How to Harden and Secure Your Linux Server (Ubuntu/Debian)20 January 2017
Don’t let your server get hacked and lose all your hard work. Here’s a step by step way to harden and secure your Linux server - from networking, to permissions. For simple deployments and tests, check out Digital Ocean, my favorite platforms. Can’t beat $5/mo servers that deploy in less than a minute! By signing up through my link, you are helping extend the life of my servers. Thank you.
Set Your Domain Name Server
First, check out your domain settings from your registrar (Godaddy, Namecheap, etc) and see if the Domain Name Server options are correct. If not, change it to point to your server. For example, if your servers are in Digital Ocean, change the domain servers to: ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com. Note that you still have to configure the network settings in your server provider so that connections will direct to your server IP.
Once you are done, run
whois example.com to see if the “Name Server” key matches the ones you entered. If not, wait an hour or two for the changes to propagate. But don’t worry about that for now - we can do the rest of the process without that.
Configure Your Domain
Note that these options must be done through your server provider. First, add a domain by entering a valid fully qualified domain name that you own, ie:
example.com. Then, add A record to set a host name and CNAME records to add aliases like if you want to prepend “www”. If you need to set up a mail server, add MX Records. Your server provider should have detailed documentations on this.
Login to your Server from your Local Machine
Let’s get to the good stuff. If you are using accessing your server from a web terminal provided by your server provider, you don’t need to do this. If you are going to be accessing your server from your local machine, do this step.
Let’s update Apt-Get
Once you’re in, update apt-get.
Install Fail2Ban to Prevent Active Attacks
fail2ban. The default configurations are enough to cover you, so we’ll just install it. Read more about it if you’d like to customize the service.
apt-get install fail2ban
Installing it should automatically make it run. If not, run
sudo service fail2ban start
Create a New User
Never work under the root user. It is not secure to do so, and you may cause more damage than you would want - if not now, most likely later. So, let’s create a new user with regular privileges. Make sure you enter a strong password.
Add Root Privileges
Let’s add root privileges, or “superuser” privileges to our regular account. This will allow us to run administrative privileges by prepending the word
sudo before each command.
We need to add
jancarloviray to the sudo group. Users who belong to the sudo group are allowed to use the
usermod -aG sudo jancarloviray
An alternative command that does this is
gpasswd -a jancarloviray sudo. They both accomplish the same thing.
If you are not able to add the user to the group immediately, you may have to edit the
/etc/sudoers file to uncomment the group name. Do this by running
Add Public Key Authentication
Set up public key authentication for your new user. This allows us to restrict access by requiring a private SSH key to log in. To do this, you must enter these commands at your local machine
Running that command generates the following files:
Do not share the private key! Now, copy the public key to your new server.
ssh-copy-id -i ~/.ssh/id_rsa.pub jancarloviray@your_server_ip
If you have a mac and you don’t have that command installed, run
brew install ssh-copy-id. If that doesn’t work, then you have to do things manually. It’s a little bit more work, but you’ll be grateful for it. Let’s manually install the key (not recommended!):
# in your local computer, print the contents of your public key cat ~/.ssh/id_rsa.pub # copy that in your clipboard # on your server, switch to the new user # this will bring your to your new user's home directory su - jancarloviray # create .ssh directory and restrict its permission mkdir -p ~/.ssh chmod 700 ~/.ssh # open the authorized_keys file and insert your public key there vim ~/.ssh/authorized_keys # restricts the permission of the authorized_keys chmod 600 ~/.ssh/authorized_keys # exit and go back to the root user exit
Disable Password Authentication
Let’s make sure no one can really enter in your server - except yourself of course! Well, technically, only to those who have access to your local computer. Here, we will disable logging in by password. This means that the only way to enter your server is if you have the private key that pairs with the public key you copied in authorized_keys. We created that in the previous step.
It is very important to note to only do this AFTER you have completed the previous step, otherwise you are forever locked out from the server.
Let’s now edit ssh config:
sudo vim /etc/ssh/sshd_config
Change the line
# PasswordAuthentication yes to
PasswordAuthentication no. Notice that it is now “no” and is uncommented.
Reload the SSH daemon:
sudo systemctl reload sshd
You should now be able to log in without entering password, as long as you have the key.
If you need to troubleshoot:
Run this in server
tail -f /var/log/auth.log and run this in client as you connect
ssh -vvv -i .ssh/id_rsa user@server_ip_or_hostname
Set Up a Basic Firewall
sudo apt-get install ufw
Set up some defaults. These are out-of-the-box settings, but let’s just make sure:
sudo ufw default deny incoming
sudo ufw default allow outgoing
Check out your current services:
sudo ufw app list
Enable the services that you’ll need to have connections on:
sudo ufw allow OpenSSH sudo ufw allow http sudo ufw allow https
If you need to enable certain ports explicitly:
# if you want to allow mail, for example: sudo ufw allow 25 #smtp sudo ufw allow 143 #imap sudo ufw allow 993 #imaps sudo ufw allow 110 #incoming pop3 sudo ufw allow 995 #incoming pop3s
Enable Rate Limiting
sudo ufw limit ssh/tcp
Enable the firewall:
sudo ufw enable
Check the current status of your firewall:
sudo ufw status
That’s all for the basics! Let me know if the comments below if you would like to learn more steps! There is always another step to secure and harden your server!If you have any questions or comments, please post them below. If you liked this post, you can share it with your followers or follow me on Twitter!