A few simple steps to make your Ubuntu 14.04 server more secure
Security reinforcement for server operating systems is a process to reduce vulnerabilities and improve system security, including: install patches to eliminate known security vulnerabilities, remove unnecessary services, prohibit account and password logon, and disable unnecessary ports. Now I will summarize how to harden the Ubuntu 14.04 server.
System Version
Ubuntu 14.04.x LTS and enable the SSH service.
Update the system
Keeping the operating system updated is a necessary step after any operating system is installed, which will reduce the existing vulnerabilities in the current operating system. You can use the following command to update Ubuntu 14.04 or other versions:
- Sudo apt-get update
- Sudo apt-get upgrade
- Sudo apt-get autoremove
- Sudo apt-get autoclean
Enable Automatic Security Patch Update
It is necessary to enable automatic updates for security patches. This ensures the security of our servers to a large extent. To enable the automatic update function of Ubuntu 14.04.x, it is required.
Run the following command to install the module:
- Sudo apt-get install unattended-upgrades
Run the following command:
- Sudo dpkg-reconfigure-plow unattended-upgrades
After the appeal command is executed, A/etc/apt. conf. d/20auto-upgrades file is automatically created and the following configuration content is written:
- APT: Periodic: Update-Package-Lists "1 ";
- APT: Periodic: Unattended-Upgrade "1 ";
You can delete or clear the configuration file when you do not need it.
Disable root Account
Because the root account has too much power, we can use the following command to disable it:
- Sudo passwd-l root
To re-enable the root account, run the following command:
- Sudo passwd-u root
Disable IPv6
IPv6 has not been widely used around the world, but it also causes slow connections. We can temporarily disable the IPv6 function. To disable IPv6, edit the following configuration file:
- Sudo vi/etc/sysctl. conf
Change the IPv6 Configuration File as follows:
- Net. ipv6.conf. all. disable_ipv6 = 1
- Net. ipv6.conf. default. disable_ipv6 = 1
- Net. ipv6.conf. lo. disable_ipv6 = 1
After the change is complete, run the following command to make it take effect:
- Sudo sysctl-p
Disable the RQBALANCE feature
The RQBALANCE feature is mainly used to improve performance by distributing hardware interruptions among multiple CPUs. I recommend disabling the RQBALANCE feature to avoid hardware interruptions to threads.
To disable the RQBALANCE feature, edit the following configuration file:
- Sudo vi/etc/default/irqbalance
Change the value of ENABLED to 0.
- ENABLED = 0
Fix OpenSSL painstaking efforts
The Heartbleed vulnerability is very popular. I will not introduce it here. You can Google it yourself. I need to note that the heartbleed vulnerability is in the following version of OpenSSL:
1.0.1
1.0.1a
1.0.1b
1.0.1c
1.0.1d
1.0.1e
1.0.1f
If you are using the appeal version, you must upgrade it as soon as possible. The command for viewing the OpenSSL version is as follows:
- Sudo openssl version-v
- Sudo openssl version-B
If the returned version is 1.0.1 or earlier than January 1, April 7, 2014, it may be subject to the Heartbleed attack and must be updated as soon as possible.
Fix Shellshock Bash Vulnerability
The Shellshock vulnerability allows users to specify Bash environment variables and access the system illegally. The vulnerability was exposed worldwide and is easily exploited.
We can use the following command to check:
- Sudo env I = '() {:;}; echo Your system is Bash vulnerable 'bash-c "echo bash vulnerability test"
If you see the following current vulnerability, it proves that the system has this vulnerability:
Your system is Bash vulnerable
Bash vulnerability test
To upgrade the Bash version, run the following command:
- Sudo apt-get update; sudo apt-get install -- only-upgrade bash
Set process restrictions
To prevent the system from being blocked, we should set process restrictions for users. Edit the following configuration file:
To protect your system from fork bomb attacks, you shocould set up a process limit for your users.
- Sudo vi/etc/security/limits. conf
Edit the file content as follows:
- User1 hard nproc 100
- @ Group1 hard nproc 20
This configuration limits the processes of specific users and user groups to 100 and 20.
Disable unnecessary services
All services in Ubuntu require memory, CPU, and disk space. disabling or deleting unnecessary services can improve the overall system performance and reduce the attack surface. Run the following command to check which services are running in the current system:
- Sudo initctl list | grep running
You can use the following command to disable services that are not needed:
- Sudo update-rc.d-f service name remove
- Sudo apt-get purge service name
Summary
In fact, we are only talking about how to reinforce the Ubuntu 14.04 server in a one-sided way, which is applicable to individual Ubuntu servers. If you want to consider more comprehensively, there will also be file and folder permissions, iptables firewall configuration and many other security configuration methods available, interested friends can carefully study.