All Linux servers are locked down to the highest security standards possible. All services are off by default and all ports are shut. Only the required services are started.
To lock down a server:-
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install openssh-server denyhosts vim oracle-java7-installer postgresql landscape-client htop lynx-cur
Ubuntu has a simple firewall configuration tool called ufw which is really just a simplified iptables interface.
sudo ufw allow ssh
sudo ufw allow imap
sudo ufw allow http
sudo ufw allow https
sudo ufw disable
sudo ufw enable
Redirect the privileged ports 80 (http) and 443 (https) up to a port range that can be accessed by the low permission user running the web service. The redirection can be done with the following iptables rules (nat table):
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
Avoid running any custom code or the web server as a high permission user. A security flaw in either the web server or your code will be exploited with the permissions of the user that runs the web server.
sudo groupadd www-data
sudo useradd -g www-data -m -s /bin/bash webapps
Never allow direct ssh access to the ROOT account or any other functional account such as webapps. Each administrator who should have access to these accounts must log in under their own user account and then sudo to the correct functional account.
To block all SSH access to ROOT add the option "PermitRootLogin no" to /etc/ssh/sshd_config
sudo vi /etc/ssh/sshd_config <--- PermitRootLogin no
Raising the open file limits below will help the server handle DoS attacks and cope with a large number of slow clients.
Set the system wide maximum file handles:-
sudo vi /etc/sysctl.conf
fs.file-max=65535
Allow the low permission user 'webapps' (via its www-data group) to open the maximum possible number of files.
sudo vi /etc/security/limits.conf
@www-data soft nofile 65535
@www-data hard nofile 65535
After rebooting, check that the maximum number of open files has been increased.
sudo -u webapps -i "ulimit -a"
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 386171
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65535
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 386171
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
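As an added example (not part of the original guide), the script below audits the sshd_config, sysctl.conf and limits.conf settings described above. It applies sshd's first-match rule for PermitRootLogin, so a "no" placed after an earlier "yes" is correctly reported as not disabled; the sample files written to the $SAMPLES directory are constructed here and stand in for the real files.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the sshd, sysctl and
# limits.conf settings described above. Each function takes a file path, so it
# runs here against constructed samples and can be pointed at the real files.

# sshd honours the FIRST uncommented PermitRootLogin directive; a later
# "PermitRootLogin no" does not override an earlier "yes". Succeeds only when
# root login is explicitly disabled (a missing directive counts as not disabled).
root_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Value of fs.file-max from a sysctl.conf-style file (last assignment wins), 0 if unset.
sysctl_file_max() {
    awk -F '=' '$1 ~ /^[[:space:]]*fs\.file-max[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); v = $2 }
                END { print v + 0 }' "$1"
}

# Hard nofile limit from limits file $1 for group $2 (the @group domain).
# A "-" type sets soft and hard together; later lines override earlier ones.
group_nofile_hard() {
    awk -v g="@$2" '$1 == g && $3 == "nofile" && ($2 == "hard" || $2 == "-") { v = $4 }
                    END { print v + 0 }' "$1"
}

# Constructed sample files standing in for /etc/ssh/sshd_config,
# /etc/sysctl.conf and /etc/security/limits.conf.
SAMPLES=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' 'PasswordAuthentication yes' > "$SAMPLES/sshd_good"
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$SAMPLES/sshd_bad"   # first directive wins
printf '%s\n' '# sysctl settings' 'fs.file-max = 8192' 'fs.file-max=65535' > "$SAMPLES/sysctl.conf"
printf '%s\n' '# <domain> <type> <item> <value>' '@www-data soft nofile 65535' '@www-data hard nofile 65535' > "$SAMPLES/limits.conf"

for f in sshd_good sshd_bad; do
    if root_login_disabled "$SAMPLES/$f"; then
        echo "$f: root SSH login disabled"
    else
        echo "$f: root SSH login NOT disabled"
    fi
done
echo "fs.file-max = $(sysctl_file_max "$SAMPLES/sysctl.conf")"
echo "www-data hard nofile = $(group_nofile_hard "$SAMPLES/limits.conf" www-data)"
```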