It is easy to deploy servers to the cloud: within a few minutes you can have a cloud-based server that you (or others) can use. Ubuntu has a great guide on setting up basic security, but what do you need to do?
If you do not secure your server expect it to be hacked into. Below are tips on securing your cloud server.
First, read more on scanning your server with Lynis security scan.
Always use up to date software
Always use up-to-date software. Malicious users can detect what software you use with sites like shodan.io (or with port scan tools) and then look for weaknesses from well-published lists (e.g. WordPress, Windows, MySQL, node, LifeRay, Oracle etc.). People can even use Google to search for login pages or sites with passwords in HTML (yes, that simple). Once a system is identified by a malicious user, they can send automated bots to break into your site (trying millions of passwords a day) or use tools to bypass existing defences (security researcher Troy Hunt found out it’s child’s play).
Portscan sites like https://mxtoolbox.com/SuperTool.aspx?action=scan are good for knowing what you have exposed.
You can also use local programs like nmap to view open ports.
Install nmap
```
sudo apt-get install nmap
```
Find open ports
```
nmap -v -sT localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-08 23:57 AEST
Initiating Connect Scan at 23:57
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 9101/tcp on 127.0.0.1
Discovered open port 9102/tcp on 127.0.0.1
Discovered open port 9103/tcp on 127.0.0.1
Completed Connect Scan at 23:57, 0.05s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
```
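An added example (not from the original post): once you have the scan output, compare it with the ports you intend to run. The script reads nmap's port table and reports open ports that are missing from an allowlist; the sample table is constructed from the scan above, and the allowlist and function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: compare the open ports in an nmap report with an allowlist.

# Constructed sample: the PORT table from the scan shown above.
sample_scan() {
cat <<'EOF'
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect
EOF
}

# unexpected_ports "<allowed ports>" < nmap-output
# Prints "port/proto service" for every open port that is not in the allowlist.
unexpected_ports() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Table rows look like "3306/tcp open mysql"; everything else is skipped.
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
      if (!($1 in ok)) print $1, $3
    }
  '
}

# audit_ports "<allowed ports>" < nmap-output
# Returns 0 when nothing unexpected is open, 1 otherwise (usable from cron).
audit_ports() {
  extra=$(unexpected_ports "$1")
  if [ -n "$extra" ]; then
    printf 'Unexpected open ports:\n%s\n' "$extra" >&2
    return 1
  fi
  return 0
}

# Demo on the constructed sample: a web server that should expose 22, 80, 443.
sample_scan | unexpected_ports "22/tcp 80/tcp 443/tcp"
```

On a real host, pipe the scan in: `nmap -sT localhost | unexpected_ports "22/tcp 80/tcp 443/tcp"`. A localhost scan lists every listening service, so scan the public address from another machine to see what the firewall actually lets through.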
Limit ssh connections
Read more here.
Use ufw to set limits on login attempts
```
sudo ufw limit ssh comment 'Rate limit hit for openssh server'
```
Only allow known IPs access to your valuable ports
```
sudo ufw allow from 123.123.123.123/32 to any port 22
```
Delete unwanted firewall rules
```
sudo ufw status numbered
sudo ufw delete 8
```
Only allow known IPs to certain ports
```
sudo ufw allow from 123.123.123.123 to any port 80 proto tcp
```
Also, set outgoing traffic to known active servers and ports
```
sudo ufw allow out to 123.123.123.123 port 22
```
Don’t use weak/common Diffie-Hellman key for SSL certificates, more information here.
```
openssl req -new -newkey rsa:4096 -nodes -keyout server.key -out server.csr

Generating a 4096 bit RSA private key
...
```
More info on generating SSL certs here and setting here and setting up Public Key Pinning here.
Intrusion Prevention Software
Do run fail2ban: Guide here https://www.linode.com/docs/security/using-fail2ban-for-security
I use iThemes Security to secure my WordPress and block repeat failed logins from certain IP addresses.
iThemes Security can even lock down your WordPress.
You can set iThemes to auto lock out users on x failed logins
Remember to use allowed whitelists though (it is so easy to lock yourself out of servers).
Passwords
Do have strong passwords and change the root password provided by the hosts. https://howsecureismypassword.net/ is a good site to see how strong your password is from brute force password attempts. https://www.grc.com/passwords.htm is a good site to obtain a strong password. Do follow Troy Hunt’s blog and twitter account to keep up to date with security issues.
Configure a Firewall Basics
You should install a firewall on your Ubuntu and configure it and also configure a firewall with your hosts (e.g AWS, Vultr, Digital Ocean).
Configure a Firewall on AWS
My AWS server setup guide here. AWS allow you to configure the firewall here in the Amazon Console.
| Type | Protocol | Port Range | Source | Comment |
| --- | --- | --- | --- | --- |
| HTTP | TCP | 80 | 0.0.0.0/0 | Opens a web server port for later |
| All ICMP | ALL | N/A | 0.0.0.0/0 | Allows you to ping |
| All traffic | ALL | All | 0.0.0.0/0 | Not advisable long term but OK for testing today. |
| SSH | TCP | 22 | 0.0.0.0/0 | Not advisable, try and limit this to known IPs only. |
| HTTPS | TCP | 443 | 0.0.0.0/0 | Opens a secure web server port for later |
Configure a Firewall on Digital Ocean
Configuring a firewall on Digital Ocean (create a $5/m server here). You can configure your Digital Ocean droplet firewall by clicking Droplet, Networking then Manage Firewall after logging into Digital Ocean.
Configure a Firewall on Vultr
Configuring a firewall on Vultr (create a $2.5/m server here).
Don’t forget to set IP rules for IPv4 and IPv6. Only set the ports you need to allow and ensure applications have strong passwords.
Ubuntu has a firewall built in (documentation).
```
sudo ufw status
```
Enable the firewall
```
sudo ufw enable
```
Adding common ports
```
sudo ufw allow ssh/tcp
sudo ufw logging on
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 53
sudo ufw allow 443
sudo ufw allow 873
sudo ufw enable
sudo ufw status
sudo ufw allow http
sudo ufw allow https
```
Add a whitelist for your IP (use http://icanhazip.com/ to get your IP) to ensure you won’t get kicked out of your server.
```
sudo ufw allow from 123.123.123.123/24 to any port 22
```
More help here. Here is a good guide on ufw commands. Info on port numbers here:
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Backups
rsync is a good way to copy files to another server, or use Bacula.
```
sudo apt install bacula
```
Basics
Initial server setup guide (Digital Ocean).
Sudo (admin user)
Read this guide on the Linux sudo command (the equivalent of "Run as administrator" on Windows).
Users
List users on an Ubuntu OS (or compgen -u)
```
cut -d: -f1 /etc/passwd
```
Common output
```
cut -d: -f1 /etc/passwd
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
syslog
_apt
lxd
messagebus
uuidd
dnsmasq
sshd
pollinate
ntp
mysql
clamav
```
Add User
```
sudo adduser new_username
```
e.g.
```
sudo adduser bob
Adding user `bob' ...
Adding new group `bob' (1000) ...
Adding new user `bob' (1000) with group `bob' ...
Creating home directory `/home/bob' ...
etc..
```
Add user to a group
```
sudo usermod -a -G MyGroup bob
```
Show users in a group
```
getent group MyGroup | awk -F: '{print $4}'
```
This will show users in a group.
Remove a user
```
sudo userdel username
sudo rm -r /home/username
```
Rename user
```
usermod -l new_username old_username
```
Change user password
```
sudo passwd username
```
Groups
Show all groups
```
compgen -g
```
Common output
```
compgen -g
root
daemon
bin
sys
adm
tty
disk
lp
mail
proxy
sudo
www-data
backup
irc
etc
```
You can create your own groups, but first you must be aware of group ids
```
cat /etc/group
```
Then you can see your system’s groups and ids.
Create a group
```
groupadd -g 999 MyGroup
```
Permissions
Read this https://help.ubuntu.com/community/FilePermissions
How to list users on Ubuntu.
Read more on setting permissions here.
Chmod help can be found here.
Install Fail2Ban
I used this guide on installing Fail2Ban.
```
sudo apt-get install fail2ban
```
Check Fail2Ban often and add blocks to the firewall of known bad IPs
```
sudo fail2ban-client status
```
Best practices
Ubuntu has a guide on basic security setup here.
Startup Processes
It is a good idea to review startup processes from time to time.
```
sudo apt-get install rcconf
sudo rcconf
```
Accounts
- Read up on the concept of least privilege access for apps and services here.
- Read up on chmod permissions.
Updates
Do update your operating system often.
```
sudo apt-get update
sudo apt-get upgrade
```
Minimal software
Only install what software you need.
Exploits and Keeping up to date
Do keep up to date with exploits and vulnerabilities
- Follow 0xDUDE on twitter.
- Read the GDI.Foundation page.
- Visit the Exploit Database
- Vulnerability & Exploit Database
- Subscribe to the Security Now podcast.
Secure your applications
- NodeJS: Enable logging in applications you install or develop.
Ban repeat login attempts with Fail2Ban
Fail2Ban config
```
sudo nano /etc/fail2ban/jail.conf
```
```
[sshd]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```
Hosts File Hardening
```
sudo nano /etc/host.conf
```
Add
```
order bind,hosts
nospoof on
```
Add a whitelist with your IP in /etc/fail2ban/jail.conf (see this)
```
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.

ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8
```
Restart the service
```
sudo service fail2ban restart
sudo service fail2ban status
```
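An added example, not Fail2Ban's own code: the script applies the two settings shown above, `maxretry = 3` and `ignoreip`, to sshd lines from auth.log so you can see which addresses would qualify for a ban and confirm your own address is covered by the whitelist. The log lines are constructed, only IPv4 addresses and CIDR entries are handled, and the time window Fail2Ban applies is left out.

```bash
#!/usr/bin/env bash
# Added example: count failed SSH logins per source IP, honouring ignoreip.

# Constructed auth.log excerpt (documentation and private addresses only).
sample_auth_log() {
cat <<'EOF'
Aug  9 20:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  9 20:01:15 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  9 20:01:19 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51301 ssh2
Aug  9 20:02:40 web1 sshd[2110]: Failed password for bob from 192.168.1.20 port 40112 ssh2
Aug  9 20:02:44 web1 sshd[2110]: Failed password for bob from 192.168.1.20 port 40112 ssh2
Aug  9 20:02:49 web1 sshd[2110]: Failed password for bob from 192.168.1.20 port 40112 ssh2
Aug  9 20:03:02 web1 sshd[2115]: Failed password for invalid user test from 198.51.100.7 port 33900 ssh2
Aug  9 20:03:30 web1 sshd[2120]: Accepted publickey for bob from 192.168.1.20 port 40150 ssh2
EOF
}

# ban_candidates MAXRETRY "IGNOREIP LIST" < auth.log
# Prints "ip failures" for each address at or above MAXRETRY, sorted.
ban_candidates() {
  awk -v maxretry="$1" -v ignore="$2" '
    # Dotted quad -> integer, or -1 when the value is not an IPv4 address.
    function ip2int(ip,   o) {
      if (split(ip, o, ".") != 4) return -1
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when ip equals an ignoreip entry or falls inside its CIDR block.
    function ignored(ip,   i, p, bits, size) {
      for (i = 1; i <= nign; i++) {
        split(ign[i], p, "/")
        bits = (p[2] == "") ? 32 : p[2]
        size = 2 ^ (32 - bits)
        if (int(ip2int(ip) / size) == int(ip2int(p[1]) / size)) return 1
      }
      return 0
    }
    BEGIN { nign = split(ignore, ign, " ") }
    /sshd\[[0-9]+\]: Failed password for / {
      # Read the address from the fixed tail "from IP port N ssh2", so a
      # user name that contains the word "from" cannot shift it.
      if ($(NF - 4) != "from" || $(NF - 2) != "port") next
      src = $(NF - 3)
      if (ip2int(src) < 0) next          # IPv6 and host names are skipped
      if (!ignored(src)) fails[src]++
    }
    END { for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip] }
  ' | sort
}

# Demo with the values from the jail.conf snippets above.
sample_auth_log | ban_candidates 3 "127.0.0.1 192.168.1.0/24 8.8.8.8"
```

Against a live server, feed it the real log: `sudo cat /var/log/auth.log | ban_candidates 3 "127.0.0.1 192.168.1.0/24 8.8.8.8"`.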
Intrusion detection (logging) systems
Tripwire will not block or prevent intrusions, but it will log them and give you a heads-up about risks and things of concern.
Install Tripwire.
```
sudo apt-get install tiger tripwire
```
Running Tripwire
```
sudo tiger
```
This will scan your system for issues of note
```
sudo tiger
Tiger UN*X security checking system
Developed by Texas A&M University, 1994
Updated by the Advanced Research Corporation, 1999-2002
Further updated by Javier Fernandez-Sanguino, 2001-2015
Contributions by Francisco Manuel Garcia Claramonte, 2009-2010
Covered by the GNU General Public License (GPL)

Configuring...

Will try to check using config for 'x86_64' running Linux 4.4.0-89-generic...
--CONFIG-- [con005c] Using configuration files for Linux 4.4.0-89-generic. Using configuration files for generic Linux 4.
Tiger security scripts *** 3.2.3, 2008.09.10.09.30 ***
20:42> Beginning security report for simon.
20:42> Starting file systems scans in background...
20:42> Checking password files...
20:42> Checking group files...
20:42> Checking user accounts...
20:42> Checking .rhosts files...
20:42> Checking .netrc files...
20:42> Checking ttytab, securetty, and login configuration files...
20:42> Checking PATH settings...
20:42> Checking anonymous ftp setup...
20:42> Checking mail aliases...
20:42> Checking cron entries...
20:42> Checking 'services' configuration...
20:42> Checking NFS export entries...
20:42> Checking permissions and ownership of system files...
--CONFIG-- [con010c] Filesystem 'fuse.lxcfs' used by 'lxcfs' is not recognised as a valid filesystem
20:42> Checking for indications of break-in...
--CONFIG-- [con010c] Filesystem 'fuse.lxcfs' used by 'lxcfs' is not recognised as a valid filesystem
20:42> Performing rootkit checks...
20:42> Performing system specific checks...
20:46> Performing root directory checks...
20:46> Checking for secure backup devices...
20:46> Checking for the presence of log files...
20:46> Checking for the setting of user's umask...
20:46> Checking for listening processes...
20:46> Checking SSHD's configuration...
20:46> Checking the printers control file...
20:46> Checking ftpusers configuration...
20:46> Checking NTP configuration...
20:46> Waiting for filesystems scans to complete...
20:46> Filesystems scans completed...
20:46> Performing check of embedded pathnames...
20:47> Security report completed for simon.
Security report is in `/var/log/tiger/security.report.simon.170809-20:42'.
```
My Output.
```
sudo nano /var/log/tiger/security.report.username.170809-18:42

Security scripts *** 3.2.3, 2008.09.10.09.30 ***
Wed Aug 9 18:42:24 AEST 2017
20:42> Beginning security report for username (x86_64 Linux 4.4.0-89-generic).

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (bob) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass012w] Home directory /nonexistent exists multiple times (3) in /etc/passwd.
--WARN-- [pass012w] Home directory /run/systemd exists multiple times (2) in /etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).

# Performing check of group files...

# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID dnsmasq appears to be a dormant account.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.

# Performing check of /etc/hosts.equiv and .rhosts files...
# Checking accounts from /etc/passwd...

# Performing check of .netrc files...
# Checking accounts from /etc/passwd...

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root001w] Remote root login allowed in /etc/ssh/sshd_config

# Performing check of PATH components...
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
# Only checking user 'root'

# Performing check of anonymous FTP...

# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.

# Performing check of `cron' entries...
--WARN-- [cron005w] Use of cron is not restricted

# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service ssmtp is also assigned to service urd.
--WARN-- [inet003w] The port for service pipe-server is also assigned to service search.

# Performing NFS exports check...

# Performing check of system file permissions...
--ALERT-- [perm023a] /bin/su is setuid to `root'.
--ALERT-- [perm023a] /usr/bin/at is setuid to `daemon'.
--ALERT-- [perm024a] /usr/bin/at is setgid to `daemon'.
--WARN-- [perm001w] The owner of /usr/bin/at should be root (owned by daemon).
--WARN-- [perm002w] The group owner of /usr/bin/at should be root.
--ALERT-- [perm023a] /usr/bin/passwd is setuid to `root'.
--ALERT-- [perm024a] /usr/bin/wall is setgid to `tty'.

# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /bin/ip
# Testing for backdoors in inetd.conf

# Performing check of files in system mail spool...

# Performing check for rookits...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
Possible Linux/Ebury - Operation Windigo installetd

# Performing system specific checks...
# Performing checks for Linux/4...

# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group permissions. Should be 0600
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world permissions. Should be 0600
--WARN-- [boot06] The Grub bootloader does not have a password configured.

# Checking for vulnerabilities in inittab configuration...

# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS

# Checking Logins not used on the system ...

# Checking network configuration
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets

# Verifying system specific password checks...

# Checking OS release...
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `stretch/sid'

# Checking installed packages vs Debian Security Advisories...

# Checking md5sums of installed files

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.dep' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.alias.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.devname' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.softdep' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.alias' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.symbols.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.builtin.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.symbols' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.dep.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.dep' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.alias.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.devname' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.softdep' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.alias' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.symbols.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.builtin.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.symbols' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.dep.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/udev/hwdb.bin' does not belong to any package.

# Performing check of root directory...

# Checking device permissions...
--WARN-- [dev003w] The directory /dev/block resides in a device directory.
--WARN-- [dev003w] The directory /dev/char resides in a device directory.
--WARN-- [dev003w] The directory /dev/cpu resides in a device directory.
--FAIL-- [dev002f] /dev/fuse has world permissions
--WARN-- [dev003w] The directory /dev/hugepages resides in a device directory.
--FAIL-- [dev002f] /dev/kmsg has world permissions
--WARN-- [dev003w] The directory /dev/lightnvm resides in a device directory.
--WARN-- [dev003w] The directory /dev/mqueue resides in a device directory.
--FAIL-- [dev002f] /dev/rfkill has world permissions
--WARN-- [dev003w] The directory /dev/vfio resides in a device directory.

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
--FAIL-- [logf007f] Log file /var/log/messages does not exist

# Checking for correct umask settings for user login shells...
--WARN-- [misc021w] There is no umask definition for the dash shell
--WARN-- [misc021w] There is no umask definition for the bash shell

# Checking symbolic links...

# Performing check of embedded pathnames...
20:47> Security report completed for username.
```
More on Tripwire here.
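An added example (not part of Tiger or the original post): a report this long buries the findings that matter, so this script groups findings by message ID, counts repeats, and lists FAIL and ALERT entries before WARN. The sample lines are a constructed excerpt of the report above, and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: triage a Tiger security report by severity and message ID.

# Constructed excerpt, using finding lines from the report shown above.
sample_report() {
cat <<'EOF'
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (bob) is disabled, but has a valid shell.
--WARN-- [root001w] Remote root login allowed in /etc/ssh/sshd_config
--ALERT-- [perm023a] /bin/su is setuid to `root'.
--ALERT-- [perm023a] /usr/bin/passwd is setuid to `root'.
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--WARN-- [lin001w] File `/lib/udev/hwdb.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.dep' does not belong to any package.
# Checking device permissions...
--FAIL-- [dev002f] /dev/kmsg has world permissions
EOF
}

# tiger_triage < report
# Prints one line per (severity, ID): "SEVERITY id xCOUNT first message seen",
# ordered FAIL, ALERT, WARN and, within a severity, in report order.
tiger_triage() {
  awk '
    # Finding lines look like: --WARN-- [pass014w] message text
    match($0, /^--(ALERT|FAIL|WARN)-- \[[a-z0-9]+\]/) {
      sev = $1; gsub(/-/, "", sev)              # "--WARN--" -> "WARN"
      id = substr($2, 2, length($2) - 2)        # "[pass014w]" -> "pass014w"
      key = sev " " id
      if (!(key in count)) {
        first[key] = substr($0, RLENGTH + 2)    # message of the first hit
        order[++n] = key
      }
      count[key]++
    }
    END {
      nsev = split("FAIL ALERT WARN", sevs, " ")
      for (s = 1; s <= nsev; s++)
        for (i = 1; i <= n; i++) {
          split(order[i], k, " ")
          if (k[1] == sevs[s])
            printf "%s %s x%d %s\n", k[1], k[2], count[order[i]], first[order[i]]
        }
    }
  '
}

# Demo on the constructed excerpt.
sample_report | tiger_triage
```

Run it on a real report with `sudo cat /var/log/tiger/security.report.* | tiger_triage`.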
Hardening PHP
To harden the PHP config (and back it up), first create an info.php file in your website root folder with this content
```
<?php
phpinfo();
?>
```
Now look for which PHP config file is being loaded.
Back up that PHP config file.
TIP: Delete the file with phpinfo() in it as it is a security risk to leave it there.
TIP: Read the OWASP cheat sheet on using PHP securely here and securing php.ini here.
Some common security changes
```
file_uploads = On
expose_php = Off
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /php_errors.log
ignore_repeated_errors = Off
```
Don’t forget to review logs, more config changes here.
Antivirus
Yes, it is a good idea to run antivirus in Ubuntu; here is a good list of antivirus software.
I am installing ClamAV as it can be installed on the command line and is open source.
```
sudo apt-get install clamav
```
ClamAV help here.
Scan a folder
```
sudo clamscan --max-filesize=3999M --max-scansize=3999M --exclude-dir=/www/* -i -r /
```
Setup auto update antivirus definitions
```
sudo dpkg-reconfigure clamav-freshclam
```
I set auto updates 24 times a day (every hour) via daemon updates.
TIP: Download manual antivirus update definitions. If you only have a 512MB server your update may fail, and you may want to stop freshclam/php/nginx and mysql before you update to ensure the antivirus definitions update. You can move this to a cron job and set it to update at set times, instead of using the daemon, to ensure updates happen.
```
sudo /etc/init.d/clamav-freshclam stop

sudo service php7.0-fpm stop
sudo /etc/init.d/nginx stop
sudo /etc/init.d/mysql stop

sudo freshclam -v
Current working dir is /var/lib/clamav
Max retries == 5
ClamAV update process started at Tue Aug 8 22:22:02 2017
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1152
Software version from DNS: 0.99.2
Retrieving http://db.au.clamav.net/main.cvd
Trying to download http://db.au.clamav.net/main.cvd (IP: 193.1.193.64)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 4566249 signatures from new main.cvd
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Querying main.58.82.1.0.C101C140.ping.clamav.net
Retrieving http://db.au.clamav.net/daily.cvd
Trying to download http://db.au.clamav.net/daily.cvd (IP: 193.1.193.64)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1742284 signatures from new daily.cvd
daily.cvd updated (version: 23644, sigs: 1742284, f-level: 63, builder: neo)
Querying daily.23644.82.1.0.C101C140.ping.clamav.net
Retrieving http://db.au.clamav.net/bytecode.cvd
Trying to download http://db.au.clamav.net/bytecode.cvd (IP: 193.1.193.64)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
Properly loaded 66 signatures from new bytecode.cvd
bytecode.cvd updated (version: 308, sigs: 66, f-level: 63, builder: anvilleg)
Querying bytecode.308.82.1.0.C101C140.ping.clamav.net
Database updated (6308599 signatures) from db.au.clamav.net (IP: 193.1.193.64)

sudo service php7.0-fpm restart
sudo /etc/init.d/nginx restart
sudo /etc/init.d/mysql restart

sudo /etc/init.d/clamav-freshclam start
```
Manual scan with a bash script
Create a bash script
```
sudo mkdir /scripts
sudo nano /scripts/updateandscanav.sh

# Include contents below.
# Save and quit

sudo chmod +x /scripts/updateandscanav.sh
```
Bash script contents to update antivirus definitions.
```
sudo /etc/init.d/clamav-freshclam stop

sudo service php7.0-fpm stop
sudo /etc/init.d/nginx stop
sudo /etc/init.d/mysql stop

sudo freshclam -v

sudo service php7.0-fpm restart
sudo /etc/init.d/nginx restart
sudo /etc/init.d/mysql restart

sudo /etc/init.d/clamav-freshclam start

sudo clamscan --max-filesize=3999M --max-scansize=3999M -v -r /
```
Edit the crontab to run the script every hour
```
crontab -e
1 * * * * /bin/bash /scripts/updateandscanav.sh > /dev/null 2>&1
```
Uninstalling Clam AV
You may need to uninstall ClamAV if you don’t have a lot of memory or find updates are too big.
```
sudo apt-get remove --auto-remove clamav
sudo apt-get purge --auto-remove clamav
```
Setup Unattended Ubuntu Security updates
```
sudo apt-get install unattended-upgrades
sudo unattended-upgrades -d
```
At login, you should receive
```
0 updates are security updates.
```
Other
Check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server
v1.92 added hardening a linux server link