How to set up and secure Ubuntu Server 18.04 in 6 steps
Setup secure Ubuntu 18.04
1. Login to the server
Log in to your Ubuntu instance as the root user (replace your_server_ip with the address of your server):
$ ssh root@your_server_ip
2. Create a new user
If the only user on your Ubuntu instance is root, first create a sudo user to avoid doing all the work as root and making inadvertent mistakes. We will use the adduser command to create the user; useradd can also be used, but it is not as user friendly. Don't forget to replace ubuntu with the user name that you want to create. It is recommended to use a non-standard username that a hacker won't be able to guess easily, as automated attacks generally try root, admin or even ubuntu, etc.:
$ adduser ubuntu
You will be prompted to set and confirm the new user password. Make sure that the password for the new account is as strong as possible.
output:
Adding user `ubuntu' ...
Adding new group `ubuntu' (1001) ...
Adding new user `ubuntu' (1001) with group `ubuntu' ...
Creating home directory `/home/ubuntu' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Once you set the password, the command creates a home directory for the user, copies several configuration files into the home directory, and prompts you to set the new user's information. If you want to leave all of this information blank, just press ENTER to accept the defaults.
Changing the user information for ubuntu
Enter the new value, or press ENTER for the default
Full Name []: Ubuntu User
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
3. Give sudo privileges to user
On Ubuntu systems, members of the group sudo are granted sudo access by default. To add the ubuntu user you created to the sudo group, use the usermod command:
$ usermod -aG sudo ubuntu
4. Passwordless SSH for security
Logging in to the server over SSH with password authentication is cumbersome and inherently insecure. You have to enter the password each time you log in, so people become lazy and start using simple passwords, which makes the system even less secure. A much better way is to log in using public keys, which makes the whole login process simple, secure and convenient.
If you are logged in to the server, log out first.
$ exit
Then, assuming that you have already generated a public-private key pair on the machine that you use to log in to the server, copy your public key to the server. If you have not generated a key pair yet, search the internet on how to generate it.
$ ssh-copy-id ubuntu@your_server_ip
It will ask for your ubuntu user password. Once you provide it, the public key will be installed on the server. From now on, any time you want to log in to the server, you can use
$ ssh ubuntu@your_server_ip
and you will be able to log in to the remote server over SSH without a password.
5. Allow sudoers to use sudo without a password
The issue with passwordless SSH, i.e. SSH key login, is that you still need to enter the user password whenever you run a command that requires sudo. To fix this, use
$ sudo visudo
and then replace the line
%sudo ALL=(ALL:ALL) ALL
with
%sudo ALL=(ALL) NOPASSWD:ALL
in that file.
6. Disable root SSH login
To increase security, you should disable the ability of the root user to log in over SSH, as hackers often try to guess the root password using automated attacks that try many thousands of passwords in a very short time.
So edit /etc/ssh/sshd_config and disable root login and password authentication.
$ sudo nano /etc/ssh/sshd_config
and change the following
PasswordAuthentication yes
PermitRootLogin yes
to
PasswordAuthentication no
PermitRootLogin no
Save the file and restart the SSH service:
$ sudo service ssh restart
For extra security you can also change the port on which you connect to SSH. By default port 22 is used for SSH, but you can change this to something else in /etc/ssh/sshd_config. Change
Port 22
to
Port 1022
or some other port that you prefer. Just make sure to open that new port in UFW as described next.
Important
Make sure your SSH port is below 1024 (but still not 22). Only root can bind to ports below 1024, so if you are ever compromised and your original port is configured above 1024, a bad user may be able to crash sshd and run their own rogue sshd as a non-root user.
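To check the result of step 6 before restarting SSH, the script below (an added example, not part of the original tutorial) audits an sshd_config file for the three settings recommended above. The function names sshd_values and audit_sshd_config and the sample files are constructed for illustration; the script reads a single file and only looks at global settings, not those inside Match blocks.

```bash
#!/usr/bin/env bash
# Added example: file-only audit of sshd_config against the step 6 settings.

# Print the global value(s) of a keyword. Keywords are case-insensitive, comment
# lines are skipped, and parsing stops at the first Match block because settings
# inside it are conditional. $1=file $2=keyword $3=default if absent $4=first|all
sshd_values() {
  awk -F'[ \t=]+' -v key="$2" -v def="$3" -v mode="$4" '
    { sub(/^[ \t]+/, "") }
    /^#/ || /^$/                { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1
                                  if (mode == "first") exit }
    END { if (!found) print def }
  ' "$1"
}

# Print one FAIL line per deviation; return 0 only when every check passes.
audit_sshd_config() {
  local cfg="$1" rc=0 pw root port
  # sshd keeps the first value it reads for these two keywords.
  pw=$(sshd_values "$cfg" PasswordAuthentication yes first)
  root=$(sshd_values "$cfg" PermitRootLogin prohibit-password first)
  [ "$pw" = "no" ]   || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
  [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
  # Port may appear several times and sshd listens on all of them.
  for port in $(sshd_values "$cfg" Port 22 all); do
    case "$port" in
      *[!0-9]*) echo "FAIL Port=$port (not a number)"; rc=1 ;;
      *) if [ "$port" -eq 22 ] || [ "$port" -ge 1024 ]; then
           echo "FAIL Port=$port (want a port below 1024 other than 22)"; rc=1
         fi ;;
    esac
  done
  return "$rc"
}

# Constructed sample files: the tutorial's "before" and "after" settings.
demo_dir=$(mktemp -d)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
  > "$demo_dir/before"
printf '%s\n' 'Port 1022' 'PermitRootLogin no' 'PasswordAuthentication no' \
  > "$demo_dir/after"
audit_sshd_config "$demo_dir/before" || echo "before: needs hardening"
audit_sshd_config "$demo_dir/after" && echo "after: matches step 6"
```

On the server itself, run audit_sshd_config /etc/ssh/sshd_config and then sudo sshd -t, which makes sshd validate the file before you restart the service. Keep your current SSH session open until a new key-based login succeeds, so a mistake cannot lock you out.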
Enable UFW
UFW (Uncomplicated Firewall) is a basic firewall that works very well and is easy to configure.
- Normally UFW is included in the default Ubuntu distribution. But just in case it is not installed, you can install it with:
$ sudo apt install ufw
- Allow SSH services
$ sudo ufw allow ssh
- or the new ssh port if you changed it above
$ sudo ufw allow 1022
- You can also open any other ports that you need
$ sudo ufw allow http
$ sudo ufw allow https
- Enable the firewall
$ sudo ufw enable
- Check the status of the firewall.
$ sudo ufw status verbose