Secure the Server

Install sudo package:

# apt-get -y install sudo

Add a user to log in with instead of the root account (you can choose another name for better security):

# adduser --gecos "" admin

Allow admin to use sudo by adding admin to the sudo group:

# usermod -a -G sudo admin

Create a group for users that are allowed to connect remotely:

# addgroup ssh-clients

Before configuring the ssh restrictions, add the admin user to the ssh-clients group:

# usermod -a -G ssh-clients admin

Configure the allowed group and disable root login via ssh. To do this, edit /etc/ssh/sshd_config as follows:

# vi /etc/ssh/sshd_config
...
PermitRootLogin no
...
AllowGroups ssh-clients

or execute the following commands from the command prompt (the pattern also matches a commented-out default line, which otherwise stays in effect):

# sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# echo "AllowGroups ssh-clients" >> /etc/ssh/sshd_config

Optionally, change the default port for ssh connections by editing /etc/ssh/sshd_config again:

# vi /etc/ssh/sshd_config
...
Port 5678

or by executing the following command (Debian ships the default as a commented "#Port 22" line, so the pattern must match the leading "#" too, otherwise the change has no effect):

# sed -i 's/^#\?Port 22/Port 5678/' /etc/ssh/sshd_config

Use a different port number in a real configuration for better security. It should be greater than 1024 and should not match any frequently used port number, such as 3306 (MySQL) or 5432 (PgSQL).

Apply changes:

# /etc/init.d/ssh reload

Then reconnect to the machine with the new user's credentials. Keep the current session open until the new login has been verified.

Optionally, set up key-based authentication by following the corresponding section in the Adding user instruction.

Firewall

Drop all TCP packets with no flags set:

# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "Flags: NONE"

Drop new TCP connections that do not begin with a SYN packet:

# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "Flags: ALL"

Drop XMAS packets (all TCP flags set at once):

# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP -m comment --comment "XMAS"

Allow all types of packets for loopback interface (lo):

# iptables -A INPUT -i lo -j ACCEPT -m comment --comment "LO"

Allow the HTTP, HTTPS, SMTP, POP3, IMAP, and SSH ports. If you moved ssh to another port above, use that port instead of 22 in the SSH rule, otherwise the ruleset locks you out of the machine:

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "HTTP"
# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS"
# iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT  -m comment --comment "SMTP"
# iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT -m comment --comment "SMTPS"
# iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT -m comment --comment "POP3"
# iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT -m comment --comment "POP3S"
# iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT -m comment --comment "IMAP"
# iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "IMAPS"
# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "SSH"
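
The lock-out risk just mentioned is easy to check before reloading the firewall. The script below is an added example, not part of the original instructions: it reads the effective Port and PermitRootLogin values from an sshd_config file and confirms that the saved iptables-save ruleset has an INPUT ACCEPT rule for that TCP port. The sample sshd_config and firewall.conf it writes under a temporary directory are constructed for the demonstration, with sshd moved to port 5678 while the firewall still only opens tcp/22.

```sh
# Added example: cross-check the sshd port against the saved iptables ruleset.
# Effective sshd port: first active "Port" directive, else the default 22.
# A commented "#Port 22" line, as shipped by Debian, is not a directive.
sshd_port() {
    awk 'tolower($1) == "port" { print $2; exit }' "$1" | grep . || echo 22
}
# Effective PermitRootLogin value; "default" when the file does not set it.
sshd_permit_root() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1" | grep . || echo default
}
# Print 1 if the iptables-save file has an INPUT ACCEPT rule for tcp/<port>, else 0.
fw_accepts_tcp() {
    grep -E -- "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT" "$1" >/dev/null && echo 1 || echo 0
}

# Full check: one OK/FAIL line per finding; non-zero exit status on any FAIL.
check_ssh_exposure() {
    port=$(sshd_port "$1"); rc=0
    if [ "$(sshd_permit_root "$1")" = no ]; then
        echo "OK: PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is not 'no'"; rc=1
    fi
    if [ "$(fw_accepts_tcp "$2" "$port")" -eq 1 ]; then
        echo "OK: firewall accepts ssh on tcp/$port"
    else
        echo "FAIL: sshd listens on tcp/$port but the firewall has no ACCEPT rule for it"; rc=1
    fi
    return $rc
}

# Constructed sample files (not copied from a real system): sshd was moved to
# port 5678 and root login disabled, but the firewall still only opens tcp/22.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#Port 22
Port 5678
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/firewall.conf" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
COMMIT
EOF
check_ssh_exposure "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/firewall.conf" || echo "check failed with status $?"
```

On a real host, point the two arguments at /etc/ssh/sshd_config and /etc/firewall.conf before running iptables-restore.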

Allow PING requests:

# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "ECHO"

Allow packets that belong to established or related connections (inserted at the top of the chain with -I so it is evaluated before the other rules):

# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Connected"

Block everything else and allow all outgoing connections:

# iptables -P OUTPUT ACCEPT
# iptables -P INPUT DROP

Save the rules to the firewall configuration file:

# iptables-save > /etc/firewall.conf

Load the firewall rules on network interface startup:

# tee /etc/network/if-up.d/iptables << EOF
#!/bin/sh
iptables-restore < /etc/firewall.conf
EOF
# chmod +x /etc/network/if-up.d/iptables

The following set of instructions creates the same rules for IPv6:

# ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "Flags: NONE"
# ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "Flags: ALL"
# ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP -m comment --comment "XMAS"
# ip6tables -A INPUT -i lo -j ACCEPT -m comment --comment "LO"
# ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "HTTP"
# ip6tables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS"
# ip6tables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT  -m comment --comment "SMTP"
# ip6tables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT -m comment --comment "SMTPS"
# ip6tables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT -m comment --comment "POP3"
# ip6tables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT -m comment --comment "POP3S"
# ip6tables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT -m comment --comment "IMAP"
# ip6tables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "IMAPS"
# ip6tables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "SSH"
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT -m comment --comment "ECHO"
# ip6tables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Connected"
# ip6tables -P OUTPUT ACCEPT
# ip6tables -P INPUT DROP
# ip6tables-save > /etc/firewall6.conf
# tee /etc/network/if-up.d/ip6tables << EOF
#!/bin/sh
ip6tables-restore < /etc/firewall6.conf
EOF
# chmod +x /etc/network/if-up.d/ip6tables

Based on:

Auditing

From Security-HOWTO:

Find SUID/SGID programs:

# find / -type f \( -perm -04000 -o -perm -02000 \)

Find world-writable files:

# find / -perm -2 ! -type l -ls

Find unowned files:

# find / \( -nouser -o -nogroup \) -print

Further reading