meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
digital:server:hardening [2018/12/04 10:51]
natrius [Installing Tools] 		digital:server:hardening [2019/04/30 20:14] (current)
natrius
Line 2: Line 2:
  
 What i am doing or what i want to do to harden my server.  What i am doing or what i want to do to harden my server. 
 +
 +## Prerequisites
 +
 +  * A fresh Ubuntu 18.04 installation
 +  * Root privileges
  
 ## First minutes ## First minutes
  
 The first steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards. The first steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards.
 +
 +### What we will do
 +
 +  * Create a new user with sudo rights
 +  * Test login with the new user
 +  * Configure SSH (deactivate root login, password login, [optional] change Port)
 +  * Install fail2ban (Configure short-term ban and a long-term ban)
 +  * Update (Just in case)
 +  * Install and configure UFW (Just allow used ports like ssh)
 +  * BREAKTIME
  
 ### Create a new user with sudo rights ### Create a new user with sudo rights
Line 114: Line 129:
 ### Install and configure UFW ### Install and configure UFW
  
-Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too.+Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80.] and for hosted websites port 80 and if you intend to use letsencrypt or somethinglike that port 443 too. UFW does not play well with Docker, keep that in mind.
  
 Important commands for UFW Important commands for UFW
Line 239: Line 254:
 To integrate later To integrate later
  
 +  * https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
   * DOD STIG checklists   * DOD STIG checklists
   * https://www.cisecurity.org/cis-benchmarks/   * https://www.cisecurity.org/cis-benchmarks/
Line 246: Line 262:
   * https://www.cyberciti.biz/tips/linux-security.html   * https://www.cyberciti.biz/tips/linux-security.html
   * https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure   * https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure
 +  * https://www.reddit.com/r/linuxadmin/comments/arx7xo/howtosecurealinuxserver_an_evolving_howto_guide/?sort=top
 +  * https://github.com/imthenachoman/How-To-Secure-A-Linux-Server#custom-jails
 +  * https://www.cisecurity.org/cis-benchmarks/
 +
 +