HostUp

How to Secure an Ubuntu Linux Server in 3 Simple Steps

We all know that security is important, but we are usually too lazy to add basic security. In this tutorial I will show you how to secure a Linux server in 3 simple steps, starting from basic to more advanced security.

1. Create a New Account

This is not really a security ‘feature’, but it is always a good idea to either move away from root or setup login with authorized keys since the most common username out there is root since it is the default. For this reason, most brute-force programs tend to try to use that username.

When you have logged into an SSH terminal with your specified username & password proceed with the following commands to create a new root privileged account. Change changeme with what username you want the account to have.

Create the new account:

adduser changeme

Give the account root privilege:

usermod -aG sudo changeme

Switch over to your newly created user account:

su – changeme

After you have created your new account you may start a new SSH session, only this time connect with your new username & password.

2. Replace Password Login With Authorized keys

Stop using passwords all together when logging into your Linux server, and replace it with public and private authentication keys instead!

Step 1.

Generate your 2048bit public and private keys via a generator such as PuttyGen. If you do not already have it you may download it from putty.org

Click the Generate button marked with red. You can open this window by simply searching PuttyGen in the Windows search box.

After you have clicked generate, follow the instructions on the screen until the loading bar is finished.
Proceed to saving the private and public keys in a safe place.

You are now ready to start using your newly generated keys. Open up the contents of your public key with an editing tool such as NotePad++. Back on your SSH client, run the following commands

Step 2.

First we want to make a new directory called ssh:

mkdir .ssh

After this we want to create a file called authorized_key where we will be putting our public key inside

nano .ssh/authorized_key

If you do not have nano install then please proceed to installing it by running the following command:

 sudo apt-get install nano

You should put your public key in like this:

ssh-rsa KEYHERE

Example of this being:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEApLqp8zeP5y/7GQ99ml6325WeSr+j+vpBxi/0YJzTgz1xkILXwjaikLaaNPP5dp7fAVyBAjl3XqlAnng7yh4KVqWSgga8drlfj1ljyzQHPeCib6pLlgyyZbh4L/YaWjvcKfj5YK13hCUuKiHMUa69QZHmX+tT+iKr9ax49xPILGHJK8n1/V0lYg+C+z35cS9EbHMJRP3Kx2vWFPaFkJr6OxN4N0HK3ZLYv4wdUHQbeG9Ahzj8c8iQGSgMy5lVIvlwZJAn4xE8XqjAKW7dVFwKeVciesR+HjQVvqdCq18z9fmSGN5i/YbPfSUOKgxgtBChswf/7BdV8XFby5Xk+hRUQ==

After this, save and exit by pressing CTRL + X and following the instructions presented on your screen. Then proceed by running the following commands to set the right privileges to the file.

chmod 600 .ssh/authorized_keys

Step 3.

Next we want to disable password authentication and only allow authentication using our newly created private and public key.

First we want to open your sshd_config configuration file:

nano /etc/ssh/sshd_config

FindPasswordAuthentication yes and replace it with PasswordAuthentication no to disable password logins

If you feel like disabling root logins:
Find PermitRootLogin yes and replace it with PermitRootLogin no

Again, save and exit by pressing CTRL + X and follow the instructions presented on the screen.

Restart SSH:

sudo service sshd restart

Congratulations, you have now disabled root & password logins. To login into the server in the future, you will need to use your private key. In Putty SSH client you can add this by going to:

Connection > SSH > Auth and selecting your private key in the browse tab.

Extra Security Feature

Optionally you may also restrict it to only allows for logins from a specific location. This could be anything from your local LAN network to your computers IP address. I will show you a way that you can add this to your server.

To add this feature you need to edit /etc/hosts.allow by running the following command:

sudo nano /etc/hosts.allow

Once there you have some different options depending on what you want to be allowed.

  • Allow logins from localhost: sshd : localhost
  • Allow logins from your LAN network: sshd : 192.168.0.
  • Allow logins from a specific IP: sshd : 80.80.80.80
  • Allow logins from a domain. This is great if your IP address ever changes since you can change it without being logged into the server: sshd : mydomainhere.com

Save and exit by pressing CTRL + X and follow the instructions presented on the screen.

Next we need to deny all other connections that we have not specified to be allowed.

To add this feature you need to edit /etc/hosts.deny by running the following command:

sudo nano /etc/hosts.deny

In here you need to add: sshd : ALL

Save and exit by pressing CTRL + X and follow the instructions presented on the screen.

3. Install a Firewall on Your Linux Server

It is highly recommended that you install a firewall and only allow for ports that you actually use.

sudo apt-get install ufw -y
sudo ufw allow ssh/tcp
sudo ufw limit ssh/tcp
sudo ufw logging on
sudo ufw enable

You can add additional ports by running the command:

sudo ufw allow PORTHERE/tcp

Remember to replace PORTHERE with your specified port.

Another good thing to install is Fail2ban. Fail2ban will monitor your firewall logs and ban any IPs that act suspiciously.

To install Fail2ban firstly:

sudo apt -y install fail2ban

After you have install your very own installation of Fail2ban, you want to make sure that it starts automaticly on restart:

sudo systemctl enable fail2ban

All you have got left to do is to start the program:

sudo systemctl start fail2ban

Congratulations! If you have made it this far you can be sure that your Ubuntu server is fully secured. Remember to share this tutorial to anyone who wants to have a more secure server and bookmark. It is better to be safe that sorry afterall :).

Add comment