## Environment Summary

- Server: Ubuntu 20.04 LTS (Lightsail)
- Services Running:
  - Apache2 (2 websites)
  - Email Server (Postfix/Dovecot assumed)
  - Log Server (Syslog or custom logging)
- Goals: Audit for vulnerabilities, misconfiguration, and unnecessary exposure. Harden the system and prepare a final report.
## Audit Checklist (Manual + Scripted)

### 1. SSH Security Review

```bash
cat /etc/ssh/sshd_config
```

- [x] Check for `PermitRootLogin`, `PasswordAuthentication`, `Port`, `MaxAuthTries`, `AllowUsers`
- [x] Enforced a non-root sudo user with SSH key authentication
- [x] Changed SSH port to 2222
- [x] Set `MaxAuthTries 3`, `LoginGraceTime 30`, `AllowUsers clientadmin`
- [x] Used Fail2Ban to block brute-force attempts

```bash
sudo apt install fail2ban -y
```
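The review above is done by eye with `cat`. The script below is an added example (not part of the original write-up or the auditor's own scripts) that checks an `sshd_config` file against the exact values the checklist settled on (port 2222, `MaxAuthTries 3`, `LoginGraceTime 30`, `AllowUsers clientadmin`, root login and password authentication off). The function names, the `FINDING:`/`OK:` output format and the two sample config files are assumptions made for the example; the samples are constructed and not taken from any real host.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config against the checklist's hardened values.
# Usage on a real host:  sshd_audit /etc/ssh/sshd_config

# Effective value of one directive. sshd honours the FIRST uncommented
# occurrence of a keyword, so only the first match is printed (keywords are
# case-insensitive). For multi-valued keywords such as AllowUsers this prints
# only the first value.
sshd_get() {   # sshd_get <config-file> <Directive>
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# One line per directive: OK when it matches the expected value, FINDING when
# it is unset (the sshd default applies) or set to something else.
sshd_audit() {   # sshd_audit <config-file>
    local cfg="$1" pair key want val
    # expected values are the ones the checklist applied (assumption: one user)
    local expected="PermitRootLogin=no PasswordAuthentication=no Port=2222 MaxAuthTries=3 LoginGraceTime=30 AllowUsers=clientadmin"
    for pair in $expected; do
        key="${pair%%=*}"; want="${pair#*=}"
        val="$(sshd_get "$cfg" "$key")"
        if [ -z "$val" ]; then
            echo "FINDING: $key not set (sshd default applies)"
        elif [ "$val" != "$want" ]; then
            echo "FINDING: $key is '$val', expected '$want'"
        else
            echo "OK:      $key $val"
        fi
    done
}

# Number of FINDING lines for a config (0 means hardened as described).
sshd_finding_count() {   # sshd_finding_count <config-file>
    sshd_audit "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Constructed sample: a stock-looking config before hardening.
weak_sshd_sample() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed sshd_config excerpt, pre-hardening
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
EOF
    echo "$f"
}

# Constructed sample: the config after the checklist's changes. The duplicate
# PermitRootLogin at the end is ignored by sshd (first match wins), and the
# checker mirrors that.
hardened_sshd_sample() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers clientadmin
PermitRootLogin yes
EOF
    echo "$f"
}

# Stand-alone run: audit both constructed samples.
if [ -z "${SSHD_AUDIT_NO_DEMO:-}" ]; then
    for sample in "$(weak_sshd_sample)" "$(hardened_sshd_sample)"; do
        echo "== $sample"
        sshd_audit "$sample"
        echo "findings: $(sshd_finding_count "$sample")"
        rm -f "$sample"
    done
fi
```

Two caveats when running this against a live host: directives placed inside a `Match` block apply only to the matched users or addresses, and this checker does not distinguish them from global settings; and `sshd -T` prints the fully resolved configuration (including defaults and any `Include`d files), so comparing against its output instead of the raw file avoids both problems.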
### 2. User and Group Audit

```bash
getent passwd | awk -F: '$3 >= 1000 {print $1}'
sudo getent group sudo
lastlog
```

- [x] Removed unused users
- [x] Checked for users with shell access but no clear role
- [x] Reviewed `sudoers`, disabled passwordless sudo where not needed
- [x] Ran `lastlog` and `who` to check logins
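The three commands above answer the questions separately. As an added example (not from the original post), the script below joins them: it lists the human accounts that still have a login shell, marks which of them are in the `sudo` group, and prints any `NOPASSWD` rule from a sudoers file, so "shell access but no clear role" and "passwordless sudo" show up in one report. It reads the files as arguments so it can run on `/etc/passwd`, `/etc/group` and `/etc/sudoers` (plus `/etc/sudoers.d/*`) or on the constructed samples included here; function names, the report format and the sample accounts are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example: human accounts with a login shell, their sudo membership,
# and passwordless sudo rules, from passwd/group/sudoers-format files.

# "name uid shell" for UIDs in the human range that can still log in
# (nologin/false shells are skipped; 65534 is nobody).
login_users() {   # login_users <passwd-file>
    awk -F: '$3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ { print $1, $3, $7 }' "$1"
}

# Members of the sudo group, one per line.
sudo_members() {   # sudo_members <group-file>
    awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Uncommented sudoers lines that grant passwordless sudo.
nopasswd_rules() {   # nopasswd_rules <sudoers-file>...
    awk '!/^[[:space:]]*#/ && /NOPASSWD/' "$@"
}

# Combined report: LOGIN / LOGIN+SUDO per account, then NOPASSWD rules.
user_audit() {   # user_audit <passwd-file> <group-file> <sudoers-file>
    local members; members=" $(sudo_members "$2" | tr '\n' ' ') "
    login_users "$1" | while read -r name uid shell; do
        case "$members" in
            *" $name "*) echo "LOGIN+SUDO: $name (uid $uid, $shell)" ;;
            *)           echo "LOGIN:      $name (uid $uid, $shell)" ;;
        esac
    done
    nopasswd_rules "$3" | sed 's/^/NOPASSWD:   /'
}

# Constructed samples (not real system files) for a stand-alone run.
passwd_sample() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
clientadmin:x:1000:1000::/home/clientadmin:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
backup-old:x:1002:1002::/home/backup-old:/usr/sbin/nologin
EOF
    echo "$f"
}

group_sample() {
    local f; f="$(mktemp)"
    printf 'root:x:0:\nsudo:x:27:clientadmin,deploy\nwww-data:x:33:\n' > "$f"
    echo "$f"
}

sudoers_sample() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
Defaults env_reset
# deploy ALL=(ALL) NOPASSWD: ALL   (commented out, must be ignored)
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
EOF
    echo "$f"
}

# Stand-alone run over the constructed samples.
if [ -z "${USER_AUDIT_NO_DEMO:-}" ]; then
    p="$(passwd_sample)"; g="$(group_sample)"; s="$(sudoers_sample)"
    user_audit "$p" "$g" "$s"
    rm -f "$p" "$g" "$s"
fi
```

On a live host the `sudo` group is not the only route to root: a `%adm`-style rule or a per-user line in `/etc/sudoers.d/` grants the same, so pass every sudoers fragment to `nopasswd_rules` and read the full rule set with `sudo -l -U <user>` for the accounts the report lists.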
### 3. Open Ports + Services Audit

```bash
sudo ss -tuln
sudo netstat -tuln | grep LISTEN
```

- [x] Open ports: 80, 443, 2222, 25/465/587 (email)
- [!] Found MySQL exposed on 3306 (locked down using UFW)
- [x] Disabled unused services using `systemctl disable xyz`
### 4. Firewall and Network Rules

```bash
sudo ufw status numbered
sudo iptables -L
```

- [x] UFW rules enforced for a minimal attack surface
- [x] Only 80, 443, 2222 and the email ports allowed
- [x] Deny inbound by default, outbound allowed
- [x] ICMP echo requests dropped (optional)
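Sections 3 and 4 share one question: is anything listening that the firewall policy (80, 443, 2222, 25/465/587) does not cover? The script below is an added example, not part of the original checklist, that parses `ss -tuln` output and flags every socket bound to a non-loopback address whose port is outside that allowlist; on the constructed sample it reproduces the MySQL finding. The function names and the sample output are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example: listening sockets versus the audit's port allowlist.
# Usage on a real host:  sudo ss -tuln | audit_listeners

ALLOWED_PORTS="80 443 2222 25 465 587"   # the ports the UFW policy permits

# "proto port bind-address" for each listening socket in ss -tuln output.
# Handles 0.0.0.0:3306, *:80, [::]:443, [::1]:631 and 127.0.0.53%lo:53.
parse_ss_listeners() {   # reads ss -tuln output on stdin
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
        addr = $5
        n = split(addr, parts, ":")                     # port follows the last ":"
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        gsub(/\[|\]/, "", host)                          # strip IPv6 brackets
        print $1, port, host
    }'
}

# Loopback-only sockets are fine; anything else must be on the allowlist.
audit_listeners() {   # reads ss -tuln output on stdin
    parse_ss_listeners | while read -r proto port host; do
        case "$host" in
            127.*|::1|::1%*) continue ;;
        esac
        allowed=no
        for p in $ALLOWED_PORTS; do
            if [ "$p" = "$port" ]; then allowed=yes; fi
        done
        if [ "$allowed" = yes ]; then
            echo "OK:      $proto/$port on $host"
        else
            echo "FINDING: $proto/$port on $host is not on the allowlist"
        fi
    done
}

listener_finding_count() {   # reads ss -tuln output on stdin
    audit_listeners | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Constructed ss -tuln output (not captured from a real host): the state the
# checklist describes before MySQL was locked down.
ss_sample() {
    cat <<'EOF'
Netid  State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port Process
udp    UNCONN  0       0        127.0.0.53%lo:53      0.0.0.0:*
tcp    LISTEN  0       128      0.0.0.0:2222          0.0.0.0:*
tcp    LISTEN  0       511      *:80                  *:*
tcp    LISTEN  0       511      *:443                 *:*
tcp    LISTEN  0       100      0.0.0.0:25            0.0.0.0:*
tcp    LISTEN  0       80       0.0.0.0:3306          0.0.0.0:*
tcp    LISTEN  0       128      [::1]:631             [::]:*
EOF
}

# Stand-alone run over the constructed sample.
if [ -z "${PORT_AUDIT_NO_DEMO:-}" ]; then
    ss_sample | audit_listeners
    echo "findings: $(ss_sample | listener_finding_count)"
fi
```

Blocking 3306 in UFW, as the checklist did, removes the exposure from the network, but the cleaner fix is to also bind MySQL to loopback (`bind-address = 127.0.0.1` in its config) so the socket disappears from this report entirely rather than relying on the firewall alone.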
### 5. Malware + Rootkit Scan

```bash
sudo apt install chkrootkit rkhunter lynis -y
sudo chkrootkit
sudo rkhunter --check
sudo lynis audit system
```

- [x] No rootkits found
- [x] Lynis reported outdated packages; fixed with a full system update
### 6. File System and SUID/SGID Audit

```bash
find / -perm /6000 -type f 2>/dev/null
```

- [x] Identified and reviewed all SUID/SGID binaries
- [x] Restricted or removed dangerous ones (e.g., `nmap`, `netcat` if present)
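A one-off `find` tells you what is setuid today; what the quarterly re-audit in the report needs is whether that set has changed. The script below is an added example (not from the original write-up) that snapshots SUID/SGID files as `mode owner group path` lines and diffs a saved baseline against the current snapshot, reporting added, removed and mode-changed binaries. The function names and the two sample snapshots are assumptions made for the example; the snapshots are constructed, not taken from the audited server.

```bash
#!/usr/bin/env bash
# Added example: SUID/SGID baseline and drift report.
# Real use:  suid_snapshot / > baseline.txt   (after the audit)
#            suid_snapshot / > current.txt; suid_diff baseline.txt current.txt

# "mode owner group path" for every SUID/SGID regular file below a directory,
# staying on one filesystem and sorted by path so snapshots are comparable.
suid_snapshot() {   # suid_snapshot <dir>
    find "$1" -xdev -type f -perm /6000 -exec stat -c '%a %U %G %n' {} + 2>/dev/null | sort -k4
}

# Diff two snapshots. Prints ADDED / REMOVED / CHANGED lines; no output means
# no drift since the baseline.
suid_diff() {   # suid_diff <baseline-file> <current-file>
    awk '
        NR == FNR { base[$4] = $1 " " $2 " " $3; next }          # first file = baseline
        {
            cur[$4] = $1 " " $2 " " $3
            if (!($4 in base))            print "ADDED:   " $0
            else if (base[$4] != cur[$4]) print "CHANGED: " $4 " (" base[$4] " -> " cur[$4] ")"
        }
        END { for (p in base) if (!(p in cur)) print "REMOVED: " p " (" base[p] ")" }
    ' "$1" "$2" | sort
}

# Constructed baseline: what the audit recorded, including the nmap SUID bit
# it then removed.
baseline_sample() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
4755 root root /usr/bin/nmap
4755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
2755 root shadow /usr/bin/chage
EOF
    echo "$f"
}

# Constructed "current" snapshot: nmap gone (expected), a new setuid helper
# under /usr/local/bin (unexpected) and chage's mode changed (unexpected).
current_sample() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
4755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
4755 root root /usr/local/bin/backup-helper
4755 root shadow /usr/bin/chage
EOF
    echo "$f"
}

# Stand-alone run over the constructed snapshots.
if [ -z "${SUID_AUDIT_NO_DEMO:-}" ]; then
    b="$(baseline_sample)"; c="$(current_sample)"
    suid_diff "$b" "$c"
    rm -f "$b" "$c"
fi
```

Keep the baseline somewhere the server cannot modify (in the audit repo, or on the log server), and expect `ADDED` lines after every package upgrade that ships a setuid binary; the lines that matter are additions outside the package manager's paths and any `CHANGED` mode on a file that was not upgraded.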
### 7. Package Audit

```bash
dpkg -l | grep -E "telnet|ftp|netcat"
```

- [!] Found legacy packages like `telnet` (removed)
- [x] Enabled unattended-upgrades for automatic patching

```bash
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
```
### 8. Apache and Website Security Review

```bash
cat /etc/apache2/sites-enabled/*.conf
```

- [x] Checked for missing `ServerTokens` and `ServerSignature` settings
- [x] Disabled `.htaccess` overrides where possible
- [x] Enabled HTTPS redirect and HSTS headers
- [x] Scanned site using:
### 9. Email Server Checks

```bash
sudo systemctl status postfix
sudo postconf -n
```

- [x] Verified SMTP AUTH and SSL/TLS on mail ports
- [x] Checked SPF/DKIM/DMARC DNS records
- [x] Checked `/var/log/mail.log` for spam attempts
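"Checked `/var/log/mail.log` for spam attempts" is easier to repeat, and to hand to Logwatch or Fail2Ban, as a script. The one below is an added example (not from the original write-up) that counts failed SASL logins per client IP in Postfix `smtpd` log lines, flags any source at or above a retry threshold (the same idea Fail2Ban's postfix-sasl jail applies live, here applied retrospectively), and counts relay-denied submissions. The function names, the threshold and the sample log lines are assumptions for the example; the sample uses documentation address ranges and is constructed, not copied from the audited server.

```bash
#!/usr/bin/env bash
# Added example: failed-auth and relay-abuse summary from Postfix mail.log.
# Real use:  sudo cat /var/log/mail.log | mail_auth_findings

THRESHOLD=5   # assumption: flag a source at 5+ failures, like Fail2Ban maxretry

# "count ip" per client, most failures first. The IP is the first dotted
# quad in brackets, which skips the "smtpd[pid]" token.
sasl_failures_by_ip() {   # reads mail.log lines on stdin
    awk '/postfix\/smtpd/ && /SASL .* authentication failed/ {
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                n[ip]++
            }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# FINDING for sources at/above THRESHOLD, INFO for the rest.
mail_auth_findings() {   # reads mail.log lines on stdin
    sasl_failures_by_ip | while read -r count ip; do
        if [ "$count" -ge "$THRESHOLD" ]; then
            echo "FINDING: $ip made $count failed SASL logins"
        else
            echo "INFO:    $ip made $count failed SASL logins"
        fi
    done
}

# Submissions Postfix refused to relay (open-relay probing shows up here).
relay_denied_count() {   # reads mail.log lines on stdin
    awk '/NOQUEUE: reject:/ && /Relay access denied/ { n++ } END { print n + 0 }'
}

# Constructed mail.log excerpt: one source with six SASL failures, one with
# two failures plus a relay attempt, and one legitimate authenticated client.
mail_log_sample() {
    local i
    echo 'Feb 22 10:15:01 mail postfix/smtpd[2101]: connect from unknown[203.0.113.5]'
    for i in 1 2 3 4 5 6; do
        echo "Feb 22 10:15:0$i mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    done
    for i in 1 2; do
        echo "Feb 22 10:20:1$i mail postfix/smtpd[2140]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure"
    done
    echo 'Feb 22 10:22:30 mail postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <user@example.com>: Relay access denied; from=<spam@example.net> to=<user@example.com> proto=ESMTP helo=<example.net>'
    echo 'Feb 22 10:30:00 mail postfix/smtpd[2160]: 1A2B3C: client=mail.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=clientadmin'
}

# Stand-alone run over the constructed excerpt.
if [ -z "${MAIL_AUDIT_NO_DEMO:-}" ]; then
    mail_log_sample | mail_auth_findings
    echo "relay denied: $(mail_log_sample | relay_denied_count)"
fi
```

A source that trips the threshold here but was never banned is a sign the Fail2Ban jail for Postfix is not enabled (the checklist only installs Fail2Ban for SSH); enabling the `postfix-sasl` jail closes that gap.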
### 10. Log Configuration and Centralization

```bash
ls /var/log/
sudo cat /etc/rsyslog.conf
```

- [x] Verified logs were rotated and stored properly
- [x] Installed and configured `logwatch` for daily summaries
- Optional: Configured central logging to a secondary log server (client-dependent)
## Sample Summary Report (Client Delivered)

## Security Audit Summary - Client Lightsail Server

**Date:** 2025-02-22

**Auditor:** mkcloudai.com
### Key Fixes

- Disabled root login
- Enforced SSH keys
- Closed exposed MySQL port
- Hardened Apache2 and added SSL
- Scanned for malware/rootkits
- Hardened UFW rules
- Cleaned up unused users/services
**Score (pre-audit):** 45/100

**Score (post-audit):** 85/100 (based on CIS + Lynis)

**Recommendations:**

- Enable 2FA for admin panel/email
- Monitor logs via Fail2Ban + Logwatch
- Perform quarterly audits
## Final Deliverables Recap

- Security audit scripts
- Audit report (Markdown/PDF)
- Hardened system
- SSL setup and troubleshooting
- Email + website confirmed working
- GitHub repo and full write-up