3

By default, Ubuntu Server is not very secure:

  1. Automatic security updates are not enabled
  2. The 'ufw' firewall is not enabled
  3. SSH key-based logins have to be explicitly created
  4. and so on...

For my own personal use, I have followed guides such as http://hardenubuntu.com/ to turn on unattended-upgrades, install fail2ban, etc. But now I am running a business in the cloud and don't want to repeat all these steps manually every time I spin up a new instance. Is there an Ubuntu distro/variant that comes with "production-ready" security and doesn't need to be manually hardened? Solutions using configuration management tools (Chef, Puppet, Ansible, etc) will also work.

And if there is NOT such a thing, why not?

4 Answers

5

If you're looking for these features you need to use the Ubuntu Cloud image instead of the traditional server image.

  1. Security updates are turned on by default and new images are published every few weeks with the updates rolled in.
  2. In cloud environments the networking is usually restricted out of the box, but if you want to use ufw you can turn it on.
  3. The cloud images only accept login via SSH; you can use cloud-init to create/use whatever keys as well as user data if you'd like: https://help.ubuntu.com/community/CloudInit

From your comments it looks like you want to automate your deployment with Ansible. Ansible and cloud-init is a popular pattern in the cloud; there are lots of guides on how to do that, here's one as a start:

Here are a bunch of examples of configuration for cloud-init that you can use to derive custom configs of your own:

Jorge Castro
  • 73,717
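
An added example, not part of the answer above or of Ubuntu's own documentation: a cloud-init `#cloud-config` user-data file that covers the three items from the question (unattended security updates, ufw, key-only SSH) and installs fail2ban. The public key is a placeholder, and rate-limiting SSH on port 22 is an assumption about the deployment.

```yaml
#cloud-config
# Added example: pass this file as user data when launching an Ubuntu cloud image.

# Refresh package lists and apply pending updates on first boot.
package_update: true
package_upgrade: true

packages:
  - unattended-upgrades
  - ufw
  - fail2ban   # runs with the package's default configuration

# Key-only SSH: no password logins, no direct root login.
ssh_pwauth: false
disable_root: true

# Added to the image's default user. Placeholder value: substitute your own public key.
ssh_authorized_keys:
  - ssh-ed25519 REPLACE_WITH_YOUR_PUBLIC_KEY admin@example.invalid

# Turn on the daily package-list refresh and the unattended-upgrade run.
write_files:
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root:root
    permissions: '0644'
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";

# Host firewall: deny inbound by default, allow rate-limited SSH only (assumed port 22).
runcmd:
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw limit 22/tcp
  - ufw --force enable
```

After first boot, `cloud-init status --long` and `ufw status verbose` show whether the configuration was applied.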
2

There is no such version of the Server installer, nor the Desktop installers, because it would be detrimental to administration to have something 'completely locked down' upon installation.

As I understand it, this is because the delicate balance of "Ease of Setup/Use" and "Lock It All Down" is a very delicate one.

As I understand it...

  • The system doesn't enable automatic updates automatically because to do so could compromise stability.
  • Enabling ufw automatically is annoying to sysadmins who want things to 'work out of the box' and then want to lock down the firewall rules after things work the way they want (this is MOST security-centric server administrators, by the way).
  • Forcing keys to be generated immediately upon installation is a no-no, because setting up such keys usually needs the other system to generate them first. To enforce key auth immediately would likely block the ability to set up that type of key authentication.

Consider also that Security is an ongoing process - starting with a relatively 'okay' setup and then locking down things accordingly with your security policy needs and such is a better approach than having something totally locked down and then having to 'remove' security constraints as time goes forward.

There is also a configuration process - consider that if we as sysadmins have to break down security on a machine just to set it up and then re-secure it, it saves time to go the opposite direction - configure the systems first, then lock it down. This is the typical approach to administration/security...

Note that I am not a member of the Ubuntu Security Team, but this is the most likely reason for the approach in place now, using your specific examples here.

Thomas Ward
  • 78,878
1

Automatic security updates are not enabled

Automatic security updates are not generally seen as a good practice for a production environment because they can result in unexpected downtime. In a production environment you'd schedule updates so you can notify users/clients and deal with the rare scenario where an update breaks configuration.

The 'ufw' firewall is not enabled

In most cases you need to manually set up a firewall like ufw; it is not usually possible to have an "automatically" configured firewall that provides significant benefit.

The benefit from a system level firewall like ufw is to limit the ability of rogue processes, or even known processes, to communicate with the outside world. Each person's definition of which processes should be able to communicate with the outside world will be different. If an automatically configured firewall was too conservative, this would create headaches when users install software and want that software to be able to access the internet.

SSH key-based logins have to be explicitly created

I can't think of a mechanism where the remote user (client) could be securely given a private key by an automated process. Also, it would need to somehow verify that the client machine received the private key before turning off password based login.

thomasrutter
  • 37,804
1

Server environments are not for out of box deployment as they can vary greatly. The base settings that Ubuntu server comes with need to be customized for different environments. So disabling or enabling services, firewalls etc. are all subject to the need of the deployment. UFW and Key based logins are one such aspect that need to be created as per needs.

Arup Roy Chowdhury
  • 1,580