considered safe because of complexity of the key. Generate a key using puttygen on local computer and then upload the key on the server in the file.


#<username>/.ssh/authorized_keys

d.      If .ssh directory is not present, you can create one by command


#mkdir <username>/.ssh

e.      Now is the time to edit actual SSH configuration file. Use nano or vim text editor. You need to change certain values.


#vim /etc/ssh/sshd_config
PasswordAuthentication
= No
PermitRootLogin
= No                        //Root will not be able to login remotely.
ClientAliveInterval
= 300                     //SSH connection will be terminated after 300 seconds of inactivity
ClientAliveCountMax
= 0

               AllowUsers = <username>   //Note that, we can allow multiple users. Rest all users will be blocked
               Port
= XXXX                                             //Default value is 22. You can change to other unused port e.g. 1234

               X11Forwarding ==> No

 

f.       Install Fail2ban service for blocking unnecessary/unauthorized attempts of logging into server

#apt-get install fail2ban

g.      Once installed, create backup of jail configuration of Fail2ban.

#cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

h.      Edit the jail config file and modify mentioned fields

#vim /etc/fail2ban/jail.local
[sshd]

              enabled = true
              port = ssh
             logpath = %(sshd_log)s

 

i.       After editing, restart the Fail2ban service


#service fail2ban restart

3.      Apache configuration

a. First thing is to hide apache default page. Then you need to hide directory listing to prevent public access of folder.

   #  vim /etc/apache2/conf-enabled/security.conf

       ServerSignature
==> Off

       ServerTokens ==> Prod

       Change “Options Indexes FollowSymLinks” to “Options -Indexes –FollowSymLinks” under <Directory /var/www/>

 

b. Now, we will install security modules for apache which will provide protection against brute force attacks, DDOS and HTTP brute force attacks

    #apt install libapache2-mod-security2 –y
    #apt install libapache2-mod-evasive –y

 

 

4.      Mail security

a.      Spamassasin is used to prevent spam mail attack on the server with postfix or sendmail. To install  and configure spamassasin, we need to add another user as well.


#
apt-get install spamassassin spamc
# adduser spamd --disabled-login                      //Skip the information of the user by pressing enter

b.      As spamassasin is installed, you need to edit its configuration file and modify certain values


#vim /etc/default/spamassassin

ENABLED
==> 1
SAHOME
==> "/var/log/spamassassin/"
OPTIONS
==> "--create-prefs --max-children 5 --username spamd --helper-home-dir /home/spamd/ -s /home/spamd/spamd.log"
CRON
==> 1

c.      As the config file is changed, you need to modify rules also. Edit the file and add/uncomment following field
# vim /etc/spamassassin/local.cf
rewrite_header Subject                                        [***** SPAM _SCORE_ *****]

required_score                                                                                     5.0

use_bayes                                                                                              1

bayes_auto_learn                                                                                1

d.      Once we have changed configuration parameters and added rules, restart the service.
#
service spamassassin restart



5.      Situational Configuration (Right now Ubuntu VPS does not have fucntioning platform firewall)

 

a.      Install CSF (ConfigServer Firewall) in order to open and allow the ports. Its installation is very simple


#wget http://download.configserver.com/csf.tgz
#tar -xvzf csf.tgz
#cd csf
#sh install.sh

b.      To add/remove ports from the firewall, edit config file of CSF and apply changes by ‘csf –r’. Note that ports which we want to allow should be added in the field "TCP_IN" of CSF config file below.


#vim /etc/csf/csf.conf
#csf –r

c.      If the VPS is used for website hosting, add the website in Uptime robot for continuous monitoring. Add monitor with ‘HTTPS’ parameter and add URL we want to monitor. Add necessary recipients to whom down/up alerts should be sent.

  • 1 Users Found This Useful
這篇文章有幫助嗎?

相關文章

New joinee induction checklist

  Induction checklist of New Joinee                 Name of New...

Requirement Gathering

  Whenever we are discussing with client and understanding their needs, few things...

Setup Tally on Cloud

  Hi, Setting up Tally on Cloud is simple task task. Following are steps to follow 1.     Set...

Gaming - setting up server

  Hi, Setting up windows server for gaming is very crucial step when it come to game renderning....

Gaming - order processing

  Once there is an order placed by user for gaming, it will be notified via email and in WHMCS...

Powered by WHMCompleteSolution