The role of server administrator comes with the responsibility of securing and maintaing the server. Acually, proper maintainance is part of the security stratgey, as security updates need to be installed on e regular basis. I found an accessible and up-to-date (May 2018) chapter on server security in Jay LaCroix. Mastering Ubuntu Server – Second Edition.
Topics on this page
- Backup
- Update software
- SSH
- Firewall
- Lock passwords
- Secure http with Certbot
- Prevent multiple login attempts
- Service auditing
- Manage log files with logrotate
Backup
No matter how secure your server is, there is always a risk of loss of data, if not by malicious attacks, than by hardware failure. Regular backups on independent media can help to limit damage. A simple option at DigitalOcean is to include weekly backups (at an additional charge of $1 per month). Alternatively, you can make your pick from available open source back-up software for linix.
Update software
Keeping your system up-to-date is an important part of maintainance and security. Be aware that new loopholes, that may threaten system integrity, are discovered all the time. To update your server, first update your repositories and next upgrade the software.
sudo apt update sudo apt upgrade
The upgrade command will update packages that have already been installed, but it will not add or remove any dependecies. It won’t install anything new and will not update the kernels. To do this, you need to dist-upgrade, where relevant followed by a restart of certain services or sometimes a complete reboot.
sudo apt dist-upgrade sudo systemctl restart [service] sudo reboot
In interesting service to keep your ubuntu kernel safe between regular maintainance is Livepatch. You can get a free [token] for upto 3 servers and have security patches added to your kernel automatically, while the server is running. It is as simple as logging iin with an Ubuntu One account, get a [token], run two commands and check the service.
sudo snap install canonical-livepatch sudo canonical-livepatch enable [token] sudo canonical-livepatch status
SSH authentication
SSH authentication is the preferred way to connect to the server. With SmarTTY as an SSH client it is very easy to setup SSH authentication. You can simply provide SmarTTY with the host name, username and password. Check the box to “Setup public key authetication and don’t ask password again” and choose the option “Public key in Windows key store (associated with your user account): Auto“. Check “Save this connection to connections list” and click “Connect“. SmarTTY will now set up a secure SSH connection and forget your password.
SmarTTY with public key backup
Hardening SSH
One simple way to distract automatic robot searches from your SSH port is to change the default value of port 22. The port value can be set in ect/ssh/sshd_config. Uncomment #Port 22 around line 13. You can use any unused port from 1 to 65535, but it’s recommended to choose a privileged port from 1 to 1024.
Port 65332
This will in no way protect against targeted attacks, because a simple port scan will reveal the new port, but it will hide the port from random port 22 attacks. To SSH connect with your new port, you need to adjust your host name in ShanTTY.
Host name: ip-address:65332
While at ect/ssh/sshd_config it might be a good idea to block root ssh login by setting PermitRootLogin no. Make sure you have created a newuser with adminstrative rights for access to the server (see: basic configuration). Don’t shut yourselve out of your own server!
After changing ect/ssh/sshd_config, you need to reload the configuration, for the changes to take effect.
$ sudo systemctl reload ssh
Firewall
The firewall should already have been configured and enabled at the basic configuration of the webserver. Set the firewall as precise and strict as needed for use of the server (tutorial). For basic use, the webserver will probably need ports 80 and 443 (Nginx Full). For SSH authentication, you will either use 22/tcp (OpenSSH) or specify your own choice.
$ sudo ufw status $ sudo ufw status verbose $ sudo ufw allow 65332
If needed you can remove rules by number or by name.
$ sudo ufw status numbered $ sudo ufw delete 2 $ sudo ufw delete allow OpenSSH
Lock passwords
After you have secure SSH connections configured and tested at your brand new port, you can lock down your passwords. It is of particular relevance to lock down root, because this will be the first account hostile attacks will target. Since root as a username is already defnied, a brute force attack need only resolve the password. You can lock with the option -l and unlock with the option -u.
$ sudo passwd -l root $ sudo passwd -u root
Secure http with Certbot
To encrypt your webtrafic from prying eyes, you can need to secure http with Certbot. This is particularely relevant to protect your data. When logging into your database with phpMyAdmin without encryption, you are inviting cyberpirates to login along with you. Encryption is your first and most easy line of defense.
Prevent multiple login attempts
Install Fail2Ban or do the same simply with with iptables
Service auditing
Check your attack service and reduce open ports.
$ sudo netstat -tulpn
Inspect authorization log
$ sudo grep "failure" /var/log/auth.log > ~/auth-failure.txt $ sudo grep "sshd" /var/log/auth.log > ~/auth-sshd.txt $ sudo grep "CRON" /var/log/auth.log > ~/auth-cron.txt