A few simple steps to make your Ubuntu 14.04 server more secure

A few simple steps to make your Ubuntu 14.04 server more secure

Security reinforcement for server operating systems is a process to reduce vulnerabilities and improve system security, including: install patches to eliminate known security vulnerabilities, remove unnecessary services, prohibit account and password logon, and disable unnecessary ports. Now I will summarize how to harden the Ubuntu 14.04 server.

System Version

Ubuntu 14.04.x LTS and enable the SSH service.

Update the system

Keeping the operating system updated is a necessary step after any operating system is installed, which will reduce the existing vulnerabilities in the current operating system. You can use the following command to update Ubuntu 14.04 or other versions:

1. Sudo apt-get update
2. Sudo apt-get upgrade
3. Sudo apt-get autoremove
4. Sudo apt-get autoclean

Enable Automatic Security Patch Update

It is necessary to enable automatic updates for security patches. This ensures the security of our servers to a large extent. To enable the automatic update function of Ubuntu 14.04.x, it is required.

Run the following command to install the module:

1. Sudo apt-get install unattended-upgrades

Run the following command:

1. Sudo dpkg-reconfigure-plow unattended-upgrades

After the appeal command is executed, A/etc/apt. conf. d/20auto-upgrades file is automatically created and the following configuration content is written:

1. APT: Periodic: Update-Package-Lists "1 ";
2. APT: Periodic: Unattended-Upgrade "1 ";

You can delete or clear the configuration file when you do not need it.

Disable root Account

Because the root account has too much power, we can use the following command to disable it:

1. Sudo passwd-l root

To re-enable the root account, run the following command:

1. Sudo passwd-u root

Disable IPv6

IPv6 has not been widely used around the world, but it also causes slow connections. We can temporarily disable the IPv6 function. To disable IPv6, edit the following configuration file:

1. Sudo vi/etc/sysctl. conf

Change the IPv6 Configuration File as follows:

1. Net. ipv6.conf. all. disable_ipv6 = 1
2. Net. ipv6.conf. default. disable_ipv6 = 1
3. Net. ipv6.conf. lo. disable_ipv6 = 1

After the change is complete, run the following command to make it take effect:

1. Sudo sysctl-p

Disable the RQBALANCE feature

The RQBALANCE feature is mainly used to improve performance by distributing hardware interruptions among multiple CPUs. I recommend disabling the RQBALANCE feature to avoid hardware interruptions to threads.

To disable the RQBALANCE feature, edit the following configuration file:

1. Sudo vi/etc/default/irqbalance

Change the value of ENABLED to 0.

1. ENABLED = 0

Fix OpenSSL painstaking efforts

The Heartbleed vulnerability is very popular. I will not introduce it here. You can Google it yourself. I need to note that the heartbleed vulnerability is in the following version of OpenSSL:

1.0.1
1.0.1a
1.0.1b
1.0.1c
1.0.1d
1.0.1e
1.0.1f

If you are using the appeal version, you must upgrade it as soon as possible. The command for viewing the OpenSSL version is as follows:

1. Sudo openssl version-v
2. Sudo openssl version-B

If the returned version is 1.0.1 or earlier than January 1, April 7, 2014, it may be subject to the Heartbleed attack and must be updated as soon as possible.

Fix Shellshock Bash Vulnerability

The Shellshock vulnerability allows users to specify Bash environment variables and access the system illegally. The vulnerability was exposed worldwide and is easily exploited.

We can use the following command to check:

1. Sudo env I = '() {:;}; echo Your system is Bash vulnerable 'bash-c "echo bash vulnerability test"

If you see the following current vulnerability, it proves that the system has this vulnerability:

Your system is Bash vulnerable
Bash vulnerability test

To upgrade the Bash version, run the following command:

1. Sudo apt-get update; sudo apt-get install -- only-upgrade bash

Set process restrictions

To prevent the system from being blocked, we should set process restrictions for users. Edit the following configuration file:

To protect your system from fork bomb attacks, you shocould set up a process limit for your users.

1. Sudo vi/etc/security/limits. conf

Edit the file content as follows:

1. User1 hard nproc 100
2. @ Group1 hard nproc 20

This configuration limits the processes of specific users and user groups to 100 and 20.

Disable unnecessary services

All services in Ubuntu require memory, CPU, and disk space. disabling or deleting unnecessary services can improve the overall system performance and reduce the attack surface. Run the following command to check which services are running in the current system:

1. Sudo initctl list | grep running

You can use the following command to disable services that are not needed:

1. Sudo update-rc.d-f service name remove
2. Sudo apt-get purge service name

Summary

In fact, we are only talking about how to reinforce the Ubuntu 14.04 server in a one-sided way, which is applicable to individual Ubuntu servers. If you want to consider more comprehensively, there will also be file and folder permissions, iptables firewall configuration and many other security configuration methods available, interested friends can carefully study.