Most of these tips are really wrong:<p>* Why using an embedded board for firewall? I can see using an hw firewall, but only in very limited corner cases (i.e. when it does inspection in ASIC)<p>* what has ssh to do with apache?<p>* having 10 (wow! Look at me!) desktops and keeping one for 5 tail windows is the perfect recipe to NOT notice anomalies.<p>* ...<p>Total rubbish IMHO.
There are my thoughts:<p>Fail2Ban - "It updates firewall rules to reject the IP address." stopped reading here, NOTHING changes my firewall rules, I do.<p>Non standard ports - I run on my server sshd on port 22, never had a single problem, yes sometimes I get some attempts, denyhosts helps but it is a problem for those days you type your own password wrong too many times. Also totally unrelated to apache.<p>Hardware firewall - Not knowing much about this I can't say much either, but my bet is that for a simple server it is overkill.<p>Virtual hosts - Useless thing in my opinion.<p>PhpMyAdmin - Don't use it.<p>Updates - I'm ok with this one, but you can't just update somethimes things break.<p>Check logs - Not a bad idea at all but not like that, get something to look for suspicious patterns or you will go insane.<p>.htaccess - Block addresses? Seriously? With htaccess? I would go with firewall rules, and a complete country? Don't like that idea.
This article's title should have been "8 things the author did to secure their specific Ubuntu server."<p>It's strange that it the link got so many votes. While the article has a few points about security, it's nowhere sufficient enough to be considered acceptable reading material for improving your site or server's security. (case in point: complete lack of anything on their list addressing integrity of your files/content, also nothing about backups)<p>It would be a shame if anyone from HN took the approach the author describes in the above article and felt any sense of increased security on their site or about to be launched web app (there is a whole heck of a lot more out there than "install a few things, make a few tweaks, look what i did")
<p><pre><code> Do it now! Modify /etc/ssh/ssh_config.
</code></pre>
Correct me if I'm wrong, but shouldn't it be:<p><pre><code> Do it now! Modify /etc/ssh/sshd_config.</code></pre>
"Invest in a good hardware firewall." <= this one always makes me laugth
even more so when it lists linux based firewalls afterwards "anyways" (not that ipfilter is any bad or less secure than anything else)<p>Love the "watch the log real time" too :-)
I hate the praise that fail2ban gets. It is useful, but it is not securing anything really, unless maybe you run a public ssh box that has other users who have bad passwords. It will keep the logs cleaner though. A better way to secure SSH on a web server would be to restrict access by firewall and/or disallow password logins.
This is mostly useless advice. Some are simpletons of a hardening Linux. But come on, what's to have a hardware firewall instead of netfilter? Even it does not mention about ids/ips configurations.
The article raises some common-sense good points, but as others have noted, a lot of it is crappy advice.<p>> When a user points their computer towards your server, they generally use your ip address. If they have malicious intentions, they will go fishing for your phpmyadmin, mail, or other vulnerable services.<p>A malicious person can just as easily go fishing for vulnerable web-accessible pages using your domain name. example.com/phpmyadmin is no more secure than 12.34.56.78/phpmyadmin.<p>> 5. Block access to phpmyadmin<p>Nope, just don't install it in the first place. Especially if you're going to access it remotely over plain HTTP. If you really absolutely want to use phpmyadmin, put it in its own virtual host that is only accessible from localhost. Then tunnel into your server to access it.<p>> 8. Use .htaccess ... to block a range of IP addresses<p>Using .htaccess to block IPs? Whoa, wrong tool for the job. You might have no other choice if you're on a shared server, but there are much better IP blocking solutions if you're setting up your own Linux server.
Thanks for the corrections and opinions on the article. For someone just getting into Ubuntu and Linux, these are the basics from my perspective. While best practices are always disputed in I.T., I appreciate the continued discussion.
As someone who is bootstrapping a web app all alone I really appreciated this. I know a few people are getting hung up on some "wrong" points but after looking into it I have to say that obviously one shouldn't just implement these measures exactly as written. Everyone's mileage will vary. The point is to consider these options and implement them in a smart way. That means keeping SSH on 22 if using fail2ban. Sure, SSH and Apache don't have much to do with each other but any thinking person gets the point: you're running a web server on apache and access it over ssh all the time, therefore make sure to secure that connection regardless of your chosen web server software.<p>I dont get all the negativity. Those are some common sense things that can be easily overlooked. I thinking blocking entire countries may not be smart for business but you never know who might want that. I'd also add disabling the root user, installing a software firewall like ufw, and invest in an SSL cert (they're not that expensive compared to the losses you could incur should some ass decide to attack your server). Thanks for this. Merry Christmas.
ugh, securing ubuntu is like using a fishnet to carry water.
why just not use a distro that was meant to be used on the server, and not userfriendly desktop with server label glued as an afterthought?