Basic security advice for running your own server

shalocin · February 20, 2022, 5:19pm

This is a suggestion for a future Ubuntu Security Podcast episode, and hopefully one that will benefit a lot of people in a similar situation to me.

I thought this might be a good place to raise this as members of the community would have the opportunity to share their favoured approaches to keeping a system secure.

I run a couple of Ubuntu boxes that provide self-hosted services such as Matrix-synapse, WordPress, dokuwiki and basic network file sharing. Since these machines are accessible from the internet what steps should I be taking to make sure my data is safe?

How can I identify any weaknesses in my current setup? Can I turn hacker for the day and try to find any holes before the bad guys do?

I’ve heard whispers of log monitoring software that might be useful or ways of identifying suspicious system activity but ideally I would like some specific advice on what direction to go.

I guess it’s clear I’m not an infoSec person, so the emphasis here is on the solutions being accessible to an amateur system admin like me.

I look forward to hearing what you suggest.

Shalocin.

alexmurray · March 11, 2022, 6:58am

Thanks for the excellent topic suggestion @shalocin - in this weeks episode of the podcast @ccdm94 started the first of a 3 part series on hardening a Ubuntu server. This first part covers hardening at install time, the second will look at post-install steps and the third will then look at steps to take after that.

livewirebt · March 11, 2022, 10:06pm

That was a very good explanation, unfortunately you built a link loop where people like me would expect a transcript or links to wiki pages or standards to read up on.

I don’t want to get too far ahead but tools like OSCAP and Lynis seem to be what many people are using. RHEL has OSCAP integrated into the installer, but it looked quite intimidating at first sight when I began looking into this topic. As far as I know Ubuntu offers a remediation tool for Ubuntu Advantage customers, is that (still) correct?

After recently skimming through the OSCAP manual I found this repository which contains Bash scripts and Ansible playbooks for plenty of distributions and standards.

One thing I observe when it comes to hardening is that people around me come up with their own interpretation of the KISS principle, which usually results in Red Hat (sorry) virtual servers with no hardening plus a lot Wifi and other firmwares plus systemctl --failed reporting lm_sensors not working. Because people don’t read product manuals. The food comparison is very appropriate. Read the list of ingredients, best before date, preparation steps and acknowledge that it is a serious job that deserves to be done with care.

alexmurray · March 29, 2022, 6:47am

FYI I have added transcripts for each of @ccdm94’s parts to the podcast website for each relevant episode.