Best Practices for Security on Your New Ubuntu Server: Users, Console and Firewall

Reading Time: 4 minutes

Thank you for taking the time to review this important information. You will find this guide broken down into six major sections that coincide with Ubuntu’s security policy guide. The major topics we talk on throughout these articles are as follows:

User Management

User management is one of the most important aspects of any security plan. Balancing your users’ access requirements against their everyday needs, versus the overall security of the server will demand a clear view of those goals to ensure users have the tools they need to get the job done as well as protect the other users’ privacy and confidentiality. We have three types or levels of user access:

  1. Root: This is the main administrator of the server. The root account has full access to everything on the server.  The root user can lock down or, loosen users roles, set file permissions, and ownership, limit folder access, install and remove services or applications, repartition drives and essentially modify any area of the server’s infrastructure. The phrase “with great power comes great responsibility” comes to mind in reference to the root user.
  2. A sudoer (user): This is a user who has been granted special access to a Linux application called sudo.  The “sudoer” user has elevated rights to run a function or program as another user. This user will be included in a specific user group called the sudo group. The rules this user has access to are defined within the “visudo” file which defines and limits their access and can only be initially modified by the root user.
  3. A user: This is a regular user who has been set up using the adduser command, given access to and, who owns the files and folders within the user /home/user/ directory as defined by the basic settings in the /etc/skel/.profile file.

Linux can add an extreme level of granularity to defined user security levels. This allows for the server’s (root user) administrator to outline and delineate as many roles and user types as needed to meet the requirements set forth by the server owner and its assigned task.

 

Enforce Strong Passwords

Because passwords are one of the mainstays in the user’s security arsenal, enforcing strong passwords are a must. In order to enact this guideline, we can modify the file responsible for this setting located here:  /etc/pam.d/common-password.

To enact this guideline, we can modify the file responsible for this setting by using the ‘chage’ command:

chage -m 90 username

This command simply states that the user’s password must be changed every 90 days.

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

 

Restrict Use of Old Passwords

Open ‘/etc/pam.d/common-password‘ file under Ubuntu/Debian/Linux Mint.
vi /etc/pam.d/common-passwordAdd the following line to ‘auth‘ section.

auth        sufficient  pam_unix.so likeauth nullok

Add the following line to ‘password‘ section to disallow a user from re-using last five of his or her passwords.

sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5Only the last five passwords are remembered by the server. If you tried to use any of five old passwords, you would get an error like:
Password has been already used. Choose another.

 

Checking Accounts for Empty Passwords

Any account having an empty password means its opened for unauthorized access to anyone on the web and it’s a part of security within a Linux server. So, you must make sure all accounts have strong passwords, and no one has any authorized access. Empty password accounts are security risks, and that can be easily hackable. To check if there were any accounts with an empty password, use the following command.

cat /etc/shadow | awk -F: '($2==""){print $1}'

 

What is Console Security?

Console security simply implies that limiting access to the physical server itself is key to ensuring that only those with the proper access can reach the server. Anyone who has access to the server can gain entry to the server, reboot it, remove hard drives, disconnect cables or even power down the server! To curtail malicious actors with harmful intent, we can make sure that servers are kept in a secure location. Another step we can take is to disable the Ctrl+Alt+Delete function. To accomplish this run the following commands:

systemctl mask ctrl-alt-del.target
systemctl daemon-reload
This forces attackers to take more drastic measures to access the server and also limits accidental reboots.

What is UFW?

UFW is simply a front end for a program called iptables which is the actual firewall itself and, UFW provides an easy means to set up and design the needed protection. Ubuntu provides a default firewall frontend called UFW (Uncomplicated firewall). This is another line of defense to keep unwanted or malicious traffic from actually breaching the internal processes of the server.

 

Firewall Logs

The firewall log is a log file which creates and stores information about attempts and other connections to the server. Monitoring these logs for unusual activity and/or attempts to access the server maliciously will aid in securing the server.

When using UFW, you can enable logging by entering the following command in a terminal:

ufw logging on

To disable logging, simply run the following command:

ufw logging off

To learn more about firewalls, visit our Knowledge Base articles.

We’ve covered the importance of passwords, user roles, console security and firewalls all of which are imperative to protecting your Linux server. Let’s continue onto the next article where we’ll cover AppArmor, certificates, eCryptfs and Encrypted LVM.

 

How to Install Logwatch on Fedora 22

Reading Time: 1 minute

Logwatch is a Perl-based log management tool for analyzing, summarizing, and reporting on a server’s log files. It is most often used to send a short digest of a server’s log activity to a system administrator.

What are log files? Logs are application-generated files useful for tracking down and understanding what has happened in the past.

Pre-Flight Check

  • These instructions are intended specifically for installing the Logwatch on Fedora 22.
  • I’ll be working from a Liquid Web Self Managed Fedora 22 server, and I’ll be logged in as root.

Continue reading “How to Install Logwatch on Fedora 22”

How to Install Docker on Ubuntu 15.04

Reading Time: 1 minute

Introduction

Docker is a container-based software framework for automating deployment of applications. “Containers” are encapsulated, lightweight, and portable application modules.

Pre-Flight Check

  • These instructions are intended for installing Docker.
  • I’ll be working from a Liquid Web Self Managed Ubuntu 15.04 server, and I’ll be logged in as root.

Continue reading “How to Install Docker on Ubuntu 15.04”

How to Install Logwatch on Fedora 21

Reading Time: 1 minute

Logwatch is a Perl-based log management tool for analyzing, summarizing, and reporting on a server’s log files. It is most often used to send a short digest of server’s log activity to a system administrator.

What are log files? Logs are application-generated files useful for tracking down and understanding what has happened in the past.

Pre-Flight Check

  • These instructions are intended specifically for installing the Logwatch on Fedora 21.
  • I’ll be working from a Liquid Web Self Managed Fedora 21 server, and I’ll be logged in as root.

Continue reading “How to Install Logwatch on Fedora 21”

How to Install Logwatch on Fedora 20

Reading Time: 1 minute

Logwatch is a Perl-based log management tool for analyzing, summarizing, and reporting on a server’s log files. It is most often used to send a short digest of server’s log activity to a system administrator.

What are log files? Logs are application-generated files useful for tracking down and understanding what has happened in the past.

Pre-Flight Check
  • These instructions are intended specifically for installing the Logwatch on Fedora 20.
  • I’ll be working from a Liquid Web Self Managed Fedora 20 server, and I’ll be logged in as root.

Continue reading “How to Install Logwatch on Fedora 20”

How to Install Logwatch on Ubuntu 14.04 LTS

Reading Time: 1 minute

Logwatch is a Perl-based log management tool for analyzing, summarizing, and reporting on a server’s log files. It is most often used to send a short digest of server’s log activity to a system administrator.

What are log files? Logs are application-generated files useful for tracking down and understanding what has happened in the past.

Pre-Flight Check
  • These instructions are intended specifically for installing the Logwatch on Ubuntu 12.04 LTS.
  • I’ll be working from a Liquid Web Core Managed Ubuntu 12.04 LTS server, and I’ll be logged in as root.

Continue reading “How to Install Logwatch on Ubuntu 14.04 LTS”

How to Install Logwatch on Ubuntu 12.04 LTS

Reading Time: 1 minute

Logwatch is a Perl-based log management tool for analyzing, summarizing, and reporting on a server’s log files. It is most often used to send a short digest of server’s log activity to a system administrator.

What are log files? Logs are application-generated files useful for tracking down and understanding what has happened in the past.

Pre-Flight Check
  • These instructions are intended specifically for installing the Logwatch on Ubuntu 12.04 LTS.
  • I’ll be working from a Liquid Web Core Managed Ubuntu 12.04 LTS server, and I’ll be logged in as root.

Continue reading “How to Install Logwatch on Ubuntu 12.04 LTS”

How to Install Logwatch on CentOS 7

Reading Time: 1 minute

Logwatch is a Perl-based log management tool for analyzing, summarizing, and reporting on a server’s log files. It is most often used to send a short digest of server’s log activity to a system administrator.

What are log files? Logs are application-generated files useful for tracking down and understanding what has happened in the past.

Pre-Flight Check
  • These instructions are intended specifically for installing the Logwatch on CentOS 7.
  • I’ll be working from a Liquid Web Core Managed CentOS 7 server, and I’ll be logged in as root.

Continue reading “How to Install Logwatch on CentOS 7”

How to Install Logwatch on CentOS 6

Reading Time: 1 minute

Logwatch is a Perl-based log management tool for analyzing, summarizing, and reporting on a server’s log files. It is most often used to send a short digest of server’s log activity to a system administrator.

What are log files? Logs are application-generated files useful for tracking down and understanding what has happened in the past.

Pre-Flight Check
  • These instructions are intended specifically for installing the Logwatch on CentOS 6.
  • I’ll be working from a Liquid Web Core Managed CentOS 6.5 server, and I’ll be logged in as root.

Continue reading “How to Install Logwatch on CentOS 6”