A Raspberry Pi running Ubuntu makes a great little server for the internet, with all the security trust you get from using Ubuntu. These instructions apply to any server running Ubuntu, not just a RPi of course.

Here are our steps from a fresh Ubuntu server install to secure and ready to use in 10 minutes. Here’s what we’ll do:

  • Change the default root password.
  • Change the user accounts for optimum security.
  • Set up SSH to use a key pair and password for login, for optimum security.
  • Set up the firewall to ensure Ubuntu isn’t listening on any unnecessary ports.

Log in via SSH

Your provider should have given you login details to connect via SSH. You can use a program like PuTTY, MobaXterm, etc. to connect to the Ubuntu command line over SSH.

Ensure everything is up to date

apt-get update && apt-get upgrade

Checking out your new server setup

Get operating system info
uname -a
View Linux system hardware information
sudo lshw
View Linux CPU Information
lscpu
View storage devices information
lsblk

Setting a new root password

You probably want to change the root password your provider has given you, so you can be sure only you can access it.

sudo passwd root

Account security checks

Ensure only root has UID set to 0 (highest access to the system)
awk -F: '($3=="0"){print}' /etc/passwd

You should only get the root account shown.

Check for Accounts With Empty Passwords
sudo awk -F: '($2==""){print $1}' /etc/shadow

You should get no accounts shown.

root user

It is recommended practice to create a different user account and disable root. However, if you’re the only person logging into Ubuntu and you apply other security best practices, you may feel this is not necessary. For this guide we are using the root account.

Firewall (Iptables)

For security you should lock down your firewall ports so you’re only exposing the ones absolutely necessary to the internet.
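As an added example (not part of the original page), here is a default-deny iptables ruleset that exposes only SSH and rate-limits new SSH connections. It assumes SSH is still on port 22 and that the standard conntrack and recent modules are present; without arguments it prints the rules for review, and with --apply it loads them with iptables-restore (the rules are not persisted across a reboot by this script).

```shell
# Default-deny IPv4 firewall: only SSH is reachable from the internet.
SSH_PORT=22   # assumption: change if you moved SSH to another port

fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the server opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no valid connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping is handy for monitoring; delete this line if you do not want it
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# the only exposed service: SSH, with more than 5 new connections/minute
# from one source dropped to slow down password guessing
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# List the TCP ports the ruleset accepts new connections on, so you can
# confirm nothing beyond SSH is exposed before applying it.
fw_exposed_ports() {
  fw_rules | grep -- '--ctstate NEW -j ACCEPT' \
           | sed -n 's/.*--dport \([0-9]*\).*/\1/p'
}

case "$1" in
  --apply) fw_rules | iptables-restore ;;   # loads the whole table atomically
  *)       fw_rules ;;                       # dry run: just show the rules
esac
```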

Check your SSH configuration

You should lock down SSH as much as possible. You can edit the SSH configuration file with:

sudo nano /etc/ssh/sshd_config

Use a key pair for SSH login

Using a private key for SSH login is a great security step, much better than password alone.

Create a key pair. On Windows, open the command prompt and enter:

ssh-keygen

Enter a filename for your keys with no extension (e.g. “server001”)
Enter a password if you want to use one (not required, but good security so that obtaining the keyfile alone won’t let a hacker in).

Two files are generated; they will probably have been written to: C:\Users\YOUR_USER_NAME\

The files:

server001 (the private key – rename it to “server001_private_key.pem”)

server001.pub (the public key – rename it to “server001_public_key.pem”)

So you should now have

server001_private_key.pem

server001_public_key.pem

Adding the public key to the Ubuntu server

Open your “server001_public_key.pem” file and copy the entire string, e.g.

ssh-ed25519 AAAAC3NzaC15ZDI1NTE5AAAAIBjjwGQWHOrZQ44QgUdvxfSUOW20aeC7yxOzKVlXiNWi john@John-Dell7340

You will replace “PASTE_YOUR_PUBLIC_KEY_STRING_HERE” with it below.

Now on the server command line enter:

mkdir -p ~/.ssh

echo 'PASTE_YOUR_PUBLIC_KEY_STRING_HERE' >> ~/.ssh/authorized_keys

Configure permissions for the ~/.ssh directory and the authorized_keys file.

chmod -R go= ~/.ssh

Now, disconnect and try connecting using your SSH application and your private keyfile “server001_private_key.pem” instead of the root account password.

If you are using MobaXterm, delete the root password if you let it save it, and then in Session settings > Advanced SSH settings > User private key = Checked. Select your keyfile “server001_private_key.pem”.

Now connect. You should be prompted for the password you used when creating the keyfile, and you should then be back connected to your Ubuntu server via SSH.

Disable SSH password login

Now that you’ve proved your key pair is working, ensure you have backed up your private keyfile “server001_private_key.pem” and its password (if you lose either you won’t be able to connect to the Ubuntu server again). Then in Ubuntu, open the SSH server configuration:

sudo nano /etc/ssh/sshd_config

Find the line containing “PasswordAuthentication”, remove the ‘#’ at the start of the line if it’s present and set it to no, so you should have:

PasswordAuthentication no

CTRL+X, Y , RETURN to exit and save the file.

Ubuntu/Debian distributions have the non-standard entry Include /etc/ssh/sshd_config.d/*.conf at the beginning of the distribution sshd_config, so you also need to do the same thing there. sshd uses the first value it reads for each option, and that Include comes first, so a “PasswordAuthentication yes” in any file under /etc/ssh/sshd_config.d/ would silently override the setting you just made:

sudo nano /etc/ssh/sshd_config.d/*.conf

That’s it. Restart the service to apply the configuration (on Ubuntu the service is named ssh; the second command is for systems where it is named sshd):

sudo service ssh restart
sudo service sshd restart

You will now be unable to log in without using your private key.
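To check which file really decides PasswordAuthentication after the edits above, here is an added example (not from the original page) that applies sshd’s first-value-wins rule with the Include expanded first, as Ubuntu’s sshd_config orders it. The demo function builds a constructed copy in a temporary directory so it runs without touching /etc/ssh; point effective_sshd_option at /etc/ssh/sshd_config to audit a real server.

```shell
# Report "<file> <value>" for the file that sets an sshd option, honouring
# sshd's rule that the first value seen wins. Only the "Keyword value" form
# is handled; "Keyword=value" is rare in sshd_config and is not parsed here.
effective_sshd_option() {
  option="$1"; conf="$2"
  # files named by an Include line are read before the rest of the main file
  includes=$(awk '/^[[:space:]]*Include[[:space:]]/ {print $2}' "$conf")
  for f in $includes "$conf"; do          # unquoted so the *.conf glob expands
    [ -f "$f" ] || continue
    # first uncommented line for the keyword wins; keywords are case-insensitive
    val=$(awk -v opt="$option" 'tolower($1)==tolower(opt) {print $2; exit}' "$f")
    if [ -n "$val" ]; then
      echo "$f $val"
      return 0
    fi
  done
  echo "$conf (built-in default)"
  return 1
}

# Constructed sample: the main file says "no" but a drop-in says "yes", which
# is exactly the trap the Include line sets on a fresh image.
demo() {
  d=$(mktemp -d)
  mkdir "$d/sshd_config.d"
  printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' "$d" > "$d/sshd_config"
  printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/10-sample.conf"
  effective_sshd_option PasswordAuthentication "$d/sshd_config" | sed "s|$d/||"
  rm -rf "$d"
}

demo   # prints: sshd_config.d/10-sample.conf yes
```

On a live server, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd itself will use and is the final check worth running before you disconnect.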

Restart after making changes to a service

service ssh restart
