How I spend my first 5 minutes on a server

The premise of this thing is not good advice.<p>1) Your first couple minutes on a server should be used to install a configuration management client, if your bootstrap policies somehow don't already install one.<p>2) Everything else listed in this document should be configured by a configuration management system.<p>3) "User account sync tools" should have no place in a modern infrastructure, you should use your configuration management tool to (at the bare minimum) deploy /etc/passwd and /etc/sudoers across your infrastructure.<p>4) You should not use shared/role accounts. The "incremental cost" is paid back immediately when someone leaves your organization; having to update everyone of a changed password or having a password change have any negative impact at all should not be a thing your company does.<p>This stuff isn't hard. It's worth doing right.

Firstly, a nice checklist. Easy actionable steps, repeatable, and pretty much most of what you need.<p>Secondly, you are about 4-5 hours away from learning puppet (or Chef) and making this checklist into actual code.<p>Thirdly, you now have a checklist of items that you can use in a job interview if you get the oppertunity to gain a new-hire or an intern.<p>Lastly, good on you for submitting this to a peer-review on HN. We can be a picky lot.<p>TL;DR Checklists are a good first step for building a proper config management system.

Beginner or not, you should probably use visudo [1] instead of<p><pre><code> vim /etc/sudoers </code></pre> for the sanity checks that it provides, if nothing else. A botched edit of /etc/sudoers that locks you (along with every other user) out of administrative access is an unpleasant way to learn this.<p>[1] <a href="http://linux.die.net/man/8/visudo" rel="nofollow">http://linux.die.net/man/8/visudo</a>

1. You should do "apt-get dist-upgrade" to get new kernel packages as well, otherwise you are stuck on an old kernel. (You might want that. I prefer updated kernel for the security, firefoxen, etc.). "apt-get upgrade" will only update existing packages - but the kernel updates require new packages to be installed.<p>2. If you're on ubuntu, root already has no password, and your initial setup user (whether it is called "deploy" or "kilroy") is in the sudoers file.<p>3. Other things I install in the "5 minutes with server" are: htop molly-guard screen git-core etckeeper<p>git-core because I prefer my etckeeper in git, but if you want it in bzr you don't need git-core. INSTALL AND CONFIGURE ETCKEEPER AS SOON AS YOU CAN, seriously. You need it. You'll thank me when you try to figure out when and how something in /etc got borked. (you need to edit /etc/etckeeper/etckeeper.conf if you use gif. You need to do "etckeeper init" and then "etckeeper commit" to establish the baseline)<p>molly-guard stops you from rebooting the wrong server<p>screen (or alternatively tmux) lets you keep your session open through ssh session disconnects (e.g. when moving from wifi to 3G, or between 3G towers that give you different external IP). The most useful way to use screen is "screen -xR" which also lets you share your session with someone else should you need to.

The first five minutes on any of my servers involve giving it a name, installing puppet and adding the server name to my central puppet config.<p>You seriously do this by hand for every server? That seems error prone and a huge waste of time when tools like puppet and chef exist.

&#62; No secure server is complete without a firewall.<p>Comments like those are why I normally point people to actual security expects (like, say, Schneier), and why I recommend that new admins should ignore as much as possible the practices chanted by the industry. A secure server does not need a firewall. A firewall can be used to secure a server against a specific threat, but that's it. The days of ping of death are behind us.<p>I would like to point out that following the article's guide and firewalling away ICMP, you can end up with a lot of trouble. (see <a href="http://serverfault.com/questions/84963/why-not-block-icmp" rel="nofollow">http://serverfault.com/questions/84963/why-not-block-icmp</a>). Some ICMP messages are not blocked by default by ufw, so I'm unsure how damaging ufw is when used like this.<p>At any rate, a Firewall is a block. A new fresh server install won't have ports that needs to be blocked. By putting up a firewall, there is nothing to be gained. Before the firewall, the ports are closed. After adding the firewall, the ports are closed. All that is gained is a hurdle the next time one wants to install something like a monitor tool (like Munin), or a new service.<p>It might be useful as a last line of defense against malware regarding outgoing traffic. I am normally against that kind of thing however (as focusing on the cause is better than the effect). At best, one can catch a spam malware, but any bot net, web server, ddos or other type of malware are untouched by the rules (port 80 and 443 is allowed). If the server has email sending configured so root message can be sent, then the spam malware can use that route and the firewall will just sit there.<p>So let's take a newly installed machine. What threats can be identified and what risks are we trying to mitigate with the help of this firewall (as specified by the article)? The only thing I can think of is either a Zero day TCP/IP stack vulnerability (not a realistic threat), or that the admin doesn't trust the other admins when they install new services. Yes, if an admin installs a new email server and enables relaying to the whole world against the explicit recommendation in bold font by the install wizard and the configuration file, a firewall can block that admins' actions. Then again, that same admin could just as well have disabled the firewall to "get the mail to work", so I'm not sure it's a viable defense against bad admins.

Maybe this is considered a preinstallation step, but the very first thing to do is set the system time on the hardware, before you even boot the OS for the first time. Then the first step after booting is to confirm the time and reset it, if necessary. This is essential for accurate and usable logs, file times, version control timestamps, etc.<p>It's also a good idea to ensure that sshd has fresh keys that are unique to that machine. Hopefully, your images are installed without sshd keys, otherwise you'll have multiple servers with the exact same keys, which is considered bad practice. During initial configuration <i>before deployment</i>, you might want to remove the keys so that sshd will create fresh ones when it starts:<p><pre><code> rm -rf /etc/ssh/ssh_host_*</code></pre>

Looking through the responses here, I'm hopeful that someone will launch a "Sysacademy" variant for system administration training. There are tutorials scattered around the web, but (at least for those of us who don't know where to look), there doesn't seem to be one place that puts in under one umbrella.

&#62; <i>vim /home/deploy/.ssh/authorized_keys [and] Add the contents of the id_rsa.pub on your local machine and any other public keys that you want to have access to this server to this file.</i><p>Cool trick: use ssh-copy-id &#60;server&#62; from the client machine.<p>From the man page:<p><pre><code> ssh-copy-id - install your public key in a remote machine's authorized_keys </code></pre> It is much easier than editing the remote .ssh/authorized_keys file since copying and pasting the key is error prone due to extra new lines typically added by the terminal emulator.

My big thing is making sure 1) the machine comes back up cleanly after a reboot and 2) is current on all patches 3) is running as little as possible.<p>Also a big fan of externally verifying what ports are open, and making sure the system is in monitoring, backup, config management systems. Config management is kind of optional if you have a small number of servers which don't duplicate configurations, though, and there's often no need to back up the OS, but any data should be backed up automatically.

Don't forget:<p><pre><code> netstat -ntap | less ps aux | less </code></pre> Also check to see what's enabled to run at boot time via whatever your flavor uses.<p>Check for unusual daemons, ssh running on other ports (yes, the provider pre-loaded systems with a back-door ssh without disclosing it to us).<p>This is especially important when you are taking over admin on a server you didn't setup yourself. Other folks have weird ideas on how to admin things. Like webmin for example...<p>I also like epylog for finding unexpected stuff in the logs.

I went through the article and then read every single post on this thread. I am not a security expert so I won't even try to contribute except to say that I see a lot of people offering criticism without taking the extra step of explaining how they would go about hardening a fresh Linux install (or a pile-o-servers in a rack, whatever is applicable).<p>It'd sure be nice for those of us who are not security experts to read alternative approaches rather than, paraphrasing and not picking on anyone, "using a firewall is dumb" or "blocking ssh is pointless".<p>I like isolated ideas such as using a script to completely automate the provisioning of new boxes. Kind of a no-brainer if you ask me. The problem is that such recommendations are not followed by something like "Here's the script I use on Ubuntu 12.04 LTS".<p>How about it guys? Would you care to attempt to produce a canonical HN "How to harden your server" reference?<p>Maybe one of the security experts on HN can start a repository on Github to evolve a canonical script. I'm pretty much 100% Ubuntu 12.04 LTS, so it is my hope that this is one of the platforms that is addressed.<p>I did some looking around and this is what I found (I am in no position to evaluate the merits of any of these at anything beyond an intermediate level):<p><a href="https://github.com/bluedragonz/server-shield" rel="nofollow">https://github.com/bluedragonz/server-shield</a><p><a href="https://github.com/eglimi/linux_hardening" rel="nofollow">https://github.com/eglimi/linux_hardening</a><p><a href="http://www.cyberciti.biz/tips/linux-security.html" rel="nofollow">http://www.cyberciti.biz/tips/linux-security.html</a><p><a href="http://ubuntuforums.org/showthread.php?t=1002167" rel="nofollow">http://ubuntuforums.org/showthread.php?t=1002167</a><p><a href="http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics" rel="nofollow">http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lt...</a><p><a href="http://www.andrewault.net/2010/05/17/securing-an-ubuntu-server/" rel="nofollow">http://www.andrewault.net/2010/05/17/securing-an-ubuntu-serv...</a><p><a href="http://ubuntuforums.org/showthread.php?t=1919111" rel="nofollow">http://ubuntuforums.org/showthread.php?t=1919111</a><p><a href="https://help.ubuntu.com/12.04/serverguide/security.html" rel="nofollow">https://help.ubuntu.com/12.04/serverguide/security.html</a><p><a href="http://www.sans.org/score/checklists/linuxchecklist.pdf" rel="nofollow">http://www.sans.org/score/checklists/linuxchecklist.pdf</a><p><a href="http://nvd.nist.gov/scap/content/stylesheet/scap-rhel5-document.htm" rel="nofollow">http://nvd.nist.gov/scap/content/stylesheet/scap-rhel5-docum...</a><p><a href="http://blogs.csoonline.com/ubuntu_lts_vulnerability_scrub_against_national_vulnerability_database_nvd_nist_gov" rel="nofollow">http://blogs.csoonline.com/ubuntu_lts_vulnerability_scrub_ag...</a><p><a href="http://ubuntuforums.org/showthread.php?t=510812" rel="nofollow">http://ubuntuforums.org/showthread.php?t=510812</a>

Your first 5 seconds should probably be<p><pre><code> w last dmesg</code></pre>

It saddens me each time I see a security best practice guide that suggest turning off ssh access for root. Its a very useful feature, and the security industry should focus on the security problems rather than removing features without thinking about the actually benefits of doing so.<p>Sysadmins with root access should be able to handle a random 8 character or longer password, and that number is large enough for a secure public accessible ssh. If your not a sysadmin or unable to remember a random password, try go with a passphrase like "correct horse battery staple". If you have too many machines and thus can't remember passwords, then use a master password locally with a bit larger password and store certs there.<p>To do some math to illustrate the security of a random 8 character long password, someone would need to fill a 100/100 line for several hundred years to get through them all. By that time you should have noticed the constantly full connection, and be happy you haven't died of old age yet even after your 200th birthday.<p>However, 8 character passwords are not the suggested length by security experts. They suggest using a 10 character long password, as that is also secure in the case that your password hash somehow got lost.<p>For the several servers that I have, I have been more worried about the logs from failed attempts than I have been of anyone guessing the password. Logs wears on the hard drive, so one might want to install fail2ban to lower the number of writes to it. It also decrease the noise level in the server room.

Nice writeup. Although I prefer to automatically configure using Chef, I didn't know of fail2ban and logwatch -- I will definitely look into those.<p>Also, since this post is for beginners, you should mention about restarting the sshd over the lish tty and not over the ssh ptty.

1. I don't think it's a good idea to use the same account by multiple people.<p>2. And you're not using a configuration management tool (like SaltStack, which is also a remote execution engine) this will give you: - a central point to manage all your server - predictable configuration on all servers with the same role - a configuration documentation place (and even history if you git the confs) - will make managing multiple users a breeze<p>3. Use VPN and private services on private IP.

So I'll agree with many of the commentators that several of the practices suggested aren't 'ideal.' However, they are easy and possibly better than having no 'practice' at all.<p>Just as an example, the shared user account with unique SSH keys per user. Sure, it's obnoxious in some respects, but many of the criticisms I'm reading in the comments like "but they could reinstate their access with a cron job that re-adds their key when they leave" and such are silly - presumably those who are using the shared account are developers/sysadmins with sudo privileges. Regardless of whether they have a shared account they have privileges to do whatever they feel like to the systems in question. Hence I'd argue it's a fairly reasonable solution for the situation when you don't have the time/resources to configure something more complex and you have to trust all parties anyway.<p>I think there are two larger takeaways:<p>First - Managing multiple users across many servers and dev systems is not easy enough, particularly for smaller organizations, and only gets worse when you try to get more granular about who can do what.<p>Second - umm... no idea anymore. Forgot what was second. Automation is good?

I find it very bad practice to blindly pass -f to commands.<p><pre><code> chown deploy:deploy /home/deploy -Rf</code></pre>

I'd propose using OSSEC over logwatch &#38; fail2ban. Ossec seems to be a bit of an obscure tool, but a thoroughly functional one at that. Logwatch gives a bit too much info at once to interpret properly, while OSSEC will only alert you when something is actually up.<p>Ossec provides (among some other things):<p>* Log file monitoring, with severity levels, occurence counting, time-based rules and auto-response. This means (for instance) you get to watch your auth.log for failed login attempts and after 10 failures fire a script to ban him, alert sysop by email or have hubot alert your sysops. Or whatever floats your boat.<p>* File integrity monitoring. Make sure noone's been mucking around with your files. It has real-time support (through inotify), but if you don't want use that, make sure you store the database it keeps off-server for forensics if need be. Pro-tip: FIM and auto-updates are a tad unnerving.<p>* It can watch command output. You can use that to make sure the `netstat -tnap` output doesn't change, for instance.<p>* For larger/more compliant instances, it has a client&#60;-&#62;server setup available.

I wouldn't bother with fail2ban considering password based SSH logins are disabled (which is good).<p>Since the author is using ufw to control iptables, better to just use "ufw limit" rules for SSH port 22 to slow down the rate of any automated SSH bots trying to give your server a workout.

To prevent having to log into root via remote console, set up a second backup account with an ssh key and sudo access, and then put that key somewhere safe.<p>The chances of both that and the deploy user getting corrupted at the same time is unlikely.

I was wondering about this the other day, is<p><pre><code> PasswordAuthentication no </code></pre> really that necessary if a strong password is used?<p>Honestly, being a private key screw-up away from never being able to log in again scares me a little.

I dunno about this guy but apt-get update/apt-get upgrade takes upwards of 15 minutes on new installs (as does yum upgrade on rhel-compatible systems). Kinda eats up into my first 5 minutes on a server.

The guide recommends blocking SSH access to anything other than your own IP address. The problem is that my IP number sometimes changes at which point I end up locked out totally.<p>So to get around this you either have to allow SSH from anywhere or you have to use some remote KVM system. Most of the remote KVM systems seem to be based on Java applets which is not really something you want to enable on your system.<p>So what is the best way to get around this? Just open up SSH and be diligent about your SSH security? implement port knocking?

I like the KISS aspect of this, though for accountability purposes, I prefer each user to have their own account.<p>One correction for you: the sshd_config lines should have no "=" symbol.

I use "adduser" instead of "useradd". Its more convinient as it does the remainings steps automatically for your. It comes with ubuntu by default. Any downsides?

<a href="https://github.com/Xeoncross/lowendscript" rel="nofollow">https://github.com/Xeoncross/lowendscript</a><p>I just use this bash script when setting up a new VPS. It pretty much takes care of it all for you, plus it sets up a ngnix/mysql stack already optimised for law RAM machines.<p>Also sets up 3proxy which is handy for viewing Hulu/Netflix :)

Imagine you are a fairly normal windows user or even sysadmin. Imagine you are considering Linux to replace some task that a windows server performs.<p>Now imagine the conclusion after reading this thread. As some one who can just about get something useful done in Linux, this thread makes me want to never use it again, it just looks too scary. Loads of disagreements which seems to have lots of dire consequences. OK, great discussion for deep geekery, but scary as hell for normals.<p>Now, when ever I see those annoying posts from smug Linux users who jump in every time a Win or Mac user highlights a problem, I now have this discussion to point to as to why Mac and Win users wont generally go near Linux.<p>Sorry chaps (and chapesses), I am on your side, Linux is a great thing, but this has to be the worst advert for Linux ever.

While I agree these practices seem pretty safe/standard, it's still enough manual work that many people will just skip half of it out of laziness for small projects.<p>Does anyone have good reusable Puppet (or bash scripts) published that they use on all new servers?

Why install fail2ban and logwatch instead of csf?

A few gentle suggestions:<p>&#62; <i>The days of passwords are over. You’ll enhance security and ease of use in one fell swoop by ditching those passwords and employing public key authentication for your user accounts.</i><p>ssh keys are better than passwords only because they contain (and require) more information. On the other hand, if your dev's machine is lost or stolen or compromised, so is your ssh key. This is especially a problem in environments with a shared account with full access, as you have. So, it's probably a good idea to make sure you're using a passphrase with your ssh key (during ssh-keygen), unless you need a passwordless login for a shell script or other automated remote system.<p>&#62; <i>passwd deploy: Set a complex password - you can either store it somewhere secure or make it something memorable to the team. This is the password you'll use to sudo.</i><p>Not necessarily. Anybody with access to the "deploy" account can use "passwd" to change its password to anything they like. (Edit: I'm wrong on this! passwd does require your current password; I've just gotten used to doing it for other accounts via sudo, which doesn't.) Changing the passwd on your own account doesn't require sudo. For this reason, I think it's better to simply give deploy nopasswd access to everything, and then delete and lock deploy's password to prevent it from being used at all (passwd -d -l deploy). You'll have effectively the same amount of security, but this way nobody will need to remember or retrieve a complex password, and you'll prevent, say, some accident in /etc/ssh/sshd_config from making deploy remotely accessible via a password.<p>You can do something better than this though, but it takes a little effort. Deployment is often the same steps over and over again (an rsync or an occasional apachectl graceful in my case). You can give the deploy user nopasswd access to <i>only</i> a shell script that's writable only by root; this way, deploy can still do 90% or more of their job without ever being given system administrator rights. You do have to be a little careful writing shell scripts though -- $<i></i>* and "$@" still trip me up once in a while.<p>&#62; <i>Logwatch is a daemon that monitors your logs and emails them to you. This is useful for tracking and detecting intrusion.</i><p>This seems of dubious security value to me -- probably better as a generic sysadmin tool, so that you get annoyed by noisy logs and seek out and fix minor problems instead of ignoring them. Thing is, if someone does get access to your server, you pretty much can't trust it at all anymore. With services like Linode, you're really better off just launching a clean new instance, re-running your setup script (if you have one), and moving your data over.<p>I had to deal with the occasional intrusion in some pretty icky servers at an ISP once upon a time. We used rkhunter for a while, but I learned pretty quick that successful attacks against Linux servers are plenty enough sophisticated to alter all the basic tools that you would use to detect and remove the rootkit.<p>There is one caveat: I've been playing around with the idea of setting up rsyslogd to route syslog messages to mysql, and then using mysql replication to have an up-to-the-second offsite copy. I'd combine that with Snoopy (<a href="https://github.com/a2o/snoopy" rel="nofollow">https://github.com/a2o/snoopy</a>) or something similar. The point isn't to try to clean up an intrusion, it's to see how the intrusion happened so that I could close that hole. I haven't gotten around to setting this up yet, so I can't say anything terribly smart about it.<p>Finally: if you're going to have a problem with unauthorized access to your Linux or BSD server, it's <i>probably</i> going to be via one of its services, not via brute force ssh or anything similar. So, if you're concerned about this kind of stuff (and if you're being paid to be a sysadmin, you have to be), then you need to spend most of your attention making sure that your various services are set up correctly (apache/php/mysql/postfix/dovecot/spamassassin/etc. in my case).

Why install fail2ban? You already have SSH password auth disabled, and you only allow SSH connections from your office. Won't this just risk banning your own office if someone's SSH client is misconfigured?

The first two things I prefer to do after I log in for the first time (on ubuntu):<p><pre><code> &#62; ufw enable &#62; ufw default deny </code></pre> This way, after I log in, I will not allow anyone else to connect to my machine (I've had instances when by the time I changed my root password "bad guys" had already tried to connect to my machine).<p>Of course after I do the server setup (which is usually a script that will change ssh ports, install packages, etc) I will allow other services in ufw.

<i>passwd<p>Change the root password to something long and complex.</i><p>And bam! Not even a full paragraph in and security fail. root login should be disabled completely, and all use of privileges should be through sudo. Debian sets this up for you automatically upon install if you supply an empty root password. Of course, disabling root is just the beginning (and the first user created needs to be locked down, as they are now essentially root).

We do something similar, though we have a script that sets up the box. We use linode as well, so the script deploys a new box with a complex root password and my id_dsa.pub file. It also sets up /etc/skel and the profile files so that useradd uses them later.<p>We don't use a single deploy user though, instead, each user with deploy perms is in the sudo group.

I think you're doing it wrong.<p>Having a _shared_ account, with sudo privileges and a common password doesn't look smart.<p>Also, you're forcing devs to copy their public keys around.<p>I think you underestimate the benefits brought in by a centralized system, like LDAP, which would also allow you to manage the permissions with some more granularity

Couple of related questions:<p>1) Many people seem to be recommending Puppet / Chef. How many servers or installs do you need before this is a good ROI? (Over using odd bash scripts or cPanel/WHM)<p>2) Am I right in thinking kernel updates don't get applied until the server is rebooted? If so, how / when do you manage this?

It may seem like a waste of $20 a month if you aren't doing anything big with it.<p>But you can setup a linux virtual server on linode and go through all of those steps on your own. Also test out your setup.<p><a href="http://library.linode.com/" rel="nofollow">http://library.linode.com/</a>

I do not recommend unattended upgrades. Every upgrade without any exceptions have the possibility to destroy any working system or your applications. Test and deploy would be wiser.<p>By the way, what the heck developers do on production systems?

Kinda concerned about the usage of ufw with fail2ban without the mention that you have to do a little more work for fail2ban to actually work with ufw (otherwise fail2ban causes interesting issues/clobbers ufw's rules)

I've never understood the point of fail2ban if you disable ssh password authentication. Yeah, it might eliminate some spam in the logs, but if you only allow key-based authentication that doesn't really matter.

This will get buried but I recently posted a line-by-line guide of my first time setting up a VPS server, maybe it will help someone! <a href="http://cbracco.me/vps/" rel="nofollow">http://cbracco.me/vps/</a>

Is there a web app that I can just have control my servers from? I'd like to do puppet/chef, but I read that its not 100% working for Windows yet (I need to manage both) and it sounds overly complicated.

What do you about all of those chinese hackers hitting your sshd server.<p>I have 30 different ips and fail2ban doesn't seem to ban them.

don't vim sudoers. the days of the password are not over. fail2ban is next to useless with key auth.

This is terrible. Never let developers log into servers. The output from your devs are commits.

How does UFW compare to the rhel firewall configuration utilities?

Is there a benefit of using ufw instead of iptables?

This is very useful

I also recommend changing the default SSH port.

My take on all this is that you should spend 0 minutes on a server and be using a PaaS solution. There might be cases where you can't, but increasingly I can't find them.

I honestly do not understand why you need a <i>deploy</i> account with sudo access.<p>I much prefer a <i>deploy</i> accound which DOES NOT have sudo access. I add firewall rules transparently redirecting 80/443 to non-privileged ports that the webapp is actually listening to. Hence no need to be <i>root</i> / sudo'ed for the <i>deploy</i> account.<p>You then could get a bit fancier and set the login shell for the <i>deploy</i> account to /bin/false or something fancy (like a fake honeypot shell) to add a bit of "defense in depth" in case someone exploiting a hole in your web server manages tries to drop down to a shell. You'd then use another account to do the (automated) deploy/start/stop/update/patch whatever.<p>I'd also say that during the first five minutes you should set the default firewalling rules to REJECT anything and then only whitelist what is actually allowed.