This article presents a short checklist on how to secure Ubuntu in production, protect the sensitive data and ensure the server's stability. Thanks for reading!
👉 Content provided by DeployPRO, a product that simplifies the deployment process -
Works with AWS, Azure and DO
- Regularly update the operating system and software packages using
apt-getto apply security patches.
- Set up automatic security updates to keep your system up to date.
- Enable the Uncomplicated Firewall (UFW) and configure it to allow only necessary incoming and outgoing traffic.
- Restrict SSH access to specific IP addresses or use key-based authentication for SSH.
- Disable SSH root login (
- Use strong SSH key pairs for authentication.
- Set up SSH key passphrase protection.
- Change the default SSH port (if necessary) to reduce automated attacks.
- Create individual user accounts for each person who needs access.
- Implement strong password policies and enforce regular password changes.
- Disable unused or unnecessary user accounts.
- Use tools like Fail2ban to protect against brute-force attacks.
Implement 2FA for SSH and other critical services to add an extra layer of security.
- Review and configure file permissions and ownership for sensitive directories and files.
- Use the principle of least privilege to grant access only to necessary users and groups.
- Set up centralized logging and monitoring using tools like rsyslog and logrotate.
- Regularly review logs for signs of unusual or suspicious activity.
Install and configure intrusion detection systems (IDS) like Fail2ban or OSSEC to monitor for and respond to security threats.
- If running web applications, ensure they are up to date and follow best security practices.
- Consider using a web application firewall (WAF) to protect against web-based attacks.
- Disable unnecessary services and daemons to reduce the attack surface.
serviceto manage services.
Implement regular backups and test restoration procedures to ensure data recovery in case of a breach or system failure.
Subscribe to security mailing lists or monitoring services to stay informed about vulnerabilities and updates.
Set up file integrity monitoring (FIM) to detect unauthorized changes to critical system files.
Consider using AppArmor or SELinux to confine the actions of processes and limit potential damage from security breaches.
If your server doesn't require IPv6, consider disabling it to reduce potential attack vectors.
Periodically conduct security audits and vulnerability assessments of your server.
Follow hardening guidelines provided by Ubuntu or other trusted sources specific to your application and use case.
If applicable, ensure physical access to the server is restricted to authorized personnel.
Continuously review and update your security policies and procedures to adapt to evolving threats.
As an ending note, remember that security is an ongoing process. Regularly assess your server's security posture and adapt to emerging threats. Additionally, always keep backups and a disaster recovery plan in place to minimize potential data loss or downtime in case of a security incident.