Ubuntu Server Hardening

This document outlines basic steps to harden an Ubuntu server for better security.

1. Initial Setup

  • Update your system:

It's essential to update your system to ensure all packages are up to date and patched.

  ~~~
  sudo apt update && sudo apt upgrade -y
  ~~~

  • Set up a firewall:

Use `ufw` (Uncomplicated Firewall) to configure basic firewall rules.

  ~~~
  sudo ufw allow ssh
  sudo ufw enable
  sudo ufw status
  ~~~

2. Secure SSH Access

  • Change the default SSH port:

Changing the default SSH port (22) can help reduce automated attacks.

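  1. Edit the SSH config:

    ~~~
    sudo nano /etc/ssh/sshd_config
    ~~~
  2. Change `Port 22` to a custom value (e.g., `Port 2222`). The `ufw allow ssh` rule from step 1 opens port 22 only, so allow the new port in the firewall before restarting SSH or you will lock yourself out.
  3. Restart SSH:
    ~~~
    sudo systemctl restart ssh
    ~~~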
  • Disable root login:

Disabling direct root login adds an extra layer of protection.

  1. Edit `/etc/ssh/sshd_config`:

    ~~~
    PermitRootLogin no
    ~~~
  2. Restart SSH:
    ~~~
    sudo systemctl restart ssh
    ~~~
  • Use SSH key authentication:

Set up SSH key pairs instead of using passwords.

  1. On your local machine, generate a key pair:

    ~~~
    ssh-keygen -t rsa -b 4096
    ~~~
  2. Copy the public key to the server:
    ~~~
    ssh-copy-id user@your-server-ip
    ~~~

3. User and Permissions Management

  • Create a separate user:

Avoid using the root account directly. Create a user with sudo privileges:

  ~~~
  sudo adduser username
  sudo usermod -aG sudo username
  ~~~
  • Set strong passwords:

Enforce password complexity using `pam_pwquality.so` by editing `/etc/pam.d/common-password`.

  ~~~
  password requisite pam_pwquality.so retry=3 minlen=12 minclass=3
  ~~~
  • Disable unused accounts:

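Disable accounts that are not in use to minimize the attack surface. `usermod -L` locks the account's password only; SSH key logins for that account keep working until its keys are removed or the account is expired.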

  ~~~
  sudo usermod -L username
  ~~~

4. Security Updates and Monitoring

  • Enable automatic security updates:

Enable unattended-upgrades to automatically apply security patches.

  ~~~
  sudo apt install unattended-upgrades
  sudo dpkg-reconfigure --priority=low unattended-upgrades
  ~~~
  • Install and configure Fail2Ban:

Fail2Ban helps protect SSH and other services by blocking repeated failed login attempts.

  ~~~
  sudo apt install fail2ban
  sudo systemctl enable fail2ban
  sudo systemctl start fail2ban
  ~~~
  • Set up audit logging:

Install and configure the audit daemon to track login attempts and system changes.

  ~~~
  sudo apt install auditd
  sudo systemctl enable auditd
  sudo systemctl start auditd
  ~~~

5. Disable Unnecessary Services

  • List running services:

Use `systemctl` to list active services:

  ~~~
  sudo systemctl list-units --type=service
  ~~~
  • Disable unneeded services:

Disable unnecessary services to minimize potential vulnerabilities:

  ~~~
  sudo systemctl disable <service-name>
  sudo systemctl stop <service-name>
  ~~~
  • Remove unnecessary packages:

Remove any software you don't need to reduce the attack surface:

  ~~~
  sudo apt autoremove
  sudo apt purge <package-name>
  ~~~

6. Enable Two-Factor Authentication (2FA)

  • Install Google Authenticator for SSH:

Install `libpam-google-authenticator` to enable 2FA on SSH logins.

  ~~~
  sudo apt install libpam-google-authenticator
  google-authenticator
  ~~~
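  Follow the prompts to set up 2FA, then configure SSH. With only the settings below, a login that succeeds with an SSH key is not asked for a code; requiring both factors needs an `AuthenticationMethods` entry in `sshd_config`.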
  - Edit `/etc/pam.d/sshd` and add the line:
    ~~~
    auth required pam_google_authenticator.so
    ~~~
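  - Edit `/etc/ssh/sshd_config` to enable keyboard-interactive authentication, which carries the 2FA prompt (OpenSSH 8.7 and later name this option `KbdInteractiveAuthentication` and keep the old name as an alias):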
    ~~~
    ChallengeResponseAuthentication yes
    ~~~
  - Restart SSH:
    ~~~
    sudo systemctl restart ssh
    ~~~
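
To confirm that the `sshd_config` edits from sections 2 and 6 actually took effect, the following script reads a config file the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive) and reports each setting. It is an added example, not part of the original page; the function names `sshd_value` and `audit_sshd` and the sample file are constructed for illustration, and unset values are counted as findings because the page sets each one explicitly.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config against the values set on this page.
# Assumptions: Include files are not followed and parsing stops at the
# first Match block; on a live server `sudo sshd -T` is authoritative.

# Print the effective (lower-cased) value for keyword(s) $1 in file $2.
# $1 may list aliases as "a|b". sshd keeps the FIRST occurrence of a
# keyword, and keywords are case-insensitive.
sshd_value() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    { sub(/#.*/, "") }                      # drop comments
    tolower($1) == "match" { exit }         # global section ends here
    tolower($1) ~ ("^(" want ")$") { print tolower($2); exit }
  ' "$2"
}

# Print one PASS/FAIL line per setting; return the number of failures.
audit_sshd() {
  _file=$1; _fails=0
  _port=$(sshd_value 'Port' "$_file")
  _root=$(sshd_value 'PermitRootLogin' "$_file")
  _kbd=$(sshd_value 'KbdInteractiveAuthentication|ChallengeResponseAuthentication' "$_file")
  if [ -n "$_port" ] && [ "$_port" != 22 ]; then echo "PASS Port=$_port"
  else echo "FAIL Port=${_port:-unset} (still 22)"; _fails=$((_fails + 1)); fi
  if [ "$_root" = no ]; then echo "PASS PermitRootLogin=no"
  else echo "FAIL PermitRootLogin=${_root:-unset}"; _fails=$((_fails + 1)); fi
  if [ "$_kbd" = yes ]; then echo "PASS keyboard-interactive=yes"
  else echo "FAIL keyboard-interactive=${_kbd:-unset}"; _fails=$((_fails + 1)); fi
  return "$_fails"
}

# Constructed sample: the hardening line was appended at the end, but an
# earlier "PermitRootLogin yes" is the value sshd would actually use.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for the example
Port 2222
PermitRootLogin yes
#ChallengeResponseAuthentication no
challengeresponseauthentication yes
PermitRootLogin no
EOF

audit_sshd "$sample" || echo "findings: $?"
```

Run it against a copy of `/etc/ssh/sshd_config` after editing and before restarting SSH; a non-zero exit status is the number of settings that differ from the page.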

7. Disk Encryption

  • Encrypt sensitive data:

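Use `LUKS` (Linux Unified Key Setup) to encrypt sensitive data. `luksFormat` overwrites the start of the target partition and makes any data already on it unrecoverable, so run it only on an empty or backed-up partition.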

  1. To encrypt a disk partition:

    ~~~
    sudo cryptsetup luksFormat /dev/sdX
    sudo cryptsetup luksOpen /dev/sdX my_encrypted_disk
    sudo mkfs.ext4 /dev/mapper/my_encrypted_disk
    ~~~

8. Backup and Recovery

  • Set up regular backups:

Use tools like `rsync`, `duplicity`, or `Deja Dup` to automate regular backups of important files.

  1. Example using `rsync`:
servers/security.txt · Last modified: 2025/02/11 14:56 by jmbargallo