Differences

This shows you the differences between two versions of the page.

--- digital:server:hardening [2018/11/17 17:03]
natrius ↷ Page moved from privat:digital:server:hardening to digital:server:hardening
+++ digital:server:hardening [2019/04/30 20:14] (current)
natrius
@@ Line 2: / Line 2: @@
 What i am doing or what i want to do to harden my server.
+## Prerequisites
+  * A fresh Ubuntu 18.04 installation
+  * Root privileges
 ## First minutes
 The first steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards.
+### What we will do
+  * Create a new user with sudo rights
+  * Test login with the new user
+  * Configure SSH (deactivate root login, password login, [optional] change Port)
+  * Install fail2ban (Configure short-term ban and a long-term ban)
+  * Update (Just in case)
+  * Install and configure UFW (Just allow used ports like ssh)
+  * BREAKTIME
 ### Create a new user with sudo rights
@@ Line 114: / Line 129: @@
 ### Install and configure UFW
-Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too.
+Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too. UFW does not play well with Docker, keep that in mind.
 Important commands for UFW
@@ Line 144: / Line 159: @@
 Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools) or / and take look at https://github.com/n1trux/awesome-sysadmin
-Tools i am installing
-  * htop
-  * net-tools
 #### Mailserver
@@ Line 173: / Line 183: @@
 Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors.
+#### Worth checking out
+zsh (instead of bash), glances, rsync, debug tools (lsof, gdb, iotop, slurm, strace), Enable Byobu, etckeeper (etckeeper init, etckeeper commit -m initial), vnstat, linuxbrew, git and checkout the dot files from git, learn Ansible (install python-minimal for ansible), chef bootstrap
 ### Check server
@@ Line 237: / Line 254: @@
 To integrate later
+  * https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
   * DOD STIG checklists
   * https://www.cisecurity.org/cis-benchmarks/
@@ Line 243: / Line 261: @@
   * http://greenfly.org/talks/security/simple_hardening.html
   * https://www.cyberciti.biz/tips/linux-security.html
-  * https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/
+  * https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure
+  * https://www.reddit.com/r/linuxadmin/comments/arx7xo/howtosecurealinuxserver_an_evolving_howto_guide/?sort=top
+  * https://github.com/imthenachoman/How-To-Secure-A-Linux-Server#custom-jails
+  * https://www.cisecurity.org/cis-benchmarks/

Tools

menus and quick search

quick search

site status

location indicator

Page Tools

meta data for this page

Differences