Save 50% for your first year of web hosting!

How to Secure an Ubuntu Linux Server in 3 Simple Steps

We all know that security is important, but we are usually too lazy to add basic security. In this tutorial I will show you how to secure a Linux server in 3 simple steps, starting from basic to more advanced security.

This requires a VPS, if you do not already have a VPS, you can get one from HostUp starting from $3.00/mo – View plans, or visit our Swedish languaged site at hostup.se

1. Create a New Account

This is not really a security ‘feature’, but it is always a good idea to either move away from root or setup login with authorized keys since the most common username out there is root since it is the default. For this reason, most brute-force programs tend to try to use that username.

When you have logged into an SSH terminal with your specified username & password proceed with the following commands to create a new root privileged account. Change changeme with what username you want the account to have.

Create the new account:

adduser changeme

Give the account root privilege:

usermod -aG sudo changeme

Switch over to your newly created user account:

su – changeme

After you have created your new account you may start a new SSH session, only this time connect with your new username & password.

2. Replace Password Login With Authorized keys

Stop using passwords all together when logging into your Linux server, and replace it with public and private authentication keys instead!

Step 1.

Generate your 2048bit public and private keys via a generator such as PuttyGen. If you do not already have it you may download it from putty.org

Click the Generate button marked with red. You can open this window by simply searching PuttyGen in the Windows search box.

After you have clicked generate, follow the instructions on the screen until the loading bar is finished.
Proceed to saving the private and public keys in a safe place.

You are now ready to start using your newly generated keys. Open up the contents of your public key with an editing tool such as NotePad++. Back on your SSH client, run the following commands

Step 2.

First we want to make a new directory called ssh:

mkdir .ssh

After this we want to create a file called authorized_keys where we will be putting our public key inside

nano .ssh/authorized_keys

If you do not have nano install then please proceed to installing it by running the following command:

 sudo apt-get install nano

You should put your public key in like this:

ssh-rsa KEYHERE

Example of this being:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEApLqp8zeP5y/7GQ99ml6325WeSr+j+vpBxi/0YJzTgz1xkILXwjaikLaaNPP5dp7fAVyBAjl3XqlAnng7yh4KVqWSgga8drlfj1ljyzQHPeCib6pLlgyyZbh4L/YaWjvcKfj5YK13hCUuKiHMUa69QZHmX+tT+iKr9ax49xPILGHJK8n1/V0lYg+C+z35cS9EbHMJRP3Kx2vWFPaFkJr6OxN4N0HK3ZLYv4wdUHQbeG9Ahzj8c8iQGSgMy5lVIvlwZJAn4xE8XqjAKW7dVFwKeVciesR+HjQVvqdCq18z9fmSGN5i/YbPfSUOKgxgtBChswf/7BdV8XFby5Xk+hRUQ==

After this, save and exit by pressing CTRL + X and following the instructions presented on your screen. Then proceed by running the following commands to set the right privileges to the file.

chmod 600 .ssh/authorized_keys

Step 3.

Next we want to disable password authentication and only allow authentication using our newly created private and public key.

First we want to open your sshd_config configuration file:

nano /etc/ssh/sshd_config

FindPasswordAuthentication yes and replace it with PasswordAuthentication no to disable password logins

If you feel like disabling root logins:
Find PermitRootLogin yes and replace it with PermitRootLogin no

Again, save and exit by pressing CTRL + X and follow the instructions presented on the screen.

Restart SSH:

sudo service sshd restart

Congratulations, you have now disabled root & password logins. To login into the server in the future, you will need to use your private key. In Putty SSH client you can add this by going to:

Connection > SSH > Auth and selecting your private key in the browse tab.

3. Install a Firewall on Your Linux Server

It is highly recommended that you install a firewall and only allow for ports that you actually use.

sudo apt-get install ufw -y
sudo ufw allow ssh/tcp
sudo ufw limit ssh/tcp
sudo ufw logging on
sudo ufw enable

You can add additional ports by running the command:

sudo ufw allow PORTHERE/tcp

Remember to replace PORTHERE with your specified port.

Another good thing to install is Fail2ban. Fail2ban will monitor your firewall logs and ban any IPs that act suspiciously.

To install Fail2ban firstly:

sudo apt -y install fail2ban

After you have install your very own installation of Fail2ban, you want to make sure that it starts automaticly on restart:

sudo systemctl enable fail2ban

All you have got left to do is to start the program:

sudo systemctl start fail2ban

Congratulations! If you have made it this far you can be sure that your Ubuntu server is fully secured. Remember to share this tutorial to anyone who wants to have a more secure server and bookmark. It is better to be safe that sorry afterall :).