Manuchehr

How to secure your server. Easy follow-up steps

Securing a server is crucial. At a minimum, the following things should be set up to make your Ubuntu server more secure.

Updates

The first thing you should do when you connect to your fresh new server is update and upgrade its packages. Keeping the system up to date is probably one of the most important things you can do.

sudo apt update
sudo apt full-upgrade -y
# Remove unnecessary packages
sudo apt autoremove -y 

# One liner
sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y

No root user!

You really shouldn't work as the default root user; it's bad practice. Instead, let's create a normal user with superuser (sudo) privileges.

Create new user

# adduser <new user username>
adduser ops

Make sure to replace ops with the username you want to create. You'll then be prompted to create and verify a password for the new user, followed by a few optional profile fields:

Output:
Changing the user information for ops
Enter the new value, or press ENTER for the default
    Full Name []:
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n]

Add the user to the sudo group

usermod -aG sudo ops

Again, make sure to replace ops with the username you just created.

You can test that the new sudo permissions work by using the su command to switch to the new user account.

su - ops

As the new user, run any command with sudo:

sudo echo "Test"

The first time you use sudo in a session, you'll be prompted for the password of that user's account. Enter the user's password, not the root password, to proceed.

Once you have done all of the above, you can log out and reconnect to your server as the new user you just created.

SSH & SSHD

Logging in to the server with a password is a weak point. Instead, we should connect without passwords, using SSH keys. First we need to generate an SSH key pair on our local computer:

ssh-keygen -t ed25519

Then you'll be prompted with the following questions:

  • Where to save the SSH key: you may want to provide a specific path
  • Passphrase: you can just skip this step

Output:
> Generating public/private ed25519 key pair.
> Enter file in which to save the key (/Users/<username>/.ssh/id_ed25519):
> Enter passphrase for "/Users/<username>/.ssh/id_ed25519" (empty for no passphrase):
> Enter same passphrase again:

Once you've completed these steps, two files are generated: the public key (id_ed25519.pub) and the private key (id_ed25519). Copy the content of the public <ssh_file_name>.pub file and add it to the ~/.ssh/authorized_keys file on the server (create it if it doesn't exist); the private key stays on your local machine. Once you've added the public key to the server's authorized_keys, you may want to reload the sshd service:

sudo service sshd reload
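The step above is where key-based logins most often go wrong in practice: sshd (with StrictModes, which is on by default) refuses an authorized_keys file unless ~/.ssh is mode 700 and the file is mode 600, and logs "bad ownership or modes" instead of accepting the key. The script below is an added example, not code from the original post: it installs a public-key line with the right modes, skips duplicates if run twice, and checks the result. It assumes the target home directory and the public-key line are passed as arguments; the key in the usage comment is a placeholder, not a real key.

```sh
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys with the modes sshd's StrictModes requires
# (~/.ssh -> 700, authorized_keys -> 600). Assumptions: home directory and
# public-key line are passed in; the key shown in the usage comment is a
# placeholder, not a real key.

set -eu

# Octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Append KEY_LINE to HOME_DIR/.ssh/authorized_keys unless it is already
# there, creating the directory and file with the modes sshd requires.
# Running it twice with the same key is harmless (no duplicate lines).
install_authorized_key() {
    home_dir=$1
    key_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"        # create if missing, keep contents if present
    chmod 600 "$auth_file"

    # -x whole-line match, -F literal string, -q no output
    if grep -qxF -- "$key_line" "$auth_file"; then
        echo "key already present in $auth_file"
    else
        printf '%s\n' "$key_line" >> "$auth_file"
        echo "key added to $auth_file"
    fi
}

# Report whether the modes are ones sshd will accept; prints what is wrong
# and returns non-zero otherwise.
check_authorized_keys_perms() {
    home_dir=$1
    ok=0
    [ "$(mode_of "$home_dir/.ssh")" = "700" ] \
        || { echo "$home_dir/.ssh is not mode 700"; ok=1; }
    [ "$(mode_of "$home_dir/.ssh/authorized_keys")" = "600" ] \
        || { echo "$home_dir/.ssh/authorized_keys is not mode 600"; ok=1; }
    return $ok
}

# Usage on the server, logged in as the new user, with the .pub file copied
# over from your local machine (the private key stays local):
#   install_authorized_key "$HOME" "$(cat id_ed25519.pub)"
#   check_authorized_keys_perms "$HOME"
```

Keep your current session open while you test the key from a second terminal; if the test login fails, `sudo tail /var/log/auth.log` (or `journalctl -u ssh`) shows why before you go on to disable password authentication below.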

To connect to the server using the key file:

ssh -i ~/.ssh/id_ed25519 ops@123.12.1.123
# ssh -i <path_to_ssh_private_file> <USER>@<IP>

Now we're going to change the default SSH port (22) to something else, 714 for example. First of all, let's back up the current sshd config file:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Before editing the configuration file, let's check that the current options are OK (sshd -T prints the effective configuration and fails if the file doesn't parse):

sudo sshd -T

Now let's open the sshd configuration file:

# Open with nano or vim
sudo nano /etc/ssh/sshd_config
# Edit with vim
# sudo vi /etc/ssh/sshd_config

When editing your configuration file, some options may be commented out by default using a single hash character (#) at the start of the line. In order to edit these options, or have the commented option be recognized, you’ll need to uncomment them by removing the hash.

As mentioned above, first change the default SSH port:

Port 714

You don't have to use this (714) specific port number. You may want to pick something else.

Save the file and reload sshd:

sudo service sshd reload

Once you reload sshd, you should be disconnected from the server, since we've changed the default SSH port from 22 to 714. Reconnect to the server using the new port:

ssh -p 714 -i ~/.ssh/id_ed25519 ops@123.12.1.123
# ssh -p <PORT> -i <path_to_ssh_private_file> <USER>@<IP>

Now let's go back to the sshd config and change the following options:

PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
PasswordAuthentication no
PermitEmptyPasswords no

ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
DebianBanner no

You can find a detailed explanation of each of these in DigitalOcean's article.

Now validate the config file and reload sshd:

sudo sshd -T
sudo service sshd reload
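Most of the options above already exist in Ubuntu's sshd_config as commented-out lines, and sshd uses the first occurrence of a keyword it finds, so where an edit lands in the file matters. The script below is an added example, not code from the original post: it sets each option in place (or prepends it when absent, so it lands before any Match block), applies the whole list from this section in one go, and reads back what sshd will use. It assumes the config path and port are passed as arguments, so it can be run on a copy first.

```sh
#!/bin/sh
# Added example, not part of the original post: apply the sshd_config
# changes from this section idempotently and read back the resulting
# values. Assumptions: config path and port are passed in; the option list
# is the one given in the post. sshd keywords are case-insensitive, so the
# matching below is too.

set -eu

# Print the value of the first global (pre-Match, uncommented) occurrence of
# KEY in FILE. sshd uses the first occurrence, so later duplicates do not
# matter. Prints nothing if the key is not set globally.
get_sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }             # stop at the first Match block
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Set KEY to VALUE in FILE. If a global line for KEY exists (commented out
# or not), the first one is replaced in place. If none exists, the setting
# is prepended so it precedes any Match block. Lines inside Match blocks are
# never touched: a value there would only apply to that block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if awk -v k="$key" -v v="$value" '
            tolower($1) == "match" { in_match = 1 }
            !in_match && !done &&
                tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)") {
                print k " " v; done = 1; next
            }
            { print }
            END { exit done ? 0 : 1 }
        ' "$file" > "$tmp"; then
        :
    else
        { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$tmp.new"
        mv "$tmp.new" "$tmp"
    fi
    cat "$tmp" > "$file"   # overwrite in place, keeping the file's owner and mode
    rm -f "$tmp"
}

# Apply the full set of changes from this section to FILE, listening on PORT.
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    for kv in \
        'PermitRootLogin no' 'MaxAuthTries 3' 'LoginGraceTime 20' \
        'PasswordAuthentication no' 'PermitEmptyPasswords no' \
        'ChallengeResponseAuthentication no' 'KerberosAuthentication no' \
        'GSSAPIAuthentication no' 'X11Forwarding no' 'PermitUserEnvironment no' \
        'AllowAgentForwarding no' 'AllowTcpForwarding no' 'PermitTunnel no' \
        'DebianBanner no'; do
        set_sshd_option "$1" "${kv% *}" "${kv#* }"
    done
}

# Usage: work on a copy, syntax-check it, then install it and reload.
#   cp /etc/ssh/sshd_config /tmp/sshd_config.test
#   harden_sshd_config /tmp/sshd_config.test 714
#   sudo sshd -t -f /tmp/sshd_config.test    # syntax check only, nothing reloaded
#   get_sshd_option /tmp/sshd_config.test PasswordAuthentication   # prints: no
```

Two checks are worth doing after installing the file. First, compare with `sudo sshd -T | grep -iE '^(port|passwordauthentication|permitrootlogin) '`: current Ubuntu images start sshd_config with an `Include /etc/ssh/sshd_config.d/*.conf` line, and a value set in one of those included files (some cloud images ship one that turns PasswordAuthentication back on) wins over a line that comes later in the main file, so the `sshd -T` output is the only thing worth trusting. Second, newer Ubuntu releases start ssh through systemd socket activation (ssh.socket), in which case the listening port comes from the socket unit rather than from Port; `ss -tlnp` shows what is really bound.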

If you want to implement an IP address allowlist, you can check out DigitalOcean's article.

UFW (Firewall)

UFW is Ubuntu's default firewall front end and is really useful, but it's usually disabled by default. We're going to set up the firewall for our server.

Enable IPv6

By default on most recent Ubuntu servers, IPv6 is enabled, so UFW should filter IPv6 traffic too. To enable this, open /etc/default/ufw, find (or add) the line IPV6=yes and save the file.

Set up default policies

First of all we need to deny all incoming traffic while allowing all outgoing traffic.

sudo ufw default deny incoming
sudo ufw default allow outgoing

We need to allow OpenSSH to be able to connect to the server using SSH:

sudo ufw allow OpenSSH

Output:
Rule added
Rule added (v6)

Then we need to allow port 714 (the one we configured earlier) and deny the default SSH port 22:

sudo ufw allow 714
sudo ufw allow 714/tcp

sudo ufw deny 22

⚠️ Be careful with these ports. You may lose the ability to connect to the server if you specify the wrong ports.

Allowing other connections

You may want to allow other connections (Nginx, Apache, etc.):

  • sudo ufw allow http - Allows http (unencrypted) connections
  • sudo ufw allow https - Allows https connection
  • sudo ufw allow 'Nginx Full' - Nginx with both http and https
  • sudo ufw allow 'Apache Full' - Apache with both http and https

You can check the available application profiles with the following command:

sudo ufw app list

If you want to allow specific port ranges, you can use the following commands:

sudo ufw allow 3000:3005/tcp
sudo ufw allow 3000:3005/udp

You can also allow specific IP addresses:

sudo ufw allow from 203.0.113.4

You can read more about UFW setup in DigitalOcean's article.

Enable UFW

Before enabling the firewall, verify which rules have been added so far:

sudo ufw show added

and to enable the firewall, run the following command:

sudo ufw enable

Sometimes the firewall doesn't seem to "enable" (take effect). You may just reboot the server and you're good to go.
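The warning above about locking yourself out comes down to one thing: the port in the firewall rules has to be the port sshd is actually configured with. The script below is an added example, not code from the original post: it reads the Port from sshd_config, refuses to produce rules if that value is not a sane port number, prints the ufw commands for this section so they can be reviewed, and only emits the `deny 22` rule when SSH has really moved off port 22. It assumes the sshd_config path is passed as an argument.

```sh
#!/bin/sh
# Added example, not part of the original post: derive the UFW rules for
# SSH from the port sshd_config really uses, so the port is never typed
# twice. Assumptions: config path is passed in; commands are printed first
# (without sudo) so they can be reviewed, and applied separately.

set -eu

# Port sshd will listen on according to FILE: the first global Port line,
# or 22 (sshd's default) when none is set. Match blocks are ignored.
sshd_port() {
    p=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "port"  { print $2; exit }' "$1")
    printf '%s\n' "${p:-22}"
}

# Print the ufw commands (one per line) implementing the policy from this
# section for the SSH port in FILE. Prints nothing and fails if the port
# is not a number in 1..65535.
ufw_plan() {
    port=$(sshd_port "$1")
    case $port in
        ''|*[!0-9]*) echo "refusing: Port '$port' in $1 is not numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "refusing: Port $port in $1 is out of range" >&2; return 1
    fi
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow $port/tcp"
    # Only close 22 when SSH has really moved off it; otherwise this line
    # would cut off the session you are running it from.
    if [ "$port" -ne 22 ]; then
        echo "ufw deny 22/tcp"
    fi
}

# Apply a plan line by line. Word splitting of $line is intentional: every
# line is a fixed ufw command with no quoting in it.
ufw_apply() {
    plan=$(ufw_plan "$1") || return 1
    printf '%s\n' "$plan" | while IFS= read -r line; do
        sudo $line
    done
}

# Usage on the server:
#   ufw_plan /etc/ssh/sshd_config      # review first
#   ufw_apply /etc/ssh/sshd_config
#   sudo ufw show added                # then sudo ufw enable, as in the post
```

One ordering caveat: ufw evaluates rules in the order they were added, so `ufw deny 22` added after `ufw allow OpenSSH` does not override that earlier allow rule. Once SSH has moved, either delete the profile rule (`sudo ufw delete allow OpenSSH`) or never add it, and rely on the default deny policy. `sudo ufw limit 714/tcp` instead of `allow` additionally rate-limits repeated connection attempts to the SSH port. After `sudo ufw enable`, keep the current session open and confirm a fresh connection on the new port works before closing it.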

Bonus

If you use Nginx, you may want to harden it too. You can use DigitalOcean's handy tool here: https://www.digitalocean.com/community/tools/nginx

If you use Docker, you don't always need to expose services (Postgres, Redis) outside the server. Not exposing these outside the server is recommended.
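In Docker terms, "exposed outside the server" means a published port bound to a wildcard address (0.0.0.0 or [::]), as opposed to 127.0.0.1 or no published port at all. The check below is an added example, not code from the original post: it reads `docker ps --format '{{.Names}}\t{{.Ports}}'` output and lists the containers with wildcard-bound ports. The sample input embedded in it is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of the original post: find containers that
# publish ports on all interfaces. Assumption: input is the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# SAMPLE_DOCKER_PS below is constructed for illustration.

set -eu

SAMPLE_DOCKER_PS=$(printf 'web\t0.0.0.0:80->80/tcp, [::]:80->80/tcp\ndb\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp\ncache\t127.0.0.1:6379->6379/tcp\nworker\t\n')

# Read "name<TAB>ports" lines on stdin; print "name port" (deduplicated)
# for every host port published on a wildcard address: 0.0.0.0, [::], or
# the older ::: form. Loopback-only bindings and unpublished ports are
# skipped.
publicly_exposed() {
    awk -F'\t' '
        NF >= 2 && $2 != "" {
            n = split($2, parts, /, */)
            for (i = 1; i <= n; i++) {
                if (parts[i] ~ /^(0\.0\.0\.0:|\[::\]:|:::)[0-9]+->/) {
                    sub(/->.*$/, "", parts[i])   # drop "->container-port/proto"
                    sub(/^.*:/, "", parts[i])    # keep only the host port
                    print $1, parts[i]
                }
            }
        }' | sort -u
}

# Usage on a real host:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | publicly_exposed
printf '%s\n' "$SAMPLE_DOCKER_PS" | publicly_exposed
```

The reason this check matters alongside UFW: Docker programs iptables itself and its rules are consulted before UFW's, so a port published as `-p 5432:5432` is reachable from outside even with `ufw default deny incoming`. Bind such services to loopback (`-p 127.0.0.1:5432:5432`) or keep them on an internal Docker network without publishing them at all.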

Thanks for your attention. I'd be happy if this helps you somehow 😊

Written by manuchehr.me
