DEV Community

Cover image for How to completely secure an Ubuntu server
Alejandro Akbal
Alejandro Akbal

Posted on • Updated on • Originally published at blog.akbal.dev

How to completely secure an Ubuntu server

Introduction

This tutorial will help you to set up a secure Ubuntu server from scratch.

Keep in mind that this is not a common tutorial, this is the culmination of all the knowledge I have gathered from managing my own servers for more than three years.


Before we start

Preface

While this tutorial is focused on Ubuntu 20.04, it can be used for many other versions, like 18.04 and 16.04. As they are very similar.

Requisites

  • An Ubuntu server
  • Access to your server

It doesn't matter if your server is hosted on DigitalOcean, Google Cloud Engine or Amazon Web Services, Ubuntu should be the same.

Requisite info

If you don't have a server you might want to look at the Useful resources step.


Updates

The first and probably most important step is to always keep the system up-to-date. To do so just open the terminal to update and upgrade the packages via apt.

sudo apt update           # Update package information
sudo apt full-upgrade -y  # Upgrade packages
sudo apt autoremove -y    # Remove unnecessary packages

# One liner
sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y
Enter fullscreen mode Exit fullscreen mode

Automatic updates

Now that the packages are updated, we should install an automated solution to keep the system always up-to-date.

This tutorial on Linuxize will help you install and configure the unattended-upgrades package, which is exactly what is needed.


New user

Using the default super user root is always bad practice, it does everything with the maximum level of permissions, allowing you to break anything; and more critically... Access to anything on the system.

Instead, we should use a normal user with super user privileges. This tutorial on DigitalOcean will guide you to do that.


SSH credentials

Now that you have a new user with super user privileges, you might want to SSH in your server with it, but might find that you can't.

This is because the credentials were stored on the user you were using before, most likely root. Just SSH again with the previous user and copy the credentials to the new user with the rsync utility package.

Follow the 5th step of this tutorial on DigitalOcean to do so.


SSHD

SSHD manages the SSH connections to the server. Its default configuration is good but some changes must be made, like disabling the root user login and changing the default SSH port.

Follow the first step of this tutorial on DigitalOcean to learn how to configure SSHD.

It is recommended that you change the default SSH port


UFW

UFW is Ubuntu's default firewall and is extremely useful. By default it allows http and ssh connections, depending of your use case you might not need some of those rules.

Check out this tutorial on DigitalOcean to learn how to configure UFW.

If you changed the SSH port on an earlier step, you might want to create a new UFW rule for that port.


Fail2Ban

Fail2Ban protects you from brute-force attacks. It bans bad actors from accessing the server for a specified quantity of time.

Learn how to install and configure Fail2Ban with this tutorial on Linuxize.


Miscellaneous

These are some quick specific guides that you should keep in mind if you use any of this software.

Nginx

Nginx has various configuration files, its defaults are pretty good but you might want to take a look at it.

Use this tutorial on Acunetix as a starting point.

There is also this pretty nifty tool by DigitalOcean that allows you to configure Nginx in a visual manner. It includes popular presets, for example for NodeJS and PHP applications.

Apache2

Apache might require more work, as its defaults leak some information about your system.

Start your configuration journey with this tutorial by Tecmint.

PHP

Database

I have used MySQL and MariaDB on the past, by default their ports are opened externally, that shouldn't be allowed, as it is a security risk.

The database should only be allowed from local connections; or if ran externally, by whitelisted IPs.


Recommendations

Dokku

Now that you have your own secure infrastructure, you might want to create applications and services.

Dokku is perfect for that. It allows you to containerize, build and run your applications with a simple git push.

Check out my own tutorial to learn how to set up and use Dokku.

There are some parts that you might want to skip, as they are similar to this tutorial.


End

Useful resources

Self promotion

If you have found this tutorial useful then you should follow me, I will be posting more interesting content! :')

Or support me financially. <3

Credit

Thanks to

  • Any linked website and community for their wonderful tutorials and help

Top comments (2)

Collapse
 
stephendhill profile image
stephen-d-hill

Would be worth using a security auditing tool like cisofy.com/lynis/. You'll be surprised how insecure Ubuntu is just out-of-the-box.

Collapse
 
alejandroakbal profile image
Alejandro Akbal

Lynis sounds like a wonderful tool, I'll try it!

Thank you!