SOP for Setting up Base Ubuntu Servers
Please follow the procedures outlined below when setting up any Ubuntu server in the Netspective Operations Unit. Please follow the instructions in the order given and note any discrepancies or deviations meticulously.
Server Configuration Management Setup
Be sure that the server starts with the latest upgrades, packages, etc.
sudo apt-get update && apt-get -y upgrade
We use etckeeper to revision control all of our configuration changes in /etc/* because it’s crucial to know what’s changing and how.
sudo apt-get install -y etckeeper && sudo etckeeper uninit -f sudo vi /etc/etckeeper/etckeeper.conf
Change “VCS” to git instead of mercurial so it looks like this:
Save the etckeeper.conf file and then commit the initial /etc files into Git:
sudo apt-get install -y git-core sudo etckeeper init sudo etckeeper commit -am "Initial commit"
From this point on, if you ever change any files in /etc/ be sure to commit early and often. Whenever you install packages commits will be automatic between installations.
Now we need to configure Ubuntu server as LDAP client
We need to install LDAP NSS module first issue the follow command
apt-get install libnss-ldap
It will ask you for few configuration settings, answer all questions with our LDAP server settings (Give below is the netspective ldap server settings)
Netspective LDAP server settings:
ldap server : ldap://10.180.156.157 Base Distinguished Name(Base DN): dc=prime,dc=ds,dc=netspective,dc=com
LDAP Version to Use : 3 Make Local Root Database Admin: Yes Does the LDAP database require login: No LDAP account for root : cn=admin,dc=ds,dc=netspective,dc=com Password:
If you need to reconfigure ldap settings again run the following command
To configure LDAP profile for NSS
auth-client-config -t nss -p lac_ldap
Reconfigure Ubuntu servers to use LDAP authentication as well as local authentication
You need to enable both profiles
For LDAP user to have home directory created automatically upon first time logged in, edit /etc/pam.d/common-session file and insert following above “pam_ldap.so” line.
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
For allowing user to change their LDAP password from this system. Edit /etc/pam.d/common-password file.
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
and is change to
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
Log out of the root user and log in with LDAP User
Disable root ssh login
sudo apt-get install -y ssh sudo vi /etc/ssh/sshd_config
Modify PermitRootLogin as shown below:
PermitRootLogin no sudo /etc/init.d/ssh restart
Installing Mail Server
sudo apt-get install postfix
Please make sure that if there exists sendmail then packages that were automatically installed with sendmail should be removed with the following command:
sudo apt-get autoremove sendmail
Prevent repeated login attempts with Fail2Ban
Fail2Ban is a security tool to prevent dictionary attacks. It works by monitoring important services (like SSH) and blocking IP addresses which appear to be malicious (i.e. they are failing too many login attempts because they are guessing passwords).
sudo aptitude install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local sudo vi /etc/fail2ban/jail.local Set “enabled” to “true” in [ssh-ddos] section Set “port” to proper port in [ssh] and [ssh-ddos] sections
Restart to put new Fail2Ban rules into effect:
sudo service fail2ban restart
Remove whoopsie package from all Ubuntu 12.04 servers
sudo apt-get purge whoopsie
Follow Shahid’s Linux and UNIX Configuration Instructions.
Other tools: http://www.ubuntugeek.com/list-of-security-tools-available-in-ubuntu.html
Secure shared memory https://help.ubuntu.com/community/StricterDefaults.
Disallow source routing of incoming packets http://www.cromwell-intl.com/security/security-stack-hardening.html
Netspective VLAN Implementation
Turn on Uncomplicated Firewall:
sudo apt-get install -y ufw
If this is a production server running in our cloud, make sure SSH is only allowed from our “jumpbox”. We have a server called home.netspective.com (IP 184.108.40.206) which is considered the “jumping” off point for all SSH.
sudo ufw allow proto tcp from 220.127.116.11 to any port 22 sudo ufw allow proto tcp from 10.180.144.66 to any port 22 sudo ufw enable
If this is not a production server (just a development box or something):
sudo ufw allow ssh && sudo ufw enable
Avoid SSH attacks:
sudo apt-get -y install denyhosts
Add a system security scanner:
sudo apt-get -y install tiger
Add intrusion detection tool:
sudo apt-get -y install psad
Modify psad settings to e-mail the admin in the event of intrusion detection
sudo vi psad.conf
Add email address in EMAIL_ADDRESSES
Add port scanning tool:
sudo apt-get -y install nmap
Add log watcher:
sudo apt-get install -y logwatch
Following these too
- getting an email alert when server reboot/shutdown