
Server Security Checklist

trevj edited this page Sep 14, 2016 · 15 revisions

For all public-facing servers, e.g. Quiver:

  • Login:
    • Add our public key to /root/.ssh/authorized_keys.
    • Disable password-based login by adding this line to /etc/ssh/sshd_config:
    PasswordAuthentication no
    
    • Restart the SSH server:
    /etc/init.d/ssh restart
    
  • Automatic security updates (this advice from https://help.ubuntu.com/community/AutomaticSecurityUpdates#Using_the_.22unattended-upgrades.22_package):
    • Install these packages:
    apt-get install unattended-upgrades update-notifier-common
    
    • Run this command, answering "yes" (it will create /etc/apt/apt.conf.d/20auto-upgrades):
    dpkg-reconfigure --priority=low unattended-upgrades
    
    • Uncomment this line (remove the leading //) in /etc/apt/apt.conf.d/50unattended-upgrades:
    //Unattended-Upgrade::Automatic-Reboot "false";
    
    • Note: you can trigger an update with this command:
    unattended-upgrade -d
    
  • Have designated admin(s) who are responsible
  • Set up fail2ban or other automated penetration detection and response
  • Set up automated monitoring of system resources and alerts when significant thresholds are reached
  • Make sure alerts (e.g. unattended-upgrade's "reboot required" emails) are delivered to admin(s) reliably (e.g. forward root's local Unix mail to their Gmail inbox)
  • Disable password-based SSH login
  • Drop packets originating from unrecognized networks, e.g. anything that isn't Google (so we can SSH in), and for Quiver anything that doesn't come from the CDN whose domain is being fronted
  • Set up mitigations for denial of service attacks
  • Set up a tool like https://github.com/google/grr
  • Make sure anyone whose DigitalOcean/AWS/etc account has access to the server has 2FA set up (or at least a strong password)
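
One way to verify the Login and automatic-update steps above after applying them, as an added example that is not part of the original wiki page. The function names and the sample tree are constructed for illustration, and the check on 20auto-upgrades assumes the file contains the APT::Periodic::Unattended-Upgrade line that dpkg-reconfigure normally writes.

```shell
# Added example (not from the wiki): audit the files this checklist edits.

# True only if the first global PasswordAuthentication is "no" and no Match
# block sets another value. sshd keeps the first value it reads for a keyword,
# keywords are case-insensitive, and an absent keyword means the default "yes".
ssh_password_auth_disabled() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { in_match = 1; next }
        tolower($1) == "passwordauthentication" {
            if (in_match) { if ($2 != "no") bad = 1 }
            else if (!seen) { seen = 1; if ($2 != "no") bad = 1 }
        }
        END { exit !(seen && !bad) }
    ' "$1"
}

# True if 20auto-upgrades switches periodic unattended upgrades on.
periodic_upgrades_enabled() {
    grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"[1-9]' "$1"
}

# True if the Automatic-Reboot line is active, i.e. no longer behind "//".
auto_reboot_uncommented() {
    grep -Eq '^[[:space:]]*Unattended-Upgrade::Automatic-Reboot[[:space:]]+"' "$1"
}

# audit_root ROOT ("" = live system): one line per check, returns failure count.
audit_root() {
    fails=0
    set -- "$1" ssh_password_auth_disabled etc/ssh/sshd_config \
        periodic_upgrades_enabled etc/apt/apt.conf.d/20auto-upgrades \
        auto_reboot_uncommented etc/apt/apt.conf.d/50unattended-upgrades
    root=$1; shift
    while [ $# -gt 0 ]; do
        if "$1" "$root/$2" 2>/dev/null; then echo "PASS $1"
        else echo "FAIL $1 ($root/$2)"; fails=$((fails + 1)); fi
        shift 2
    done
    return "$fails"
}

# Constructed sample tree: every step applied, but a Match block undoes step 1.
demo=$(mktemp -d) && mkdir -p "$demo/etc/ssh" "$demo/etc/apt/apt.conf.d"
printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'Match User backup' '    PasswordAuthentication yes' > "$demo/etc/ssh/sshd_config"
echo 'APT::Periodic::Unattended-Upgrade "1";' > "$demo/etc/apt/apt.conf.d/20auto-upgrades"
echo 'Unattended-Upgrade::Automatic-Reboot "false";' > "$demo/etc/apt/apt.conf.d/50unattended-upgrades"
audit_root "$demo" || echo "$? check(s) failed"
```

On a real host, call `audit_root ""` as root. The script reads only the files named in the checklist; `sshd -T` prints the configuration the running SSH server would actually use.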
