basic server security steps
DigitalOcean is a great compute provider, easy to use and not in your way.
Unfortunately, their default Ubuntu server setup isn’t quite as secure as it
should or could be.
Therefore, I’ll be describing some simple steps to make your new server
much more secure.
add a management user
We need to avoid logging in as root; that’s the first target for anyone.
In this example we’ll be creating another user called managethis; I’d recommend
using your own name.
    useradd -m -s /bin/bash managethis   # -m creates the home directory the ssh key will go into
ensure that the management user is able to login via ssh
DigitalOcean already added my ssh key to the authorized_keys list; all I need to do is copy it over to
the new user and make sure that OpenSSH is able to access it.
We’ll be using sudo su - to access the root account later on; to add another level of security, let’s add a user password.
You won’t be able to use this to login via OpenSSH, it’s just for sudo confirmation.
    # either
setup logwatch and fail2ban
From Wikipedia: “Fail2ban is an intrusion prevention software framework which protects computer servers from brute-force attacks.”
Simply put, people will not be able to brute-force their way into your server that easily.
    apt-get update
Give the management user created above its sudo rights with a drop-in file:
    vim /etc/sudoers.d/managethis
    managethis ALL=(ALL) ALL
Logwatch will email you a daily report of your log files; replace test@example.com with your own address
in 00logwatch.
    vim /etc/cron.daily/00logwatch
    /usr/sbin/logwatch --output mail --mailto test@example.com --detail high
deactivate root login via ssh
Open the sshd_config file and change the following options. If an option is missing from your file, add it.
    vim /etc/ssh/sshd_config
    PermitRootLogin no
You can pick any port number for the ssh port; however, the following is advised:
The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources, and it is good practice to follow their port assignment guidelines. Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023 and SHOULD NOT be used. Registered Ports are those from 1024 through 49151 and should also be avoided. Dynamic and/or Private Ports are those from 49152 through 65535 and can be used. Though nothing stops you from using reserved port numbers, this suggestion may help avoid technical issues with port allocation in the future.
Also, please make sure that you open the new ssh port in the firewall with ufw allow 50683 (change the number to the port you chose), and
remember that from now on you need to specify the port when connecting: ssh managethis@YOURSERVERIPADDRESS -p 50683. You can avoid typing all this every time
by defining a Host entry in the ~/.ssh/config file on your own machine.
To apply the changes we need to restart OpenSSH.
    service ssh restart
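The sshd_config edits above, done in a way that is safe to rerun: an existing or commented-out line for the option is replaced, a missing option is added (above any Match block, so it stays global), the chosen port is checked against the IANA dynamic range quoted above, and the configuration is validated with sshd -t before the restart, because a typo that stops sshd from starting leaves the console as your only way in. This is an added example, not code from the original post; SSHD_CONFIG, the function names and the sample server address 203.0.113.10 are assumptions of this example. Note that recent Ubuntu releases ship an Include /etc/ssh/sshd_config.d/*.conf line at the top of sshd_config, and sshd uses the first occurrence of an option it sees, so a drop-in there can override what you set in the main file; the reader function below does not follow Include lines.

```shell
#!/bin/sh
# Added example, not from the original post. SSHD_CONFIG is an assumption of
# this example: it defaults to the real path and a test can point it at a copy.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# True (0) when PORT is numeric and inside the IANA dynamic/private range.
port_is_private() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# Set "Key value" in FILE. The first existing line for Key (active or
# commented out) is replaced, later duplicates are dropped, and when there is
# none the line is inserted before the first Match block or appended.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.new.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; k = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indent and a leading "#"
            split(line, f, /[ \t]+/)
            tok = tolower(f[1])
            if (tok == k) {                          # existing or commented-out setting
                if (!done) { print key " " value; done = 1 }
                next                                  # later duplicates are dropped
            }
            if (!done && tok == "match") {           # keep the setting global
                print key " " value; done = 1
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"                             # keeps the file's mode and owner
    rm -f "$tmp"
}

# Print the value sshd will use for KEY in FILE: the first uncommented
# occurrence wins, exactly as sshd resolves options.
effective_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        NF == 0 { next }
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Validate the whole config before restarting; a broken sshd_config means the
# restart fails and the running daemon is gone.
restart_sshd_if_valid() {
    sshd -t -f "$SSHD_CONFIG" || return 1
    service ssh restart
}

# Emit a ~/.ssh/config stanza for your own machine so "ssh ALIAS" picks the
# user and port without retyping them.
ssh_client_config_entry() {
    printf 'Host %s\n    HostName %s\n    User %s\n    Port %s\n' "$1" "$2" "$3" "$4"
}

# Usage on the server, as root:
#   port_is_private 50683 || echo "pick a port between 49152 and 65535"
#   set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
#   set_sshd_option "$SSHD_CONFIG" Port 50683
#   restart_sshd_if_valid
```

Keep your existing session open while you restart sshd and confirm a fresh login on the new port works before closing it; if the new configuration is wrong, that open session is what lets you repair it.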
enable the ubuntu firewall
The Uncomplicated Firewall (ufw) is a frontend for iptables, and using it is exactly that: easy. All you need to do is:
    ufw allow 22
Please don’t forget to allow the custom ssh port you set earlier.
In case you’re planning to run a webserver:
    ufw allow 80
    ufw allow 443
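The fail2ban step and the firewall step both depend on the ssh port chosen earlier, so this added example (not code from the original post) handles them together: it allows the ssh port before enabling ufw, so a default-deny firewall cannot cut off your own session, and writes a jail.local that points fail2ban's sshd jail at the same port. fail2ban's stock sshd jail is defined with port = ssh, which resolves to 22, so after moving sshd the bans it installs would block a port nobody is using. UFW_CMD and JAIL_LOCAL are assumptions of this example that let a test substitute a recording stub and a scratch file.

```shell
#!/bin/sh
# Added example, not from the original post. UFW_CMD and JAIL_LOCAL are
# assumptions of this example: they default to the real command and path.

UFW_CMD="${UFW_CMD:-ufw}"
JAIL_LOCAL="${JAIL_LOCAL:-/etc/fail2ban/jail.local}"

# Default-deny inbound, allow the ssh port first, optionally 80/443, and only
# then enable ufw. Refuses to run without a numeric ssh port, because enabling a
# default-deny firewall with no ssh rule drops the session you are typing in.
firewall_setup() {
    ssh_port="$1"; with_web="${2:-no}"
    case "$ssh_port" in
        ''|*[!0-9]*) echo "firewall_setup: numeric ssh port required" >&2; return 1 ;;
    esac
    $UFW_CMD default deny incoming
    $UFW_CMD default allow outgoing
    $UFW_CMD allow "$ssh_port/tcp"
    if [ "$with_web" = "web" ]; then
        $UFW_CMD allow 80/tcp
        $UFW_CMD allow 443/tcp
    fi
    $UFW_CMD --force enable       # --force skips the interactive confirmation
}

# Write the local jail override. jail.local is read after jail.conf, so this
# is the supported place to change the port without editing packaged files.
# bantime is in seconds to stay compatible with older fail2ban releases.
write_fail2ban_sshd_jail() {
    port="$1"; file="${2:-$JAIL_LOCAL}"
    printf '[sshd]\nenabled = true\nport = %s\nmaxretry = 5\nbantime = 3600\n' "$port" > "$file"
}

# Read back the port the [sshd] jail is configured to ban on.
fail2ban_jail_port() {
    awk '/^\[/ { in_sshd = ($0 == "[sshd]") }
         in_sshd && $1 == "port" { print $3; exit }' "$1"
}

# Usage on the server, as root, after sshd is already listening on the new port:
#   firewall_setup 50683 web
#   write_fail2ban_sshd_jail 50683 && service fail2ban restart
```

Run firewall_setup only after you have confirmed that sshd answers on the new port; ufw rules take effect immediately once enabled, and the allow rule for the old port 22 is deliberately not added.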
[optional] unattended-upgrades setup
    apt-get install unattended-upgrades
Open the 10periodic apt file:
    vim /etc/apt/apt.conf.d/10periodic
and add this:
    APT::Periodic::Update-Package-Lists "1";
Ensure that you’re happy with the packages it’ll install for you:
    vim /etc/apt/apt.conf.d/50unattended-upgrades
thanks to
This post is a summary of security steps that I found around the internet. Please let me know
if I’ve forgotten to link back.