roadracer Posted January 5, 2009

What are the essential steps to harden a fresh install of Ubuntu 8.10 LAMP server that will host public websites?

trq Posted January 5, 2009

For starters I would be installing from a minimal base; Ubuntu (by default) is rather bloated. From there, there are a lot of guides you could follow. The basic steps, however, are to make sure there is no software installed that doesn't need to be (especially any daemons / servers), the software you do have is installed and configured properly, and that file permissions are set up appropriately. If you google 'hardening linux' or 'securing linux' you'll find a bunch of helpful guides.

apacheguy Posted January 5, 2009

I run my site on Windows so I can't give you much advice, but you may want to look at this site: http://www.linuxsecurity.com/content/view/133913/171/

neogranas Posted January 5, 2009

I use a Red Hat based system, but you may look if fail2ban is available through apt. It works from iptables to find anyone trying to log into your system and failing within parameters. Mine looks for anyone trying to get in through SSH or FTP but fails on the login 3 times within a minute. If that happens, it bans their IP for 6 months. You can set the amount of failures within whatever time and how long you want to ban. You can also set it to allow your IP no matter how many times you fail the login, which prevents you from banning your own IP.

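A simplified model of the rule neogranas describes (3 failed logins within a minute, a ban of about 6 months, one exempt address), added here as an example; it is not part of the original thread and not fail2ban's own code. The log lines, IP addresses and the 180-day stand-in for 6 months are constructed, and the constant names mirror fail2ban's `maxretry`, `findtime`, `bantime` and `ignoreip` options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds from the post; 180 days is an assumed reading of "6 months".
MAXRETRY = 3
FINDTIME = timedelta(seconds=60)
BANTIME = timedelta(days=180)
IGNOREIP = [ip_network("198.51.100.7/32")]  # constructed admin address, never banned
FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

# Constructed sample log (ISO timestamps instead of syslog dates, for brevity).
SAMPLE_LOG = """\
2009-01-05T10:00:00 sshd[811]: Failed password for root from 203.0.113.9 port 4021 ssh2
2009-01-05T10:00:20 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
2009-01-05T10:00:40 sshd[813]: Failed password for root from 203.0.113.9 port 4023 ssh2
2009-01-05T10:00:00 sshd[820]: Failed password for bob from 192.0.2.44 port 5100 ssh2
2009-01-05T10:00:50 sshd[821]: Failed password for bob from 192.0.2.44 port 5101 ssh2
2009-01-05T10:01:55 sshd[822]: Failed password for bob from 192.0.2.44 port 5102 ssh2
2009-01-05T10:02:00 sshd[830]: Failed password for alice from 198.51.100.7 port 6000 ssh2
2009-01-05T10:02:10 sshd[831]: Failed password for alice from 198.51.100.7 port 6001 ssh2
2009-01-05T10:02:20 sshd[832]: Failed password for alice from 198.51.100.7 port 6002 ssh2
2009-01-05T10:02:30 sshd[833]: Accepted password for alice from 198.51.100.7 port 6003 ssh2
"""

def scan(lines, ignoreip=IGNOREIP):
    """Return {ip: ban_expiry} for sources reaching MAXRETRY failures within FINDTIME."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        when, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if any(ip_address(ip) in net for net in ignoreip):
            continue              # exempt address: failures are never counted
        if ip in bans and when < bans[ip]:
            continue              # ban still active
        window = recent[ip]
        window.append(when)
        while when - window[0] > FINDTIME:
            window.popleft()      # drop failures older than the sliding window
        if len(window) >= MAXRETRY:
            bans[ip] = when + BANTIME
            window.clear()
    return bans
```

Only 203.0.113.9 is banned: 192.0.2.44 spaces its failures more than a minute apart, and 198.51.100.7 is exempt, which is the self-lockout protection the post mentions.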
corbin Posted January 6, 2009

> I use a Red Hat based system, but you may look if fail2ban is available through apt. It works from iptables to find anyone trying to log into your system and failing within parameters. Mine looks for anyone trying to get in through SSH or FTP but fails on the login 3 times within a minute. If that happens, it bans their IP for 6 months. You can set the amount of failures within whatever time and how long you want to ban. You can also set it to allow your IP no matter how many times you fail the login, which prevents you from banning your own IP.

I got myself banned from a server once... It was very awkward, ya know, since it was hosting a web site of mine. lol. Luckily my ISP does IPs based on MACs and my router (like most) can change MAC addresses.

roadracer (Author) Posted January 7, 2009

> I run my site on Windows so I can't give you much advice, but you may want to look at this site: http://www.linuxsecurity.com/content/view/133913/171/

I missed this one on my first websearch--thanks! It is among the better ones I am now reading/considering/testing.

roadracer (Author) Posted January 7, 2009

> I use a Red Hat based system, but you may look if fail2ban is available through apt. It works from iptables to find anyone trying to log into your system and failing within parameters. Mine looks for anyone trying to get in through SSH or FTP but fails on the login 3 times within a minute. If that happens, it bans their IP for 6 months. You can set the amount of failures within whatever time and how long you want to ban. You can also set it to allow your IP no matter how many times you fail the login, which prevents you from banning your own IP.

I will check it out. Perhaps fail2ban would be a good thing to have on the web server in case I don't get my new routing/firewall rules just right. I could also just as easily run my webs on CentOS or stripped down Fedora and not Ubuntu. I am thinking about using the Debian-based pfSense distro on a dedicated server as a firewall with multiple NICs and VLANs for my different LAN and DMZ subnets. I think this will be more secure than my current multiple router with DMZ setup--even for the present Windows servers. The more one learns, the more choices must be made...

steviewdr Posted January 8, 2009

http://www.debian.org/doc/manuals/securing-debian-howto/

-steve