1. Update + Auto-updates
Start by installing every outstanding security patch:
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
The dpkg-reconfigure step enables the daily unattended-upgrades run, which installs security updates automatically. It does not reboot after a kernel update unless you set Unattended-Upgrade::Automatic-Reboot in /etc/apt/apt.conf.d/50unattended-upgrades, so schedule that reboot yourself or the old kernel keeps running.
2. SSH Hardening
Edit /etc/ssh/sshd_config (or, on 24.04, a drop-in file under /etc/ssh/sshd_config.d/, see the caveat below):
Port 65535                 # changed from 22
PermitRootLogin no
PasswordAuthentication no  # key-based login only
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers john            # restrict which users may log in at all
Two things bite on Ubuntu 24.04. First, the stock sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it sees for a keyword, so a drop-in such as the cloud-init generated 50-cloud-init.conf (which sets PasswordAuthentication yes) silently wins over anything you write lower down in the main file; either fix that drop-in or put your settings in a file that sorts before it. Second, ssh is socket-activated: ssh.socket is what binds the port, so after changing Port you must run systemctl daemon-reload and restart ssh.socket too, otherwise sshd keeps serving the socket it inherited on port 22. The Protocol 2 line found in older guides is a deprecated keyword that sshd ignores with a warning; leave it out.
Before restarting, make sure your public key is already in ~john/.ssh/authorized_keys, keep the current session open, and validate the file with sshd -t; a syntax error in sshd_config means the daemon will not come back. Then restart:
sudo systemctl restart sshd
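The drop-in approach and the effective-config check described above, as an added example (not code from the original post). It assumes Ubuntu 24.04 with socket-activated ssh, that the admin user "john" already has a key in authorized_keys, and a drop-in name 10-hardening.conf chosen so it sorts before 50-cloud-init.conf; the audit function reads the output of sshd -T, which prints the configuration after Include precedence is resolved.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): apply the SSH settings as an
# early-sorting drop-in and verify the *effective* configuration with `sshd -T`,
# which resolves Include order and drop-in precedence for us.
# Assumptions: Ubuntu 24.04 (ssh.socket active, Include sshd_config.d/*.conf),
# user "john" already has a key installed, drop-in name 10-hardening.conf.
set -eu

SSH_PORT="${SSH_PORT:-65535}"
ADMIN_USER="${ADMIN_USER:-john}"
DROPIN=/etc/ssh/sshd_config.d/10-hardening.conf

# What `sshd -T` must print: it lowercases keywords and prints one
# "keyword value" pair per line.
EXPECTED="port ${SSH_PORT}
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2
allowusers ${ADMIN_USER}"

# write_dropin: write the hardening keywords to the early-sorting drop-in.
write_dropin() {
  sudo touch "$DROPIN" && sudo chmod 600 "$DROPIN"
  sudo tee "$DROPIN" >/dev/null <<EOF
Port ${SSH_PORT}
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers ${ADMIN_USER}
EOF
}

# audit_sshd_config: read `sshd -T` output on stdin, print each expected
# keyword whose effective value differs, return 1 if any differ.
audit_sshd_config() {
  effective=$(cat)
  rc=0
  while read -r key want; do
    got=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$got" != "$want" ]; then
      printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
      rc=1
    fi
  done <<EOF
$EXPECTED
EOF
  return $rc
}

# Run only when invoked as "./ssh-harden.sh apply"; the functions can also be sourced.
if [ "${1:-}" = "apply" ]; then
  write_dropin
  sudo sshd -t                       # syntax check: a broken file locks you out
  sudo sshd -T | audit_sshd_config   # stop here if a later drop-in still wins
  sudo systemctl daemon-reload       # regenerate ssh.socket's listen port
  sudo systemctl restart ssh.socket ssh.service
fi
```

The audit runs before the restart, so a leftover PasswordAuthentication yes in 50-cloud-init.conf aborts the script instead of being discovered after the old session is gone. If socket activation has been disabled on the host, restart ssh.service alone instead of the socket.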
3. Setup UFW Firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 65535/tcp   # the custom SSH port; must be added before `ufw enable`
sudo ufw allow 80/tcp      # HTTP (only if the host serves it)
sudo ufw allow 443/tcp     # HTTPS
sudo ufw enable
sudo ufw status verbose
Open only the ports the host actually serves. The SSH rule has to exist before ufw enable, and its port must match the Port line in sshd_config, or the new firewall cuts off the very session you are working from.
4. Fail2ban — Block Brute Force
sudo apt install fail2ban -y
Copying the whole of jail.conf to jail.local works but is fragile: the full copy freezes every packaged default and shadows fixes that arrive with later package versions. Create /etc/fail2ban/jail.local containing only the override, with the port matching the SSH port chosen above:
[sshd]
enabled = true
port = 65535
maxretry = 3
bantime = 3600
findtime = 600
This bans a source for bantime (3600 s) once it produces maxretry (3) failed logins inside any findtime (600 s) window. If the service refuses to start because it cannot find a log file for the sshd jail, add backend = systemd to the section: minimal 24.04 images ship without rsyslog, so /var/log/auth.log does not exist and fail2ban has to read the journal instead.
sudo systemctl enable --now fail2ban
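To see what the three numbers above actually do before trusting them, here is an added example (not from the original post or the fail2ban project) that replays the jail's rule over constructed log lines: maxretry failures inside a sliding findtime window. The sample lines and their documentation-range IPs are constructed; timestamps are Unix epoch seconds, the shape that journalctl -o short-unix prints on a real host.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: replay the [sshd] jail's rule
# (maxretry=3 failures inside findtime=600 s) over constructed auth log lines.
set -eu

MAXRETRY=3
FINDTIME=600

# Constructed sample: 203.0.113.5 bursts 3 failures in 20 s; 192.0.2.9 fails three
# times but 700 s apart; 198.51.100.7 is a successful key login that must not count.
SAMPLE_LOG='1700000000 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
1700000010 srv sshd[1202]: Failed password for root from 203.0.113.5 port 41236 ssh2
1700000020 srv sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 41240 ssh2
1700000030 srv sshd[1204]: Accepted publickey for john from 198.51.100.7 port 50000 ssh2
1700000000 srv sshd[1205]: Failed password for root from 192.0.2.9 port 33001 ssh2
1700000700 srv sshd[1206]: Failed password for root from 192.0.2.9 port 33002 ssh2
1700001400 srv sshd[1207]: Failed password for root from 192.0.2.9 port 33003 ssh2'

# offenders: read log lines (time-ordered per source IP) on stdin and print each
# IP that accumulates MAXRETRY "Failed password" lines inside a FINDTIME window,
# i.e. the sliding-window test fail2ban applies before banning for bantime.
offenders() {
  awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" '
    /Failed password/ {
      ts = $1 + 0
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      n[ip]++
      t[ip, n[ip]] = ts
      # count this source'"'"'s failures still inside the window ending at this line
      c = 0
      for (j = n[ip]; j >= 1 && t[ip, j] > ts - findtime; j--) c++
      if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }' | sort
}

# Verdict for the constructed sample: only the bursting source is listed.
printf '%s\n' "$SAMPLE_LOG" | offenders   # → 203.0.113.5
```

On a live host the same function can be fed with sudo journalctl -u ssh -o short-unix --no-pager | offenders, and sudo fail2ban-client status sshd shows what fail2ban itself has actually banned; the two lists should agree. The slow attacker in the sample is the reason findtime matters: at three attempts per 700 s it never trips the jail, which is exactly what a patient brute-forcer counts on, so pair fail2ban with key-only authentication rather than relying on it alone.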
5. Disable Unused Services
systemctl list-unit-files --state=enabled | grep service
sudo systemctl disable --now bluetooth.service
sudo systemctl disable --now cups.service
sudo systemctl disable --now avahi-daemon.service
Every enabled daemon is attack surface, so walk the list and disable what this host does not need. The three above are desktop services that are usually absent from a server image; disabling a unit that is not installed just prints an error. For software you will never use, purging the package is cleaner than leaving a disabled unit behind.
6. AppArmor Profile
sudo apt install apparmor-utils -y
sudo aa-status
sudo aa-enforce /etc/apparmor.d/usr.sbin.*   # enforce the profiles of the daemons you actually run
Ubuntu 24.04 ships with AppArmor enabled and most packaged profiles already in enforce mode, so read aa-status first: it lists which profiles are loaded, which run in complain mode and which processes are unconfined. Running aa-enforce over all of /etc/apparmor.d/* as older guides suggest trips over the subdirectories and non-profile files in that tree (abstractions, tunables, local) and blindly enforces profiles that are shipped in complain mode for a reason. Switch profiles one at a time, watch the journal for DENIED entries, and only then leave them in enforce mode.
7. Audit Log (auditd)
sudo apt install auditd audispd-plugins -y
sudo systemctl enable --now auditd
# basic audit rules: -w watches a path, -p wa fires on writes and attribute changes, -k tags the events
echo "-w /etc/passwd -p wa -k passwd_changes" | sudo tee -a /etc/audit/rules.d/audit.rules
echo "-w /etc/shadow -p wa -k shadow_changes" | sudo tee -a /etc/audit/rules.d/audit.rules
sudo augenrules --load
augenrules merges everything under /etc/audit/rules.d/ into /etc/audit/audit.rules and loads it; confirm with auditctl -l and later query the events with ausearch -k passwd_changes. The two watches cover account and password changes; add the same kind of watch for /etc/sudoers, /etc/ssh/sshd_config and the sysctl file below, so that tampering with the hardening itself leaves a record.
8. Kernel Hardening (sysctl)
Create /etc/sysctl.d/99-hardening.conf:
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
Apply: sudo sysctl -p /etc/sysctl.d/99-hardening.conf
Two caveats. rp_filter = 1 is strict reverse-path filtering and silently drops traffic on multi-homed hosts with asymmetric routes; use 2 (loose) there. The net.ipv4.conf.all.* keys are combined with the per-interface values (for send_redirects the interface's own 1 still wins), so also set the matching net.ipv4.conf.default.* keys so that every interface, including ones created later such as VPN tunnels and container bridges, gets the hardened value, and the net.ipv6.conf.* equivalents if IPv6 is enabled. The 99- prefix makes this file override the distribution defaults, which sysctl --system applies in lexical order at boot.
9. File Permissions
sudo chmod 700 /root
sudo chmod 644 /etc/passwd
sudo chmod 600 /etc/shadow
sudo chmod 644 /etc/group
sudo chmod 600 /boot/grub/grub.cfg
# find world-writable files
sudo find / -xdev -type f -perm -0002 -ls 2>/dev/null
Most of these are already the Ubuntu defaults; running them makes the state explicit and idempotent. Note that Ubuntu ships /etc/shadow as 640 root:shadow, which already meets the usual benchmark of 640 or more restrictive; tightening it to 600 is fine on a headless server but breaks the setgid-shadow helper unix_chkpwd for non-root services that verify passwords. Anything the find prints is suspect on a server: fix the mode or remove the file. Review setuid and setgid binaries the same way, since those are the first thing a local attacker enumerates.
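Steps 8 and 9 set state that drifts: a package upgrade rewrites grub.cfg, a new sysctl file sorts after 99-hardening.conf, someone runs chmod in a hurry. The following is an added example (not from the original post) of a read-only audit that reports drift from the sysctl values and the file modes above. The expected-mode table is an assumption matching this page plus Ubuntu's root:shadow default, and the optional second argument of check_sysctl (a fake /proc/sys root) exists only so the function can be exercised without root.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): read-only audit for the sysctl
# values in /etc/sysctl.d/99-hardening.conf and the file modes set above.
# Run it after applying the steps, then periodically from cron.
set -eu

# Maximum allowed mode and required owner per file ("or more restrictive"):
# 640 root:shadow is Ubuntu's default for /etc/shadow and also accepts 600.
EXPECTED_MODES='/root 700 root:root
/etc/passwd 644 root:root
/etc/shadow 640 root:shadow
/etc/group 644 root:root
/boot/grub/grub.cfg 600 root:root'

# check_sysctl <conf> [sysroot]: compare each "key = value" line with the kernel's
# current value at <sysroot>/<key with dots as slashes>. Prints drift, returns 1 if any.
check_sysctl() {
  conf=$1
  sysroot=${2:-/proc/sys}
  rc=0
  key=
  while IFS='=' read -r key want || [ -n "$key" ]; do
    key=$(printf '%s' "$key" | tr -d ' \t')
    want=$(printf '%s' "$want" | tr -d ' \t')
    case "$key" in ''|\#*) continue ;; esac
    path="$sysroot/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$path" ]; then
      printf 'MISSING %s (no %s)\n' "$key" "$path"; rc=1; continue
    fi
    got=$(tr -d ' \t\n' < "$path")
    if [ "$got" != "$want" ]; then
      printf 'DRIFT %s: want %s, got %s\n' "$key" "$want" "$got"; rc=1
    fi
  done < "$conf"
  return $rc
}

# check_modes: read "path max-mode owner:group" lines on stdin. A file passes when
# it grants no permission bit beyond max-mode (so 600 passes a 640 ceiling) and
# the owner matches. Prints drift, returns 1 if any.
check_modes() {
  rc=0
  while read -r path max_mode want_own; do
    [ -n "$path" ] || continue
    if [ ! -e "$path" ]; then printf 'MISSING %s\n' "$path"; rc=1; continue; fi
    got_mode=$(stat -c '%a' "$path")
    got_own=$(stat -c '%U:%G' "$path")
    if [ $(( 0$got_mode & ~0$max_mode )) -ne 0 ] || [ "$got_own" != "$want_own" ]; then
      printf 'DRIFT %s: allowed %s %s, got %s %s\n' "$path" "$max_mode" "$want_own" "$got_mode" "$got_own"
      rc=1
    fi
  done
  return $rc
}

# Invoke as "./audit.sh run" on the server; exits non-zero on any drift.
if [ "${1:-}" = "run" ]; then
  status=0
  check_sysctl /etc/sysctl.d/99-hardening.conf || status=1
  printf '%s\n' "$EXPECTED_MODES" | check_modes || status=1
  exit $status
fi
```

The mode check compares against a ceiling rather than an exact value, which is how the benchmarks phrase it and avoids false alarms when a file is stricter than required. The world-writable find from above, and a similar find / -xdev -type f -perm /6000 for setuid and setgid binaries, belong in the same cron job; their output is not deterministic, so diff it against the previous run rather than asserting on it.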
10. Setup Monitoring + Backup
Final step: have monitoring and backups in place before the host takes production traffic:
- Monitoring: Prometheus + Grafana, Netdata, or Zabbix
- Backup: rsnapshot, restic, or borgbackup; schedule restore tests, because a backup that has never been restored is not a backup
- Log aggregation: Loki, ELK, or rsyslog forwarding to a central host, so an attacker who gains root cannot quietly edit the only copy of the logs
- Alerting: LINE Notify, Slack, or email