Security On a Default Ubuntu Server 16.10 Install
-
How is that for a specific title? I have learned in the Linux world, being specific helps.
Anyway, due to various discussions here on ML over the past few days (and recent security lapses in general), I have been thinking about base installs. We typically tell people to install Ubuntu for things such as XO or the Ubiquiti Controller but do the instructions need more details on how to setup the server itself?
In many discussions I have had with @scottalanmiller he tells me I think about Linux wrong. That it is basically just secure out of the box. Easy, not like Windows. (Though some would argue that newer versions of Windows are also pretty secure out of the box.) This thought is also echoed in the documentation of Ubuntu, as well as on setup pages from places such as DigitalOcean.
So, let's take a default install of Ubuntu. We install it, set a strong password (or even use a SSH key) and run all updates. Is that it? Is that all we need to do? Is it truly secure?
I guess a good starting point would be a discussion on ... what do YOU do to your base Ubuntu installs to lock them down?
For me, it is what I mentioned above, and also...
- fail2ban
- set firewall to deny all incoming except SSH
- create a non-root user
-
@BRRABill said in Security On a Default Ubuntu Server 16.10 Install:
How is that for a specific title? I have learned in the Linux world, being specific helps.
Anyway, due to various discussions here on ML over the past few days (and recent security lapses in general), I have been thinking about base installs. We typically tell people to install Ubuntu for things such as XO or the Ubiquiti Controller but do the instructions need more details on how to setup the server itself?
In many discussions I have had with @scottalanmiller he tells me I think about Linux wrong. That it is basically just secure out of the box. Easy, not like Windows. (Though some would argue that newer versions of Windows are also pretty secure out of the box.) This thought is also echoed in the documentation of Ubuntu, as well as on setup pages from places such as DigitalOcean.
So, let's take a default install of Ubuntu. We install it, set a strong password (or even use a SSH key) and run all updates. Is that it? Is that all we need to do? Is it truly secure?
I guess a good starting point would be a discussion on ... what do YOU do to your base Ubuntu installs to lock them down?
For me, it is what I mentioned above, and also...
- fail2ban
- set firewall to deny all incoming except SSH
- create a non-root user
I have no idea what the default settings are for Ubuntu systems. Fail2Ban is a nice utility, but unless you are serving something public, it is a waste to configure. Granted most people are using a public service of some type so, because of that, it is a standard. But only because it is a public service.
I would assume that the firewall is locking everything by default, the same as CentOS firewalls does.
When it comes to the non-root user, I almost never do it on my CentOS systems because the systems are single purpose application servers and there is never remote SSH access.
-
@JaredBusch said
I have no idea what the default settings are for Ubuntu systems.
You don't have any Ubuntu servers set up? I know you aren't a XO user.
-
Ubuntu also has AppArmor, which is a bit like the SELinux in other distros.
https://wiki.ubuntu.com/AppArmor -
@JaredBusch what is your Unifi controller running on?
-
@Dashrender said in Security On a Default Ubuntu Server 16.10 Install:
@JaredBusch what is your Unifi controller running on?
Ubuntu. But I set that up two years ago. No idea what defaults are now.
-
Pretty sure that Ubuntu is fully firewalled out of the box. Don't know anything that isn't these days (except for the famous 1511 issue.)
