-
Notifications
You must be signed in to change notification settings - Fork 0
/
server_admin.txt
58 lines (45 loc) · 2.08 KB
/
server_admin.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
Recently, my friend had just setup a cloud instance running Ubuntu, and all of a sudden he saw different
URLs being accessed from his server, and several unknown files listed.
I used not to be so much involved with this because for all the previous projects, there was always someone
taking care of Server Administration. I felt useless to this friend, all I could do was provide some ideas
on what he can do, mentioning technologies that I have heard of or I have used occasionally in the past.
here is a short list of technologies that I have used for server security
1. Use of RSA keys for authentication. never user the password
2. Using fail2ban, a great daemon tool that monitors login attempts.
The great advantage of fail2ban is that it blocks any activity that seems suspious, hence
the need for the key authentication.
Details: https://www.fail2ban.org/wiki/index.php/Main_Page
You will most likely have a ~/.ssh directory. secure it with 700 mode and then create ~/.ssh/authorized_keys
make yourself the owner of the this file.
stop login from ssh
nano /etc/ssh/sshd_config
add the following
PermitRootLogin no
PasswordAuthentication no
AllowUsers username@[ip_addr] username@[ip_addr]
you may want to restart ssh service
setup a firewall.
Ubuntu comes with ufw.
to configure it to only open certain ports, running
ufw allow from [ip_addr] to any port # to allow ssh for you only
ufw allow 80 # for http
ufw allow 443 # for https
ufw enable # so enable the firewall
Details: https://help.ubuntu.com/community/UFW
Automatic Updates.
It is not a good practice to enable automatic updates for everything on a server.
block everything else
edit
nano /etc/apt/apt.conf.d/#periodic # (#) is some number
update it so it looks like so
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
allow security updates
Edit this conf
nano /etc/apt/apt.conf.d/#unattended-upgrades (#) some priority number
Unattended-Upgrade::Allowed-Origins {
"Ubuntu lucid-security";
// "Ubuntu lucid-updates";
};