
Security: tantoniazi/linux-server-bootstrap


docs/security.md

Security Configuration

This document describes the security measures applied by the bootstrap.

Automatic security updates

  • unattended-upgrades is installed and configured.
  • Configuration: /etc/apt/apt.conf.d/20auto-upgrades (turns on the daily package-list refresh and the unattended upgrade run; which repositories count as security sources is defined by Allowed-Origins in /etc/apt/apt.conf.d/50unattended-upgrades).
  • Security updates are applied automatically; package lists are updated daily.
  • To see what would be installed without changing anything: sudo unattended-upgrades --dry-run --debug

Firewall (UFW)

  • Default policy: deny incoming, allow outgoing.
  • Allowed incoming: SSH (22), HTTP (80), HTTPS (443).
  • UFW is enabled. Custom rules can be added in config/ufw/rules.sh (executable).
  • Ports published by Docker with -p are opened through Docker's own iptables chains and bypass UFW entirely. Bind such ports to the loopback address (e.g. -p 127.0.0.1:8080:8080) and expose them through Nginx rather than relying on the firewall.

Fail2ban

  • Jail configuration: config/fail2ban/jail.local, installed as /etc/fail2ban/jail.local
  • Default settings: maxretry = 5, bantime = 1h, findtime = 10m (five failures from one address within ten minutes ban that address for one hour)
  • Jails:
    • sshd — protects SSH
    • nginx-http-auth — matches failed HTTP Basic authentication (auth_basic) in the Nginx error log; it does not see application-level login forms, which need their own filter

Commands:

  • Status of all jails: sudo fail2ban-client status
  • Status of one jail, including the currently banned addresses: sudo fail2ban-client status sshd
  • Unban: sudo fail2ban-client set sshd unbanip <IP>

SSH hardening

  • Applied via /etc/ssh/sshd_config.d/99-bootstrap-hardening.conf (drop-in).
  • PermitRootLogin — set to no (use the deploy user and sudo).
  • MaxAuthTries — 3.
  • PubkeyAuthentication — yes.
  • PermitEmptyPasswords — no.
  • X11Forwarding — no.
  • PasswordAuthentication — left as yes by default; set to no only after the deploy user has key-based access.
  • Caveat on drop-in precedence: sshd keeps the first value it reads for a keyword and reads sshd_config.d in lexical order, so a lower-numbered drop-in wins over 99-bootstrap-hardening.conf for any keyword both set. Ubuntu cloud images ship /etc/ssh/sshd_config.d/50-cloud-init.conf with PasswordAuthentication yes, which would silently override a later no. Always confirm the effective value with sudo sshd -T | grep -i passwordauthentication rather than trusting the file.

Kernel hardening (sysctl)

  • Configuration: config/sysctl/hardening.conf, installed as /etc/sysctl.d/99-hardening.conf
  • RP filter — IP spoofing protection (reverse path filtering).
  • ICMP redirects — disabled.
  • TCP SYN cookies — enabled.
  • Source routing — disabled.
  • Log martians — enabled (logs suspicious packets).
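Both the SSH hardening and the sysctl sections describe intended state; what matters is the effective state after every drop-in, cloud-init file and runtime change has been applied. Here is an added audit script (not part of the bootstrap) that compares `sshd -T` and `sysctl -a` dumps against the values this page lists. The sshd keywords come from the SSH hardening section above; the sysctl key names (and rp_filter = 1 rather than 2) are assumptions about what the bootstrap's hardening.conf sets, and the two dumps the demo reads are constructed.

```shell
#!/bin/sh
# Added example (not part of the bootstrap): audit the *effective* sshd and kernel settings
# against the values docs/security.md says are applied, so a competing drop-in or a runtime
# sysctl change shows up as drift. On the host, produce the dumps with:
#   sudo sshd -T > /tmp/sshd.txt                # lowercase "keyword value" lines
#   sysctl -a 2>/dev/null > /tmp/sysctl.txt     # "key = value" lines
# Both formats are read the same way: first field is the key, last field is the value.

# effective_value <dump-file> <key>: print the value recorded for key (empty if absent)
effective_value() {
  awk -v k="$2" '$1 == k { print $NF; exit }' "$1"
}

# check_settings <dump-file> key=want...: one line per mismatch; returns the mismatch count
check_settings() {
  _dump=$1; shift; _bad=0
  for _kv in "$@"; do
    _key=${_kv%%=*}; _want=${_kv#*=}
    _got=$(effective_value "$_dump" "$_key")
    if [ "$_got" != "$_want" ]; then
      echo "FAIL $_key: want '$_want', effective '${_got:-<unset>}'"
      _bad=$((_bad + 1))
    fi
  done
  return "$_bad"
}

# The bootstrap leaves PasswordAuthentication at yes on purpose; surface it instead of failing on it
warn_password_auth() {
  if [ "$(effective_value "$1" passwordauthentication)" = "yes" ]; then
    echo "WARN passwordauthentication is yes: set it to no once the deploy user has key-based access"
  fi
  return 0
}

# Values from the SSH hardening section of this document
SSHD_EXPECTED="permitrootlogin=no maxauthtries=3 pubkeyauthentication=yes permitemptypasswords=no x11forwarding=no"
# Kernel keys and values are an assumption about which sysctls hardening.conf sets
SYSCTL_EXPECTED="net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.accept_redirects=0 \
net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.all.log_martians=1 net.ipv4.tcp_syncookies=1"

# write_sample_dumps <dir>: constructed dumps, each with one deliberate drift, for the offline demo
write_sample_dumps() {
  mkdir -p "$1"
  cat > "$1/sshd.txt" <<'EOF'
port 22
permitrootlogin no
maxauthtries 6
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no
x11forwarding no
EOF
  cat > "$1/sysctl.txt" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
EOF
}

dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
write_sample_dumps "$dir"
# word-splitting the expected lists into key=want arguments is intended
check_settings "$dir/sshd.txt" $SSHD_EXPECTED
warn_password_auth "$dir/sshd.txt"
check_settings "$dir/sysctl.txt" $SYSCTL_EXPECTED
```

Run against real dumps, a non-zero return from check_settings is the signal to look at /etc/ssh/sshd_config.d/ for a lower-numbered drop-in or at /etc/sysctl.d/ for a file that sorts after 99-hardening.conf; the value reported as effective is the one the kernel or sshd is actually using.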

Nginx

  • Server tokens — disabled (hides the Nginx version in the Server header and error pages).
  • Security headers (via snippet):
    • X-Frame-Options: SAMEORIGIN
    • X-Content-Type-Options: nosniff
    • X-XSS-Protection: 1; mode=block (deprecated: current browsers have removed the XSS auditor and ignore this header; a Content-Security-Policy is the control that actually mitigates XSS today)
    • Referrer-Policy: strict-origin-when-cross-origin
  • Caveat: Nginx does not merge add_header directives across levels. A location block that declares any add_header of its own drops every header inherited from the server block, so the snippet must be included again in each such location, and the headers should be verified per path (curl -sI https://host/path) rather than only on /.

Deploy user

  • Dedicated non-root user for deployments.
  • Sudo access (NOPASSWD by default; restrict in /etc/sudoers.d/deploy if required).
  • Member of the docker group for running containers. This makes the account root-equivalent: anyone who can reach the Docker socket can start a container with the host filesystem mounted, so treat the deploy user as an administrator account and protect its SSH key accordingly.
  • Root SSH login disabled; use this user and sudo for administration.
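The bootstrap's NOPASSWD grant covers every command; narrowing it to what a deployment actually runs is the "restrict in /etc/sudoers.d/deploy" step the list above leaves to the operator. Here is an added example (not the project's own code) that writes such a drop-in and validates it with visudo. The unit name, the binary paths and the chosen commands are assumptions for illustration, and the demo writes into a scratch directory; on a host you would call it as root with "/" as the argument. It narrows what sudo grants, but because the deploy user is in the docker group it does not make the account unprivileged.

```shell
#!/bin/sh
# Added example (not part of the bootstrap): replace the deploy user's blanket NOPASSWD with
# an allow-list of the commands a deployment actually needs. Unit and binary paths are
# assumptions for illustration. On the host, as root: install_deploy_sudoers /

# install_deploy_sudoers <root-dir>: write <root-dir>/etc/sudoers.d/deploy and validate it
install_deploy_sudoers() {
  _file="${1%/}/etc/sudoers.d/deploy"
  mkdir -p "$(dirname "$_file")"
  cat > "$_file" <<'EOF'
# Deploy user sudo policy. sudoers applies the LAST matching rule, so the general
# password-protected rule comes first and the NOPASSWD allow-list comes last.
Cmnd_Alias DEPLOY_CMDS = /usr/bin/systemctl restart myapp.service, \
                         /usr/bin/systemctl reload nginx.service, \
                         /usr/sbin/ufw status verbose
deploy ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: DEPLOY_CMDS
EOF
  # sudo rejects drop-ins that are writable by group or others or not owned by root;
  # 0440 is the mode visudo itself uses. Ownership is root when this runs as root.
  chmod 0440 "$_file"
  # A syntax error in any drop-in breaks sudo for every user, so validate before relying on it
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$_file"
  else
    echo "visudo not found here; on the host run: visudo -cf $_file" >&2
  fi
}

# Offline demo into a scratch directory; the real target is "/"
scratch=$(mktemp -d); trap 'rm -rf "$scratch"' EXIT
install_deploy_sudoers "$scratch"
cat "$scratch/etc/sudoers.d/deploy"
```

The rule order is the part that is easy to get wrong: with the two deploy lines swapped, `sudo systemctl restart myapp.service` matches both rules and sudo applies the last one, so it prompts for a password and the allow-list is never used. Avoid shell metacharacters and wildcards in Cmnd_Alias entries; `sudo systemctl restart myapp.service` is exact, while `/usr/bin/systemctl *` would grant `systemctl start` of an attacker-controlled unit.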

Checklist

  • SSH key in place for deploy before disabling root/password login
  • Firewall allows only required ports; custom app ports added in config/ufw/rules.sh if needed
  • SSL/TLS via Certbot for any public HTTP(S) sites
  • Fail2ban jails and bantime reviewed for your environment
  • Sudo and deploy user permissions reviewed (e.g. restrict NOPASSWD if needed)
