1

I am about to publish a Python web application. The server is an Ubuntu remote machine hosted by 1&1.

For now I start the Python server app remotely with a console command.

Concerning security, what are the must-do procedures with my Ubuntu machine before making it public with a domain name?

Thank you

Krishna Pandey
  • 1,497
  • 1
  • 16
  • 26
Guilhem Fry
  • 111
  • 1
  • If it's on a public, cloud-hosted server, it may already be too late, regardless of whether it has a domain or not. People have likely been scanning and prodding already, and may have gained access. – multithr3at3d Sep 11 '17 at 15:32
  • Are you using 1&1 shared hosting or a VPS? Also what version of Ubuntu? – TrickyDupes Sep 12 '17 at 13:00

3 Answers

1

Create a non-root user and run your app under that user.

Set up ufw (Uncomplicated Firewall) and block everything apart from SSH, HTTP and HTTPS. This is much easier than iptables (imo).

Disable SSH password auth. Set up keys, use them only.

Additionally, set up Fail2Ban to monitor logs and take any additional actions you might want (IP blacklisting etc.).

There are lots of guides online for hardening Ubuntu; these would be my 'must do' steps. I would recommend the Linode guides, as they are generally good quality (https://www.linode.com/docs/security/securing-your-server).

Also bear in mind that even without a domain name, if your app was running on the remote, chances are it has already been found and probed based on IP:port alone. I would do all these steps as soon as the server is provisioned.

TrickyDupes
  • 2,809
  • 1
  • 13
  • 27
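The four steps above, written out as a shell script for an Ubuntu host. This is an added example, not code from the answer or from the Linode guide it links; it assumes the application runs under a service account called "webapp" (placeholder name), that ufw, openssh-server and fail2ban are installed from apt, and that the host uses systemd. The check function at the end goes one step beyond the answer: it verifies from a configuration file (or from the `sshd -T` effective-config dump) that password login is really off, because sshd keeps the first value it reads for a keyword and a drop-in under /etc/ssh/sshd_config.d/ can override an edit to the main file.

```shell
#!/bin/sh
# Added example (not from the original answer): the "must do" hardening steps
# as functions, plus an offline check of an sshd configuration.
# Assumptions: Ubuntu with systemd; ufw/openssh-server/fail2ban from apt;
# APP_USER is a placeholder service-account name.

APP_USER="${APP_USER:-webapp}"   # placeholder account name

# Step 1: a system account with no login shell, so a compromise of the app
# does not hand out root or an interactive shell.
create_app_user() {
    id "$APP_USER" >/dev/null 2>&1 && return 0
    sudo adduser --system --group --home "/srv/$APP_USER" \
        --shell /usr/sbin/nologin "$APP_USER"
}

# Step 2: default-deny inbound; allow only SSH, HTTP and HTTPS.
# "limit" adds connection rate-limiting to the SSH rule.
setup_firewall() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw limit OpenSSH
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw --force enable
}

# Set or replace one sshd_config directive in place (GNU sed, as on Ubuntu).
# Commented-out defaults such as "#PasswordAuthentication yes" are replaced too.
set_sshd_option() {
    if grep -q -E "^#?$1[[:space:]]" /etc/ssh/sshd_config; then
        sudo sed -i -E "s/^#?$1[[:space:]].*/$1 $2/" /etc/ssh/sshd_config
    else
        printf '%s %s\n' "$1" "$2" | sudo tee -a /etc/ssh/sshd_config >/dev/null
    fi
}

# Step 3: key-only SSH. Run this only after a key login has been verified in a
# second session, and keep that session open until "sshd -t" passes.
disable_ssh_passwords() {
    set_sshd_option PasswordAuthentication no
    set_sshd_option PermitRootLogin no
    sudo sshd -t && sudo systemctl reload ssh
}

# Step 4: fail2ban; the packaged default already jails repeated sshd failures.
setup_fail2ban() {
    sudo apt-get install -y fail2ban
    sudo systemctl enable --now fail2ban
}

# Offline check: does the given sshd configuration enforce key-only login?
# sshd uses the FIRST value it reads for a keyword, so a drop-in under
# /etc/ssh/sshd_config.d/ can override an edit to the main file. Check the
# effective config instead:  sshd -T > /tmp/eff && check_sshd_config /tmp/eff
# Returns 0 when hardened, 1 otherwise, naming each directive that is off.
check_sshd_config() {
    cfg="$1"
    rc=0
    for want in "passwordauthentication no" "permitrootlogin no"; do
        key="${want% *}"
        got=$(grep -i -E "^[[:space:]]*${key}[[:space:]]" "$cfg" | head -n 1 |
              tr '[:upper:]' '[:lower:]' | tr -s ' \t' ' ' | sed 's/^ //; s/ $//')
        if [ "$got" != "$want" ]; then
            echo "not hardened: want '$want', found '${got:-<unset, sshd default applies>}'"
            rc=1
        fi
    done
    return $rc
}

# Demo on two constructed configs (not files taken from any real host).
demo=$(mktemp)
printf '#PasswordAuthentication yes\nPermitRootLogin prohibit-password\n' > "$demo"
check_sshd_config "$demo" || echo "sample 1: stock-style defaults fail the check"
printf 'PasswordAuthentication no\nPermitRootLogin no\n' > "$demo"
check_sshd_config "$demo" && echo "sample 2: hardened config passes"
rm -f "$demo"

if [ "${1:-}" = apply ]; then     # run as: sh harden.sh apply
    create_app_user && setup_firewall && disable_ssh_passwords && setup_fail2ban
fi
```

Run without arguments it only exercises the check on the two constructed samples; `sh harden.sh apply` performs the changes. The order matters: the firewall rule for SSH and a verified key login must be in place before password authentication is switched off, or the next session will be the one that locks you out.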
0

Assuming your application itself is secure, and that you trust your server host, the easiest ways to secure the system are:

  1. Keep your system / packages updated and patched (sudo apt upgrade)
  2. Run only what you need to run. Remove unnecessary server packages that listen on ports, or keep them stopped (sudo systemctl stop <service> && sudo systemctl disable <service>)
  3. Use a firewall. If your server host provides a firewall system, use it. If not, configure iptables to restrict traffic to your server.

Knowing what services to stop might be non-trivial if you don't have experience with setting up a server. Generally, hosted servers are pretty minimal and run only the bare essential programs to be as resource efficient as possible, so you might not have to do much there.

edit: Just perused the website of your server host. They do provide firewall management tools and intrusion protection systems that you can configure to only allow traffic to your application port. If you can afford their backup / snapshot offer, you should take it and make it a point to take frequent snapshots (backups) of your server, just in case. It's good practice.

eternaltyro
  • 817
  • 7
  • 16
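The answer notes that knowing which services to stop is the non-trivial part. The following added example (not code from the answer) shows one way to find them: it reads the output of `ss -tlnpH` (listening TCP sockets, numeric ports, with owning process, no header) from a file and reports every listener that is reachable from outside the host, i.e. bound to something other than loopback on a port the application does not need. The allowed ports default to SSH, HTTP and HTTPS and can be overridden through the ALLOWED_PORTS variable; the sample socket table at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original answer): audit listening TCP sockets
# and print the ones that should probably be stopped and disabled.
# Input is "ss -tlnpH" output saved to a file:  ss -tlnpH > /tmp/listen.txt
# Assumption: ALLOWED_PORTS lists the ports the server must expose.

ALLOWED_PORTS="${ALLOWED_PORTS:-22 80 443}"

# Local address is the 4th column of ss output, e.g. 0.0.0.0:22, [::]:3306,
# 127.0.0.1:8080. The port follows the last ':', the host precedes it.
host_of() { printf '%s\n' "${1%:*}"; }
port_of() { printf '%s\n' "${1##*:}"; }

# Loopback-only listeners are not reachable from the network.
is_loopback() {
    case "$1" in
        127.*|"[::1]"|"::1"|"[::ffff:127."*) return 0 ;;
        *) return 1 ;;
    esac
}

is_allowed_port() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Print one line per unexpected listener: "<port> <host> <process>".
# Returns 0 when nothing unexpected is listening, 1 otherwise.
# The redirect (not a pipe) keeps the loop in the current shell so that
# "found" survives the loop in plain sh.
unexpected_listeners() {
    found=0
    while read -r state recvq sendq local peer proc; do
        [ -z "$local" ] && continue
        host=$(host_of "$local"); port=$(port_of "$local")
        is_loopback "$host" && continue
        is_allowed_port "$port" && continue
        # proc looks like users:(("mysqld",pid=990,fd=21)); keep only the name
        name=$(printf '%s' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        printf '%s %s %s\n' "$port" "$host" "${name:-unknown}"
        found=1
    done < "$1"
    return $found
}

# Demo on a constructed socket table (not captured from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("python3",pid=1201,fd=5))
LISTEN 0 70 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=700,fd=6))
LISTEN 0 5 [::]:111 [::]:* users:(("rpcbind",pid=455,fd=4))
EOF
echo "unexpected listeners (port host process):"
unexpected_listeners "$sample" || echo "review the services above"
rm -f "$sample"
```

On the constructed sample the Python app on 127.0.0.1:8080 and the nginx and sshd listeners pass, while mysqld on 0.0.0.0:3306 and rpcbind on [::]:111 are reported. For each reported process, decide whether it can be removed, bound to loopback, or stopped and disabled with the systemctl pair given in step 2; run the audit again afterwards and once more after the firewall is in place, since a stopped service can be re-enabled by a package upgrade.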
0

I'd certainly say routing all traffic through CloudFlare is essential for web applications. Not only is their DNS very fast, but they provide a free SSL certificate (shared; you can upgrade to dedicated) that will, without any setup on your side (apart from updating your nameservers), allow you to use HTTPS and thus a secure connection (if you do choose Cloudflare, make sure to go into the Crypto module and enable "Always use HTTPS" so all traffic must be routed through an encrypted connection). Many would argue that something like Letsencrypt could offer such a service, but Cloudflare also hides the origin IP address (of the web server) so that users can't find the IP by pinging the domain or such. And, on top of all this, it offers a variety of other tools such as DDoS protection, IP blacklisting and other useful modules that will help with security without a doubt.

Many large companies utilize CloudFlare as they are extremely good.