Increasing the security and usability of your Ubuntu server is important, and the best time to do it is while you install it. There are a few configuration and install steps you should take early on as part of the basic setup.
Install
Installing Ubuntu Server is easy and does not need a detailed how-to; the only point you need to take care of is the manual partitioning of your hard drive (depending on your case). Follow the ubuntuserverguide documentation or this one from Ubuntu. The second thing to take care of is to use a strong password scheme (Upper/Lower/Number/Special) that stays easy to remember (so you don't have to write it down) and easy to type (your fingers will thank you).
Ubuntu Root Login
Never use the root user directly; instead create a new user (in our case an account named admin with sudo rights) and give it a strong password scheme (Upper, Lower, Number, Special) that stays easy to remember so you don't have to write it down.
As root, run this command to add your new user to the sudo group:
xxxx@xxxx:~$ usermod -aG sudo admin
Add Public Key Authentication (SSH)
Set up public key authentication for your new user. This increases the security of your server by requiring a private SSH key to log in.
Generate The Key Pair for SSH
If you don't have an SSH key pair already, you can create one by following this process. To generate a new key pair, enter the following command in your terminal (the option -b 4096 gives a longer key for higher security).
xxxx@xxx:~$ ssh-keygen -b 4096
Assuming your local user is “admin”, you will see the following output:
admin@xxx:~$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/admin/.ssh/id_rsa):
Hit return to accept the default.
Created directory '/Users/admin/.ssh'
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Protecting your key with a passphrase is more secure, but then you need to enter it each time you connect. The choice depends on the level of security you want.
At the end you will have output like this:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XXXXXXXXXXXXXXXXXXX5GcBMBXXXXXXXXXXM admin@xxx
The key's randomart image is:
+---[RSA 4096]----+
|XXXX             |
|XX               |
|X X XX XXX       |
|XXX X XXX        |
|X XXXX X XX      |
| XX XX           |
| X               |
| X               |
|                 |
+----[SHA256]-----+
You now have 2 files in the directory /home/admin/.ssh/: a private key id_rsa and a public key id_rsa.pub.
Remember that the private key id_rsa must not be given to anyone who should not have access to your server!
Rename the Public Key
If you generated the keys directly on the server, rename the public key id_rsa.pub to authorized_keys like this:
admin@xxx:~/.ssh$ sudo mv id_rsa.pub authorized_keys
Then retrieve the private key id_rsa to your computer (do not leave it on the server!).
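A check worth running after the rename above, added here as an example (not part of the original post): with its default StrictModes setting, sshd ignores an authorized_keys file or ~/.ssh directory that is writable by group or others, so key login quietly fails. The directory path is passed as an argument; the functions assume a GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not part of the original post. Verifies that ~/.ssh and
# authorized_keys carry the permissions sshd expects (not group/other
# writable) and warns if the private key id_rsa was left on the server.

# Octal permission bits of a path (GNU stat, with a BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if neither the group-write nor the other-write bit is set.
not_group_other_writable() {
    m=$(mode_of "$1")
    [ $(( 0$m & 022 )) -eq 0 ]
}

# Return 0 if DIR and DIR/authorized_keys are acceptable to sshd; otherwise
# print each problem and return 1.
check_ssh_dir() {
    dir="$1"; rc=0
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    not_group_other_writable "$dir" || { echo "$dir: writable by group/other"; rc=1; }
    keys="$dir/authorized_keys"
    [ -f "$keys" ] || { echo "$keys: missing (did you rename id_rsa.pub?)"; return 1; }
    not_group_other_writable "$keys" || { echo "$keys: writable by group/other"; rc=1; }
    if [ -f "$dir/id_rsa" ]; then
        echo "note: private key $dir/id_rsa is still on this machine"
    fi
    return $rc
}

# Apply the usual permissions: directory 700, authorized_keys 600.
fix_ssh_dir() {
    chmod 700 "$1" && chmod 600 "$1/authorized_keys"
}

# Usage on the server: check_ssh_dir "$HOME/.ssh" || fix_ssh_dir "$HOME/.ssh"
```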
PuTTY case
PuTTY users need to load the private key id_rsa in PuTTYgen and then save the private key to have it in .ppk format.
Disabling Password Authentication
If you were able to log in to your account over SSH with the private key, you have successfully configured SSH key-based authentication for your account. We can now disable password authentication in the ssh config file (and don't hesitate to change the port number 22 as well if you want).
admin@xxx:~/.ssh$ sudo vim /etc/ssh/sshd_config
Search for a directive called PasswordAuthentication. It may be commented out. Uncomment the line and set the value to "no". This disables the ability to log in through SSH using account passwords.
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Save and close the file when you are finished. To actually apply the changes we just made, you must restart the service.
admin@xxx:~/.ssh$ sudo service ssh restart
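Before restarting, it is worth auditing the file, because sshd takes the first uncommented value of each keyword: a leftover "PasswordAuthentication yes" higher in the file silently wins over the "no" you added below it. The script below is an added example (not part of the original post); it takes the config path as an argument and stops at the first Match block, whose settings are conditional.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config file
# for the directives edited above before restarting the service.

# Print the effective global value of KEY in FILE, lowercased (empty if
# never set). Only the first uncommented occurrence counts, and a Match
# block ends the global section.
sshd_effective() {
    awk -v k="$2" '
        tolower($1) == "match"                  { exit }
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }
    ' "$1" | tr 'A-Z' 'a-z'
}

# Return 0 if password-style logins are disabled in FILE; otherwise print
# each directive that is not "no" and return 1. An unset directive counts
# as a failure because sshd's built-in default for both is "yes".
check_sshd_hardening() {
    file="$1"; rc=0
    for key in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(sshd_effective "$file" "$key")
        val=${val:-unset}
        if [ "$val" != "no" ]; then
            echo "$key is '$val' in $file (expected no)"
            rc=1
        fi
    done
    return $rc
}

# On the server: audit, let sshd validate the syntax (sshd -t), then restart.
#   check_sshd_hardening /etc/ssh/sshd_config && sudo sshd -t && sudo service ssh restart
```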
Basic Firewall
The default firewall configuration tool for Ubuntu is ufw. It’s an interface to iptables.
Allow an application or a TCP/UDP port
To add an application, first list all available application profiles with the command below:
admin@xxx:~/$ sudo ufw app list
You will get this output:
Available applications:
  OpenSSH
To allow OpenSSH (ssh), use this command:
admin@xxx:~/$ sudo ufw allow OpenSSH
You can also use the TCP or UDP port number directly.
In the standard case of port 22:
admin@xxx:~/$ sudo ufw allow ssh
If you changed the port, use this (where XX is the port number). Always keep the port number below 1024, as these are privileged ports that can only be opened by root or processes running as root. A good link to find an available TCP port under 1024: wikipedia
admin@xxx:~/$ sudo ufw allow XX
When you want to restrict a rule to a specific protocol, add the protocol to the rule, for example proto tcp for TCP only.
Activate ufw
To enable ufw, use this command:
admin@xxx:~/$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Answer "y" to the question to proceed.
To list the active rules, use the command:
admin@xxx:~/$ sudo ufw status
The output will be something like this:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
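The "may disrupt existing ssh connections" warning above is real: enabling ufw over SSH without a rule for your SSH port cuts off the session you are typing in. The script below is an added example (not part of the original post) that checks the rules ufw has recorded (ufw show added, which lists them even while the firewall is still inactive) before enabling. It assumes ufw is installed and takes the SSH port as an argument, 22 by default; only the simple rule forms used in this post are recognised.

```shell
#!/bin/sh
# Added example, not part of the original post: refuse to run "ufw enable"
# until an allow rule covers the SSH port, so the current session survives.

# Read "ufw show added" output on stdin and succeed if an allow (or limit)
# rule covers PORT: the OpenSSH profile (port 22 only), "PORT" or "PORT/tcp".
ssh_rule_present() {
    awk -v p="$1" '
        $1 != "ufw" || ($2 != "allow" && $2 != "limit") { next }
        $3 == p || $3 == (p "/tcp")                     { found = 1 }
        $3 == "OpenSSH" && p == "22"                    { found = 1 }
        END { exit !found }
    '
}

# Validate PORT, add a rule for it if none is recorded, then enable ufw.
enable_ufw_safely() {
    port="${1:-22}"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    if ! sudo ufw show added | ssh_rule_present "$port"; then
        echo "no allow rule for port $port yet, adding one" >&2
        sudo ufw allow "$port/tcp"
    fi
    sudo ufw show added | ssh_rule_present "$port" || {
        echo "port $port is still not allowed, not enabling ufw" >&2
        return 1
    }
    sudo ufw enable
}

# Usage: enable_ufw_safely 22   (or the custom port you set in sshd_config)
```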
More ufw commands are covered in this excellent DigitalOcean post: UFW Setup
You now have the base for a secure Ubuntu server. In part 2 we will see how to use Fail2Ban to scan logs and ban suspicious hosts, and how to scan open ports with Nmap.