Protect your Ubuntu Server

Security is relative. Using the methods described in this article cannot guarantee that your server is "safe", but it is certainly safer than before, it is also more secure than most servers. At least cainiao-level hackers cannot break the attack. Security is a continuous process and it is not achieved overnight. We believe that, the security field requires a bit of paranoia. The protection measures listed in this article have been tested in javastuserver10.04 (Lucid) and 10.10 (Maverick). If you want your new Ubuntu server Security is relativeUsing the methods described in this article cannot ensure that your server is "safe", but it is certainly safer than before, and more secure than most servers, at least cainiao-level hackers cannot break the attack. Security is a continuous process and it is not achieved overnight. We believe that security requires a bit of paranoia.

The protection measures listed in this article have been tested in Ubuntu Server 10.04 (Lucid) and 10.10 (Maverick). If you want to make your new Ubuntu Server indestructible, you should read this article carefully.

498) this. width = 498; "border = 0>

Ubuntu servers are well designed and regularly updated, which is relatively safe. the Ubuntu security team said they will continue to work hard to protect Ubuntu's security and will provide regular security updates.

·Do not open the port

·Role-based Management

·No X Server

·Security Update

·Kernel and compiler Protection

In this article, we will deal with security challenges from different parties, including system analysis, modification settings, firewall installation, rootkit scanning, and periodic maintenance system.

·Modify settings to enhance security

·Implement UFW and Simple Firewall

·Using denyhosts to automatically blacklist attackers

·Use Tiger to scan system vulnerabilities

·Use psad to detect intrusion attempts

·Install nmap and scan the ports opened by the System

·Use chkrootkit to check the system rootkit

·Monitoring log

Modify settings to enhance security

Protect shared memory

When attacking a running service (such as httpd), you often need to use/dev/shm to modify/etc/fstab to make it safer.

sudo vi /etc/fstab

Add the following line:

tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0

Prohibit root login through SSH

The Root account is disabled by default in Ubuntu. If you install Ubuntu on Slicehost or Linode, root is enabled, it is a good idea to prevent root users from logging on to the system through SSH.

sudo vi /etc/ssh/sshd_config

SetPermitRootLoginSetNo:

PermitRootLogin no

Of course, if you access your server through SSH, make sure that other users can use sudo normally before you disable SSH for root users.

Only allow users to use su

This will help prevent Elevation of Privilege. By default, Ubuntu does not provide a management group, so you need to create a management group first.

sudo groupadd admin

Add yourself to the Management Group:

sudo usermod -a -G admin andrew

Restrict/bin/su access, and only grant permissions to members of the Management Group:

sudo dpkg-statoverride --update --add root admin 4750 /bin/su

Check/bin/su permissions:

ls -lh /bin/su

The following output is displayed:

-rwsr-x--- 1 root admin 31K 2010-01-26 17:09 /bin/su

The source route of inbound data packets cannot be tracked.

sudo sysctl -w net.ipv4.conf.all.accept_source_route=0sudo sysctl ­-w net.ipv4.conf.default.accept_source_route=0

System users are not allowed to access the FTP server.

This is only required when ftpd is installed. As long as no warning is reported in the tiger scan report, SFTP is more secure than FTP. If possible, try to use SFTP.

Edit/etc/ftpusers:

sudo vi /etc/ftpusers

Add a system user to reject ftpd:

 
 

  
  
backup 
  
  
bin 
  
  
daemon 
  
  
games 
  
  
gnats 
  
  
irc 
  
  
libuuid 
  
  
list 
  
  
lp 
  
  
mail 
  
  
man 
  
  
mysql 
  
  
news 
  
  
ntp 
  
  
postfix 
  
  
proxy 
  
  
sshd 
  
  
sync 
  
  
sys 
  
  
syslog 
  
  
uucp 
  
  
www-data