Write Review

What Do I Need?

  • Any Dedicated or Virtual Server
  • Ubuntu

What is a Security Policy?

Linux-based operating systems are amazing; however, they’re not the most secure by default, and more configurations are required for a new web server installation in order to ensure it’s properly hardened and secure from bad actors. Making sure you’ve got a plan and strategy in place for the protection of your client’s systems, especially if the server is mission-critical, is absolutely paramount.

  1. User Management

    User management is one of the most important tasks of any security plan. Balancing your user’s access requirements against their everyday needs, versus the overall security of the server, requires a clear view of those objectives to ensure users have the tools they need to get the job done as well as protect the other users’ privacy and security. There are three different types or levels of user access:

    • Root - this is the main administrator of the server. The root account has full access to everything on the server. The root user can lock down or loosen user roles, set file permissions and ownership, limit folder access, install and remove services and applications, repartition drives, and essentially modify any area of the server’s infrastructure. Root users are effectively the gods of the server.
    • Super User - this is a user who’s been granted special access to a Linux application called sudo. The super user has elevated rights to run a function or program as another user. This user will be included in a specific group called the sudo group. The rules this user has access to are defined within the visudo file which outlines and limits their access and can only be initially modified by the root user.
    • A User - this is a regular user who’s been set up using the adduser command, given access, and the one that owns the files and folders within the user /home/user/ directory as defined by the basic settings in the /etc/skel/.profile file.
  1. Enforce Strong Passwords
    1. Because passwords are one of the mainstays in the user’s security arsenal, enforcing strong passwords is a must. We can modify the file responsible for this setting located in the /etc/pam.d/common-password file. To enable this we can modify the file responsible for this setting by using the chage command:
      chage -m 90 username
    1. This command simply states that the user’s password must be changed every 90 days.
      /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2
      dcredit=-2 ocredit=-1

  1. Restrict Use of Old Passwords
    1. Open /etc/pam.d/common-password file:
      sudo nano /etc/pam.d/common-password

      How to Implement a Security Policy on Ubuntu

    2. Add the following line to the auth section.
      auth        sufficient  pam_unix.so likeauth nullok
    1. Add the following line to the password section to disallow a user from re-using the last five of his or her passwords.
      sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5
    1. Only the last five passwords are remembered by the server. If you tried to use any of five old passwords, you’d get an error like:
      Password has been already used. Choose another.

  1. Checking Accounts for Empty Passwords

    Any account with an empty password means it's opened for unauthorized access to anyone on the web; so, you must make sure all accounts have strong passwords, and no one has any authorized access. Empty password accounts are security risks and are easily hackable. To check if there were any accounts with an empty password, use the following command:

    cat /etc/shadow | awk -F: '($2==""){print $1}'

    How to Implement a Security Policy on Ubuntu

Conclusion

Console security simply implies that limiting access to the physical server itself is key to ensuring that only those with the proper access can reach the server. Anyone who has access to the server can gain entry, reboot it, remove hard drives, disconnect cables, or even power it down. To obstruct malicious actors with harmful intent, make sure that servers are kept in a secure location. Another step we can take is to disable the Ctrl+Alt+Delete function. To accomplish this run the following commands:

systemctl mask ctrl-alt-del.target systemctl daemon-reload

Be sure to keep a lookout for more how-to guides in the future on setting policies to secure your systems effectively.

Was this article helpful?