
Secure Ubuntu Server

PATCH!

Always patch your applications and operating systems to the latest versions. Don't run end-of-life software.

Accounts and access

SSH keys

Create SSH keys. If you already have SSH keys you can skip this step. This is done on your local machine, not the server. Note that some older systems don't work with ED25519 keys; in that case you need to create an RSA key instead with ssh-keygen -t rsa -b 4096. But try with ED25519 keys first.

ssh-keygen -t ed25519

It will ask where to save the key and what to name it. Press enter to accept the defaults.
Enter a passphrase (optional); you will need to enter this passphrase every time you use the SSH key. It's more secure but less convenient.
Now you have id_ed25519 and id_ed25519.pub in ~/.ssh/.
id_ed25519 is your private key, keep it safe and never give it to anyone.
id_ed25519.pub is your public key which you add to servers etc.

Accounts

Set a long and complex password for the root user and store it in your password manager. The root user will never be used to log in. Therefore we will create a new user called newuser.

First set the password for your root account.

passwd

Create a new user that we will use as the daily admin user.

sudo useradd -m -s /bin/bash newuser

Create the user's .ssh directory.

sudo mkdir /home/newuser/.ssh

Set permissions on the user's .ssh directory.

sudo chmod 700 /home/newuser/.ssh

Give the new user a password.

sudo passwd newuser

Create and edit the authorized_keys file for the new user. Paste in the contents of the public key file id_ed25519.pub we created earlier.

sudo nano /home/newuser/.ssh/authorized_keys

Set permissions on the user's authorized_keys file.

sudo chmod 400 /home/newuser/.ssh/authorized_keys

Give the new user ownership of their home directory.

sudo chown newuser:newuser /home/newuser -R

Give the new user sudo permissions.

sudo visudo

Add the line newuser ALL=(ALL:ALL) ALL so it looks like this.

root    ALL=(ALL:ALL) ALL
newuser    ALL=(ALL:ALL) ALL

Now start a new SSH session, login with your newly created user and make sure it works.
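The account steps above collected into one script, as an added example that is not the guide's own code. It assumes GNU coreutils (stat -c), the /etc/sudoers.d drop-in directory that Ubuntu ships, and a public key passed in as text; the function and variable names (install_authorized_key, ADMIN_USER, ADMIN_PUBKEY) are this example's own. It adds three checks the manual steps skip: the pasted line must look like an ssh-ed25519 or ssh-rsa public key, the sudo rule goes into a separate file validated with visudo -c instead of hand-editing /etc/sudoers, and the resulting file modes can be read back.

```shell
#!/bin/sh
# Added example (not from the original guide): provision the daily admin user
# with the same layout and permissions as the manual steps, plus basic checks.
# Run as root:  ADMIN_USER=newuser ADMIN_PUBKEY="$(cat id_ed25519.pub)" sh provision_admin.sh
set -eu

# Accept only the key types this guide produces (ed25519 or RSA). Anything else
# is most likely a pasted private key or a mangled line.
valid_pubkey() {
    case "$1" in
        "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create HOME_DIR/.ssh (mode 700) and add PUBKEY to authorized_keys (mode 400).
# Pure file operations, so it can be exercised against a scratch directory.
install_authorized_key() {
    local home_dir="$1" pubkey="$2" keyfile
    keyfile="$home_dir/.ssh/authorized_keys"
    valid_pubkey "$pubkey" || { echo "refusing to install: not an ssh-ed25519/ssh-rsa public key" >&2; return 1; }
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    [ -f "$keyfile" ] && chmod 600 "$keyfile"   # a previous run left it read-only; reopen it
    grep -qxF "$pubkey" "$keyfile" 2>/dev/null || printf '%s\n' "$pubkey" >> "$keyfile"
    chmod 400 "$keyfile"
}

# Octal mode of a path, e.g. 700, so the result can be verified.
mode_of() { stat -c %a "$1"; }

# Full procedure: user, key, ownership, sudo. The sudo rule goes into a
# sudoers.d drop-in that visudo -c syntax-checks before it can take effect.
provision_admin_user() {
    local user="$1" pubkey="$2" home_dir
    home_dir="/home/$user"
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    install_authorized_key "$home_dir" "$pubkey"
    chown -R "$user:$user" "$home_dir"
    printf '%s ALL=(ALL:ALL) ALL\n' "$user" > "/etc/sudoers.d/90-$user"
    chmod 440 "/etc/sudoers.d/90-$user"
    visudo -c -f "/etc/sudoers.d/90-$user"
    echo "now run: passwd $user, then test a fresh SSH login as $user before locking down sshd"
}

# Only act when run as root with both variables set; otherwise just define the functions.
if [ "$(id -u)" -eq 0 ] && [ -n "${ADMIN_USER:-}" ] && [ -n "${ADMIN_PUBKEY:-}" ]; then
    provision_admin_user "$ADMIN_USER" "$ADMIN_PUBKEY"
fi
```

Keep the existing root session open while you test the new login in a second terminal; the script deliberately stops short of the sshd changes so that a mistake here still leaves a way in.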

Install updates and auto install security updates

Start by getting your server up to date.

sudo apt update && sudo apt upgrade

Install the unattended-upgrade package.

sudo apt-get install unattended-upgrades

Edit the /etc/apt/apt.conf.d/10periodic file

sudo nano /etc/apt/apt.conf.d/10periodic

Update the file so it looks like this

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Edit the file /etc/apt/apt.conf.d/50unattended-upgrades

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Optional - Not recommended: Enable application updates.
Remove the comment, i.e. replace

//             "${distro_id}:${distro_codename}-updates";

with

               "${distro_id}:${distro_codename}-updates";

Optional - Recommended: Automatic reboot if the update requires it. A bit further down this file you will find

//Unattended-Upgrade::Automatic-Reboot "false";

Replace it with

Unattended-Upgrade::Automatic-Reboot "true";

Then replace

//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

with this, and replace 02:00 with the time of your choice.

Unattended-Upgrade::Automatic-Reboot-Time "02:00";
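An added check for the two APT files edited above, not part of the original guide: it reads the files back and reports whether unattended security upgrades, the reboot settings and the -security origin are actually active, and flags the optional -updates origin. It assumes the stock Ubuntu layout of 10periodic and 50unattended-upgrades (// comments, KEY "value"; lines) and GNU sed/grep; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the unattended-upgrades setup.
# Usage: sh audit_apt.sh --audit-system   (reads the two /etc/apt/apt.conf.d files)
set -eu

# Print the quoted value of KEY in an APT conf file, skipping lines commented
# out with //. Prints nothing when the key is absent or only commented.
apt_conf_value() {
    local file="$1" key="$2"
    sed -n "s|^[[:space:]]*$key[[:space:]]*\"\([^\"]*\)\";.*|\1|p" "$file" | head -n 1
}

# Succeed when ORIGIN (e.g. ${distro_id}:${distro_codename}-security) is an
# active, uncommented entry of the Allowed-Origins list in FILE.
origin_enabled() {
    local file="$1" origin="$2"
    grep -v '^[[:space:]]*//' "$file" | grep -qF "\"$origin\";"
}

# expect_eq LABEL ACTUAL EXPECTED: print one PASS/FAIL line, non-zero on mismatch.
expect_eq() {
    if [ "$2" = "$3" ]; then echo "PASS: $1 = $2"; return 0; fi
    echo "FAIL: $1 = '${2:-unset}', expected $3"; return 1
}

# Audit PERIODIC (10periodic) and UNATTENDED (50unattended-upgrades).
# Returns 0 only when every required setting is in place.
audit_unattended() {
    local periodic="$1" unattended="$2" fails=0
    expect_eq Update-Package-Lists "$(apt_conf_value "$periodic" APT::Periodic::Update-Package-Lists)" 1 || fails=$((fails+1))
    expect_eq Unattended-Upgrade "$(apt_conf_value "$periodic" APT::Periodic::Unattended-Upgrade)" 1 || fails=$((fails+1))
    expect_eq Automatic-Reboot "$(apt_conf_value "$unattended" Unattended-Upgrade::Automatic-Reboot)" true || fails=$((fails+1))
    echo "INFO: Automatic-Reboot-Time = $(apt_conf_value "$unattended" Unattended-Upgrade::Automatic-Reboot-Time)"
    if origin_enabled "$unattended" '${distro_id}:${distro_codename}-security'; then
        echo "PASS: -security origin enabled"
    else
        echo "FAIL: -security origin is commented out"; fails=$((fails+1))
    fi
    if origin_enabled "$unattended" '${distro_id}:${distro_codename}-updates'; then
        echo "NOTE: -updates origin enabled (optional, not recommended above)"
    fi
    [ "$fails" -eq 0 ]
}

if [ "${1:-}" = "--audit-system" ]; then
    audit_unattended /etc/apt/apt.conf.d/10periodic /etc/apt/apt.conf.d/50unattended-upgrades
fi
```

A non-zero exit from audit_unattended means at least one FAIL line was printed; run it again after each edit until it is clean, and remember that the reboot time only matters once Automatic-Reboot is "true".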

Lock down SSH

sudo nano /etc/ssh/sshd_config

Add these lines to the file. They will deny root login over SSH and disable password authentication, since you now use SSH keys.

PermitRootLogin no
PasswordAuthentication no

Optionally add this to restrict logins to certain users from specific IP addresses.

AllowUsers newuser@x.x.x.x

Make sure to only use secure ciphers, so add this to /etc/ssh/sshd_config as well.

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

Change the default SSH port from 22 to something else like 2275.
Replace

#Port 22

with

Port 2275

Restart SSH

sudo service ssh restart
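An added check for the sshd_config changes above, not part of the original guide: it verifies each lockdown setting and syntax-checks the file with sshd -t before the restart, since a typo in sshd_config can leave you without SSH access. It assumes awk and the stock /etc/ssh/sshd_config path; the CBC test and the function names (sshd_conf_value, audit_sshd) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit sshd_config, then restart safely.
# Usage: sudo sh audit_sshd.sh --check-and-restart
set -eu

# First active value of KEY in an sshd_config-style file. sshd applies the first
# occurrence of a keyword, so a "Port 2275" placed after an uncommented
# "Port 22" would be ignored; this function mirrors that rule.
sshd_conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# expect_eq LABEL ACTUAL EXPECTED: print one PASS/FAIL line, non-zero on mismatch.
expect_eq() {
    if [ "$2" = "$3" ]; then echo "PASS: $1 = $2"; return 0; fi
    echo "FAIL: $1 = '${2:-unset}', expected $3"; return 1
}

# Audit FILE for the lockdown settings; returns 0 only when every check passes.
audit_sshd() {
    local file="$1" fails=0 port key
    expect_eq PermitRootLogin "$(sshd_conf_value "$file" PermitRootLogin)" no || fails=$((fails+1))
    expect_eq PasswordAuthentication "$(sshd_conf_value "$file" PasswordAuthentication)" no || fails=$((fails+1))
    port=$(sshd_conf_value "$file" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL: Port is still the default (22)"; fails=$((fails+1))
    else
        echo "PASS: Port = $port (this is the port to open in ufw, not 22)"
    fi
    for key in KexAlgorithms Ciphers MACs; do
        if [ -n "$(sshd_conf_value "$file" "$key")" ]; then
            echo "PASS: $key restricted"
        else
            echo "FAIL: $key left at the server default"; fails=$((fails+1))
        fi
    done
    case "$(sshd_conf_value "$file" Ciphers)" in
        *-cbc*) echo "FAIL: Ciphers list still contains a CBC mode"; fails=$((fails+1)) ;;
    esac
    [ "$fails" -eq 0 ]
}

# Audit, syntax-check with sshd -t, and only then restart the service.
if [ "${1:-}" = "--check-and-restart" ]; then
    audit_sshd /etc/ssh/sshd_config
    sshd -t -f /etc/ssh/sshd_config
    service ssh restart
fi
```

Keep your current session open and test a new connection on the new port from a second terminal before closing it; if the new login fails you can still revert the file from the session you already have.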

Setup a firewall

You will probably already have a firewall externally. For example if this is a VPS you need to open the ports at your provider. If you host it at home you will have to open the ports in your firewall.

Enabling UFW (Uncomplicated Firewall)
For example, to allow port 2275 from x.x.x.x you would run.

sudo ufw allow from x.x.x.x to any port 2275
sudo ufw enable

Install Fail2ban

This is software that runs in the background and blocks suspicious activity. You might want to look at CrowdSec instead: Fail2ban only blocks brute-force attempts, whereas CrowdSec is an IDS/IPS solution.

sudo apt install fail2ban
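An added example, not from the original guide: fail2ban's packaged sshd jail watches the standard SSH port, so after moving SSH to 2275 as above the jail needs the new port. This script reads the port from sshd_config and writes a jail.local for the sshd jail. It assumes fail2ban 0.10 or later (Ubuntu 18.04 onwards), the stock /etc/fail2ban/jail.local override path, and the jail values (maxretry, findtime, bantime) are this example's own choices; the function names are also its own.

```shell
#!/bin/sh
# Added example (not from the original guide): point fail2ban's sshd jail at the
# non-default SSH port.  Usage: sudo sh fail2ban_sshd.sh --apply
set -eu

# First active value of KEY in an sshd_config-style file (sshd keeps the first one it sees).
sshd_conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Write OUT (normally /etc/fail2ban/jail.local) enabling the sshd jail on PORT.
# A jail.local overrides the packaged jail.conf, so the latter is left untouched.
write_sshd_jail() {
    local out="$1" port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    printf '%s\n' '[sshd]' 'enabled = true' "port = $port" \
        'maxretry = 5' 'findtime = 10m' 'bantime = 1h' > "$out"
}

# Read the port back from the [sshd] section of a jail file, to verify the result.
jail_sshd_port() {
    awk -F'=' '
        substr($0, 1, 1) == "[" { in_sshd = ($0 == "[sshd]") }
        in_sshd && $1 ~ /^port[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }
    ' "$1"
}

# With --apply, derive the port from the live sshd_config and install the jail.
if [ "${1:-}" = "--apply" ]; then
    port=$(sshd_conf_value /etc/ssh/sshd_config Port)
    write_sshd_jail /etc/fail2ban/jail.local "${port:-22}"
    systemctl restart fail2ban
    echo "sshd jail now watches port $(jail_sshd_port /etc/fail2ban/jail.local)"
fi
```

If you go with CrowdSec instead of Fail2ban, skip this step; the two should not both be managing bans.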

IDS/IPS - Intrusion Detection/Prevention System

If you have a decent firewall, there are free and open-source IDS/IPS options like Snort.
Otherwise you can use CrowdSec, an open-source IDS/IPS that's free for consumers. This makes Fail2ban redundant, so pick one of them.

Backups

Backups! Do them and do them well. The 3-2-1 method is a good start. I explain more about it here.

Anti virus

Yes, it's needed. See this section here.

Todo

  • Add DNS and NTP.
  • Add MFA.
  • Auditing