
1. Use fail2ban to protect yourself from SSH brute force login attempts. My firewall logs always show activity from IPs in China and Eastern Europe.
2. Create system accounts to run your services.
   groupadd apache
   useradd apache -g apache -d /dev/null -s /sbin/nologin
3. For apache deploy mod_security and mod_evasive modules
3. Use MySQL secure installation
   /usr/bin/mysql_secure_installation
4. Deploy SSL
* Unless you are running a file or mail server, I do not see the need to deploy anti virus.
--
keybase.io/kipyegonmark
On 9 Mar 2016, at 19:16, skunkworks-request@lists.my.co.ke wrote:
Message: 4
Date: Wed, 9 Mar 2016 19:12:51 +0300
From: "Alex Watila" <awatila@yahoo.co.uk>
To: "'Peter Karunyu'" <pkarunyu@gmail.com>, "'Skunkworks Mailing List'" <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Peer review: Linux server setup checklist
Message-ID: <009501d17a1e$8ae4e800$a0aeb800$@yahoo.co.uk>
Content-Type: text/plain; charset="utf-8"
REPOS (for Ubuntu 14. Adjust for the version you are using)
* if needed
* nano /etc/apt/sources.list
* # kenya specific (add at the top)
* deb http://ubuntu.mirror.ac.ke/ubuntu/ trusty main
* deb-src http://ubuntu.mirror.ac.ke/ubuntu/ trusty main
* deb http://ubuntu-archive.mirror.liquidtelecom.com/ubuntu/ trusty main
* deb-src http://ubuntu-archive.mirror.liquidtelecom.com/ubuntu/ trusty main
* # generic (add at the top)
* deb mirror://mirrors.ubuntu.com/mirrors.txt trusty main restricted universe multiverse
* deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-updates main restricted universe multiverse
* deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-backports main restricted universe multiverse
* deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-security main restricted universe multiverse
* locate http://us.archive.ubuntu.com/ubuntu and replace it with http://archive.ubuntu.com/ubuntu
update the server
* set up automatic updates
* dpkg-reconfigure -plow unattended-upgrades
* apt-get update
* repo keys
* add-apt-repository ppa:nilarimogard/webupd8
* apt-get update
* apt-get install launchpad-getkeys
* apt-get upgrade
* apt-get dist-upgrade
clamav antivirus
* apt-get install clamav clamav-daemon
* freshclam
* /etc/init.d/clamav-daemon start
clamav antivirus scan and update
* crontab -e
* 47 * * * * freshclam
* 00 00 * * * clamscan -r --bell -i /
From: Peter Karunyu via skunkworks [mailto:skunkworks@lists.my.co.ke]
Sent: Wednesday, March 9, 2016 4:01 PM
To: Skunkworks forum <skunkworks@lists.my.co.ke>
Subject: [Skunkworks] Peer review: Linux server setup checklist
Dear members,
Every so often I get asked to set up a Linux server on some cloud provider, usually a LAMP stack, so normally I create one server to run Apache and PHP, and another server to run MySQL only.
I am NOT a sys admin. So I picked up the TODO list below from the interwebs.
Could someone please tell me if the items below are okay, or if there is anything new I should be doing, or not doing, for a simple, medium security, medium performance web or database server.
Thanks in advance!
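An added example, not part of the thread, for item 2 of the first reply (dedicated system accounts created with -s /sbin/nologin): a shell function that audits service accounts in a passwd-format file and reports any that are missing, have UID 0, or keep a login shell. The sample entries are constructed, and every account name other than apache is an assumption.

```shell
#!/bin/sh
# Added example: audit the accounts that services run as.

# Constructed sample in /etc/passwd format, not taken from any real host.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:998:998::/dev/null:/sbin/nologin
mysql:x:997:997::/var/lib/mysql:/bin/bash
backup:x:0:0::/var/backups:/usr/sbin/nologin
legacy:x:996:996::/dev/null:
EOF
}

# audit_service_accounts PASSWD_FILE ACCOUNT...
# Prints one line per finding; prints nothing when every account passes.
audit_service_accounts() {
    passwd_file=$1
    shift
    for acct in "$@"; do
        entry=$(awk -F: -v u="$acct" '$1 == u { print; exit }' "$passwd_file")
        if [ -z "$entry" ]; then
            echo "$acct: no such account"
            continue
        fi
        uid=$(printf '%s\n' "$entry" | cut -d: -f3)
        shell=$(printf '%s\n' "$entry" | cut -d: -f7)
        if [ "$uid" -eq 0 ]; then
            echo "$acct: UID 0, service would run as root"
        fi
        # An empty shell field means /bin/sh, so it counts as a login shell.
        case "$shell" in
            */nologin|*/false) ;;
            *) echo "$acct: login shell '$shell' permits interactive login" ;;
        esac
    done
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_service_accounts "$tmp" apache mysql backup legacy nginx
rm -f "$tmp"
```

On a real host, pass /etc/passwd and the accounts your services actually run as.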