Our last article on Ubuntu security suggestions touched on the importance of passwords, user roles, console security, and firewalls. We continue with our last article and while the recommendations below are not unique to Ubuntu specifically (nearly all discussed are considered best practice for any Linux server) but they should be an important consideration in securing your server.
1) Ensure your Server is Up-To-Date
As soon as you can access the server as root, make sure it is up to date.
apt-get update && apt-get upgrade
2) Create a Secondary User and Disable Root Logins
To decrease the possibility of unauthorized access, create a primary user with limited permissions to accomplish specific tasks.
adduser bobAdd this new user to the sudo’ers file so he can temporarily increase his rights and permissions as needed to accomplish root level tasks.
echo 'Bob ALL=(ALL) ALL' >> /etc/sudoerNext, log out and then SSH back into the server as the new user to ensure that their login works as expected. Once in, confirm they can ‘su’ up to root. Next, login into the server in a second terminal. This is important!
Now, let’s disable the root users SSH login. To accomplish this we’re going to edit the /etc/ssh/sshd_config file:
vim /etc/ssh/sshd_configChange this line:
#PermitRootLogin yesTo this:
PermitRootLogin noand then restart the SSH service.
Stopping sshd: [ OK ] Starting sshd: [ OK ]
3) Setup SSH Keys
SSH Keys allow for you to connect to the server securely with a stored key pair.
This would be an extra step in securing the server to disallow additional access.
SSH into your server as the root user. Next, run:
ssh-keygen -t rsa -C "firstname.lastname@example.org"Press <Enter> to accept the default locations and file names, then enter, and then re-enter a passphrase for your user.
Next, we’ll add your public key to the local authorized_keys file.
cd ~/.sshNext, copy the new public key to the root user’s SSH directory on the server.
cp id_rsa.pub authorized_keys
cd ~/.sshNow you can simply connect with:
scp authorized_keys email@example.com:/root/.ssh/
4) Check and Configure the Firewall
root@server:~# ufw app list
root@server:~# ufw status
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22 ALLOW Anywhere
8080/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
Anywhere DENY 18.104.22.168
80 DENY 22.214.171.124
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
8080/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
5) Limit Open Ports
Most installations of Ubuntu usually have no network services that are listening after the initial install (some hosts may vary). After the server is started, the root user or administrator can define specific services and/or ports to open beyond the defaults.
Testing for open ports can be accomplished using the command netstat -tulpn:
root@server:~# /home# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 69941/sshd
tcp6 0 0 :::22 :::* LISTEN 69941/ss
6) Canonical Kernel Livepatches
The Canonical Livepatch service provides security fixes for most major kernel security issues without requiring a reboot. Ubuntu users can take advantage of the service on up to three nodes for free. All machines covered by an Ubuntu Advantage support subscription can receive Livepatches. More info can be found here: https://auth.livepatch.canonical.com/ or here https://buy.ubuntu.com/
7) Kernel Hardening
The Ubuntu kernel itself has multiple built-in protections enabled to make it more difficult to compromise.
SELinux is a kernel enhancement scheme which implements a Mandatory Access Control (MAC) system to confine applications to a defined set of resources. To install the SELinux package:
apt-get install selinux-basics selinux-policy-default auditdNext, download the load_SELinux_policy script (which is a slightly modified version of the script included in the Ubuntu ‘SELinux’ package), and place it in the folder.
Afterward run the command below to configure GRUB, PAM and for /.autorelabel creation.
Next, reboot the server for the changes to take effect. (it will take some time to label the filesystems on boot, then the system will automatically reboot a second time when that task has completed)
Finally, run the command to verify everything has been set up correctly. This will also catch many common SELinux problems.
For further info, see https://wiki.debian.org/SELinux.
9) Userspace Hardening
There are multiple hardening features available via Ubuntu’s default compiler flags which when building applications utilized via the kernel will provide additional security features.
10) UEFI Secure Boot (amd64)
Beginning with Ubuntu 12.04, UEFI Secure Boot’s “enforcing mode” was added to the bootloader and “non-enforcing mode” to the kernel. With this setup, later Ubuntu’s versions in which the kernel fail to authenticate will not boot and, kernel modules which fail to validate will not be loaded.
11) Setup 2FA (Two Factor Authentication)
For an additional layer of protection, you can also setup Two Factor Authentication in Ubuntu
Step 1: SSH into the server and run this command to install the Google Authenticator app from the Ubuntu repo.
apt-get install libpam-google-authenticator
Step 2: Next, run the google-authenticator command to create a new secret key in your home directory.
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: 73GRSXVJNUXZWN2T
Your verification code is 389485
Your emergency scratch codes are:
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
Step 3: Next, we edit our sshd_config file:
vim /etc/ssh/sshd_configTo use PAM eable with yes (PAM stands for pluggable authentication module).
UsePAM yesWe then save and close the file ( using :wq in VIM) and then restart SSH.
systemctl restart ssh
Step 4: Next, we need to edit the file where the PAM rules reside for the SSH daemon.
vim /etc/pam.d/sshdAdd the following entry at the end of the file:
auth required pam_google_authenticator.so
Step 5: We then can save and close that file. From now on SSH daemon will use Google Authenticator.
12) Turn Off IPv6
If you are not using IPv6, you can go to the network configuration file and add the following lines to disable it.
13) Be Aware/Cautious of All Applications You Install
Each time you install an application, it can add new software alongside that app which may put the server at risk if it allows openings in the server ports.
14) Check and Disable Unneeded Startup Processes
Ubuntu by default will use these run level equivalents in systemd (called targets)
Again, be very sure of the exact settings you need to modify before attempting a change here. Liquid Web servers are already set to have the minimum number of services enabled at startup.
15) Review Logs Regularly
All of Ubuntu’s log files are located in /var/log directory. In that location are specific files for each type of log. Review the logs there to ensure nothing untoward the server is occuring.
To look at a file use the command below.
Use the arrow keys to scroll up or down. You can also use the head (get the first 10 lines), tail (get the last 10 lines) or, use the grep commands to search through a file.
Overall, Ubuntu is a mature Linux system in which to securely host your websites. Its unparalleled ability to set up and adapt to many varied configurations remains the best option for those who choose to use a secure, self-managed server option that is fast and stable. If you have further security questions, please do not hesitate to reach out and contact our support via a ticket, call or chat! With Liquid Web servers, you are secure! Not Quite Sure about your options? We’re Here to Help! Talk With a Dedicated Hosting Advisor today at 800.580.4985.