
Setting up a secure Ubuntu 20.04 server

For the purpose of this tutorial we will assume that this is a brand new server with a single root (super) user. We will install everything we need as root, but once that is done we will stop using root and instead create a second user with far fewer privileges for day-to-day work. This alone removes a great deal of risk.

Timezone and Time Setting

To ensure that your server is in the correct timezone and that the time remains synced type:

dpkg-reconfigure tzdata

A dialog will appear. Simply choose your “Geographic area” and then select the city whose time you wish to use. Once that is done we need to keep our server clock in sync with the rest of the world. Accurate time matters more than it looks: the log timestamps you will need to correlate during an incident, TLS certificate validity periods and time-based tokens all depend on it.

timedatectl set-ntp on

Updating Software

To ensure that your server is running the latest software updates we need to do the following:

  • Download package lists to get information on the newest versions
  • Actually fetch and install these newest versions
  • Remove any outdated packages that might not be needed after the update
apt-get update
apt-get upgrade
apt-get autoremove

Add a new user and set up SSH

We need to create a new user for two reasons. First, we will be disabling remote root login, because leaving it open gives attackers a well-known, all-powerful account to aim at. Second, root can run any command at all, so a single mistake or a compromised session can do unlimited damage, whereas a compromised low-privilege account can do only limited harm. We therefore create a user with limited permissions for day-to-day use and add it to the sudo group, which lets it run commands that need elevated permissions, but only when explicitly asked to.

adduser john

You will be asked for some details. Fill them out and choose a good password (sudo will still ask for it). Once that is done open a terminal on your local PC (not on the server), create a public and private key pair, and copy the public key to the server using the new user’s credentials, not root’s. In the ssh-copy-id command below replace user@host with the new username and your server’s address, for example john@your.server.

ssh-keygen -t ecdsa -b 521
ssh-copy-id user@host

You should now be able to log into the server as the new user over SSH without being asked for a password. Confirm this in a separate terminal, and keep your root session open, before you carry on: the next step removes password logins, and if the key is not working you will lock yourself out.

Disable password login

Back on your server using the root user type in the following:

vim /etc/ssh/sshd_config

Then search for PasswordAuthentication yes (the line may be commented out with a leading #; if so remove the #) and change it to PasswordAuthentication no. Save your changes, exit vim and restart the SSH service (the unit is called ssh on Ubuntu) so the change takes effect. Note that this directive is not specific to root: it turns off password logins for every account, root included, so from now on only key-based logins will work. It does not by itself stop root from logging in with a key; if you want root locked out entirely you also need PermitRootLogin no in the same file.
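The following script is an added example, not code from the original post, covering the steps of the two sections above: it applies the sshd_config edits to a copy of the file first, reads the values back, and only touches the live server when run with --apply (as root). It assumes the new user is called john as in the post, that the config contains no Match blocks (a directive inside one would be rewritten too), and that the SSH service unit is called ssh as it is on Ubuntu; the sample config it edits is constructed for the demo, not taken from a real server. The PermitRootLogin directive and the usermod call are additions that implement what the text describes but does not show.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the sshd changes from
# the two sections above on a copy of sshd_config first, read them back, and
# only then (with --apply, as root) touch the live file. Assumptions: the new
# user is "john" as in the post, the config has no Match blocks, and the SSH
# service unit is called "ssh" as it is on Ubuntu.
set -eu

NEW_USER=john   # assumption: the account created with "adduser john" above

# set_sshd_option FILE KEY VALUE
# Rewrites every active or commented-out "KEY ..." line of FILE to "KEY VALUE"
# (sshd keywords are case-insensitive) and appends the directive if no such
# line exists. Running it twice leaves the file unchanged.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)      # drop indentation and a leading "#"
      split(line, f, /[ \t]+/)
      if (tolower(f[1]) == tolower(key)) {
        if (!found) { print key " " value; found = 1 }   # keep one copy, drop duplicates
        next
      }
      print
    }
    END { if (!found) print key " " value }' "$file" > "$tmp"
  cat "$tmp" > "$file"   # overwrite in place so the owner and mode of FILE survive
  rm -f "$tmp"
}

# get_sshd_option FILE KEY: prints the value of the last active KEY line
# (empty if the file never sets it).
get_sshd_option() {
  awk -v key="$2" '
    $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { v = $2 }
    END { print v }' "$1"
}

# harden_sshd_config FILE: turn off password logins for every account (root
# included) and refuse direct root logins; succeeds only if both read back.
harden_sshd_config() {
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PermitRootLogin no
  [ "$(get_sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ "$(get_sshd_option "$1" PermitRootLogin)" = no ]
}

# constructed_config: writes a constructed sample in the layout of the stock
# Ubuntu 20.04 file (not copied from a real server) and prints its path.
constructed_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample for the dry run
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
EOF
  echo "$f"
}

# apply_to_server: the real thing. Run as root, from the root session you
# already have open, and only after "ssh john@host" works with the key.
apply_to_server() {
  usermod -aG sudo "$NEW_USER"        # the sudo membership the post describes
  if [ ! -s "/home/$NEW_USER/.ssh/authorized_keys" ]; then
    echo "no authorized key for $NEW_USER yet; run ssh-copy-id first" >&2
    return 1                          # otherwise we would lock ourselves out
  fi
  cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  harden_sshd_config /etc/ssh/sshd_config
  sshd -t                             # syntax check; a broken file would leave sshd down
  # effective values after Include files; a drop-in that sets these first wins
  sshd -T | grep -iE '^(passwordauthentication|permitrootlogin) '
  systemctl restart ssh
}

# Dry run on the constructed sample by default; --apply changes the live server.
if [ "${1:-}" = --apply ]; then
  apply_to_server
else
  cfg=$(constructed_config)
  cp "$cfg" "$cfg.orig"
  harden_sshd_config "$cfg"
  diff "$cfg.orig" "$cfg" || true     # diff exits 1 when the files differ; just show it
  rm -f "$cfg" "$cfg.orig"
fi
```

The check against authorized_keys is the important part: refusing to turn passwords off until the new user actually has a key is what keeps a typo from locking you out of your own server. The sshd -T line is there because sshd takes the first value it sees for a directive, so a drop-in under sshd_config.d that is Include'd above your edit would silently win; always read the effective value back rather than trusting the file you edited.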

Setting up Firewall

A firewall adds a layer of protection by dropping traffic you have not explicitly allowed. ufw’s defaults deny all incoming connections and allow all outgoing ones, so all we need to do is open the inbound ports we actually use. For now that is only port 22 (used for SSH), port 80 (used for HTTP) and port 443 (used for HTTPS).

apt-get -y install ufw
ufw allow ssh
ufw allow http
ufw allow https

To double check the rules before they take effect, run ufw show added; you should see all three being allowed. Make sure the SSH rule is among them, because enabling the firewall without it will cut off your own connection. If all three are there you can commit the changes:

ufw enable

Fail2ban

Fail2ban is a great tool that watches the authentication log and temporarily bans the address of any remote host that keeps failing to log in. For the SSH jail the defaults are 5 failures within 10 minutes, followed by a 10 minute ban, which is enough to make a brute-force attack impractical. Since we have already disabled password logins this is defence in depth (nobody can guess a password any more), but it still stops scanners from hammering the SSH port. On Ubuntu the SSH jail is enabled out of the box and the service is started on installation, so the start command below only makes sure it is running.

apt-get -y install fail2ban
service fail2ban start
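As an added example (not from the original post), the script below audits the state the firewall and Fail2ban sections leave behind: it parses the plain text printed by ufw status and fail2ban-client status sshd, fails if the firewall is inactive, if any of the three expected ports is missing, or if some other port has been opened, and reports how many addresses the sshd jail is currently banning. The sample outputs embedded in it are constructed in the layout those tools print (the addresses are from documentation ranges), so it runs offline; --live runs the same checks against the real commands and needs root.

```shell
#!/bin/sh
# Added example, not code from the original post: an audit of the state the
# firewall and Fail2ban sections leave behind. The checks parse the plain text
# that "ufw status" and "fail2ban-client status sshd" print; the samples below
# are constructed (not captured from a real host) so the script runs offline,
# and --live runs the same checks against the real commands, as root.
set -eu

# audit_ufw TEXT: 0 if the firewall is active and the inbound IPv4 ALLOW set is
# exactly 22, 80 and 443 tcp; 1 otherwise, with one finding per line on stdout.
audit_ufw() {
  text=$1; rc=0
  if ! printf '%s\n' "$text" | grep -q '^Status: active'; then
    echo "FAIL: ufw is not active (rules do nothing until 'ufw enable')"; rc=1
  fi
  # "To" column of every inbound IPv4 rule; IPv6 rows carry "(v6)" in $2 and
  # outbound rules "OUT" in $3, so both are skipped
  allowed=$(printf '%s\n' "$text" | awk '$2 == "ALLOW" && $3 != "OUT" { print $1 }')
  for p in 22/tcp 80/tcp 443/tcp; do
    echo "$allowed" | grep -qx "$p" || { echo "FAIL: $p is not allowed"; rc=1; }
  done
  for p in $allowed; do
    case $p in
      22/tcp|80/tcp|443/tcp) ;;
      *) echo "WARN: a rule allows $p, which this guide never opened"; rc=1 ;;
    esac
  done
  return $rc
}

# fail2ban_banned_count TEXT: prints the "Currently banned" figure from the
# sshd jail status, or -1 if TEXT is not the sshd jail's status at all.
fail2ban_banned_count() {
  printf '%s\n' "$1" | awk -F: '
    BEGIN { n = -1 }
    /^Status for the jail: sshd$/ { seen = 1 }
    /Currently banned/ { gsub(/[ \t]/, "", $2); n = $2 }
    END { print (seen ? n : -1) }'
}

# Constructed sample output in the layout ufw prints.
SAMPLE_UFW_OK='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# Same layout, but 443 was forgotten and a database port was opened instead.
SAMPLE_UFW_BAD='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere'

# What you get when "ufw enable" was never run.
SAMPLE_UFW_INACTIVE='Status: inactive'

# Constructed fail2ban-client output; the addresses are documentation ranges.
SAMPLE_F2B='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     34
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     7
   `- Banned IP list:   203.0.113.5 198.51.100.9'

if [ "${1:-}" = --live ]; then
  audit_ufw "$(ufw status)" && echo "ufw: OK"
  echo "fail2ban sshd jail, currently banned: $(fail2ban_banned_count "$(fail2ban-client status sshd)")"
else
  echo "== hardened host"; audit_ufw "$SAMPLE_UFW_OK" && echo "ufw: OK"
  echo "== misconfigured";  audit_ufw "$SAMPLE_UFW_BAD" || echo "ufw: needs attention"
  echo "== never enabled";  audit_ufw "$SAMPLE_UFW_INACTIVE" || echo "ufw: needs attention"
  echo "fail2ban sshd jail, currently banned: $(fail2ban_banned_count "$SAMPLE_F2B")"
fi
```

The inactive case is the one people miss: ufw allow only records rules, and until ufw enable has been run the server is still wide open even though ufw show added lists everything you expect. A non-zero banned count from the sshd jail is a quick sign that Fail2ban is actually reading the log and that scanners are already probing the host.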

Conclusion

Setting up a secure server is a vital first step towards minimising future security breaches. The next blog post will deal with setting up a LEMP (Linux, Nginx, MySQL and PHP) environment on your new server. Below is a list of the commands used in this post for quick “copy and paste” reference.

dpkg-reconfigure tzdata
timedatectl set-ntp on
apt-get update
apt-get upgrade
apt-get autoremove
adduser john
#copy public key from local pc to your remote server using "john's" user credentials.
vim /etc/ssh/sshd_config #replace 'PasswordAuthentication yes' with 'PasswordAuthentication no', then restart the ssh service
apt-get -y install ufw
ufw allow ssh
ufw allow http
ufw allow https
ufw enable
apt-get -y install fail2ban
service fail2ban start