This repository contains scripts, configuration templates, and documentation used for the initial setup of a hardened Ubuntu 22.04 LTS server using the Dokku service to host websites in a secure production environment. This project aims to achieve the following goals:
- Key-based SSH with TOTP 2FA
- CIS Level 2 compliance
- Dokku PaaS with automated SSL
- Hardened NGINX and firewall configurations
- open-appsec WAF
To create a new user called "host", use the adduser command:

```sh
adduser host
```

Add the new user to the sudo group:

```sh
usermod -aG sudo host
```

Copy root's SSH keys to the new user:

```sh
rsync --archive --chown=host:host /root/.ssh /home/host
```

Log in as the newly created "host" user now.
"Clone" this repo into the "host" user's home directory:

```sh
git init
git remote add origin https://github.com/34N0/ubuntu-server-dokku
git fetch
git checkout origin/main -ft
```

Run the setup script:

```sh
sudo bash scripts/setup.sh
```

Follow the steps in the Hardening document.
Download the installation script:

```sh
wget -NP . https://dokku.com/bootstrap.sh
```

Get the repo key:

```sh
wget -qO - https://packagecloud.io/dokku/dokku/gpgkey | sudo apt-key add -
```

Run the installer:

```sh
sudo DOKKU_TAG=v0.32.0 bash bootstrap.sh
```
Configure your server domain:

```sh
dokku domains:set-global <server domain>
```

and add your SSH key to the dokku user:

```sh
PUBLIC_KEY="your-public-key-contents-here"
echo "$PUBLIC_KEY" | dokku ssh-keys:add admin
```

For automatic SSL, use dokku-letsencrypt.
This repository provides a hardened NGINX configuration. It configures basic DoS protection through request timeout and size constraints. Additionally, it sets security headers according to OWASP recommendations. The Content-Security-Policy and Content-Type headers should be set at application level and are not configured here.
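The request limits and security headers described above, as an added example that is not part of this repository's NGINX configuration: a POSIX shell audit that checks an nginx config file for the size/timeout directives and the OWASP headers, run against a constructed sample config. The directive names are real nginx directives; the specific values in the sample, and the choice of which headers to require, are assumptions made for this example. Content-Security-Policy is deliberately not required, since the text above leaves it to the application.

```shell
#!/bin/sh
# Added example, not part of this repository: audit an nginx config for the
# request-size/timeout limits and OWASP headers the README's hardened config
# provides. Directive names are real nginx directives; the sample values below
# are assumptions for this example.

# Directives a hardened config is expected to carry, one per line.
# Content-Security-Policy and Content-Type are intentionally absent: per the
# README they belong at application level.
EXPECTED_DIRECTIVES='server_tokens off
client_max_body_size
client_body_timeout
client_header_timeout
keepalive_timeout
send_timeout
add_header X-Content-Type-Options
add_header X-Frame-Options
add_header Strict-Transport-Security
add_header Referrer-Policy'

# write_sample_nginx_config FILE: constructed sample of a hardened http-level
# fragment (values are illustrative, not the repository's real numbers).
write_sample_nginx_config() {
    cat > "$1" <<'EOF'
# constructed sample: basic DoS limits and security headers
server_tokens off;
client_max_body_size 10m;
client_body_timeout 10s;
client_header_timeout 10s;
keepalive_timeout 15s;
send_timeout 10s;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
EOF
}

# check_nginx_hardening FILE: print "missing: <directive>" for every expected
# directive not found in FILE; exit 0 when nothing is missing, 1 otherwise.
# Comments are stripped first so a commented-out directive does not count,
# and runs of whitespace are collapsed so spacing differences do not matter.
check_nginx_hardening() {
    stripped=$(sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' "$1")
    missing=0
    old_ifs=$IFS
    IFS='
'
    for directive in $EXPECTED_DIRECTIVES; do
        if ! printf '%s\n' "$stripped" | grep -qF -- "$directive"; then
            printf 'missing: %s\n' "$directive"
            missing=$((missing + 1))
        fi
    done
    IFS=$old_ifs
    [ "$missing" -eq 0 ]
}

# demo: audit the sample config, then a copy with one header removed.
demo() {
    conf=$(mktemp)
    write_sample_nginx_config "$conf"
    echo "auditing complete sample:"
    check_nginx_hardening "$conf" && echo "ok: nothing missing"
    grep -v 'X-Frame-Options' "$conf" > "$conf.weak"
    echo "auditing sample without X-Frame-Options:"
    check_nginx_hardening "$conf.weak" || echo "audit failed"
    rm -f "$conf" "$conf.weak"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `sh audit-nginx.sh --demo` to see both the passing and the failing audit; point `check_nginx_hardening` at the real config (for example the file the setup script installs) to re-check after edits. A fixed-string match on directive names is intentionally loose: it tells you a directive is present, not that its value is sensible.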
The CIS standard creates a file in /etc/nftables.rules. Load the file with:

```sh
nft -f /etc/nftables.rules
```

This repository contains an updated configuration file allowing a specified SSH port, HTTP and HTTPS.
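An nftables ruleset of the kind described above (inbound dropped by default, a chosen SSH port plus HTTP and HTTPS allowed), as an added example that is not the repository's own /etc/nftables.rules: a POSIX shell generator that validates the SSH port, writes the ruleset to a path you choose, performs an offline structural check, and offers a dry-run parse with `nft -c -f` when run as root on a host with nft installed. The chain layout, the output path and the default port 2222 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the repository's own /etc/nftables.rules: generate a
# default-deny nftables ruleset that admits a chosen SSH port, HTTP and HTTPS,
# then check it before loading. Output path and SSH port are parameters.

# write_nftables_rules FILE SSH_PORT
# Refuses a port that is not an integer in 1..65535 (return 1), otherwise
# writes the ruleset to FILE and returns 0.
write_nftables_rules() {
    out=$1
    ssh_port=$2
    case "$ssh_port" in
        ''|*[!0-9]*) printf 'invalid ssh port: %s\n' "$ssh_port" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        printf 'ssh port out of range: %s\n' "$ssh_port" >&2; return 1
    fi
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
# constructed ruleset: drop inbound by default; allow loopback, replies to
# established connections, ICMP, SSH on port ${ssh_port}, HTTP and HTTPS
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport { ${ssh_port}, 80, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_nftables_policy FILE
# Offline structural check: input and forward chains must default to drop and
# the input chain must open exactly one SSH port plus 80 and 443. Returns 0/1.
check_nftables_policy() {
    [ "$(grep -c 'policy drop;' "$1")" -eq 2 ] || return 1
    grep -q 'hook input priority 0; policy drop;' "$1" || return 1
    grep -q 'hook forward priority 0; policy drop;' "$1" || return 1
    grep -qE 'tcp dport \{ [0-9]+, 80, 443 \} accept' "$1" || return 1
}

# check_nftables_syntax FILE
# Dry-run parse with nft (nothing is loaded). Needs nft installed and root,
# since nft -c still talks to the kernel; otherwise reports that it was skipped.
check_nftables_syntax() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "nft dry-run skipped (needs nft and root)"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    target=${2:-/tmp/nftables.rules.example}
    write_nftables_rules "$target" "${3:-2222}" || exit 1
    check_nftables_policy "$target" && echo "policy check ok: $target"
    check_nftables_syntax "$target"
fi
```

Run `sh gen-nftables.sh --demo /tmp/nftables.rules.example 2222` to generate and check a ruleset without touching the live firewall; only `nft -f` (not `nft -c -f`) loads it. Keep the SSH port validation: a typo in the port of a default-deny ruleset locks you out of the host when it is loaded.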
We welcome contributions from the community to improve and enhance this project.