Ultimate Ubuntu 14.04 Web Server Security Hardening Guide

This video is going to cover securing your Ubuntu 14.04 Web Server in order to get it production ready. Before allowing access to your self-hosted website you want to make sure security is the top priority.

I’ve outlined a ton of configuration that will help.

My next video will go over how to forward ports using Webmin, for those of you who have requested that.

Here are the lines that were added to the sysctl.conf and 10-network-security.conf files during the video:

I tried to add some lines from the apache2.conf and the modsecurity exclusions, but YouTube doesn’t allow brackets within the description, so you’ll just have to keep up with the video and maybe pause it if you need to.

Please remember to watch the entire video for proper implementation of all these rules and directives. Don’t simply copy and paste these, as there are many steps you may miss. I only added these to the description to make the steps easier to implement, since there are so many lines, and in case anyone was having trouble reading the screen in the video.

# -------- HARDENING --------
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log martian packets and ignore bogus ICMP error responses
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore all ICMP echo requests (pings)
net.ipv4.icmp_echo_ignore_all = 1

----------------------------
These lines were added to sysctl.conf later to disable the IPv6 protocol and to increase server stability.

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# Server stability: panic on out-of-memory, then reboot 10 seconds after a kernel panic
vm.panic_on_oom=1
kernel.panic=10
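
Since it is easy to miss a line when copying this many settings, here is an added example (not from the video or its author) that parses sysctl.conf-style text and reports every setting listed above that is missing or set to a different value. The function names are hypothetical, and passing several files in load order so that later files override earlier ones is an assumption of the example.

```python
# Added example: audit sysctl.conf-style text against the settings listed on this page.
PAGE_SETTINGS = """
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.panic_on_oom=1
kernel.panic=10
"""

def parse_sysctl(text):
    """Parse sysctl.conf text into {key: value}; a repeated key keeps its last value."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;" and "=" in line:  # skip blanks and comments
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(*conf_texts):
    """Return {key: (wanted, found)} for page settings that are absent (None) or differ."""
    found = {}
    for text in conf_texts:  # assumption: caller passes files in load order, later wins
        found.update(parse_sysctl(text))
    wanted = parse_sysctl(PAGE_SETTINGS)
    return {k: (v, found.get(k)) for k, v in wanted.items() if found.get(k) != v}

if __name__ == "__main__":
    # Constructed sample: one key is overridden further down, most keys were never added.
    sample = "net.ipv4.icmp_echo_ignore_all = 1\n# test\nnet.ipv4.icmp_echo_ignore_all=0\nkernel.panic=10\n"
    for key, (wanted, got) in sorted(audit(sample).items()):
        print(f"{key}: want {wanted}, found {got}")
```

This checks the files only; the running kernel picks up the values after `sysctl -p` or a reboot.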

If you have any questions please leave them in the comments and I will try to assist you if I can.

Hope this video is helpful and remember to check out http://oddrandomthoughts.com if you want a daily dose of the strange and unusual.

Source: https://www.youtube.com/watch?v=CIFF1iqg4oc
