I recently decided it was time to put all my projects that need web hosting together on a single server: one that gives me a level of control that normal hosting plans do not.
Of course, that means I am now the one who has to take care of things that were previously my provider's responsibility, security and updates among them.
Making an Ubuntu server secure. Configuring the firewall
A firewall is a software tool that monitors network traffic, inspecting the data packets that try to enter or leave the server. It applies a set of pre-established security rules to decide which packets are allowed through.
In practice, it acts as a border guard between the server and the Internet, keeping out unauthorized persons and malicious software.
On virtual private servers we usually have two options, depending on the provider: an external firewall whose rules are managed from the control panel, or an internal firewall running on the server itself. Those in the know recommend using the external one whenever possible.
Ubuntu uses a program called Uncomplicated Firewall (ufw) as its internal firewall by default. We can see whether it is running with the command:
sudo ufw status
If it is not installed, we can install it with:
sudo apt install ufw
You can start the firewall with this instruction:
sudo ufw enable
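The three commands above are enough to turn ufw on, but the order of the rules matters when the server is administered over SSH. The script below is an added example, not part of the original article: it applies a repeatable baseline (deny inbound by default, allow outbound, open SSH and any listed services) and only then enables the firewall. It assumes openssh-server is installed, so ufw's OpenSSH application profile exists, and it uses a hypothetical UFW_BIN variable so the plan can be printed with UFW_BIN=echo and checked before anything is applied.

```shell
#!/bin/sh
# Added example (not from the article): a repeatable ufw baseline.
# UFW_BIN is a hypothetical override; set UFW_BIN=echo to print the plan
# instead of applying it. The default runs the real tool with sudo.
UFW_BIN="${UFW_BIN:-sudo ufw}"

# apply_ufw_baseline [service-or-port ...]
# Default-deny inbound, allow outbound, rate-limited SSH, then any extra
# services given as arguments (e.g. 80/tcp 443/tcp), and only then enable.
apply_ufw_baseline() {
    $UFW_BIN default deny incoming
    $UFW_BIN default allow outgoing
    # SSH before enable: with default-deny and no SSH rule, enabling ufw
    # cuts off the remote session that is running this script.
    # "limit" allows the traffic but throttles repeated connection
    # attempts from one address (ufw's built-in brute-force limiter).
    # Assumes the OpenSSH app profile exists (openssh-server installed).
    $UFW_BIN limit OpenSSH
    for svc in "$@"; do
        $UFW_BIN allow "$svc"
    done
    # --force skips the "may disrupt existing ssh connections" prompt so
    # the script also works non-interactively.
    $UFW_BIN --force enable
    $UFW_BIN status verbose
}

# ssh_rule_precedes_enable PLAN
# Sanity check on a printed plan (UFW_BIN=echo): returns 0 if an SSH rule
# appears before "--force enable", 1 otherwise.
ssh_rule_precedes_enable() {
    ssh_line=$(printf '%s\n' "$1" \
        | grep -n -E '^(allow|limit) (OpenSSH|ssh|22(/tcp)?)$' \
        | head -n 1 | cut -d: -f1)
    enable_line=$(printf '%s\n' "$1" \
        | grep -n '^--force enable$' | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$enable_line" ] \
        && [ "$ssh_line" -lt "$enable_line" ]
}

# Typical web server: print the plan, check it, then apply for real.
#   UFW_BIN=echo
#   plan=$(apply_ufw_baseline 80/tcp 443/tcp)
#   ssh_rule_precedes_enable "$plan" && UFW_BIN="sudo ufw" apply_ufw_baseline 80/tcp 443/tcp
```

The check function exists because a plan that enables the firewall before the SSH rule is the classic way to lock yourself out of a VPS; reviewing the printed plan first costs nothing.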
LivePatch is a service from Canonical, the company that develops Ubuntu, and it is exclusive to this distribution. As a reminder, these articles assume a virtual private server running the server version of Ubuntu 20.04.
The great advantage of LivePatch is that it allows security patches to be applied to the Linux kernel without restarting the server. To be clear: LivePatch patches the running kernel. If you upgrade to a new kernel, you will still have to reboot.
The service is free of charge for Ubuntu long-term support (LTS) versions.
To activate it you need a token, which you can get from this page. Make sure the Ubuntu user option is selected (unless you want to pay for commercial support) and click Get your LivePatch token.
The next screen asks whether you have an Ubuntu One account; if you don't, it offers to create one.
Once you log in, it shows the token for your account and tells you which commands to type. The commands are:
sudo apt install snapd
sudo snap install canonical-livepatch
sudo canonical-livepatch enable tu_token
Note that the token can be used free of charge on only three machines.
Use this instruction to check the status of the tool:
sudo canonical-livepatch status
To force a check for new updates, type:
sudo canonical-livepatch refresh
Making a server secure with unattended automatic updates
When I started making websites, I was using an open source content manager that was just beginning to be developed, and a hosting provider that I later learned was an adventurer. One day, when I had slept badly, I did what I never do: take a nap. In those two hours someone took advantage of a vulnerability in the project, my lack of experience and the lack of seriousness of the hosting provider to insert a fake page on my site to steal data from Bank of America customers. I assure you that BOA does not take such things very well.
The moral is that either you have someone monitoring the server all day, watching for security notices and new versions of the applications, or you find a way to automate the task.
Luckily, the Ubuntu developers included a solution.
The steps to configure it are as follows.
We make sure the system is up to date with:
sudo apt update
sudo apt upgrade
We install the necessary programs:
sudo apt install unattended-upgrades apt-listchanges bsd-mailx
In the window that opens, select No configuration.
We run the configuration tool with:
sudo dpkg-reconfigure -plow unattended-upgrades
In the window that opens, accept the automatic updates.
Now we have to configure a few things.
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Press CTRL + W and search for the line Unattended-Upgrade::Mail
and complete it with your email address.
Then look for the line Unattended-Upgrade::Automatic-Reboot
and make sure it is set to true. This allows the system to reboot automatically when an update requires it.
Press CTRL + X and confirm to save the changes.
sudo nano /etc/apt/listchanges.conf
With CTRL + W, search for email_address and enter the same address you used before.
Save with CTRL + X and confirm the changes.
Test the configuration with:
sudo unattended-upgrades --dry-run
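Editing the file by hand works, but the defaults in 50unattended-upgrades are shipped commented out with a leading //, and it is easy to end up with a key set twice. The script below is an added example, not part of the original article: it sets the same keys the walkthrough edits (Unattended-Upgrade::Mail and Unattended-Upgrade::Automatic-Reboot), uncommenting a commented default or appending the key if it is absent, and reads the values back so the result can be verified. It additionally sets Unattended-Upgrade::Automatic-Reboot-Time, a real key that the article does not mention, so that the automatic reboot happens at a fixed off-peak time. The file path and the script name in the usage comment are assumptions; try it on a copy of the file first.

```shell
#!/bin/sh
# Added example (not from the article): set the keys edited by hand above
# in a repeatable way. apt.conf lines look like
#   //Unattended-Upgrade::Automatic-Reboot "false";
# where a leading // marks a commented-out default.

# set_apt_key FILE KEY VALUE
# Rewrites the first line whose first word is KEY or //KEY (so a
# commented-out default is uncommented and replaced), or appends
# KEY "VALUE"; if the key is not present. Only one line is rewritten,
# so duplicates are never created. A line written as "// KEY" (with a
# space after the slashes) is treated as an ordinary comment and left alone.
set_apt_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v val="$value" '
        !replaced && ($1 == key || $1 == "//" key) {
            print key " \"" val "\";"
            replaced = 1
            next
        }
        { print }
        END { if (!replaced) print key " \"" val "\";" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_apt_key FILE KEY
# Prints the quoted value of the first active (not //-commented) KEY line,
# or nothing if the key is absent or only present commented out.
get_apt_key() {
    awk -v key="$2" '
        $1 == key { split($0, q, "\""); print q[2]; exit }
    ' "$1"
}

# configure_unattended FILE MAIL_ADDRESS
# The settings from the walkthrough (mail reports to this address, reboot
# automatically when an update needs it) plus a fixed reboot time so the
# restart happens off-peak rather than whenever the run finishes.
configure_unattended() {
    set_apt_key "$1" Unattended-Upgrade::Mail "$2"
    set_apt_key "$1" Unattended-Upgrade::Automatic-Reboot true
    set_apt_key "$1" Unattended-Upgrade::Automatic-Reboot-Time 03:00
}

# Usage on the real file (script name "unattended.sh" is an assumption),
# followed by the dry run from the article:
#   sudo sh -c '. ./unattended.sh; configure_unattended /etc/apt/apt.conf.d/50unattended-upgrades admin@example.com'
#   get_apt_key /etc/apt/apt.conf.d/50unattended-upgrades Unattended-Upgrade::Automatic-Reboot
#   sudo unattended-upgrades --dry-run
```

Reading the value back with get_apt_key after editing is the quick check that the key is active rather than still commented out, which is the usual reason an "automatic" reboot never happens.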