Say I've got a fresh install of Ubuntu, what steps should I take to secure it for use as a Rails application server?
- 
                    there is a similar question here, it may help; http://serverfault.com/questions/11659 – hayalci Jun 07 '09 at 21:45
10 Answers
I can't think of any Ubuntu-specific tweaks, but here's a few that apply to all distributions:
- Uninstall all unnecessary packages
- Use public-key only authentication in SSH
- Disable root logins via SSH (doesn't apply to Ubuntu)
- Use the production settings for PHP (php.ini-recommended)
- Configure MySQL to use sockets only
Of course this list isn't complete, and you'll never be completely safe, but it covers all the exploits I have seen in real life.
Also, the exploits I have seen were almost always related to unsecure user code, not unsecure configuration. The default configurations in minimal, server distributions tend to be pretty secure.
 
    
    - 711
- 7
- 6
- 
                    1Change the port for services like MySQL (useless if to configure it to use sockets only), FTP (although, if you are being secure you shouldnt use FTP at all), SSH and all sorts. – Josh Hunt Apr 30 '09 at 11:52
- 
                    4"Uninstall all unnecessary packages". OK. Thats pretty vague. What 'unnecessary' packages? – Luke Jun 13 '09 at 05:18
- 
                    2@Luke: Anything you're not using is unnecessary. More specific, running services that you don't need put machines in unnecessary risk. – Andrioid Jul 11 '09 at 15:23
- 
                    
One quick thing that I do early on is install DenyHosts. It will regularly look through the /var/log/secure, looking for failed logins, and after a couple of failures, block the IP. I set it to block after the first no-such-user, on the second attempt at root, and after a couple of tries for real users (in case you mess up, but you should be using a SSH public key to login).
 
    
    - 1,624
- 13
- 13
- 
                    3as you link to the sourceforge homepage - denyhosts is also available in the repository (universe) via "sudo aptitude install denyhosts" – Olaf May 11 '09 at 20:12
- 
                    good point @olaf. Most of the servers I installed it on were RHEL, where it's also in DAG's repo. – Alister Bulman May 11 '09 at 21:55
- 
                    3DenyHosts seems to only detect and block ssh brute force attacks. A better choice would be fail2ban (it is available in the repos as well), which monitors a variety of things, including the apache logs among other things. Check out the community wiki at https://help.ubuntu.com/community/Fail2ban – jeshurun Nov 14 '11 at 06:01
Ubuntu is based off Debian and I've found the Securing Debian Manual to be very useful in Debian-based distributions in completely walking you through your system and checking every part. It's basically a really, really comprehensive answer to your question.
 
    
    - 315
- 2
- 6
- 
                    
- 
                    1Sorry, thought the link was in the post. It's at: http://www.debian.org/doc/manuals/securing-debian-howto/ – Mike McQuaid May 06 '09 at 13:32
I usually install RKHunter, which scans for rootkits and does integrity checks of various important system binaries. It's in the standard repo, and will run daily from cron. It's not perfect, securitywise, but it's a low-effort item to add, and it provides a measure of protection.
 
    
    - 4,678
- 2
- 26
- 21
Install logcheck, but tweak so that you never receive messages from regular events, otherwise you'll get in the habit of ignoring the emails.
Check which processes are listening using netstat, and make sure nothing's running that doesn't need to run. Many daemons can be configured only to listen on the internal IP (or localhost) instead of all interfaces.
 
    
    - 2,731
- 6
- 26
- 37
Do what Can suggests...
Nmap the host and disable all non-essential services. Use iptables if necessary.
 
    
    - 5,337
- 2
- 18
- 17
- 
                    2On any server that is accessible via the Internet, iptables is *always* necessary. ;-) – Christopher Cashell May 27 '09 at 18:28
If you're going anywhere near the Internet with the server, install an intrusion detection system like snort.
 
    
    - 458
- 1
- 4
- 9
Some firewall suggestions.
Learn to use a firewall and the concepts of properly locking a box down. Changing default ports is largely a useless thing; proper application and firewall configuration are much more important.
Both are in the Ubuntu repos:
FireHOL
has terrific documentation and very easy to learn syntax. I was able to set up a gateway/firewall in twenty minutes. The only reason I've moved away from this is that it doesn't seem to be maintained (last release 2 yrs ago). Doesn't mean it doesn't work, but...
Ferm
is another one. More iptables-like syntax, but same concept. More community maintained than FireHOL, but takes longer to pick up.
Shorewall
is what I currently use. Its documentation is extensive, and its configuration format is tabular. It took me about an hour and a half to understand all the files needed (6) to get a working firewall/gateway configuration running. It's quite powerful. TIP: The man pages for the different config files are REALLY helpful!
All of these load firewall configurations from a config file. Very effective, easier to use than iptables straight up, and (in my opinion) easier to use and manage than ufw.
Other:
- I second the recommendations for SSH key use. 
- Set up an IDS. 
- Learn about AppArmor. It restricts the file access of executables to only specified directories and files it needs. Similar to SELinux in the RHEL world. It's installed and enabled with pre-configured 'profiles' for many well-used programs. 
 
    
    - 1,219
- 1
- 12
- 14
Use separate partitions for various directories like /tmp or /var and mount them with nosuid, nodev and noexec if possible.
 
    
    - 6,226
- 2
- 41
- 55
As well as other suggestions here I'll mention three that are obvious but perhaps worth mentioning for completeness:
- If you don't think you need a firewall, think again. ufw is simple but designed for Ubuntu and based on iptables
- Update the packages: as a minimum apply all the security patches
- Document what you've done to secure the server and why. Include configuring (automated) processes to monitor logs, test the configuration and report security updates that are needed.
 
    
    - 639
- 5
- 9
 
    