Just how should a server be safeguarded?
If I were you, I would look into iptables (the standard Linux firewall) and see what services are running. Basically you want to be running only the services you need, i.e. not running a web server when you just want to set up an email server, and to have only the ports open that you actually require. Everything else should be locked down!
Guide to iptables: https://help.ubuntu.com/community/IptablesHowTo
Hope this helps!
P.S. If you need more help, hop on IRC and hit the #ubuntu-server channel on freenode.
Three things I tend to recommend are:
Mount all world-writable locations (/tmp, /var/tmp) as 'noexec': This is for the most part safe without quirks, except (as of writing) when you choose to upgrade your system. See bug #572723 on Launchpad for more details there.
Do not install any compilers or assemblers unless absolutely necessary: I think this is self-explanatory.
Get started with AppArmor: AppArmor can be seen as an alternative to SELinux, and is a great feature of Ubuntu for sandboxing running applications to ensure they have no more access than what they need. I recommend reviewing the guide on the forums if you are interested. http://ubuntuforums.org/showthread.php?t=1008906
This is a bit non-specific, but in general you will need to
Run a firewall like iptables or ufw to manage connections to open ports.
Only install software you require.
Only run services that are essential to the running of the server.
Keep that software up to date with all security patches.
Set up new users with the least privileges they require to perform their duties.
Run denyhosts or fail2ban to check for brute-force attacks.
Run logwatch to email you of any anomalies in log files.
Check your logs often for suspicious activities.
Use sudo always and use strong passwords.
Disable weak and medium strength ciphers in SSL for apache, exim, proftpd, dovecot etc.
Set services to only listen on localhost (where appropriate).
Run chkrootkit daily.
Run clamscan as often as is required to check for Windows viruses (if appropriate).
Be vigilant, know your server, know what it should be doing and what it shouldn't be doing.
You will only keep things secure by constantly checking and securing. If you don't know what something does or how or why, or something looks suspicious, just ask others for advice.
Awesome answer by Richard Holloway. If you are looking for a specific step-by-step guide, check out the following 2-part guide from the Slicehost library.
I use it almost everywhere when I have to set up an Ubuntu Server instance. I am sure you would love it.
Another great source is the Linode Library at http://library.linode.com/
Do check out the articles at both places. Loads of information is available there and you will be armed with enough knowledge to handle your server just fine.
PS: In no way can a library be a substitute for a great sysadmin's intuition, insight and decision-making capabilities.
- Install and configure iptables with an appropriate ruleset for your environment, filtering both inbound and outbound traffic.
- psad to detect and alert about any port scans against your system.
- Use fail2ban to prevent brute-force login attempts against SSH.
- Disallow remote access using the root account, as this among other things means that if an attacker is going to try to brute-force access to your server they have to work out both the username and the password.
- Use strong passwords for all user accounts.
- Limit SSH access to only be available from certain IP addresses if possible.
- Use Tripwire or another host-based intrusion detection system.
- Monitor the server with a network monitoring program like nagios.
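
An added example, not part of any answer above: a small shell audit for three of the checklist items (noexec on /tmp and /var/tmp, services listening beyond localhost, remote root login over SSH). The function names are hypothetical and the sample inputs are constructed; the sshd_config check is simplified and does not follow `Include` or `Match` directives.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Each check reads a file,
# so it works on live data or on saved samples.

# Print world-writable mount points lacking noexec (/proc/mounts format).
# A directory that is not its own mount is printed too.
missing_noexec() {
    for dir in /tmp /var/tmp; do
        # The last matching entry is the mount currently on top.
        opts=$(awk -v d="$dir" '$2 == d { o = $4 } END { print o }' "$1")
        case ",$opts," in
            *,noexec,*) ;;
            *) echo "$dir" ;;
        esac
    done
}

# Succeed only if the file explicitly sets "PermitRootLogin no".
# sshd uses the first value it obtains for a keyword, so stop at the first hit.
root_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Print TCP listeners (saved `ss -tln` output) bound to a non-loopback address.
exposed_listeners() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ { print $4 }' "$1"
}

# Constructed sample inputs (not taken from a real host).
d=$(mktemp -d)
printf '%s\n' 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' \
              '/dev/sda2 /var/tmp ext4 rw,relatime 0 0' > "$d/mounts"
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$d/sshd_config"
printf '%s\n' 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
              'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
              'LISTEN 0 100 127.0.0.1:25 0.0.0.0:*' \
              'LISTEN 0 80 [::1]:3306 [::]:*' > "$d/ss"

echo "missing noexec: $(missing_noexec "$d/mounts")"
root_login_disabled "$d/sshd_config" && echo "root SSH login disabled"
echo "exposed listeners: $(exposed_listeners "$d/ss")"
```

On a real host, pass `/proc/mounts`, `/etc/ssh/sshd_config` and a file holding the output of `ss -tln` instead of the sample files.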