Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How to connect with ssh with different droplet/vps Question Question
Having problem with remote login on Ubuntu after being updated to 15.04 Question Question

Question

What is your server security check list?

Posted November 29, 2016 17.2k views
Linux BasicsSecurity

Locking down the root acount, using SSH keys, installing fail2ban, and setting up a basic firewall are all things we should be doing in the first five minutes on a new server. After these basics, what other steps do you take to harden your servers? Are there security utilities that you consider essential? Have you implemented any intrusion detection?

Let’s share what’s on our server security check lists.

Add a comment
asb
By:
asb

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How to connect with ssh with different droplet/vps Question Question
Having problem with remote login on Ubuntu after being updated to 15.04 Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
6 answers
justincf November 30, 2016
  1. Password-less logins.
  2. Change SSH port – no need for fail2ban then.
  3. Close all ports by default, and then manually open individual ports that are needed.
  4. Related to #3 limit access to open ports (by source/destination) wherever possible.
  5. Remove all unnecessary packages/services that came preinstalled.
  6. Update all packages, restart the entire server (assuming some of them may need it).

Those are the basics I always run.

Reply Report
  • majemedia November 30, 2016

    to add to these:

    • unattended upgrades (security)
    • locking down mysql
    • weekly port scans
    • reboots as necessary (for unattended upgrades)
    Reply Report
  • rschuetzler September 27, 2017

    Just for posterity’s sake (since I came across this post in a Google search), changing the SSH port does not remove the need for fail2ban. A good port scanning tool (e.g., nmap) can discover what services are running, even if they’re running on a non-standard port. So while changing the SSH port might provide some protection against brute force scans for open port 22, it won’t mean nobody can see that you’re running SSH.

    Reply Report
sierracircle December 2, 2016

Related to security in an after-the-fact sort of way: Backups..lots of backups. Regular backups of your web-folders and databases in different folders for different times.
Have those backups initiated from a different server that ssh’s into the droplet and backs up things then disconnects.

Also: a snapshot of your droplet in a working state.

If your server is compromised, or crashes ..you can spin-up a droplet from that image and then restore your web-folder and databases from the most recent backup.

Reply Report
kyroskoh December 5, 2016

I usually recommend people to follow “CIS Security Benchmarks”, for example for Ubuntu 14.04

Reply Report
asb November 29, 2016

While they might not be the first things that come to mind when thinking about security, monitoring and logging can play an important in role. Often no one notices when a system is initially compromised. The Linux Auditing System is one powerful tool that provides an audit trail for actions that occur on a server allowing you to notice when something out of the ordinary happens. Other useful software for monitoring your servers include Nagios and Prometheus. Both can alert you when resource usage like bandwidth is abnormal. As your infrastructure becomes more complex, setting up centralized logging allows you to search and visualize your logs all in one place. The ELK Stack (Elasticsearch, Logstash, and Kibana) is a popular solution for this.

How To Install Nagios 4 and Monitor Your Servers on Ubuntu 14.04
by Mitchell Anicas
In this tutorial, we will cover the installation of Nagios 4, a very popular open source monitoring system, on Ubuntu 14.04. We will cover some basic configuration, so you will be able to monitor host resources via the web interface. Nagios is useful for keeping an inventory of your servers, and making sure your critical services are up and running. Using a monitoring system, like Nagios, is an essential tool for any production server environment.
Reply Report
newbie November 30, 2016

@asb
hi bro,
i was just thinking, this tutorials could be used with ubuntu 16.04 without any issue or not?
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04

How To Protect SSH with Fail2Ban on Ubuntu 14.04
by Justin Ellingwood
Fail2ban is a daemon that can be run on your server to dynamically block clients that fail to authenticate correctly with your services repeatedly. This can help mitigate the affect of brute force attacks and illegitimate users of your services. In this guide, we'll show demonstrate how to install and configure fail2ban to protect SSH and Nginx on an Ubuntu 14.04 server.
Reply Report
  • asb November 30, 2016

    Ubuntu 14.04 shipped version 0.8.11 while 16.04 is shipping 0.9.3, but fail2ban is pretty stable. There shouldn’t be any issues following that tutorial on 16.04 as all the basic functionality is the same. Though there have been a number of improvements around more advanced usage and additional filters shipped. So looking over the release notes might be a good idea.

    One minor change in the Debian/Ubuntu package to be aware of is that the distro defaults are now done in /etc/fail2ban/jail.d/defaults-debian.conf rather than in /etc/fail2ban/jail.conf directly.

    Reply Report
rizaandhini03 January 3, 2017
[deleted]
Reply Report

Related

Looking for something else?

Ask a new question Search for more help