Is there any complete Ubuntu server hardening document which will suffice for ISO 27001 or PCI DSS or any other security standard?
-
Is https://help.ubuntu.com/11.10/serverguide/C/security.html what you are looking for, or do you need something more advanced? – htorque Jan 09 '12 at 13:05
-
A little more research in the question would be appreciated. – viyyer Jan 09 '12 at 14:56
-
"Server security" is a broad topic; it sort of depends on which server. Whole books have been written about Apache security, mod_security, AppArmor, etc. It is overwhelming at first, but you need to start and keep on reading. – Panther Jan 09 '12 at 17:05
-
Thanks for the response. I'm looking for production server security hardening which will suffice for ISO 27001 or PCI DSS or any other security standard. – Tapas Jan 10 '12 at 06:39
-
@Tapas Please edit your question to provide a better scope. Saying "how do I secure my server" is too vague to be answerable. Use the Edit button to include actionable items, links and references to any ideas you're looking to implement, etc. – Marco Ceppi Jan 10 '12 at 20:04
3 Answers
I don't know of any official Ubuntu server hardening document, but hopefully the following will give you a good starting point:
NIST (National Institute of Standards and Technology) publishes guidelines on how to secure *nix systems. This is what the big boys use as a starting point (DOD, Army, etc.).
Also check out this SANS institute paper. This list is also a good rule of thumb.
You can use tools like Nessus, OpenVAS, and other vulnerability scanners to give you an idea of what ports and services need to be shut down, as well.
The National Vulnerability Database is a good site to cross-reference your software configuration against, as well.
If you are trying for compliance with ISO 27001, then ISO should have documentation and a checklist for this sort of thing (although it's a B*tch to look through).
Sorry if this is too general, I hope it helps.
The above answer is a great one, but my only personal preference is the CIS Debian Hardening Guide that can be found at: http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.debian.100
There are a number of hardening guides out there that are utilized; the industry standard that many frameworks look to, specifically PCI-DSS, is the CIS Benchmarks put out by the Center for Internet Security (CIS). The CIS guidelines not only provide guidance for operating systems such as Windows, Linux and AIX, they also have hardening guidelines for many of the services they run, such as Apache, MySQL, Oracle, WebLogic, SQL Server, IIS, etc. Commercialized tools also utilize their plugins when doing vulnerability and security checks with scanning products. There are also security-specific items to load for varying tasks, such as IDS/IPS at the network or HIDS at the host, as well as tools installed to detect configuration and unauthorized change, parse and review logs for abnormal activity, etc. I have been building and hardening servers for the past 20+ years, so if you have any more detailed questions I would be happy to try and answer them.