Server Security Checklist

Introduction

Guidelines for our public-facing, Ubuntu-like servers.

TODO: create a Docker baseimage with all this stuff baked in and switch to a cloud provider that lets us "run Docker containers as the host".

Add our public key to /root/.ssh/authorized_keys.

Disable password-based login by adding this line to /etc/ssh/sshd_config:

PasswordAuthentication no

Restart the SSH server:

/etc/init.d/ssh restart

Install:

apt-get install unattended-upgrades update-notifier-common

Run this, answering "yes" (it will create /etc/apt/apt.conf.d/20auto-upgrades):

dpkg-reconfigure --priority=low unattended-upgrades

Add this line to /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Automatic-Reboot "true";

Tip: to trigger an update run:

unattended-upgrade -d

Have designated admin(s) who are responsible
Set up fail2ban or other automated penetration detection and response
Set up automated monitoring of system resources and alerts when significant thresholds are reached
Make sure alerts (e.g. unattended-upgrade's "reboot required" emails) are delivered to admin(s) reliably (e.g. forward root's local Unix mail to their Gmail inbox)
- https://cloud.google.com/compute/docs/tutorials/sending-mail/using-mailgun - except in step 13, can install much lighter-weight heirloom-mailx package instead of mailutils
- http://blog.bobbyallen.me/2013/02/03/how-to-redirect-local-root-mail-to-an-external-email-address-on-linux/
Drop packets originating from unrecognized networks, e.g. anything that isn't Google (so we can SSH in), and for Quiver anything that doesn't come from the CDN whose domain is being fronted
Set up mitigations for denial of service attacks
Set up a tool like https://github.com/google/grr
Make sure anyone whose DigitalOcean/AWS/etc account has access to the server has 2FA set up (or at least a strong password)