Service to harden an Ubuntu Server [closed]

Recognising that securing a server is not an easy one time job is something I wish more web server owners would do, so congrats to you there.

While it isn't an easy one-time job, it is, though, not too difficult a job if you have time to learn the current threats and the time to keep abreast of any new threats. Simply following accepted good practice (proper password policies, being careful with your SSH/Apache/<whatever> configuration, keeping up-to-date with security patches, having a reasonable firewall setup, ...) and keeping up-to-date with security news will do the trick.

If you don't have the time or the inclination for the above (many don't, and some of those who don't but think they do are a menace to themselves and the rest of the network!) then the other option is to employ a server management service. You'll find them advertising, and being discussed, at places geared around web/other hosting solutions like the webhostingtalk forums (http://www.webhostingtalk.com/) and their many kin. A good server management plan will get your server initially hardened and will see it monitored, patched and tweaked as needed. But you will lose some level of control, as you will have to inform them of changes that you plan; otherwise any guarantee that comes with the service will be void (they won't guarantee their work if your subsequent changes impact upon it).

I don't have any specific recommendations unfortunately, as I'm a DIY (or at least do-it-within-the-company-perhaps-with-a-little-outside-consultation) man myself and have not used such services, and I'm guessing most posters on serverfault will be in a similar position. One thing I can say is that getting a good service probably isn't going to be particularly cheap - if you pay peanuts you'll get monkeys, and you don't want faeces thrown at your server(s). Bad third-party server management can be worse than none at all, as it will give you a false sense of safety while offering no real benefit at all.

Another option is to have your server and apps professionally penetration tested. This will give you a good detailed report of any major/middling/minor issues that exist, but will be expensive, will need to be repeated occasionally, and they will only test (you will have to devise and apply any changes needed to resolve weaknesses found).


I'm not sure how I can contact you 'off-site', but for the purpose of the thread, here are the basics:

1) Disable unnecessary services. Ubuntu isn't my strong point, but I believe Debian systems use 'rcconf' to switch off services. You can also modify the files directly in /etc/rc.d. You don't want to run anything that could leave you vulnerable, or require patching if you don't need the service, so it's easier just to switch it off.

2) iptables. Deny by default and open up services you need such as SSH and WWW. You should also block outbound IP traffic and whitelist those services you need. In the past I've been rooted by a PHP script with poor security which was used to upload a script which downloaded a more potent payload from a remote server. If outbound traffic had been denied by default it could have saved me.

3) SSH: turn off password logins and use public/private key pairs instead.

4) Install logwatch and check your system daily; this will enable you to spot if something changes.

5) Remote logging: if you have the opportunity, log to a remote syslog host; this way you'll have logs if your system is compromised.

6) Backups and recovery plan: whilst not part of security, it's comforting to know you can recover your system with minimum impact.

Anyone else want to contribute?
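Steps 2 and 3 of the list above are the ones that are easy to get subtly wrong, so here is an added example (not code from this thread or from any of its posters) that makes them checkable: `generate_ruleset` emits an iptables-restore ruleset with deny-by-default INPUT and OUTPUT chains and a small whitelist, and `check_sshd_config` audits an `sshd_config` file for password logins. The port lists, the assumed role of the host (a web server reachable over SSH that needs DNS, NTP and HTTP/HTTPS for apt), and the function names are all assumptions to adjust to your own machine.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a deny-by-default
# iptables ruleset (inbound AND outbound) and audits sshd_config for
# password logins. Host role and port lists below are assumptions.

INBOUND_TCP="22 80 443"      # assumption: SSH plus a web server
OUTBOUND_TCP="80 443"        # assumption: apt mirrors / security updates
OUTBOUND_UDP="53 123"        # DNS and NTP

# Emit an iptables-restore ruleset. Apply with:
#   generate_ruleset | sudo iptables-restore
generate_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: drop anything not explicitly allowed, both directions.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback, and replies belonging to connections we already allowed.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $INBOUND_TCP; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $OUTBOUND_TCP; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $OUTBOUND_UDP; do
        printf '%s\n' "-A OUTPUT -p udp --dport $p -j ACCEPT"
    done
    # Rate-limited logging of what the default policy drops: a compromised
    # script trying to fetch a payload then shows up in logwatch and on the
    # remote syslog host instead of failing silently.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "'
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Return 0 if the given sshd_config turns password logins off and leaves
# public-key logins on. sshd uses the FIRST value it finds for a keyword,
# so the first uncommented occurrence wins; an absent keyword falls back to
# sshd's default (PasswordAuthentication yes, PubkeyAuthentication yes).
check_sshd_config() {
    cfg="$1"
    pw=$(grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$cfg" \
         | head -n1 | awk '{print tolower($2)}')
    pk=$(grep -Ei '^[[:space:]]*PubkeyAuthentication[[:space:]]+' "$cfg" \
         | head -n1 | awk '{print tolower($2)}')
    [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# Stand-alone use: print the ruleset and audit the live sshd_config.
if [ "${1:-}" = "--run" ]; then
    generate_ruleset
    if check_sshd_config /etc/ssh/sshd_config; then
        echo "sshd: password logins disabled, key logins enabled"
    else
        echo "sshd: password logins still enabled (or key logins disabled)"
    fi
fi
```

Test the ruleset from a console session, not over SSH, before saving it with iptables-save: with OUTPUT defaulting to DROP, anything you forgot to whitelist (a mail relay, a monitoring agent) simply stops working, which is the point, but you want to find that out while you can still log in. The LOG rules are what turn a blocked outbound connection into a line logwatch will show you.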


If you would like to take care of hardening yourself, take a look here.