A Raspberry Pi running Ubuntu makes a great little server for the internet. You could use Raspberry Pi OS, but Ubuntu has become a pretty standard choice for Linux servers on the internet, so it’s arguably better to use that to maximise your chances of avoiding security vulnerabilities.

These instructions apply to any server running Ubuntu, not just a Raspberry Pi of course.

These are our steps to take from fresh Ubuntu server OS install, to secure and ready to use in 10 minutes. Here’s what we’ll do:

  • Use our normal Windows desktop operating system to access the Ubuntu server and perform all the setup.
  • Change the default root password.
  • Change the user account setup to optimise security.
  • Set up SSH to use a key pair and password for login, for optimum security.
  • Set up the firewall to ensure Ubuntu isn’t listening on any unnecessary ports.

Once all that is done you’ll have a super secure ready to go Linux server.

Log in via SSH

Your Ubuntu server can be connected to using SSH. This is the standard protocol used to give you command line access to the Linux OS, as if you had a keyboard and monitor plugged into it directly.

You’ll need to use a program to connect using SSH. PuTTY is a great open source tool for it. We use MobaXterm as it gives us a few nice features, but any decent SSH software will do.

Note, to paste text into the SSH terminal: CTRL+right mouse click usually works.

Connect to your Ubuntu server using SSH, port 22, username (likely root) and password.

You should get a welcome message. All of the instructions below assume you have connected and have the Linux command line showing ready to take an instruction.

Ensure everything is up to date

Update the Linux OS and all the installed applications. (You want to always do this before making software changes to the server).

apt-get update && apt-get upgrade

Checking out your new server setup

Optional, if you want to have a look and make sure you’ve got what you were expecting…

Get operating system info

uname -a

View Linux system hardware information

sudo lshw

View Linux CPU information

lscpu

View storage devices information

lsblk

Setting a new root password

If you didn’t install the OS yourself (and so didn’t set it), you want to change the root user’s password, making sure you use something nice and secure:

sudo passwd root

Account security checks

Ensure only root has UID set to 0 (highest access to the system)
awk -F: '($3=="0"){print}' /etc/passwd

You should only get the root account shown.

Check for accounts with empty passwords
sudo awk -F: '($2==""){print $1}' /etc/shadow

You should get no accounts shown.
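The two checks above can be wrapped into a small audit script that takes the passwd and shadow file paths as arguments, so it can be pointed at the live files on the server or at copies taken elsewhere. This is an added example, not part of the original page; it goes a little beyond the text by also listing which accounts still have a usable password hash, which is worth knowing once SSH is made key-only later on. The function names and the file paths passed in are assumptions of this example.

```shell
#!/bin/sh
# Account audit helpers (added example, not from the original page).
# Each check takes the file to read as $1, so it works on /etc/passwd and
# /etc/shadow directly or on copies/test fixtures.

# Accounts with UID 0: anything other than "root" here is a problem.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose shadow password field is completely empty, i.e. no
# password is needed to log in. ("*" or "!" means locked, which is fine.)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts that still have a real password hash (password login possible).
password_enabled_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# Combined report; exit status is 1 if either check finds something.
audit_accounts() {
    passwd_file=$1; shadow_file=$2; rc=0
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd_file")
    if [ -n "$extra" ]; then
        echo "WARN: extra UID 0 accounts: $(echo $extra)"   # unquoted: one line
        rc=1
    fi
    empty=$(empty_password_accounts "$shadow_file")
    if [ -n "$empty" ]; then
        echo "WARN: accounts with empty password: $(echo $empty)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: only root has UID 0 and no account has an empty password"
    return "$rc"
}

# Run the report when invoked as: sudo sh audit.sh /etc/passwd /etc/shadow
if [ $# -eq 2 ]; then
    audit_accounts "$1" "$2"
fi
```

Run it as root (or via sudo) because /etc/shadow is not readable by ordinary users; a non-zero exit status makes it easy to wire into a cron job or a deployment check.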

root user

It’s best practice to keep use of the root account to a minimum. So we will create a new account that we’re going to use day to day. In our example we’re going to give it the name: admin

adduser admin

Enter a good password.

Full name etc., you can just press Enter to leave these blank.

The sudo command allows a regular user to run commands in an elevated context. This means our regular admin user can run commands normally restricted to the root account. This is the ideal way of making system configurations or running elevated commands, instead of using the root account itself.

The configuration file for sudo is in /etc/sudoers. However, it can only be edited by using the “visudo” command. There are many different configuration options that limit the use of sudo to certain users, groups, IPs, and commands. The general configuration format is below:

Set user admin to be a sudo user:

usermod -aG sudo admin

Verify it using:

id admin

Disable root login

Close the SSH connection and reconnect using the new admin account you created, instead of root (apart from anything else, to check it works before we disable root login).

We’re going to edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line with “PermitRootLogin”, remove the ‘#’ character at the start of the line if present and change it to no:

PermitRootLogin no

Allow user admin

Find the line with AllowUsers and set it to allow our new admin user, or if it’s missing add it like this:

AllowUsers admin

Save and exit the config file (CTRL+X, Y, Return)

Restart the SSH service to apply the changes:

sudo service ssh restart

Use a key pair for SSH login

Using a public and private key pair for SSH login is a highly recommended security step, much more secure than using password login.

Create a key pair, on Windows open the command prompt and enter:

ssh-keygen

Enter a filename for your keys with no extension (e.g. “server001”)
Enter a password if you want to use one (not required, but good security to use one, so that obtaining the keyfile alone won’t let a hacker in).

2 files are generated, they will have probably been written to: C:\Users\YOUR_USER_NAME\

The files:

server001 (the private key – rename it to “server001_private_key.pem”)

server001.pub (the public key – rename it to “server001_public_key.pem”)

So you should now have

server001_private_key.pem

server001_public_key.pem

Adding the public key to the Ubuntu server

Open your “server001_public_key.pem” file and copy the entire string, e.g.

ssh-ed25519 AAAAC3NzaC15ZDI1NTE5AAAAIBjjwGQWHOrZQ44QgUdvxfSUOW20aeC7yxOzKVlXiNWi john@John-Dell7340

You will replace “PASTE_YOUR_PUBLIC_KEY_STRING_HERE” with it below.

Now on the server command line enter:

mkdir -p ~/.ssh

echo "PASTE_YOUR_PUBLIC_KEY_STRING_HERE" >> ~/.ssh/authorized_keys

Configure permissions for the ~/.ssh directory and the authorized_keys file.

chmod -R go= ~/.ssh
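The three commands above do the job, but the placeholder is easy to paste wrongly and running them twice leaves duplicate keys. Below is an added example (not from the original page) that refuses anything that does not look like an OpenSSH public key line, adds the key only if that key is not already present, and sets the permissions sshd insists on. The function names are this example’s own, and the key in the usage comment is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# install_authorized_key HOME_DIR "PUBLIC_KEY_LINE"   (added example)
# Appends one OpenSSH public key to HOME_DIR/.ssh/authorized_keys, skips it
# if the same key is already there, and fixes the permissions.
install_authorized_key() {
    home_dir=$1; key_line=$2
    # An OpenSSH public key line is "<type> <base64 blob> [comment]".
    # Refuse anything else, e.g. the untouched placeholder text or a
    # private key pasted by mistake. Only the common key types are listed.
    case $key_line in
        'ssh-ed25519 '[A-Za-z0-9+/]*|'ssh-rsa '[A-Za-z0-9+/]*|'ecdsa-sha2-nistp'*' '[A-Za-z0-9+/]*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    # Match on key type and blob only; the trailing comment may differ.
    want=$(printf '%s' "$key_line" | awk '{ print $1, $2 }')
    if ! awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }' \
            "$home_dir/.ssh/authorized_keys"; then
        printf '%s\n' "$key_line" >> "$home_dir/.ssh/authorized_keys"
    fi
    # With the default StrictModes, sshd refuses to use the file if it or
    # the directory is writable by anyone but the owner.
    chmod 700 "$home_dir/.ssh"
    chmod 600 "$home_dir/.ssh/authorized_keys"
}

# Number of keys currently installed for that home directory.
count_authorized_keys() {
    grep -c '' "$1/.ssh/authorized_keys"
}

# Usage as the admin user on the server (constructed placeholder key):
#   sh install_key.sh "$HOME" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey admin@example"
if [ $# -eq 2 ]; then
    install_authorized_key "$1" "$2"
fi
```

Because the comparison ignores the comment field, re-running the script with the same key but a different comment does not add a second copy, and the exit status tells you whether the paste was accepted.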

Now, disconnect and try connecting again with your SSH application set to use your private keyfile “server001_private_key.pem” instead of the admin account password. If you are using MobaXterm, delete the saved root password if you let it save one, then in Session settings > Advanced SSH settings tick “Use private key” and select your keyfile “server001_private_key.pem”.

Now connect, you should be prompted for the password you used when creating the keyfile and you should then be back connected to your Ubuntu server via SSH.

Disable password login

Now that you’ve proved your key pair is working, ensure you have backed up your private keyfile “server001_private_key.pem” and its password (if you lose either you won’t be able to connect to the Ubuntu server again). Then in Ubuntu, open the SSH server configuration:

sudo nano /etc/ssh/sshd_config

Find the line containing “PasswordAuthentication”, remove the ‘#’ at the start of the line if it’s present and set it to no, so you should have:

PasswordAuthentication no

Save and exit the config file (CTRL+X, Y, Return)

For Ubuntu/Debian you also need to do the same thing in the files included from this directory. Ubuntu’s sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a “PasswordAuthentication yes” in one of those files (on cloud images typically 50-cloud-init.conf) would override the line you just edited:

sudo nano /etc/ssh/sshd_config.d/*.conf

That’s it. Restart the service to apply the configuration:

sudo service ssh restart
sudo service sshd restart

You will be unable to login without using your private key now.
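Because sshd uses the first value it reads for each keyword and Ubuntu includes /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, it is easy to edit sshd_config and still have password login enabled. The script below is an added example, not from the original page: it re-implements that first-value-wins walk over a copy of the configuration directory so you can see which value is actually in force, with Match blocks deliberately not modelled. The function names are this example’s own; the authoritative check on the server itself is sshd’s own dump, shown in the usage note.

```shell
#!/bin/sh
# effective_sshd_value CONFIG_DIR KEYWORD   (added example)
# Walks CONFIG_DIR/sshd_config the way sshd does: Include directives are
# expanded in place (globs in shell sort order) and the FIRST value seen
# for a keyword wins. Prints that value, or returns 1 if it is never set.
effective_sshd_value() {
    local key
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    _walk_sshd_file "$1" "$1/sshd_config" "$key"
}

_walk_sshd_file() {
    local dir file key line k pat inc
    dir=$1; file=$2; key=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -f; set -- $line; set +f     # split into words without globbing
        [ $# -ge 2 ] || continue
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        if [ "$k" = include ]; then
            for pat in "$@"; do
                case $pat in /*) ;; *) pat="$dir/$pat" ;; esac   # sshd resolves relative to /etc/ssh
                for inc in $pat; do      # unquoted on purpose: glob expansion
                    [ -f "$inc" ] || continue
                    if _walk_sshd_file "$dir" "$inc" "$key"; then return 0; fi
                done
            done
        elif [ "$k" = "$key" ]; then
            printf '%s\n' "$*"
            return 0
        fi
    done < "$file"
    return 1
}

# Usage: sudo sh sshd_effective.sh /etc/ssh   (reads the live configuration)
if [ -n "${1:-}" ]; then
    for kw in PermitRootLogin PasswordAuthentication AllowUsers; do
        printf '%-22s %s\n' "$kw" "$(effective_sshd_value "$1" "$kw" || echo '(not set)')"
    done
fi
```

On the server, confirm the result with sshd itself before restarting: `sudo sshd -t` checks the configuration for errors, and `sudo sshd -T | grep -iE '^(passwordauthentication|permitrootlogin|allowusers)'` prints the effective values after all includes are applied.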

That’s the user account and SSH login security steps complete. Your server is now really well protected against someone unauthorised getting in via SSH.

Firewall (Iptables)

To make the server’s Ethernet connection as secure as possible, you should lock down your firewall ports so you’re only exposing the ones absolutely necessary to the internet.

We’ll only allow incoming connections on ports 22 (SSH), 80 (HTTP) and 443 (HTTPS), plus the loopback interface.

You’ll need the iptables-persistent package installed:

sudo apt-get install iptables-persistent

Configure rules for IPv4

Warning – if you do this and don’t add the port 22 SSH rule you’ll lock yourself out of your server!

sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

sudo iptables -P INPUT DROP

sudo -i
iptables-save > /etc/iptables/rules.v4
exit

Viewing the current iptables rules to confirm your changes:

sudo iptables -L
Configure rules for IPv6

We’re just going to block all incoming IPv6 connections

sudo ip6tables -P INPUT DROP

sudo -i
ip6tables-save > /etc/iptables/rules.v6
exit
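The rules above open the three ports, but with a DROP policy nothing lets replies to the server’s own outgoing connections back in (apt-get update, DNS lookups) and nothing allows the loopback interface mentioned earlier, so two rules need to come before the port rules. The script below is an added example, not from the original page: it writes a complete rule set in the format iptables-persistent loads from /etc/iptables/rules.v4, with those two rules first, and a rules.v6 that keeps the page’s block-all-incoming stance for IPv6. Setting FORWARD to DROP and the function names are this example’s own choices, on the assumption that the box is not acting as a router.

```shell
#!/bin/sh
# render_rules_v4 PORT...   (added example)
# Prints an iptables-save format rule set that exposes only the given TCP
# ports, accepts loopback and reply traffic, and drops everything else.
render_rules_v4() {
    for p in "$@"; do
        case $p in ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: '$p'" >&2; return 1; }
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' COMMIT
}

# render_rules_v6: no inbound IPv6 at all apart from loopback. This also
# drops the ICMPv6 neighbour discovery IPv6 needs, so in practice the host
# will only talk IPv4; enabling IPv6 properly needs its own ICMPv6 rules.
render_rules_v6() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        COMMIT
}

# Usage (as root):  sh render_rules.sh 22 80 443 > /etc/iptables/rules.v4
#   then check it:  iptables-restore --test < /etc/iptables/rules.v4
#   and apply it:   iptables-restore < /etc/iptables/rules.v4
if [ $# -gt 0 ]; then
    render_rules_v4 "$@"
fi
```

Keeping the rule set in the file and loading it with iptables-restore makes the configuration idempotent: re-running it replaces the table rather than appending duplicate rules the way repeated `iptables -A` commands do, and `iptables-restore --test` catches a typo before it can lock you out.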

That’s it!

Your Ubuntu server is locked down using all the standard best practices. The firewall is set up ready for you to use with whatever web server you’re going to install, e.g. Apache.
