Especially in 2017 everyone should be concerned about security. You don’t need to be a genius or completely paranoid in order to avoid most potentially compromising situations. Follow these instructions and you’ll have a basic understanding of what it is to secure your brand new, vanilla Ubuntu server. That said, if you use the web or have a publicly accessible service then there is always a chance you will be compromised. You cannot predict application patches with vulnerabilities or the colorful attempts a hacker that is specifically targeting you may employ. You may simply prep with your best effort.
Add your first user
sudo -s adduser <new_user> usermod -aG sudo <new_user>
Modify the SSHD config
Modify the following line:
PermitRootLogin = yes PermitRootLogin = no
Some blogs may advise you to change the port to a non-standard number (ie: 8022, 2222). I don’t believe this is a good idea: A. There is no such thing as security through obscurity B. This opens the door for password interception, assuming you’re using plaintext passwords instead of keys. A lot of amateur blogs will use the word non-standard port to reference anything above 1024, however, the proper terminology is a non-privileged port (meaning root does not have to be used to begin listening, any user can listen).
Ex. If you use port 2222 I can now create a script to mimic SSH and begin stealing your passwords like the troublesome child I am.
Setup Uncomplicated Firewall (UFW)
apt install ufw ufw allow 22/tcp
We’ve installed UFW and opened TCP port 22 for ssh connections.
Configure Automatic Security Updates
apt install unattended-upgrades dpkg-reconfigure unattended-upgrades
You’ll want to select the description:
This package can download and install security upgrades automatically and unattended, taking care to only install packages from the configured APT source, and checking for dpkg prompts about configuration file changes.
In future articles I’ll probably write some more on this subject. Here’s some more topics worth looking into in security:
- Keep in mind Linode does not support AppArmor, you will need to recompile the kernel
- Key based authentication
- Swap file security
- File ownership
- Principle of Least Privilege