Old 11-02-2012, 04:09 PM   #1
EganSolo
LQ Newbie
 
Registered: Nov 2012
Posts: 1

Rep: Reputation: Disabled
What security holes you see in this linux conf below?


Hi guys,

First time post here. I'm in the process of porting over a web site I run on a dedicated box to a newer version of that box.
Here's a brief outline of the security conf on the new box. I'm trying to keep it as simple as possible but don't want to miss any gaping hole.

Ubuntu 12.04 server.
LAMP stack.
Postfix / Dovecot / SpamAssassin

1. No human users (other than myself) are allowed on this box. Thus, there are only two human users: egan and root.

2. Ports open: (nmap results)
open port 22/tcp
open port 995/tcp
open port 143/tcp
open port 80/tcp
open port 110/tcp
open port 443/tcp
open port 993/tcp
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
110/tcp open pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
646/tcp filtered ldp
993/tcp open imaps
995/tcp open pop3s
1434/tcp filtered ms-sql-m

ssh is accessible only with key-cert (no password access allowed).
This server runs an Ubuntu LAMP stack with the Postfix/Dovecot/SpamAssassin etc. combo.
Nothing else runs on it.

Question:
==========
Since users cannot log in except through an ssh session for which they would need a key and the key is well protected, do I need to harden the system further?

If so, I am wondering if AppArmor is sufficient or if I need to use the grsecurity combo?

I do want a secure system but I don't want to go overboard with the admin side of things.

Any comments would be greatly appreciated.

Thanks

Egan
 
Old 11-02-2012, 05:33 PM   #2
linuxxer
Member
 
Registered: Apr 2011
Location: I have my own planet
Distribution: Slackware®
Posts: 257

Rep: Reputation: Disabled
Quote:
Originally Posted by EganSolo View Post
If so, I am wondering if AppArmor is sufficient or if I need to use the grsecurity combo?
I think AppArmor and grsecurity both provide MAC.
So you can use only one of them, not both.

Last edited by linuxxer; 11-02-2012 at 06:28 PM.
 
Old 11-02-2012, 10:02 PM   #3
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
I wouldn't put mail and web on the same box - the kinds of firewall rules you want for them are quite different. Why so many ports open? Have you removed unnecessary packages?
You haven't posted anything about the application configs.
 
Old 11-03-2012, 10:43 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by EganSolo View Post
do I need to harden the system further?
While you have posted useful information, what's missing is an overview of what steps you took. The easiest way to start is to read your distribution's documentation wrt security and hardening, turn it into a checklist and compare it with what you have done. That should address anything ranging from install-time issues like package selection, post-install cleanup, account settings like password strength checking, aging, quota, ulimits, login access and process restrictions, service configuration, network configuration, access restrictions and traffic limiting, maintenance, updating, verifying integrity and making backups. A basic distro-agnostic tool to help compare certain local aspects is GNU/Tiger. Run it on a pristine setup, make changes, then run again to check the effect.

After that you could try the "Securing Debian Manual" for any issues your distribution's documentation doesn't address, followed by a check against the Cisecurity.org Debian Benchmark, and then address issues from the OWASP top ten. That should cover anything including LAMP stack and other network-related issues. A tool to help you assess the machine's security stance from a remote POV is OpenVAS, as it focuses on services rather than "simply" checking if a port is accessible or not like nmap does.

Some things to be mindful of no matter what you do:
- Know what you do: ignorance and negligence are the two most common causes for compromises.
- Allow (install, run, grant access to) only that what is strictly needed.
- Be vigilant always: security is not a one-off but a continuous process of auditing and adjusting.
 
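As an added example (not code from anyone in this thread): a small POSIX sh audit that compares the nmap listing posted above and an sshd_config against the policy the poster states (only ssh, web and mail ports reachable; ssh by key only), so the kind of checklist comparison suggested in the replies can be rerun after each change. The port lines are copied from the thread plus one constructed extra listener on 8080, and the sshd_config excerpt is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check an nmap listing and an sshd_config
# against the poster's stated policy. All input below is a constructed sample.
# Ports the poster intends to expose: ssh, http/https, pop3/imap and their TLS variants.
ALLOWED_PORTS="22 80 443 110 143 993 995"
# nmap lines as posted in the thread, plus a constructed extra listener on 8080.
NMAP_OUTPUT='PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
8080/tcp open http-proxy'
# Constructed sshd_config excerpt (no Match blocks).
SSHD_CONFIG='PermitRootLogin yes
PasswordAuthentication no
#PubkeyAuthentication yes'

# Print "port/proto service" for every open port not in the allow-list;
# "filtered" ports are not flagged because nothing answered there.
unexpected_open_ports() {  # $1 = nmap output, $2 = space-separated allowed ports
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "open" { split($1, p, "/"); if (!(p[1] in ok)) print p[1] "/" p[2] " " $3 }'
}

# Print the effective value of an sshd_config keyword: sshd takes the first occurrence,
# keywords are case-insensitive, comments are ignored, $3 is the default when absent.
sshd_option() {  # $1 = config text, $2 = keyword, $3 = default
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# Report every deviation from the stated policy; return 1 if any was found.
# Defaults used below are those of OpenSSH 5.9 as shipped with Ubuntu 12.04.
audit() {
    bad=0
    extra=$(unexpected_open_ports "$NMAP_OUTPUT" "$ALLOWED_PORTS")
    [ -z "$extra" ] || { echo "open ports outside the allow-list:"; echo "$extra"; bad=1; }
    [ "$(sshd_option "$SSHD_CONFIG" PasswordAuthentication yes)" = no ] || { echo "PasswordAuthentication is not 'no'"; bad=1; }
    # With UsePAM, keyboard-interactive can still accept passwords unless this is off too.
    [ "$(sshd_option "$SSHD_CONFIG" ChallengeResponseAuthentication yes)" = no ] || { echo "ChallengeResponseAuthentication is not 'no'"; bad=1; }
    [ "$(sshd_option "$SSHD_CONFIG" PermitRootLogin yes)" = no ] || { echo "PermitRootLogin is not 'no'"; bad=1; }
    return $bad
}

if audit; then echo "host matches the stated policy"; else echo "deviations found"; fi
```

For a real host, feed unexpected_open_ports the output of an external `nmap -sT` scan and sshd_option the text of /etc/ssh/sshd_config (or the output of `sshd -T`, which prints effective values in lowercase). The ChallengeResponseAuthentication check matters because its default is yes, so "no password access" is only true once it is off as well.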