5 Tips to Secure a Linux Server Running Ubuntu 16.04

Linux is considered to be the most secure Operating System (OS). The open-source OS was built with unrivaled security in mind. Security experts from different Linux distributions react very fast to fix discovered threats and vulnerabilities.

Unlike Windows, Linux was built as a multi-user system from the beginning. Security best practices have been followed since its inception to segregate user files. Most applications run very far from the kernel that controls the server.

However, no system is 100% secure. If you are using a Linux distribution such as Ubuntu 16.04, you need to follow the industry’s best practices to keep your system up to date and tighten your server’s security.

If you are wondering how to secure your Linux server, here is a security checklist that you can use on your Ubuntu 16.04 virtual private server to protect your system.

Prerequisites

  • A virtual private server running Ubuntu 16.04.

Tip 1: Update your System Frequently

Hackers take advantage of unpatched operating systems. To avoid becoming a victim, update your Linux system frequently using the command below.

sudo apt update && sudo apt upgrade

Tip 2: Create a Non-root User with sudo Privileges

Logging in to your Ubuntu server with super-user privileges can cause a lot of harm to your VPS. It is always recommended to log in to a system with limited privileges and only elevate the privileges when a task requires administrative rights.

To create a non-root user with sudo privileges, type the command below on your terminal. Replace example_user with your preferred username.

# adduser example_user

You will be prompted to enter the full details of the user including a password.

Next, you need to add the newly created user to the sudo group. Replace example_user with your preferred username.

# adduser example_user sudo

Tip 3: Create an Authentication Key Pair

Due to increased modern computing power, malicious attackers with unlimited access to your server's SSH port may try to brute-force your password to gain access to your system.

Using a public/private key pair for logging in to your system is one of the best Linux server hardening tricks.

You can simply create the key pair using a tool like PuTTYgen. Then, upload the public key to your server and save the private key on your local computer.

You will use your private key every time you want to connect to your server. You can add another layer of security by securing your private key with a passphrase.

So, even if your private key ends up in the wrong hands, a malicious user won’t be in a position to use it without the passphrase.

To copy a public key to your server, log in as the user that you want to create the key pair for, then type the command below:

mkdir -p ~/.ssh && nano ~/.ssh/authorized_keys

Then, copy the public key that you created with PuTTYgen directly into the text editor.

Press CTRL + X, then Y and Enter to save the changes.

Another Linux security best practice is to change the permissions of the authorized keys directory and file to make sure other users on the system cannot read the public key.

chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
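A check for the two usual reasons a key pasted as described above is not accepted: wrong modes, or a key saved in PuTTYgen's multi-line RFC 4716 export instead of the one-line OpenSSH form. This is an added example, not part of the original article; the function name and the sample key are made up for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_authorized_keys FILE: return 0 if FILE looks usable by sshd, 1 otherwise.
check_authorized_keys() {
    file=$1; dir=$(dirname "$file"); rc=0
    # Modes from Tip 3: 700 on the directory, 600 on the key file.
    [ "$(stat -c %a "$dir")" = 700 ]  || { echo "WARN: $dir is not mode 700"; rc=1; }
    [ "$(stat -c %a "$file")" = 600 ] || { echo "WARN: $file is not mode 600"; rc=1; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        /BEGIN SSH2 PUBLIC KEY/ {                  # multi-line RFC 4716 export
            print "BAD line " NR ": RFC 4716 block, paste the one-line OpenSSH form"
            bad = 1; in_block = 1; next
        }
        in_block { if (/END SSH2 PUBLIC KEY/) in_block = 0; next }
        {
            ok = 0                                 # options may precede the key type
            for (i = 1; i < NF; i++)
                if ($i ~ "^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$" &&
                    $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=*$") ok = 1
            if (!ok) { print "BAD line " NR ": not a one-line public key"; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$file" || rc=1
    return $rc
}

# Constructed sample (placeholder blob, not a real key) with the right modes.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY example_user@laptop' \
    > "$demo/authorized_keys"
chmod 700 "$demo"; chmod 600 "$demo/authorized_keys"
check_authorized_keys "$demo/authorized_keys" && echo "OK: key file looks usable"
rm -rf "$demo"
```

On the server, run it as the new user: check_authorized_keys ~/.ssh/authorized_keys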

Tip 4: Disable SSH Password Authentication

Once you are able to log in to your Linux server with the private/public key pair, you need to disable password login.

To do this, you need to edit the SSH configuration file using the nano text editor. Type the command below:

sudo nano /etc/ssh/sshd_config

Then, look for the PasswordAuthentication line and change its value to no:

PasswordAuthentication no

Tip 5: Disallow root Login Over SSH

Even with the private/public key pair, logging in to your system over SSH as root does not go well with Linux server security best practices. To disable this, you need to edit the SSH configuration file using the nano text editor.

Type the command below:

sudo nano /etc/ssh/sshd_config

Then, look for the PermitRootLogin directive and change it to no.

PermitRootLogin no

Restart the SSH daemon for the changes to take effect by typing the command below:

sudo service ssh restart
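An audit of the two directives from Tips 4 and 5, as an added example that is not part of the original article. sshd uses the first value it finds for a keyword, so a later duplicate or a commented-out line does not count; the function names and the sample file are made up for illustration, and only the whitespace-separated "Keyword value" form before any Match block is read.

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd_effective KEYWORD FILE: print the value set in the global section of
# FILE. First occurrence wins, keywords are case-insensitive, # lines are skipped.
sshd_effective() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"       { exit }      # per-user/host overrides start here
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$2"
}

# audit_sshd FILE: return 0 only if Tips 4 and 5 are both in effect.
audit_sshd() {
    rc=0
    for pair in PasswordAuthentication:no PermitRootLogin:no; do
        key=${pair%%:*}; expected=${pair#*:}
        got=$(sshd_effective "$key" "$1")
        if [ "$got" = "$expected" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key is '${got:-unset, built-in default applies}', expected $expected"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the edit to PermitRootLogin was never made, and a stray
# duplicate PasswordAuthentication line is ignored because the first one wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
passwordauthentication no
PasswordAuthentication yes
PermitRootLogin prohibit-password
EOF
audit_sshd "$sample"
rm -f "$sample"
```

On the server, run audit_sshd /etc/ssh/sshd_config, and run sudo sshd -t to catch syntax errors before restarting the daemon.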

Tip 6: Install Uncomplicated Firewall (UFW) 

Linux server security best practices recommend UFW. It is installed by default in a fresh Ubuntu 16.04 installation but you can install it by running the command below if it was uninstalled.

sudo apt-get install ufw

By default, the general UFW rule is to deny all incoming traffic and allow all outgoing traffic. With the default settings, your virtual private server will run smoothly but it will not accept incoming connections.

You need to allow the necessary ports, otherwise you might completely lock yourself out of your system.

Enabling SSH or Secure FTP server for Linux on UFW

Since logging in to the server via SSH is essential, we need to allow port 22 by typing the command below. Use your own port number instead if you have configured a different port for SSH.

Secure FTP uses the same SSH port, so this rule also covers logging in to your system with a tool like FileZilla.

sudo ufw allow ssh

or

sudo ufw allow 22

Next, we need to allow port 80 and port 443 because they are used for web traffic (HTTP and HTTPS). If you don’t want users to access your server on the unencrypted channel (HTTP), you may skip the step of allowing port 80 and allow only port 443 for HTTPS traffic.

Enable HTTP traffic on UFW

sudo ufw allow 80

or

sudo ufw allow http

Enable HTTPS Traffic on UFW

sudo ufw allow 443

or

sudo ufw allow https

Enabling UFW

Once you have made the necessary changes, you can enable UFW by typing the command below:

sudo ufw enable
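A guard against the lockout mentioned above, as an added example that is not part of the original article: it reads the rules staged so far from sudo ufw show added and enables the firewall only if an incoming allow or limit rule for the SSH port is among them. The function names and sample rule lines are made up for illustration, and only simple rule forms like the ones on this page are recognised.

```shell
#!/bin/sh
# Added example, not from the original article.
# ssh_rule_present PORT: read `ufw show added` output on stdin; succeed only
# if an incoming allow/limit rule names PORT, PORT/tcp or the ssh service.
ssh_rule_present() {
    awk -v port="${1:-22}" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") && $3 != "out" {
            for (i = 3; i <= NF; i++)
                if ($i == port || $i == port "/tcp" || $i == "ssh") found = 1
        }
        END { exit !found }
    '
}

# safe_enable PORT: run `ufw enable` only when the SSH rule is already staged.
safe_enable() {
    if sudo ufw show added | ssh_rule_present "${1:-22}"; then
        sudo ufw enable
    else
        echo "Refusing to enable UFW: no allow rule for SSH port ${1:-22}" >&2
        return 1
    fi
}

# Constructed sample in the shape `ufw show added` prints: web ports were
# allowed but SSH was forgotten, so the guard reports the problem.
staged="Added user rules (see 'ufw status' for running firewall):
ufw allow 80
ufw allow 443"
printf '%s\n' "$staged" | ssh_rule_present 22 \
    || echo "no SSH rule staged; enabling now would cut off remote access"
```

On the server, call safe_enable with your SSH port in place of running sudo ufw enable directly.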

Disable UFW

You can also disable UFW by typing the command below:

sudo ufw disable

Checking the UFW rules

You can always check the enabled UFW rules by typing the command below:

sudo ufw status verbose

Deleting UFW rules

To delete a UFW rule, you first need to find its number by running the command below:

sudo ufw status numbered

Then, once you have the number, run the command below, e.g. to delete rule number 2:

sudo ufw delete 2

Resetting UFW

You can always run the command below to reset UFW and start all over again:

sudo ufw reset