Ubuntu server's latest version gives you a lot of security. When you take a fresh Ubuntu server, it provides the best facilities and a powerful defense system, but if you open your ports and scan unauthorized data, there is a chance of weakening your Ubuntu server. A single breach in your Ubuntu server can cost you your data and business.
In this guide, we will help you understand how to secure your Ubuntu server from crashes. Here, we give you a detailed step-by-step guide to Ubuntu server hardening. Whether you use an Ubuntu server for a home lab or managing a large enterprise business, it will give you stability against any attack or damage to your server.
Keep Your System Update & Upgrade
For any Linux server, the first step is to always keep your system updated and upgraded. In Ubuntu server, the first thing we manage is keeping our system up to date. We manually check, update, and upgrade our Ubuntu server periodically using the below command.
sudo apt update && sudo apt upgrade -y
If you don't want to update the system manually, then install the unattended-upgrade package and let the server handle routine security patches on its own.
Stop using passwords for SSH
SSH is the primary gateway to enter an Ubuntu server, so hackers target it first. So we must first make it powerful for login. Never log in as root directly. To do that, change PasswordAuthentication.
To edit, first open the /etc/ssh/sshd_config file and change PasswordAuthentication to NO. After this change, root should never be allowed to log in directly over the internet. If we change the default SSH port 22, then our server will be 99 percent safer.
Implement Two-Factor Authentication (2FA)
A 2FA code is a powerful security code. If your SSH key or password is hacked by hackers, they still cannot log in without your physical device. A powerful 2FA code changes every 30 seconds.
It is ideally best to install the PAM Module for more security. If you want to install PAM, then follow the below command.
sudo apt install libpam-google-authenticator
Then you add a time-based one-time password (TOTP). For both your standard credentials and the 2FA code, you must configure your PAM settings in /etc/pam.d/sshd and update /etc/ssh/sshd_config. After making these changes, both of the above will be required every login.
Configure the Firewall (UFW)
Ubuntu server comes with the Firewall (UFW) pre-installed, but it's disabled by default. Now let's understand how the firewall works.
Deny all incoming traffic and allow all outgoing traffic. Then explicitly allow only the traffic you need, i.e., 22/tcp for SSH. If you are hosting web services, then add rules for HTTP and HTTPS.
sudo ufw
Run the above command and enable it. Always ensure your SSH port is allowed before enabling it to avoid locking yourself out.
Install and Configure Fail2Ban
Fail2Ban stops hackers from trying to break into your server. Even with secure keys and custom ports, attackers will still try to connect. Fail2Ban watches your server logs for these bad connection attempts and blocks the attackers' IP addresses using your firewall.
First, we install Fail2Ban using the below command.
sudo apt install fail2ban
Just run the above command and set it up to watch your SSH port. It's the best set-it-and-forget-it tool out there.
Kill what you don't need
First, run the below command and look at what's actually listening on your network.
ss -tunlp
Every open port is dangerous for your system. If you do not need any services, you must close or uninstall them. The less code you have running, the smaller your attack surface.
Set Up Auditing and Monitoring
You can use a program called Auditd to track system activities and see who opens your files. For log tracking, regularly check the /var/log/auth.log file to find unusual login attempts. Alternatively, you can use central tracking tools like Promtail and Loki to collect all your logs in one place.
Conclusion
Securing an Ubuntu server isn't a one-time set-and-done task, but something that requires regular checking. If you take some serious steps, your server will be set up more powerfully than others. You must do five main things for Ubuntu Server Hardening: lock down SSH access, require 2FA code authentication, turn on firewall rules, update your software regularly, and check your logs often. If you set up these five main things, your defense strategy will deter almost any attack.
