====== Ubuntu Server Hardening ======

This document outlines basic steps to harden an Ubuntu server for better security.

==== 1. Initial Setup ====

* **Update your system:** Update the system first so that every installed package is current and patched.

~~~
sudo apt update && sudo apt upgrade -y
~~~

* **Set up a firewall:** Use `ufw` (Uncomplicated Firewall) to configure basic firewall rules. Allow SSH before enabling the firewall so the current remote session is not cut off.

~~~
sudo ufw allow ssh
sudo ufw enable
sudo ufw status
~~~

==== 2. Secure SSH Access ====

* **Change the default SSH port:** Moving SSH off the default port (22) reduces the volume of automated login attempts.
  - Edit the SSH config:
~~~
sudo nano /etc/ssh/sshd_config
~~~
  - Change `Port 22` to a custom value (e.g., `Port 2222`).
  - Allow the new port in the firewall before restarting, because the `ufw allow ssh` rule from section 1 only covers port 22 (e.g., `sudo ufw allow 2222/tcp`).
  - Restart SSH:
~~~
sudo systemctl restart ssh
~~~

* **Disable root login:** Disabling direct root login adds an extra layer of protection.
  - Edit `/etc/ssh/sshd_config`:
~~~
PermitRootLogin no
~~~
  - Restart SSH:
~~~
sudo systemctl restart ssh
~~~

* **Use SSH key authentication:** Set up SSH key pairs instead of using passwords.
  - On your local machine, generate a key pair:
~~~
ssh-keygen -t rsa -b 4096
~~~
  - Copy the public key to the server:
~~~
ssh-copy-id user@your-server-ip
~~~

==== 3. User and Permissions Management ====

* **Create a separate user:** Avoid using the root account directly. Create a user with sudo privileges:

~~~
sudo adduser username
sudo usermod -aG sudo username
~~~

* **Set strong passwords:** Enforce password complexity with `pam_pwquality.so` (provided by the `libpam-pwquality` package) by editing `/etc/pam.d/common-password`:

~~~
password requisite pam_pwquality.so retry=3 minlen=12 minclass=3
~~~

* **Disable unused accounts:** Lock accounts that are not in use to minimize the attack surface. Note that `-L` locks only the password; an account that could still log in with an SSH key should also be expired (`sudo chage -E 0 username`).

~~~
sudo usermod -L username
~~~

==== 4. Security Updates and Monitoring ====

* **Enable automatic security updates:** Enable unattended-upgrades to automatically apply security patches.

~~~
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
~~~

* **Install and configure Fail2Ban:** Fail2Ban helps protect SSH and other services by blocking repeated failed login attempts.

~~~
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
~~~

* **Set up audit logging:** Install and configure the audit daemon to track login attempts and system changes.

~~~
sudo apt install auditd
sudo systemctl enable auditd
sudo systemctl start auditd
~~~

==== 5. Disable Unnecessary Services ====

* **List running services:** Use `systemctl` to list active services:

~~~
sudo systemctl list-units --type=service
~~~

* **Disable unneeded services:** Disable unnecessary services to minimize potential vulnerabilities:

~~~
sudo systemctl disable <service>
sudo systemctl stop <service>
~~~

* **Remove unnecessary packages:** Remove any software you don't need to reduce the attack surface:

~~~
sudo apt autoremove
sudo apt purge <package>
~~~

==== 6. Enable Two-Factor Authentication (2FA) ====

* **Install Google Authenticator for SSH:** Install `libpam-google-authenticator` to enable 2FA on SSH logins, then run the setup tool as the user who will log in:

~~~
sudo apt install libpam-google-authenticator
google-authenticator
~~~

Follow the prompts to set up 2FA, then configure SSH:
  - Edit `/etc/pam.d/sshd` and add the line:
~~~
auth required pam_google_authenticator.so
~~~
  - Edit `/etc/ssh/sshd_config` to ensure 2FA works:
~~~
ChallengeResponseAuthentication yes
~~~
  - Restart SSH:
~~~
sudo systemctl restart ssh
~~~

==== 7. Disk Encryption ====

* **Encrypt sensitive data:** Use `LUKS` (Linux Unified Key Setup) to encrypt sensitive data.
  - To encrypt a disk partition (`luksFormat` destroys everything on it, so double-check the device name first):
~~~
sudo cryptsetup luksFormat /dev/sdX
sudo cryptsetup luksOpen /dev/sdX my_encrypted_disk
sudo mkfs.ext4 /dev/mapper/my_encrypted_disk
~~~

==== 8. Backup and Recovery ====

* **Set up regular backups:** Use tools like `rsync`, `duplicity`, or `Deja Dup` to automate regular backups of important files.
  - Example using `rsync`:
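Returning to the SSH settings of sections 2 and 6: hand-editing `sshd_config` is where most lockouts and silent misconfigurations happen (a directive left commented out, or added twice, where sshd honours only the first occurrence). The script below is an added example, not part of this guide, that applies those directives idempotently to a given file and audits the result; the function names are this example's own, and it assumes POSIX sh with grep, sed and awk and the plain `Keyword value` form of `sshd_config`.

```shell
#!/bin/sh
# Added example, not part of the guide above: apply the sshd_config directives from
# sections 2 and 6 idempotently and audit the result. Works on any file path, so try
# it on a copy first. Assumes POSIX sh with grep, sed and awk, and the plain
# "Keyword value" form of sshd_config; the function names are this example's own.

# set_sshd_option FILE KEY VALUE: rewrite every existing "KEY ..." line, commented
# out or not, as "KEY VALUE"; append the directive if the file has none.
set_sshd_option() {
  file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" \
      > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY: print the value sshd will use. sshd honours the FIRST
# occurrence of a keyword, so a duplicate appended at the end of the file is ignored.
get_sshd_option() {
  awk -v k="$2" '$1 == k && !seen { print $2; seen = 1 }' "$1"
}

# harden_sshd FILE PORT: set the guide's directives, keeping FILE.bak for rollback.
# Set PasswordAuthentication no only after ssh-copy-id worked and a key login has
# been confirmed from a second session; otherwise you lock yourself out.
harden_sshd() {
  cp "$1" "$1.bak"
  set_sshd_option "$1" Port "$2"
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication yes
}

# audit_sshd FILE PORT: compare effective values with the expected ones and return
# the number of deviating directives (0 means the file matches the guide).
audit_sshd() {
  bad=0
  for pair in "Port $2" "PermitRootLogin no" "PasswordAuthentication no" \
              "ChallengeResponseAuthentication yes"; do
    key=${pair%% *} want=${pair#* }
    got=$(get_sshd_option "$1" "$key")
    if [ "$got" = "$want" ]; then echo "ok   $key $got"
    else echo "FAIL $key is '${got:-unset}', want $want"; bad=$((bad + 1)); fi
  done
  return "$bad"
}
# Usage: ./harden_sshd.sh /path/to/sshd_config 2222
if [ "$#" -eq 2 ]; then harden_sshd "$1" "$2"; audit_sshd "$1" "$2"; fi
```

Before restarting the service, validate the file with `sudo sshd -t` and keep your existing session open until a fresh login on the new port succeeds. On Ubuntu 22.04 and later the stock file begins with `Include /etc/ssh/sshd_config.d/*.conf`, so a directive in one of those drop-ins (for example the one cloud-init installs) takes precedence over the same keyword later in the main file and must be checked as well.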