What is the recommended configuration for a Linux server?

Overview

All Linux servers are locked down to the highest security standards possible. All services are off by default and all ports shut. Only the required services started. 

To lock down a server:-

• • Install and run only the services you require.
  • Block all ports by default and open only those that are required
  • Run servers as low permission user
  • Disable direct login to ROOT completely.
  • Block SSH login attempts from unknown locations and machines.
  • Set up tripwire to detect intrusions
  • Increase file handles

Install only the required packages

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install openssh-server denyhosts vim oracle-java7-installer postgresql landscape-client htop lynx-cur

Firewalll close all ports and open as required, this reduces the attack vector.

Ubuntu has a simple firewall configuration tool called ufw which is really just a simplified iptables interface.

sudo ufw allow ssh
sudo ufw allow imap
sudo ufw allow http
sudo ufw allow https
sudo ufw disable
sudo ufw enable

Redirect the high permission ports 80 (http) and 443 (https) up to a port range that can accessed by the low permission user running the web service. Redirection of the ports can be done by the following iptable rules

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

Create low permission user to run the web server

Avoid running any custom code or the web server as a high permission user. A security floor in either the web server or your code will be run as the user that runs the web server.

sudo groupadd www-data

sudo useradd -g www-data -m -s /bin/bash webapps

Prevent direct access to functional accounts including ROOT

Never allow direct ssh access to the ROOT account or any other functional account such as webapps. Each admistrator that should have access to these accounts must login under their own user accont and then sudo to the correct functional account.

To block all SSH access to ROOT add the option "PermitRootLogin no" to /etc/ssh/sshd_config

sudo vi /etc/ssh/sshd_config <--- PermitRootLogin no

Increase the file handles for the user that runs the web server

This will help handle DOS attacks, and cope with a large number of slow clients.

Set the system wide maximum file handles:-

sudo vi /etc/sysctl.conf 

fs.file-max=65535

Set the low permission user 'webapps' to allow the maximum possible files open.

sudo vi /etc/security/limits.conf

@www-data          soft     nofile         65535
@www-data          hard     nofile        65535

After rebooting check the max number of files have been increased.

sudo -u webapps -i "ulimit -a" 

core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 386171
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65535
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 386171
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited