Below is a (perpetually updated) security checklist for securing a self-managed Ubuntu server. WordPress recently released patch v4.8.3, which fixed several SQL injection issues. Are your OS, database, web server and application software up to date?
Although I have recently blogged about securing Ubuntu in the cloud and about running a server audit with Lynis, this post is really about a change of mindset: allocating time (each week) to ensure your self-managed servers and software are kept up to date. It is easy to list the actions you need to follow, but keeping a system up to date is hard work. Sites like www.shodan.io will reveal which servers or services are vulnerable; let software updates lapse long enough and a public exploit for an unpatched flaw may open a hole into your system. It takes only minutes to set up a $2.50 a month Ubuntu server with Vultr, a $5 a month Digital Ocean server or an AWS server, but you then need to maintain it.
I highly recommend that you watch the following video, which highlights the need for even minor vulnerabilities to be patched as soon as possible. Leaving one minor vulnerability open gives attackers a foothold into your system.
Follow @jawache on Twitter.
Troy Hunt has a great post about the simplicity of hacking: hacking is child's play.
General Security Checklist
- Set up a firewall and only allow the ports you actually need (use port scanners and Shodan.io to confirm what is reachable from the outside).
- Run services with least privilege (separate, unprivileged accounts for the NGINX, PHP and MySQL processes).
- Use strong, unique passwords for every service (a password manager such as 1Password generates them, as does Gibson Research Corp's generator). Sites like www.howsecureismypassword.net estimate a password's strength, but never paste a password you actually use into a third-party site; test a candidate of the same length and character set instead.
- Enable logging.
Find log files on your system:
Output (handy logs to review):
./var/log/mongodb/mongod.log
./var/log/fail2ban.log
./var/log/mysql/error.log
./var/log/ufw.log
./var/log/lynis.log
./var/log/dpkg.log
./var/log/nginx/error.log
./var/log/nginx/nginxcriterror.log
./var/log/nginx/access.log
./var/log/audit/audit.log
./var/log/php7.0-fpm.log
./var/log/mail.log
./backup/backup.log
./scripts/boot.log
etc.
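Enabling logging only pays off if someone reads the logs. The script below is an added example (not code from the original post) that triages two of the logs listed above, ufw.log and fail2ban.log: which sources are being blocked most, which ports they probe, and which addresses fail2ban still has banned. The log lines it runs on are constructed samples in the format those tools write (using RFC 5737 documentation addresses), and the temp-file handling is an assumption; on a real host pass the files under /var/log instead.

```shell
#!/bin/sh
# Added example, not code from the original post: triage constructed UFW and
# fail2ban log lines. Formats follow what the tools write; addresses are RFC 5737.

# Constructed sample of /var/log/ufw.log entries (kernel messages via rsyslog).
UFW_SAMPLE='Nov  5 10:22:01 web1 kernel: [12345.678901] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 PROTO=TCP SPT=44321 DPT=22
Nov  5 10:22:03 web1 kernel: [12347.123456] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 PROTO=TCP SPT=44322 DPT=22
Nov  5 10:22:09 web1 kernel: [12353.000001] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.2 PROTO=TCP SPT=51000 DPT=3306
Nov  5 10:22:11 web1 kernel: [12355.222222] [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.2 PROTO=TCP SPT=60000 DPT=443
Nov  5 10:22:15 web1 kernel: [12359.333333] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 PROTO=TCP SPT=44323 DPT=22'

# Constructed sample of /var/log/fail2ban.log entries.
F2B_SAMPLE='2017-11-05 10:22:20,101 fail2ban.actions        [901]: NOTICE  [sshd] Ban 203.0.113.5
2017-11-05 10:30:40,202 fail2ban.actions        [901]: NOTICE  [nginx-http-auth] Ban 198.51.100.7
2017-11-05 10:42:20,303 fail2ban.actions        [901]: NOTICE  [sshd] Unban 203.0.113.5
2017-11-05 10:45:00,404 fail2ban.actions        [901]: NOTICE  [sshd] Ban 203.0.113.9'

# top_blocked_sources LOGFILE [N]: the N source addresses with the most
# [UFW BLOCK] entries, printed as "count ip", most frequent first.
top_blocked_sources() {
    grep '\[UFW BLOCK\]' "$1" \
        | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn | head -n "${2:-10}" \
        | awk '{ print $1, $2 }'
}

# probed_ports LOGFILE: destination ports that were blocked, as "count port".
# A port you do not recognise here is a port you should not have open.
probed_ports() {
    grep '\[UFW BLOCK\]' "$1" \
        | sed -n 's/.* DPT=\([0-9]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# currently_banned LOGFILE JAIL: addresses banned by JAIL that have not since
# been unbanned. index() is used instead of a regex match because the jail
# name is wrapped in brackets, which a regex would read as a character class.
currently_banned() {
    awk -v jail="[$2]" '
        index($0, jail) && $(NF - 1) == "Ban"   { banned[$NF] = 1 }
        index($0, jail) && $(NF - 1) == "Unban" { delete banned[$NF] }
        END { for (ip in banned) print ip }
    ' "$1" | sort
}

# Demo on the constructed samples; on a real host pass /var/log/ufw.log and
# /var/log/fail2ban.log instead (temp files here are an assumption of the demo).
ufw_tmp=$(mktemp) && printf '%s\n' "$UFW_SAMPLE" > "$ufw_tmp"
f2b_tmp=$(mktemp) && printf '%s\n' "$F2B_SAMPLE" > "$f2b_tmp"
echo "Most blocked sources:";  top_blocked_sources "$ufw_tmp" 5
echo "Probed ports:";          probed_ports "$ufw_tmp"
echo "Still banned (sshd):";   currently_banned "$f2b_tmp" sshd
rm -f "$ufw_tmp" "$f2b_tmp"
```

Run it weekly against the live files: a new port in the probed list means something is listening that the firewall is (rightly) blocking, and an address that keeps reappearing after its ban expires is a candidate for a permanent deny rule.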
- Enable brute-force detection and banning (fail2ban etc). Read more here.
- Secure folders with service accounts (each service owns only the directories it needs and has no write access to the others).
- Harden the application software you run (e.g. Wordfence for WordPress).
- Use TLS (SSL) certificates, enable only modern ciphers and test the result with https://www.ssllabs.com/ssltest/.
- Monitor for new TLS/SSL vulnerabilities (and re-test after each OpenSSL update).
- Run a Lynis security report.
- Install a virus scanner (read here).
- Secure MySQL/databases.
First, find the version of MySQL:
```
mysql --version
mysql  Ver 14.14 Distrib 5.7.19, for Linux (x86_64)
```
Read the official MySQL manual here and security guidelines here.
Read this Digital Ocean guide on securing MySQL.
- Other: _______
Application (coding) checklist
Retain and protect information.
- Disable error display in production (PHP: set display_errors = Off and log errors to a file instead, so stack traces and file paths are never shown to visitors).
- Enable logging (web server, PHP and/or Node).
- Sanitize data (never trust user data): validate input and escape output in code (see how to do this in PHP 7).
- Do not develop on production boxes.
- Use parameterised queries and follow OWASP application security guidance.
- Read the OWASP Secure Coding Practices – Quick Reference Guide
Infrastructure
Plan for the worst, hope for the best.
- Use the latest Long Term Support (LTS) version of Ubuntu.
- Update packages. On Ubuntu 16.04, refresh the package index and list the packages that have updates available; among other things, the output tells you how many packages can be upgraded and which pockets (updates, security) they come from. Then apply the updates (remember to back up data and config files first).
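The update step above is where most self-managed servers fall behind, so here is the procedure as an added example script (not code from the original post). It sorts pending updates so the ones from the -security pocket stand out, and wraps the real apt commands in a function that only runs when invoked with --apply. The sample `apt list --upgradable` output it parses is constructed: the package names follow the page's stack, but the versions are illustrative, not a real update set.

```shell
#!/bin/sh
# Added example, not code from the original post: separate security-pocket
# updates from the rest of `apt list --upgradable`, then apply them.

# Constructed sample of `apt list --upgradable` on Ubuntu 16.04 (versions are
# illustrative only).
APT_SAMPLE='Listing... Done
libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.9 amd64 [upgradable from: 1.0.2g-1ubuntu4.8]
nginx-common/xenial-updates 1.10.3-0ubuntu0.16.04.2 all [upgradable from: 1.10.3-0ubuntu0.16.04.1]
php7.0-fpm/xenial-updates,xenial-security 7.0.22-0ubuntu0.16.04.1 amd64 [upgradable from: 7.0.18-0ubuntu0.16.04.1]
vim/xenial-updates 2:7.4.1689-3ubuntu1.2 amd64 [upgradable from: 2:7.4.1689-3ubuntu1.1]'

# Each line is "package/pocket[,pocket...] version arch [upgradable from: old]".
# classify_updates FILE KIND: package names whose update comes from a -security
# pocket (KIND=security) or only from other pockets (KIND=other).
classify_updates() {
    awk -v kind="$2" '
        /upgradable from/ {
            split($1, p, "/")                  # p[1] = package, p[2] = pocket list
            sec = (p[2] ~ /-security(,|$)/)
            if ((kind == "security" && sec) || (kind == "other" && !sec)) print p[1]
        }
    ' "$1"
}

# apply_updates: the real procedure. Back up data and config first (see the
# snapshot and mysqldump items in this list) and review the list before saying yes.
apply_updates() {
    sudo apt update
    apt list --upgradable
    sudo apt upgrade            # or: sudo apt full-upgrade, when a new kernel is held back
    sudo apt autoremove         # drop old kernels and libraries no longer needed
    if [ -f /var/run/reboot-required ]; then
        echo "Reboot required to finish applying updates (kernel or libc changed)."
    fi
}

if [ "$1" = "--apply" ]; then
    apply_updates
else
    # Offline demo on the constructed sample. On a server, capture the real list
    # with:  apt list --upgradable 2>/dev/null > /tmp/upgradable.txt
    sample=$(mktemp) && printf '%s\n' "$APT_SAMPLE" > "$sample"
    echo "Security updates (apply today):"; classify_updates "$sample" security
    echo "Other updates:";                  classify_updates "$sample" other
    rm -f "$sample"
fi
```

Security-pocket updates are the ones an attacker scanning with Shodan is waiting for you to skip; the others can wait for your weekly slot. If you would rather not depend on remembering, install unattended-upgrades, whose default configuration on Ubuntu 16.04 applies updates from the -security pocket automatically.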
- Only work on code that is checked into version control such as GitHub or Bitbucket (you will thank me when data or servers disappear).
- Back up configuration files, and copy backups to a remote server (my rsync guide here).
- Use snapshots of VMs (and automate taking them).
- Use Blue/Green server deployments (one server is Prod, the other Dev/Test, and keep one ready as a hot spare). Digital Ocean has a good guide here.
- Consider enforcing a Content Security Policy. Public Key Pinning (HPKP) was also an option when this was written, but browsers have since deprecated it and a bad pin locks visitors out of your site, so treat it with caution. At the very least use Let's Encrypt TLS certificates.
- Back up MySQL databases (this prompts for the root password and writes a timestamped dump):
```
sudo mysqldump -u root -p --all-databases > /backup/dump-$( date '+%Y-%m-%d_%H-%M-%S' ).sql
```
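A one-line dump is a good start; a backup you can rely on also needs a consistent snapshot, restrictive permissions, a check that the file is readable, and a retention policy so the disk does not fill up. The script below is an added example (not code from the original post) that extends the dump above with those pieces. BACKUP_DIR, KEEP_DAYS and the use of ~/.my.cnf for credentials are assumptions; the stale and fresh dump files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: timestamped, compressed,
# owner-only MySQL dumps with an integrity check and retention. BACKUP_DIR and
# KEEP_DAYS are assumptions; override them in the environment.
BACKUP_DIR="${BACKUP_DIR:-/backup/mysql}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# backup_name DIR: a timestamped filename, so every run creates a new file.
backup_name() {
    echo "$1/dump-$(date '+%Y-%m-%d_%H-%M-%S').sql.gz"
}

# dump_all DIR: dump every database and print the archive path, or fail.
# Credentials are read from ~/.my.cnf ([client] user=/password=, chmod 600)
# rather than passed as -p on the command line, where they would be visible
# in `ps` output and shell history.
dump_all() {
    out=$(backup_name "$1")
    raw="${out%.gz}"
    mkdir -p "$1" && chmod 700 "$1"
    umask 077                                    # new files readable by owner only
    mysqldump --all-databases --single-transaction --routines --events > "$raw" \
        || { rm -f "$raw"; return 1; }           # a failed dump must not pass as a backup
    gzip "$raw" && gzip -t "$out" || return 1    # compress, then verify it reads back
    echo "$out"
}

# prune_old DIR DAYS: delete dumps older than DAYS days; print how many remain.
prune_old() {
    find "$1" -name 'dump-*.sql.gz' -type f -mtime +"$2" -exec rm -f {} +
    find "$1" -name 'dump-*.sql.gz' -type f | wc -l | tr -d ' '
}

if [ "$1" = "--run" ]; then
    dump_all "$BACKUP_DIR" && prune_old "$BACKUP_DIR" "$KEEP_DAYS"
else
    # Offline demo of the retention policy on constructed files: one dated
    # 2017-01-01 (stale, deleted) and one from now (kept).
    demo=$(mktemp -d)
    touch -t 201701010000 "$demo/dump-2017-01-01_00-00-00.sql.gz"
    touch "$(backup_name "$demo")"
    echo "Dumps kept after pruning: $(prune_old "$demo" "$KEEP_DAYS")"
    rm -rf "$demo"
fi
```

Schedule it from cron with --run, then rsync the directory to another host as the item above says: a backup that lives only on the server it protects disappears with it. Restore-test a dump now and then with zcat on the archive piped into mysql on a test box; an untested backup is a hope, not a plan.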
Other useful Linux terminal commands.
Mindset/Culture
Dedicate time to securing your site.
- Spend one day a week (or automate) updating the OS and software (no excuses).
- Follow security-conscious people on Twitter and subscribe to their newsletters.
Don’t forget to read securing Ubuntu in the cloud blog post here.
And check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server
More to come..
v1.2 added link to the Hardening a Linux Server guide
v1.1 added @jawache link