In this tutorial, we've covered securing and hardening your dedicated server in Ubuntu 24.04.
When managing a dedicated server, it's critical to secure it against potential threats. This tutorial will guide you through essential steps to secure your dedicated server, including setting up firewalls, using SSH keys, and following best security practices to ensure the safety of your data.
Securing and Hardening Your Dedicated Server Ubuntu
Buy Dedicated Severs New Zealand
1. Keep Your Server Software Up to Date
One of the easiest ways to protect your server is to ensure all software is up to date. Vulnerabilities in outdated software can be exploited by attackers. Here's how to update your software packages:
sudo apt update && sudo apt upgrade -y
It’s recommended to automate this process by enabling automatic security updates.
sudo apt install unattended-upgrades
2. Set Up a Firewall
A firewall is the first layer of defense for controlling incoming and outgoing traffic on your server. Most servers come with a built-in firewall, such as ufw.
Install UFW:
sudo apt install ufw
Set default rules:
sudo ufw default deny incoming
sudo ufw default allow outgoing
Allow SSH (port 22):
sudo ufw allow ssh
Allow other necessary services (e.g., HTTP/HTTPS for web servers):
sudo ufw allow http
sudo ufw allow https
Enable UFW:
sudo ufw enable
3. Disable Root Login via SSH
Directly logging in as root is risky, as it gives full access to your server. To reduce this risk, disable root login over SSH.
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find the line:
PermitRootLogin yes
Change it to:
PermitRootLogin no
Save the file and restart SSH:
sudo systemctl restart sshd
4. Use SSH Keys for Authentication
SSH keys provide a more secure method of logging into your server than password authentication.
On the Client Machine:
Generate an SSH key pair:
ssh-keygen -t rsa -b 4096
Copy the public key to your server:
ssh-copy-id user@server_ip_address
On the Server:
Verify that the key was added:
cat ~/.ssh/authorized_keys
Disable password authentication by editing the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find and change the following line:
PasswordAuthentication yes
to:
PasswordAuthentication no
Save the file and restart the SSH service:
sudo systemctl restart sshd
5. Change the Default SSH Port
Changing the default SSH port (22) can help reduce the chances of automated attacks.
Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find the line:
#Port 22
Change it to a custom port, for example:
Port 2222
Save the file and restart SSH:
sudo systemctl restart sshd
Update your firewall to allow the new port:
sudo ufw allow 2222/tcp
6. Install and Configure Fail2ban
Fail2ban is a service that scans log files and bans IP addresses showing malicious signs such as too many failed login attempts.
Install Fail2ban:
sudo apt install fail2ban
Start and enable Fail2ban:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
To configure Fail2ban, create a local configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
You can now edit /etc/fail2ban/jail.local to configure settings like banning time, retry limits, and more.
7. Regular Backups
Data loss can occur due to security incidents, so regularly back up your server. You can automate backups using tools like rsnapshot, rsync, or cloud-based backup services.
Set up rsnapshot for backups:
sudo apt install rsnapshot
sudo nano /etc/rsnapshot.conf
Modify the backup intervals, directories to back up, and destination.
Automate backups using cron jobs:
sudo crontab -e
Add a cron entry, for example, to perform a daily backup:
0 2 * * * /usr/bin/rsnapshot daily
8. Monitor Server Logs
Monitoring your logs helps identify potential security threats and attacks. Use logwatch or GoAccess for log monitoring.
Installing logwatch
sudo apt install logwatch
Configure it to send daily log summaries via email.
9. Use Intrusion Detection Systems (IDS)
Implement an Intrusion Detection System like AIDE or Tripwire to monitor changes on your system.
sudo apt install aide
sudo aideinit
Regularly scan the system:
sudo aide --check
10. Disable Unnecessary Services
Keep your server lean by disabling services that aren’t necessary for your setup.
List active services:
sudo systemctl list-unit-files --type=service
Disable unnecessary services:
sudo systemctl disable service_name
sudo systemctl stop service_name
11. Enforce Two-Factor Authentication (2FA) for SSH Access
Two-factor authentication (2FA) adds an extra layer of security by requiring both your password (or SSH key) and a one-time code generated by an authenticator app (such as Google Authenticator) to access your server.
Steps to Install and Configure 2FA:
Install the libpam-google-authenticator package:
sudo apt install libpam-google-authenticator
Set up 2FA for the server by running the following command as the user you log in with (usually root or another sudo user):
google-authenticator
Follow the prompts to configure 2FA. Make sure to save the backup codes, as they will allow access if you lose your device.
Enable 2FA in the PAM configuration for SSH: Edit /etc/pam.d/sshd and add the following line at the top:
auth required pam_google_authenticator.so
Edit the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Ensure the following lines are set:
ChallengeResponseAuthentication yes
Restart the SSH service:
sudo systemctl restart sshd
Now, when logging into your server, you'll be required to provide both your password (or SSH key) and the verification code from the Google Authenticator app.
12. Implement Mandatory Access Control (MAC) with SELinux or AppArmor
Mandatory Access Control (MAC) enhances security by enforcing policies that restrict the actions that programs or users can perform.
Using AppArmor
AppArmor is a security module similar to SELinux, but it's easier to configure and is often installed by default on Ubuntu.
Check if AppArmor is enabled:
sudo apparmor_status
Install AppArmor if not installed:
sudo apt install apparmor
Start and enable AppArmor:
sudo systemctl start apparmor
sudo systemctl enable apparmor
Configuring AppArmor Profiles: AppArmor profiles define what resources specific applications can access. You can enforce a restrictive profile for sensitive services like nginx:
sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
Audit and Tune AppArmor: Use the following commands to identify processes that violate their security policies and adjust profiles as necessary:
sudo dmesg | grep "apparmor"
13. Encrypted File System and Data-at-Rest Encryption
Encrypting your server’s storage ensures that even if an attacker gains physical access to your hard drive, they won’t be able to read its contents.
Using LUKS (Linux Unified Key Setup) for Full Disk Encryption:
Install LUKS on your server:
sudo apt install cryptsetup
Encrypt an unused disk or partition: This example shows how to encrypt /dev/sdb:
sudo cryptsetup luksFormat /dev/sdb
Open the LUKS volume:
sudo cryptsetup luksOpen /dev/sdb encrypted_volume
Format the volume with a filesystem:
sudo mkfs.ext4 /dev/mapper/encrypted_volume
Mount the encrypted volume:
sudo mount /dev/mapper/encrypted_volume /mnt
To automatically open the encrypted volume on boot, add it to /etc/crypttab:
encrypted_volume /dev/sdb none luks
Encrypt Sensitive Files Using GPG:
GPG (GNU Privacy Guard) can be used to encrypt sensitive files on your server.
Install GPG:
sudo apt install gnupg
Encrypt a file:
gpg -c sensitive_file.txt
Decrypt the file:
gpg sensitive_file.txt.gpg
14. Implement Network Security Using VPN and Port Knocking
Setting Up a VPN for Secure Remote Access
Using a VPN ensures that all communication between your client and the server is encrypted and secure.
Example: Install OpenVPN
Install OpenVPN:
sudo apt install openvpn
Configure OpenVPN using a secure server certificate by generating keys and certificates, or using prebuilt solutions such as EasyRSA for simpler setup.
Open the VPN port on your firewall:
sudo ufw allow 1194/udp
Port Knocking for SSH
Port knocking is a technique where the server opens a specific port (like SSH) only after a secret sequence of network packets is received. This makes it harder for attackers to identify which ports are open.
Install knockd:
sudo apt install knockd
Configure port knocking by editing /etc/knockd.conf: Define a sequence of ports and actions:
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Start and enable the service:
sudo systemctl start knockd
sudo systemctl enable knockd
To access your server, "knock" the ports from your client:
knock <server_ip> 7000 8000 9000
This technique helps hide your SSH port from automated scanners and attackers.
15. Implement DDoS Protection
Dedicated servers are often targets for Distributed Denial-of-Service (DDoS) attacks. You can mitigate this risk by setting up tools like Fail2Ban, rate-limiting with iptables, or employing cloud-based services such as Cloudflare.
Setting Up iptables Rate Limiting:
Rate-limit incoming connections: This rule allows only 10 SSH connections every minute from a single IP address:
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
Persist the iptables rules:
sudo apt install iptables-persistent
sudo service iptables-persistent save
Conclusion
In this guide, we've covered securing and hardening your dedicated server in Ubuntu 24.04. By following these essential steps, you’ll significantly improve the security of your dedicated server. Regularly monitoring your system and staying up to date with security practices is key to maintaining the safety and integrity of your data.
These advanced topics further enhance the security of your dedicated server by implementing strong authentication, encryption, network security, and proactive defense mechanisms. By combining these methods, you greatly reduce the risk of unauthorized access and ensure the security of your data and applications.
