Is there any complete Ubuntu server hardening document which will suffice for ISO 27001 or PCI DSS or any other security standard?
3 Answers
I don't know of any official Ubuntu server hardening document, but hopefully the following will give you a good starting point:
NIST (National Institute of Standards and Technology) publishes guidelines on how to secure *nix systems. This is what the big boys use as a starting point (DoD, Army, etc.).
Also check out this SANS institute paper. This list is also a good rule of thumb.
You can use tools like Nessus, OpenVAS, and other vulnerability scanners to give you an idea of what ports and services need to be shut down, as well.
The National Vulnerability Database is a good site to cross-reference your software configuration against, as well.
If you are trying for compliance with ISO 27001, then ISO should have documentation and a checklist for this sort of thing (although it's a B*tch to look through).
Sorry if this is too general, I hope it helps.
The above answer is a great one, but my only personal preference is the CIS Debian Hardening Guide that can be found at: http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.debian.100
There are a number of hardening guides out there that are utilized; the industry standard that many frameworks look to, specifically PCI-DSS, is the CIS Benchmarks put out by the Center for Internet Security (CIS). The CIS guidelines not only provide guidance for operating systems such as Windows, Linux and AIX, they also have hardening guidelines for many of the services they run, such as Apache, MySQL, Oracle, WebLogic, SQL Server, IIS, etc. Commercialized tools also utilize their plugins when doing vulnerability and security checks with scanning products.

There are also security-specific items to load for varying tasks, such as IDS/IPS at the network, or HIDS at the host, and tools installed to detect configuration and unauthorized change, parse and review logs for un-normal activity, etc.

I have been building and hardening servers for the past 20+ years, so if you have any more detailed questions I would be happy to try and answer them.
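As an added example, not part of any of the answers above and not taken from any CIS document: a small POSIX shell audit in the spirit of the benchmark checks and change-detection tooling the last answer describes. The sshd keywords are real OpenSSH `sshd_config` options; the expected values are an assumption chosen to mirror common hardening recommendations, so treat the checklist as a template to align with whichever benchmark you are actually being assessed against. The baseline functions record SHA-256 hashes of a configuration tree once, after hardening, and later report files that were modified, removed or newly added.

```shell
#!/bin/sh
# Added example: a minimal CIS-style configuration audit for an Ubuntu
# server. The sshd option names are real OpenSSH keywords; the expected
# values below are an assumption, not quoted from any benchmark.

# sshd_setting FILE KEYWORD -> prints the effective value of KEYWORD in
# FILE in lower case, or "unset". As in sshd_config, the first
# uncommented occurrence wins. Both "Key value" and "Key=value" forms are
# accepted. Limitation (assumption of this example): lines inside Match
# blocks are not treated specially.
sshd_setting() {
    file=$1; key=$2
    val=$(grep -i "^[[:space:]]*${key}[[:space:]=]" "$file" 2>/dev/null \
          | head -n 1 \
          | sed 's/^[[:space:]]*//; s/^[^[:space:]=]*[[:space:]=]*//; s/[[:space:]].*//' \
          | tr 'A-Z' 'a-z')
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'unset\n'
}

# audit_sshd FILE -> prints one PASS/FAIL line per check and returns the
# number of failing checks (0 means every check passed). The KEY=VALUE
# pairs are the assumed checklist; edit them to match your benchmark.
audit_sshd() {
    file=$1; fails=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no X11Forwarding=no \
                MaxAuthTries=4 LogLevel=info; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_setting "$file" "$key")
        if [ "$got" = "$want" ]; then
            printf 'PASS %s = %s\n' "$key" "$got"
        else
            printf 'FAIL %s = %s (expected %s)\n' "$key" "$got" "$want"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# baseline_create DIR OUTFILE -> record the SHA-256 of every regular file
# under DIR, sorted by path. Run once on the freshly hardened system and
# keep OUTFILE off-host so an intruder cannot rewrite it.
baseline_create() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# baseline_check DIR BASEFILE -> returns 0 if every recorded file is
# unchanged; otherwise prints the modified or missing files and returns
# nonzero. Newly added files are not covered here (see baseline_new_files).
baseline_check() {
    ( cd "$1" && sha256sum -c --quiet ) < "$2"
}

# baseline_new_files DIR BASEFILE -> prints files present under DIR that
# are absent from the baseline. The baseline paths are listed twice so
# that, after sorting, only paths seen exactly once (i.e. new files)
# survive "uniq -u".
baseline_new_files() {
    {
        ( cd "$1" && find . -type f )
        sed 's/^[0-9a-f]*  //' "$2"
        sed 's/^[0-9a-f]*  //' "$2"
    } | LC_ALL=C sort | uniq -u
}

# Usage when run as a script: sh harden-audit.sh /etc/ssh/sshd_config
# (exit status is the number of failed sshd checks).
if [ "$#" -eq 1 ]; then
    audit_sshd "$1"
fi
```

A typical workflow is `baseline_create /etc /secure/etc-baseline.sha256` right after hardening, then a scheduled job that runs `baseline_check` and `baseline_new_files` against that file and alerts on any output; the sshd audit is the kind of check a scanner plugin performs, expressed so you can read exactly what it expects.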