
How I harden Linux server Security


What measures I take to secure my Linux server:

I mainly take the following security measures on my Ubuntu/Debian servers:

  • Limited User Account
  • Use SSH-Keys
  • Disable Password login
  • Disable Root Login
  • Change SSH Port
  • Use Firewall (UFW)
  • Block Pings
  • Use of a behavior-based security engine (CrowdSec)

All these points are briefly discussed below:

Limited User Account:

Using the root account as your main user on a system can be risky because it has full control over everything, making it a prime target for hackers. Instead, it’s safer to create a new user with fewer powers for everyday tasks. Here’s how you can do that:

Once you are connected to your server as root, use the adduser command followed by the desired username. For example:

sudo adduser <username>

Make sure to replace <username> with your desired username. After that you’ll be prompted to set a password and provide additional user information. Once the user is created, add it to the sudo group to grant it root privileges. Use the usermod command to modify the user’s group membership:

sudo usermod -aG sudo <username>

This command adds the user to the sudo group, allowing them to execute commands with superuser privileges using sudo. Now to test the new user, log in with the newly created user account:

su <username>

To verify that the user has root privileges, try executing a command with sudo:

sudo apt update

Enter the password for the new user when prompted. If the command executes successfully, the user has been granted root privileges.

Use SSH-Keys to login:

Before disabling password login, we should add our SSH keys to the server so that password-less login works.

Open Windows Terminal. Use the ssh-keygen command to generate SSH keys. Choose the default location or specify a custom path if needed. For example:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Follow the prompts to specify the file location and passphrase.

Once the keys are generated, locate the public key file (usually named id_rsa.pub). Use a text editor or the built-in terminal text editors (e.g., code, notepad) to open the public key file. Copy the contents of the public key.

Log in to your Linux server using SSH. Navigate to the user’s home directory (e.g., /home/username) and create a .ssh directory if it doesn’t exist:

mkdir -p ~/.ssh

Use a text editor like Nano or Vim to open the authorized_keys file:

nano ~/.ssh/authorized_keys

Paste the copied public key (the contents you copied from id_rsa.pub) into the authorized_keys file. Save and exit the editor.

Once the public key is added, attempt to log in to the server using SSH from your Windows machine. If configured correctly, you should be able to log in without entering a password:

ssh username@server_ip

Disable Password login:

We have successfully created an SSH key to log in to the server. Now you can remove password login, since using a password over SSH is highly insecure and can be cracked with SSH brute-force attacks. Here’s how you can do that:

After connecting to your server using SSH, open the SSH configuration file using a text editor like Nano or Vim:

sudo nano /etc/ssh/sshd_config

Find the line that begins with PasswordAuthentication. It’s probably commented out. Remove the # sign from the start and change the value to no:

PasswordAuthentication no

After making the changes, restart the SSH service to apply the new configuration:

sudo systemctl restart sshd

Now you have successfully disabled the password login.

Disable Root Login:

To bolster security on your Ubuntu server, disable direct root login over SSH. Connect to your server via SSH and open the SSH configuration file with nano or vim:

sudo nano /etc/ssh/sshd_config

Find the line containing PermitRootLogin and set it to no. Then restart the SSH service so that root login is disabled on your server:

sudo systemctl restart sshd

Change SSH Port:

To enhance security on your Ubuntu server, consider changing the default SSH port from 22 to a custom port. Connect to your server and run the command:

sudo nano /etc/ssh/sshd_config

Locate the line containing Port 22, which specifies the default SSH port. Change the port number to your desired custom port, ensuring it’s not already in use and is within the valid port range (e.g., 1024 to 65535). Save the changes to the SSH configuration file and exit the text editor. Make sure to allow the port on UFW or any firewall you are using.

sudo ufw allow [custom_port] 

Reload the SSH service to apply the new port configuration:

sudo systemctl reload sshd

Verify SSH Port Change:

After changing the SSH port, it’s crucial to verify that the new port is in use and accessible. Attempt to reconnect to your server via SSH using the new port:

ssh username@server_ip -p [custom_port] 

Replace [custom_port] with the port number you specified. If successful, you’ve confirmed that the SSH port change has been implemented correctly.
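The three sshd_config edits above can be silently overridden: sshd keeps the first value it reads for each keyword, and recent Debian/Ubuntu releases include /etc/ssh/sshd_config.d/*.conf from the top of the file. The following is an added example (not from the original post) that audits the effective settings printed by sshd -T; the function name, sample data and port 2222 are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the *effective* sshd settings against this guide.
# Input on stdin: output of `sshd -T` (lowercase "keyword value" lines).
audit_sshd() {
  awk '
    function check(name, got, want) {
      if (got == want) { print "OK   " name "=" got; return 0 }
      print "FAIL " name "=" (got == "" ? "(missing)" : got) ", want " want
      return 1
    }
    $1 == "passwordauthentication" { pw = $2 }
    $1 == "permitrootlogin"        { root = $2 }
    $1 == "pubkeyauthentication"   { pk = $2 }
    $1 == "port"                   { ports = ports " " $2; if ($2 == "22") on22 = 1 }
    END {
      # Keys must work before passwords are turned off, so check them first.
      bad  = check("pubkeyauthentication", pk, "yes")
      bad += check("passwordauthentication", pw, "no")
      bad += check("permitrootlogin", root, "no")
      if (on22 || ports == "") { print "FAIL port:" ports " (default port 22 in use)"; bad++ }
      else print "OK   port:" ports
      exit (bad > 0)   # non-zero exit status if any check failed
    }'
}

# Constructed sample: sshd_config was edited, but a drop-in file still wins.
SAMPLE_DRIFTED='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample: all settings from this guide are in effect.
SAMPLE_HARDENED='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

printf '%s\n' "$SAMPLE_DRIFTED"  | audit_sshd || true
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd
```

On the server, run it as sudo sshd -T | audit_sshd from a session you keep open until a second login on the new port has succeeded.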

Use Firewall (UFW):

UFW provides a straightforward and efficient way to manage firewall rules. We will allow only the ports that we are using:

If UFW is not already installed, you can install it by running:

sudo apt update
sudo apt install ufw

Once installed, enable UFW with the command:

sudo ufw enable

Since we configured SSH on a custom port above, allow traffic on that port:

sudo ufw allow [custom_ssh_port]/tcp

You can check all the ports in use with the first command below and allow the ones you need with the second:

ss -tupln # To check the ports being used
sudo ufw allow [port_number] # To allow a specific port

After allowing all your required ports, you need to reload the firewall:

sudo ufw reload

To check all the allowed ports on ufw, use the command:

sudo ufw status verbose
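To cross-check the two outputs used in this section, the added example below (not part of the original post) compares listeners from ss -tupln with the rules in ufw status and reports ports that listen without a rule and rules that no listener uses, such as a leftover rule for port 22 after SSH has moved. The function name and sample data are constructed; application-profile rules and port ranges are not resolved.

```shell
#!/bin/sh
# Added example: compare listening sockets with UFW allow rules.
# $1 = output of `ss -tupln`, $2 = output of `sudo ufw status`
ufw_gap() {
  { printf '%s\n' "$1" | sed 's/^/L /'; printf '%s\n' "$2" | sed 's/^/R /'; } | awk '
    # Listener lines: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]
    $1 == "L" && ($2 == "tcp" || $2 == "udp") {
      addr = $6; sub(/:[0-9]+$/, "", addr)
      port = $6; sub(/^.*:/, "", port)
      # Loopback-only services are not reachable from outside: skip them.
      if (addr !~ /^127\./ && addr != "[::1]") listen[port "/" $2] = 1
    }
    # Rule lines: "2222/tcp ALLOW Anywhere" or "2222/tcp (v6) ALLOW Anywhere (v6)"
    $1 == "R" && ($3 == "ALLOW" || $4 == "ALLOW") { rule[$2] = 1 }
    END {
      for (l in listen) {
        split(l, a, "/")
        # A rule without protocol (e.g. "8080") covers both tcp and udp.
        if (!((l in rule) || (a[1] in rule))) print "NO-RULE " l
      }
      for (r in rule) {
        hit = 0
        for (l in listen) { split(l, a, "/"); if (r == l || r == a[1]) hit = 1 }
        if (!hit) print "UNUSED-RULE " r
      }
    }' | sort
}

# Constructed sample: SSH moved to 2222, an app listens on 8080.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128    [::]:2222          [::]:*'

# Constructed sample: the old rule for port 22 was never deleted.
UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)'

ufw_gap "$SS_SAMPLE" "$UFW_SAMPLE"
```

On the server, call it as ufw_gap "$(ss -tupln)" "$(sudo ufw status)". Review each NO-RULE line before allowing it, since not every listening service needs to be reachable from outside.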

Block Pings:

When you run a ping test against a server's IP address, the server answers the request with a reply.

ping server_IP -t

This verifies that the server is online. To hide the server's visibility, you can block ping requests by editing the file:

sudo nano /etc/ufw/before.rules

Locate the line where it says:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Now on the last line where it says echo-request -j ACCEPT, change the ACCEPT to DROP. Save the file and reload the UFW:

sudo ufw reload

The firewall needs to be enabled for this to work. The server will now no longer answer ping requests.