How To Secure Your Ubuntu 16.04 Server

Joe Cardillo
Aug 25, 2018

There are a lot of great guides out there explaining how to do this — such as this, from Linode — but I find it helpful to write out the process myself, along with anything that typically confuses me, so I can reference it in the future.

The below assumes you’ve already created an authentication key-pair. For more details about this see this section of the Linode Documentation.

Update and Upgrade

Once you’ve booted your server and logged in as the root user, you’ll want to update and upgrade Ubuntu:

apt-get update && apt-get upgrade

Set Your Hostname

Replace your_hostname_here with your hostname:

hostnamectl set-hostname your_hostname_here

To see if your hostname stuck, run:

hostname

You should see your hostname printed in the terminal window.

Update /etc/hosts file

You can do this using the nano text editor:

nano /etc/hosts

You should see the below, but 123.45.67.890 will be your IPv4 address, and your_hostname will be the hostname you set above.

127.0.0.1       localhost
123.45.67.890 your_hostname
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

To exit the nano editor, press ctrl + x, then y (to save), then Enter (to exit the editor).

Set your timezone:

dpkg-reconfigure tzdata

You’ll see a screen prompting you to set up your timezone. Run through the prompts.

Run the date command to check that your date and time are accurate. The output should look like this:

Mon Aug 20 05:46:18 EDT 2018

Next, you’ll want to secure your server. This step is very important for preventing unauthorized access to your server.

Up to this point you’ve been entering commands as the root user. To help secure your server you’ll want to create a limited user account, give this limited user sudo privileges, then remove root login access, so that only your limited sudo user can log in.

Replace your_limited_user with the name of your user:

adduser your_limited_user

You will be prompted to enter a password twice for this user. Make it a good one!

You will also be prompted to enter values for this user’s name, etc., but you can leave these blank. Press ENTER for the defaults.

Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]

Give this user sudo privileges:

adduser your_limited_user sudo

You should see confirmation that your_limited_user was added to group sudo.

Adding user 'your_limited_user' to group 'sudo' ...
Adding user your_limited_user to group sudo
Done.

Now switch to this limited user and we will start to execute commands as the limited sudo user. Enter the below command, replacing your_limited_user with the name of your sudo user. (su stands for ‘switch user’.)

su your_limited_user

If you’re prompted to enter your password for your_limited_user go ahead. You should now see your command prompt change to reflect your limited user:

your_limited_user@hostname:/root$

Type cd and you will be brought to your home directory. The ~ represents your home directory:

your_limited_user@hostname:~$

Now that you’re logged in as your_limited_user you can create the directory where your pub key will go. chmod -R 700 gives only you, the limited user, permission to read, write and execute in this directory; the group and all other users get no access.

mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/

From your local computer, you can copy your pub key to the .ssh directory using the following command. scp stands for secure copy. And again, replace your_limited_user and the IP address with yours.

scp ~/.ssh/id_rsa.pub your_limited_user@123.45.67.890:~/.ssh/authorized_keys

Enter your limited user’s password. You should see confirmation in your local computer’s terminal:

id_rsa.pub                             100%  763    16.2KB/s   00:00

To confirm, on your server’s terminal window, if you type ls ~/.ssh you should see that it created your authorized_keys file. If you cd into your .ssh directory and cat authorized_keys you should see the output of your pub key in the terminal window. Once confirmed you’re good to proceed.

This next step is where you will actually disable root login access. Before doing this you want to make sure you did the previous steps properly. Otherwise, you won’t be able to log in later with your limited sudo user.

sudo nano /etc/ssh/sshd_config

Change this line:

PermitRootLogin yes

To:

PermitRootLogin no

And this line:

#PasswordAuthentication yes

To:

PasswordAuthentication no

(You’ll need to remove the # to uncomment the line.)

Restart ssh for the new configuration to take effect:

sudo systemctl restart sshd

Your server is now secure.
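
A check worth running before the restart above, given as an added example that is not part of the original post: it confirms that the two sshd_config settings are actually in effect (sshd uses the first uncommented occurrence of a keyword, so an earlier line can override your edit) and that the key file is in place with permissions sshd will accept. The function names effective_value and check_lockout are hypothetical, and the sample config and key are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post; function names are hypothetical.

# Print the effective global value of an sshd_config keyword. sshd keeps the
# FIRST uncommented occurrence, keywords are case-insensitive, and lines after
# a "Match" line are conditional, so parsing stops there.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if both settings from the page are in effect and the user
# whose home directory is $2 has a key file that sshd will accept.
check_lockout() {
    local cfg="$1" home="$2" rc=0 key
    for key in PermitRootLogin PasswordAuthentication; do
        [ "$(effective_value "$cfg" "$key")" = "no" ] ||
            { echo "FAIL: $key is not effectively 'no'"; rc=1; }
    done
    [ -s "$home/.ssh/authorized_keys" ] ||
        { echo "FAIL: $home/.ssh/authorized_keys is missing or empty"; rc=1; }
    # StrictModes (on by default) refuses keys if these are group/world-writable.
    if [ -n "$(find "$home/.ssh" -maxdepth 1 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "FAIL: ~/.ssh or a file in it is group- or world-writable"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the edit from the page was made, but an earlier
# uncommented "PasswordAuthentication yes" still wins.
demo_dir=$(mktemp -d)
mkdir -m 700 "$demo_dir/.ssh"
echo "ssh-rsa AAAA...constructed your_limited_user" > "$demo_dir/.ssh/authorized_keys"
chmod 600 "$demo_dir/.ssh/authorized_keys"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' \
    '#PasswordAuthentication yes' 'PasswordAuthentication no' > "$demo_dir/sshd_config"
check_lockout "$demo_dir/sshd_config" "$demo_dir" || echo "do not restart sshd yet"
rm -rf "$demo_dir"
```

On the server, call check_lockout /etc/ssh/sshd_config "$HOME" as the limited user, and keep your current session open until a key-based login works from a second terminal.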
