damiann · August 14, 2013 19:30
diff --git a/gistfile1.txt b/gistfile1.txt
 Let’s Get Started

 Our box is freshly hatched, virgin pixels at the prompt. I favor Ubuntu; if you use another version of linux, your commands may vary. Five minutes to go:

 passwd

 Change the root password to something long and complex. You won’t need to remember it, just store it somewhere secure - this password will only be needed if you lose the ability to log in over ssh or lose your sudo password.

 apt-get update
 apt-get upgrade

 The above gets us started on the right foot.

 Install Fail2ban
 apt-get install fail2ban

 Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. It’s well configured out of the box.

 Now, let’s set up your login user. Feel free to name the user something besides ‘deploy’, it’s just a convention we use:

 useradd deploy
 mkdir /home/deploy
 mkdir /home/deploy/.ssh
 chmod 700 /home/deploy/.ssh

 Require public key authentication

 The days of passwords are over. You’ll enhance security and ease of use in one fell swoop by ditching those passwords and employing public key authentication for your user accounts.

 vim /home/deploy/.ssh/authorized_keys

 Add the contents of the id_rsa.pub on your local machine and any other public keys that you want to have access to this server to this file.

 chmod 400 /home/deploy/.ssh/authorized_keys
 chown deploy:deploy /home/deploy -R
 Test The New User & Enable Sudo

 Now test your new account logging into your new server with the deploy user (keep the terminal window with the root login open). If you’re successful, switch back to the terminal with the root user active and set a sudo password for your login user:

 passwd deploy

 Set a complex password - you can either store it somewhere secure or make it something memorable to the team. This is the password you’ll use to sudo.

 visudo

 Comment all existing user/group grant lines and add:

 root    ALL=(ALL) ALL
 deploy  ALL=(ALL) ALL

 The above grants sudo access to the deploy user when they enter the proper password.

 Lock Down SSH

 Configure ssh to prevent password & root logins and lock ssh to particular IPs:
 vim /etc/ssh/sshd_config

 Add these lines to the file, inserting the ip address from where you will be connecting:
 PermitRootLogin no
 PasswordAuthentication no
 AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)

 Now restart ssh:
 service ssh restart
 Set Up A Firewall

 No secure server is complete without a firewall. Ubuntu provides ufw, which makes firewall management easy. Run:

 ufw allow from {your-ip} to any port 22
 ufw allow 80
 ufw allow 443
 ufw enable

 This sets up a basic firewall and configures the server to accept traffic over port 80 and 443. You may wish to add more ports depending on what your server is going to do.

 Enable Automatic Security Updates

 I’ve gotten into the apt-get update/upgrade habit over the years, but with a dozen servers, I found that servers I logged into less frequently weren’t staying as fresh. Especially with load-balanced machines, it’s important that they all stay up to date. Automated security updates scare me somewhat, but not as badly as unpatched security holes.

 apt-get install unattended-upgrades
 vim /etc/apt/apt.conf.d/10periodic

 Update the file to look like this:
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Download-Upgradeable-Packages "1";
 APT::Periodic::AutocleanInterval "7";
 APT::Periodic::Unattended-Upgrade "1";

 One more config file to edit:
 vim /etc/apt/apt.conf.d/50unattended-upgrades

 Update the file to look like below. You should probably keep updates disabled and stick with security updates only:
 Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
 //      "Ubuntu lucid-updates";
 };

 Install Logwatch To Keep An Eye On Things

 Logwatch is a daemon that monitors your logs and emails them to you. This is useful for tracking and detecting intrusion. If someone were to access your server, the logs that are emailed to you will be helpful in determining what happened and when - as the logs on your server might have been compromised.

 apt-get install logwatch
 vim /etc/cron.daily/00logwatch

 add this line:
 /usr/sbin/logwatch --output mail --mailto [email protected] --detail high
	Let’s Get Started

	Our box is freshly hatched, virgin pixels at the prompt. I favor Ubuntu; if you use another version of linux, your commands may vary. Five minutes to go:

	passwd

	Change the root password to something long and complex. You won’t need to remember it, just store it somewhere secure - this password will only be needed if you lose the ability to log in over ssh or lose your sudo password.

	apt-get update
	apt-get upgrade

	The above gets us started on the right foot.

	Install Fail2ban
	apt-get install fail2ban

	Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. It’s well configured out of the box.

	Now, let’s set up your login user. Feel free to name the user something besides ‘deploy’, it’s just a convention we use:

	useradd deploy
	mkdir /home/deploy
	mkdir /home/deploy/.ssh
	chmod 700 /home/deploy/.ssh

	Require public key authentication

	The days of passwords are over. You’ll enhance security and ease of use in one fell swoop by ditching those passwords and employing public key authentication for your user accounts.

	vim /home/deploy/.ssh/authorized_keys

	Add the contents of the id_rsa.pub on your local machine and any other public keys that you want to have access to this server to this file.

	chmod 400 /home/deploy/.ssh/authorized_keys
	chown deploy:deploy /home/deploy -R
	Test The New User & Enable Sudo

	Now test your new account logging into your new server with the deploy user (keep the terminal window with the root login open). If you’re successful, switch back to the terminal with the root user active and set a sudo password for your login user:

	passwd deploy

	Set a complex password - you can either store it somewhere secure or make it something memorable to the team. This is the password you’ll use to sudo.

	visudo

	Comment all existing user/group grant lines and add:

	root ALL=(ALL) ALL
	deploy ALL=(ALL) ALL

	The above grants sudo access to the deploy user when they enter the proper password.

	Lock Down SSH

	Configure ssh to prevent password & root logins and lock ssh to particular IPs:
	vim /etc/ssh/sshd_config

	Add these lines to the file, inserting the ip address from where you will be connecting:
	PermitRootLogin no
	PasswordAuthentication no
	AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)

	Now restart ssh:
	service ssh restart
	Set Up A Firewall

	No secure server is complete without a firewall. Ubuntu provides ufw, which makes firewall management easy. Run:

	ufw allow from {your-ip} to any port 22
	ufw allow 80
	ufw allow 443
	ufw enable

	This sets up a basic firewall and configures the server to accept traffic over port 80 and 443. You may wish to add more ports depending on what your server is going to do.

	Enable Automatic Security Updates

	I’ve gotten into the apt-get update/upgrade habit over the years, but with a dozen servers, I found that servers I logged into less frequently weren’t staying as fresh. Especially with load-balanced machines, it’s important that they all stay up to date. Automated security updates scare me somewhat, but not as badly as unpatched security holes.

	apt-get install unattended-upgrades
	vim /etc/apt/apt.conf.d/10periodic

	Update the file to look like this:
	APT::Periodic::Update-Package-Lists "1";
	APT::Periodic::Download-Upgradeable-Packages "1";
	APT::Periodic::AutocleanInterval "7";
	APT::Periodic::Unattended-Upgrade "1";

	One more config file to edit:
	vim /etc/apt/apt.conf.d/50unattended-upgrades

	Update the file to look like below. You should probably keep updates disabled and stick with security updates only:
	Unattended-Upgrade::Allowed-Origins {
	"Ubuntu lucid-security";
	// "Ubuntu lucid-updates";
	};

	Install Logwatch To Keep An Eye On Things

	Logwatch is a daemon that monitors your logs and emails them to you. This is useful for tracking and detecting intrusion. If someone were to access your server, the logs that are emailed to you will be helpful in determining what happened and when - as the logs on your server might have been compromised.

	apt-get install logwatch
	vim /etc/cron.daily/00logwatch

	add this line:
	/usr/sbin/logwatch --output mail --mailto [email protected] --detail high