How to Implement a Security Policy on Ubuntu

What Do I Need?

  • Any Dedicated or Virtual Server
  • Ubuntu

What is a Security Policy?

Linux-based operating systems are amazing; however, they’re not the most secure by default, and more configurations are required for a new web server installation in order to ensure it’s properly hardened and secure from bad actors. Making sure you’ve got a plan and strategy in place for the protection of your client’s systems, especially if the server is mission-critical, is absolutely paramount.

  1. User Management

    User management is one of the most important tasks of any security plan. Balancing your users’ access requirements and everyday needs against the overall security of the server requires a clear view of those objectives, so that users have the tools they need to get the job done while the other users’ privacy and security stay protected. There are three different types or levels of user access:
    • Root – this is the main administrator of the server. The root account has full access to everything on the server. The root user can lock down or loosen user roles, set file permissions and ownership, limit folder access, install and remove services and applications, repartition drives, and essentially modify any area of the server’s infrastructure. Root users are effectively the gods of the server.
    • Super User – this is a user who’s been granted special access to a Linux application called sudo. The super user has elevated rights to run a function or program as another user. This user will be included in a specific group called the sudo group. The rules that apply to this user are defined in the sudoers file (/etc/sudoers, edited with the visudo command), which outlines and limits their access and can only be initially modified by the root user.
    • A User – this is a regular user who’s been set up using the adduser command and given access, and who owns the files and folders within the user’s /home/user/ directory as defined by the basic settings in the /etc/skel/.profile file.
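  2. Enforce Strong Passwords
    1. Because passwords are one of the mainstays in the user’s security arsenal, enforcing strong passwords is a must. Password complexity rules live in the /etc/pam.d/common-password file, while password aging is set per user with the chage command:
      chage -M 90 username
    2. This command simply states that the user’s password must be changed every 90 days. Note the uppercase -M (maximum password age); lowercase -m sets the minimum number of days between changes instead.
    3. For complexity, add a pam_cracklib rule to the password section of /etc/pam.d/common-password:
      password    requisite   pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
    4. This rule allows three attempts at choosing a new password and requires at least eight characters. Because negative credit values set minimums, it also demands at least one lowercase letter, two uppercase letters, two digits, and one other character.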

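  3. Restrict Use of Old Passwords
    1. Open the /etc/pam.d/common-password file:
      sudo nano /etc/pam.d/common-password

    2. Add the following line to the auth section. Be aware that nullok lets an account with an empty password authenticate, which is the condition the next section checks for.
      auth        sufficient  pam_unix.so likeauth nullok
    3. Add the following line to the password section to disallow a user from re-using the last five of his or her passwords. The md5 option selects the hash used for stored passwords; if the pam_unix line already in your file names a stronger scheme such as sha512, keep that and add only remember=5.
      password    sufficient  pam_unix.so nullok use_authtok md5 shadow remember=5
    4. Only the last five passwords are remembered by the server. If you tried to use any of the five old passwords, you’d get an error like:
      Password has been already used. Choose another.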
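
To confirm that a PAM file actually carries the settings from the two sections above, the following added example (not part of the original guide) scans PAM rules for the complexity and history values this page configures and flags the nullok and md5 options. The function name audit_pam and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# audit_pam: read PAM rules on stdin and print one WARN line per finding.
# Thresholds (minlen 8, remember 5) are the values this page configures.
audit_pam() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        $1 != "auth" && $1 != "password" { next }  # other stacks are ignored
        {
            for (i = 2; i <= NF; i++) {
                if ($1 == "auth" && $i == "nullok") nullok = 1
                if ($1 != "password") continue
                if ($i ~ /pam_(cracklib|pwquality)\.so$/) quality = 1
                if ($i ~ /^minlen=/)   minlen = substr($i, 8) + 0
                if ($i ~ /^remember=/) remember = substr($i, 10) + 0
                if ($i == "md5")       md5 = 1
            }
        }
        END {
            if (!quality)     print "WARN no password-quality module"
            if (minlen < 8)   print "WARN minlen below 8"
            if (remember < 5) print "WARN remember below 5"
            if (nullok)       print "WARN auth nullok permits empty passwords"
            if (md5)          print "WARN md5 password hashing"
        }'
}

# Constructed sample: the rules as this page gives them.
PAGE_RULES='auth        sufficient  pam_unix.so likeauth nullok
password    requisite   pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
password    sufficient  pam_unix.so nullok use_authtok md5 shadow remember=5'

# Constructed sample: same rules without auth nullok, hashing with sha512.
HARDENED_RULES='auth        sufficient  pam_unix.so likeauth
password    requisite   pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
password    sufficient  pam_unix.so use_authtok sha512 shadow remember=5'

# Show the findings for the rules as given on this page.
printf '%s\n' "$PAGE_RULES" | audit_pam
```

On a real host, feed it the live files, for example: cat /etc/pam.d/common-auth /etc/pam.d/common-password | audit_pam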

  4. Checking Accounts for Empty Passwords

    Any account with an empty password is open to unauthorized access by anyone on the web, so you must make sure all accounts have strong passwords and no one has any unauthorized access. Empty-password accounts are security risks and are easily hackable. To check whether there are any accounts with an empty password, use the following command (reading /etc/shadow requires root):
    sudo awk -F: '($2==""){print $1}' /etc/shadow
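
The one-liner above can be extended into a small audit that also verifies the 90-day maximum age set earlier with chage. This is an added example, not part of the original guide; the function names and the sample shadow entries are constructed, and locked accounts (password field starting with ! or *) are skipped for the age check because they cannot log in with a password.

```shell
#!/bin/sh
# audit_shadow: read shadow(5)-format lines on stdin and report
#   EMPTY <user>   password field is empty (login without a password)
#   MAXAGE <user>  maximum password age (field 5) unset or above the limit
# The limit defaults to 90 days, the value used with chage on this page.
audit_shadow() {
    max_days="${1:-90}"
    awk -F: -v max="$max_days" '
        $2 == ""                 { print "EMPTY " $1; next }
        $2 ~ /^[!*]/             { next }   # locked account, no password login
        $5 == "" || $5+0 > max+0 { print "MAXAGE " $1 }
    '
}

# Constructed sample entries (hashes are placeholders, not real values).
SAMPLE_SHADOW='root:!:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:90:7:::
bob::19000:0:99999:7:::
carol:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::'

audit_sample() { printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 90; }

# Show the findings for the constructed sample.
audit_sample
```

On a real host, run it as root against the live file: audit_shadow 90 < /etc/shadow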

Conclusion

Console security simply implies that limiting access to the physical server itself is key to ensuring that only those with the proper access can reach the server. Anyone who has access to the server can gain entry, reboot it, remove hard drives, disconnect cables, or even power it down. To obstruct malicious actors with harmful intent, make sure that servers are kept in a secure location. Another step we can take is to disable the Ctrl+Alt+Delete function. To accomplish this run the following commands:

systemctl mask ctrl-alt-del.target
systemctl daemon-reload

Be sure to keep a lookout for more how-to guides in the future on setting policies to secure your systems effectively.
