
Mitesh Shah

Linux Expert | Automation Enthusiast | Security Consultant


Overview

Setup FQDN Hostname

$ sudo vim /etc/hostname
srv1.example.com

Setup Timezone

$ sudo timedatectl set-timezone Etc/UTC

Setup UMASK

  • To know more about UMASK, follow the link.
  • By default, Ubuntu lets any user enter another user's home directory and read its data.
  • Changing the UMASK sets the permission of every new user account's home directory to 750 instead of 755.
  • More information - Permissive Home Directory Access
# Append as root with tee: with "sudo echo ... >> file" the redirection runs as the unprivileged user and fails
$ echo "umask 0027" | sudo tee -a /etc/profile

Update System Packages

$ sudo apt-get update
$ sudo apt-get dist-upgrade

Setup NTP

$ sudo apt-get install ntp

Setup User & PS1

$ sudo useradd -m -s /bin/bash user
$ sudo passwd user
$ sudo chmod 0750 /home/user
# Append as root with tee: with "sudo echo ... >> file" the redirection would run as the invoking user, not root
$ echo 'PS1="\`if [ \$? = 0 ]; then echo \[\e[37m\]^_^[\u@\H:\w]\\$ \[\e[0m\]; else echo \[\e[31m\]O_O[\u@\H:\w]\\$ \[\e[0m\]; fi\`"' | sudo tee -a /home/user/.bashrc

Disable SSH Password Based Logins

  • Make sure your SSH key has been added on the server first, or you will lock yourself out.
$ ssh-copy-id root@example.com
  • Configure sshd to refuse password-based logins
# Change the following value. sshd uses the first value it reads for a keyword, so edit the existing line rather than appending a new one
$ sudo vim /etc/ssh/sshd_config
PasswordAuthentication no

# Restart SSH
$ sudo service ssh restart
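
Two of the steps above are easy to get wrong silently: sshd keeps the first value it reads for a keyword, and a home directory created with the old umask stays world-readable. The audit script below is an added example, not part of the original post; the sshd_effective and permissive_homes functions, the sample sshd_config and the sample home directories are constructed here to show the checks offline.

```sh
#!/bin/sh
# Added audit helpers, not part of the original post. They check two settings
# the guide changes by hand. Sample inputs are constructed below so the script
# runs offline; on a real host pass /etc/ssh/sshd_config and /home instead.

# Effective value of an sshd_config keyword. sshd keeps the FIRST value it reads,
# so appending "PasswordAuthentication no" to a file that already says "yes"
# changes nothing. Settings inside Match blocks are conditional and skipped here.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { sub(/#.*/, "") }                      # strip comments
        NF < 2 { next }                         # skip blank or bare lines
        tolower($1) == "match" { inmatch = 1 }  # everything after Match is conditional
        inmatch { next }
        tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Home directories under $1 that grant any permission to "others", i.e. anything
# looser than the 0750 the guide enforces with umask 0027 and chmod 0750.
permissive_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        others=$(ls -ld "$d" | cut -c8-10)      # "---": no access for others
        [ "$others" = "---" ] || printf '%s\n' "$d"
    done
}

# Constructed sample data: a config where an early "yes" shadows the later "no",
# plus one world-readable home next to a correctly restricted one.
TMP=$(mktemp -d)
cat > "$TMP/sshd_config" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
mkdir -p "$TMP/home/alice" "$TMP/home/bob"
chmod 0755 "$TMP/home/alice"
chmod 0750 "$TMP/home/bob"

echo "effective PasswordAuthentication: $(sshd_effective "$TMP/sshd_config" PasswordAuthentication)"
echo "homes readable by others:"
permissive_homes "$TMP/home"
```

On a real host, `sshd -T | grep -i passwordauthentication` is the authoritative check, since it prints the configuration sshd actually applies.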

Enable Automatic Security Updates

  • Update the file so the Allowed-Origins block looks like below.
  • You should probably keep updates disabled and stick with security updates only.
$ sudo apt-get install unattended-upgrades
$ sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Install Fail2Ban

# Package names are case-sensitive; the package is "fail2ban"
$ sudo apt-get install fail2ban

Firewall Setup

# Deny everything by default
$ sudo ufw default deny
# Allow Port 22 SSH (before enabling UFW, so the current SSH session is not cut off)
$ sudo ufw allow 22
# Allow Port 80 HTTP
$ sudo ufw allow 80
# Allow Port 443 HTTPS
$ sudo ufw allow 443
# Rate-limit new SSH connections, which slows down SSH brute-force attempts
$ sudo ufw limit ssh/tcp
# Enable UFW last, once the allow rules are in place
$ sudo ufw enable

Install Logwatch To Keep An Eye On Things

$ sudo apt-get install logwatch
$ sudo vim /etc/cron.daily/00logwatch
#!/bin/bash

# Exit quietly if logwatch was removed but not purged
test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0

# Run logwatch and mail the report
/usr/sbin/logwatch --output mail --mailto Mr.Miteshah@gmail.com --detail high

# Note: the recipient is forced by --mailto in the command above;
# change that address (e.g. --mailto address@a.com) to redirect the report
