How to Harden the Ubuntu Server in 2022

As we spun out more virtual machines on the cloud for web and application hosting and started managing this environment ourselves, we began compiling our own guide on how to harden an Ubuntu server for better protection from hackers.

Here is the setup:

Enabling Automatic Updates

Most servers get hacked because they were not patched with security updates. Sure, we can update manually, but we usually forget to.

To update the server manually:

sudo apt update

To install the update:

sudo apt dist-upgrade

To install the automatic update utility:

sudo apt install unattended-upgrades

To set it up:

sudo dpkg-reconfigure --priority=low unattended-upgrades

A dialog pops up. For the "Automatically download and install stable updates?" option, select Yes.


Creating Login Other than Root in SSH

Logging in over SSH as root is something you need to avoid.

To do this, create another user, let's say anotherroot, and give it administrator access (the sudo group).

adduser anotherroot

Enter the password. Enter the profile questions.

Add the user to the sudo group:

usermod -aG sudo anotherroot

Log out from the terminal.

Try logging in as the new user:

ssh anotherroot@xxx.xxx.xxx.xxx

To test without sudo:

adduser anotherroot2

This will show command not found!

To try with sudo:

sudo adduser anotherroot2

This should prompt for a password, and the test user will be created.


Removing the Use of Password in SSH

Passwords can be brute-forced. To avoid this, we use an authentication key-pair instead (a public and a private key). The server gets the public key, while the client (laptop/desktop) uses the private key. As an analogy, the public key is a padlock while the private key is the key that opens it.

Log in as the anotherroot user from the terminal (PowerShell or any other):

ssh anotherroot@xxx.xxx.xxx.xxx

Create a folder:

mkdir ~/.ssh && chmod 700 ~/.ssh

NOTE: Do not use sudo, as the owner of the folder needs to be anotherroot/anotherroot.

This command creates a folder called .ssh under the home directory (/home/anotherroot), where the public key will be stored, and gives it the right permissions.

Log out:

logout

Back on the local terminal (PowerShell / Linux shell), create the key-pair:

ssh-keygen -t rsa -b 4096

Note: 4096 is the size of the key in bits. Bigger is better.

A prompt appears: "Enter file in which to save the key (C:\Users\[your_windows_user]/.ssh/id_rsa):"

Leave the default and press Enter.

Note: If you are prompted to overwrite, a key was generated previously and may be in use for accessing other servers. Be careful with this! Back it up first, or cancel this action and give the new key another name.

Enter a passphrase or you can leave it blank.

The 2 keys should be created under C:\Users\[your_windows_user]\.ssh\id_rsa and C:\Users\[your_windows_user]\.ssh\id_rsa.pub

To verify the key-pair, still in the terminal:

cd ~/.ssh
ls

Back up this key-pair somewhere safe, e.g. your password library.

The next step is to upload the public key into the server, still on the terminal:

scp -P XXX $env:USERPROFILE/.ssh/id_rsa.pub anotherroot@xxx.xxx.xxx.xxx:~/.ssh/authorized_keys

Note: The command above is only for Powershell.

Now try logging in; this should not prompt for a password:

ssh anotherroot@xxx.xxx.xxx.xxx

Straight in without a password!!!


Lockdown SSH Logins with No Password

Before doing this, ensure you have VPN access from your host provider to the machine just in case.

Log in to the server using anotherroot:

sudo nano /etc/ssh/sshd_config

Find the line:

PermitRootLogin yes

and replace it with:

PermitRootLogin no

Find the line:

PasswordAuthentication yes

and replace it with:

PasswordAuthentication no

To save the document, press Ctrl + X and press Y and enter.

Restart the ssh server:

sudo systemctl restart sshd

To test it, leave the current terminal open, just in case.

Open another terminal to test with the root account:

ssh root@xxx.xxx.xxx.xxx

This login should be refused: Permission denied (publickey).


Changing the SSH Port

Log in to the server using anotherroot:

sudo nano /etc/ssh/sshd_config

Replace the line:

#Port 22

with a port other than 22, for instance 222 in this case:

Port 222

Replace the line:

#AddressFamily any

with allowing IPv4 only:

AddressFamily inet

To save the document, press Ctrl + X and press Y and enter.

Restart the ssh server:

sudo systemctl restart sshd

To test it, leave the current terminal open, just in case.

Open another terminal to test:

ssh anotherroot@xxx.xxx.xxx.xxx

This should result in a connection timeout.

Test again with the custom port, 222:

ssh anotherroot@xxx.xxx.xxx.xxx -p 222
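
The sshd_config edits from the last two sections can be checked against what sshd actually applies. This matters on Ubuntu because the stock sshd_config includes /etc/ssh/sshd_config.d/*.conf and the first value found wins, so a drop-in file can override the edit. The script below is an added example, not part of the original guide; audit_sshd and the sample variables are names made up for the illustration, and the sample input is constructed.

```sh
#!/bin/sh
# Added example (not from the original guide). Reads `sshd -T` style output
# (lowercase "keyword value" lines) on stdin and compares it with the values
# this guide sets. On a server: sudo sshd -T | audit_sshd

audit_sshd() {
    root=unset; pass=unset; family=unset; ports=""; failures=0
    while read -r key value; do
        case "$key" in
            port)                   ports="$ports $value" ;;
            permitrootlogin)        root=$value ;;
            passwordauthentication) pass=$value ;;
            addressfamily)          family=$value ;;
        esac
    done

    # check NAME ACTUAL EXPECTED: report and count one deviation.
    check() {
        if [ "$2" != "$3" ]; then
            echo "FAIL $1 is '$2', guide sets '$3'"
            failures=$((failures + 1))
        fi
    }
    check permitrootlogin        "$root"   no
    check passwordauthentication "$pass"   no
    check addressfamily          "$family" inet

    # The guide moves SSH to a custom port: flag a missing or leftover port 22.
    case " $ports " in
        "  ")     echo "FAIL no port line found";       failures=$((failures + 1)) ;;
        *" 22 "*) echo "FAIL sshd still listens on 22"; failures=$((failures + 1)) ;;
    esac

    if [ "$failures" -eq 0 ]; then echo "OK effective settings match the guide"; fi
    return "$failures"
}

# Constructed samples, not captured from a real host.
sample_hardened='port 222
addressfamily inet
permitrootlogin no
passwordauthentication no'
# Same host after a drop-in in /etc/ssh/sshd_config.d/ re-enabled passwords.
sample_overridden='port 222
addressfamily inet
permitrootlogin no
passwordauthentication yes'
printf '%s\n' "$sample_hardened"   | audit_sshd
printf '%s\n' "$sample_overridden" | audit_sshd || true
```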

Activating the Firewall

Putting up a firewall, like a fence around the perimeter, will make the server more secure.

Start the terminal (PowerShell) and log in to the server:

ssh anotherroot@xxx.xxx.xxx.xxx -p 222

To see which ports are open (being listened on):

sudo ss -tupln

A list should appear; check the Local Address:Port column.

If your server has a long list, document the ports and research what each one is for.

To install the firewall:

sudo apt install ufw

Note: By default, this is not going to be activated.

To see the status:

sudo ufw status

This should be inactive.

Before activating this, the first requirement is to allow the SSH with a custom port first.

sudo ufw allow 222

The rules should be updated (ipv4 and ipv6)

The following command will activate the firewall. This will block everything except the custom port.

To activate the firewall, enter:

sudo ufw enable

Press Y and the firewall should be active and enabled.

To check the status:

sudo ufw status

You should see To / Action / From entries only for port 222.

To test it, leave the current terminal open, just in case.

Open another terminal to test:

ssh anotherroot@xxx.xxx.xxx.xxx -p 222

If you are in, all is good!

Add more ports if necessary such as port 80/443 (web)
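
Before running ufw enable, it helps to compare the ss -tupln listing with the ports you intend to allow, so that nothing you need is cut off and nothing unexpected is left listening. The following is an added example, not from the original guide; exposed_listeners is a made-up name, and the sample listing is constructed (it includes a Webmin listener on its default port 10000).

```sh
#!/bin/sh
# Added example (not from the original guide). Lists sockets from `ss -tupln`
# output that are reachable from the network and whose port is not in the set
# you plan to allow. On a server: sudo ss -tupln | exposed_listeners 222 80 443

exposed_listeners() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "Netid" { next }           # skip the header row
        {
            endpoint = $5                           # Local Address:Port column
            port = endpoint; sub(/.*:/, "", port)   # text after the last colon
            addr = substr(endpoint, 1, length(endpoint) - length(port) - 1)
            # Loopback-only sockets cannot be reached from outside the host.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok)) print $1 "/" port " on " addr
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample listing, not captured from a real host.
sample_ss='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:222        0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*  users:(("miniserv.pl",pid=990,fd=5))
tcp   LISTEN 0      511    *:80               *:*'

# Only 222 is allowed so far: Webmin (10000) and the web server (80) stand out.
printf '%s\n' "$sample_ss" | exposed_listeners 222
```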


Blocking the Ping

We want the machine to be hidden, and we do this by blocking ICMP ping requests in the UFW firewall.

Start the terminal (PowerShell) and log in to the server:

ssh anotherroot@xxx.xxx.xxx.xxx -p 222

To edit the config:

sudo nano /etc/ufw/before.rules

Add a new line directly under the # ok icmp codes for INPUT comment, so that it comes before the existing echo-request ACCEPT rule (the first matching rule wins):

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

To save the document, press Ctrl + X and press Y and enter.

Restart the firewall:

sudo ufw reload

Reboot the machine:

sudo reboot

Open the terminal to see if it has rebooted successfully:

ssh anotherroot@xxx.xxx.xxx.xxx -p 222

To test it, open up another terminal.

Ping the IP address:

ping xxx.xxx.xxx.xxx

This should display a request timeout.


Changing the Webmin Port

Webmin is a tool for managing server administration easily. Changing its port is a way to make it more secure.

Open up the browser and access the Webmin via IP address and the default port.

Click the Webmin Configuration link.

Select the Ports and Addresses link.

Under Listen on port, set a specific port, 10001 for instance.

Under IPv6 connection, select the No option.

Under Listen for broadcast on UDP port, type in 10001.

Click the Save button.

Under the Web Configuration, click the Restart Webmin button.


Starting the Webmin Service Only if Needed

Open up the browser and access the Webmin via IP address and the default port.

Click the Webmin Configuration link.

Under Start at boot time, select the No option.

Click the Start at boot time button.

To start manually:

sudo /etc/webmin/start

To stop again:

sudo /etc/webmin/stop

Setting up Two-Factor Authentication in Webmin

Open up the browser and access the Webmin via IP address and the default port.

Click the Webmin Configuration link.

Click the Two-Factor Authentication link.

Select the Google Authenticator as the Authentication provider.

Click the Save button.

Go back and click the Webmin Users link.

Select the user and activate Two-Factor Authentication by scanning the QR code.

Test by logging out of Webmin.

Log in again and it should ask for the password as well as the token.

That’s it! The actions above will at least protect the server. This does not mean it is unhackable, but it at least makes it harder for a hacker to attack the machine, and we want to be on the safe side.


The End

If you have reached the end of this article, congratulations. Hopefully, we have been able to shed some light on what you need to know to harden an Ubuntu server.

We wrote this in such a way that it is not a fixed article. As on this journey, we learn as we go and rewrite parts of the article, so please keep checking back on this article or our other tech posts.

If you have a question or anything, please drop us a comment below or you can chat with us on Dewachat.
