Ubuntu Server Security
Introduction
Security is a critical aspect of server administration, especially for systems that are publicly accessible or host sensitive data. Ubuntu Server provides a robust foundation for building secure systems, but proper configuration and maintenance are essential to protect against threats. This guide will walk you through the fundamental security concepts and practical steps to secure your Ubuntu Server deployment.
Why Security Matters
An insecure server can be compromised, leading to:
- Data theft or loss
- Service disruptions
- Use of your server resources for malicious purposes (crypto mining, botnet participation, etc.)
- Damage to your reputation
- Potential legal and financial consequences
By implementing proper security measures from the beginning, you significantly reduce these risks.
Security Updates and Patching
Keeping Your System Updated
Regular updates are your first line of defense against security vulnerabilities. Ubuntu's package management system makes this process straightforward.
# Update package lists
sudo apt update
# Install available updates
sudo apt upgrade
# Alternative: combine both commands
sudo apt update && sudo apt upgrade -y
For kernel updates, you'll need to reboot your system:
sudo apt full-upgrade
sudo reboot
Enabling Automatic Security Updates
For servers where manual updates aren't always feasible, configure automatic security updates:
# Install the unattended-upgrades package
sudo apt install unattended-upgrades
# Enable automatic updates
sudo dpkg-reconfigure unattended-upgrades
You can customize the behavior by editing /etc/apt/apt.conf.d/50unattended-upgrades. For example, to automatically reboot when necessary:
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
User and Authentication Security
Password Policies
Enforce strong password policies to protect user accounts:
- Install the password quality checking library:
sudo apt install libpam-pwquality
- Edit the PAM configuration:
sudo nano /etc/pam.d/common-password
- Add or modify the password requirement line:
password requisite pam_pwquality.so retry=3 minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root
This configuration:
- Requires passwords to be at least 12 characters long
- Requires uppercase, lowercase, digit, and special characters
- Prevents using the username in the password
- Applies these rules to the root user as well
SSH Security
Secure Shell (SSH) is the primary method for remote administration. Securing it is crucial:
- Edit the SSH configuration:
sudo nano /etc/ssh/sshd_config
- Make these recommended changes:
# Use protocol 2 only
Protocol 2
# Disable root login
PermitRootLogin no
# Restrict access to specific users
AllowUsers your_username
# Use public key authentication instead of passwords
PasswordAuthentication no
# Change default port (optional but recommended)
Port 2222
# Disable empty passwords
PermitEmptyPasswords no
# Set idle timeout interval
ClientAliveInterval 300
ClientAliveCountMax 2
- Restart SSH to apply changes:
sudo systemctl restart sshd
Setting Up SSH Key Authentication
SSH keys provide stronger security than passwords:
- Generate an SSH key pair on your client machine:
ssh-keygen -t ed25519 -C "[email protected]"
- Copy your public key to the server:
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server_ip
- After confirming key-based login works, disable password authentication as shown above.
Firewall Configuration
Configuring UFW (Uncomplicated Firewall)
Ubuntu includes UFW, a user-friendly interface for managing iptables:
- Install UFW if not already present:
sudo apt install ufw
- Set up basic rules:
# Deny all incoming traffic by default
sudo ufw default deny incoming
# Allow all outgoing traffic
sudo ufw default allow outgoing
# Allow SSH (adjust port if you changed it)
sudo ufw allow 22/tcp
# Allow other services as needed (examples)
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
- Enable the firewall:
sudo ufw enable
- Check status:
sudo ufw status verbose
Example output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
Configuring Fail2Ban to Prevent Brute Force Attacks
Fail2Ban monitors log files and temporarily bans IP addresses that show malicious signs:
- Install Fail2Ban:
sudo apt install fail2ban
- Create a local configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
- Configure SSH protection:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
- Start the service:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
- Check its status:
sudo fail2ban-client status sshd
Example output:
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
System Hardening
Secure Shared Memory
The /run/shm is a temporary file storage that can be used to access shared memory segments. Secure it by adding to /etc/fstab:
sudo nano /etc/fstab
Add this line:
tmpfs /run/shm tmpfs defaults,noexec,nosuid,nodev 0 0
Disable Unused Services
Minimize attack surface by disabling unnecessary services:
# List running services
systemctl list-units --type=service --state=running
# Disable an unused service
sudo systemctl stop service_name
sudo systemctl disable service_name
Restrict Access to Cron
Limit who can schedule tasks:
sudo nano /etc/cron.allow
Add only users who need cron access. All others will be automatically denied.
Set Up Process Accounting
Monitor user activities by enabling process accounting:
sudo apt install acct
sudo touch /var/log/wtmp
sudo accton /var/log/wtmp
View user activity:
sudo lastcomm username
File System Security
Implement Disk Quotas
Prevent disk space abuse by setting up quotas:
- Install quota tools:
sudo apt install quota
- Modify
/etc/fstabto enable quotas. Addusrquota,grpquotato the mount options:
UUID=xxxxx / ext4 defaults,usrquota,grpquota 0 1
- Remount and create quota database:
sudo mount -o remount /
sudo quotacheck -ugm /
sudo quotaon -v /
- Set quotas for users:
sudo setquota -u username 5000000 6000000 0 0 /
This sets a soft limit of approximately 5GB and a hard limit of 6GB.
Configure AppArmor
AppArmor provides Mandatory Access Control (MAC) for programs:
- Verify AppArmor is running:
sudo aa-status
- Install AppArmor utilities:
sudo apt install apparmor-utils
- List profiles:
sudo aa-status
- Set a profile to enforce mode:
sudo aa-enforce /path/to/profile
Network Security
TCP Wrappers
Control access to services based on hostname or IP address:
- Edit the hosts.allow file to specify allowed connections:
sudo nano /etc/hosts.allow
Add rules like:
sshd: 192.168.1.0/24 10.0.0.0/8
- Deny all other connections in hosts.deny:
sudo nano /etc/hosts.deny
Add:
ALL: ALL
IP Spoofing Protection
Edit /etc/host.conf:
sudo nano /etc/host.conf
Ensure it contains:
order bind,hosts
nospoof on
Security Monitoring and Intrusion Detection
Install and Configure Audit Daemon
Audit daemon logs system calls and file accesses:
sudo apt install auditd
sudo systemctl enable auditd
sudo systemctl start auditd
Create a basic audit rule:
sudo nano /etc/audit/rules.d/audit.rules
Add rules like:
# Monitor changes to authentication configuration
-w /etc/pam.d/ -p wa -k auth_changes
-w /etc/nsswitch.conf -p wa -k auth_changes
# Monitor system user/group changes
-w /etc/passwd -p wa -k user_changes
-w /etc/group -p wa -k group_changes
-w /etc/shadow -p wa -k shadow_changes
Restart the service:
sudo systemctl restart auditd
Install AIDE (Advanced Intrusion Detection Environment)
AIDE monitors file changes on your system:
sudo apt install aide
Initialize the database:
sudo aideinit
This will take some time as it creates checksums of files.
Configure daily checks by editing /etc/default/aide:
sudo nano /etc/default/aide
Set:
CRON_DAILY_RUN=yes
Set Up Logwatch for Log Monitoring
Logwatch summarizes log activity:
sudo apt install logwatch
Configure it to email daily reports:
sudo nano /etc/cron.daily/00logwatch
Modify the script to include:
/usr/sbin/logwatch --output mail --mailto [email protected] --detail high
Security Best Practices Visualization
Here's a visualization of the layered security approach:
Summary
Securing an Ubuntu Server involves multiple layers of protection:
- Keep your system updated to patch known vulnerabilities
- Implement strong authentication policies and SSH hardening
- Configure a firewall to control incoming and outgoing traffic
- Disable unnecessary services to reduce attack surface
- Monitor system activities and detect intrusions
- Regularly audit your security measures to ensure they remain effective
Remember that security is an ongoing process, not a one-time setup. Regular reviews and updates to your security posture are essential to maintain protection against evolving threats.
Additional Resources
- Ubuntu Server Guide - Security
- Center for Internet Security (CIS) Benchmarks
- NIST Special Publication 800-123: Guide to General Server Security
Exercises
- Set up SSH key-based authentication and disable password authentication.
- Configure UFW to allow only necessary services.
- Install and configure Fail2Ban with custom jails for services you're running.
- Create a security update schedule and documentation process.
- Perform a security audit using
lynis(install withsudo apt install lynis).
If you spot any mistakes on this website, please let me know at [email protected]. I’d greatly appreciate your feedback! :)