Safeguarding a fresh Ubuntu web server
I generally install RKHunter, which checks for rootkits and also does integrity checks of various important system binaries. It's in the standard repo, and will run daily from cron. It's not perfect, security-wise, but it's a low-effort thing to add, and it gives a measure of protection.
Install logcheck, but tune it so that you never receive messages from normal events, otherwise you'll get into the habit of ignoring the emails.
Check which processes are listening using netstat, and make sure nothing's running that doesn't need to run. Many daemons can be configured to listen only on the internal IP (or localhost) instead of all interfaces.
Ubuntu is based on Debian and I've found the Securing Debian Manual to be very useful in Debian-based distributions in completely walking you through your system and checking every part. It's basically a really, really comprehensive answer to your question.
I can't think of any Ubuntu-specific tweaks, but here are a few that apply to all distributions:
- Uninstall all unnecessary packages
- Use public-key-only authentication in SSH
- Disable root logins via SSH (doesn't apply to Ubuntu)
- Use the production settings for PHP (php.ini-recommended)
- Configure MySQL to use sockets only
Of course this list isn't complete, and you'll never be completely safe, but it covers all the exploits I have seen in real life.
Additionally, the exploits I have seen were generally related to insecure user code, not insecure configuration. The default configurations in minimal, server distributions tend to be pretty secure.
One quick thing that I do early on is install DenyHosts. It will regularly look through /var/log/secure, looking for failed logins, and after a number of failures, block the IP. I set it to block after the first no-such-user, on the second attempt at root, and after a number of tries for real users (in case you mess up, but you should be using an SSH public key to log in).
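
The netstat check suggested earlier on this page (find daemons listening on all interfaces rather than only localhost), as an added example that is not part of the original posts. The function names, the sample output and the allowed-port list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sockets listening on every interface.
# Input: `netstat -tuln` rows (Proto Recv-Q Send-Q Local Foreign [State]).

# Constructed sample output, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.53:53           0.0.0.0:*
EOF
}

# Print "proto port" for each listener bound to a wildcard address.
wildcard_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            # TCP rows must be LISTEN; UDP rows have no state column.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            n = match($4, /:[0-9]+$/)   # port follows the last colon
            if (n == 0) next
            host = substr($4, 1, n - 1)
            port = substr($4, n + 1)
            if (host == "0.0.0.0" || host == "::" || host == "*")
                print $1, port
        }' | LC_ALL=C sort -u
}

# Same, minus the ports you intend to expose (space-separated list in $1).
unexpected_listeners() {
    allowed=" $1 "
    wildcard_listeners | while read -r proto port; do
        case "$allowed" in
            *" $port "*) ;;                 # expected public service
            *) echo "$proto $port" ;;       # review: bind to localhost or stop it
        esac
    done
}

# On a real host: netstat -tuln | unexpected_listeners "22 80 443"
sample_netstat | unexpected_listeners "22 80 443"
```

Anything the function prints is a service reachable on every interface that is not on your expected list; rebind it to localhost or an internal IP, or remove it.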