We all know that security is important, but we are usually too lazy to add basic security. In this tutorial I will show you how to secure a Linux server in 3 simple steps, starting from basic to more advanced security.
1. Create a New Account
This is not really a security ‘feature’, but it is always a good idea to either move away from root or setup login with authorized keys since the most common username out there is root since it is the default. For this reason, most brute-force programs tend to try to use that username.
When you have logged into an SSH terminal with your specified username & password proceed with the following commands to create a new root privileged account. Change changeme with what username you want the account to have.
Create the new account:
Give the account root privilege:
usermod -aG sudo changeme
Switch over to your newly created user account:
su – changeme
After you have created your new account you may start a new SSH session, only this time connect with your new username & password.
2. Replace Password Login With Authorized keys
Stop using passwords all together when logging into your Linux server, and replace it with public and private authentication keys instead!
Click the Generate button marked with red. You can open this window by simply searching PuttyGen in the Windows search box.
You are now ready to start using your newly generated keys. Open up the contents of your public key with an editing tool such as NotePad++. Back on your SSH client, run the following commands
First we want to make a new directory called ssh:
After this we want to create a file called authorized_key where we will be putting our public key inside
If you do not have nano install then please proceed to installing it by running the following command:
sudo apt-get install nano
You should put your public key in like this:
Example of this being:
After this, save and exit by pressing
chmod 600 .ssh/authorized_keys
Next we want to disable password authentication and only allow authentication using our newly created private and public key.
First we want to open your sshd_config configuration file:
PasswordAuthentication yes and replace it with ‘
PasswordAuthentication no‘ to disable password logins
If you feel like disabling root logins:
PermitRootLogin yes and replace it with
Again, save and exit by pressing
sudo service sshd restart
Congratulations, you have now disabled root & password logins. To login into the server in the future, you will need to use your private key. In Putty SSH client you can add this by going to:
Connection > SSH > Auth and selecting your private key in the browse tab.
Extra Security Feature
Optionally you may also restrict it to only allows for logins from a specific location. This could be anything from your local LAN network to your computers IP address. I will show you a way that you can add this to your server.
To add this feature you need to edit /etc/hosts.allow by running the following command:
sudo nano /etc/hosts.allow
Once there you have some different options depending on what you want to be allowed.
- Allow logins from localhost:
sshd : localhost
- Allow logins from your LAN network:
sshd : 192.168.0.
- Allow logins from a specific IP:
sshd : 126.96.36.199
- Allow logins from a domain. This is great if your IP address ever changes since you can change it without being logged into the server:
sshd : mydomainhere.com
Save and exit by pressing
Next we need to deny all other connections that we have not specified to be allowed.
To add this feature you need to edit /etc/hosts.deny by running the following command:
sudo nano /etc/hosts.deny
In here you need to add:
sshd : ALL
Save and exit by pressing
3. Install a Firewall on Your Linux Server
It is highly recommended that you install a firewall and only allow for ports that you actually use.
sudo apt-get install ufw -y
sudo ufw allow ssh/tcp
sudo ufw limit ssh/tcp
sudo ufw logging on
sudo ufw enable
You can add additional ports by running the command:
sudo ufw allow PORTHERE/tcp
Remember to replace PORTHERE with your specified port.
Another good thing to install is Fail2ban. Fail2ban will monitor your firewall logs and ban any IPs that act suspiciously.
To install Fail2ban firstly:
sudo apt -y install fail2ban
After you have install your very own installation of Fail2ban, you want to make sure that it starts automaticly on restart:
sudo systemctl enable fail2ban
All you have got left to do is to start the program:
sudo systemctl start fail2ban
Congratulations! If you have made it this far you can be sure that your Ubuntu server is fully secured. Remember to share this tutorial to anyone who wants to have a more secure server and bookmark. It is better to be safe that sorry afterall :).