How to Protect Your Ubuntu Server

How to Protect Your Ubuntu Server

Comprehensive Strategies to Secure Your Ubuntu Server

Ubuntu, one of the most popular Linux distributions, is widely used for server environments due to its stability, ease of use, and strong security features. However, like any server, Ubuntu requires proper configuration and regular maintenance to ensure it remains secure. This blog will guide you through essential steps to protect your Ubuntu server from potential threats.

1. Keep Your System Updated

The first line of defense against vulnerabilities is keeping your system updated. Ubuntu releases updates regularly, including security patches and bug fixes.

How to Update Your System:

  • Update Package List and Upgrade Packages:

      sudo apt update
      sudo apt upgrade
  • Upgrade Distribution:

    To upgrade to a new release of Ubuntu, use:

      sudo apt dist-upgrade
  • Automate Updates:

    For critical security updates, you can enable automatic updates:

      sudo apt install unattended-upgrades
      sudo dpkg-reconfigure --priority=low unattended-upgrades

2. Secure SSH Access

SSH (Secure Shell) is commonly used to access your server remotely. Securing SSH is crucial to protect your server from unauthorized access.

Steps to Secure SSH:

  • Change Default SSH Port:

    Edit the SSH configuration file to use a non-standard port.

      sudo nano /etc/ssh/sshd_config

    Change the Port line to a number other than 22 (e.g., Port 2222).

  • Disable Root Login:

    Prevent direct root login via SSH by setting PermitRootLogin to no.

      PermitRootLogin no
  • Use Key-Based Authentication:

    Generate SSH keys and copy the public key to your server.

      ssh-copy-id user@server_ip
  • Install Fail2Ban:

    Protect against brute-force attacks by installing Fail2Ban.

      sudo apt install fail2ban

    Configure Fail2Ban by editing the jail configuration file:

      sudo nano /etc/fail2ban/jail.local

3. Configure a Firewall

A firewall helps block unauthorized access to your server while allowing legitimate traffic.

Using UFW (Uncomplicated Firewall):

  • Install UFW:

      sudo apt install ufw
  • Enable UFW:

      sudo ufw enable
  • Allow Essential Services:

    For example, allow SSH and HTTP/HTTPS:

      sudo ufw allow ssh
      sudo ufw allow http
      sudo ufw allow https
  • Check UFW Status:

      sudo ufw status

4. Manage User Permissions

Limiting user permissions reduces the risk of accidental or malicious changes to your server.

Steps to Manage Permissions:

  • Create Non-Root Users:

    Instead of using the root account, create separate user accounts for different tasks.

      sudo adduser username
  • Grant Sudo Access Carefully:

    Only grant sudo access to users who need it. Edit the sudoers file with:

      sudo visudo
  • Add a user with specific privileges:

      username ALL=(ALL) NOPASSWD: /usr/bin/command

5. Use Strong Passwords

Ensure all user accounts, especially those with sudo privileges, use strong, unique passwords.

Steps to Enforce Strong Passwords:

  • Install and Configure pam_pwquality:

      sudo apt install libpam-pwquality
  • Edit the configuration file:

      sudo nano /etc/security/pwquality.conf
  • Set parameters to enforce strong passwords:

      minlen = 12
      minclass = 4

6. Regular Backups

Regular backups are essential for recovering from data loss or corruption.

Backup Solutions:

  • Use rsync for File Backups:

      rsync -av /source/directory /destination/directory
  • Automate Backups with cron:

    Set up cron jobs to automate backups.

      crontab -e
  • Add a cron job for daily backups:

      0 2 * * * rsync -av /source/directory /destination/directory

7. Monitor System Logs

Monitoring system logs helps detect and respond to suspicious activity.

Log Management Tools:

  • Use logwatch:

      sudo apt install logwatch

    Configure logwatch to get daily summaries of log activity.

  • Install fail2ban for Log Monitoring:

    Fail2Ban also helps monitor logs for suspicious activity and block offending IPs.

8. Security Audits

Regular security audits help identify and address vulnerabilities.

Audit Tools:

  • Use Lynis for Security Audits:

      sudo apt install lynis
      sudo lynis audit system

    Lynis will provide recommendations for hardening your system.

9. Use Security Tools

Enhance your server's security with additional tools.

  • rkhunter for Rootkit Detection:

      sudo apt install rkhunter
      sudo rkhunter --update
      sudo rkhunter --check
  • chkrootkit for Rootkit Detection:

      sudo apt install chkrootkit
      sudo chkrootkit

10. Set Up a VPN

A VPN (Virtual Private Network) encrypts your internet traffic and allows secure remote access to your server. Setting up a VPN adds an additional layer of security by ensuring that only authorized users can access your server remotely.

Setting Up OpenVPN on Ubuntu:

  1. Install OpenVPN and Easy-RSA:

     sudo apt update
     sudo apt install openvpn easy-rsa
  2. Configure Easy-RSA:

    Create a directory for Easy-RSA and copy the necessary files.

     make-cadir ~/openvpn-ca
     cd ~/openvpn-ca
  3. Edit the Variables File:

    Edit the vars file to set up the certificate authority.

     nano vars

    Update the settings (e.g., KEY_COUNTRY, KEY_PROVINCE, etc.) as needed.

  4. Build the CA and Server Certificates:

    Initialize the PKI and build the CA.

     source vars

    Build the server certificate and key.

     ./build-key-server server

    Generate Diffie-Hellman parameters.


    Generate an HMAC signature to strengthen the server's TLS integrity.

     openvpn --genkey --secret keys/ta.key
  5. Configure the OpenVPN Server:

    Copy the sample server configuration and edit it.

     sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
     sudo gzip -d /etc/openvpn/server.conf.gz
     sudo nano /etc/openvpn/server.conf

    Adjust the configuration as needed (e.g., update paths to certificates and keys).

  6. Start and Enable OpenVPN Service:

     sudo systemctl start openvpn@server
     sudo systemctl enable openvpn@server
  7. Configure Firewall Rules:

    Allow VPN traffic through the firewall.

     sudo ufw allow 1194/udp

    Enable IP forwarding by editing /etc/sysctl.conf.

     sudo nano /etc/sysctl.conf

    Uncomment the line net.ipv4.ip_forward=1 and apply the changes.

     sudo sysctl -p
  8. Create Client Configuration:

    Generate client certificates and configure client files.

    Copy the necessary files to your client machine and configure the OpenVPN client to use them.

Connect to the VPN:

To connect to the VPN from a client machine, import the client configuration file into the OpenVPN client software and connect.

Protecting your Ubuntu server involves a combination of keeping your system updated, securing access, managing user permissions, enforcing strong passwords, regularly backing up data, and adding a VPN for secure remote access. By following these best practices and utilizing the recommended tools, you can significantly enhance the security of your Ubuntu server and safeguard it against potential threats.

Regularly review and update your security practices to stay ahead of evolving threats. With a proactive approach, you can maintain a secure and reliable Ubuntu server environment.