1

I bought (and just received) a new 1U Dell PowerEdge 860 (got it on eBay for $35).

I finished installing Ubuntu Server (Ubuntu Server 12.04.3 LTS) and installed Apache/MariaDB/memcache/PHP5.

It works great, but I am scared about security.

So far I am the only one using the server, but eventually more people (friends, friends of friends) will use this server, use ssh, etc.

I want to know what I can do to secure all the information and not get hacked, whether from the web, ssh, DDoS or any other possible attack.

Does Ubuntu Server do it for you right away, or do I have to fix it myself?

Thank you

EDIT:

I installed (so far):

  • All dev tools
  • ssh server
  • LAMP

I didn't install:

  • Graphical interface
Pat R Ellery
  • Your question is very broad; there are many ways a server can get "hacked" (or compromised). Let's focus on the network-facing security - you've listed installed packages that suggest this will be a typical LAMP-like setup. Are there any other network-facing services that you will be running beyond this (e.g., DLNA, Samba, etc.)? – plasmid87 Nov 11 '13 at 14:37
  • Here's a piece of advice for you: don't give accounts to anyone you don't trust. It's that simple. You aren't an experienced sysadmin, and aren't prepared to deal with potentially malicious users. You could spend weeks preparing this thing, only to have another zero-day exploit announced, after which the server is compromised, along with all of your (and your friends') data. – EEAA Nov 11 '13 at 14:38
  • [This QA](http://serverfault.com/q/212269) will likely be helpful in your process. As it stands, though, this is off-topic as it does not relate to professional systems administration. – EEAA Nov 11 '13 at 14:40
  • possible duplicate of [Tips for Securing a LAMP Server](http://serverfault.com/questions/212269/tips-for-securing-a-lamp-server) – TheCleaner Nov 11 '13 at 14:45
  • @plasmid87 I updated the OP. Does it make sense if I say I install a level 3 server? (my friend just asked me that) – Pat R Ellery Nov 11 '13 at 14:54
  • "level 3 server" means 0 to me. Could you elaborate? – tombull89 Nov 11 '13 at 15:55
  • @plasmid87 I am sorry, I have no idea what that means... it's my first time. Maybe it means a base install without the bells and whistles. – Pat R Ellery Nov 11 '13 at 15:57
  • Have a look at the answer from @sgtbeano. The essential message is to understand what services are running and network-accessible (e.g., SSH, HTTP server, etc.) and then secure them as best you can. System security isn't atomic (secure or not secure) and there are many different security measures that can be implemented; the key is deciding what's most appropriate for your situation. – plasmid87 Nov 11 '13 at 16:06
  • @PatREllery There's no possible way we can tell you `How to secure a new server OS installation` - as others have pointed out there are just too many possible attack vectors, and security cannot be achieved through a checklist. In addition your question and comments indicate that you lack the basic experience required to implement a secure architecture which means you really have two choices: Get hacked a few times and recover from it ("learn by doing"), or have a professional help you implement and manage your environment and reduce (though by no means eliminate) the risk of a compromise. – voretaq7 Nov 11 '13 at 17:17

2 Answers

2

Search can be really useful:

https://askubuntu.com/questions/146775/what-can-be-done-to-secure-ubuntu-server

From the above answer:

Here is a list of things I do to secure my server.

Turn on UFW (`sudo ufw enable`) and then only allow ports that are actually used (`sudo ufw allow 80`).

Make sure MySQL only allows connections from localhost.

Enable TLS on mail services. Even if it's a self-signed cert. You don't want passwords sent in the clear.

Install ssh brute-force blockers like denyhosts or fail2ban (`sudo apt-get install denyhosts`). Look into making ssh key-based logins only.

Learn AppArmor. If you use fairly vanilla configurations, then it's extremely easy. Just make sure it's turned on. It will help reduce zero-day exploits.

Depending on physical access to the server, you may even want to look at encrypting the data on the hard disk.

Follow other recommendations in this link. EDIT: I forgot to edit this when I didn't have enough reputation to add more links. The link meant here is the last link below.

Never trust your users. If you have multiple users with access to the system, lock them down. If you have to give them sudo access, give them only what they need.

Use common sense. Think real hard about how you'd get in if you were ever locked out. Then close those holes.

You should search for "Ubuntu Hardening" and take a look at the very long list you'll get back.

UFW, which is mentioned in the quote above, stands for Uncomplicated Firewall (https://help.ubuntu.com/community/UFW), which is a great and easy-to-use way of managing iptables.

Regarding DDNS type attacks, you may want to look at pairing NGINX as a front-end static proxy for Apache if you're serving web content and then employ something like CloudFlare to handle your DNS and resilience.

There's a wealth of good articles on best practices and service setup over at Digital Ocean:

https://www.digitalocean.com/community/community_tags/ubuntu

The AskUbuntu sister site is also a wealth of knowledge and help relating to your OS:

https://askubuntu.com/

sgtbeano
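
Two items from the checklist in the answer above (MySQL bound to localhost, ssh without password logins) can be read back from the config files rather than assumed. The script below is an added example, not part of the original answer; the function names and the sample files are constructed for illustration, and it relies on sshd using the first value given for a keyword while MySQL option files use the last.

```shell
#!/bin/sh
# Added example: read back two settings from the checklist above.
# sshd_config: keywords are case-insensitive and the FIRST value wins;
# global scope ends at the first Match block. $3 = value assumed when unset.
sshd_effective() {
    awk -F'[ \t=]+' -v key="$2" -v val="$3" '
        { sub(/^[ \t]+/, "") }
        /^#/ || $0 == "" { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { val = tolower($2); exit }
        END { print val }' "$1"
}

# my.cnf: only the [mysqld] section counts and the LAST bind-address wins.
# Prints "unset" when absent (treated as exposed; skip-networking is not checked).
mysql_bind_address() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^[#;]/ || $0 == "" { next }
        /^\[/ { in_sec = (tolower($0) == "[mysqld]"); next }
        in_sec && /^bind[-_]address[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# Prints one line per finding; prints nothing when both settings are as advised.
audit() {   # $1 = sshd_config path, $2 = my.cnf path
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "no" ] ||
        echo "ssh: password logins still accepted"
    case "$(mysql_bind_address "$2")" in
        127.0.0.1|::1|localhost) ;;
        *) echo "mysql: listening beyond localhost" ;;
    esac
}

demo() {    # constructed sample files, not taken from any real host
    d=$(mktemp -d)
    printf '%s\n' 'Port 22' 'passwordauthentication no' \
        'PasswordAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication yes' > "$d/sshd_config"
    printf '%s\n' '[client]' 'port = 3306' '[mysqld]' \
        'bind-address = 127.0.0.1' 'bind-address = 0.0.0.0' > "$d/my.cnf"
    audit "$d/sshd_config" "$d/my.cnf"
    rm -rf "$d"
}
demo
```

On a real host, point `audit` at `/etc/ssh/sshd_config` and the MySQL/MariaDB option file in use; a plain `grep` for either setting would misread both constructed samples.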
0

This is the article I found most useful - http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics

The whole thing took only a few hours to go through, most time being spent in the mod_security part as there was an incompatibility with some of the latest OWASP rules and I had to roll back to an earlier version (NB v2.2.5 worked fine and the instructions explain how to apply an earlier ruleset).

Jeremy Gooch