1. Update the system:
sudo apt update
sudo apt upgrade
2. Secure SSH:
sudo nano /etc/ssh/sshd_config
Edit the following lines:
PermitRootLogin no
PasswordAuthentication yes
Restart SSH:
sudo service ssh restart
3. Configure Firewall (UFW):
sudo ufw allow OpenSSH
sudo ufw enable
4. Fail2Ban (prevent brute-force attacks):
sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
5. Disable unnecessary services:
sudo systemctl list-unit-files
sudo systemctl stop <service_name>
sudo systemctl disable <service_name>
6. Disable IPv6:
echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
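7. Install and configure a firewall (for example, iptables):
sudo apt install iptables
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -j DROP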
8. Secure shared memory:
sudo nano /etc/fstab
9. Enable automatic security updates:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
10. Check for rootkits:
sudo apt install rkhunter
sudo rkhunter --update
sudo rkhunter --check
11. Install and configure AppArmor:
sudo apt install apparmor
sudo aa-status
12. Enable and configure SELinux:
sudo apt install selinux
sudo setenforce 1
13. Secure Apache (if applicable):
sudo nano /etc/apache2/conf-available/security.conf
Set appropriate values for ServerTokens and ServerSignature.
14. Install and configure ModSecurity (if using Apache):
sudo apt install libapache2-mod-security2
15. Disable unused modules in Apache or Nginx:
For Apache:
sudo a2dismod <module_name>
For Nginx:
sudo nano /etc/nginx/nginx.conf
16. Disable directory listing in web server:
For Apache:
sudo nano /etc/apache2/apache2.conf
Add or modify:
<Directory /var/www/>
Options -Indexes
</Directory>
17. Harden PHP settings:
sudo nano /etc/php/7.4/apache2/php.ini
Adjust settings like expose_php, allow_url_fopen, etc.
18. Secure MySQL/MariaDB:
sudo mysql_secure_installation
19. Use strong passwords:
sudo passwd <username>
20. Configure sudo access:
sudo visudo
Add user privileges:
<username> ALL=(ALL:ALL) ALL
21. Set file permissions:
sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;
22. Monitor system logs:
tail -f /var/log/auth.log
tail -f /var/log/syslog
23. Install and configure logwatch:
sudo apt install logwatch
24. Use AIDE for file integrity checking:
sudo apt install aide
sudo aideinit
25. Secure GRUB bootloader:
sudo nano /etc/default/grub
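
A read-only audit for steps 2, 6 and 21, added here as an example and not part of the original checklist: it reports the PermitRootLogin value sshd would actually apply, the disable_ipv6 value that survives repeated appends, and paths whose modes differ from 755/644. The function names and sample files are constructed for illustration, and Include directives in sshd_config are assumed absent.

```shell
#!/bin/sh
# Added example: read-only checks for steps 2, 6 and 21 above.

# Value sshd uses for keyword $1 in config file $2: keywords are
# case-insensitive, the first uncommented occurrence wins, and lines
# after a Match block are conditional, so scanning stops there.
# Assumption: Include directives are not followed.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Value of sysctl key $1 in file $2. Later assignments override
# earlier ones, which matters because step 6 appends with tee -a.
sysctl_conf_value() {
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { print val }
    ' "$2"
}

# Paths under $1 whose mode differs from step 21 (dirs 755, files 644).
webroot_drift() {
    find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) | sort
}

# Constructed sample input so the checks run without touching /etc.
demo_dir=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' \
    'PermitRootLogin no' > "$demo_dir/sshd_config"
printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 0' \
    'net.ipv6.conf.all.disable_ipv6 = 1' > "$demo_dir/sysctl.conf"
mkdir "$demo_dir/html"
: > "$demo_dir/html/index.html"
: > "$demo_dir/html/upload.php"
chmod 755 "$demo_dir/html"
chmod 644 "$demo_dir/html/index.html"
chmod 666 "$demo_dir/html/upload.php"

echo "PermitRootLogin in effect: $(sshd_effective PermitRootLogin "$demo_dir/sshd_config")"
echo "disable_ipv6 in sysctl.conf: $(sysctl_conf_value net.ipv6.conf.all.disable_ipv6 "$demo_dir/sysctl.conf")"
echo "Mode drift:"; webroot_drift "$demo_dir/html"
rm -rf "$demo_dir"
```

On a real host, point the functions at /etc/ssh/sshd_config, /etc/sysctl.conf and /var/www/html.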