I have created a scripts that handle these tasks for you, available `here`_.

First thing we need to do is create an sources list specifically for security.

sudo grep "-security" /etc/apt/sources.list | sudo grep -v "#" > /etc/apt/security.sources.list

Now that this is done we can simply continue to use the command below to trigger security-only upgrades

sudo apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list

Note

This will work until you upgrade your distro (e.g. 10.04 -> 12.04), at which point you will need to re-run the first command to regenerate the security.sources.list file.

The command below no longer works, for an updated version that does work and should continue to work (until you upgrade to a new distro version e.g. 10.04 -> 12.04) please see `here`_.

Really simple, should work for most cases, I’ve not found anything wrong with it.

sudo aptitude update && sudo aptitude install '?and(~U,~Asecurity)'

Installation

Simple, if it’s not installed already then run the following commands

sudo apt-get install iptables
sudo /etc/init.d/iptables start

The safest and best way of configuring iptables, in my opinion, is to have two files. The first is a temporary/test set that you will save to first, the second is the actual rule set that will be loaded to iptables.

Configuration

So, first we’ll create an empty temp rules file

sudo touch /etc/iptables.temp.rules

Add some simple rules to it:

*filter
# Allows all loopback traffic and drop all traffic to 127/8 that doesn't use lo

-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
-A OUTPUT -j ACCEPT

#SSH
-A INPUT -p tcp -m …

Server security is something I’ve always tried to keep myself up-to-date on. I have at least a dozen RSS feeds that I read daily to learn about the latest flaws, holes releases etc. That being said I am by no means an “expert”, I’ve learned what I’ve needed to learn over time. I like to think that over the years I’ve gained enough knowledge to almost completely secure servers with all the programs installed that I generally use.

The aim of this article is to introduce you to some of the programs I use for security and some config changes that can be made to other programs to make them more secure. It is aimed at web servers but other changes work anywhere, like the SSH changes.

SSH

We’ll start with a very simple change that makes a very big difference, a change to the …