Basic Ubuntu server security
Published June 6th, 2020
After setting up an Ubuntu server, there are many steps you can take to lock it down and discourage attacks. We'll go over some of the basic steps you can do to improve your server's security.
Introduction
This tutorial is for those who want to secure their Ubuntu servers after setting them up, perhaps coming from my previous tutorial on setting up an Ubuntu server. Security is incredibly important for obvious reasons, but we acknowledge that there is no such thing as impenetrable security. Nevertheless, we strive to improve security by making it more difficult for attackers to infiltrate our server. Keep in mind, these are only some of the basic first steps you can take to secure your server. There are plenty of more advanced procedures and techniques to further secure your server.
Prerequisites
- An Ubuntu server that you have SSH access to
Update and Upgrade
An important part of security is to keep your server up to date with the latest security patches. Commonly used software on your server and even Linux and Ubuntu themselves have bugs and vulnerabilities that get patched out through software updates.
We want to update the list of available packages and their versions in apt, and then install those newer versions of the packages that you already have installed. We can accomplish this with a single command:
This is something you want to do regularly. In fact, you could automate this process if you'd like using crontab, which we won't go over here.
User Management
Separating users from each other is incredibly important for distinguishing permissions and leaving a paper trail. Additionally, it is bad practice to use the root user. Here, we'll discuss how to create a new user, give them sudo permissions, change users, and allow SSHing into a user account.
Creating a new user
To create a new user, run the following command and respond to the prompts.
Giving a user sudo perms
To add a user to the group of sudo-ers, run the following:
Switching Users
To switch to a user, run the following and enter the password if prompted:
If you are a sudo-er, you may also switch to the root user:
To switch back from a user:
Allowing SSH into user accounts
If you're still accessing your server by SSH'ing into root, we want to change that. Allowing root SSH is like leaving your safe open at home. Sure, a burglar needs to break into the home first, but once they do, the stuff in your safe is as good as gone.
The solution is to directly SSH into your user, rather than into root and switching users. To do this, we need to add your local machine's public key to the ~/.ssh/authorized_keys of the given user.
First, switch to the given user.
Create the ~/.ssh directory if it doesn't exist.
Create/open the file authorized_keys and paste in your machine's SSH public key.
Your public key should look something like this (my public key):
For a refresher on how to get your local machine's public key, visit my previous tutorial.
Firewall
Back in the olden days, server administrators had to worry about 2 primary vectors of attack: physical attacks and network attacks. Physical attacks involve directly accessing server hardware, injecting software using thumb drives, etc. With the advent of cloud computing, most attacks have shifted towards network-based infiltrations. Therefore, we must pay special attention to what Internet traffic we allow in and out of our server. We can control this with a firewall, which has configurable rules on what traffic to block.
You need to be a sudo-er to perform these steps. We will use ufw; iptables is another program that suits this purpose, but it is more complex.
By default, ufw denies traffic through ports. You specify what ports you allow traffic through:
We must allow port 22 (the port that SSH runs on). Depending on what else your server is performing, you may want to open other ports as well, such as 80 for HTTP.
Finally, you must enable the firewall for it to take effect:
WARNING: make sure that you are allowing the SSH port (22 by default) before you enable the firewall, or else you may lock yourself out and make life very difficult!
Locking Down SSH
Following the theme of the previous section, we must also secure SSH access. This involves disallowing SSH into root and disallowing password authentication over SSH.
This takes you into the SSH config file. Find the following configuration lines and set them as such:
...
PasswordAuthentication no
Also make sure to remove the "#" in front of the lines if they exist to uncomment the lines. Finally, restart the SSH service:
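Before restarting, it is worth confirming that the edits actually took effect, since a line left behind a "#" or shadowed by an earlier duplicate changes nothing. The script below is an added example, not part of the original tutorial: the function names and the sample file are constructed, and PermitRootLogin is assumed to be the root-login keyword because the tutorial's own line for it is not shown.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit one sshd_config-style file.

# effective_value FILE KEYWORD
# Prints the value sshd would take for KEYWORD from FILE: keywords are
# case-insensitive and the first uncommented occurrence wins. Prints nothing
# when the keyword only appears behind a "#", so the built-in default applies.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }     # comments and blank lines do nothing
        tolower($1) == "match" { exit }    # settings after Match are conditional
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE
# Returns 0 only if root login and password authentication are both set to
# "no" explicitly; otherwise reports what is weak and returns 1.
audit_sshd() {
    rc=0
    # PermitRootLogin: standard OpenSSH keyword, assumed (not shown on the page)
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "OK    $key no"
        else
            echo "WEAK  $key ${val:-(commented out or missing)}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: one line still commented out, one duplicated keyword.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "sshd_config still needs changes"
rm -f "$sample"
```

This check reads a single file and does not follow Include directives; on the server itself, sudo sshd -T prints the configuration that sshd actually resolved.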
Conclusion
By no means is this a comprehensive list of things you can do to secure your server. You can continue by securing shared memory, installing fail2ban, and so on. These are simply some of the most important first steps to take. Happy sysadmin-ing!