HostUp

How to Secure an Ubuntu Linux Server in 3 Simple Steps

We all know that security is important, but we are usually too lazy to add basic security. In this tutorial I will show you how to secure a Linux server in 3 simple steps, starting from basic to more advanced security.

1. Create a New Account

This is not really a security ‘feature’, but it is always a good idea to either move away from root or set up login with authorized keys. Root is the default account, which makes it the most common username out there, and for this reason most brute-force programs tend to try that username.

Once you have logged into an SSH terminal with your specified username & password, proceed with the following commands. Replace ‘changeme’ with the username you want the account to have.

adduser changeme
usermod -aG sudo changeme
su - changeme
sudo apt-get update

After you have created your new account you may start a new SSH session, only this time connect with your new username & password.

2. Replace Password Login With Authorized keys

Stop using passwords altogether when logging into your Linux server, and replace them with public and private authentication keys instead!

Step 1.
Generate your 2048-bit public and private keys with a generator such as PuTTYgen. (If you do not already have it, you may download it from putty.org.)

Click the ‘Generate’ button marked in red. You can open this window by simply searching ‘PuttyGen’ in the Windows search box.

After you have clicked generate, follow the instructions on the screen until the loading bar is finished.
Proceed to saving the private and public keys in a safe place.

You are now ready to start using your newly generated keys. Open up the contents of your public key with an editing tool such as Notepad++. Back on your SSH client, run the following commands:

Step 2.

mkdir .ssh
nano .ssh/authorized_keys

If you do not have nano installed, install it by running the following command:

sudo apt-get install nano

You should put your public key in like this:

ssh-rsa KEYHERE

Example of this being:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEApLqp8zeP5y/7GQ99ml6325WeSr+j+vpBxi/0YJzTgz1xkILXwjaikLaaNPP5dp7fAVyBAjl3XqlAnng7yh4KVqWSgga8drlfj1ljyzQHPeCib6pLlgyyZbh4L/YaWjvcKfj5YK13hCUuKiHMUa69QZHmX+tT+iKr9ax49xPILGHJK8n1/V0lYg+C+z35cS9EbHMJRP3Kx2vWFPaFkJr6OxN4N0HK3ZLYv4wdUHQbeG9Ahzj8c8iQGSgMy5lVIvlwZJAn4xE8XqjAKW7dVFwKeVciesR+HjQVvqdCq18z9fmSGN5i/YbPfSUOKgxgtBChswf/7BdV8XFby5Xk+hRUQ==

After this, save and exit by pressing CTRL + X and following the instructions presented on your screen. Then proceed by running the following commands:

chmod 600 .ssh/authorized_keys
sudo nano /etc/ssh/sshd_config

Find PasswordAuthentication yes and replace it with PasswordAuthentication no

If you feel like disabling root login:
Find PermitRootLogin yes and replace it with PermitRootLogin no

Again, save and exit by pressing CTRL + X and follow the instructions presented on the screen.

Restart SSH:

sudo service sshd restart
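
The edit above only takes effect if no earlier line sets the same keyword: sshd keeps the first value it reads, and on Ubuntu releases whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in file is read before your change. The script below is an added example, not part of the original tutorial; the function name effective_sshd_value and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# effective_sshd_value KEYWORD FILE...   (hypothetical helper, added example)
# Prints the global value sshd would use for KEYWORD, or "unset" when no file
# sets it (the built-in default then applies). Pass FILEs in the order sshd
# reads them. Assumed simplification: Match handling is per file and Include
# lines are not followed.
effective_sshd_value() {
    keyword=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    awk -v want="$keyword" '
        FNR == 1     { in_match = 0 }        # new file: back in the global section
                     { sub(/^[ \t]+/, "") }  # leading whitespace is ignored
        /^#/ || /^$/ { next }                # comments and blank lines
        {
            n = split($0, f, /[ \t=]+/)      # "Keyword value" or "Keyword=value"
            key = tolower(f[1])              # keywords are case-insensitive
            if (key == "match") { in_match = 1; next }
            if (!in_match && key == want && n >= 2) {
                print tolower(f[2]); found = 1; exit   # first value wins
            }
        }
        END { if (!found) print "unset" }
    ' "$@"
}

# Constructed sample files (not from a real server).
demo_dir=$(mktemp -d)
printf 'PasswordAuthentication yes\n' > "$demo_dir/50-example.conf"
cat > "$demo_dir/sshd_config" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match Address 192.168.0.0/24
    PermitRootLogin yes
EOF

# Main file alone: the edit is in effect.
effective_sshd_value PasswordAuthentication "$demo_dir/sshd_config"
# Drop-in read first: password logins stay enabled despite the edit.
effective_sshd_value PasswordAuthentication "$demo_dir/50-example.conf" "$demo_dir/sshd_config"
# The "yes" inside the Match block is not the global value.
effective_sshd_value PermitRootLogin "$demo_dir/sshd_config"
```

On the server itself, sudo sshd -t checks the configuration for syntax errors and sudo sshd -T prints the settings sshd will actually apply.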

Congratulations, you have now disabled root & password logins. To log in to the server in the future, you will need to use your private key. In the PuTTY SSH client you can add this by going to:

Connection > SSH > Auth and selecting your private key in the browse tab.
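
When the key login is refused, the cause is usually the authorized_keys file itself: a wrong file name, permissions that sshd's StrictModes check rejects, a key that wrapped onto a second line when pasted into nano, or the multi-line file written by PuTTYgen's "Save public key" button instead of the one-line text shown in the PuTTYgen window. The script below is an added example, not part of the original tutorial; check_authorized_keys is a hypothetical helper name and the sample keys are constructed and unusable.

```shell
#!/usr/bin/env bash
# check_authorized_keys FILE   (hypothetical helper, added example)
# Prints one line per problem found; prints nothing when the file looks sane.
# Assumed simplification: entries with leading options (from="...", command="...")
# are reported as not starting with a key type.
check_authorized_keys() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file"; return; }
    [ "$(basename "$file")" = authorized_keys ] ||
        echo "name: expected authorized_keys, found $(basename "$file")"
    # StrictModes makes sshd ignore a key file that group or others can write to.
    [ -z "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ] ||
        echo "mode: writable by group or others, run chmod 600"
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        /^---- BEGIN SSH2 PUBLIC KEY/ {
            print "line " NR ": RFC 4716 block (PuTTYgen saved file), use the one-line OpenSSH form"
            exit
        }
        $1 !~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/ {
            print "line " NR ": does not start with a key type (wrapped or truncated paste?)"
            next
        }
        # Every key blob starts with a 4-byte length, so its base64 starts with AAAA.
        $2 !~ "^AAAA[A-Za-z0-9+/]+=*$" || length($2) % 4 != 0 {
            print "line " NR ": key data is not complete base64"
        }
    ' "$file"
}

# Constructed samples (shortened key data, not usable keys).
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB rsa-key-example\n' > "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"
# Same key, wrong file name, group-writable, and wrapped onto two lines.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQ\nAB rsa-key-example\n' > "$demo/authorized_key"
chmod 664 "$demo/authorized_key"

check_authorized_keys "$demo/authorized_keys"
check_authorized_keys "$demo/authorized_key"
```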

Extra Security Feature

Optionally, you may also restrict SSH so that it only allows logins from a specific location. This could be anything from your local LAN network to your computer's IP address. I will show you a way that you can add this to your server.

To add this feature you need to edit /etc/hosts.allow by running the following command:

sudo nano /etc/hosts.allow

Once there you have some different options depending on what you want to be allowed.

  • Allow logins from localhost: sshd : localhost
  • Allow logins from your LAN network: sshd : 192.168.0.
  • Allow logins from a specific IP: sshd : 80.80.80.80
  • Allow logins from a domain. This is great if your IP address ever changes since you can change it without being logged into the server: sshd : mydomainhere.com

Save and exit by pressing CTRL + X and follow the instructions presented on the screen.

Next we need to deny all other connections that we have not specified to be allowed.

To add this feature you need to edit /etc/hosts.deny by running the following command:

sudo nano /etc/hosts.deny

  • In here you need to add: sshd : ALL

Save and exit by pressing CTRL + X and follow the instructions presented on the screen.

3. Install a Firewall on Your Linux Server

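It is highly recommended that you install a firewall and only allow the ports that you actually use. Here is a list of common ports. The commands below install ufw, allow and rate-limit SSH, turn on logging and enable the firewall: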

sudo apt-get install ufw -y
sudo ufw allow ssh/tcp
sudo ufw limit ssh/tcp
sudo ufw logging on
sudo ufw enable

You can add additional ports by running the command:

sudo ufw allow PORTHERE/tcp

Remember to replace ‘PORTHERE’ with your specified port.

Another good thing to install is fail2ban. Fail2ban will monitor your firewall logs and ban any IPs that act suspiciously.

sudo apt -y install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
