
{"id":59,"date":"2025-05-31T10:03:27","date_gmt":"2025-05-31T09:03:27","guid":{"rendered":"https:\/\/blog.mkcloudai.com\/?p=59"},"modified":"2025-05-31T10:06:09","modified_gmt":"2025-05-31T09:06:09","slug":"deep-security-audit-of-ubuntu-lightsail-server","status":"publish","type":"post","link":"https:\/\/blog.mkcloudai.com\/?p=59","title":{"rendered":"Deep Security Audit of Ubuntu Lightsail Server"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">\u2699\ufe0f Environment Summary:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Server:<\/strong> Ubuntu 20.04 LTS (Lightsail)<\/li>\n\n\n\n<li><strong>Services Running:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Apache2 (2 websites)<\/li>\n\n\n\n<li>Email Server (Postfix\/Dovecot assumed)<\/li>\n\n\n\n<li>Log Server (Syslog or custom logging)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Goals:<\/strong> Audit for vulnerabilities, misconfiguration, and unnecessary exposure. Harden system and prepare a final report.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\uddfe Audit Checklist (Manual + Scripted)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83d\udd10 1. 
SSH Security Review<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cat \/etc\/ssh\/sshd_config<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2714\ufe0f Check for <code>PermitRootLogin<\/code>, <code>PasswordAuthentication<\/code>, <code>Port<\/code>, <code>MaxAuthTries<\/code>, <code>AllowUsers<\/code><\/li>\n\n\n\n<li>\u2714\ufe0f Enforced <strong>non-root<\/strong> sudo user with SSH key<\/li>\n\n\n\n<li>\u2714\ufe0f Changed SSH port to 2222<\/li>\n\n\n\n<li>\u2714\ufe0f Set <code>MaxAuthTries 3<\/code>, <code>LoginGraceTime 30<\/code>, <code>AllowUsers clientadmin<\/code><\/li>\n\n\n\n<li>\ud83d\udee0\ufe0f Used Fail2Ban to block brute-force attempts<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt install fail2ban -y<br><\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83d\udd10 2. User and Group Audit<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>getent passwd | awk -F: '$3 &gt;= 1000 {print $1}'<br>sudo getent group sudo<br>lastlog<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2714\ufe0f Removed unused users<\/li>\n\n\n\n<li>\u2714\ufe0f Checked for users with shell access but no clear role<\/li>\n\n\n\n<li>\u2714\ufe0f Reviewed <code>sudoers<\/code>, disabled passwordless sudo where not needed<\/li>\n\n\n\n<li>\u2714\ufe0f Ran <code>lastlog<\/code> and <code>who<\/code> to check logins<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83d\udd10 3. 
Open Ports + Services Audit<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ss -tuln<br>sudo netstat -tuln | grep LISTEN<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2714\ufe0f Open ports: 80, 443, 2222, 25\/465\/587 (email)<\/li>\n\n\n\n<li>\u274c Found MySQL exposed on 3306 (locked down using UFW)<\/li>\n\n\n\n<li>\u2714\ufe0f Disabled unused services using <code>systemctl disable xyz<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83d\udd25 4. Firewall and Network Rules<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw status numbered<br>sudo iptables -L<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2714\ufe0f UFW rules enforced for minimal surface<\/li>\n\n\n\n<li>\u2714\ufe0f Only 80, 443, 2222, email ports allowed<\/li>\n\n\n\n<li>\u2714\ufe0f Deny by default + outbound allowed<\/li>\n\n\n\n<li>\u2714\ufe0f ICMP echo requests dropped (optional)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83d\udc0d 5. Malware + Rootkit Scan<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt install chkrootkit rkhunter lynis -y<br>sudo chkrootkit<br>sudo rkhunter --check<br>sudo lynis audit system<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2714\ufe0f No rootkits found<\/li>\n\n\n\n<li>\u2714\ufe0f Lynis reported outdated packages, fixed with full system update<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83e\uddea 6. 
File System and SUID\/SGID Audit<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>find \/ -perm \/6000 -type f 2&gt;\/dev\/null<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2714\ufe0f Identified and reviewed all SUID binaries<\/li>\n\n\n\n<li>\u2714\ufe0f Restricted or removed dangerous ones (e.g., <code>nmap<\/code>, <code>netcat<\/code> if present)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83d\udce6 7. Package Audit<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dpkg -l | grep -E \"telnet|ftp|netcat\"<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u274c Found legacy packages like <code>telnet<\/code> (removed)<\/li>\n\n\n\n<li>\u2714\ufe0f Enabled unattended-upgrades for automatic patching<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt install unattended-upgrades<br>sudo dpkg-reconfigure unattended-upgrades<br><\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83d\udd10 8. Apache and Website Security Review<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cat \/etc\/apache2\/sites-enabled\/*.conf<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2714\ufe0f Checked for missing <code>ServerTokens<\/code>, <code>ServerSignature<\/code><\/li>\n\n\n\n<li>\u2714\ufe0f Disabled <code>.htaccess<\/code> overrides where possible<\/li>\n\n\n\n<li>\u2714\ufe0f Enabled HTTPS redirect, HSTS headers<\/li>\n\n\n\n<li>\u2714\ufe0f Scanned site using:\n<ul class=\"wp-block-list\">\n<li><a>SSL Labs<\/a><\/li>\n\n\n\n<li><a class=\"\" href=\"https:\/\/securityheaders.com\/\">SecurityHeaders.com<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83d\udce7 9. 
Email Server Checks<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo systemctl status postfix<br>sudo postconf -n<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2714\ufe0f Verified SMTP AUTH, SSL on mail ports<\/li>\n\n\n\n<li>\u2714\ufe0f Checked SPF\/DKIM\/DMARC DNS records<\/li>\n\n\n\n<li>\u2714\ufe0f Checked <code>\/var\/log\/mail.log<\/code> for spam attempts<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">\ud83d\udcc2 10. Log Configuration and Centralization<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls \/var\/log\/<br>sudo cat \/etc\/rsyslog.conf<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2714\ufe0f Verified logs were rotated and stored properly<\/li>\n\n\n\n<li>\u2714\ufe0f Installed and configured <code>logwatch<\/code> for daily summaries<\/li>\n\n\n\n<li>Optional: Configured central logging to a secondary log server (client-dependent)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udccb Sample Summary Report (Client Delivered)<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>## Security Audit Summary \u2013 Client Lightsail Server<br><br>**Date:** 2025-02-22  <br>**Auditor:** mkcloudai.com  <br><br>### Key Fixes:<br>- Disabled root login<br>- Enforced SSH keys<br>- Closed exposed MySQL port<br>- Hardened Apache2 and added SSL<br>- Scanned for malware\/rootkits<br>- Hardened UFW rules<br>- Cleaned up unused users\/services<br><br>**Score (pre-audit):** 45\/100  <br>**Score (post-audit):** 85\/100 (based on CIS + Lynis)<br><br>**Recommendations:**<br>- Enable 2FA for admin panel\/email<br>- Monitor logs via Fail2Ban + Logwatch<br>- Perform quarterly audits<br><\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Final Deliverables Recap:<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Security audit scripts<\/li>\n\n\n\n<li>Audit report (Markdown\/PDF)<\/li>\n\n\n\n<li>Hardened system<\/li>\n\n\n\n<li>SSL setup and troubleshooting<\/li>\n\n\n\n<li>Email + website confirmed working<\/li>\n\n\n\n<li>GitHub repo and full write-up <\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u2699\ufe0f Environment Summary: \ud83e\uddfe Audit Checklist (Manual + Scripted) \ud83d\udd10 1. SSH Security Review cat \/etc\/ssh\/sshd_config sudo apt install fail2ban [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"normal-width-container","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[8,4,9],"tags":[],"class_list":["post-59","post","type-post","status-publish","format-standard","hentry","category-how-to","category-linux","category-tutorial"],"_links":{"self":[{"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=\/wp\/v2\/posts\/59","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=59"}],"version-history":[{"count":3,"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=\/wp\/v2\/posts\/59\/revisions"}],"predecessor-version":[{"id":62,"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=\/wp\/v2\/posts\/59\/revisions\/62"}],"wp:attachment":[{"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=59"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=59"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mkcloudai.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=59"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}