Linux is considered to be the most secure Operating System(OS). The open-source OS was built with unrivaled security in mind. Security experts from different Linux distributions react very fast to fix discovered threats and vulnerabilities.
Unlike Windows, Linux was built as a multi-user system from the beginning. Security best practices were followed since its innovation to segregate user files. Most applications run very far from the Kernel that controls the server.
However, no system is 100% secure. If you are using a Linux distribution such as Ubuntu 16.04, you need to follow the industry’s best practices to keep your system up to date and tighten your server’s security.
Here is a Linux server security checklist that you can use on your Ubuntu 16.04 virtual private server to protect your system if you are wondering how to secure your Linux server.
- A Virtual Private server running Ubuntu 16.04 .
Tip 1: Update your System Frequently
Hackers take advantage of non-patched operating systems. To avoid becoming a victim; update your Linux system frequently using the command below.
sudo apt update && sudo apt upgrade
Tip 2: Create a Non-root User with sudo Privileges
Login on your Ubuntu server with super-user privileges can cause a lot of harm to your VPS server. It is always recommended to login to a system with limited privileges and only elevate the privileges when a task requires administrative rights.
To create a non-root user with sudo privileges, type the command below on your terminal. Replace the example_user with your preferred username
# adduser example_user
You will be prompted to enter the full details of the user including a password.
Next, you need to add the newly created user to the sudo group. Replace the example_user with your preferred username
# adduser example_user sudo
Tip 3: Create an Authentication Key Pair
Due to increased modern computing power, malicious attackers with unlimited access to your servers SSH port may try to brute-force your password to gain access to your system.
Using a public/private key pair for logging on your system is one of the best Linux server hardening tricks.
You can simply create the key pair using a tool like Puttygen. Then, upload the public key on your server and save the private key on your local computer.
You will use your private key every time you want to connect to your server. You can add another layer of security by securing your private key with a passphrase.
So, even if your private key ends in the wrong hands, a malicious user won’t be in a position to use your private key without the passphrase.
To copy a public key on your server, log in with the user that you want to create the key pair for then type the command below:
mkdir ~/.ssh; nano ~/.ssh/authorized_keys
Then, copy the public key that you created from Putty key generator directly on the text editor
Press CTRL + X then Y and Enter to save the changes
Another Linux security best practices is to change the permission of the authorized key directory and file to make sure other users on the system cannot see the public key.
sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys
Tip 4: Disable SSH Password Authentication
Once you are able to log in on your Linux server with the private/public key pair, you need to disable password login.
To do this, you need to edit the SSH configuration file using nano text editor. Type the command below:
sudo nano /etc/ssh/sshd_config
Then, look for the line PasswordAuthentication and change to no
Tip 5: Disallow root Login Over SSH
Even with the private/public key pair, log in on your system over SSH as the root does not go well with Linux server security best practices. To disable this, you need to edit the SSH configuration file using nano text editor.
Type the command below:
sudo nano /etc/ssh/sshd_config
Then, look for the PermitRootLogin directive and change it to no.
Restart the SSH daemon for the changes to take effect by typing the command below:
sudo service ssh restart
Tip 6: Install Uncomplicated Firewall (UFW)
Linux server security best practices recommend UFW. It is installed by default in a fresh Ubuntu 16.04 installation but you can install it by running the command below if it was uninstalled.
sudo apt-get install ufw
By default, the general UFW rule is to deny all incoming traffic and allow all outgoing traffic. With the default settings, your virtual private server will run smoothly but it can’t allow external communications.
You need to allow the necessary ports otherwise you might completely lock yourself from your system.
Enabling SSH or Secure FTP server for Linux on UFW
Since logging on the server via SSH is essential, we need to allow port 22 by typing the command below. You might change the port if you had configured a different port for SSH.
The SSH port is the same if you want to log in on your system using a secure FTP server for Linux using a tool like Filezilla.
sudo ufw allow ssh
sudo ufw allow 22
Next, we need to allow port 80 and port 443 because they are specifically used for internet traffic. If you don’t want users to access your server on the un-encrypted channel(HTTP), you may skip the step of allowing port 80 and only allow port 443 for https traffic only.
Enable HTTP traffic on UFW
sudo ufw allow 80
sudo ufw allow 80
Enable HTTPs Traffic on UFW
sudo ufw allow 443
sudo ufw allow https
Once you have made the necessary changes, you can enable the UFW by typing the command below
sudo ufw enable
You can also disable UFW by typing the command below
sudo ufw disable
Checking the UFW rules
You can always check the enabled UFW rules by typing the command below:
sudo ufw status verbose
Deleting UFW rules
To delete a UFW rule, you need to check its number by running the command
sudo ufw status numbered
Then, once you get the number, just run the command below e.g. to delete rule number 2
sudo ufw delete 2
You can always run the command below to reset UFW and start all over again
sudo ufw reset