Jun 4, 2012
tom

What else can I do to secure my Linux server?

Question

I want to put a web application on my Linux server: I will first explain to you what the web app will do and then I will tell you what I did so far to secure my brand new Linux system.

The app will be a classified ads website (like gumtree.co.uk) where users can sell their items, upload images, send to and receive emails from the admin. It will use SSL for some pages. I will need SSH.

So far, what I did to secure my stock Ubuntu (latest version) is the following:

NOTE: I probably did some things that will prevent the application from doing all its tasks, so please let me know of that. My machine’s sole purpose will be hosting the website.

(I put numbers as bullet points so you can refer to them more easily)

1) Firewall

I installed Uncomplicated Firewall.
Deny IN & OUT by default

Rules:
Allow IN & OUT: HTTP, IMAP, POP3, SMTP, SSH, UDP port 53 (DNS), UDP port 123 (SNTP), SSL, port 443

(the ones I didn’t allow were FTP, NFS, Samba, VNC, CUPS)

When I install MySQL & Apache, I will open up Port 3306 IN & OUT.

2) Secure the partition

in /etc/fstab, I added the following line at the end:

tmpfs /dev/shm tmpfs defaults,rw 0 0

Then in console: mount -o remount /dev/shm

3) Secure the kernel

In the file /etc/sysctl.conf, there are a few different filters to uncomment. I didn’t know which one was relevant to web app hosting. Which one should I activate? They are the following:

A) Turn on Source Address Verification in all interfaces to prevent spoofing attacks
B) Uncomment the next line to enable packet forwarding for IPv4
C) Uncomment the next line to enable packet forwarding for IPv6
D) Do no accept ICMP redirects (we are not a router)
E) Accept ICMP redirects only for gateways listed in our default gateway list
F) Do not send ICMP redirects
G) Do not accept IP source route packets (we are not a router)
H) Log Martian Packets

4) Configure the passwd file

Replace “sh” by “false” for all accounts except user account and root.
I also did it for the account called sshd. I am not sure whether it will prevent SSH connection (which I want to use) or if it’s something else.

5) Configure the shadow file

In the console: passwd -l to lock all accounts except user account.

6) Install rkhunter and chkrootkit

7) Install Bum

Disabled those services: “High performance mail server”, “unreadable (kerneloops)”, “unreadable (speech-dispatcher)”, “Restores DNS” (should this one stay on?)

8) Install Apparmor_profiles

9) Install clamav & freshclam (antivirus and update)

What did I do wrong and what should I do more to secure this Linux machine?

Thanks a lot in advance

Asked by eric01
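An added example, not part of the question or the answer: a POSIX shell audit of the kernel knobs behind items A through H, checked against values this example assumes for a host that only serves a website and does not route. The /proc/sys paths are the standard Linux ones; the sample tree is constructed so the check runs offline.

```shell
#!/bin/sh
# Audit the kernel knobs behind items A-H of Ubuntu's /etc/sysctl.conf against
# values suited to a single-purpose web host that does not route packets. The
# wanted values are this example's assumptions. Entry: path under /proc/sys, wanted value, note.
WANTED='
net/ipv4/conf/all/rp_filter 1 A: source address verification on
net/ipv4/ip_forward 0 B: no IPv4 forwarding (not a router)
net/ipv6/conf/all/forwarding 0 C: no IPv6 forwarding (not a router)
net/ipv4/conf/all/accept_redirects 0 D: ignore ICMP redirects
net/ipv4/conf/all/secure_redirects 0 E: not even from default gateways
net/ipv4/conf/all/send_redirects 0 F: never send ICMP redirects
net/ipv4/conf/all/accept_source_route 0 G: drop source-routed packets
net/ipv4/conf/all/log_martians 1 H: log martian packets
'
# audit_sysctl [root]: compare each knob under ROOT (default /proc/sys) with
# its wanted value; print one line per deviation; return the deviation count.
audit_sysctl() {
    root="${1:-/proc/sys}"
    bad=0
    while read -r key want note; do
        [ -z "$key" ] && continue
        have="missing"
        [ -r "$root/$key" ] && read -r have < "$root/$key"
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %-38s have=%s want=%s (%s)\n' \
                "$key" "$have" "$want" "$note"
            bad=$((bad + 1))
        fi
    done <<EOF
$WANTED
EOF
    return "$bad"
}
# make_sample_tree DIR: constructed /proc/sys lookalike in which source
# address verification is off and IPv4 forwarding is on (two deviations).
make_sample_tree() {
    mkdir -p "$1/net/ipv4/conf/all" "$1/net/ipv6/conf/all"
    printf '0\n' > "$1/net/ipv4/conf/all/rp_filter"
    printf '1\n' > "$1/net/ipv4/ip_forward"
    printf '0\n' > "$1/net/ipv6/conf/all/forwarding"
    for k in accept_redirects secure_redirects send_redirects accept_source_route; do
        printf '0\n' > "$1/net/ipv4/conf/all/$k"
    done
    printf '1\n' > "$1/net/ipv4/conf/all/log_martians"
}
# ". ./audit.sh; audit_sysctl" audits the live kernel; "sh audit.sh --demo" audits the sample.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_tree "$d"; audit_sysctl "$d" || echo "$? deviation(s)"; rm -rf "$d"
fi
```

The exit status of audit_sysctl is the number of deviating knobs, so it can be dropped straight into a cron job or a monitoring check.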

Answer

You say that

My machine’s sole purpose will be hosting the website

But you open ports for “IMAP, POP3”. Are those necessary for running the website? Or is this also a mail server?

Forget tools like rkhunter, they are full of both false positives and false negatives. They look for things like “a file was changed unexpectedly to contain some small subset of known rootkits”, when “a file was changed unexpectedly” should be enough for an alarm. samhain is a nice tool for being alerted when files change.

How are you going to be alerted when you should be upgrading a package for a security patch? Don’t rely on a human here to either be watching a mailing list, or to be periodically checking. You want something that is going to actively bug people until the security updates are performed. icinga or nagios or something similar can help here.

Disallow password logins via ssh. Make people use keys. If you let them use passwords, they will choose poor passwords.

Besides helping in the security of the box by detecting ssh bruteforce attempts, fail2ban can be configured to help with the security of your application. It can catch if someone is trying to bruteforce some other user’s password.

You can probably go farther with “securing fstab”. Does /home need exec? Does /usr need to be read-write? Or read-only until you are doing upgrades?

Consider using something like logwatch or logcheck to scrub system logfiles and email administrators with interesting log events. Both require heavy tuning so that they don’t just become emails that everyone is quickly trained to ignore, because they are usually just full of banal messages.

Answered by stew

1 Comment

  • Use OSSEC for real-time alerts; it has also got the ability to ban the offending IPs.

    Regards

    Ankush