After a fresh Ubuntu installation, these initial steps create your security foundation:
# Update package indexes and upgrade all packages
sudo apt update && sudo apt upgrade -y
# Enable automatic security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
UFW (Uncomplicated Firewall) provides simple management for iptables:
# Install UFW if not present
sudo apt install ufw
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
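# Allow essential ports
# 'ssh' opens port 22 only; if sshd is moved to port 2222 as shown below, allow 2222/tcp as well before enabling the firewall
sudo ufw allow ssh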
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
Secure your primary remote access method:
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
# Recommended changes (comments sit on their own lines because older OpenSSH releases reject trailing text after a value):
# Change default port
Port 2222
# Disable root login
PermitRootLogin no
# Require key-based auth
PasswordAuthentication no
# Limit login attempts
MaxAuthTries 3
# Set timeout
ClientAliveInterval 300
Proper user setup minimizes privilege escalation risks:
# Create deployment user
sudo adduser deployer
sudo usermod -aG sudo deployer
# Set up SSH keys (the directory belongs to deployer, so these commands need sudo)
sudo mkdir -p /home/deployer/.ssh
sudo chmod 700 /home/deployer/.ssh
sudo nano /home/deployer/.ssh/authorized_keys
sudo chmod 600 /home/deployer/.ssh/authorized_keys
sudo chown -R deployer:deployer /home/deployer/.ssh
Environment configuration for your application:
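# Database credentials in environment variables
# Note: /etc/environment is world-readable by default, so every local user can read values stored here
echo 'export DATABASE_URL="postgresql://user:password@localhost/db_name"' | sudo tee -a /etc/environment
# Secret key base (run from the application directory so that rake secret can generate the value)
echo "export SECRET_KEY_BASE=$(rake secret)" | sudo tee -a /etc/environment > /dev/null
source /etc/environment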
Essential tools for maintaining security posture:
# Install fail2ban for brute force protection
sudo apt install fail2ban
# Basic log monitoring setup
sudo apt install logwatch
sudo nano /etc/logwatch/conf/logwatch.conf
Restrict access to sensitive directories:
# Set proper permissions for Rails
sudo chmod -R 750 /var/www/your_app
sudo chown -R deployer:www-data /var/www/your_app
# Protect configuration files
sudo chmod 600 /etc/nginx/sites-available/your_app
Schedule these for ongoing security:
# Add to root's crontab (sudo crontab -e); apt and aide need root, and aide and certbot must already be installed
0 3 * * * apt update && apt upgrade -y
0 4 * * * /usr/sbin/aide --check
30 4 * * 0 /usr/bin/certbot renew
Remember to test all changes in a staging environment before applying to production. Security is an ongoing process, not a one-time setup.
Before anything else, ensure your package repositories are up-to-date:
sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y
Never run applications as root. Create a deployment user with restricted privileges:
sudo adduser deployer
sudo usermod -aG sudo deployer
Set up SSH keys for secure authentication:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Edit /etc/ssh/sshd_config with these crucial settings:
# Change default port
Port 2222
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 60
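Editing the file does not guarantee that sshd uses these values: sshd keeps the first occurrence of each keyword, so an earlier line or an included file can override them. The check below is an added example, not part of the original guide; the function names `sshd_value` and `audit_sshd` and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example: compare sshd settings with the values this page recommends.
# Values from the page, as lowercase "keyword value" pairs.
EXPECTED='port 2222
permitrootlogin no
passwordauthentication no
x11forwarding no
maxauthtries 3'

# Print the value sshd would use for keyword $2 (lowercase) in file $1.
sshd_value() {
  awk -v want="$2" '
    /^[ \t]*(#|$)/         { next }                     # comments and blank lines
    tolower($1) == "match" { exit }                     # global settings end at the first Match block
    tolower($1) == want    { print tolower($2); exit }  # sshd keeps the first occurrence
  ' "$1"
}

# Print one FAIL line per deviation; the exit status is the number of deviations.
audit_sshd() {
  fails=0
  while read -r key want; do
    got=$(sshd_value "$1" "$key")
    [ "$got" = "$want" ] && continue
    echo "FAIL $key: want $want, got ${got:-unset}"
    fails=$((fails + 1))
  done <<EOF
$EXPECTED
EOF
  return "$fails"
}

# Constructed sample: the first line overrides the later "no", just as a
# setting placed earlier in the file (or in an included file) would.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
Port 2222
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
EOF
audit_sshd "$sample" || echo "deviations: $?"
rm -f "$sample"
```

On a live host, save the output of `sudo sshd -T` (the effective configuration, with included files resolved) to a file and pass that file to `audit_sshd`.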
Remember to restart SSH:
# On Ubuntu the service unit is named ssh
sudo systemctl restart ssh
Set up Uncomplicated Firewall with minimal rules:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp # Your custom SSH port
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Enable unattended security updates:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
Protect against brute force attacks:
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Customize the jail.local file with stricter settings.
For your Rails application:
# In config/environments/production.rb
config.force_ssl = true
config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'DENY',
  'X-Content-Type-Options' => 'nosniff',
  'X-XSS-Protection' => '1; mode=block'
}
PostgreSQL example (common with Rails):
# In /etc/postgresql/version/main/pg_hba.conf
# Replace peer/md5 with scram-sha-256
local all all scram-sha-256
host all all 127.0.0.1/32 scram-sha-256
Consider running your Rails app with:
- Systemd for process management
- Docker containers for isolation
- AppArmor/SELinux for mandatory access control
Install and configure logwatch:
sudo apt install logwatch
sudo nano /etc/cron.daily/00logwatch
Set up regular log audits and monitoring scripts.