In this tutorial, we'll learn Linux Server Hardening. Firewalls, SSH security, and user management.
In today's online environment, securing your Linux server is crucial to prevent unauthorized access, safeguard sensitive data, and protect against various cyber threats. This tutorial covers fundamental server hardening steps, including setting up a firewall, securing SSH access, and managing users and permissions effectively.
Prerequisites
Before proceeding, make sure you have the following in place:
- A Linux dedicated server or KVM VPS.
- Root or Sudo Privileges: You should have sudo privileges to install packages and make system-wide changes.
1. Securing Your Server with a Firewall
Firewalls help protect your server by allowing or blocking network traffic based on defined rules. Ubuntu offers two commonly used firewall options: iptables and UFW (Uncomplicated Firewall).
Why UFW?
UFW provides a simpler frontend interface to iptables, making it ideal for beginners.
Install and Enable UFW
Update your package manager and install UFW:
sudo apt update
sudo apt install ufw -y
Check Current UFW Status
Initially, UFW is disabled. Verify the status:
sudo ufw status
Set Default Firewall Policies
Define strict default rules to deny incoming traffic and allow outgoing traffic by default:
sudo ufw default deny incoming
sudo ufw default allow outgoing
Allow Essential Services
Allow SSH (port 22) and HTTP/HTTPS (if hosting websites):
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
Alternatively, specify ports explicitly:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Enable UFW
Activate your firewall:
sudo ufw enable
Confirm with y when prompted.
Verify Firewall Status and Rules
Check configured firewall rules again:
sudo ufw status verbose
You should see the allowed ports and status displayed clearly.
2. Securing SSH Access
SSH is the primary method for managing Linux servers remotely. Securing SSH is crucial to protect from unauthorized attempts.
Step 1: Update and Configure SSH
Update OpenSSH to latest security patches first:
sudo apt update && sudo apt upgrade openssh-server -y
Open SSH configuration file with a text editor (e.g., nano):
sudo nano /etc/ssh/sshd_config
Step 2: Disable Root Login and Change Default Port (Recommended)
Change these lines as follows to enhance security:
Disable root logins:
PermitRootLogin no
Change default SSH port (optional but recommended):
Port 2222
Save file (Ctrl+O, Enter) and exit (Ctrl+X).
Step 3: Set Up Key-Based Authentication
Key-based authentication greatly enhances security compared to passwords alone.
Generate SSH Keys
From your local system (Linux/macOS terminal or Windows PowerShell):
ssh-keygen -t ed25519 -C "your_email@example.com"
Press Enter to accept default path (~/.ssh/id_ed25519).
Optionally, add a strong passphrase for extra security.
Copy Public Key to Server
Replace your_user and your_server_ip:
ssh-copy-id -i ~/.ssh/id_ed25519.pub your_user@your_server_ip -p 2222
After this, your public key is copied to the server.
Step 4: Disable SSH Password Authentication
Once key-based authentication works smoothly, disable passwords entirely:
sudo nano /etc/ssh/sshd_config
Set:
PasswordAuthentication no
ChallengeResponseAuthentication no
Save and exit the editor. Restart SSH service:
sudo systemctl restart sshd
Now your server only accepts key-based SSH login, significantly improving your security posture.
3. User and Permission Management
Proper management of users, groups, and permissions enhances security by limiting access to resources and restricting user privileges appropriately.
Creating New Users
Create a new user (replace username):
sudo adduser username
Enter password and details as prompted.
Granting Sudo Privileges
To grant administrative privileges securely:
sudo usermod -aG sudo username
Verify user groups:
groups username
Managing File Permissions
Linux permissions follow a simple format:
- Owner, Group, Others
- Permissions: read (r), write (w), execute (x)
Check file permissions with ls -l:
ls -l /path/to/file
Output example:
-rw-r--r-- 1 user group 1024 Mar 25 10:00 file.txt
Permission explanation:
- First character indicates file type (- for regular file, d for directory).
- Next three chars: owner’s permissions (rw-).
- Next three chars: group's permissions (r--).
- Last three chars: others' permissions (r--).
Modifying Permissions
Use chmod to alter permissions. Example:
sudo chmod 640 /path/to/file.txt
Explanation of 640:
- Owner (6 = rw-): read, write
- Group (4 = r--): read-only
- Others (0 = ---): no access
File Ownership Management
Change file ownership using chown. Example:
sudo chown username:groupname /path/to/file.txt
Verify changes with:
ls -l /path/to/file.txt
User Removal
Remove unused user accounts to reduce vulnerabilities:
To remove user (without deleting home directory):
sudo deluser username
To remove user along with home directory and files:
sudo deluser --remove-home username
Advanced Linux Server Hardening Tips
1. Configure SSH Two-Factor Authentication (2FA)
Adding two-factor authentication significantly strengthens SSH access security.
Step 1: Install Google Authenticator PAM Module
sudo apt install libpam-google-authenticator -y
Step 2: Configure Google Authenticator for your user:
google-authenticator
Follow the interactive prompts:
Generate a secret key.
Scan the QR code with your mobile Authenticator app (Google Authenticator, Authy, etc.).
Answer prompts carefully:
- Yes to time-based authentication (recommended).
- Yes to disallow multiple uses of same token.
- Yes to restrict rate-limiting and enhance security.
Step 3: Edit SSH configuration
sudo nano /etc/ssh/sshd_config
Add or change these lines:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Save and close (Ctrl+O, then Ctrl+X).
Step 4: Enable PAM module
Edit the PAM file:
sudo nano /etc/pam.d/sshd
Add this line at the bottom:
auth required pam_google_authenticator.so nullok
Restart SSH service:
sudo systemctl restart sshd
Now, SSH logins require SSH key + 2FA token.
2. Advanced Firewall Rules (UFW)
Implement rate limiting to protect against brute-force attacks:
sudo ufw limit ssh
This sets a maximum number of connections per minute to SSH, reducing brute-force login attempts.
GeoIP Blocking with UFW (optional advanced step)
You can block specific countries using GeoIP and iptables (advanced scenario):
Install geoip dependencies:
sudo apt install geoip-bin geoip-database libgeoip1 -y
Create iptables rules to block countries (example):
sudo iptables -I INPUT -m geoip --src-cc CN,RU,KP -j DROP
This example blocks China (CN), Russia (RU), and North Korea (KP).
Note: You must maintain these rules and periodically update the GeoIP database.
3. Kernel and sysctl Hardening
Kernel-level security enhancements help protect against exploits.
Edit sysctl configuration:
sudo nano /etc/sysctl.conf
Add these parameters to strengthen kernel-level security:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests (prevent Smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
# Log suspicious packets
net.ipv4.conf.all.log_martians = 1
# Restrict SYN flood attacks
net.ipv4.tcp_syncookies = 1
# Disable IPv6 if not used
net.ipv6.conf.all.disable_ipv6 = 1
Apply immediately:
sudo sysctl -p
4. SELinux or AppArmor Enforcement
AppArmor is installed by default in Ubuntu and provides mandatory access control (MAC).
Check AppArmor status:
sudo aa-status
Enable AppArmor profiles for critical applications (example with Nginx):
sudo apt install apparmor-utils -y
sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
This confines applications within strict limits, significantly enhancing security.
5. Audit Logging and Intrusion Detection (Auditd & AIDE)
Monitoring critical system changes can help identify breaches.
Install Auditd (audit logs):
sudo apt install auditd -y
sudo systemctl enable auditd
View audit logs:
sudo ausearch -i -m USER_LOGIN,USER_AUTH
AIDE (Advanced Intrusion Detection Environment) monitors file changes:
sudo apt install aide -y
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Run regular checks (via cron job):
sudo aide --check
AIDE reports unexpected file changes (permissions, hashes, timestamps), signaling potential compromise.
6. Fail2Ban Advanced Configuration
Customize Fail2Ban rules to protect other services (like SSH, Nginx, Apache):
Example: SSH brute-force protection:
Edit jail config:
sudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
Restart Fail2Ban:
sudo systemctl restart fail2ban
Fail2Ban will now block IPs failing SSH login attempts more aggressively.
7. Secure /tmp Directory
The /tmp directory is writable by everyone and can be misused for malicious activity. Secure it by mounting with restricted permissions:
Edit /etc/fstab:
sudo nano /etc/fstab
Add this line:
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0
Mount immediately without reboot:
sudo mount -o remount /tmp
Now, scripts cannot execute directly from /tmp.
8. Use VPN or Private Network for Server Management
Instead of exposing SSH directly, consider limiting SSH access through a VPN or private network. WireGuard is a simple yet secure VPN solution:
Install WireGuard:
sudo apt install wireguard -y
Configure WireGuard to allow SSH only from VPN-assigned IP addresses. Then block public SSH entirely, adding an additional strong layer of security.
Conclusion
By following these foundational steps—firewall configuration (UFW), secure SSH management, and disciplined user and permission practices—you significantly increase your Ubuntu server's security. Consistently apply updates, monitor logs, and maintain regular backups to ensure ongoing resilience and security.
Implementing these advanced security steps, along with consistent monitoring and proactive threat management, creates robust defense layers. Combined with basic security practices, these advanced hardening tips significantly reduce vulnerabilities and protect your Ubuntu-based Linux server against sophisticated and emerging threats.
