How to set up and secure Ubuntu Server 18.04 in 6 steps
Setup secure Ubuntu 18.04
1. Login to the server
Login to your ubuntu instance as the
$ ssh [email protected]
2. Create a new user
If the only user on your Ubuntu instance is root, first create a sudo user to avoid doing all the work as root and making inadvertent mistakes. We will use the adduser command to create the user; useradd can also be used, but it is not as user-friendly. Don’t forget to replace ubuntu with the user name that you want to create. It is recommended to use a non-standard username that a hacker won’t be able to guess easily, as they generally try admin or even ubuntu, etc. using automated attacks:
$ adduser ubuntu
You will be prompted to set and confirm the new user password. Make sure that the password for the new account is as strong as possible.
output:
Adding user `ubuntu' ...
Adding new group `ubuntu' (1001) ...
Adding new user `ubuntu' (1001) with group `ubuntu' ...
Creating home directory `/home/ubuntu' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Once you set the password, the command will create a home directory for the user, copy several configuration files into the home directory, and prompt you to set the new user’s information. If you want to leave all of this information blank, just press ENTER to accept the defaults.
Changing the user information for ubuntu
Enter the new value, or press ENTER for the default
Full Name : Ubuntu User
Room Number :
Work Phone :
Home Phone :
Other :
Is the information correct? [Y/n] y
sudo privileges to user
On Ubuntu systems, members of the sudo group are granted sudo access by default. To add the ubuntu user you created to the sudo group, use the usermod command:
$ usermod -aG sudo ubuntu
4. Passwordless SSH for security
Logging in to the server over SSH with password authentication is cumbersome and inherently insecure: you have to enter the password each time you want to log in, so people become lazy and start using simple passwords, which makes the system more insecure. A much better way is to log in using public keys, which makes the whole login process simple, secure and convenient.
If you are logged in to the server, log out first.
Then, assuming that you have already generated a public-private key pair on the machine that you are using to log in to the server, copy your public key to the server. If you haven’t generated the key pair, search the internet on how to generate it.
$ ssh-copy-id [email protected]
It will ask for your ubuntu user password; once provided, the public key will be installed on the server. From now on, anytime you want to log in to the server, you can use
$ ssh [email protected]
and you will be able to log in to the remote server over SSH without a password.
5. Allow Sudoers users to use sudo without password
The issue with passwordless SSH, i.e. SSH key login, is that you still need to enter the user password when you want to run any command that requires sudo. To fix this use
$ sudo visudo
and then replace the line
%sudo ALL=(ALL:ALL) ALL
with
%sudo ALL=(ALL) NOPASSWD:ALL
in that file.
root SSH login
To increase security, you should disable the ability of the root user to log in using SSH, as hackers often try to guess the root password using automated attacks that try many thousands of passwords in a very short time.
Open /etc/ssh/sshd_config and disable root login and password authentication.
$ sudo nano /etc/ssh/sshd_config
and change the following
Save the file and restart the SSH service:
$ sudo service ssh restart
For extra security you can also change the port on which you connect to SSH. By default port 22 is used for SSH, but you can change this to something else in
or some other port that you prefer. Just make sure to open that new port in UFW as described next.
Make sure your SSH port is below 1024 (but still not 22). The reason is that if you are ever compromised, a bad user may be able to crash sshd and run their own rogue sshd as a non-root user, since your original port is configured >1024.
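A check for the sshd_config changes described above, added here as an example and not part of the original guide: it reports whether root login and password authentication are disabled and whether the port follows the advice above. The function names and the sample config are constructed; it assumes the standard sshd_config keywords PermitRootLogin, PasswordAuthentication and Port, with OpenSSH 7.x defaults when a keyword is absent.

```sh
#!/bin/sh
# Added example, not from the original guide: audit an sshd_config-style file
# for the settings this section describes. The sample config is constructed.

# Print every global value of keyword $1 in file $2, lowercased, in file order.
# Keywords are case-insensitive; Match blocks are not evaluated here.
sshd_values() {
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }      # accept "Keyword=value" as well
        tolower($1) == "match" { exit }    # global section ends at first Match
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$2"
}

# Print one finding per line for file $1; no output means every check passed.
audit_sshd_config() {
    # sshd keeps the FIRST value it reads for these keywords, so later
    # duplicates are ignored; absent keywords fall back to OpenSSH defaults.
    root=$(sshd_values PermitRootLogin "$1" | head -n 1)
    pass=$(sshd_values PasswordAuthentication "$1" | head -n 1)
    ports=$(sshd_values Port "$1")         # Port may legitimately repeat
    root=${root:-prohibit-password} pass=${pass:-yes}
    [ "$root" = no ] || echo "FAIL PermitRootLogin is '$root', expected 'no'"
    [ "$pass" = no ] || echo "FAIL PasswordAuthentication is '$pass', expected 'no'"
    for port in ${ports:-22}; do
        if [ "$port" -eq 22 ] || [ "$port" -ge 1024 ]; then
            echo "NOTE sshd listens on port $port (guide: below 1024, not 22)"
        fi
    done
}

# Constructed sample: the second PasswordAuthentication line has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 1022
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
EOF
audit_sshd_config "$sample"   # prints only the PasswordAuthentication finding
rm -f "$sample"
```

On the server, call audit_sshd_config /etc/ssh/sshd_config and run sudo sshd -t to check the syntax before restarting the service. Keep your current session open until a new key-based login succeeds.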
UFW (Uncomplicated Firewall) is a basic firewall that works very well and is easy to configure.
- Normally UFW is included in the default Ubuntu distribution. But just in case it is not installed, you can install it with:
$ sudo apt install ufw
- Allow SSH services
$ sudo ufw allow ssh
- Or the new SSH port if you changed it above
$ sudo ufw allow 1022
- You can also open any other ports that you need
$ sudo ufw allow http
$ sudo ufw allow https
- Enable the firewall
$ sudo ufw enable
- Check the status of the firewall.
$ sudo ufw status verbose