Alejandro Akbal

Originally published at blog.akbal.dev

     

How to completely secure an Ubuntu server

Introduction

This tutorial will help you to set up a secure Ubuntu server from scratch.

Keep in mind that this is not a common tutorial; this is the culmination of all the knowledge I have gathered from managing my own servers for more than three years.


Before we start

Preface

While this tutorial is focused on Ubuntu 20.04, it can be used for many other versions, like 18.04 and 16.04, as they are very similar.

Requisites

  • An Ubuntu server
  • Access to your server

It doesn't matter if your server is hosted on DigitalOcean, Google Cloud Engine or Amazon Web Services, Ubuntu should be the same.

Requisite info

If you don't have a server you might want to look at the Useful resources step.


Updates

The first and probably most important step is to always keep the system up-to-date. To do so, open the terminal and update and upgrade the packages via apt.

    sudo apt update           # Update package information
    sudo apt full-upgrade -y  # Upgrade packages
    sudo apt autoremove -y    # Remove unnecessary packages

    # One liner
    sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y

Automatic updates

Now that the packages are updated, we should install an automated solution to keep the system always up-to-date.

This tutorial on Linuxize will help you install and configure the unattended-upgrades package, which is exactly what is needed.


New user

Using the default super user root is always bad practice: it does everything with the maximum level of permissions, allowing you to break anything and, more critically, to access anything on the system.

Instead, we should use a normal user with super user privileges. This tutorial on DigitalOcean will guide you to do that.


SSH credentials

Now that you have a new user with super user privileges, you might want to SSH into your server with it, but might find that you can't.

This is because the credentials were stored on the user you were using before, most likely root. Just SSH again with the previous user and copy the credentials to the new user with the rsync utility.

Follow the 5th step of this tutorial on DigitalOcean to do so.


SSHD

SSHD manages the SSH connections to the server. Its default configuration is good, but some changes must be made, like disabling the root user login and changing the default SSH port.

Follow the first step of this tutorial on DigitalOcean to learn how to configure SSHD.

It is recommended that you change the default SSH port.
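
To verify both changes after editing, the following added example (not part of the original post) audits the global section of an sshd_config file. It assumes whitespace-separated `Keyword value` lines and does not follow `Include` files; the sample config is constructed.

```bash
#!/bin/sh
# Added example: audit an sshd_config for root login and the default port.
# Assumptions: "Keyword value" lines; Include files are not followed.

audit_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            key = tolower($1); val = tolower($2)
            if (key == "match") exit           # Match blocks are conditional; audit globals only
            # sshd keeps the first value it reads for a keyword ...
            if (key == "permitrootlogin" && root == "") root = val
            # ... except Port, which may be repeated to listen on several ports.
            if (key == "port") ports = (ports == "" ? val : ports "," val)
        }
        END {
            if (root == "")  root  = "prohibit-password"   # OpenSSH built-in default
            if (ports == "") ports = "22"                  # OpenSSH built-in default
            printf "PermitRootLogin=%s %s\n", root, (root == "no" ? "OK" : "FINDING")
            uses_22 = 0
            n = split(ports, p, ",")
            for (i = 1; i <= n; i++) if (p[i] == "22") uses_22 = 1
            printf "Port=%s %s\n", ports, (uses_22 ? "FINDING" : "OK")
        }
    ' "$1"
}

# Constructed sample: the later "PermitRootLogin no" does NOT override the
# first value, and the extra Port line leaves port 22 open as well.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config
Port 22
Port 2222
PermitRootLogin yes
PermitRootLogin no
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a server, run it as `audit_sshd_config /etc/ssh/sshd_config`; a commented-out `#PermitRootLogin no` is reported as a finding because the built-in default still applies.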


UFW

UFW is Ubuntu's default firewall and is extremely useful. By default it allows http and ssh connections; depending on your use case, you might not need some of those rules.

Check out this tutorial on DigitalOcean to learn how to configure UFW.

If you changed the SSH port in an earlier step, you might want to create a new UFW rule for that port.


Fail2Ban

Fail2Ban protects you from brute-force attacks. It bans bad actors from accessing the server for a specified quantity of time.

Learn how to install and configure Fail2Ban with this tutorial on Linuxize.


Miscellaneous

These are some quick, specific guides that you should keep in mind if you use any of this software.

Nginx

Nginx has various configuration files; its defaults are pretty good, but you might want to take a look at them.

Use this tutorial on Acunetix as a starting point.

There is also this pretty nifty tool by DigitalOcean that allows you to configure Nginx in a visual manner. It includes popular presets, for example for NodeJS and PHP applications.

Apache2

Apache might require more work, as its defaults leak some information about your system.

Start your configuration journey with this tutorial by Tecmint.

PHP

Database

I have used MySQL and MariaDB in the past. By default their ports are opened externally; that shouldn't be allowed, as it is a security risk.

The database should only accept local connections or, if run externally, connections from whitelisted IPs.
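
One way to check for the exposure described above, as an added example that is not part of the original post: the function reads `ss -Htln` output and prints database listeners bound to anything other than loopback. Port 3306 is the MySQL/MariaDB default; the function names and the sample output are constructed for illustration.

```bash
#!/bin/sh
# Added example: find database ports listening on non-loopback addresses.
# Usage on a server:  ss -Htln | exposed_db_listeners [port,port,...]

exposed_db_listeners() {
    awk -v ports="${1:-3306}" '
        BEGIN { n = split(ports, list, ","); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        $1 == "LISTEN" {
            # Field 4 is "Local Address:Port"; IPv6 addresses contain colons,
            # so the port is whatever follows the LAST colon.
            port = $4; sub(/.*:/, "", port)
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: local clients only
            print addr " port " port
        }
    '
}

# Constructed sample of `ss -Htln` output: SSH on 2222, a local DNS stub,
# and a database bound to every IPv4 and IPv6 interface.
sample_ss_output() {
cat <<'EOF'
LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*
LISTEN 0      80           0.0.0.0:3306      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      80              [::]:3306         [::]:*
EOF
}

sample_ss_output | exposed_db_listeners
```

An empty result means the listed ports are reachable from the local machine only; any line printed is a listener that the firewall alone is protecting.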


Recommendations

Dokku

Now that you have your own secure infrastructure, you might want to create applications and services.

Dokku is perfect for that. It allows you to containerize, build and run your applications with a simple git push.

Check out my own tutorial to learn how to set up and use Dokku.

There are some parts that you might want to skip, as they are similar to this tutorial.


End

Useful resources

Self promotion

If you have found this tutorial useful then you should follow me, I will be posting more interesting content! :')

Or support me financially. <3

Credit

Thanks to

  • Any linked website and community for their wonderful tutorials and help

Top comments (2)

stephen-d-hill

Would be worth using a security auditing tool like cisofy.com/lynis/. You'll be surprised how insecure Ubuntu is just out-of-the-box.

Alejandro Akbal
Lynis sounds like a wonderful tool, I'll try it!

Thank you!
