After spinning up a new Ubuntu server you may find yourself looking for a guide on what to do next. Many times the default settings do not provide the level of security that your server should have. Throughout this article we provide security tips and pose questions to help determine the best kind of setup for your environment.
1. Secure the Root User
This should be the very first thing you do when setting up a fresh install of Ubuntu server. Typically, setting up a password for the root user is done during the installation process. However, if you ever find yourself in a position where you have assumed responsibility for an Ubuntu server, it’s best to reset the password, keeping in mind the best practices for passwords:
- Don’t use English words
- Use a mixture of symbols and alphanumeric characters
- Length – the odds of guessing or cracking a password drop as the password gets longer. More than ten characters is good practice, but even longer passwords with complex characters are a safer way to go.
You can also lock the root user password so that nobody can log in as root with a password; administrative commands remain available through sudo.
Depending on your version of Ubuntu, the root account may be disabled. Setting or changing the password for root will enable it:
sudo passwd root
Now we can lock the root account by locking the password with the “-l” flag, as follows. This will prevent password logins as the root user.
sudo passwd -l root
To unlock the root account, again, just change the password for root to enable it.
sudo passwd root
2. Secure SSH Access
Many times, once a server is up and running, the default configuration for SSH remote logins is set to allow root to log in. We can make the server more secure than this.
You only need to use the root user to run root or administration level commands on the server. This can still be accomplished by logging into a server over SSH with a regular user, and then switching to the root user after you are already logged into the server.
Once logged in you can switch from the user “spartacus” to the root user.
You can disable SSH login for the root user by making some adjustments in the sshd_config file. Be sure to run all of the following commands as root or with a user with sudo privileges.
Within this file find the Authentication section and look for the following line:
Just change that to:
For the changes to take effect you will need to restart the SSH service with:
You can now test this by logging out of the server and then trying to log in again over SSH with the root user and password. It should deny your attempts to do so. This provides a lot more security, as it requires a different user (one that others won’t know and probably cannot guess) to log in to the server over SSH. An attacker would then need to know two values, a username and a password, instead of one value, as most hackers know that the root user exists on a Linux server.
The following can also be changed to make SSH access more secure.
Make sure that directive is set to “no” so that users without a password can’t log in. Otherwise, an attacker would need only one piece of information, a username, to get in. This, of course, would also mean they could keep guessing usernames and very easily log in.
A final caution is to adjust any router or firewall settings so that remote SSH access arrives on a higher port that is forwarded to port 22 on the server, rather than reaching port 22 directly. This will eliminate a lot of bots or scripts that will try to log in over SSH directly on port 22 with random usernames and passwords. You may need to refer to your router or server firewall documentation to make sure you forward a higher port than port 22.
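One way to check the two sshd_config settings described in this section, as an added example that is not part of the original article. It assumes the directives meant are OpenSSH's PermitRootLogin and PermitEmptyPasswords, reads a single file, and ignores Include files and anything inside Match blocks; the function names and sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config copy.
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.

# sshd_value FILE KEYWORD DEFAULT -> effective global value, lowercased
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # Match blocks are conditional: stop here
        tolower($1) == tolower(key) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE -> returns 0 only if both directives are set the way the text asks
audit_sshd() {
    rc=0
    # Defaults are the values OpenSSH uses when the keyword is absent.
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)
    empty=$(sshd_value "$1" PermitEmptyPasswords no)
    if [ "$root" = "no" ]; then echo "ok   PermitRootLogin no"
    else echo "FAIL PermitRootLogin $root (want: no)"; rc=1; fi
    if [ "$empty" = "no" ]; then echo "ok   PermitEmptyPasswords no"
    else echo "FAIL PermitEmptyPasswords $empty (want: no)"; rc=1; fi
    return $rc
}

# Constructed sample files (not taken from a real server).
tmp=$(mktemp -d)
printf '%s\n' '# Authentication:' 'PermitRootLogin yes' 'permitemptypasswords yes' > "$tmp/weak"
# Failure mode: "no" appended below an existing "yes" never takes effect.
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' 'PermitRootLogin no' > "$tmp/appended"
printf '%s\n' '# Authentication:' 'PermitRootLogin no' 'PermitEmptyPasswords no' > "$tmp/hardened"

for f in weak appended hardened; do
    echo "== $f"
    audit_sshd "$tmp/$f" || echo "-> $f needs changes"
done
```

On a live server, `sudo sshd -t` checks the file for syntax errors before you restart the service, and `sudo sshd -T` prints the effective configuration with defaults and included files resolved.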
3. Install a Firewall
By default, later versions of Ubuntu should come with Uncomplicated Firewall or UFW. You can check to see if UFW is installed with the following:
sudo ufw status
That will return a status of active or inactive. If it is not installed you can install it with:
sudo apt-get install ufw
It’s a good idea to think through a list of components that will require access to your server. Is SSH access needed? Is web traffic needed? You will want to enable the services through the firewall that are needed so that incoming traffic can access the server in the way you want it to.
In our example let’s allow SSH and web access.
sudo ufw allow ssh
sudo ufw allow http
Those commands will also open up the ports. You can alternatively use the port method to allow services through that specific port.
sudo ufw allow 80/tcp
That will essentially be the same as allowing the HTTP service. Once you have the services you want listed you can enable the firewall with this.
sudo ufw enable
This may interrupt the current SSH connection if that is how you are logged in, so be sure your rules are correct so that you don’t get logged out.
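After enabling the firewall, it helps to compare what is open against the list of services you decided on. The script below is an added example, not part of the original article; the function name and the sample `ufw status` output (including the extra 3306/tcp rule) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `ufw status` output with the services you meant to expose.

# unexpected_ufw_rules FILE "EXPECTED..." -> one line per ALLOW rule not in the list
unexpected_ufw_rules() {
    awk -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $1 == "Status:" && $2 != "active" { print "firewall-inactive"; exit }
        # IPv4 rows read "80/tcp ALLOW Anywhere"; IPv6 rows add a "(v6)" column.
        $2 == "ALLOW" || ($2 == "(v6)" && $3 == "ALLOW") {
            if (!($1 in ok)) print $1
        }
    ' "$1" | sort -u
}

# Constructed sample of `sudo ufw status` output (not from a real host).
ufw_tmp=$(mktemp -d)
cat > "$ufw_tmp/status" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)
EOF
printf 'Status: inactive\n' > "$ufw_tmp/inactive"

# The article example allows SSH and HTTP only, so 3306/tcp is reported.
echo "unexpected: $(unexpected_ufw_rules "$ufw_tmp/status" "22/tcp 80/tcp")"
echo "inactive:   $(unexpected_ufw_rules "$ufw_tmp/inactive" "22/tcp 80/tcp")"
```

To use it on a real server, save the output of `sudo ufw status` to a file and pass that file as the first argument.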
Also, ensure you have a good grasp on who really needs access to the server and only add users to the Linux operating system that really need access.
4. Understand What You Are Trying to Accomplish
It’s important to think through what you will be using your server for. Is it going to be just a file server? Or a web server? Or a web server that needs to send an email out through forms?
You will want to make a clear outline of what you will be using the server for so you can build it to suit those specific needs. It’s best to only build the server with the services that it will require. When you install extra services that are not needed, you run the risk of having outdated software, which will only add more vulnerability to the server.
Every component and service you run will need to be secured according to its best practices. For example, if you’re strictly running a static site, you don’t want to expose vulnerabilities due to an outdated email service.
5. Keep the File System Up-To-Date
You will want to make sure your server stays up to date with the latest security patches. While a server can run for a while without much maintenance and things will “just work”, you will want to be sure not to adopt a “set it and forget it” mentality.
Regular updates on an Ubuntu server can make sure the system stays secure and up to date. You can use the following to do that.
sudo apt-get update
sudo apt-get upgrade
While installing an Ubuntu server is a great way to learn how to work with Linux, it’s a good idea to learn in an environment that is safe. Furthermore, it’s best not to expose the server to the Internet until you are ready.
A great way to get started is at home where you can access the server from your own network without allowing access to the server through the Internet or your home router.
If and when you do deploy an Ubuntu server you’ll want to keep the above five things in mind. It’s important to know the configuration of the server once it’s deployed so you know what type of access the public can get and what still needs to be hardened.
Enjoy learning and don’t be afraid to break something in your safe environment, as the experience can be a great teacher when it’s time to go live.