×
Community Blog Alibaba Cloud ECS Instance Security Checklist for Ubuntu 16.04

Alibaba Cloud ECS Instance Security Checklist for Ubuntu 16.04

In this guide, we will go over the best practices of safeguarding your Alibaba Cloud ECS Ubuntu 16.04 server.

By Francis Ndungu, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Security should be a first priority when deploying an Ubuntu 16.04 server on Alibaba Cloud. While Linux is considered secure out of the box, there is a lot more you can do to achieve adequate level of security on your system.

Ubuntu is built by Canonical with unrivaled security in mind. Every version of their operating system is vigorously tested to ensure it meets high levels of security. Security updates are also availed on demand to patch the system.

Alibaba Cloud offers Ubuntu 16.04 as one of the operating systems when deploying Elastic Compute Service (ECS) instances. This Ubuntu version is stable and ideal for running mission critical applications like web servers, email servers and database servers.

In this guide, we will quickly go over the Alibaba Cloud ECS instance security checklist to show you how to safeguard your Ubuntu 16.04 server.

Prerequisites

  1. An active Alibaba Cloud account. Sign up now to get up to $1200 worth of credit to test over 40 Alibaba Cloud products.
  2. An ECS instance running Ubuntu 16.04 server.
  3. A non-root user that can perform sudo tasks.

User Management and Passwords

Security on your Linux server starts from the user management level. In this section, we will show you how to define a good password policy and expiration limits. We will also show you how to create a non-root user and discuss about multi-factor authentication.

Password Policy

Your password length should be long and complex to avoid brute-force and dictionary attacks. Use a strong password and ensure it includes lowercase, uppercase, numbers and symbols.

Before you start creating users on your system, consider modifying the password policy by editing the configuration file located at /etc/pam.d/common-password.

$ sudo nano /etc/pam.d/common-password

Find the line:

password  requisite  pam_cracklib.so retry=3 minlen=8 difok=3 enforce_for_root

Change this value to:

password  requisite  pam_cracklib.so retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username enforce_for_root

Let's go over each parameter and see what it does to secure your password:

minlen: This represents the minimum score of the acceptable password. It is a measure of the complexity of the password.

retry: The number of times a user is prompted to retry a password before getting an error.

lcredit: Determines the number of lowercase characters that must be set.

ucredit: The parameter sets the number of uppercase characters required in a password.

dcredit: Sets the number of digits in a password.

ocredit: Password must at least contain the number of symbols set on this parameter.

Difok: This represents the number of characters in a new password that are different from the old password.

reject_username: This option restricts users from using their username as the password.

enforce_for_root: This option restricts the root user from setting weak passwords for other users.

Password Expiry

Even with a good password policy, you must force passwords to expire after a specific time. However, in these days, the threat model has significantly changed to social engineering techniques, phishing, keyloggers, etc.

But it is a good practice to always check and configure password expiry period.

First, check the expiry status of a username:

$ sudo chage -l [username]

Example:

$ sudo chage -l francis

Output:

Last password change                                    : Oct 30, 2018
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

To change the default password aging behaviour, run the command below:

$ sudo chage -M 60 -m 7 -W 7 user_name

Parameters

-M: Sets the maximum number of days between password changes.

-m: Sets the minimum number of days between password changes.

-W: Sets the number of days a user will get a warning message before the password expires

So, to set the expiry parameters for user francis, we can use the command below:

$ sudo chage -M 60 -m 7 -W 5 francis

We can confirm the changes by running the chage command one more time:

$ sudo chage -l francis

Output:

Last password change                                    : Oct 30, 2018
Password expires                                        : Dec 29, 2018
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 5

Check Accounts with Empty Passwords

You should also check accounts with empty passwords on your system and either remove them or set a password for them.

To do this, run the command below:

$ sudo cat /etc/shadow | awk -F: '($2==""){print $1}'

Create a Non-root User with Sudo Privileges

When running commands on your server, make sure you are using a non-root user and only elevate privileges with sudo command when needed.

This prevents you from accidentally running a command that may adversely affect your server.

To create the user, use the command below:

$ sudo adduser [username]

Then, add the user to the sudoers group:

$ sudo adduser [username]

Lock Inactive Users

If you no longer want a user to access your server but you don't want to delete them from the system, you can lock their accounts:

$ sudo passwd -l [username]

Example:

$ sudo passwd -l james

Enable MFA(Multiple Factor Authentication)

Enable multi-factor authentication on your system. This prevents hackers from gaining access to your system even if your password or private key is compromised.

To be on the safe side, make sure you are using at least 2 forms of authentication.

You can refer to our quick and comprehensive guide on setting up and configuring MFA on Ubuntu 16.04

Disallow root Login over SSH and Disable Password Authentication

Another great security measure you can take on your Ubuntu 16.04 server is disallowing root login over SSH. Also, if you want users to log in using private/public key files as opposed to passwords, you can disable password authentication.

$ sudo nano /etc/ssh/sshd_config

Look for the lines PermitRootLogin and PasswordAuthentication. Then, change their values to no.

PermitRootLogin no
PasswordAuthentication no

Then, restart the SSH service:

$ sudo service ssh restart

Install Firewall and Fail2Ban

Consider installing a form of firewall to restrict unwanted and malicious traffic coming into your server. Also to prevent automated bots from brute-forcing your server, consider installing Fail2Ban.

You can check our guide on how to set up your first Ubuntu 16.04 server on Alibaba Cloud to get the basics of configuring UFW and Fail2Ban.

If you are an advanced system administrator, you may use iptables to setup firewall directly on the Linux kernel without using an interface like UFW.

Disable IPV6 Address

If you don't have any service that requires IPV6 address, disable it to reduce the attack surface on your system:

$ sudo nano /etc/sysctl.d/99-sysctl.conf

Add the below 3 lines at the bottom of the file:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Save the file and run the command below to effect the changes:

$ sudo sysctl -p

To confirm the changes, run the command below:

$ cat /proc/sys/net/ipv6/conf/all/disable_ipv6

Output:

1

If you get 1 as the output, this shows ipv6 is completely disabled.

Prevent IP Spoofing

IP Spoofing is a technique used by hackers to gain access to a server by manipulating IP packets headers. An attacker would first identify the IP addresses that your system trusts.

During the attack, a hacker will send data packets from a different server but your system would see the packets as if they are originating from a trusted source. The end result can be a man-in-the-middle attack or denial of service.

To prevent IP spoofing on your system, edit the /etc/host.conf file:

$ sudo nano /etc/host.conf

Look for the line multi on and change its value to nospoof on

# The "order" line is only used by old versions of the C library.
order hosts,bind
multi on

Change the content of this file to:

# The "order" line is only used by old versions of the C library.
order bind,hosts
nospoof on

Then, save the file.

Update your System Regularly

Ensure the system is always up to date by running the commands:

$ sudo apt-get update
$ sudo apt-get dist-upgrade

The commands above will update the package information index and upgrade packages on your system. This will keep your server free from known bugs/vulnerabilities and ensure you have the latest security features.

Package Level Security

After securing the operating system, make sure running services on your system are also secured.

Securing Apache

If you are running Apache web server, consider taking the following security measures:

Hide Apache Information and Version Number

$ sudo nano /etc/apache2/apache2.conf

Add the below information at the end of the file:

ServerTokens Prod
ServerSignature Off

Save and close the file when done and restart Apache server:

$ sudo service apache2 restart

Install Mod_Evasive

This module secures your server against DDoS(Distributed Denial of Service). You can read our guide about securing Apache web server with Mod_Evasive on Ubuntu 16.04 to get more details.

Install Mod_Security

This is a web application firewall that secures your Apache web server against malicious attacks. Visit our guide to learn more about setting up and configuring Mod_Security on Apache

Install SSL Certificates

SSL(Secure Sockets Layer) is the standard protocol for establishing encrypted communications between your server and clients such as browsers. This prevents hackers from intercepting or modifying confidential information as it travels on your server.

If you are running a mission critical application and you are collecting sensitive information, consider installing SSL. You can use a free SSL certificate from Let's Encrypt.

Disable Directory Browsing

To ensure the security of your files on Apache web server, you must disable directory browsing. When enabled, directory browsing returns an index of files when users requests a directory. This can be very harmful to your server as sensitive files can be viewed and downloaded.

To disable directory browsing, edit the /etc/apache2/sites-available/000-default.conf file:

$ sudo nano /etc/apache2/sites-available/000-default.conf

Then add the the information below between the VirtualHost tags. The -Indexes option disables directory browsing:

<VirtualHost *:80>
...

<Directory /var/www/>
        Options -Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
...
</VirtualHost>

You can also run the command:

$ sudo a2dismod autoindex

Then restart Apache for the changes to take effect:

$ sudo service apache2 restart

Securing MySQL

If you are deploying a VPS server, there are high chances that you will be running MySQL/MariaDB. Remember to secure the database server by running the command below:

$ sudo mysql_secure_installation

The command above prompts you to set strong password rules for the MySQL server and remove anonymous users as well as test databases. You will also get an option to disable remote root login.

Also, restrict external access to your MySQL server by whitelisting the trusted IP addresses that you want to use on your server if you must remotely access the database.

Also when running a database administration tool like phpMyAdmin, ensure that you are running it over SSL protocol especially if you are in a cyber or in a Wi-Fi network.

The phpMyadmin page should also be secured by Apache's authentication and authorization functionalities.

Securing PHP

Install a stable PHP version. Your coding scheme should be written in a way it can prevent SQL injection and session hijacking. Always use the latest hashing Algorithms such as SHA-1. MD5 is secure but very fast when it comes to brute-force attacks and can be compromised.

You can read more about web application security on the OWASP Top Ten Project.

Secure Email Servers

If you have set up an email server on your Ubuntu 16.04 VPS, consider securing it with SpamAssassin, SPF(Sender Policy Framework), DKIM(DomainKeys Identified Mail), and DMARC(Domain-based Message Authentication, Reporting and Conformance) protocols.

Remove Unnecessary Packages and Disable Unwanted Services

Keep your server lean and mean. Only install and run the packages that you need on your system. This minimizes the attack services by keeping vulnerabilities to a minimal level.

If you no longer need a package, run the command below to remove it:

$ sudo apt-get remove package-name

To turn off or disable unwanted services, use the below command:

$ sudo chkconfig service_name off

Monitor Log Files and Setup Intrusion Detection Mechanism

There are different tools that you can use to monitor user activities such as psacct or acct. If you are working as a team, you can use these applications that run in the background to keep an eye on user activities and the resources being consumed on your server.

In addition to this, examine log files to see what is going on in your system. You can consider installing a tool like LogWatch.

Also, here are some of the log files that you should examine regularly:

/var/log/auth.log
/var/log/kern.log
/var/log/apache2/error.log

Intrusion Detection

Consider configuring a form of intrusion detection mechanism on your system. You can use packages like OSSEC or PSAD.

Check for Rootkits

Scan your server to detect rootkits using packages such as RKHunter.

To install this tool, run the command below:

$ sudo apt-get -y install rkhunter

Then, edit rkhunter configuration file :

$ sudo nano /etc/default/rkhunter

Change the following two parameters to true:

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"

Save the file by pressing CTRL+X, Y and Enter.

To check your system for known rootkits, run the command below:

$ sudo rkhunter --check --sk

The results of the scan is written on the log file /var/log/rkhunter.log:

Backups

Make sure you have a backup for your important files. You can store the backups on a different server and have an offsite copy of your data in case there is a disaster.

For MySQL server, consider configuring group replication, Master slave replication and clustered NDB(Network Database) . We also have a detailed guide about how to backup MySQL database on Alibaba Cloud ECS instance running Ubuntu 16.04.

Conclusion

In this article, we have gone through Ubuntu 16.04 security checklist. This may not be an exhaustive list of all Linux security measures that you should put in your system. However, it covers the important aspects of safeguarding your system from known attacks.

We believe, you will use this checklist to safeguard your Ubuntu 16.04 server on Alibaba Cloud. Alibaba Cloud utilizes world's fastest RAMs and latest Intel CPUs for accelerated VPS performance. If you are new to Alibaba Cloud, you can sign up now to get up to $1200 worth of credit to test over 40 Cloud products.

0 0 0
Share on

francisndungu

25 posts | 4 followers

You may also like

Comments

francisndungu

25 posts | 4 followers

Related Products