Basic Ubuntu server security

Published June 6th, 2020

After setting up an Ubuntu server, there are many steps you can take to lock it down and discourage attacks. We'll go over some of the basic steps you can do to improve your server's security.

Contents

  1. Introduction
  2. Prerequisites
  3. Update and Upgrade
  4. User Management
  5. Firewall
  6. Locking Down SSH
  7. Conclusion

Introduction

This tutorial is for those who want to secure their Ubuntu servers after setting them up, perhaps coming from my previous tutorial on setting up an Ubuntu server. Security matters for obvious reasons, but there is no such thing as impenetrable security. What we can do is raise the cost of an attack: each step below removes an easy way in, so an attacker has to work harder to get a foothold on the server. Keep in mind that these are only some of the basic first steps you can take to secure your server. There are plenty of more advanced procedures and techniques to further secure it.

Prerequisites

Update and Upgrade

An important part of security is keeping your server up to date with the latest security patches. Commonly used software on your server, and even the Linux kernel and Ubuntu's own packages, have bugs and vulnerabilities that are fixed through software updates; an unpatched server is exposed to attacks that are already public and often automated.

We want to update the list of available packages and their versions in apt, and then install those newer versions of the packages that you already have installed. We can accomplish this with a single command:

$ sudo apt update && sudo apt upgrade

This is something you want to do regularly. If you'd like to automate it, Ubuntu's unattended-upgrades package installs security updates on a schedule (you could also script the command above with crontab); we won't go over either here. Note that a kernel update only takes effect after a reboot: if the file /var/run/reboot-required exists after upgrading, the server still needs one.

User Management

Separating users from each other is incredibly important: it lets you give each account only the permissions it needs and leaves a paper trail of who did what. It is also bad practice to work as the root user day to day. Here, we'll discuss how to create a new user, give them sudo permissions, switch users, and allow SSHing into a user account.

Creating a new user

To create a new user, run the following command and respond to the prompts.

$ sudo adduser [USERNAME]

Giving a user sudo perms

To add a user to the sudo group (whose members may run commands as root with sudo, after entering their own password), run the following:

$ sudo usermod -aG sudo [USERNAME]

Switching Users

To switch to a user, run the following and enter the password if prompted:

$ su [USERNAME]

If you are a sudo-er, you may also switch to the root user:

$ sudo -i

To switch back from a user:

$ exit

Allowing SSH into user accounts

If you're still accessing your server by SSHing into root, we want to change that. Allowing root SSH is like leaving your safe open at home. Sure, a burglar needs to break into the home first, but once they do, the stuff in your safe is as good as gone. In the same way, anyone who gets into a root SSH session already holds every privilege on the machine, and the logs only say "root" rather than which person logged in.

The solution is to SSH directly into your user, rather than into root and switching users. To do this, we need to add your local machine's public key to the ~/.ssh/authorized_keys file of the given user.

First, switch to the given user.

$ su [USERNAME]

Create the ~/.ssh directory if it doesn't exist, and make it accessible only to the user (sshd ignores keys in a directory that other users can write to):

$ mkdir -p ~/.ssh && chmod 700 ~/.ssh

Create/open the file ~/.ssh/authorized_keys, paste in your machine's SSH public key on a single line, and restrict that file's permissions as well:

$ nano ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

Your public key should look something like this (my public key):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsAXPEhsmJbFefXWjisKDAS/FLfZiXU7Ptkn3QlsAJ1tJoY5VCLdjRUUAEyEpKy5kXGrzn0aOBKnUNWkPgkySzbstWoF5KQJG4cLT3z4wxbv62gABlBii7RXfjdqCajGLGHweJMePN6Sf2/LUbmJIbrjxBIr5VDufhuRVtcwpAwY8b3v/1ZknfQJRmJb8eAGOT15nwtasUeNauK+YEf2WV9/EKnVyum/2HbgSH2gb9myrDs4uv79ME5GzReXkPJSyJ2PZjihKUll39vZYddzl2Ub2OoUS6h14mNX7EuxR06nt7ROnk+h4R7iHxIwFJ8nImLprziDQy9+0FkNOaIu0x Terrance [email protected]

For a refresher on how to get your local machine's public key, visit my previous tutorial.
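The user-creation and key-installation steps above, as one idempotent script. This is an added example, not code from the original tutorial; the function names (valid_pubkey, install_authorized_key, provision_user) are this example's own, and the key used in the comments is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create a user, grant sudo, and install
# an SSH public key with the file modes sshd insists on. Safe to re-run.

# Accept only lines that look like an OpenSSH public key: key type, base64 blob, optional comment.
valid_pubkey() {
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+={0,3}( .*)?$'
}

# install_authorized_key HOME_DIR "KEY LINE" [OWNER]
# Creates HOME_DIR/.ssh (0700) and appends the key to authorized_keys (0600) unless it is
# already there. sshd's StrictModes (on by default) ignores authorized_keys when it or
# ~/.ssh is writable by anyone but the owner, so the chmod calls are not cosmetic.
install_authorized_key() {
  home="$1"; key="$2"; owner="${3-}"
  valid_pubkey "$key" || { echo "refusing to install: not an OpenSSH public key" >&2; return 1; }
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  ak="$home/.ssh/authorized_keys"
  touch "$ak" && chmod 600 "$ak"
  grep -qxF -- "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
  # When run as root on behalf of another user, hand the files to that user.
  if [ -n "$owner" ]; then chown -R "$owner:$(id -gn "$owner")" "$home/.ssh"; fi
  return 0
}

# provision_user NAME "KEY LINE": run as root. adduser still prompts for a password
# (sudo needs one); the key goes straight into the new account so you never SSH as root.
provision_user() {
  name="$1"; key="$2"
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
  id "$name" >/dev/null 2>&1 || adduser --gecos '' "$name"
  usermod -aG sudo "$name"
  install_authorized_key "$(getent passwd "$name" | cut -d: -f6)" "$key" "$name"
}

# Example invocation: sudo sh provision.sh --provision alice 'ssh-ed25519 AAAA... alice@laptop'
# (the key shown is a placeholder, not a real key).
case "${1-}" in
  --provision) provision_user "$2" "$3" ;;
esac
```

Because install_authorized_key checks for the exact line before appending, running the script again for the same user and key is harmless, and a stray paste of something that is not a public key is rejected instead of silently landing in authorized_keys.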

Firewall

Back in the olden days, server administrators had to worry about two primary vectors of attack: physical attacks and network attacks. Physical attacks involve directly accessing server hardware, injecting software using thumb drives, etc. With the advent of cloud computing, most attacks have shifted towards network-based infiltrations. Therefore, we must pay special attention to what Internet traffic we allow in and out of our server. We can control this with a firewall, which has configurable rules on what traffic to block.

You need to be a sudo-er to perform these steps. We will use ufw (Uncomplicated Firewall), a front end that manages the kernel's netfilter rules for you; iptables is the lower-level tool that edits those rules directly, and it is more complex.

Once enabled, ufw denies incoming traffic by default and allows outgoing traffic. You specify which ports you want to accept incoming connections on:

$ sudo ufw allow [PORT]

We must allow port 22, the port SSH listens on by default (if you changed the Port setting in /etc/ssh/sshd_config, allow that port instead). Depending on what else your server is performing, you may want to open other ports as well, such as 80 for HTTP.

Finally, you must enable the firewall for it to take effect:

$ sudo ufw enable

WARNING: make sure that you are allowing the SSH port (22 by default) before you enable the firewall, or else you may lock yourself out and make life very difficult! After enabling, sudo ufw status verbose lists the active rules, so confirm the SSH rule is there before you close your session.
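The firewall steps above, as an added example that derives the SSH port from sshd_config instead of assuming 22. This is not code from the original tutorial; the function names are this example's own, and it reads Port lines from the main config file only (ports given through ListenAddress or an Include file are not seen).

```shell
#!/bin/sh
# Added example (not from the original tutorial): open the port(s) sshd actually listens
# on before turning ufw on, so "ufw enable" cannot cut off the session it is run from.

# Print every port from uncommented "Port N" lines in an sshd_config (sshd listens on all
# of them); print 22 if none is set. Takes the config path as $1.
sshd_ports() {
  cfg="${1:-/etc/ssh/sshd_config}"
  ports=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$cfg")
  printf '%s\n' "${ports:-22}"
}

# The tutorial's policy (deny in, allow out, open SSH, enable) with the port derived.
# "limit" instead of "allow" also rate-limits brute-force attempts: ufw drops further
# connections from an address that opened 6 or more in the last 30 seconds.
ufw_open_ssh_and_enable() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
  command -v ufw >/dev/null || { echo "ufw is not installed" >&2; return 1; }
  ufw default deny incoming
  ufw default allow outgoing
  for p in $(sshd_ports "${1-}"); do
    ufw limit "$p/tcp"
  done
  ufw --force enable        # --force skips the interactive "may disrupt existing ssh" prompt
  ufw status verbose        # read this before closing the session you are in
}

# Example invocation: sudo sh firewall.sh --apply
case "${1-}" in
  --apply) ufw_open_ssh_and_enable ;;
esac
```

Add further ufw allow lines for the services the server actually runs (80/tcp for HTTP, and so on) before the enable step; anything not listed stays closed.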

Locking Down SSH

Following the theme of the previous section, we must also secure SSH access. This involves disallowing SSH login as root and disabling password authentication, so that only key-based logins are accepted. Before you disable passwords, confirm from a second terminal that you can already log in to your user with your key; otherwise the next steps lock you out. Open the SSH daemon's config file (it is owned by root, so you need sudo):

$ sudo nano /etc/ssh/sshd_config

This takes you into the SSH config file. Find the following configuration lines and set them as such:

PermitRootLogin no
...
PasswordAuthentication no

Also make sure to remove the "#" in front of the lines if they exist to uncomment the lines. Note that sshd uses the first value it finds for a setting, and on Ubuntu 20.04 and later the file starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there (cloud-init on some images writes one that sets PasswordAuthentication yes) silently overrides what you just typed; sudo sshd -T prints the effective values so you can check. Finally, run sudo sshd -t to catch syntax errors, then restart the SSH service, keeping your current session open until a new key-based login succeeds:

$ sudo service ssh restart
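A check for the "first value wins" and Include behaviour described above, as an added example that is not part of the original tutorial. It resolves the effective value of a setting from the config files the way sshd does, so you can see whether a drop-in under sshd_config.d undoes your edit; the function names are this example's own, and the safe-restart helper assumes Ubuntu's service name ssh.

```shell
#!/bin/sh
# Added example (not from the original tutorial). sshd takes the FIRST value it sees for
# a keyword, reads Include files at the point of the Include line, and treats anything
# after a Match block as conditional. This resolves the effective value the same way.

# Flatten CONFIG and its Include files into "Keyword value" lines in sshd's read order.
# Comments and blank lines are dropped; "Keyword=value" is normalised to "Keyword value".
_walk_config() {
  sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' \
      -e 's/^\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*/\1 /' "$1" |
  while read -r key value; do
    case "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" in
      include)
        set -f                                   # expand the pattern only once it is absolute
        for pat in $value; do
          case "$pat" in /*) ;; *) pat="/etc/ssh/$pat" ;; esac   # relative paths are under /etc/ssh
          set +f
          for f in $pat; do
            if [ -f "$f" ]; then _walk_config "$f"; fi
          done
          set -f
        done
        set +f ;;
      *) printf '%s %s\n' "$key" "$value" ;;
    esac
  done
}

# effective_setting KEYWORD [CONFIG]: print the value sshd would use globally, nothing if unset.
effective_setting() {
  _walk_config "${2:-/etc/ssh/sshd_config}" |
  awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }      # conditional section: stop looking
    tolower($1) == kw      { print $2; exit }
  '
}

# check_sshd_hardening [CONFIG]: print both settings; succeed only if both resolve to "no".
check_sshd_hardening() {
  cfg="${1:-/etc/ssh/sshd_config}"; rc=0
  for kw in PermitRootLogin PasswordAuthentication; do
    v=$(effective_setting "$kw" "$cfg")
    printf '%-22s %s\n' "$kw" "${v:-(unset: sshd default applies)}"
    if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != "no" ]; then rc=1; fi
  done
  return $rc
}

# Only restart after the config parses; keep the current session open until a fresh
# key-based login from another terminal succeeds.
safe_sshd_restart() {
  sshd -t || { echo "sshd_config has errors; not restarting" >&2; return 1; }
  systemctl restart ssh
}

# Example invocations: sudo sh sshcheck.sh --check   /   sudo sh sshcheck.sh --restart
case "${1-}" in
  --check)   check_sshd_hardening ;;
  --restart) safe_sshd_restart ;;
esac
```

If --check reports PasswordAuthentication yes even though the main file says no, look in /etc/ssh/sshd_config.d: a drop-in named so that it sorts first (for example 00-hardening.conf) with the desired values wins over later files, because sshd keeps the first value it reads.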

Conclusion

By no means is this a comprehensive list of things you can do to secure your server. You can continue by securing shared memory, installing fail2ban, and so on. These are simply some of the most important first steps to take. Happy sysadmin-ing!