Question
Best practices for hardening new server in 2017
When setting up droplets on Digital Ocean it is encouraged to set up some basic security and monitoring. I have read around quite a lot recently on best practices for hardening a new Ubuntu server. Below are the steps I have compiled. Does the community have any suggestions for tweaks to this list, including additions or removals?
- Create a non-root user [2, 3, 7, 8]
- Add non-root to the sudoers group [2, 3, 8]
- Add public ssh key to non-root user [1, 2, 3, 8]
- Deny all inbound traffic with ufw firewall [1, 3, 4, 7]
- Open required ports within the ufw firewall [1, 3, 4, 7]
- Update SSH config - Password-less logins [2, 3, 7, 8, 9]
- Update SSH config - Disable root login [2, 3, 5, 7, 8, 9]
- Update SSH config - Change ssh port [2, 3, 7, 8, 9]
- Unattended upgrades [3, 4, 6, 7]
- Postfix for emails [2, 3, 6]
- Logwatch to send daily summary emails [3]
- Fail2ban [2, 3, 7]
- Set the timezone to UTC and install NTP [2]
- Secure shared memory [5]
- Add a security login banner [5]
- Harden the networking layer [5]
- Prevent IP spoofing [5]
Sources
1. Digital Ocean - 7 Security Measures to Protect your Servers
2. Digital Ocean - What do you do with your first five minutes on a new server
3. Securing a Server with Ansible
4. Ghost on Digitalocean 512MB
5. Tech Republic - How to harden Ubuntu server 16-04 security in five steps
6. How to configure Auto-Updates on Linux Ubuntu Servers
7. Linode - Securing your Server
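
An added example, not part of the original post: a POSIX shell check of the three SSH config items in the list above (password-less logins, root login disabled, non-default port). The function names and the sample config are constructed for illustration; only the global section of the file is evaluated, and OpenSSH defaults are assumed for keywords that are missing.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the checklist's SSH items.
# sshd keywords are case-insensitive and the first value found wins; only the
# global section (everything before the first Match line) is read here.

# effective_value FILE KEYWORD DEFAULT (hypothetical helper)
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "match" { exit }           # stop at per-user/host blocks
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }             # fall back to OpenSSH default
    ' "$1"
}

# audit_sshd FILE: prints one line per item, returns the number of FAILs
audit_sshd() {
    file=$1 fails=0
    pw=$(effective_value "$file" PasswordAuthentication yes)
    root=$(effective_value "$file" PermitRootLogin prohibit-password)
    port=$(effective_value "$file" Port 22)
    if [ "$pw" = no ]; then echo "PASS password logins disabled"
    else echo "FAIL PasswordAuthentication is '$pw'"; fails=$((fails + 1)); fi
    if [ "$root" = no ]; then echo "PASS root login disabled"
    else echo "FAIL PermitRootLogin is '$root'"; fails=$((fails + 1)); fi
    if [ "$port" = 22 ]; then echo "NOTE sshd still listens on the default port 22"
    else echo "PASS sshd listens on port $port"; fi
    return "$fails"
}

# Constructed sample config, so the script runs without touching a real server.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
Port 2222
PermitRootLogin yes
PasswordAuthentication no
# duplicate below is ignored because the first value wins
passwordauthentication yes
Match User deploy
    PermitRootLogin no
EOF

audit_sshd "$sample" || echo "$? checklist item(s) failing"
```

On a live server, point `audit_sshd` at `/etc/ssh/sshd_config`; `sshd -T` prints the configuration sshd actually applies and is the authoritative cross-check.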