Security is relative
Using the methods described in this article cannot guarantee that your server is "safe", but it will certainly be safer than before and more secure than most servers. At the very least, novice attackers will not be able to break in. Security is a continuous process and is not achieved overnight. We believe that security requires a bit of paranoia.
The protection measures listed in this article have been tested on Ubuntu Server 10.04 (Lucid) and 10.10 (Maverick). If you want to make your new Ubuntu Server indestructible, you should read this article carefully.
Ubuntu Server is well designed and regularly updated, which makes it relatively safe. The Ubuntu security team says it will continue working to keep Ubuntu secure and will provide regular security updates.
·No open ports
·Role-based management
·No X server
·Security updates
·Kernel and compiler protection
In this article, we approach security from several angles, including analyzing the system, changing settings, installing a firewall, scanning for rootkits, and maintaining the system periodically.
·Modify settings to enhance security
·Implement UFW, the Uncomplicated Firewall
·Use denyhosts to automatically blacklist attackers
·Use Tiger to scan the system for vulnerabilities
·Use psad to detect intrusion attempts
·Install nmap and scan the ports the system has open
·Use chkrootkit to check the system for rootkits
·Monitor logs
Modify settings to enhance security
Protect shared memory
Attacks against a running service (such as httpd) often make use of /dev/shm. Modify /etc/fstab to make it safer.
sudo vi /etc/fstab
Add the following line:
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
Prohibit root login through SSH
The root account is disabled by default in Ubuntu. If you installed Ubuntu on Slicehost or Linode, root is enabled. Either way, it is a good idea to prevent root from logging on to the system through SSH.
sudo vi /etc/ssh/sshd_config
Set PermitRootLogin to no:
PermitRootLogin no
Of course, if you access your server through SSH, make sure that another user can log in and use sudo normally before you disable SSH login for root. sshd picks up the new setting only after it is restarted or reloaded.
Only allow admin users to use su
This helps prevent privilege escalation. By default, Ubuntu does not provide an admin group, so you need to create one first.
sudo groupadd admin
Add yourself to the admin group (andrew is the user name in this example):
sudo usermod -a -G admin andrew
Restrict access to /bin/su so that only members of the admin group can run it:
sudo dpkg-statoverride --update --add root admin 4750 /bin/su
Check the permissions on /bin/su:
ls -lh /bin/su
The following output is displayed:
-rwsr-x--- 1 root admin 31K 2010-01-26 17:09 /bin/su
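Do not accept source-routed inbound packets
sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w changes only the running kernel. To keep these values after a reboot, also set the same keys in /etc/sysctl.conf.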
Do not allow system users to access the FTP server
This is only required when ftpd is installed, and only so that the tiger scan report raises no warning about it. SFTP is more secure than FTP. If possible, use SFTP.
Edit /etc/ftpusers:
sudo vi /etc/ftpusers
Add the system users that ftpd should reject, one name per line:
- backup
- bin
- daemon
- games
- gnats
- irc
- libuuid
- list
- lp
- mail
- man
- mysql
- news
- ntp
- postfix
- proxy
- sshd
- sync
- sys
- syslog
- uucp
- www-data
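One way to verify the settings above after applying them, as an added example that is not part of the original article: a shell script that checks the fstab, sshd_config, source-routing and ftpusers settings. The function names, the FTP_DENY variable and the rule that a missing /etc/ftpusers means no ftpd is installed are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the settings from this article. Paths are arguments,
# so every check can run against copies of the files as well as a live host.

# Accounts the article lists for /etc/ftpusers.
FTP_DENY="backup bin daemon games gnats irc libuuid list lp mail man mysql news ntp postfix proxy sshd sync sys syslog uucp www-data"

check_shm() {            # fstab: the /dev/shm entry needs noexec AND nosuid
    awk '$1 !~ /^#/ && $2 == "/dev/shm" {
             n = split($4, o, ","); e = 0; s = 0
             for (i = 1; i <= n; i++) { if (o[i] == "noexec") e = 1; if (o[i] == "nosuid") s = 1 }
             if (e && s) ok = 1
         }
         END { exit (ok ? 0 : 1) }' "$1" 2>/dev/null
}

check_root_login() {     # sshd_config: sshd uses the first value it reads for a keyword
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { exit (v == "no" ? 0 : 1) }' "$1" 2>/dev/null
}

check_source_route() {   # running kernel values, i.e. what "sysctl -w" changes
    for i in all default; do
        [ "$(cat "${1:-/proc/sys}/net/ipv4/conf/$i/accept_source_route" 2>/dev/null)" = 0 ] || return 1
    done
}

missing_ftpusers() {     # print listed accounts that are absent from the file
    for u in $FTP_DENY; do
        grep -qxF -- "$u" "$1" 2>/dev/null || printf '%s\n' "$u"
    done
}

audit() {                # audit ROOT: "/" for the live host, or a directory of copies
    r=${1%/}; fails=0
    check_shm "$r/etc/fstab" || { echo "FAIL /dev/shm lacks noexec,nosuid"; fails=$((fails + 1)); }
    check_root_login "$r/etc/ssh/sshd_config" || { echo "FAIL PermitRootLogin is not no"; fails=$((fails + 1)); }
    check_source_route "$r/proc/sys" || { echo "FAIL source-routed packets accepted"; fails=$((fails + 1)); }
    if [ -f "$r/etc/ftpusers" ]; then   # assumption: no ftpusers file means no ftpd
        m=$(missing_ftpusers "$r/etc/ftpusers" | tr '\n' ' ')
        [ -z "$m" ] || { echo "FAIL not in ftpusers: $m"; fails=$((fails + 1)); }
    fi
    return "$fails"
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run the script with / as its argument on the server. It prints one FAIL line per setting that is not in place and exits with the number of failures.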