By Francis Ndungu, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.
Security should be a first priority when deploying an Ubuntu 16.04 server on Alibaba Cloud. While Linux is considered secure out of the box, there is a lot more you can do to achieve an adequate level of security on your system.
Ubuntu is built by Canonical with unrivaled security in mind. Every version of their operating system is rigorously tested to ensure it meets high levels of security. Security updates are also made available promptly to patch the system.
Alibaba Cloud offers Ubuntu 16.04 as one of the operating systems when deploying Elastic Compute Service (ECS) instances. This Ubuntu version is stable and ideal for running mission critical applications like web servers, email servers and database servers.
In this guide, we will quickly go over the Alibaba Cloud ECS instance security checklist to show you how to safeguard your Ubuntu 16.04 server.
Security on your Linux server starts at the user management level. In this section, we will show you how to define a good password policy and expiration limits. We will also show you how to create a non-root user and discuss multi-factor authentication.
Your passwords should be long and complex to resist brute-force and dictionary attacks. Use a strong password and ensure it includes lowercase letters, uppercase letters, numbers and symbols.
Before you start creating users on your system, consider modifying the password policy by editing the configuration file located at /etc/pam.d/common-password.
$ sudo nano /etc/pam.d/common-password
Find the line:
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 enforce_for_root
Change this value to:
password requisite pam_cracklib.so retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username enforce_for_root
Let's go over each parameter and see what it does to secure your password:
minlen: This represents the minimum score of the acceptable password. It is a measure of the complexity of the password.
retry: The number of times a user is prompted to retry a password before getting an error.
lcredit: Determines the number of lowercase characters that must be set.
ucredit: The parameter sets the number of uppercase characters required in a password.
dcredit: Sets the number of digits in a password.
ocredit: Password must at least contain the number of symbols set on this parameter.
difok: This represents the number of characters in a new password that must differ from the old password.
reject_username: This option restricts users from using their username as the password.
enforce_for_root: This option restricts the root user from setting weak passwords for other users.
Even with a good password policy, you should force passwords to expire after a specific period. These days the threat model has shifted significantly towards social engineering, phishing, keyloggers and similar techniques, but it is still good practice to check and configure the password expiry period.
First, check the expiry status of a username:
$ sudo chage -l [username]
Example:
$ sudo chage -l francis
Output:
Last password change : Oct 30, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
To change the default password aging behaviour, run the command below:
$ sudo chage -M 60 -m 7 -W 7 user_name
Parameters
-M: Sets the maximum number of days between password changes.
-m: Sets the minimum number of days between password changes.
-W: Sets the number of days a user will get a warning message before the password expires
So, to set the expiry parameters for user francis, we can use the command below:
$ sudo chage -M 60 -m 7 -W 5 francis
We can confirm the changes by running the chage command one more time:
$ sudo chage -l francis
Output:
Last password change : Oct 30, 2018
Password expires : Dec 29, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 60
Number of days of warning before password expires : 5
You should also check accounts with empty passwords on your system and either remove them or set a password for them.
To do this, run the command below:
$ sudo awk -F: '($2==""){print $1}' /etc/shadow
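The expiry and empty-password checks above are easy to run for one user at a time with chage; the script below, an added example that is not part of the original article, audits a whole shadow-format file in one pass. It reports accounts whose password field is empty and accounts with a usable password hash whose maximum password age is above a chosen limit (60 days here, matching the chage example). The sample shadow data is constructed for the demonstration and contains no real hashes.

```shell
#!/bin/sh
# Added example (not from the original article): audit a shadow-format file.
# /etc/shadow field layout used below:
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# On a real server run it as:  sudo sh audit_shadow.sh /etc/shadow 60

# Constructed sample data used when no file is given; not real credentials.
SAMPLE_SHADOW='root:$6$saltsalt$examplehash:17834:0:99999:7:::
francis:$6$saltsalt$examplehash:17834:7:60:5:::
guest::17834:0:99999:7:::
james:!$6$saltsalt$examplehash:17834:0:99999:7:::
backup:*:17834:0:99999:7:::'

# Print the names of accounts whose password field (field 2) is empty,
# i.e. accounts that can log in without any password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print "name:max" for accounts whose maximum password age (field 5) is
# missing or greater than the limit in $2. Accounts whose hash starts with
# "!" or "*" are locked (passwd -l) or system accounts and are skipped.
stale_aging_accounts() {
    awk -F: -v limit="$2" '
        $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || ($5 + 0) > (limit + 0)) {
            print $1 ":" $5
        }
    ' "$1"
}

# Human-readable report combining both checks.
audit_shadow() {
    file="$1"
    limit="${2:-60}"
    echo "Accounts with empty passwords:"
    empty_password_accounts "$file" | sed 's/^/  /'
    echo "Accounts with max password age above ${limit} days:"
    stale_aging_accounts "$file" "$limit" | sed 's/^/  /'
}

# Audit the file named on the command line, or the constructed sample.
if [ -n "$1" ]; then
    audit_shadow "$1" "${2:-60}"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
    audit_shadow "$tmp" 60
    rm -f "$tmp"
fi
```

On the sample data the report lists guest under empty passwords and root (max age 99999) under stale aging; francis (max age 60) passes, and james and backup are skipped because their hash fields mark them locked or passwordless system accounts.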
When running commands on your server, make sure you are using a non-root user and only elevate privileges with the sudo command when needed.
This prevents you from accidentally running a command that may adversely affect your server.
To create the user, use the command below:
$ sudo adduser [username]
Then, add the user to the sudoers group:
$ sudo adduser [username] sudo
If you no longer want a user to access your server but you don't want to delete them from the system, you can lock their accounts:
$ sudo passwd -l [username]
Example:
$ sudo passwd -l james
Enable multi-factor authentication on your system. This prevents hackers from gaining access to your system even if your password or private key is compromised.
To be on the safe side, make sure you are using at least 2 forms of authentication.
You can refer to our quick and comprehensive guide on setting up and configuring MFA on Ubuntu 16.04
Another great security measure you can take on your Ubuntu 16.04 server is disallowing root login over SSH. Also, if you want users to log in using private/public key files as opposed to passwords, you can disable password authentication.
$ sudo nano /etc/ssh/sshd_config
Look for the lines PermitRootLogin and PasswordAuthentication, then change their values to no:
PermitRootLogin no
PasswordAuthentication no
Then, restart the SSH service:
$ sudo service ssh restart
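sshd applies the first uncommented occurrence of a keyword, so a hardened line appended at the bottom of sshd_config is silently ignored when an earlier line already sets the same directive. The script below, an added example that is not part of the original article, reports the effective value of PermitRootLogin and PasswordAuthentication so you can confirm the change before restarting SSH. The sample configuration is constructed to reproduce exactly that mistake.

```shell
#!/bin/sh
# Added example (not from the original article): show the effective values
# of PermitRootLogin and PasswordAuthentication in an sshd_config file.
# On a real server run it as:  sh check_sshd.sh /etc/ssh/sshd_config

# Constructed sample config: "PermitRootLogin no" was appended at the end,
# but an earlier "PermitRootLogin yes" line is the one sshd will use.
SAMPLE_SSHD_CONFIG='# Package generated configuration file
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
UsePAM yes
# hardening added later, but too late in the file:
PermitRootLogin no'

# Print the effective global value of keyword $2 in file $1. Keyword matching
# is case-insensitive as in sshd; comments and blank lines are skipped; the
# first match wins; scanning stops at a Match block because directives after
# it are conditional. Prints "default" if the keyword is never set globally.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# Check both hardening directives; returns non-zero if either is not "no".
check_sshd_hardening() {
    file="$1"
    status=0
    for key in PermitRootLogin PasswordAuthentication; do
        value=$(effective_value "$file" "$key")
        if [ "$value" = "no" ]; then
            echo "OK   $key = $value"
        else
            echo "WARN $key = $value (expected no)"
            status=1
        fi
    done
    return "$status"
}

# Check the file named on the command line, or the constructed sample.
if [ -n "$1" ]; then
    check_sshd_hardening "$1"
    exit $?
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
    check_sshd_hardening "$tmp" || true
    rm -f "$tmp"
fi
```

On the sample file the script warns that PermitRootLogin is effectively yes even though a "no" line exists; the fix is to edit the earlier line rather than append a new one. The parser only handles the common "Keyword value" form, not the "Keyword=value" spelling sshd also accepts, and sshd -T on the server remains the authoritative way to dump the running configuration.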
Consider installing a form of firewall to restrict unwanted and malicious traffic coming into your server. Also, to prevent automated bots from brute-forcing your server, consider installing Fail2Ban.
You can check our guide on how to set up your first Ubuntu 16.04 server on Alibaba Cloud to get the basics of configuring UFW and Fail2Ban.
If you are an advanced system administrator, you may use iptables to set up the firewall directly on the Linux kernel without using a front end like UFW.
If you don't have any service that requires an IPv6 address, disable it to reduce the attack surface on your system:
$ sudo nano /etc/sysctl.d/99-sysctl.conf
Add the below 3 lines at the bottom of the file:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Save the file and run the command below to effect the changes:
$ sudo sysctl -p
To confirm the changes, run the command below:
$ cat /proc/sys/net/ipv6/conf/all/disable_ipv6
Output:
1
If you get 1 as the output, IPv6 is completely disabled.
IP Spoofing is a technique used by hackers to gain access to a server by manipulating IP packets headers. An attacker would first identify the IP addresses that your system trusts.
During the attack, a hacker will send data packets from a different server but your system would see the packets as if they are originating from a trusted source. The end result can be a man-in-the-middle attack or denial of service.
To prevent IP spoofing on your system, edit the /etc/host.conf file:
$ sudo nano /etc/host.conf
Look for the line multi on and change its value to nospoof on. The file initially looks like this:
# The "order" line is only used by old versions of the C library.
order hosts,bind
multi on
Change the content of this file to:
# The "order" line is only used by old versions of the C library.
order bind,hosts
nospoof on
Then, save the file.
Ensure the system is always up to date by running the commands:
$ sudo apt-get update
$ sudo apt-get dist-upgrade
The commands above will update the package information index and upgrade packages on your system. This will keep your server free from known bugs/vulnerabilities and ensure you have the latest security features.
After securing the operating system, make sure running services on your system are also secured.
If you are running Apache web server, consider taking the following security measures:
$ sudo nano /etc/apache2/apache2.conf
Add the below information at the end of the file:
ServerTokens Prod
ServerSignature Off
Save and close the file when done and restart Apache server:
$ sudo service apache2 restart
The Mod_Evasive module secures your server against DDoS (Distributed Denial of Service) attacks. You can read our guide about securing Apache web server with Mod_Evasive on Ubuntu 16.04 to get more details.
Mod_Security is a web application firewall that secures your Apache web server against malicious attacks. Visit our guide to learn more about setting up and configuring Mod_Security on Apache.
SSL (Secure Sockets Layer) is the standard protocol for establishing encrypted communications between your server and clients such as browsers. This prevents hackers from intercepting or modifying confidential information as it travels to and from your server.
If you are running a mission critical application and you are collecting sensitive information, consider installing SSL. You can use a free SSL certificate from Let's Encrypt.
To ensure the security of your files on Apache web server, you must disable directory browsing. When enabled, directory browsing returns an index of files when a user requests a directory. This can be very harmful to your server, as sensitive files can be viewed and downloaded.
To disable directory browsing, edit the /etc/apache2/sites-available/000-default.conf file:
$ sudo nano /etc/apache2/sites-available/000-default.conf
Then add the information below between the VirtualHost tags. The -Indexes option disables directory browsing:
<VirtualHost *:80>
...
<Directory /var/www/>
Options -Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
...
</VirtualHost>
You can also run the command:
$ sudo a2dismod autoindex
Then restart Apache for the changes to take effect:
$ sudo service apache2 restart
If you are deploying a VPS server, there are high chances that you will be running MySQL/MariaDB. Remember to secure the database server by running the command below:
$ sudo mysql_secure_installation
The command above prompts you to set strong password rules for the MySQL server and remove anonymous users as well as test databases. You will also get an option to disable remote root login.
Also, restrict external access to your MySQL server by whitelisting the trusted IP addresses that you want to use on your server if you must remotely access the database.
Also, when running a database administration tool like phpMyAdmin, ensure that you are running it over SSL, especially if you are in a cyber café or on a public Wi-Fi network.
The phpMyAdmin page should also be secured by Apache's authentication and authorization functionalities.
Install a stable PHP version. Write your code in a way that prevents SQL injection and session hijacking. Always use the latest hashing algorithms such as SHA-1. MD5 is very fast, which makes it vulnerable to brute-force attacks, and can be compromised.
You can read more about web application security on the OWASP Top Ten Project.
If you have set up an email server on your Ubuntu 16.04 VPS, consider securing it with SpamAssassin, SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance).
Keep your server lean and mean. Only install and run the packages that you need on your system. This minimizes the attack surface by keeping vulnerabilities to a minimum.
If you no longer need a package, run the command below to remove it:
$ sudo apt-get remove package-name
To stop a service and prevent it from starting at boot, use the commands below (Ubuntu 16.04 uses systemd, so systemctl replaces the older chkconfig tool):
$ sudo systemctl stop service_name
$ sudo systemctl disable service_name
There are different tools that you can use to monitor user activities such as psacct or acct. If you are working as a team, you can use these applications that run in the background to keep an eye on user activities and the resources being consumed on your server.
In addition to this, examine log files to see what is going on in your system. You can consider installing a tool like LogWatch.
Also, here are some of the log files that you should examine regularly:
/var/log/auth.log
/var/log/kern.log
/var/log/apache2/error.log
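As an added example of what to look for in /var/log/auth.log (not part of the original article), the script below summarises failed SSH password attempts by source address and by targeted user name, which is the pattern Fail2Ban acts on. The log lines are constructed in the Ubuntu 16.04 auth.log format with made-up addresses and names.

```shell
#!/bin/sh
# Added example (not from the original article): summarise failed SSH logins
# recorded by sshd in auth.log, by source address and by user name.
# On a real server run it as:  sudo sh failed_logins.sh /var/log/auth.log 5

# Constructed sample log lines; addresses and names are fictitious.
SAMPLE_AUTH_LOG='Oct 30 10:01:12 ecs-web sshd[1201]: Failed password for invalid user admin from 203.0.113.25 port 40122 ssh2
Oct 30 10:01:15 ecs-web sshd[1203]: Failed password for invalid user oracle from 203.0.113.25 port 40130 ssh2
Oct 30 10:01:19 ecs-web sshd[1205]: Failed password for root from 203.0.113.25 port 40141 ssh2
Oct 30 10:02:03 ecs-web sshd[1210]: Accepted publickey for francis from 198.51.100.7 port 51022 ssh2: RSA SHA256:examplefingerprint
Oct 30 10:05:44 ecs-web sshd[1222]: Failed password for francis from 198.51.100.7 port 51030 ssh2
Oct 30 10:05:50 ecs-web sudo:  francis : TTY=pts/0 ; PWD=/home/francis ; USER=root ; COMMAND=/bin/systemctl restart ssh'

# Print "count address" for each source with at least $2 failed password
# attempts (default 1), most active source first.
failed_by_source() {
    awk -v min="${2:-1}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$1" | sort -rn
}

# Print "count user" for each user name that failed password authentication.
# Guesses against names that do not exist on the box are prefixed "invalid:",
# which separates random scanning from attempts against real accounts.
failed_by_user() {
    awk '
        /sshd\[[0-9]+\]: Failed password for invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { count["invalid:" $(i + 1)]++; break }
            next
        }
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") { count[$(i + 1)]++; break }
        }
        END { for (u in count) print count[u], u }
    ' "$1" | sort -rn
}

# Report on the file named on the command line, or the constructed sample.
report() {
    echo "Failed SSH password attempts by source (min ${2:-1}):"
    failed_by_source "$1" "${2:-1}" | sed 's/^/  /'
    echo "Failed SSH password attempts by user:"
    failed_by_user "$1" | sed 's/^/  /'
}

if [ -n "$1" ]; then
    report "$1" "${2:-1}"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_AUTH_LOG" > "$tmp"
    report "$tmp" 1
    rm -f "$tmp"
fi
```

On the sample data 203.0.113.25 shows three failures in seven seconds against two non-existent names and root, which is the signature of automated guessing, while the single failure from 198.51.100.7 is followed by a successful key login and a sudo entry for the same user. The second argument sets a threshold so that on a busy server only repeat offenders are listed.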
Consider configuring a form of intrusion detection mechanism on your system. You can use packages like OSSEC or PSAD.
Scan your server to detect rootkits using packages such as RKHunter.
To install this tool, run the command below:
$ sudo apt-get -y install rkhunter
Then, edit the rkhunter configuration file:
$ sudo nano /etc/default/rkhunter
Change the following two parameters to true:
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
Save the file by pressing CTRL+X, Y and Enter.
To check your system for known rootkits, run the command below:
$ sudo rkhunter --check --sk
The results of the scan are written to the log file /var/log/rkhunter.log.
Make sure you have a backup for your important files. You can store the backups on a different server and have an offsite copy of your data in case there is a disaster.
For MySQL server, consider configuring group replication, master-slave replication and clustered NDB (Network Database). We also have a detailed guide about how to back up a MySQL database on an Alibaba Cloud ECS instance running Ubuntu 16.04.
In this article, we have gone through the Ubuntu 16.04 security checklist. This may not be an exhaustive list of all Linux security measures that you should put in place on your system. However, it covers the important aspects of safeguarding your system from known attacks.
We believe you will use this checklist to safeguard your Ubuntu 16.04 server on Alibaba Cloud. Alibaba Cloud utilizes the world's fastest RAM and the latest Intel CPUs for accelerated VPS performance. If you are new to Alibaba Cloud, you can sign up now to get up to $1200 worth of credit to test over 40 Cloud products.