As a Linux expert, your first tasks when setting up a new Ubuntu VPS server are crucial, as the default settings may not provide the optimal security required for your server. In this guide, we’ll focus on security recommendations and questions to assist you in configuring the most suitable setup for your environment.
1. Enhance Root User Security
Securing the root user should be your foremost priority when configuring a fresh Ubuntu server. Typically, setting a password for the root user is part of the installation process. However, if you ever inherit an Ubuntu server, it’s advisable to reset the root password while adhering to best practices for password security:
– Avoid using common English words.
– Utilize a combination of symbols and alphanumeric characters.
– Consider the length of the password. Longer passwords with complex characters provide superior security. A password exceeding ten characters is a good practice, but opting for even longer passwords with intricate elements is a safer approach.
Another proactive step you can take is to lock the root user password to prevent any processes from running with root privileges. However, please proceed with caution:
Warning: Before locking the root user, ensure that you already have an alternative administrative user on the system with root or “sudo” privileges. This will prevent any accidental lockout from the system.
The method to enable or disable the root account varies depending on your Ubuntu version. If the root account is disabled and you wish to enable it, you can do so by setting or changing the root password with the following command:
sudo passwd root
Conversely, you can lock the root account by using the “-l” flag, effectively preventing its usage:
sudo passwd -l root
Should you need to unlock the root account in the future, you can enable it once more by changing the root password:
sudo passwd root
2. Securing SSH Access Like a Linux Pro
When you launch a new server, default SSH configurations often allow root logins, which isn’t the best security practice. Let’s explore how to strengthen the server’s security.
Use Root Sparingly: Always minimize the use of the root user. It’s best practice to employ it only for executing critical administrative commands. Instead of logging in directly as root, log in as a regular user and then switch to root after connecting to the server.
Once logged in, switch to the root user:
ssh spartacus@myawesomeserver.com
After logging in as your user, switch to root with:
su -
Disable SSH Login for Root: For additional security, disable SSH login for the root user. Edit the SSH configuration file (ensure you have root or sudo privileges):
vim /etc/ssh/sshd_config
Within the file, locate the Authentication section and identify this line:
PermitRootLogin yes
Change it to:
PermitRootLogin no
To apply these changes, restart the SSH service:
/etc/init.d/ssh restart
Subsequently, trying to log in via SSH as the root user with a password will be rejected. This adds a layer of security, requiring knowledge of both a valid username and root’s password.
Prevent Empty Passwords: Strengthen security further by ensuring that users without passwords can’t log in. In the SSH configuration file:
vim /etc/ssh/sshd_config
Find the line:
PermitEmptyPasswords no
Confirm it’s set to “no.” This prevents users without passwords from logging in. An attacker would need both a valid username and password.
Port Forwarding: For an extra layer of security, consider adjusting router or firewall settings. Instead of allowing direct access to port 22, forward remote SSH access to a different port. This can thwart many bots and scripts attempting brute force attacks. Refer to your router or server firewall documentation for instructions on port forwarding.
By following these advanced steps, you’ll significantly enhance SSH access security on your Linux server.
3. Securing Your Ubuntu Server: Firewall Configuration
Installing a robust firewall is essential to protect your Ubuntu server. Most recent Ubuntu versions come with Uncomplicated Firewall (UFW). To check if UFW is installed, run:
sudo ufw status
This command will indicate whether UFW is active or inactive. If it’s not installed, you can install it using:
sudo apt-get install ufw
Before configuring the firewall, identify the specific services that will require access to your server. Consider whether SSH access and web traffic are necessary. You should only enable the services essential for incoming traffic to access the server securely.
Let’s say you need SSH and web access. You can allow these services through the firewall using:
sudo ufw allow ssh
sudo ufw allow http
These commands also open up the associated ports. Alternatively, you can allow services through a specific port, for instance:
sudo ufw allow 80/tcp
This is equivalent to allowing HTTP service. After listing the desired services, enable the firewall:
sudo ufw enable
Keep in mind that enabling the firewall may interrupt your current SSH connection if that’s how you’re logged in. Ensure your information is accurate to prevent getting logged out.
Additionally, exercise caution when adding users to the Linux operating system. Only grant access to those individuals who genuinely require it. This prudent approach enhances the security of your server.
4. Defining Your Server’s Purpose and Minimizing Vulnerabilities
Before setting up your server, it’s essential to determine its intended use. Will it primarily serve as a file server, a web server, or a web server responsible for sending emails through web forms? Clear delineation of your server’s role is crucial for tailoring it to your specific requirements.
It’s advisable to deploy only the services essential for your server’s purpose. Introducing unnecessary services can result in outdated software, increasing your server’s vulnerability. To maintain the highest level of security, every component and service should follow best practices.
For instance, if your server operates solely as a static website host, there’s no need to expose it to vulnerabilities associated with outdated email services. By aligning your server’s configuration with its intended functions, you minimize potential security risks and ensure optimal performance.
5. Maintaining an Up-to-Date File System on Your Ubuntu Server
Keeping your server’s file system current with the latest security patches is vital. Although a server can operate for extended periods with minimal maintenance, adopting a “set it and forget it” approach is unwise.
Regular updates for your Ubuntu server are essential to ensure system security and currency. To achieve this, you can employ the following command:
sudo apt-get update
While setting up an Ubuntu server is an excellent way to gain Linux experience, it’s crucial to do so in a controlled environment. Exposing your server to the internet should be avoided until you’re fully prepared.
An ideal starting point is configuring and testing your server at home within your private network. This approach allows you to interact with the server safely, without granting internet or router access.
If and when you decide to deploy your Ubuntu server, remember the following key considerations. Understanding the server’s configuration post-deployment is essential, enabling you to assess public access points and identify areas that require further hardening.
Embrace the learning process and don’t shy away from making mistakes within your safe environment. Experience is a valuable teacher, particularly when transitioning to a live server environment.