5 Must Have Security Checks For Your New Ubuntu Server

September 5, 2017 | Technology

You have got your new Ubuntu Server up and running and you’re ready to enjoy all the security features that come with Linux. However, there are still some security checks you need to do before you open it up to the world. You may think your server holds no sensitive data, but the fact is that most website security breaches are not aimed at data theft. They are intended to use your server for various malicious activities such as sending spam mail, serving files of an illegal nature, setting up a temporary web site on your server, etc. Hence securing the server is the most important step before you introduce it to the world. Though securing your server might sound like a daunting operation, below are the 5 Must Have Security Checks For Your New Ubuntu Server that will result in considerable security gains.

  1. Disable root login

“root” is the default admin login, so it is an easy target for SSH scanners. Root is also a dangerous account, since it can literally do anything it wants on the system. It is advisable to log in as a normal user and then run the “su” command, so that root is protected from unauthorized access as much as possible.

By disallowing root logins via SSH, you require 2 passwords for someone to gain root, which doubles the workload for the hacker.

Before we disable root access, we need to create a sudo user which can perform all the critical tasks on the server. Please read my article http://www.anshumanpatro.com/blog/create-new-sudo-user-ubuntu-16-04/ to learn how to create a sudo user.

Once the sudo user is created, go ahead and open /etc/ssh/sshd_config with your favorite editor and change the below line

#PermitRootLogin yes

To

PermitRootLogin no

As you have just changed the config file for sshd, you need to reload the service so that the change takes effect.

sudo systemctl reload sshd

  2. Change ssh port

Remembering the non-standard ssh port can be annoying, but it is highly recommended to change the default port for ssh.

The Secure Shell (SSH) Protocol by default uses port 22.

Changing the default SSH port will stop many automated attacks and make it a bit harder to guess which port SSH is accessible on. This in turn helps to reduce the noise in your log files, as many brute force login attempts only use the default port, or some common alternates such as 222 or 2222, rather than scanning to see if SSH is listening elsewhere.

Before you change anything in sshd_config, let’s take a backup of it to be on the safer side.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup

Now go ahead and open /etc/ssh/sshd_config with your favorite editor and replace the line

Port 22

To

Port 1234

N.B. Replace 1234 with the port you want to use. Just make sure the new SSH port does not conflict with any known or blocked ports.

As you have just changed the config file for sshd, you need to reload the service so that the change takes effect.

sudo systemctl reload sshd

Now log out and try to log in using the new port

ssh <user>@<server> -p 1234

You should be able to login.
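To confirm that the two sshd_config edits above really took effect, the following added example (not part of the original article) reads a config file the way sshd does: the first value of a keyword wins, every Port line adds a listening port, and anything after a Match line is conditional. The function names and the sample file are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: report what sshd will actually use from an sshd_config file.
# Rules applied: keywords are case-insensitive; for most keywords the first
# value found wins; every Port line adds a listening port; lines after a
# Match keyword are conditional, not global.
# Not handled (assumption): Include files and the Keyword=value spelling.

global_values() {   # usage: global_values <keyword> <file>; one value per line
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        NF == 0 || $1 ~ /^#/   { next }   # blank line or comment
        tolower($1) == "match" { exit }   # end of the global section
        tolower($1) == want    { print $2 }
    ' "$2"
}

audit_sshd_config() {   # usage: audit_sshd_config <file>; returns 0 if both checks pass
    audit_status=0
    audit_root=$(global_values PermitRootLogin "$1" | head -n 1)   # first value wins
    audit_ports=$(global_values Port "$1" | tr '\n' ' ')           # all Port lines count
    if [ "$audit_root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${audit_root:-unset, default applies}'"
        audit_status=1
    fi
    case " ${audit_ports:-22} " in
        *" 22 "*) echo "FAIL: sshd still listens on port 22"; audit_status=1 ;;
    esac
    [ "$audit_status" -ne 0 ] || echo "OK: PermitRootLogin=$audit_root Port=$audit_ports"
    return "$audit_status"
}

# Constructed sample: new lines were added, but the stock lines were left in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
Port 1234
#PermitRootLogin yes
PermitRootLogin prohibit-password
PermitRootLogin no
EOF
audit_sshd_config "$sample" || true   # reports both problems for this sample
```

On the server itself, `sudo sshd -T` prints the configuration the daemon resolves and is the authoritative answer; the script above is useful for checking a file before it is deployed.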

  3. Configure Firewall – ufw

UFW, or Uncomplicated Firewall, comes preloaded with Ubuntu. It is a front end to iptables for managing a Linux firewall and aims to provide an easy-to-use interface for the user. Apart from being simple, it also excels at filtering traffic and has good documentation. In this section we will discuss how to allow or deny connections.

To allow a port, you can use the following syntax:

sudo ufw allow <port>/<optional: protocol>

For example, to allow ssh on port 1234, use the below command

sudo ufw allow 1234/tcp

To block a port, you can use the below syntax:

sudo ufw deny <port>/<optional: protocol>

For example, to deny mysql on port 3306, use the below command

sudo ufw deny 3306

Now make sure ssh is allowed, then go ahead and enable the firewall.

sudo ufw enable

To learn more about UFW, you can read the official documentation on https://help.ubuntu.com/community/UFW
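The "make sure ssh is allowed" step can be checked mechanically before the firewall is switched on. This added example (not from the original article) reads the output of `ufw show added`, which lists configured rules even while ufw is inactive, and reports what the first matching rule does to the SSH port; the function names and sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: decide whether enabling ufw would cut off SSH on a given port.
# Input is the text printed by `ufw show added`. Only the simple rule forms
# used in this article are understood:
#   ufw allow|deny|limit|reject <port>[/<protocol>]

ssh_port_verdict() {   # usage: ssh_port_verdict <port> < rules ; prints the verdict
    awk -v port="$1" '
        $1 != "ufw" || NF != 3 { next }        # header line or a longer rule form
        $3 == port || $3 == port "/tcp" {      # SSH runs over TCP
            print $2; decided = 1; exit        # rules are checked in order
        }
        END { if (!decided) print "no-rule" }  # default incoming policy applies
    '
}

safe_to_enable() {     # returns 0 only when the first matching rule lets SSH in
    case "$(ssh_port_verdict "$1")" in
        allow|limit) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample of `ufw show added` output after the commands above.
sample_rules="Added user rules (see 'ufw status' for running firewall):
ufw allow 1234/tcp
ufw deny 3306"

printf '%s\n' "$sample_rules" | safe_to_enable 1234 && echo "1234: safe to enable"
printf '%s\n' "$sample_rules" | safe_to_enable 22   || echo "22: would be blocked"
```

On the server this becomes `sudo ufw show added | safe_to_enable 1234 && sudo ufw enable`, so the firewall is only turned on when the SSH rule is already in place.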

  4. Install SSL

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is essential for protecting your website, even if it doesn’t handle sensitive information like credit cards. It provides privacy, critical security and data integrity for both your websites and your users’ personal information.

Though there are various SSL certificate providers around, I prefer using Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG).

First, add the repository:

sudo add-apt-repository ppa:certbot/certbot

Update repository

sudo apt-get update

Install Certbot

sudo apt-get install python-certbot-apache

Allow https in firewall

sudo ufw allow https

Add ssl certificate

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Once the installation is complete, you can test it at

https://www.ssllabs.com/ssltest/analyze.html?d=www.yourdomain.com&latest

Please visit https://letsencrypt.org/ to learn more.

  5. Disable IPV6

Unless you have a specific need for IPv6, it is better to disable it. Disabling IPv6 increases network performance and reduces the server’s exposure.

Before we begin, let’s take a backup of /etc/sysctl.conf

sudo cp /etc/sysctl.conf /etc/sysctl.conf.backup

Add these 3 lines at the end in /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.default.disable_ipv6 = 1

net.ipv6.conf.lo.disable_ipv6 = 1

Now run sudo sysctl -p to reload the kernel parameters from /etc/sysctl.conf.

To check if IPV6 is disabled or not, run the below command. It should return 1

cat /proc/sys/net/ipv6/conf/all/disable_ipv6
