DEV Community

Cover image for Securing Ubuntu for Production
Sm0ke
Sm0ke

Posted on • Originally published at docs.deploypro.dev

Securing Ubuntu for Production

Hello Coders!

This article presents a short checklist on how to secure Ubuntu in production, protect the sensitive data and ensure the server's stability. Thanks for reading!

πŸ‘‰ Content provided by DeployPRO, a product that simplifies the deployment process - Works with AWS, Azure and DO


Update and Patch Software

  • Regularly update the operating system and software packages using apt or apt-get to apply security patches.
  • Set up automatic security updates to keep your system up to date.

Firewall Configuration

  • Enable the Uncomplicated Firewall (UFW) and configure it to allow only necessary incoming and outgoing traffic.
  • Restrict SSH access to specific IP addresses or use key-based authentication for SSH.

SSH Security

  • Disable SSH root login (PermitRootLogin no in /etc/ssh/sshd_config).
  • Use strong SSH key pairs for authentication.
  • Set up SSH key passphrase protection.
  • Change the default SSH port (if necessary) to reduce automated attacks.

User and Password Management

  • Create individual user accounts for each person who needs access.
  • Implement strong password policies and enforce regular password changes.
  • Disable unused or unnecessary user accounts.
  • Use tools like Fail2ban to protect against brute-force attacks.

Two-Factor Authentication (2FA)

Implement 2FA for SSH and other critical services to add an extra layer of security.


Secure File Permissions

  • Review and configure file permissions and ownership for sensitive directories and files.
  • Use the principle of least privilege to grant access only to necessary users and groups.

Monitoring and Logging

  • Set up centralized logging and monitoring using tools like rsyslog and logrotate.
  • Regularly review logs for signs of unusual or suspicious activity.

Intrusion Detection

Install and configure intrusion detection systems (IDS) like Fail2ban or OSSEC to monitor for and respond to security threats.


Secure Web Applications

  • If running web applications, ensure they are up to date and follow best security practices.
  • Consider using a web application firewall (WAF) to protect against web-based attacks.

Disable Unused Services

  • Disable unnecessary services and daemons to reduce the attack surface.
  • Use systemctl or service to manage services.

Regular Backups

Implement regular backups and test restoration procedures to ensure data recovery in case of a breach or system failure.


Security Updates

Subscribe to security mailing lists or monitoring services to stay informed about vulnerabilities and updates.


File Integrity Monitoring

Set up file integrity monitoring (FIM) to detect unauthorized changes to critical system files.


AppArmor/SELinux

Consider using AppArmor or SELinux to confine the actions of processes and limit potential damage from security breaches.


Disable IPv6 (if not needed)

If your server doesn't require IPv6, consider disabling it to reduce potential attack vectors.


Security Audit

Periodically conduct security audits and vulnerability assessments of your server.


Hardening Guides

Follow hardening guidelines provided by Ubuntu or other trusted sources specific to your application and use case.


Physical Security

If applicable, ensure physical access to the server is restricted to authorized personnel.


Regularly Review Security Policies

Continuously review and update your security policies and procedures to adapt to evolving threats.


As an ending note, remember that security is an ongoing process. Regularly assess your server's security posture and adapt to emerging threats. Additionally, always keep backups and a disaster recovery plan in place to minimize potential data loss or downtime in case of a security incident.


Resources

Top comments (0)