
I am creating an application that will be served on an Ubuntu 20.04 VPS server. Nginx, Python, PostgreSQL, Node.js, nothing special.

Unfortunately, all my knowledge about server security ends after `ufw enable` and fail2ban. (Because most tutorials end there too.)

Can you please recommend a good, modern manual on securing a server on the Internet? If there is some automated security-test service or anything else that can help audit/monitor a server, please tell me; paid is OK.

1 Answer


The principles of keeping your servers secure are quite simple.

In no order of priority:

  • Keep your software up-to-date. (Related: run only supported/maintained versions.)
  • Run only the services you need.
  • Install only the software you need.
  • Configure your software correctly.
  • Grant access based on the principle of least privilege.
  • Add monitoring.
    Establish a base line and alert on deviations.

The specifics depend quite a lot on the actual software, the services that you need to run and your requirements.

For external validation of your configuration: there are numerous vulnerability scanners and/or penetration-testing toolkits, as you can see on lists such as this one: https://owasp.org/www-community/Vulnerability_Scanning_Tools

Be aware that such scans often rely on determining the version numbers of your installed software and don't test whether known vulnerabilities can actually be exploited. That can result in many false positives on Linux distributions that do security backporting, as explained for example in this Q&A: "PCI Compliance: install Apache 2.4.17 on Ubuntu 14.04.3?"

Authenticated scans can help against that by checking the version of the package, rather than the version string an application reports.

Another approach comes more from the system-management perspective: centralised server management including release and patch management. Examples are Ubuntu's Landscape, Red Hat Satellite and Microsoft SCCM.

Bob
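The answer's last principle, "establish a baseline and alert on deviations", combined with "run only the services you need", is easiest to start with at the level of listening sockets. The following added example (not from the original post or from any particular tool) parses the output of `ss -tulpnH` into a set of listeners and diffs it against a saved baseline; the `ss` output embedded below is constructed sample text, and the baseline represents the assumption that PostgreSQL should only listen on localhost.

```python
import re
import subprocess

# Constructed sample of `ss -tulpnH` output (Ubuntu 20.04 style, header-less).
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*   users:(("systemd-resolve",pid=613,fd=12))
tcp   LISTEN 0      128          0.0.0.0:22    0.0.0.0:*   users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80    0.0.0.0:*   users:(("nginx",pid=1234,fd=6),("nginx",pid=1233,fd=6))
tcp   LISTEN 0      244          0.0.0.0:5432  0.0.0.0:*   users:(("postgres",pid=900,fd=5))
tcp   LISTEN 0      128             [::]:22       [::]:*   users:(("sshd",pid=800,fd=4))
"""

# Assumed baseline for this host: what the operator intends to expose.
BASELINE = {
    ("udp", "127.0.0.53%lo", 53, "systemd-resolve"),
    ("tcp", "0.0.0.0", 22, "sshd"),
    ("tcp", "[::]", 22, "sshd"),
    ("tcp", "0.0.0.0", 80, "nginx"),
    ("tcp", "127.0.0.1", 5432, "postgres"),   # Postgres on loopback only
}

_PROC_RE = re.compile(r'\("([^"]+)"')

def parse_ss(output: str) -> set:
    """Turn `ss -tulpnH` lines into (proto, address, port, process) tuples."""
    listeners = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        if port == "*":
            continue
        users = fields[6] if len(fields) > 6 else ""
        procs = set(_PROC_RE.findall(users)) or {"?"}
        for proc in procs:
            listeners.add((proto, addr, int(port), proc))
    return listeners

def deviations(current: set, baseline: set) -> dict:
    """Report what is listening but not expected, and what is expected but gone."""
    return {
        "unexpected": sorted(current - baseline),
        "missing": sorted(baseline - current),
    }

def check_host(ss_output: str, baseline: set = BASELINE) -> dict:
    return deviations(parse_ss(ss_output), baseline)

def live_ss_output() -> str:
    """Read the real socket table; only used when run on a host, not in tests."""
    return subprocess.run(["ss", "-tulpnH"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    report = check_host(SAMPLE_SS_OUTPUT)
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
```

Run from cron, this produces two kinds of alert: an "unexpected" entry is either a service you did not mean to run or a service bound more widely than intended (here, PostgreSQL on all interfaces instead of loopback), and a "missing" entry usually means a service failed to start. Regenerate the baseline deliberately after every intentional change, otherwise the alerts stop meaning anything.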