Are you looking for ways to secure an Ubuntu Server?
This guide is for you.
A key concept in security is ensuring that your server's operating system is adequately secured, or "hardened". All too often server administrators will focus on security at their application layer such as a webserver with dynamic content.
While this is absolutely important, one must not forget to harden the server's operating system to protect against initial exploitation and, consequently, post-exploitation attacks such as privilege escalation.
Operating system hardening should be implemented before any services are hosted, whether the system be in a production or development environment.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers with Ubuntu-related queries.
In this context, we shall look into how to harden an Ubuntu server.
Here, you will learn some ways to secure your Ubuntu Server via User Management, Console Security, Firewall, AppArmor, Certificates, eCryptfs, Encrypted LVM and so on.
While users need the tools to get a job done, we also need to protect other users' privacy and confidentiality.
Ubuntu has three types or levels of user access:
a) Root
The main administrator of the server, the root account has full access to everything on the server. The root user can lock down or limit folder access, install and remove services or applications, repartition drives and essentially modify any area of the server's infrastructure.
b) A sudoer (user)
This user has sudo access. The "sudoer" user has elevated rights to run a function or program as another user. The rules that apply to this user are defined in the sudoers file, which is edited with the "visudo" command.
c) A user
This is a regular user, set up using the adduser command, who owns and has access to the files and folders within the /home/user/ directory, as defined by the basic settings in the /etc/skel/.profile file.
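All of us can agree on the importance of passwords. Hence, enforcing a strong password is a must. Password aging is set per account with the 'chage' command:
$ chage -M 90 username
This command states that the user must change the password every 90 days.
Password complexity is enforced in the file responsible for this setting:
/etc/pam.d/common-password
Add the pam_cracklib module to the 'password' section of that file:
password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
A negative credit value sets a minimum count: this line requires at least one lowercase letter, two uppercase letters, two digits and one other character in a password of at least eight characters.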
Another important step is to restrict the use of old passwords.
For this, open '/etc/pam.d/common-password' file under Ubuntu/Debian/Linux Mint:
$ vi /etc/pam.d/common-password
Then add the following line to the 'auth' section:
auth sufficient pam_unix.so likeauth nullok
In addition, add the following line to the 'password' section to disallow a user from re-using the last five of his or her passwords:
password sufficient pam_unix.so nullok use_authtok sha512 shadow remember=5
An account with an empty password is open to unauthorized access by anyone on the web.
Thus it is important to make sure all accounts have strong passwords.
To check for accounts with an empty password, run:
$ cat /etc/shadow | awk -F: '($2==""){print $1}'
Ubuntu provides a default firewall frontend, UFW (Uncomplicated Firewall). This is another line of defense that keeps unwanted or malicious traffic from reaching the internal processes of the server.
The firewall log stores information about blocked connection attempts and other connections to the server.
Monitoring these logs for unusual activities will aid in securing the server.
When using UFW, we can enable logging by running the following command:
$ ufw logging on
To disable logging, we simply run the following command:
$ ufw logging off
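One way to monitor the firewall log for unusual activity is to count blocked packets per source address and destination port. The script below is an added example, not part of the original guide; the function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# ufw_block_summary [MIN] < logfile
# Counts [UFW BLOCK] entries per source address and destination port and
# prints "count src dpt" for every pair seen at least MIN times (default 3),
# most frequent first. Packets without a port (e.g. ICMP) are shown as "-".
ufw_block_summary() {
    awk -v min="${1:-3}" '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") hits[src " " dpt]++
        }
        END { for (k in hits) if (hits[k] >= min + 0) print hits[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample log lines (documentation address ranges, shortened fields).
sample_ufw_log() {
    cat <<'EOF'
Mar  3 10:15:01 web01 kernel: [ 1201.1] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=22 SYN
Mar  3 10:15:02 web01 kernel: [ 1202.1] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40113 DPT=22 SYN
Mar  3 10:15:03 web01 kernel: [ 1203.1] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40114 DPT=22 SYN
Mar  3 10:16:40 web01 kernel: [ 1300.4] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=3306 SYN
Mar  3 10:17:05 web01 kernel: [ 1325.9] [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 PROTO=TCP SPT=52000 DPT=22222 SYN
Mar  3 10:18:11 web01 kernel: [ 1391.2] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Report sources blocked three or more times on the same port.
sample_ufw_log | ufw_block_summary 3
```

On a default Ubuntu install with rsyslog, UFW entries are written to /var/log/ufw.log, so the same function can be run as `ufw_block_summary 5 < /var/log/ufw.log`.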
An extremely crucial part of hardening any system is to ensure that it is always kept up-to-date.
Doing this keeps known bugs and vulnerabilities patched. The following command updates an Ubuntu system:
$ apt-get update && apt-get upgrade
In addition, you can use the command below to lock any accounts (prepends a ! to the user's password hash):
$ passwd -l accountName
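The account checks in this guide (empty passwords, the 90-day maximum password age and accounts locked with a leading "!") can be combined into one pass over a shadow-format file. The script below is an added example, not part of the original guide; the function names and the sample entries, including the placeholder hashes, are constructed.

```shell
#!/bin/sh
# audit_shadow [MAX_DAYS] < shadow-format file
# Prints one finding per account:
#   EMPTY   - no password set (field 2 is empty)
#   LOCKED  - password field starts with "!" (what `passwd -l` produces)
#   NOAGING - usable password whose maximum age (field 5) is unset or
#             greater than MAX_DAYS (default 90)
# Accounts whose password field starts with "*" cannot log in with a
# password and are skipped.
audit_shadow() {
    awk -F: -v max="${1:-90}" '
        $2 == ""   { print "EMPTY", $1; next }
        $2 ~ /^!/  { print "LOCKED", $1; next }
        $2 ~ /^\*/ { next }
        $5 == "" || $5 + 0 > max + 0 { print "NOAGING", $1 }
    '
}

# Constructed sample entries; the hashes are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19700:0:90:7:::
bob::19700:0:99999:7:::
carol:$6$constructedsalt$constructedhash:19700:0:99999:7:::
dave:!$6$constructedsalt$constructedhash:19700:0:90:7:::
EOF
}

# Audit the sample against the 90-day policy.
sample_shadow | audit_shadow 90
```

On a real server the function reads the live file as root: `audit_shadow 90 < /etc/shadow`.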
It is best practice to keep the use of the root account to a minimum.
To do this, add a new account that will be primarily used with the command below:
$ adduser accountName
This will automatically create a user with the default configuration defined in '/etc/skel'.
It goes without saying that all services hosted on your server should be adequately configured and locked down; however since SSH is almost always going to be running on your server, it is essential to lock it down as much as possible.
The SSH service configuration file can be found at '/etc/ssh/sshd_config'.
This configuration will limit SSH only to users other than root.
Find and ensure the line for “PermitRootLogin” exists and looks like the one below:
PermitRootLogin no
This line will specify which port to host the SSH service on.
It is recommended to change this to a non-default high port number (remember to update your iptables rules accordingly!):
Port 22222
As always, after making changes to a service be sure to restart it!
$ service ssh restart
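A check for the two sshd_config settings above, written so that commented-out lines and duplicate keywords do not give a false pass. This is an added example, not part of the original guide; the function names and both sample configurations are constructed, and it reads only the global section of a single file, so Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# sshd_values KEYWORD < sshd_config
# Prints every value set for KEYWORD before the first Match block.
# Comments and blank lines are skipped; keywords are case-insensitive.
sshd_values() {
    awk -v want="$1" '
        NF == 0 || $1 ~ /^#/         { next }
        tolower($1) == "match"       { inmatch = 1 }
        inmatch                      { next }
        tolower($1) == tolower(want) { print $2 }
    '
}

# check_sshd < sshd_config
# Returns 0 only if root login is disabled and sshd does not listen on 22.
check_sshd() {
    cfg=$(cat); rc=0
    # sshd uses the first value it reads for a keyword, so later lines lose.
    root=$(printf '%s\n' "$cfg" | sshd_values PermitRootLogin | sed -n 1p)
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=${root:-unset}"; rc=1; }
    # Port may be given several times; sshd listens on every one (22 if none).
    ports=$(printf '%s\n' "$cfg" | sshd_values Port | tr '\n' ' ')
    case " ${ports:-22 }" in
        *" 22 "*) echo "FAIL sshd listens on port 22"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: the later "PermitRootLogin no" never takes effect.
weak_cfg() {
    printf '%s\n' 'Port 22' '#PermitRootLogin no' \
        'PermitRootLogin yes' 'PermitRootLogin no'
}

# Constructed sample matching the settings recommended above.
hard_cfg() {
    printf '%s\n' 'port 22222' 'PermitRootLogin no' \
        'Match Address 192.0.2.0/24' '    PasswordAuthentication no'
}

weak_cfg | check_sshd || true
hard_cfg | check_sshd && echo "PASS hardened sample"
```

On a live server, `sshd -T` prints the effective configuration after Include files are applied and is the authoritative source for these values.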
This article covers the importance of passwords, user roles, console security, and firewalls, all of which are imperative to protecting Linux servers.
Hardening an Ubuntu server is a critical step in any server setup procedure.
Any time that a new server is being brought up to host services, whether production, development, internal or external, the server's operating system must be made as secure as possible.
To make your Ubuntu Linux server secure:
1. Secure Server Connectivity.
2. Establish and Use a Secure Connection.
3. Use SSH Keys Authentication.
4. Secure File Transfer Protocol.
5. Secure Sockets Layer Certificates.
6. Use Private Networks and VPNs.
7. Monitor Login Attempts.
8. Manage Users.
9. Establish Password Requirements.