The Ultimate Guide to Ubuntu Server Hardening
Linux distributions, such as Ubuntu, are known for their excellent architecture and extensive security features. So it’s no wonder that both developers and security experts choose Linux to keep their systems secure.
While Ubuntu is well-equipped with great security features right out of the box, some initial configurations are required to maximize their potential.
In this article, you will learn how to harden Ubuntu 20.04.
Importance of Linux Server Hardening
Linux server hardening is the process of securing a Linux server by applying the latest security standard and configurations, as well as installing the necessary software.
If you apply the right security measures, you can significantly reduce the chances of your Linux server ever getting compromised.
Here are some common threats that can affect Linux servers.
- Brute force attacks
- Open port exploits
- Outdated software exploits
- Weak passwords
- Suboptimal backup configurations
How To Harden Ubuntu 20.04
Since cybersecurity is a big and growing industry, it’s not really possible to cover all the security measures for an operating system in just one article. However, the large majority of server-hardening measures can be summed up in eight easy-to-digest chapters.
That’s why, by the time you finish reading this article, you’ll have a good grip on Ubuntu security hardening fundamentals. Read on to learn more.
Secure SSH Access
The first step in any Ubuntu server hardening guide should be to secure SSH access.
If a hacker can log into your server over SSH, they will have unlimited access to it. That’s why hardening SSH access is the number one security measure you should take.
Here’s how you can improve your SSH security in three steps.
1. Disable the root login.
On Ubuntu, the root account login is disabled by default. In case you enabled it, you should disable it by setting the PermitRootLogin value to no in the /etc/ssh/sshd_config file.
Now restart sshd to apply the changes.
sudo systemctl restart sshd
2. Change the default SSH port.
Setting a custom SSH port will filter out any non-targeted SSH attacks. To do this, you would uncomment and replace port 22 in /etc/ssh/sshd_config.
Remember to restart sshd to apply the changes.
sudo systemctl restart sshd
3. Replace password authentication with SSH keys.
Given enough time, any password can be cracked with a brute force attack. To prevent this, you should switch to using SSH keys instead.
First, create a new SSH key pair.
ssh-keygen
Then check the private SSH key and write it down or copy its file to another device.
Now disable password authentication by setting the PasswordAuthentication value to no in the /etc/ssh/sshd_config file.
Finally, restart sshd to apply the changes.
sudo systemctl restart sshd
In the future, when you need to log in to the server, use the -i flag with the ssh command to specify the key file.
ssh -i /path/to/key $username@hostname
Note: Remember to replace $username@hostname with a Linux username and a server hostname/IP
Enable AppArmor
Application Armor is a security module that allows you to set custom restrictions for every application on your system. You can use it to limit everything from network access to read and write permissions. It comes preinstalled on Ubuntu and supports the creation of individual application profiles.
1. Check if AppArmor is active and enabled.
sudo systemctl status apparmor
The example above shows that AppArmor is active and enabled. If it’s not, move on to step two.
2. Activate and enable AppArmor.
Start AppArmor and set it to load at boot.
sudo systemctl start apparmor
sudo systemctl enable apparmor
3. Check the currently active profiles.
AppArmor profiles support two different modes of operation: enforce and complain. While enforce mode prevents applications from taking restricted actions, complain mode only logs those actions.
sudo apparmor_status
There are many other useful instructions about AppArmor profiles and commands. To learn more about them, read the AppArmor manual pages.
Enable the Firewall
You should protect your server’s unused ports with a firewall solution such as Uncomplicated Firewall (UFW). This firewall comes preinstalled on Ubuntu but is disabled by default.
1. Configure the firewall to allow SSH connections.
sudo ufw allow ssh
Note: This step is critical. If you enable the firewall before allowing SSH connections, you risk getting permanently locked out of your system.
2. Activate and enable the firewall.
Start the firewall and set it to load at boot.
sudo ufw enable
3. Configure the firewall to allow HTTP and HTTPS connections.
By allowing HTTP and HTTPS connections, you are opening your website to visitors. This is an essential step for production environments.
sudo ufw allow http
sudo ufw allow https
4. Configure the firewall to allow all connections from specific IPs.
This step allows you to whitelist the IPs of any administrators or developers who frequently use the server. In turn, they never have to worry about getting blocked and losing access.
sudo ufw allow from #.#.#.#
There are many other useful firewall rules and commands that you can use for Ubuntu security hardening. To learn more about them, read the UFW manual pages.
Update Everything
To keep your Ubuntu system safe, make sure to run regular updates. This includes package repository information, installed packages, and all manually installed software.
You can install and update any element of your server stack, such as Apache, MySQL, and PHP, as a package. However, any software that you manually download, such as a CMS (content management system), will need to be updated manually.
1. Update the package information
sudo apt-get update
2. Simulate an upgrade of all packages
You should first simulate an upgrade of all packages to avoid making any unwanted changes or package removals.
sudo apt-get upgrade -s
3. Upgrade all packages
If you’re satisfied with the simulation output, you can proceed to upgrade all packages.
sudo apt-get upgrade
If not, you can upgrade any individual packages one by one. Remember to replace $packagename with the name of each package.
sudo apt-get install --only-upgrade $packagename
4. Update your CMS, plugins, and any other manually installed software.
Keeping your Linux system up to date is important, but don’t forget about your CMS.
CMS systems, such as WordPress or Magento, are made out of many moving parts developed by different companies. While their modular nature brings a whole host of benefits, it’s also what makes them vulnerable to various attacks.
To keep all manually installed software up to date, read its official documentation.
Remove Unused Packages
Unused packages unnecessarily increase your exposure to potential exploits. That’s why you should find and remove them to keep your system secure.
Instead of manually checking which packages you no longer need, there are some great tools you can use to find them quickly. In this guide, you will learn to use autoremove and Deborpham.
1. Find and remove unused packages with autoremove.
sudo apt autoremove
2. Find and remove unused packages with Deborphan.
First, install Deborphan.
sudo apt install deborphan
Then, list the unused packages.
deborphan
Finally, remove the unused packages. Remember to replace $packagename with the name of each package.
sudo apt-get remove $packagename
Run Regular Backups
Taking all security precautions is essential if you want to reduce the chances of getting hacked to a minimum. But you need to remember that no computer system is 100% secure.
Not to worry, that’s what backups are here for, and you can restore them as soon as you discover that a system is compromised. Just make sure to configure them properly.
Here are some things to keep in mind if you want to get the most out of your backup configuration.
1. Keep your backups in different physical locations.
While cybercriminals usually operate remotely, sometimes they can actually steal your physical backups. Furthermore, a data center where your server and backups are located could fall victim to a fire hazard.
That’s why you should always keep your backups in at least two physical locations.
2. Keep yearly, monthly, weekly, and daily backups.
You might get lucky and realize your system was compromised as soon as it happens. In such a case, the default daily or weekly backups are just what you need to get things back to normal.
However, it can sometimes take months before you finally realize your system was compromised. What’s even worse is that some malware infections are impossible to resolve without permanent data loss.
To prevent such issues from affecting you, make sure to keep older versions of your backups instead of just recent ones. That’s exactly what monthly and yearly backups are for.
3. Back up the whole system
In a lot of cases, people prioritize the /home or /var directories as that’s where their websites and applications are stored. But in fact, it’s almost as important to backup up your entire system as well.
Just think about it for a moment. How long will it take you or your administrators to install and configure all the necessary software on a new system once you get compromised? Not to mention how long it will take your firewalls to collect the same IPs and provide the same level of protection as before.
Use Strong Passwords
Setting strong passwords is a critical part of Linux server hardening. Strong passwords are made out of a long randomized string of upper case letters, lower case letters, numbers, and symbols. They shouldn’t include any words or dates.
Furthermore, you should also make sure that all users update their passwords frequently. Password policies significantly reduce the risk of brute force attacks by preventing users from reusing the same passwords for multiple services.
1. Use pwgen to generate a strong password.
Install pwgen.
sudo apt install pwgen
Generate a list of passwords using the -ys flag, where y means include symbols, and s is used to generate a highly secure password string.
pwgen -ys 20
2. Set a password expiration policy.
Use the /etc/login.defs file to set a shorter password expiration policy, such as 30 to 90 days.
- PASS_MAX_DAYS is the number of days after which a password will expire.
- PASS_MIN_DAYS is the number of days that need to pass before a password can be changed.
- PASS_WARN_AGE is the number of days warnings will be shown on log in before the password expires. This feature doesn’t extend the PASS_MAX_DAYS expiration.
3. Apply the new policy to existing users.
When you set a new policy, it only affects new users. To check the policy of an existing user, you would use chage -l command while replacing $username with the Linux user.
sudo chage -l $username
To apply it to existing ones, you need to use the chage command. The -M flag is for maximum days, -m for minimum, and -W for warnings. Don’t forget to replace $days and $username with the proper values, and check if the change was applied.
sudo chage -M $days $username
Install fail2ban
The final suggestion in hardening Ubuntu 20.04 is to install fail2ban intrusion prevention. This software protects your server from malicious login attempts by systematically blocking misbehaving IPs.
1. Install fail2ban.
sudo apt install fail2ban
2. Activate and enable fail2ban.
Start fail2ban and set it to load at boot.
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
3. Configure fail2ban.
Before you can configure fail2ban, you need to copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now add your IP to the ignoreip list and uncomment the line.
Then, configure how the system should treat suspicious IPs.
- bantime defines how long an IP will be blocked.
- maxretry is how many times an IP can fail to log in before getting blocked.
- findtime is the time period after which the maxretry counter is reset.
Finally, restart fail2ban to apply these changes.
sudo systemctl restart fail2ban
There are many other useful fail2ban features that you can use for Ubuntu hardening. To learn more about them, read the fail2ban manual pages.
That’s it. You’ve reached the end of this Ubuntu hardening guide.
Final Words
Hardening Ubuntu 20.04 is essential if you want to keep your business running smoothly. While Linux is inherently secure, there are still potential threats that can be mitigated through proper hardening techniques.
By following the eight steps outlined in this Ubuntu hardening guide, you can significantly reduce the risk of your server being compromised by brute force attacks, software exploits, and other vulnerabilities.
Make sure to keep your software up to date, remove unused packages, run regular backups, and use strong passwords. Finally, use fail2ban to prevent unauthorized access attempts.
Published version: thesecmaster.com/blog/guide-to-hardening-ubuntu
Task: Beginner’s tutorial about Ubuntu security basics, up to 2,000 words.
Client: TheSecMaster