# Server Setup

Very basic server setup for Ubuntu server.
## Initial update

```sh
apt update
apt upgrade
```
## Create a user

```sh
adduser myuser
```

Add the user to the `sudo` group if necessary:

```sh
adduser myuser sudo
```
## SSH configuration

Upload the user's public key:

```sh
ssh-copy-id -i ~/.ssh/mykey.pub myuser@host
```

Set up `/etc/ssh/sshd_config`:

```
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication no
# Unless you intend to use a GUI on the server.
X11Forwarding no
```

Restart the SSH daemon:

```sh
systemctl restart sshd
```
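Before restarting, it is worth confirming that the settings above are actually the ones sshd will use. sshd keeps the first occurrence of each keyword, and Ubuntu 22.04 and later ship an `Include /etc/ssh/sshd_config.d/*.conf` line at the top of `sshd_config`, so a drop-in file can silently override an edit made further down. The following audit script is an added example, not part of this guide; it assumes POSIX sh with awk and tr, and the function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config file
# for the settings listed above before restarting the daemon. Assumes
# POSIX sh with awk and tr; the config path is passed as an argument.

# Effective value of one directive. sshd keeps the FIRST occurrence of a
# keyword, so a drop-in pulled in by an early "Include" line wins over a
# later edit in the main file. Keywords are case-insensitive, '#' lines are
# comments, and values after a "Match" block are conditional, so stop there.
sshd_effective() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare each hardening directive with the value the guide expects.
# An unset directive counts as a failure: rely on explicit settings, not on
# the compiled-in defaults. Returns 1 if anything is off.
check_sshd_config() {  # $1 = config file
    rc=0
    for pair in PermitRootLogin=no StrictModes=yes PubkeyAuthentication=yes \
                PasswordAuthentication=no X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an earlier "PasswordAuthentication yes" (as a
# cloud-image drop-in may supply) silently overrides the later "no".
write_sample_config() {  # $1 = destination path
    cat > "$1" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
EOF
}

# Typical use on a real host (only restart once both checks pass):
#   check_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

`sshd -t` validates the full configuration, Include files and all, before the restart, so a syntax error cannot lock you out of the host.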
## Enable automatic security updates

```sh
sudo apt install unattended-upgrades
```

Then set up `/etc/apt/apt.conf.d/10periodic`:

```
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
```

Make sure unattended security updates are enabled in `/etc/apt/apt.conf.d/50unattended-upgrades` by listing the origins in the `Unattended-Upgrade::Allowed-Origins` block:

```
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};
```
## fail2ban

```sh
apt install fail2ban
```
## Firewall

```sh
apt install ufw
```

Allow SSH access and enable the firewall:

```sh
ufw allow ssh
ufw enable
```

Then allow additional ports as required by the services running on the host. For example, for HTTP and HTTPS:

```sh
ufw allow 80
ufw allow 443
```
## Logwatch

```sh
apt install logwatch
```

Send emails daily by editing `/etc/cron.daily/00logwatch`:

```sh
nano /etc/cron.daily/00logwatch
```

```sh
/usr/sbin/logwatch --output mail --mailto admin@domain.com --detail high
```

Change the address from which the email appears to come in `/usr/share/logwatch/dist.conf/logwatch.conf`:

```sh
nano /usr/share/logwatch/dist.conf/logwatch.conf
```

```
MailFrom = server-name
```
## AppArmor

```sh
apt install apparmor apparmor-profiles
```

Make sure to install `apparmor-profiles`, which includes profiles for everyday applications.
## Nginx

### Modern SSL/TLS Configuration

- SSL Config: generate a config for the web server.
- SSL Test: test the server.

### Headers

```nginx
add_header X-Frame-Options DENY always;
```

`DENY` is a better default. Use `SAMEORIGIN` if the web application requires iframes of its own.