Security Checklist

Dec 18, 2024

1. Update the System

  • How:
    • For Debian/Ubuntu:
      sudo apt update && sudo apt upgrade -y
    • For CentOS/RHEL:
      sudo yum update -y
  • Tip: Consider enabling automatic security updates, but test updates on non-production servers first to avoid unexpected issues.

2. Secure SSH Access

  • Change the Default SSH Port:
    • Edit /etc/ssh/sshd_config and change Port 22 to a custom port (e.g., Port 2222).
    • Restart SSH: sudo systemctl restart sshd.
  • Disable Root Login:
    • In /etc/ssh/sshd_config, set PermitRootLogin no.
    • Create a non-root user with sudo privileges:
      adduser username
      usermod -aG sudo username  # Ubuntu/Debian
      usermod -aG wheel username  # CentOS/RHEL
  • Use Key-Based Authentication:
    • Generate an SSH key pair on your local machine:
      ssh-keygen -t rsa -b 4096
    • Copy the public key to the server:
      ssh-copy-id username@your_server_ip
    • Disable password authentication in /etc/ssh/sshd_config:
      PasswordAuthentication no
    • Restart SSH: sudo systemctl restart sshd.
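
A way to verify the two sshd_config settings above after editing, as an added example (not part of the original checklist). The function names and the sample file are made up for illustration, and the parser covers only the global section of a single file.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config-style file against the checklist above.
# sshd keeps the FIRST value it finds for a keyword, so a hardened line placed
# below an earlier conflicting one has no effect. Include files are not
# followed here; on a live server `sudo sshd -T` prints the effective config.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_effective() {
  awk -v want="$2" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { line = $0
      sub(/^[ \t]+/, "", line)
      n = match(line, /[ \t=]+/)            # keyword/value separator
      if (n == 0) next
      key = tolower(substr(line, 1, n - 1)) # keywords are case-insensitive
      val = substr(line, n + RLENGTH)
      sub(/[ \t]+$/, "", val)
      if (key == "match") exit              # global section is over
      if (key == tolower(want)) { print val; exit }  # first occurrence wins
    }' "$1"
}

# Check the two settings from the checklist; print findings, return 1 on any.
audit_sshd() {
  local file=$1 rc=0 kw val
  for kw in PermitRootLogin PasswordAuthentication; do
    val=$(sshd_effective "$file" "$kw")
    # Unset means the OpenSSH default applies, which is not "no" for either.
    if [ "$val" != "no" ]; then
      echo "FAIL $kw: found '${val:-unset}', expected 'no'"
      rc=1
    else
      echo "ok   $kw no"
    fi
  done
  return $rc
}

# Constructed sample: the second PasswordAuthentication line comes too late.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
audit_sshd "$sample" || echo "sshd_config does not meet the checklist"
```

Running sudo sshd -t before the restart catches syntax errors while the current session is still open.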

3. Set Up a Firewall

  • Tools:
    • UFW (Uncomplicated Firewall) for Ubuntu/Debian:
      • Install: sudo apt install ufw.
      • Allow SSH (custom port if changed): sudo ufw allow 2222/tcp.
      • Allow HTTP/HTTPS: sudo ufw allow 80/tcp and sudo ufw allow 443/tcp.
      • Deny all other incoming traffic: sudo ufw default deny incoming.
      • Enable UFW: sudo ufw enable.
    • FirewallD for CentOS/RHEL:
      • Install: sudo yum install firewalld.
      • Start and enable: sudo systemctl start firewalld && sudo systemctl enable firewalld.
      • Allow SSH (custom port): sudo firewall-cmd --add-port=2222/tcp --permanent.
      • Allow HTTP/HTTPS: sudo firewall-cmd --add-service=http --permanent and sudo firewall-cmd --add-service=https --permanent.
      • Reload firewall: sudo firewall-cmd --reload.

4. Install and Configure Fail2Ban

  • How:
    • Install:
      • Ubuntu/Debian: sudo apt install fail2ban.
      • CentOS/RHEL: sudo yum install fail2ban.
    • Configure:
      • Copy the default config: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local.
      • Edit /etc/fail2ban/jail.local to enable SSH protection:
        # Comments go on their own lines: fail2ban does not treat a trailing "#" as a comment.
        [sshd]
        enabled = true
        # "ssh", or your custom port, e.g., 2222
        port = ssh
        filter = sshd
        # Ubuntu/Debian:
        logpath = /var/log/auth.log
        # CentOS/RHEL:
        # logpath = /var/log/secure
        maxretry = 3
        bantime = 3600
      • Restart Fail2Ban: sudo systemctl restart fail2ban.

5. Monitor and Log Server Activity

  • Tools:
    • Logwatch: Install (sudo apt install logwatch) and configure for daily email reports.
  • Tip: Check logs regularly (e.g., /var/log/auth.log for SSH activity).

6. Keep Software Updated

  • How:
    • Run updates regularly: sudo apt update && sudo apt upgrade (Ubuntu) or sudo yum update (CentOS).
    • Enable unattended security updates (Ubuntu): sudo apt install unattended-upgrades and configure /etc/apt/apt.conf.d/50unattended-upgrades.