DevOps Security: Best Practices for Linux Instance Hardening
Hemant Sawant
In today’s fast-paced DevOps environments, ensuring the security of your Linux instances is critical. With continuous deployment and automation, a misconfigured server can quickly become a vulnerability.
This guide will walk you through:
- Provisioning an Ubuntu instance in AWS using Terraform
- Implementing security best practices on first boot: a UFW firewall, SSH hardening, Fail2ban, password-aging policies and unattended security updates
- Checking the result against the CIS Benchmark with OpenSCAP and InSpec
By the end, you'll have a hardened Ubuntu instance in AWS with a repeatable CIS compliance scan, a baseline you can build enterprise DevOps pipelines on. The hardening script is a first layer, not a certificate: "CIS-compliant" is something you verify with the scan in section 4, and the scan will show which of the benchmark's controls are still open.
1. Prerequisites
Before you start, ensure you have:
- An AWS account with permissions to create instances.
- Terraform installed on your local machine.
- AWS CLI configured (aws configure).
- An SSH key pair (e.g., ~/.ssh/id_rsa.pub).
Step 1: Create an AWS Account (If You Don’t Have One)
If you don't have an AWS account yet, follow these steps:
1. Go to the AWS sign-up page (AWS Console).
2. Click "Create an AWS Account."
3. Provide your email, password, and payment details (AWS Free Tier is available).
4. Follow the identity verification process.
5. Log in to the AWS Management Console.
Tip: The AWS Free Tier has offered a t2.micro instance (750 hours per month) free for 12 months; check the current Free Tier terms, as they change. Do not use the root account for day-to-day work: create an IAM user (or an IAM Identity Center user) with MFA, and keep the root credentials locked away.
Step 2: Install Terraform
Terraform is an Infrastructure as Code (IaC) tool that helps automate AWS instance creation. Terraform is not in the default Ubuntu/Debian repositories, so a plain apt install terraform fails; add HashiCorp's signed repository first (this is HashiCorp's documented procedure):
For Debian/Ubuntu:
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install -y terraform
Compare the fingerprint printed by the second command with the one published in HashiCorp's install documentation before trusting the repository; the signed-by option then pins package verification to that key alone.
For macOS (Homebrew):
brew tap hashicorp/tap && brew install hashicorp/tap/terraform
For Windows:
1. Download Terraform from the Terraform website.
2. Extract and add Terraform to your system PATH.
3. Open Command Prompt and run:
terraform --version
Tip: If Terraform is installed correctly, you should see the version number.
Step 3: Install AWS CLI
The AWS CLI (Command Line Interface) allows you to interact with AWS services from your terminal.
For Linux (x86_64):
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
AWS publishes a PGP signature (.sig) for the Linux zip; verifying it as described in the AWS CLI install guide is worth the extra minute for a tool that will hold your cloud credentials.
For macOS:
curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
sudo installer -pkg AWSCLIV2.pkg -target /
For Windows:
1. Download the AWS CLI MSI installer.
2. Run the installer and follow the setup instructions.
Verify Installation:
aws --version
Tip: You should see something like aws-cli/2.x.x in the output.
Step 4: Configure AWS CLI with Your Credentials
Once AWS CLI is installed, configure it using:
aws configure
You'll be asked to provide:
- AWS Access Key ID
- AWS Secret Access Key
- Default region name (e.g., us-east-1, the region used in main.tf below)
- Default output format (json is fine)
Tip: You can find your Access Key ID and Secret Access Key in the AWS IAM Console under "Users" → Security Credentials. Create them for an IAM user that has only the permissions this tutorial needs (EC2, and later CloudTrail, GuardDuty and AWS Backup), never for the root account. Where your organisation allows it, prefer short-lived credentials (aws configure sso with IAM Identity Center) over long-lived access keys sitting in ~/.aws/credentials.
Step 5: Generate an SSH Key Pair
An SSH key pair is needed to securely connect to your AWS instance.
To generate a key pair:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
1. Press Enter when asked for a file location (~/.ssh/id_rsa).
2. Set a passphrase. ssh-keygen allows an empty one, but an unencrypted private key copied off your laptop is a working credential for the instance, so use a passphrase and let ssh-agent cache it.
3. Your keys will be stored in ~/.ssh/.
Tip: The public key (id_rsa.pub) will be added to your AWS instance, and the private key (id_rsa) stays on your local machine with mode 600. EC2 also accepts ED25519 keys (ssh-keygen -t ed25519), which are shorter and the current default recommendation; if you use one, change the file("~/.ssh/id_rsa.pub") path in main.tf to match.
Step 6: Verify Everything Before Proceeding
- AWS CLI is installed and configured (aws --version; aws sts get-caller-identity should show the IAM identity you expect)
- Terraform is installed (terraform --version)
- SSH key pair is generated (ls ~/.ssh/id_rsa.pub)
- You have AWS IAM permissions to create EC2 instances
Now you're ready to deploy a secure Linux instance!
2. Setting Up Terraform for AWS Ubuntu Instance
A. Create Your Working Directory
mkdir ubuntu-hardening && cd ubuntu-hardening
B. Terraform Configuration (main.tf)
Instead of hardcoding an AMI, we use the aws_ami data source to fetch the latest Ubuntu AMI dynamically. The lookup is restricted to Canonical's account ID, which is what stops a look-alike image published by someone else from being selected by a name match alone:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # Change to your preferred region
}

# Fetch latest Ubuntu AMI dynamically. The owners filter is the security
# control here: without it, any account could publish an AMI whose name
# matches the pattern and have it selected.
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical's AWS account ID

  filter {
    name = "name"
    # 22.04 LTS. Keep this on a release still in standard support, and
    # matching the OpenSCAP content you scan with in section 4.
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

# AWS Key Pair
resource "aws_key_pair" "deployer" {
  key_name   = "deployer-key"
  public_key = file("~/.ssh/id_rsa.pub")
}

# Security Group - Restrict SSH to Your IP
resource "aws_security_group" "ubuntu_hardening" {
  name        = "ubuntu_hardening_sg"
  description = "Security group for hardened Ubuntu instance"

  ingress {
    description = "SSH from the admin workstation only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["YOUR_IP/32"] # Replace with your actual public IP
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Launch Ubuntu Instance with Security Hardening
resource "aws_instance" "ubuntu_instance" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  key_name      = aws_key_pair.deployer.key_name

  # Reference the group by ID. security_groups (by name) only works in the
  # default VPC and forces instance replacement when the group changes.
  vpc_security_group_ids = [aws_security_group.ubuntu_hardening.id]

  # Require IMDSv2, so a request-forgery bug in anything running on the
  # host cannot fetch the instance role's credentials with a plain GET.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    encrypted = true
  }

  # Runs once, as root, on first boot via cloud-init
  user_data = file("${path.module}/hardening.sh")

  tags = {
    Name = "HardenedUbuntuInstance"
  }
}
C. Create the Hardening Script (hardening.sh)
cloud-init runs this file once, as root, on the instance's first boot; its output ends up in /var/log/cloud-init-output.log on the instance, which is where to look when a step does not take effect.
#!/bin/bash
# Runs once as root under cloud-init on first boot; output goes to /var/log/cloud-init-output.log.
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive   # apt must never wait for a prompt here
echo "[INFO] Updating System Packages..."
apt-get update -y && apt-get upgrade -y
echo "[INFO] Enabling UFW Firewall..."
apt-get install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw limit 22/tcp                        # allow SSH, but rate-limit repeated connection attempts
ufw --force enable
echo "[INFO] Securing SSH..."
# Ubuntu ships these directives commented out, so a sed on "^PermitRootLogin" matches nothing.
# A drop-in under sshd_config.d (pulled in by the Include at the top of sshd_config) is
# explicit and survives package upgrades.
cat > /etc/ssh/sshd_config.d/99-hardening.conf <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 4
EOF
sshd -t                                 # validate first; restarting on a typo locks you out
systemctl restart ssh
echo "[INFO] Installing Fail2ban..."
apt-get install -y fail2ban
# Recent Ubuntu images log only to the journal (no /var/log/auth.log); point the jail at systemd.
cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = true
backend = systemd
maxretry = 5
findtime = 600
bantime = 3600
EOF
systemctl enable --now fail2ban
echo "[INFO] Enforcing Password Policies..."
# login.defs only applies to accounts created from now on; fix existing ones with chage -M 90 <user>.
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 14/' /etc/login.defs
echo "[INFO] Installing Unattended Security Updates..."
apt-get install -y unattended-upgrades
# Same result as dpkg-reconfigure -plow unattended-upgrades, without needing a terminal.
cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
echo "[INFO] Initial Hardening Completed."
D. Deploy the Instance
terraform init
terraform plan -out=tfplan
terraform apply tfplan
Read the plan before applying it. -auto-approve belongs in a pipeline that has already reviewed a saved plan, not on a workstation where a typo in the security group CIDR (0.0.0.0/0 instead of your /32) would go live unread. Once the instance is up, take its public IP from the console or aws ec2 describe-instances, connect with ssh -i ~/.ssh/id_rsa ubuntu@<public-ip>, and confirm the "[INFO]" lines from hardening.sh in /var/log/cloud-init-output.log.
3. Detailed Hardening Steps Explained
- Firewall Protection (UFW): default-deny inbound, allow outbound, SSH the only port open. Together with the security group this gives two independent layers, so a mistake in one (an over-broad CIDR, a forgotten ufw rule) is still caught by the other.
- SSH Hardening: root login disabled and key-based authentication enforced. Verify the result with sudo sshd -T, which prints the effective configuration after Include'd drop-ins and compiled defaults are resolved; reading sshd_config alone can mislead you.
- Fail2ban - Intrusion Prevention: watches sshd authentication failures and adds a firewall rule banning the source address after maxretry failures inside findtime. It blunts brute force; it does not replace key-only authentication.
- Enforcing Strong Password Policies: maximum password age 90 days, minimum age 7, warning 14 days before expiry. These login.defs values apply to accounts created afterwards; accounts that already exist keep their old values until chage is run on them.
- Automated Security Updates: unattended-upgrades installs packages from the security pocket daily, so a published CVE does not stay open until someone remembers to log in.
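The two steps above that are easiest to get wrong silently are SSH (a sed that matches nothing leaves the default in place) and password aging (login.defs does not touch existing accounts). The script below is an added verification aid, not part of the original article or of hardening.sh: it audits the effective sshd settings from `sshd -T` output and the per-account maximum age from a shadow file. The SSH checks cover the settings the script is meant to produce plus two CIS recommendations added here (X11Forwarding no, MaxAuthTries 4); the two input files are constructed samples so the script runs offline, and on a real instance you would feed it `sudo sshd -T` output and /etc/shadow.

```shell
#!/usr/bin/env bash
# Added verification script (not from the original article). Audits the
# outcome of hardening from the *effective* sshd configuration (sshd -T)
# and from /etc/shadow. Grepping sshd_config is not enough: Ubuntu assembles
# the live config from Include'd drop-ins plus compiled-in defaults.
# Real-host usage (both need root):
#   sudo sshd -T > /tmp/sshd-effective.txt && audit_sshd /tmp/sshd-effective.txt
#   sudo cp /etc/shadow /tmp/shadow.copy && audit_password_aging /tmp/shadow.copy 90

sshd_setting_is() {   # $1 = sshd -T dump, $2 = key (lowercase), $3 = wanted value
  got=$(awk -v k="$2" '$1 == k { print $2; exit }' "$1")
  [ "$got" = "$3" ]
}

# Audit the SSH settings the hardening is meant to produce (root login off,
# password auth off, key auth on) plus two CIS recommendations added here
# (X11Forwarding no, MaxAuthTries 4). Prints one line per check and returns
# the number of failed checks, so a return of 0 means everything matched.
audit_sshd() {   # $1 = sshd -T dump
  failures=0
  for pair in permitrootlogin=no passwordauthentication=no \
              pubkeyauthentication=yes x11forwarding=no maxauthtries=4; do
    key=${pair%%=*}; want=${pair#*=}
    if sshd_setting_is "$1" "$key" "$want"; then
      printf 'PASS %-22s = %s\n' "$key" "$want"
    else
      printf 'FAIL %-22s want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Accounts whose shadow max-age field (5th) is empty or above the limit.
# PASS_MAX_DAYS in login.defs only affects accounts created later; existing
# ones keep their old value until `chage -M <days> <user>` is run. Locked or
# passwordless accounts ('!' or '*' in field 2) are skipped. Prints
# "user max-days" per offender and returns 1 if any were found.
audit_password_aging() {   # $1 = shadow file, $2 = allowed max days
  offenders=$(awk -F: -v max="$2" '
    $2 ~ /^[!*]/ { next }
    $5 == "" || $5 + 0 > max + 0 { print $1, ($5 == "" ? "unlimited" : $5) }
  ' "$1")
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

# --- constructed sample inputs (not captured from a real host) ---
SSHD_DUMP=$(mktemp); SHADOW_SAMPLE=$(mktemp)
cat >"$SSHD_DUMP" <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
x11forwarding no
maxauthtries 6
EOF
cat >"$SHADOW_SAMPLE" <<'EOF'
root:*:19800:0:99999:7:::
ubuntu:*:19800:0:99999:7:::
devopsuser:$6$saltsalt$notarealhash:19800:0:99999:7:::
app:$6$saltsalt$notarealhash:19800:0:60:7:::
EOF

audit_sshd "$SSHD_DUMP" || echo "sshd: $? check(s) failed"
audit_password_aging "$SHADOW_SAMPLE" 90 || echo "password aging: run chage -M 90 on the account(s) above"
```

On the sample data the SSH audit reports two failures (password authentication still on, MaxAuthTries 6) and the aging audit names devopsuser, whose 99999-day maximum is exactly what an account created before the login.defs edit looks like; root and ubuntu are skipped because their password fields are locked.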
4. Implementing CIS Benchmark Security Compliance
To fully align with CIS benchmarks, integrate automated compliance checks. The hardening script covers a handful of controls; the benchmark has a few hundred, and a scanner is how you find out which ones are still open.
A. Scanning for Compliance Using OpenSCAP
On the instance, install the OpenSCAP scanner together with the ComplianceAsCode content (SCAP Security Guide), pick the content file for your release, and run the CIS Level 2 server profile:
sudo apt-get install -y openscap-scanner scap-security-guide
ls /usr/share/xml/scap/ssg/content/
sudo oscap xccdf eval --profile cis_level2_server --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
This generates a detailed security compliance report (report.html) plus a machine-readable results.xml. Two caveats: the content file must match the Ubuntu release you deployed (ssg-ubuntu1804 content run against a 22.04 image evaluates the wrong rule set), and the scap-security-guide package in Ubuntu's repositories lags upstream, so if the file for your release is missing, download the current release from the ComplianceAsCode GitHub project. oscap exits 0 when every rule passes, 2 when at least one rule fails and 1 on error, which is enough to gate a pipeline on. Canonical's own CIS tooling for Ubuntu is the Ubuntu Security Guide (usg), available with Ubuntu Pro.
B. Automating CIS Compliance in CI/CD Pipelines
Integrate Chef InSpec for DevOps automation. InSpec runs a profile against a remote target over SSH and can emit JSON for the pipeline to parse:
inspec exec path/to/your/profile --reporter json:/path/to/report.json
For example, with the open-source dev-sec linux-baseline profile against the new instance:
inspec exec https://github.com/dev-sec/linux-baseline -t ssh://ubuntu@<public-ip> -i ~/.ssh/id_rsa --reporter cli json:report.json
The official CIS InSpec profiles are distributed to CIS SecureSuite members; the dev-sec baseline is a free profile that overlaps with many of the same controls.
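Gating a pipeline on "did anything fail" is what oscap's exit code 2 already gives you. What a pipeline usually wants on top is a severity threshold and the names of the failing rules in the job log, and that means reading the XCCDF results file that `oscap xccdf eval --results results.xml` writes. The script below is an added example, not from the original article or from the OpenSCAP project: it summarises the per-rule outcomes, counts them, and refuses (non-zero exit) when a rule at or above a chosen severity failed. The XML is a constructed, trimmed sample in the shape of an XCCDF TestResult with ComplianceAsCode-style rule ids; it is not the output of a real scan.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): turn an OpenSCAP XCCDF
# results file into a CI gate with a severity threshold.

# Emit "result severity rule-id" per <rule-result>. Attributes and the
# <result> child may be spread over several lines, so state is carried
# between lines instead of relying on one regex per line.
summarize_xccdf_results() {   # $1 = results.xml
  awk '
    /<rule-result[ >]/ { inrule = 1; id = ""; sev = "unknown" }
    inrule && match($0, /idref="[^"]*"/)    { id  = substr($0, RSTART + 7,  RLENGTH - 8) }
    inrule && match($0, /severity="[^"]*"/) { sev = substr($0, RSTART + 10, RLENGTH - 11) }
    inrule && match($0, /<result>[^<]*<\/result>/) {
      print substr($0, RSTART + 8, RLENGTH - 17), sev, id
      inrule = 0
    }
  ' "$1"
}

count_results() {   # $1 = results.xml, $2 = outcome (pass|fail|notapplicable|notchecked|error)
  summarize_xccdf_results "$1" | awk -v want="$2" '$1 == want { n++ } END { print n + 0 }'
}

failed_rules() {    # $1 = results.xml; one failing rule id per line, in file order
  summarize_xccdf_results "$1" | awk '$1 == "fail" { print $3 }'
}

# Gate: return 0 if no rule at or above the given severity failed, otherwise
# list the blocking failures and return 1. Severity order: low < medium < high.
gate_on_results() { # $1 = results.xml, $2 = lowest severity that blocks (default low)
  blocking=$(summarize_xccdf_results "$1" | awk -v minsev="${2:-low}" '
    function rank(s) { return (s == "high") ? 3 : (s == "medium") ? 2 : (s == "low") ? 1 : 0 }
    $1 == "fail" && rank($2) >= rank(minsev) { print $2, $3 }')
  [ -z "$blocking" ] && return 0
  printf '%s\n' "$blocking" | sed 's/^/BLOCKING: /'
  return 1
}

# --- constructed sample results file (not from a real scan) ---
RESULTS=$(mktemp)
cat >"$RESULTS" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_cis_level2_server">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"
               severity="high" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_ufw_installed" severity="medium" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" severity="medium" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" severity="low" weight="1.0">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF

echo "pass=$(count_results "$RESULTS" pass) fail=$(count_results "$RESULTS" fail) notapplicable=$(count_results "$RESULTS" notapplicable)"
gate_on_results "$RESULTS" high || echo "pipeline would stop here (exit $?)"
```

In a pipeline step, `gate_on_results results.xml high` fails the job only for high-severity findings while the medium ones are still listed by `failed_rules` for the ticket queue; tighten the threshold to medium once the backlog is cleared. Add an allow-list of accepted rule ids before relaxing anything, since a waived finding that is not written down is just a finding nobody is looking at.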
5. Post-Provisioning Security & Monitoring
Creating a Secure Non-Root User
sudo adduser devopsuser
sudo usermod -aG sudo devopsuser
sudo install -d -m 700 -o devopsuser -g devopsuser /home/devopsuser/.ssh
sudo install -m 600 -o devopsuser -g devopsuser ~/.ssh/authorized_keys /home/devopsuser/.ssh/authorized_keys
sudo chage -M 90 devopsuser
Day-to-day work happens as this user: root stays unreachable over SSH, and every privileged action goes through sudo, which logs the invoking user. Ubuntu cloud images disable SSH password authentication, so the new account needs an authorized key (copied here from the ubuntu user) or it cannot log in at all; the chage line applies the 90-day maximum that login.defs only sets for accounts created after the script ran.
Continuous Security Monitoring
Hardening is a snapshot; the monitoring steps under Final Thoughts below (CloudTrail, GuardDuty, scheduled OpenSCAP scans) are what tell you when the snapshot has drifted or is being attacked.
6. Final Security Checklist
- UFW firewall enabled (sudo ufw status verbose shows "Status: active" and default deny incoming)
- SSH hardened: root login disabled, key-based auth (sudo sshd -T | grep -E '^(permitrootlogin|passwordauthentication|pubkeyauthentication)')
- Fail2ban active (sudo fail2ban-client status sshd)
- Password policies enforced (grep -E '^PASS_(MAX_DAYS|MIN_DAYS|WARN_AGE)' /etc/login.defs, and chage -l <user> for existing accounts)
- Automatic security updates configured (cat /etc/apt/apt.conf.d/20auto-upgrades)
- CIS Benchmark compliance checks integrated (a results.xml from oscap in the pipeline artefacts)
Final Thoughts
By following this DevSecOps approach, you:
- Automate security using Terraform.
- Enforce a layered security model (firewall, SSH hardening, intrusion prevention).
- Ensure continuous compliance with CIS benchmarks.
Once you've hardened your Ubuntu instance, security doesn't stop there. Threats evolve, so continuous monitoring and automation are key.
1. Regularly Update Your System
Keep your server updated with the latest security patches:
sudo apt update && sudo apt upgrade -y
Tip: Use unattended-upgrades to apply security updates automatically.
2. Monitor Unauthorized Access
Enable AWS CloudTrail and Amazon GuardDuty to track suspicious activity at the account level: API calls, credential misuse, port scans and SSH brute force against your instances.
aws cloudtrail create-trail --name SecurityTrail --s3-bucket-name my-security-logs --is-multi-region-trail
aws cloudtrail start-logging --name SecurityTrail
aws guardduty create-detector --enable
The S3 bucket must already exist with a bucket policy that lets CloudTrail write to it, and create-trail on its own does not start recording, hence the start-logging call. GuardDuty is enabled per region, so run create-detector in every region you use (or turn it on organisation-wide from the delegated administrator account).
Tip: GuardDuty helps detect brute force attacks, compromised keys, and unusual traffic. Its SSH brute-force finding is the account-level view of the same event Fail2ban sees in the host's auth log.
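The host-side view of that same brute-force event is the auth log, which is what Fail2ban reads. The script below is an added example, not part of the original article and not Fail2ban's own code: it reproduces the core of the sshd jail as a one-shot audit, counting "Failed password" events per source address inside a sliding window of findtime seconds and reporting an address the first time it reaches maxretry. Useful to check what Fail2ban would have banned, or to triage a host where it was not yet running. The log lines are constructed in the classic /var/log/auth.log syslog format (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges), and the second sample source deliberately spreads its attempts thirty minutes apart to show the attack that a 10-minute findtime misses.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): fail2ban-style brute-force
# detection over SSH auth log lines.
# On a live Ubuntu host, which logs only to the journal:
#   sudo journalctl -u ssh -o short --no-pager | brute_force_sources 5 600

# Total failed SSH logins per source, most active first.
failed_logins_per_source() {   # reads log lines on stdin
  awk '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) print ip, n[ip] }
  ' | sort -k2,2nr -k1,1
}

# Addresses that accumulated maxretry failures within findtime seconds,
# printed once each as "ip count month day time" at the moment the threshold
# was crossed, i.e. when fail2ban would have banned them.
brute_force_sources() {   # $1 = maxretry, $2 = findtime (seconds); log lines on stdin
  awk -v maxretry="$1" -v findtime="$2" '
    # Seconds since an arbitrary epoch from the syslog "Mon DD HH:MM:SS" prefix.
    # Months are treated as 31 days: exact within a month, off by a day or two
    # across a month boundary, which is fine for a window measured in minutes.
    # (journalctl -o short-iso output would need a different parser.)
    function stamp(mon, day, hms,   p, d) {
      split(hms, p, ":")
      d = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) - 1) / 3 * 31 + day
      return d * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
    }
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      ts = stamp($1, $2, $3)
      n[ip]++; t[ip, n[ip]] = ts
      if (!(ip in head)) head[ip] = 1
      while (t[ip, head[ip]] < ts - findtime) head[ip]++   # drop events that fell out of the window
      if (n[ip] - head[ip] + 1 >= maxretry && !(ip in flagged)) {
        flagged[ip] = 1
        print ip, n[ip] - head[ip] + 1, $1, $2, $3
      }
    }
  '
}

# --- constructed sample log (not from a real host) ---
AUTH_LOG=$(mktemp)
cat >"$AUTH_LOG" <<'EOF'
Jan 12 10:00:01 ip-10-0-1-23 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:03 ip-10-0-1-23 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:05 ip-10-0-1-23 sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:00:08 ip-10-0-1-23 sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Jan 12 10:00:11 ip-10-0-1-23 sshd[1207]: Failed password for ubuntu from 203.0.113.5 port 51260 ssh2
Jan 12 10:02:40 ip-10-0-1-23 sshd[1300]: Failed password for ubuntu from 198.51.100.7 port 40000 ssh2
Jan 12 10:03:10 ip-10-0-1-23 sshd[1302]: Accepted publickey for ubuntu from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:constructedfingerprint
Jan 12 18:00:00 ip-10-0-1-23 sshd[2000]: Failed password for root from 198.51.100.9 port 33000 ssh2
Jan 12 18:30:00 ip-10-0-1-23 sshd[2001]: Failed password for root from 198.51.100.9 port 33001 ssh2
Jan 12 19:00:00 ip-10-0-1-23 sshd[2002]: Failed password for root from 198.51.100.9 port 33002 ssh2
Jan 12 19:30:00 ip-10-0-1-23 sshd[2003]: Failed password for root from 198.51.100.9 port 33003 ssh2
Jan 12 20:00:00 ip-10-0-1-23 sshd[2004]: Failed password for root from 198.51.100.9 port 33004 ssh2
EOF

echo "--- failures per source ---";                               failed_logins_per_source < "$AUTH_LOG"
echo "--- would be banned (maxretry=5, findtime=600) ---";         brute_force_sources 5 600 < "$AUTH_LOG"
echo "--- same with findtime=86400: the slow attacker appears ---"; brute_force_sources 5 86400 < "$AUTH_LOG"
```

With the jail defaults (maxretry 5, findtime 600) only 203.0.113.5 is flagged, at its fifth attempt. 198.51.100.9 also makes five attempts but never five inside ten minutes, so neither this script nor Fail2ban with those settings would ban it; widening findtime to a day catches it. That is the trade-off the two knobs express, and the reason key-only authentication, not banning, is the control that actually ends password guessing.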
3. Use a Configuration Management Tool (Ansible, Chef, or Puppet)
Instead of manually hardening every server, automate security policies with Ansible. The ufw module lives in the community.general collection (ansible-galaxy collection install community.general), and changing the firewall needs root, hence become. Order matters: allow SSH before enabling the firewall, or the play locks itself out of every host it touches.
- name: Harden Ubuntu Server
  hosts: all
  become: true
  tasks:
    - name: Allow (rate-limited) SSH before the firewall is switched on
      community.general.ufw:
        rule: limit
        port: "22"
        proto: tcp
    - name: Ensure UFW is enabled with default deny inbound
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming
Tip: Automating security ensures consistency across multiple servers, and because the play is idempotent you can run it on every deploy to catch drift, not just once.
4. Run Security Audits Regularly
Use CIS Benchmarks and OpenSCAP to scan for security compliance, with the content file matching the release you deployed:
oscap xccdf eval --profile cis_level2_server --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
Tip: This will generate a detailed security report. Fix the critical findings first, then schedule the scan (a cron job or systemd timer on the host, or a pipeline job over SSH) so a new failure shows up as a diff against the last results.xml instead of a surprise at audit time.
5. Backup and Disaster Recovery Plan
Always keep backups of important files using AWS Backup:
aws backup create-backup-plan --backup-plan file://backup-plan.json
aws backup create-backup-selection --backup-plan-id <plan-id> --backup-selection file://backup-selection.json
A plan on its own backs up nothing; the selection assigns resources to it, by ARN or by tag (for example the Name=HardenedUbuntuInstance tag set in main.tf).
Tip: Store backups in a different AWS region for extra protection by adding a copy action to the plan's rule, and restore one periodically; a backup that has never been restored is an assumption, not a plan.
Security is an ongoing process! Regular audits and automation keep your infrastructure safe against evolving threats.