Setting up a secure Ubuntu 24.04 server
For the purpose of this tutorial we will assume that this is a brand new server which only has one root/super user. We will first install all the programs needed using root, but once they are installed we will stop using the root user and instead create a second user with far fewer permissions. This helps greatly with security.
Timezone and Time Setting
To ensure that your server is in the correct timezone and that its clock stays synchronised, type:
sudo dpkg-reconfigure tzdata
A dialog should appear. Simply choose your “Geographic area” and then select the city whose time you wish to use. Once that is done we need to keep our server clock in sync with the rest of the world. This is very important if your timezone changes.
sudo timedatectl set-ntp on
Updating Software
To ensure that your server is running the latest software updates we need to do the following:
- Download package lists to get information on the newest versions
- Actually fetch and install these newest versions
- Remove any outdated packages that might not be needed after the update
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo apt-get autoremove
sudo reboot
Adding zsh and oh-my-zsh
Install Zsh, which is a way better shell than the default, and Oh My Zsh, which takes Zsh to the next level with awesome themes, plugins, and cool features.
sudo apt install zsh
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
Edit the ~/.zshrc file and try something like the following:
# Path to your oh-my-zsh installation.
export ZSH="$HOME/.oh-my-zsh"
ZSH_THEME="robbyrussell"
# Add wisely, as too many plugins slow down shell startup.
plugins=(git)
source $ZSH/oh-my-zsh.sh
# prompt customisation (overrides the prompt of the ZSH_THEME set above)
if [ $UID -eq 0 ]; then NCOLOR="red"; else NCOLOR="green"; fi
local return_code="%(?..%{$fg[red]%}%? ↵%{$reset_color%})"
PROMPT='%{$fg[$NCOLOR]%}%n%{$reset_color%}@%{$fg[cyan]%}%m\
%{$reset_color%}:%{$fg[magenta]%}%~\
$(git_prompt_info) \
%{$fg[red]%}%(!.#.»)%{$reset_color%} '
PROMPT2='%{$fg[red]%}\ %{$reset_color%}'
RPS1='${return_code}'
ZSH_THEME_GIT_PROMPT_PREFIX="%{$fg[yellow]%}("
ZSH_THEME_GIT_PROMPT_CLEAN="%{$fg[green]%}○%{$reset_color%}"
ZSH_THEME_GIT_PROMPT_DIRTY="%{$fg[red]%}⚡%{$reset_color%}"
ZSH_THEME_GIT_PROMPT_SUFFIX="%{$fg[yellow]%})%{$reset_color%}"
Add new user and setting up SSH
We need to create a new user for two reasons. First, we will be disabling root login altogether, as leaving it open is a security issue. Second, the root user has too many privileges, which lets you execute potentially destructive commands; a user with fewer access rights limits the damage that can be done if the account is compromised. It is therefore advised to create a new user account with more limited permissions for day-to-day use. This new user will be added to the sudo group so that you can execute commands which require elevated permissions, but only when required.
sudo adduser john
You will be asked for some details. Just fill them out and choose a good password. Once that is done, open a terminal on your local PC (not your server) and create yourself a public and private key pair. Then copy the public key from your local PC to your server, using your new server user and not the root user.
ssh-keygen -t ed25519
ssh-copy-id user@host
You will now be able to log into your server over SSH with your key.
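The text above says the new user is added to the sudo group but does not show the command, and ssh-copy-id hides what happens on the server side. The script below is an added example, not part of the original post: run as root on the server, it creates the user if needed, puts it in the sudo group, and installs a public key into ~/.ssh/authorized_keys with the permissions sshd requires (with the default StrictModes, sshd ignores an authorized_keys file that is group- or world-writable). The user name "john" comes from the tutorial; the key string is a placeholder to be replaced with the one your local ssh-keygen produced.

```sh
#!/bin/sh
# Added example (not the tutorial's own commands): server-side user + key setup.
# install_authorized_key HOME OWNER PUBKEY
#   Append PUBKEY to HOME/.ssh/authorized_keys once (idempotent) and set the
#   permissions sshd expects: 700 on .ssh, 600 on authorized_keys, owned by OWNER.
install_authorized_key() {
    home=$1; owner=$2; pubkey=$3
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # -x: whole-line match, -F: literal, so a key already present is not duplicated
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    chown -R "$owner" "$home/.ssh"
}

# ensure_sudo_user NAME
#   Create NAME if it does not exist (adduser prompts for the password) and add
#   it to the sudo group; the final check fails if the group membership is missing.
ensure_sudo_user() {
    name=$1
    id "$name" >/dev/null 2>&1 || adduser --gecos "" "$name"
    usermod -aG sudo "$name"
    id -nG "$name" | grep -qw sudo
}

# Only does real work when run as root with the "apply" argument.
# The key below is a constructed placeholder, not a real key.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    ensure_sudo_user john
    install_authorized_key /home/john john \
        "ssh-ed25519 AAAA...REPLACE_WITH_YOUR_PUBLIC_KEY john@laptop"
fi
```

After running it, `id -nG john` on the server should list `sudo`, and the key-based login from your local PC (`ssh john@host`) should succeed before you go on to disable password authentication in the next section.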
Disable root password login
Back on your server, as the root user, type the following:
vim /etc/ssh/sshd_config
Then search for the line
PasswordAuthentication yes
and change it to
PasswordAuthentication no
Save your changes and exit vim, then restart the SSH service to reload your changes. This will block the root user from logging in remotely using a password.
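Two things worth knowing before you edit sshd_config by hand. PasswordAuthentication applies to every account, not just root; remote root login as such is controlled by PermitRootLogin. And sshd keeps the first value it reads for a keyword: Ubuntu's stock sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in file wins over a line further down in the main file (some cloud images ship a `50-cloud-init.conf` drop-in that sets `PasswordAuthentication yes`, which silently undoes an edit to the main file). The script below is an added example, not the tutorial's own commands: it writes the hardening as a drop-in whose name sorts first, and it resolves a keyword the way sshd does so you can see which value is in effect. The Include-at-top layout and sorted include order are assumptions stated in the comments; Match blocks are ignored by the small resolver.

```sh
#!/bin/sh
# Added example (not from the original post): sshd hardening via a drop-in, plus
# a resolver that mimics sshd's "first value wins" rule.
# Assumptions: sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf",
# included files are read in sorted name order, Match blocks are not considered.

# ssh_effective KEY MAIN_CONFIG DROPIN_DIR
#   Print the value sshd would use for KEY: drop-ins (sorted) first, then the
#   main file; the first occurrence wins. Returns 1 if KEY is set nowhere.
ssh_effective() {
    key=$1; main=$2; dropin_dir=$3
    for f in "$dropin_dir"/*.conf "$main"; do
        [ -f "$f" ] || continue
        val=$(sed 's/#.*//' "$f" | awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }')
        if [ -n "$val" ]; then printf '%s\n' "$val"; return 0; fi
    done
    return 1
}

# ssh_harden DROPIN_DIR
#   Write the hardening drop-in. The "00-" prefix sorts it before any other
#   drop-in, so its values are the first ones sshd reads.
ssh_harden() {
    mkdir -p "$1"
    cat > "$1/00-hardening.conf" <<'EOF'
# sshd uses the first value it reads per keyword; keep this file sorted first.
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# demo_scenario DIR
#   Constructed scratch copy of the gotcha: the main file already says "no",
#   but a cloud-init style drop-in says "yes" and is read first.
demo_scenario() {
    mkdir -p "$1/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\nPermitRootLogin yes\n' \
        "$1" > "$1/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

if [ "${1:-}" = "apply" ]; then
    # Real host, as root, with a second key-based session kept open as a safety net.
    ssh_harden /etc/ssh/sshd_config.d
    sshd -t && systemctl restart ssh          # -t validates the full config first
    sshd -T | grep -iE '^(permitrootlogin|passwordauthentication) '
else
    d=$(mktemp -d); demo_scenario "$d"
    echo "before: PasswordAuthentication=$(ssh_effective PasswordAuthentication "$d/sshd_config" "$d/sshd_config.d")"
    ssh_harden "$d/sshd_config.d"
    echo "after:  PasswordAuthentication=$(ssh_effective PasswordAuthentication "$d/sshd_config" "$d/sshd_config.d")"
    rm -r "$d"
fi
```

Without an argument the script only runs the scratch demonstration (before: yes, after: no). On the server, `sshd -T` prints the configuration sshd actually loaded, which is the authoritative check that password login is off and root login is refused.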
Setting up Firewall
A firewall provides extra security by blocking certain inbound and outbound traffic to your server. For now we will only allow port 22 (used for SSH), port 80 (used for HTTP) and port 443 (used for HTTPS).
apt-get -y install ufw
ufw allow ssh
ufw allow http
ufw allow https
If you want to double check the rules, simply use:
ufw show added
You should see all three being allowed. If so, you can commit these changes:
ufw enable
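Once the firewall is enabled it is easy to accumulate extra allow rules over time (a database port opened "just for a minute", for instance). The function below is an added example, not part of the original post: it reads `ufw status` output and prints any ALLOW rule whose port is not one of the three the tutorial permits, returning a non-zero status if it finds one, so it can sit in a cron job or a deployment check. The sample status text is constructed to mirror ufw's "To / Action / From" layout, including the "(v6)" variants ufw prints for IPv6.

```sh
#!/bin/sh
# Added example (not from the original post): audit ufw's allow rules against
# the ports the tutorial opens.

ALLOWED_PORTS="22 80 443"

# ufw_unexpected
#   Read "ufw status" text on stdin; print the port of every ALLOW rule that is
#   not in ALLOWED_PORTS. Exit status 1 if at least one such rule exists.
ufw_unexpected() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # rule lines: "22/tcp   ALLOW   Anywhere" or "22/tcp (v6)   ALLOW   Anywhere (v6)"
        $2 == "ALLOW" || $3 == "ALLOW" {
            port = $1; sub(/\/.*/, "", port)        # strip "/tcp" or "/udp"
            if (!(port in ok)) { print port; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample of "ufw status" output; 3306 is the rule that should be flagged.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# On a real host replace the printf with: ufw status | ufw_unexpected
if printf '%s\n' "$SAMPLE_STATUS" | ufw_unexpected; then
    echo "only expected ports are allowed"
else
    echo "unexpected allow rule(s) listed above"
fi
```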
Fail2ban
Fail2ban is a great tool that blocks remote users from signing in for a set period of time if they have failed to enter the correct password 6 times. By default they will be blocked for 10 minutes, which should be enough time to stop a brute-force attack.
sudo apt-get -y install fail2ban
sudo service fail2ban start
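To make the thresholds above explicit and to see what fail2ban is actually doing, here is an added example, not from the original post. The first function is the detection logic of the sshd jail written out in awk: it counts "Failed password" lines per source address over constructed sshd log lines and reports any source that reached the retry limit. The second writes a jail.local with the 6 attempts / 10 minutes the tutorial describes (the numbers are taken from the text above, not from fail2ban's packaged defaults) and selects the systemd journal backend so the jail does not depend on /var/log/auth.log, which only exists where rsyslog is installed. The log lines and IP addresses are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post): fail2ban's sshd jail, explained.
MAXRETRY=6     # attempts before a ban, as the tutorial states
BANTIME=10m    # ban duration, as the tutorial states

# failed_login_sources
#   Read sshd log lines on stdin; print "<ip> <count>" for each source address
#   with at least MAXRETRY "Failed password" lines (the core of fail2ban's sshd
#   filter). Successful logins and other messages are ignored.
failed_login_sources() {
    awk -v max="$MAXRETRY" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }' | sort
}

# write_jail_local PATH
#   Write a jail.local that enables the sshd jail with the thresholds above.
#   backend = systemd reads the journal directly instead of /var/log/auth.log.
write_jail_local() {
    cat > "$1" <<EOF
[DEFAULT]
backend  = systemd
bantime  = $BANTIME
findtime = 10m
maxretry = $MAXRETRY

[sshd]
enabled = true
EOF
}

# Constructed sample log: 203.0.113.5 fails six times, 198.51.100.7 fails once
# and then logs in with a key (documentation address ranges, not real hosts).
SAMPLE_LOG='Mar 10 12:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:02 srv sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 10 12:00:03 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 12:00:04 srv sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51237 ssh2
Mar 10 12:00:05 srv sshd[1205]: Failed password for john from 203.0.113.5 port 51238 ssh2
Mar 10 12:00:06 srv sshd[1206]: Failed password for john from 203.0.113.5 port 51239 ssh2
Mar 10 12:00:09 srv sshd[1209]: Failed password for john from 198.51.100.7 port 40000 ssh2
Mar 10 12:00:10 srv sshd[1210]: Accepted publickey for john from 198.51.100.7 port 40001 ssh2'

# On a real host the input would be: journalctl -u ssh --no-pager | failed_login_sources
printf '%s\n' "$SAMPLE_LOG" | failed_login_sources

# Only writes the real file when run as root with "apply"; then reload fail2ban
# and inspect the jail with: fail2ban-client status sshd
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    write_jail_local /etc/fail2ban/jail.local
    systemctl restart fail2ban
fi
```

Run without arguments it prints `203.0.113.5 6`, the only source that crossed the limit; 198.51.100.7 is left alone because one failed attempt followed by a successful key login is normal behaviour. On the server, `fail2ban-client status sshd` shows the currently banned addresses, and the jail.local settings survive package upgrades, unlike edits to jail.conf.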
Conclusion
Setting up a secure server is a vital first step towards minimising potential future security breaches. The next blog post will deal with setting up a LEMP (Linux, Nginx, MySQL and PHP) environment on your new server. I’ll include a list of the commands I’ve used at the top for some quick “copy and paste” reference.