It's probably worth mentioning Ubuntu server uses ufw for firewall-related things & AppArmor replaces SELinux.
I too have an Ubuntu VPS running on a Digital Ocean droplet (it's running WordPress, so security is... a concern!). So long as you only permit certain services through the firewall & harden SSH you have at least the basics nailed.
If you want to go further, Tripwire can keep track of file changes & fail2ban can block IP addresses that fail to log in too often. You could also set up a script that emails you whenever someone logs in so if you're the only one administrating the server you know if there's an unauthorised login.
However, if security is the paramount issue I'd go with CentOS or FreeBSD. I'm using the former for two Digital Ocean VPSs - one runs self-hosted mail (using iRedMail), the other runs ownCloud.
Regards,
Bob
On 22 Apr 2015, at 10:27, Steve Engledow steve@offend.me.uk wrote:
On 17/04, Paul Grenyer wrote:
It seems that Digital Ocean droplets don't have any security, which obviously isn't great for production. I'd like to secure my server ready for production, but I'm not really sure where to start.
I'm hosted with Linode and they have a fairly useful guide that covers a few things: https://www.linode.com/docs/security/securing-your-server/
I'm sure most of that would apply to Digital Ocean.
Also, here's a good guide to iptables: https://wiki.archlinux.org/index.php/Iptables
In general, if you've got all ports shut down except those you need and ssh is restricted to key-only login (and definitely disallow root login!) then you'll be in a good place.
Obviously, you can take security to the nth degree but the main attack points will be through the software you're intentionally exposing (web applications) and for that... good luck :)
btw, I'm not a security expert ;) Others on the list might be. I take my cue from the IRC channel: "advice given here generally isn't".
Steve
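Added example, not part of the original messages: a small audit of `sshd_config` text for the two SSH settings the thread recommends (key-only login, no root login). The function names and sample configs are constructed for illustration, the defaults are assumed from current OpenSSH, and `Include` files are not followed; on a real host `sshd -T` prints the effective configuration.

```python
# Added example: audit sshd_config text for key-only login and disabled root login.
# Assumption: defaults as documented in current OpenSSH sshd_config(5).
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}


def global_settings(config_text):
    """Return (settings, has_match) for the global section of sshd_config text.

    sshd keeps the FIRST value it sees for a keyword, so a later
    'PasswordAuthentication no' does not override an earlier 'yes'.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if keyword == "match":
            return settings, True  # conditional blocks are not evaluated here
        settings.setdefault(keyword, value)
    return settings, False


def audit(config_text):
    """Return a list of findings; an empty list means both checks passed."""
    settings, has_match = global_settings(config_text)
    effective = {**DEFAULTS, **settings}
    findings = []
    if effective["passwordauthentication"] != "no":
        findings.append("password login is enabled (PasswordAuthentication is not 'no')")
    if effective["permitrootlogin"] != "no":
        findings.append("root login is not fully disabled (PermitRootLogin %s)"
                        % effective["permitrootlogin"])
    if has_match:
        findings.append("Match block present: conditional overrides were not evaluated")
    return findings


# Constructed sample configs.
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\n"
SHADOWED = "PasswordAuthentication yes\nPermitRootLogin no\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(name, audit(text) or "OK")
```

The `SHADOWED` sample shows the common mistake of appending `PasswordAuthentication no` below an existing `yes` line, which leaves password login enabled.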