Hi Guys,

I'm really getting into Linux - whenever I have spare time I try to learn something new about the OS.
I've finally reached the stage where I feel somewhat confidence to host a Linux server - this is more for learning purposes, but also providing some useful functionality to myself by also running Nextcloud.

So I recently created an Ubuntu 17.04 VM in Azure, running Nextcloud 11.

Question 1. How can I harden the security on this server?

I know little on this topic, and here is what I've done so far:
Azure
Open ports include HTTPS inbound and outbound, and ssh inbound.

UFW
I recently enabled Uncomplicated Firewall.
- IPv6 is enabled, ufw is supporting IPv6

Rules:
- sudo ufw default deny incoming
- sudo ufw default allow outgoing
- sudo ufw allow ssh
- sudo ufw allow https
(I would like to do this via IP tables, but I'm not there yet. I have a lot to read up on and learn.)

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)


Question 2. Can I do more to secure the server, i.e. a friend mentioned to use Snort? Any good guides to follow?

Question 3. I ran the server without ufw (firewall) enabled for 24 hours, should I be worried? Would the Azure rules have protected my server?

Thanks heaps for any advice. I'm really enjoying reading up on this topic and learning.

The first thing that I would do is to install OpenVPN, with certificates and tls-auth, and put sshd, in particular, behind it, with firewall rules making it impossible for that daemon to reach-out or to be-reached except through the tunnel.

Don't expose any "shell" to the outside world.

That's like leaving a terminal connected to your company's innermost network outside in the parking lot, with a big sign taped over it: "HACK ME!"

Obviously, such a terminal should be on the inside, such that you have to have a b-a-d-g-e to even reach it. And, that's exactly what OpenVPN does.

When deployed in this way, OpenVPN's presence cannot be detected, and it is impossible to enter unless you possess two(!) digital certificates – one of them being "one of a kind," with-or-without password encryption. Your certificate is individually issued to you and can be individually revoked.

Your computer will appear to have exactly one open port (TCP/IP socket): "HTTPS." (And you should periodically scan it to be sure that this is so.)

My LQ blog now contains several entries relating to this.

I would download/use all this

Samhain (HIDS)
Psad+FWSnort (NIDS; considered a light-weight alternative to Snort)
AppArmor (mandatory access control)
OpenVPN
Suricata (supplemental security)
Fail2Ban (blocks unauthorized access attempts)
Linux Malware Detect
ClamAV
Elk-Stack
KeepassX
Duplicity (encrypted backups)
Chrootkit
Rkhunter
IPFire (a modular GRsecurity enhanced firewall distro)
OpenDNS
Firejail (application sandboxing)
Macchanger

the first thing that I would do would be to use an LTS version of ubuntu.
https://wiki.ubuntu.com/Releases

If it's anything like AWS...
I'm not sure enabling UFW on an Azure Server is even effective, or necessary.

"To my way of thinking," most of the preceding suggestions seem to presume that "that terminal (somehow) must remain out there in the parking lot, complete with that 'HACK ME!' sign!"

Think outside the box!

When you walk into the front-door of your employer's place of business, "what happens?" Is there really someone sitting there, demanding that each one of you must "say 'the magic word?'" ...?

"Hell N-O!" To get even one step beyond the front door, you must (swipe | scan | present): ... ... "your (one of a kind ...) b-a-d-g-e!!"

- - -

"Therefore, 'go and do likewise!!'"

OpenVPN allows you to "issue one-of-a-kind badges" to each-and-every person who should be permitted to access your systems.

Furthermore, it is able to conceal(!) itself from any potential supplicant who cannot pro-actively(!) demonstrate ... by their apparent possession of(!!) a tls-auth digital certificate ... that "they actually might be an authorized user."

Without that pro-active evidence, the OpenVPN server does not even deign to reply. It remains "anonymous." ... "Invisible!!"

Uh huh ... "hundreds of thousands of 'script kiddies,' worldwide ..." ... ... are screwed. So far as they can ever perceive, "there is nothing there(!)" ...

Thanks guys for your advice - I have been evaluating each software mentioned above one by one, and installing when it meets my use case.

Also from what I've read here and elsewhere, it seems using a VPN is the most important must-have when running a server online. There should be a VPN on the front line.
There seems to be two approaches to implementing a VPN solution:

1. Use the cloud provided VPN.
E.g. in Azure it's called a Point-to-Site connection to a VNet
Unfortunately Azure VPN currently only allow Windows clients to connect. This is very limiting if your client is Linux, Android, Mac...
I will look into Amazon AWS or Google Cloud Platform.

2. DIY your own VPN solution
E.g. Spin up a linux VM in the cloud, install OpenVPN and run your own VPN server. Your other servers would be sitting behind this server.
A friend advised against this. Using linux (or any OS actually) to run VPN software has disadvantages. The OS would have vulnerabilities, and it would also have a large attack surface when compared to a dedicated VPN solution.

So I'm still reading up. Any thoughts on which way to go for a VPN solution? Am I incorrect somewhere or have I missed something?

Those dedicated VPN solutions you talk about are also running Linux, but they are a just more trimmed down version of it.. You can if you like make your own "trimmed down" version of Linux, which means you make it less capable (which reduces the attack surface) by having it only contain the drivers, software, etc that you need and nothing else..

A tool I use for compliance is called "lynis". It is not an end all solution, but it's a great security audit tool, similar to rkhunter and chkrootkit. It gives you a great starting point for hardening your systems. It is configurable for different environments and security thresholds.

Thanks. I've gone with a Ubuntu 17.04 running OpenVPN on Azure. With unattended security updates, reboots.
And applying most of the security tools and techniques mentioned in this thread, e.g. securing shared memory, preventing IP spoofing, AppArmor, UFW, ClamAV, 2 factor (Google) auth...

I will check this tool out next, thanks!

I'm now running my VPN server (on Azure, an Ubuntu VM, running OpenVPN), should I be worried that the shell is exposed to the outside world via the SSH port?

I'm using SSH public/private key rather than username/password.

Also, the Azure and Ubuntu server firewall rules (which are the same) are: Allow UDP/1194, TCP/22

The whole point of openvpn is so you can run services like openssh on the subnet provided by the vpn. Set openssh to listen on the gateway internal ip of your vpn service. You can have openvpn listen on both interfaces while you test the vpn connection and ssh works. Once you are certain you can connect without issue, turn off the public interface in the openssh config. To test if it works, connect to OpenVPN and then ssh into your box.

Be careful though, since you could get locked out of your server.

https://www.cyberciti.biz/tips/howto...p-address.html

You tell us if this is secure enough for you. If you are still receiving brute force attempts and other bot attacks, then this may not be the solution. Check your logs.

I'm new to this, thanks.

mralk3 - thank you I now understand and have put the sshd behind the VPN.

sundialsvcs - thanks for your blog on Dwarvish Doors. Love it!