Harden VPS

Post tags: | security | vps |

Hardening an Ubuntu 14.04 LTS production server

Allowed access

  • ssh
  • http
  • https

Use of VPS

  • ssh in
  • gitlab server - remote ssh access - local https access
  • x2go server - remote ssh access
  • weechat runs on tmux - remote ssh access

Research

Bryan Kennedy: First 5 Minutes On A Server

This is a basic starting point. Look at the other links here for additions or modifications.

Server security doesn’t need to be complicated. My security philosophy is simple: adopt principles that will protect you from the most frequent attack vectors, while keeping administration efficient enough that you won’t develop “security cruft”. If you use your first 5 minutes on a server wisely, I believe you can do that.

Any seasoned sysadmin can tell you that as you grow and add more servers & developers, user administration inevitably becomes a burden. Maintaining conventional access grants in the environment of a fast growing startup is an uphill battle - you’re bound to end up with stale passwords, abandoned intern accounts, and a myriad of “I have sudo access to Server A, but not Server B” issues. There are account sync tools to help mitigate this pain, but IMHO the incremental benefit isn’t worth the time nor the security downsides. Simplicity is the heart of good security.

Our servers are configured with two accounts: root and deploy. The deploy user has sudo access via an arbitrarily long password and is the account that developers log into. Developers log in with their public keys, not passwords, so administration is as simple as keeping the authorized_keys file up-to-date across servers. Root login over ssh is disabled, and the deploy user can only log in from our office IP block.
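Added example (not from Bryan Kennedy's article and not this post's own code): a shell check of sshd_config text against the SSH policy quoted above, meaning root login disabled, key-only logins, and the deploy user restricted by source address. The two sample configs and the 203.0.113.* office range are constructed, and only the global section is read (Match blocks are not evaluated).

```shell
#!/bin/sh
# Audit sshd_config text against the quoted policy. Assumptions: the login
# account is "deploy" (from the quote); 203.0.113.* is a constructed stand-in
# for the office IP block.

# Print the value of a keyword from the config on stdin. sshd keeps the first
# occurrence of most keywords and matches keywords case-insensitively.
# Pass "all" as $2 for keywords that accumulate over repeated lines.
sshd_value() {
    awk -v key="$1" -v all="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print
            if (all != "all") exit
        }'
}

# $1 = config text. Prints one line per finding, returns the finding count.
audit_sshd() {
    cfg=$1 fails=0
    for check in "PermitRootLogin:no" "PasswordAuthentication:no"; do
        key=${check%%:*} want=${check#*:}
        got=$(printf '%s\n' "$cfg" | sshd_value "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key is '${got:-unset}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    users=$(printf '%s\n' "$cfg" | sshd_value AllowUsers all)
    if [ -z "$users" ]; then
        echo "FAIL AllowUsers is unset, so no account or source restriction"
        fails=$((fails + 1))
    fi
    set -f   # keep patterns such as 203.0.113.* from being glob-expanded
    for u in $users; do
        case $u in
            deploy@?*) ;;
            *) echo "FAIL AllowUsers entry '$u' is not deploy@<office block>"
               fails=$((fails + 1)) ;;
        esac
    done
    set +f
    return "$fails"
}

weak=$(printf '%s\n' '# constructed: permissive' 'PermitRootLogin without-password' '#PasswordAuthentication yes')
hardened=$(printf '%s\n' '# constructed: matches the policy' 'PermitRootLogin no' 'passwordauthentication no' 'AllowUsers deploy@203.0.113.*')
audit_sshd "$weak" || echo "weak sample: $? finding(s)"
audit_sshd "$hardened" && echo "hardened sample: ok"
```

To audit a live server, pass the file contents instead of a sample: audit_sshd "$(cat /etc/ssh/sshd_config)".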

digitalocean.com: How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server

Justin Ellingwood: Initial Server Setup with Ubuntu 14.04

rubytreesoftware.com: Securely Setup Ubuntu 14.04 Server

other