Introduction
This tutorial will help you to set up a secure Ubuntu server from scratch.
Keep in mind that this is not a common tutorial, this is the culmination of all the knowledge I have gathered from managing my own servers for more than three years.
Before we start
Preface
While this tutorial is focused on Ubuntu 20.04, it can be used for many other versions, like 18.04 and 16.04. As they are very similar.
Requisites
- An Ubuntu server
- Access to your server
It doesn't matter if your server is hosted on DigitalOcean, Google Cloud Engine or Amazon Web Services, Ubuntu should be the same.
Requisite info
If you don't have a server you might want to look at the Useful resources step.
Updates
The first and probably most important step is to always keep the system up-to-date. To do so just open the terminal to update and upgrade the packages via apt.
sudo apt update # Update package information
sudo apt full-upgrade -y # Upgrade packages
sudo apt autoremove -y # Remove unnecessary packages
# One liner
sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y
Automatic updates
Now that the packages are updated, we should install an automated solution to keep the system always up-to-date.
This tutorial on Linuxize will help you install and configure the unattended-upgrades package, which is exactly what is needed.
New user
Using the default super user root is always bad practice, it does everything with the maximum level of permissions, allowing you to break anything; and more critically... Access to anything on the system.
Instead, we should use a normal user with super user privileges. This tutorial on DigitalOcean will guide you to do that.
SSH credentials
Now that you have a new user with super user privileges, you might want to SSH in your server with it, but might find that you can't.
This is because the credentials were stored on the user you were using before, most likely root. Just SSH again with the previous user and copy the credentials to the new user with the rsync utility package.
Follow the 5th step of this tutorial on DigitalOcean to do so.
SSHD
SSHD manages the SSH connections to the server. Its default configuration is good but some changes must be made, like disabling the root user login and changing the default SSH port.
Follow the first step of this tutorial on DigitalOcean to learn how to configure SSHD.
It is recommended that you change the default
SSHport
UFW
UFW is Ubuntu's default firewall and is extremely useful. By default it allows http and ssh connections, depending of your use case you might not need some of those rules.
Check out this tutorial on DigitalOcean to learn how to configure UFW.
If you changed the
SSHport on an earlier step, you might want to create a new UFW rule for that port.
Fail2Ban
Fail2Ban protects you from brute-force attacks. It bans bad actors from accessing the server for a specified quantity of time.
Learn how to install and configure Fail2Ban with this tutorial on Linuxize.
Miscellaneous
These are some quick specific guides that you should keep in mind if you use any of this software.
Nginx
Nginx has various configuration files, its defaults are pretty good but you might want to take a look at it.
Use this tutorial on Acunetix as a starting point.
There is also this pretty nifty tool by DigitalOcean that allows you to configure Nginx in a visual manner. It includes popular presets, for example for NodeJS and PHP applications.
Apache2
Apache might require more work, as its defaults leak some information about your system.
Start your configuration journey with this tutorial by Tecmint.
PHP
Database
I have used MySQL and MariaDB on the past, by default their ports are opened externally, that shouldn't be allowed, as it is a security risk.
The database should only be allowed from local connections; or if ran externally, by whitelisted IPs.
- Learn how to configure MySQL with this tutorial on DigitalOcean.
- Learn how to configure MariaDB with this tutorial on DigitalOcean.
Recommendations
Dokku
Now that you have your own secure infrastructure, you might want to create applications and services.
Dokku is perfect for that. It allows you to containerize, build and run your applications with a simple git push.
Check out my own tutorial to learn how to set up and use Dokku.
There are some parts that you might want to skip, as they are similar to this tutorial.
End
Useful resources
- How to get a free Google server forever, a perfect test environment for this tutorial.
- How to get 2x Oracle Cloud servers free forever, a more powerful alternative to the free GCE server.
- Create your own Heroku with Dokku on DigitalOcean, a guide to deploy your applications to your now-secure server.
Self promotion
If you have found this tutorial useful then you should follow me, I will be posting more interesting content! :')
Or support me financially. <3
Credit
Thanks to
- Any linked website and community for their wonderful tutorials and help
Top comments (2)
Would be worth using a security auditing tool like cisofy.com/lynis/. You'll be surprised how insecure Ubuntu is just out-of-the-box.
Lynis sounds like a wonderful tool, I'll try it!
Thank you!