Basic Ubuntu Linux Hardening - Checklist for a Secure Server
Updated: Jan 24, 2022
While Linux is inherently more secure and less targeted than its Windows counterpart, there are still steps an administrator must take to enable or enhance the system's security. This checklist of hardening measures will guide you in your implementation of a secure server.
Checklist
While making changes to your servers, remember to always open a secondary SSH connection. A simple mistake can permanently lock you out. Another connection running concurrently will allow you to flip over and revert your misconfiguration.
1. SSH Port Change
Since port 22 is so heavily targeted by automated attack scripts, it's best to migrate from port 22 to something more obscure.
First, let's check which ports are being used by your server by entering this netstat command:
netstat --inet -lnpThis will return a list of local addresses and their accompanying ports:
[email protected]:/root$ netstat --inet -lnp
State Local Address Foreign Address
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* Port are affixed to the ends of Local Addresses separated by a ':' This example shows that TCP ports 53, 22, 6010, and UDP 53 are being utilized. Please take note of these ports as we will want to avoid them.
Now let's modify the sshd_config file using nano:
sudo nano /etc/ssh/sshd_config fileLook for the following setting:
#Port 22Let's remove the # as any configuration following a # will be ignored. Now we will change 22 to any number between 1024 and 32767. If we remember the ports to avoid, we can see that the only active port between those values is 6010. That gives us plenty of choices for port numbers. In this example, I've used port 27496.
Port 27496Hit Ctrl+X, Y for Yes, and then Enter to confirm the File Name to Write (Save).
Now restart your SSHD service for the change to take effect:
sudo service sshd restartCheck on your VPS providers management portal if you need to open the same port from within the portal interface. Sometimes setting the custom port on the server is not enough, and you need to set this port with your VPS portal GUI.
Now that the port is configured on the server and VPS portal, keep one SSH session open (in case you made a mistake), adjust your SSH port, and connect to a new session with the adjusted port.
2. New Privileged Account
You should never log into your server as root. Instead, please create your own account user, give it sudo rights, and use it to log into your server.
First, let's create a new user:
adduser <username>Give your new user account sudo rights by appending (-a) the sudo group (-G) to the user's group membership:
usermod -a -G sudo <username>It's important to log in as your new user prior to completing 9. Configure SSH Key-Based Authentication.
3. Disable Root Login
Make sure you have completed step 2. New Privileged Account before disabling the root login.
One of the most dangerous security holes you can have on your Linux system is allowing direct logins with your root account through SSH. Any bad actors attempting a brute force on your root password can eventually gain access to your system.
To disable the root login, you will need to modify the sshd_config file using nano:
sudo nano /etc/ssh/sshd_config fileLook for the following setting:
PermitRootLogin yesIf there is a # symbol (comment), let's first remove that. Now change the value from yes to no.
Now restart your SSHD service for the change to take effect:
sudo service sshd restartYou are now safe from brute force root login attempts.
4. Allow Specific Users
To allow specific users or groups to log in to the server via SSH, AllowUsers or AllowGroups options can be used.
To configure these options, you will need to modify the sshd_config file using nano:
sudo nano /etc/ssh/sshd_config fileTo allow users, add the following line, minus the <> (it can be anywhere in the sshd_config file, such as the bottom of the text):
AllowUsers <username>For multiple users:
AllowUsers <username1> <username2>To allow groups, add the following line (it can be anywhere in the sshd_config file, such as the bottom of the text):
AllowGroups <group>For multiple groups:
AllowGroups <group1> <group2>The group setting will allow all members of the group to SSH into the Linux server.
Now restart your SSHD service for the change to take effect:
sudo service sshd restartYou have now restricted SSH entry to a limited user(s) or groups(s).
5. Disable Empty Passwords
To prevent logins from accounts with an empty password for added security, you will need to modify the sshd_config file using nano:
sudo nano /etc/ssh/sshd_config fileScroll down to PermitEmptyPassword and remove the # to activate the setting. If the setting does not exist add the following line (it can be anywhere in the sshd_config file, such as the bottom of the text):
PermitEmptyPasswords noNow restart your SSHD service for the change to take effect:
sudo service sshd restartYour server will no longer accept blank passwords.
6. Only Use SSH Protocol 2
SSH comes in two versions: SSH protocol 1 and protocol 2. SSH protocol 2 is more than protocol 1 as it uses strong cryptographic checks, bulk encryption, and robust algorithms.
By default, your server will use protocol 1. To change this to the more secure protocol 2, you will need to modify the sshd_config file using nano:
sudo nano /etc/ssh/sshd_config fileAdd the following line (it can be anywhere in the sshd_config file, such as the bottom of the text):
Protocol 2Now restart your SSHD service for the change to take effect:
sudo service sshd restartYour server is now using the more secure protocol 2.
7. Enable the Firewall
The default firewall configuration in Ubuntu is ufw. ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default, ufw is disabled.
When you turn on ufw, it uses a default set of rules that should be fine for the average home user.
To check if ufw is enabled, type the following:
sudo ufw statusTo enable ufw, type the following:
sudo ufw enableNow let's add a rule to allow SSH from the custom port we configured in 1. SSH Port Change.
sudo ufw allow 27496You can view your active rules by running the following command:
sudo ufw status numberedTo disable ufw, type the following:
sudo ufw disableYou have successfully enabled the ufw firewall and allowed SSH traffic to your custom port.
8. (Optional) Auto-Update Server via Livepatch
Ubuntu Advantage offers automated Livepatch free on up to 3 machines. This service applies critical kernel patches without rebooting your server. This reduces downtime and keeps your Ubuntu systems secure and compliant.
You can register for Ubuntu Advantage by simply creating an account. Once registered, click Get your free token.
Make sure you have the snap daemon installed on your Ubuntu system by typing the following:
sudo apt update
sudo apt install snapdNow, attach your free token to your server:
sudo ua attach your-tokenNext, install the canonical-livepatch daemon.
sudo snap install canonical-livepatchEnable the service with the following command:
sudo ua enable livepatchYou can check livepatch status at any time with:
sudo ua statusYour Ubuntu server will now automate kernel updates.
9. Configure SSH Key-Based Authentication
Authentication using a public key is based on digital signatures, and it is more secure and convenient than traditional password authentication. Geekbyte has published a separate guide to walk you through a straightforward process of implementing SSH key-based authentication.
In this tutorial, you have learned how to harden the security of an Ubuntu Linux server. Implementing this checklist will give you peace of mind that your systems are better fortified against bad actors.
Feel free to comment below with any questions or comments.
If you found this article informative, please support my efforts by donating to my Ethereum ENS address: geekbyte.eth
