How to secure your Linux Server

Secure your Linux Server [ Applicable to Ubuntu / Debian in particular, but can be adapted for other distributions by replacing the package-related commands ]

1. Install a minimal version of the operating system using the latest ISO.

2. On first boot as either sudo user or root — [ Update the system ]
apt update && apt upgrade -y # for Debian, as root
sudo apt update && sudo apt upgrade -y # for Ubuntu

Note: on Ubuntu you will have to provide your sudo password. On Debian you will have to provide the root password.

3. Install a few very essential packages
apt install net-tools vim openssh-server ufw curl sudo logwatch # for Debian
sudo apt install net-tools vim openssh-server ufw curl logwatch # for Ubuntu

4. Add admin user of the system
sudo adduser vmadmin # it can be any other name of your choice.
sudo usermod -aG sudo vmadmin # give the user sudo permission.

5. Add regular user to the system.

sudo adduser vmuser

6. Add ssh key

To create an SSH key on your local device, open your CLI.
Ed25519 is probably one of the strongest key types available.

Ed25519 is considered to be very secure. It is supported by OpenSSH 6.5 (2014) and all versions that followed. If your device does support this key, we recommend using it. The key size is fixed and cannot be changed.


$ ssh-keygen -t ed25519
[ Do not use standard RSA, ECDSA, DSA keys for security reasons ]

7. Copy your public key to remote server.

ssh-copy-id vmuser@ip-of-remote-system

8. Test your login using the SSH key.

ssh vmuser@ip-of-remote-system

9. Allow the internal firewall to accept SSH connections.

sudo ufw allow OpenSSH

10. Deactivate root login using ssh

sudo nano /etc/ssh/sshd_config

Look for the PermitRootLogin line and change it to
PermitRootLogin no

11. Deactivating password authentication

If you are using an SSH key for authentication, you can now also disable password authentication. Look for the PasswordAuthentication line:
PasswordAuthentication no
Remove the hash symbol (#) if the line begins with one and replace the yes with a no.

12. Change the default SSH port
Changing the port alone avoids most automated bot attacks, because most of them are simple bots that only try to access SSH via port 22.
Find the line “#Port 22” and change it to something like “Port 2222” (or change 2222 to anything you want).
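
The checks from steps 10 to 12 as a script, added here as an example and not part of the original guide. The function names global_values and audit_sshd and the two sample files are constructed for illustration. It applies two sshd_config rules: for single-valued keywords the first uncommented value wins, and a commented-out line leaves the built-in default in force.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for steps 10-12.

# global_values FILE KEYWORD DEFAULT: every value given for KEYWORD before the
# first Match block, in file order; DEFAULT if it is absent or commented out.
global_values() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                    # a "#" line changes nothing
        tolower($1) == "match" { exit }        # later lines are conditional
        tolower($1) == tolower(key) { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: prints one line per finding; returns 0 only when clean.
audit_sshd() {
    rc=0
    # Single-valued keywords: sshd keeps the first value it reads.
    for kv in PermitRootLogin:prohibit-password PasswordAuthentication:yes; do
        key=${kv%%:*}
        if [ "$(global_values "$1" "$key" "${kv#*:}" | head -n 1)" != "no" ]; then
            echo "$key is not 'no'"; rc=1
        fi
    done
    # Port may appear several times; sshd listens on every port listed.
    if global_values "$1" Port 22 | grep -qx 22; then
        echo "sshd still listens on port 22"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not copied from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/stock" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/edited" <<'EOF'
Port 2222
permitrootlogin no
PasswordAuthentication no
PasswordAuthentication yes
EOF
audit_sshd "$SAMPLE_DIR/stock" || echo "stock: still needs steps 10-12"
audit_sshd "$SAMPLE_DIR/edited" && echo "edited: ok"
```

The script does not follow Include lines. On the server itself, sudo sshd -T prints the effective configuration.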

13. Install Fail2Ban

We changed our SSH port and set up our firewall. But what happens if a bot finds our port and still tries to access our server via SSH? That would be a brute force attack, and we can protect our server with Fail2Ban. This software will ban IPs that show malicious signs or attempts. You need to run these three commands to install and enable Fail2Ban:
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
You can also customize the settings for Fail2Ban by editing the configuration files in the /etc/fail2ban/ folder.

14. Monitor Logs

You need to regularly review your system logs to detect unusual activities.
Logwatch can help you automate this process.
You can view the logs by running the command: sudo logwatch

Configuration parameters for logwatch:
https://ubuntu.com/server/docs/how-to-install-and-configure-logwatch

15. Check for Rootkits and Malware

To make quick scans on your server, you can use tools like “rkhunter” and “chkrootkit.” These tools help you check for rootkits, backdoors, and possible local exploits, ensuring everything is okay. Run these commands to make sure rkhunter is installed and run a check:
sudo apt install rkhunter
sudo rkhunter --check

16. Install more security tools

Enable Two-Factor Authentication (2FA)
You can also set up 2FA (Two-Factor Authentication) for logging in to your server via SSH. This adds an extra layer of protection and reduces the risk of unauthorized access. You can install it with this command:
sudo apt install libpam-google-authenticator
And run this command to set it up:
google-authenticator

Use Intrusion Detection Systems
You can use tools like “AIDE” (Advanced Intrusion Detection Environment) to monitor changes to your system. It generates a database for your files and folders and compares your system against that database to ensure file integrity. For basic usage, you can install it with this command:
sudo apt install aide
Start and generate the database with these commands:
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
And compare your system with the database using this command:
sudo aide --config /etc/aide/aide.conf --check