Although Linux is considered to be secure out of the box, it is advisable to follow the industry’s best method to secure your server. For instance, you need to update the software applications regularly, use strong passwords and install a strong firewall to safeguard your system from hackers.
If you are running Ubuntu 18.04 LTS (Bionic Beaver), on a Linux VPS, you can take advantage of different known configuration settings and tools to harden it against malicious attacks.
This is a step-by-step guide on enhancing the security of your Ubuntu 18.04 VPS server.
- An Ubuntu 18.04 server
- Root access to your server
Tip 1: Use authentication Key pair to log to your server
Accessing your Linux server using a username/password combination can open doors to hackers if you haven’t set a strong password. Remember malicious people use bots that try to brute-force your passwords and this can be extremely dangerous.
Using a private/public key is considered safe because the keys are very hard to guess. You can generate the authentication keys using an application like PuTTY Key Generator.
Then, upload the public key on your Ubuntu server on the ‘<user>/.ssh/authorized_keys’ file.
You can use a text editor like nano to do so. First create the .ssh directory if it does not exist:
$ mkdir ~/.ssh $ nano ~/.ssh/authorized_keys
Tip 2: Create a non-root user with sudo privileges
Make a habit of logging to your Ubuntu 18.04 server using a non-root account. This will prevent accidental deletion of files if you make a mistake. For instance, the command rm can wipe your entire server if run incorrectly using by a root user.
To create a non-root user with sudo privileges, run the commands below one after the other;
$ sudo adduser <username>
Remember to replace the <username> with the correct value of the username that you want to create
Tip 3: Disable remote root login
You can disable root login over SSH to make your Ubuntu 18.04 more secure. You will have to edit the SSH configuration file to make the change using the command below:
$ sudo nano /etc/ssh/sshd_config
Then, find the text ‘PermitRootLogin’ and change its value to no
Tip 4: Disallow SSH password authentication
The directive for disabling password authentication is still under the /etc/ssh/sshd_config file. You need to check for the entry PasswordAuthentication and change its value to no
Press CTRL + X and Y to save the changes. You also need to restart the SSH daemon by running the command below:
$ sudo service ssh restart
Tip 5: Install a firewall
Linux comes with a very flexibility utility that you can use to configure firewalls rules. This is called UFW (Uncomplicated Firewall)
UFW simply allows you to whitelist the ports that you want to use on your server. Since you will be accessing your Linux server over SSH, you should whitelist port 22 first using the command below:
$ sudo ufw allow ssh
To enable your sites to be accessible via http and https protocols, run the two commands below:
$ sudo ufw allow http
$ sudo ufw allow https
Then enable the firewall by typing the command below on your console:
$ sudo ufw enable
In case you want to check the status of UFW, run:
$ sudo ufw status verbose
Tip 6: Secure Shared Memory
To get the best security from your Ubuntu 18.04 server, consider enabling secure shared memory. Shared memory allows data to be passed between applications. Sometimes, multiple processes can share the same memory space and this can lead to exploitation.
There is a way to avoid this kind of exploit and this should be done by mounting /run/shm in read only mode. To do this, open
$ sudo nano /etc/fstab
Then just copy paste the below text the very bottom of the file:
none /run/shm tmpfs defaults,ro 0 0
Tip 7: Install Fail2ban
Any server exposed to the public can become a potential target to hackers. They can try to do all kinds of attacks on your server and the only way to make their attempts futile is to install Fail2Ban.
Fail2ban simply mitigates hacking attempts by utilizing IP tables to ban users trying to connect to your server depending on the failed login attempts.
To install Fail2ban run:
$ sudo apt-get install fail2ban
Although the default settings for Fail2ban may work depending on your server needs, you may edit Fail2Ban configuration file. The .conf files are read first followed by .local files hence you should make changes to .local files and leave .conf files untouched.
To edit the jail.conf file copy it to jail.local using the command below:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then edit the new file by typing:
$ sudo nano /etc/fail2ban/jail.local
On this file, you can set the ban time, max retries, ban find time etc depending on the level of security that you need.
Although this is not a conclusive list of all security tools and configurations that you should have on your Ubuntu 18.04 server, it can safeguard your machine from hackers. Also, remember to check the best practices for hardening different applications running on your Linux server. For instance, you might consider hardening PHP, Apache and MySQl if these software applications are installed on your Ubuntu system.
Check out the top 3 Linux hosting services: