Server Security – Production-Ready Hardened Edition of Ubuntu Server


By default, Ubuntu Server is not very secure:

  1. Automatic security updates are not enabled
  2. The 'ufw' firewall is not enabled
  3. SSH key-based logins have to be explicitly created
  4. and so on…

For my own personal use, I have followed guides such as http://hardenubuntu.com/ to turn on unattended-upgrades, install fail2ban, etc. But now I am running a business in the cloud and don't want to repeat all these steps manually every time I spin up a new instance. Is there an Ubuntu distro/variant that comes with "production-ready" security and doesn't need to be manually hardened? Solutions using configuration management tools (Chef, Puppet, Ansible, etc.) will also work.

And if there is NOT such a thing, why not?

Best Answer

If you're looking for these features you need to use the Ubuntu Cloud image instead of the traditional server image.

  1. Security updates are turned on by default and new images are published every few weeks with the updates rolled in.
  2. In cloud environments the networking is usually restricted out of the box, but if you want to use ufw you can turn it on.
  3. The cloud images only accept login via ssh; you can use cloud-init to create/use whatever keys, as well as user data, if you'd like: https://help.ubuntu.com/community/CloudInit

From your comments it looks like you want to automate your deployment with Ansible. Ansible with cloud-init is a popular pattern in the cloud, and there are lots of guides on how to do that; here's one as a start:

Here are a bunch of examples of configuration for cloud-init that you can use to derive custom configs of your own:
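As an added example (not part of the original answer, and not one of the upstream cloud-init samples), here is a cloud-config user-data file that applies the hardening steps listed in the question on first boot of an Ubuntu cloud image: security updates via unattended-upgrades, ufw with a default-deny inbound policy, key-only SSH for a non-root admin user, and a fail2ban jail for sshd. The user name `deploy`, the public-key placeholder, the drop-in file paths and the assumption that the image runs Ubuntu 20.04 or newer (whose sshd_config includes `/etc/ssh/sshd_config.d/*.conf`) are assumptions of this example.

```yaml
#cloud-config
# Added example, not from the original answer: first-boot hardening for an
# Ubuntu cloud image. Replace the placeholder key; adjust the user name and
# paths to taste. Assumes Ubuntu 20.04 or newer.

package_update: true
package_upgrade: true
packages:
  - unattended-upgrades
  - fail2ban
  - ufw

# Key-based SSH only, and no direct root login.
ssh_pwauth: false
disable_root: true

# NOTE: listing users here replaces the image's default 'ubuntu' user;
# add "- default" to the list if you want to keep it.
users:
  - name: deploy                      # assumed admin user name
    groups: [sudo]
    shell: /bin/bash
    lock_passwd: true                 # no password at all; keys only
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]  # needed because the account has no password
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...REPLACE_WITH_YOUR_PUBLIC_KEY deploy@workstation

write_files:
  # Turn on daily unattended security upgrades (what
  # `dpkg-reconfigure unattended-upgrades` writes interactively).
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    permissions: "0644"
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
  # sshd hardening drop-in; kept separate so package upgrades of
  # /etc/ssh/sshd_config do not clobber it.
  - path: /etc/ssh/sshd_config.d/50-hardening.conf
    permissions: "0644"
    content: |
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      PermitRootLogin no
      X11Forwarding no
      MaxAuthTries 3
  # fail2ban overrides belong in jail.local, never in jail.conf.
  - path: /etc/fail2ban/jail.local
    permissions: "0644"
    content: |
      [DEFAULT]
      bantime  = 1h
      findtime = 10m
      maxretry = 5

      [sshd]
      enabled = true

runcmd:
  # Default-deny inbound, allow SSH, then enable ufw non-interactively
  # (--force skips the "may disrupt existing ssh connections" prompt).
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow OpenSSH
  - ufw --force enable
  - systemctl enable --now fail2ban
  - systemctl restart ssh
```

Pass the file as the instance's user data (for example with `--user-data` in the AWS CLI, or the equivalent field in your cloud console or Ansible cloud module). After the first boot, `cloud-init status --wait` reports whether every module finished, and `sudo ufw status verbose`, `sudo fail2ban-client status sshd` and `sudo unattended-upgrade --dry-run --debug` confirm that each of the three controls is actually in effect rather than just installed. Allowing OpenSSH before `ufw --force enable` matters: enabling the firewall first on a remote instance locks you out.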
