google.com, pub-7590763259720133, DIRECT, f08c47fec0942fa0
 

Basic Ubuntu Linux Hardening - Checklist for a Secure Server

Updated: Jan 24


Checklist for a secure Ubuntu Linux server
Basic Ubuntu Linux Hardening


While Linux is inherently more secure and less targeted than its Windows counterpart, there are still steps an administrator must take to enable or enhance the system's security. This checklist of hardening measures will guide you in your implementation of a secure server.


Checklist

  1. SSH Port Change

  2. New Privileged Account

  3. Disable Root Login

  4. Allow Specific Users

  5. Disable Empty Passwords

  6. Only Use SSH Protocol 2

  7. Enable the Firewall

  8. Auto-Update Server or Livepatch

  9. Configure SSH Key-Based Authentication

While making changes to your servers, remember to always open a secondary SSH connection. A simple mistake can permanently lock you out. Another connection running concurrently will allow you to flip over and revert your misconfiguration.
 

1. SSH Port Change


Since port 22 is so heavily targeted by automated attack scripts, it's best to migrate from port 22 to something more obscure.


First, let's check which ports are being used by your server by entering this netstat command:

netstat --inet -lnp

This will return a list of local addresses and their accompanying ports:

[email protected]:/root$ netstat --inet -lnp
State               Local Address           Foreign Address
tcp        0      0 127.0.0.53:53           0.0.0.0:*             LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                          

Port are affixed to the ends of Local Addresses separated by a ':' This example shows that TCP ports 53, 22, 6010, and UDP 53 are being utilized. Please take note of these ports as we will want to avoid them.


Now let's modify the sshd_config file using nano:

sudo nano /etc/ssh/sshd_config file

Look for the following setting:

#Port 22

Let's remove the # as any configuration following a # will be ignored. Now we will change 22 to any number between 1024 and 32767. If we remember the ports to avoid, we can see that the only active port between those values is 6010. That gives us plenty of choices for port numbers. In this example, I've used port 27496.

Port 27496

Hit Ctrl+X, Y for Yes, and then Enter to confirm the File Name to Write (Save).


Now restart your SSHD service for the change to take effect:

sudo service sshd restart

Check on your VPS providers management portal if you need to open the same port from within the portal interface. Sometimes setting the custom port on the server is not enough, and you need to set this port with your VPS portal GUI.


Now that the port is configured on the server and VPS portal, keep one SSH session open (in case you made a mistake), adjust your SSH port, and connect to a new session with the adjusted port.




 

2. New Privileged Account


You should never log into your server as root. Instead, please create your own account user, give it sudo rights, and use it to log into your server.


First, let's create a new user:

adduser <username>

Give your new user account sudo rights by appending (-a) the sudo group (-G) to the user's group membership:

usermod -a -G sudo <username>

It's important to log in as your new user prior to completing 9. Configure SSH Key-Based Authentication.


 

3. Disable Root Login


Make sure you have completed step 2. New Privileged Account before disabling the root login.


One of the most dangerous security holes you can have on your Linux system is allowing direct logins with your root account through SSH. Any bad actors attempting a brute force on your root password can eventually gain access to your system.


To disable the root login, you will need to modify the sshd_config file using nano:

sudo nano /etc/ssh/sshd_config file

Look for the following setting:

PermitRootLogin yes

If there is a # symbol (comment), let's first remove that. Now change the value from yes to no.


Now restart your SSHD service for the change to take effect:

sudo service sshd restart

You are now safe from brute force root login attempts.


 

4. Allow Specific Users


To allow specific users or groups to log in to the server via SSH, AllowUsers or AllowGroups options can be used.


To configure these options, you will need to modify the sshd_config file using nano:

sudo nano /etc/ssh/sshd_config file

To allow users, add the following line, minus the <> (it can be anywhere in the sshd_config file, such as the bottom of the text):

AllowUsers <username>

For multiple users:

AllowUsers <username1> <username2>

To allow groups, add the following line (it can be anywhere in the sshd_config file, such as the bottom of the text):

AllowGroups <group>

For multiple groups:

AllowGroups <group1> <group2>

The group setting will allow all members of the group to SSH into the Linux server.


Now restart your SSHD service for the change to take effect:

sudo service sshd restart

You have now restricted SSH entry to a limited user(s) or groups(s).




 

5. Disable Empty Passwords


To prevent logins from accounts with an empty password for added security, you will need to modify the sshd_config file using nano:

sudo nano /etc/ssh/sshd_config file

Scroll down to PermitEmptyPassword and remove the # to activate the setting. If the setting does not exist add the following line (it can be anywhere in the sshd_config file, such as the bottom of the text):

PermitEmptyPasswords no

Now restart your SSHD service for the change to take effect:

sudo service sshd restart

Your server will no longer accept blank passwords.


 

6. Only Use SSH Protocol 2


SSH comes in two versions: SSH protocol 1 and protocol 2. SSH protocol 2 is more than protocol 1 as it uses strong cryptographic checks, bulk encryption, and robust algorithms.


By default, your server will use protocol 1. To change this to the more secure protocol 2, you will need to modify the sshd_config file using nano:

sudo nano /etc/ssh/sshd_config file

Add the following line (it can be anywhere in the sshd_config file, such as the bottom of the text):

Protocol 2

Now restart your SSHD service for the change to take effect:

sudo service sshd restart

Your server is now using the more secure protocol 2.


 

7. Enable the Firewall


The default firewall configuration in Ubuntu is ufw. ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default, ufw is disabled.


When you turn on ufw, it uses a default set of rules that should be fine for the average home user.


To check if ufw is enabled, type the following:

sudo ufw status

To enable ufw, type the following:

sudo ufw enable

Now let's add a rule to allow SSH from the custom port we configured in 1. SSH Port Change.

sudo ufw allow 27496

You can view your active rules by running the following command:

sudo ufw status numbered

To disable ufw, type the following:

sudo ufw disable

You have successfully enabled the ufw firewall and allowed SSH traffic to your custom port.


 

8. (Optional) Auto-Update Server via Livepatch


Ubuntu Advantage offers automated Livepatch free on up to 3 machines. This service applies critical kernel patches without rebooting your server. This reduces downtime and keeps your Ubuntu systems secure and compliant.


You can register for Ubuntu Advantage by simply creating an account. Once registered, click Get your free token.


Make sure you have the snap daemon installed on your Ubuntu system by typing the following:

sudo apt update
sudo apt install snapd

Now, attach your free token to your server:

sudo ua attach your-token

Next, install the canonical-livepatch daemon.

sudo snap install canonical-livepatch

Enable the service with the following command:

sudo ua enable livepatch

You can check livepatch status at any time with:

sudo ua status

Your Ubuntu server will now automate kernel updates.




 

9. Configure SSH Key-Based Authentication


Authentication using a public key is based on digital signatures, and it is more secure and convenient than traditional password authentication. Geekbyte has published a separate guide to walk you through a straightforward process of implementing SSH key-based authentication.

 

In this tutorial, you have learned how to harden the security of an Ubuntu Linux server. Implementing this checklist will give you peace of mind that your systems are better fortified against bad actors.


Feel free to comment below with any questions or comments.


If you found this article informative, please support my efforts by donating to my Ethereum ENS address: geekbyte.eth

606 views0 comments