
Protect your Ubuntu system with essential security measures.


DannyMessi10
Junior Member
44
10-02-2022, 03:15 AM
#1
I've been doing more research into system administration recently, and I have created a checklist of things to do when you need to secure an Ubuntu machine. This guide is not strictly for Ubuntu, but the commands were run on an Ubuntu machine. Most of the things in this checklist more advanced Linux users will already know, but I figured this would be a good starting point for newer Linux users.

Here is the checklist for people who would not like to read the entire thread, but more detailed explanations of how to do everything in this list are inside this thread.

- Update your system
- Set up automatic updates
- Create a low-privileged user
- Create SSH private/public key pair
- Secure SSH config
- Set up firewall
- Disable ping requests

When securing a machine, the very first thing you will need to do is ensure that all your packages are up to date. Believe it or not, most vulnerabilities lie inside of packages that are not updated to the most recent stable version. Ensure your machine is updated by doing the following.

    sudo apt update && sudo apt upgrade

Now that your machine is updated, let's install a package to have updates be installed automatically. For this, run

    sudo apt install unattended-upgrades -y

Now we need to ensure that auto updates are active. Run the following command

    sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

After the file loads, you will see towards the top a line that reads

    "${distro_id}:${distro_codename}-updates";

Ensure this line IS NOT COMMENTED OUT (remove the // at the beginning of the line).

After this, I like to set up my new user. To do this, run the following command.

    adduser {User Name}

Now that the user has been created, I will give this user sudo permissions. Run the following command

    sudo usermod -aG sudo {User Name}

Now we can switch to this user to start setting up our SSH keys. Run

    su {User Name}

Now that we have our user set up, we need to ensure that our SSH connection is secure.
Let's start by creating our user's ssh directory to store the public key file.

    # run as the new user, without sudo, so the directory lands in their home and is owned by them
    mkdir -p ~/.ssh && chmod 700 ~/.ssh

Now on your local machine, open whatever terminal you're using (CMD, Bash Terminal, etc.) and let's create our private/public key pair

    ssh-keygen -t rsa -b 4096

This will create two files as an output, an ID_RSA and ID_RSA.pub. The file that has the .pub extension is our public key that we need to get on the server into the user's .ssh folder we just created. The ID_RSA file is your private key to log in to the machine; never send this to anyone.

Before we edit the config, disable your firewall on the machine. (We will change the SSH port, and do not want to be locked out. We will also re-enable this after.) Run

    sudo ufw disable

Now that our keys have been created and we moved the public key to the server, we will need to edit the config of the SSH server. Run the following

    sudo nano /etc/ssh/sshd_config

Now that we are in the file, we will want to do a few things.

- Change port
- Set "AddressFamily" to "inet" (This will disable IPV6 Authentication)
- Set "PermitRootLogin" to "no" (This will disable root login over ssh)
- Set "PasswordAuthentication" to "no" (This will disable password authentication to ensure that we only can use keys)
- Create a new line that reads "AllowUsers {Username}" (This will ensure that only users added in this file on this line will be able to log in via SSH)

After you do this, you will need to restart your ssh server. (Ensure you did not mess anything up at this point, because if you do there is a chance you can be locked out of your machine.) To restart SSH, run

    sudo systemctl restart sshd

Now we will configure our firewall to work with our needs. The first command I like to run is

    sudo ss -tupln

This will give me an idea of what ports are being used for the machine. You should also look through this for things to disable.
Now that we know what ports we are utilizing, let's add those ports to the firewall rules (DON'T FORGET YOUR SSH PORT THAT WE CHANGED). To add a port to the firewall rule, run

    sudo ufw allow {port}

At this point we can start our firewall again. Run

    sudo ufw enable

Another thing I like to do is disable ping requests to the server. To do this, run

    sudo nano /etc/ufw/before.rules

Under the line that reads "#ok icmp codes for INPUT" add the following

    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Now that we have saved this file, in order for this to take effect you must reboot your machine. Run

    sudo reboot
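
A way to check an edited sshd_config against the settings listed in the post before restarting SSH, as an added example that is not part of the original post. The function names and the two sample configs are constructed for illustration; it assumes whitespace-separated `Keyword value` lines and only reads the global section before any `Match` block.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config against the checklist in the post above.
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and '#' lines are ignored, so the lookup does the same.

# effective_value FILE KEYWORD -> prints the first uncommented value, or nothing
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }            # commented-out lines do not count
        tolower($1) == "match" { exit }      # global section only
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# audit_sshd FILE -> prints one line per failed check, returns the failure count
audit_sshd() {
    local file="$1" fails=0 key want got
    while read -r key want; do
        got=$(effective_value "$file" "$key")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FAIL $key: want '$want', effective '${got:-<default>}'"
            fails=$((fails + 1))
        fi
    done <<'EOF'
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
EOF
    [ -n "$(effective_value "$file" AllowUsers)" ] ||
        { echo "FAIL AllowUsers: not set"; fails=$((fails + 1)); }
    got=$(effective_value "$file" Port)
    [ -n "$got" ] && [ "$got" != 22 ] ||
        { echo "FAIL Port: still the default 22"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample configs (not taken from a real host).
tmp=$(mktemp -d)
# weak: the only PermitRootLogin line is commented out, and "yes" comes
# before "no", so password logins stay enabled
printf '%s\n' '#PermitRootLogin no' 'PasswordAuthentication yes' \
    'passwordauthentication no' > "$tmp/weak"
printf '%s\n' 'Port 2222' 'AddressFamily inet' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'AllowUsers alice' > "$tmp/hardened"
audit_sshd "$tmp/weak" || echo "weak: $? check(s) failed"
audit_sshd "$tmp/hardened" && echo "hardened: all checks passed"
```

On a live host, `sudo sshd -t` checks the file for syntax errors before the restart, and keeping the current SSH session open while testing a new login avoids a lockout.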

KicaNica
Junior Member
45
10-02-2022, 03:15 AM
#2
Automatic updates are a useful feature on Linux. You can upgrade whenever it feels right, which is one of the reasons I often think about automation when starting my PC without much planning. New drivers sometimes cause issues, so regular updates might not always be ideal—even if they run in the background. For example, updating core or GPU drivers during a game isn’t recommended. Still, keeping your server updated is important, especially for Ubuntu servers.