Below is a (perpetually updated) security checklist for securing a self-managed Ubuntu server. Recently WordPress released patch v4.8.3 that fixed some SQL injection issues. Is your OS, Database, Web Server, OS and software up to date?
Although I have recently blogged about securing Ubuntu in the cloud, and running a server Audit with Lynus, this new post is really about obtaining a mindset change and allocating time (each week) to ensure your self-managed servers and software is kept up to date. You can easily list down the actions you need to follow but keeping a system up to date is hard work. Sites like www.shodan.io will reveal what servers or services are vulnerable, let software updates lapse long enough and an open exploit may open a hole to your system. It only takes minutes to set up a $2.5 a month Ubuntu server with Vultr, $5 a month Digital Ocean Server or AWS server but you need to maintain it.
I highly recommend that you watch the following video that highlights the need for even minor vulnerabilities to be patched asap. If you leave one minor vulnerability open you will give hackers a foothold into your system.
Follow @jawache on twitter.
Troy Hunt has a great post about the simplicity of hacking. Hacking is child’s play.
General Security Checklist
- Do Setup a Firewall and only allow needed ports to accept data (use tools like Portscan and Shodan.io to find open ports).
- Use least access permissions (on NGINX, PHP and MySQL processes).
- Use strong unique passwords for every service (1Password and sites like Gibson Research Corp have password generators, use www.howsecureismypassword.net to check tour passwords strength)
- Enable logging.
Find log files on your system:
cd / find -iname "*.log"
Output (handy logs to review):
./var/log/mongodb/mongod.log ./var/log/fail2ban.log ./var/log/mysql/error.log ./var/log/ufw.log ./var/log/lynis.log ./var/log/dpkg.log ./var/log/nginx/error.log ./var/log/nginx/nginxcriterror.log ./var/log/nginx/access.log ./var/log/audit/audit.log ./var/log/php7.0-fpm.log ./var/log/mail.log ./backup/backup.log ./scripts/boot.log etc
- Enable brute force detection and banning (fail2ban etc) Read more here.
- Secure folders with service accounts.
- Do secure software (e.g WordPress Wordfence)
- Do use SSL Certificates (and use modern cyphers and test with https://www.ssllabs.com/ssltest/)
- Monitor SSL vulnerabilities.
- Do a Lynis security report.
- Install a Virus scanner (read here).
- Secure MySQL/Databases.
First, find the version of MySQL
mysql --version mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64)
Read this Digital Ocean guide on securing MySQL.
- Other: _______
Application (coding) checklist
Retain and protect information.
- Disable errors (PHP: turn off or here)
- Enable logging (web server, PHP and or node)
- Sanitize data (never trust uses data) in code (see how to do this in PHP 7)
- Do no develop on production boxes (use parameterised queries and follow OWASP application security procedures.
- Read the OWASP Secure Coding Practices – Quick Reference Guide
Plan for the worst, hope for the best.
- Use the latest Long Term Support (LTS) version or Ubuntu
- Update packages
View app packages (Ubuntu 16.04) with updates
sudo /usr/lib/update-notifier/apt-check -p
View app packages (Ubuntu 16.04) with updates
apt list --upgradable
To update packages type (remember to backup data and config files first)
sudo apt-get update && sudo apt-get upgrade
Among other things, you will see the following information
The following packages will be upgraded: binutils certbot cracklib-runtime curl distro-info-data grub-common grub-pc grub-pc-bin grub2-common initramfs-tools initramfs-tools-bin initramfs-tools-core libapache2-mod-php7.0 libcrack2 libcurl3 libcurl3-gnutls libgnutls-openssl27 libgnutls30 libicu55 libpam-systemd libsystemd0 libudev1 linux-firmware linux-libc-dev lshw mdadm mysql-client-5.7 mysql-client-core-5.7 mysql-common mysql-server mysql-server-5.7 mysql-server-core-5.7 nodejs php7.0 php7.0-cli php7.0-common php7.0-curl php7.0-dev php7.0-fpm php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-ldap php7.0-mbstring php7.0-mysql php7.0-opcache php7.0-pgsql php7.0-phpdbg php7.0-pspell php7.0-readline php7.0-recode php7.0-snmp php7.0-tidy php7.0-xml php7.0-zip python-acme python-certbot python-certbot-nginx python-cffi-backend python-chardet python-idna python-six python3-chardet python3-distupgrade python3-six python3-update-manager systemd systemd-sysv ubuntu-release-upgrader-core udev update-manager-core wget
Show available updates
/usr/lib/update-notifier/apt-check --human-readable 0 packages can be updated. 0 updates are security updates.
- Only work on code checked into GitHub or BitBucket (You will thank me when data or servers disappear).
- Backup configuration files or backup to remote servers (my rsync guide here)
- Use snapshots of VM’s.
- Use Green/Blue server deployments (toggle one server a Prod and the other and Dev/Test and have one ready for a hot spare). Digital Ocean has a good guide here.
- Consider forcing Content Security Polic and Public Key Pinning or at least using LetsEncrypt SSL certificates.
- Take Snapshots of VM’s (automate)
- Backup MySQL databases:
sudo mysqldump --all-databases > /backup/dump-$( date '+%Y-%m-%d_%H-%M-%S' ).sql -u root -p
Dedicate time to securing your site.
- Spend one day a week (or automate) the updating of the OS/Software (no excuses).
- Follow people on twitter and subscribe to newsletters of those that are security conscious
Don’t forget to read securing Ubuntu in the cloud blog post here.
And check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server
More to come..
Donate and make this blog better
Ask a question or recommend an article
v1.2 added link to Hardening Linux Server link
v1.1 added @jawache link