Securing the server is crucial. At a minimum, the following things must be set up to make your Ubuntu server more secure.
Updates
The first thing you should do when you connect to your fresh new server is update/upgrade the packages. Keeping the system up to date is probably one of the most important things.
sudo apt update
sudo apt full-upgrade -y
# Remove unnecessary packages
sudo apt autoremove -y
# One liner
sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y
No root user!
You really shouldn't use the default root user, as it's always bad practice. So let's create a normal user with superuser privileges.
Create new user
# adduser <new user username>
adduser ops
Make sure to replace ops with the username you want to create. You'll then be prompted to create and verify a password for the new user:
Output:
Changing the user information for ops
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
Add the user to the sudo group
usermod -aG sudo ops
Again, make sure to replace ops with the username you just created.
You can test that the new sudo permissions work by using the su command to switch to the new user account.
su - ops
As the new user, run any command with sudo:
sudo echo "Test"
The first time you use sudo in a session, you'll be prompted for the password of that user's account. Enter the new user's password, not the root user's password, to proceed.
Once you have done all of the above, you can log out/disconnect and connect to your server with the new user you just created.
SSH & SSHD
Logging in to the server with passwords is weak. We should connect to the server without passwords, using SSH keys instead. First we need to generate an SSH key pair on our local computer:
ssh-keygen -t ed25519
You'll then be prompted with the following questions:
- Where to save the SSH key: you may want to provide a specific path
- Passphrase: optional; you can press Enter to skip it (a passphrase encrypts the private key file on disk)
Output:
> Generating public/private ed25519 key pair.
> Enter file in which to save the key (/Users/<username>/.ssh/id_ed25519):
> Enter passphrase for "/Users/<username>/.ssh/id_ed25519" (empty for no passphrase):
> Enter same passphrase again:
Once you've completed all steps, two files are generated: the public key (id_ed25519.pub) and the private key (id_ed25519). Copy the content of the public <ssh_file_name>.pub file and add it to the ~/.ssh/authorized_keys file on the server (create it if it doesn't exist). Once you've added the public key to the server's authorized_keys, you may want to reload the sshd service:
sudo service sshd reload
To connect to the server using the key file:
ssh -i ~/.ssh/id_ed25519 ops@123.12.1.123
# ssh -i <path_to_ssh_private_file> <USER>@<IP>
Now we're going to change the default SSH port (22) to something else, 714 for example. First of all, let's back up the current sshd config file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Before editing the configuration file, let's check that the current effective options are valid (sshd -T prints the effective configuration and fails on a broken one):
sudo sshd -T
Now let's open sshd configuration file:
# Open with nano or vim
sudo nano /etc/ssh/sshd_config
# Edit with vim
# sudo vi /etc/ssh/sshd_config
When editing your configuration file, some options may be commented out by default using a single hash character (#) at the start of the line. In order to edit these options, or have the commented option be recognized, you'll need to uncomment them by removing the hash.
As mentioned above, first change the default SSH port:
Port 714
You don't have to use this specific port number (714). You may want to pick something else.
Save the file and reload sshd:
sudo service sshd reload
Once you reload sshd, you should be disconnected from the server since we've changed the default SSH port from 22 to 714. Reconnect to the server with the new SSH port:
ssh -p 714 -i ~/.ssh/id_ed25519 ops@123.12.1.123
# ssh -p <PORT> -i <path_to_ssh_private_file> <USER>@<IP>
Now let's go back to the sshd config and change the following:
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
DebianBanner no
You can find a detailed explanation of each of these in DigitalOcean's article.
Now validate the config file and reload sshd:
sudo sshd -T
sudo service sshd reload
If you want to implement an IP address allowlist, you can check out DigitalOcean's article.
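As an added check that is not part of the original post: the script below compares the output of sudo sshd -T with the values set above and reports every option that is missing or differs. It assumes the dump has been saved to a file first, and it deliberately leaves out ChallengeResponseAuthentication and DebianBanner because their printed names vary between OpenSSH versions.

```shell
#!/usr/bin/env bash
# Compare the effective sshd configuration (output of `sudo sshd -T`) against the
# hardening values from this section. Exit status 0 = all match, 1 = drift found.
# Assumption: the dump has been saved to a file, e.g. `sudo sshd -T > /tmp/sshd-T.txt`.
# Option names are lowercase because that is how sshd -T prints them.

EXPECTED_SSHD='
port 714
permitrootlogin no
maxauthtries 3
logingracetime 20
passwordauthentication no
permitemptypasswords no
kerberosauthentication no
gssapiauthentication no
x11forwarding no
permituserenvironment no
allowagentforwarding no
allowtcpforwarding no
permittunnel no
'
# Left out on purpose: challengeresponseauthentication (printed as
# kbdinteractiveauthentication by newer OpenSSH) and debianbanner (Debian/Ubuntu-only).

audit_sshd_config() {   # audit_sshd_config <file-with-sshd-T-output>
  local dump="$1" rc=0 key want have
  while read -r key want; do
    [ -n "$key" ] || continue
    # sshd -T prints one "option value" per line; take the first line for the option.
    have=$(awk -v k="$key" '$1 == k { print $2; exit }' "$dump")
    if [ -z "$have" ]; then
      echo "MISSING  $key (expected $want)" >&2; rc=1
    elif [ "$have" != "$want" ]; then
      echo "MISMATCH $key: is '$have', expected '$want'" >&2; rc=1
    fi
  done <<EOF
$EXPECTED_SSHD
EOF
  return "$rc"
}

# Usage on the server itself:  ./audit-sshd.sh --live
if [ "${1:-}" = "--live" ]; then
  sudo sshd -T > /tmp/sshd-T.txt && audit_sshd_config /tmp/sshd-T.txt && echo "sshd config OK"
fi
```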
UFW (Firewall)
UFW is Ubuntu's default firewall and is really useful, but it's usually disabled by default. We're going to set up the firewall for our server.
Enable IPV6
By default on most recent Ubuntu servers, IPv6 is enabled. To make sure UFW covers IPv6 too, open /etc/default/ufw, find or add the line IPV6=yes, and save the file.
Set up default policies
First of all we need to deny all incoming traffic while allowing all outgoing traffic.
sudo ufw default deny incoming
sudo ufw default allow outgoing
We need to allow OpenSSH so that we can still connect to the server using SSH:
sudo ufw allow OpenSSH
Output:
Rule added
Rule added (v6)
Then we need to deny SSH port 22 and allow 714 (which we changed earlier):
sudo ufw allow 714
sudo ufw allow 714/tcp
sudo ufw deny 22
⚠️ Be careful with these ports. You may lose the ability to connect to the server if you specify the wrong ports.
Allowing other connections
You may want to enable other connections (Nginx, Apache, etc.):
- sudo ufw allow http - allows HTTP (unencrypted) connections
- sudo ufw allow https - allows HTTPS connections
- sudo ufw allow 'Nginx Full' - Nginx with both HTTP and HTTPS
- sudo ufw allow 'Apache Full' - Apache with both HTTP and HTTPS
You can check the available application profiles with the following command:
sudo ufw app list
If you want to allow specific port ranges, you can use the following commands:
sudo ufw allow 3000:3005/tcp
sudo ufw allow 3000:3005/udp
You can also allow specific IP addresses:
sudo ufw allow from 203.0.113.4
You can read more about UFW setup in DigitalOcean's article.
Enable UFW
Before enabling the firewall, verify which rules have been added so far:
sudo ufw show added
And to enable the firewall, run the following command:
sudo ufw enable
Sometimes the firewall doesn't "enable" (take effect). You may just reboot the server and you're good to go.
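An added example, not from the original post: ufw evaluates its rules in the order they were added and the first match wins, so an allow OpenSSH rule added before deny 22 still matches port 22. The function below replays that first-match logic over the output of sudo ufw status numbered for one port, so you can see which rule actually wins before you enable the firewall; the OpenSSH-to-22 mapping and the sample status text are my own constructed assumptions.

```shell
#!/usr/bin/env bash
# Simulate ufw's first-match-wins evaluation of incoming rules for one TCP port,
# reading the output of `sudo ufw status numbered` from a file.
# Assumption: only the OpenSSH app profile is mapped to a port (22); other app
# profiles such as 'Nginx Full' are left as-is and never match a bare port number.

effective_action() {   # effective_action <status-file> <port>  -> ALLOW|DENY|REJECT|LIMIT|DEFAULT
  local port="$2" line to action
  while IFS= read -r line; do
    case "$line" in '['*) ;; *) continue ;; esac             # numbered rule lines only
    action=$(printf '%s\n' "$line" | sed -nE 's/.*[[:space:]](ALLOW|DENY|REJECT|LIMIT) IN[[:space:]].*/\1/p')
    [ -n "$action" ] || continue                              # skip OUT/FWD rules
    to=${line#*]}                                             # drop the "[ n]" index
    to=${to%%  *}                                             # keep only the "To" column
    to=$(printf '%s' "$to" | sed -E 's/^[[:space:]]+//; s/ \(v6\)$//; s#/tcp$##')
    [ "$to" = "OpenSSH" ] && to=22                            # constructed profile map
    if [ "$to" = "$port" ] || [ "$to" = "Anywhere" ]; then
      printf '%s\n' "$action"; return 0                       # first matching rule wins
    fi
  done < "$1"
  printf 'DEFAULT\n'                                          # no rule: default policy applies
}

# Constructed sample in the layout ufw prints after the allow/deny commands above.
sample_ufw_status() {
  cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] 714                        ALLOW IN    Anywhere
[ 3] 714/tcp                    ALLOW IN    Anywhere
[ 4] 22                         DENY IN     Anywhere
[ 5] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
[ 6] 22 (v6)                    DENY IN     Anywhere (v6)
EOF
}

# Usage on the server itself:  ./ufw-first-match.sh --live 22
if [ "${1:-}" = "--live" ]; then
  sudo ufw status numbered > /tmp/ufw-status.txt
  printf 'port %s: %s\n' "${2:-22}" "$(effective_action /tmp/ufw-status.txt "${2:-22}")"
fi
```

With the sample above, port 22 reports ALLOW (rule 1 wins over rule 4); deleting rule 1 with sudo ufw delete 1 before enabling is what makes the deny take effect.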
Bonus
If you use nginx, you may want to make it safer too. You can use DigitalOcean's handy tool here: https://www.digitalocean.com/community/tools/nginx
If you use Docker, you usually don't need to expose services (postgres, redis) outside of the server. Not exposing them outside of the server is recommended.
Thanks for your attention. I'd be happy if this helps you somehow 😊
Written by manuchehr.me