Ubuntu Server Hardening

This document outlines basic steps to harden an Ubuntu server for better security.

1. Initial Setup

It's essential to update your system to ensure all packages are up to date and patched.

  ~~~
  sudo apt update && sudo apt upgrade -y
  ~~~

* **Set up a firewall:**
  Use `ufw` (Uncomplicated Firewall) to configure basic firewall rules.
  ~~~
  sudo ufw allow ssh
  sudo ufw enable
  sudo ufw status
  ~~~

2. Secure SSH Access

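Changing the default SSH port (22) can help reduce automated attacks. The `ufw allow ssh` rule from step 1 only opens port 22, so allow the new port in `ufw` before restarting SSH, and keep your current session open until a new login on the new port succeeds.

  - Edit the SSH config:
    ~~~
    sudo nano /etc/ssh/sshd_config
    ~~~
  - Change `Port 22` to a custom value (e.g., `Port 2222`).
  - Restart SSH:
    ~~~
    sudo systemctl restart ssh
    ~~~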

Disabling direct root login adds an extra layer of protection.

  - Edit `/etc/ssh/sshd_config`:
    ~~~
    PermitRootLogin no
    ~~~
  - Restart SSH:
    ~~~
    sudo systemctl restart ssh
    ~~~

Set up SSH key pairs instead of using passwords.

  - On your local machine, generate a key pair:
    ~~~
    ssh-keygen -t rsa -b 4096
    ~~~
  - Copy the public key to the server:
    ~~~
    ssh-copy-id user@your-server-ip
    ~~~
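
To confirm that the port and root-login edits above took effect, the following added example (not part of the original guide) reads an sshd_config-style file and flags a leftover `Port 22` or a `PermitRootLogin no` that is commented out or overridden by an earlier line. The function names and the sample config are constructed for illustration; `Include` files and `ListenAddress` ports are not followed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): check that the sshd_config
# edits above are the values sshd will actually use.

# sshd_values FILE KEYWORD: print each value set for KEYWORD in the global
# section, in file order. Keywords are case-insensitive, '#' lines are
# comments, and settings after the first "Match" line are conditional.
# Assumption: Include files and ListenAddress ports are not followed.
sshd_values() {
  awk -v want="$2" '
    BEGIN { want = tolower(want) }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
      line = $0; sub(/^[ \t]+/, "", line)
      split(line, f, /[ \t=]+/)          # keyword, then its first argument
      key = tolower(f[1])
      if (key == "match") exit           # end of the global section
      if (key == want) print f[2]
    }' "$1"
}

# check_sshd_hardening FILE: print findings; return 1 if any check fails.
check_sshd_hardening() {
  rc=0
  # Port may be given several times and sshd listens on all of them, so a
  # leftover "Port 22" keeps the default port open. No Port line means 22.
  ports=$(sshd_values "$1" Port | tr '\n' ' ')
  case " ${ports:-22} " in
    *" 22 "*) echo "FAIL port 22 still in use (Port: ${ports:-not set})"; rc=1 ;;
    *)        echo "ok   Port $ports" ;;
  esac
  # For single-valued keywords sshd keeps the first value it reads.
  root=$(sshd_values "$1" PermitRootLogin | head -n 1)
  if [ "$root" = "no" ]; then echo "ok   PermitRootLogin no"
  else echo "FAIL PermitRootLogin is '${root:-not set}', expected 'no'"; rc=1
  fi
  return "$rc"
}

# Constructed sample config showing edits that did not take effect.
write_sample() {
  printf '%s\n' 'Port 2222' 'Port 22' '#PermitRootLogin no' \
    'permitrootlogin prohibit-password' 'PermitRootLogin no' \
    'Match User backup' '    PermitRootLogin yes' > "$1"
}

sample=$(mktemp) && write_sample "$sample"
check_sshd_hardening "$sample" || echo "fix the findings before restarting ssh"
rm -f "$sample"
```

On a live server, `sudo sshd -t` additionally checks the file for syntax errors before the restart.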

3. User and Permissions Management

Avoid using the root account directly. Create a user with sudo privileges:

  ~~~
  sudo adduser username
  sudo usermod -aG sudo username
  ~~~

Enforce password complexity using `pam_pwquality.so` by editing `/etc/pam.d/common-password`.

  ~~~
  password requisite pam_pwquality.so retry=3 minlen=12 minclass=3
  ~~~

Disable accounts that are not in use to minimize the attack surface. Note that this locks the account's password only; it does not by itself block logins that use SSH keys:

  ~~~
  sudo usermod -L username
  ~~~

4. Security Updates and Monitoring

Enable unattended-upgrades to automatically apply security patches.

  ~~~
  sudo apt install unattended-upgrades
  sudo dpkg-reconfigure --priority=low unattended-upgrades
  ~~~

Fail2Ban helps protect SSH and other services by blocking repeated failed login attempts.

  ~~~
  sudo apt install fail2ban
  sudo systemctl enable fail2ban
  sudo systemctl start fail2ban
  ~~~

Install and configure the audit daemon to track login attempts and system changes.

  ~~~
  sudo apt install auditd
  sudo systemctl enable auditd
  sudo systemctl start auditd
  ~~~

5. Disable Unnecessary Services

Use `systemctl` to list active services:

  ~~~
  sudo systemctl list-units --type=service
  ~~~

Disable unnecessary services to minimize potential vulnerabilities:

  ~~~
  sudo systemctl disable <service-name>
  sudo systemctl stop <service-name>
  ~~~

Remove any software you don't need to reduce the attack surface:

  ~~~
  sudo apt autoremove
  sudo apt purge <package-name>
  ~~~

6. Enable Two-Factor Authentication (2FA)

Install `libpam-google-authenticator` to enable 2FA on SSH logins.

  ~~~
  sudo apt install libpam-google-authenticator
  google-authenticator
  ~~~
  Follow the prompts to set up 2FA, then configure SSH:
  - Edit `/etc/pam.d/sshd` and add the line:
    ~~~
    auth required pam_google_authenticator.so
    ~~~
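  - Edit `/etc/ssh/sshd_config` to enable the challenge-response prompt that 2FA relies on (OpenSSH 8.7 and later name this option `KbdInteractiveAuthentication` and keep the old name as a deprecated alias):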
    ~~~
    ChallengeResponseAuthentication yes
    ~~~
  - Restart SSH:
    ~~~
    sudo systemctl restart ssh
    ~~~

7. Disk Encryption

Use `LUKS` (Linux Unified Key Setup) to encrypt sensitive data.

  - To encrypt a disk partition (formatting it with LUKS erases any data already on it):
    ~~~
    sudo cryptsetup luksFormat /dev/sdX
    sudo cryptsetup luksOpen /dev/sdX my_encrypted_disk
    sudo mkfs.ext4 /dev/mapper/my_encrypted_disk
    ~~~

8. Backup and Recovery

Use tools like `rsync`, `duplicity`, or `Deja Dup` to automate regular backups of important files.

  1. Example using `rsync`: