How to Harden Ubuntu Server 18.04

5 simple ways to get the most out of Ubuntu security

By Jack Wallen
Jack Wallen is a former Lifewire writer, an award-winning writer for TechRepublic and Linux.com, and the voice of The Android Expert.
Updated February 13, 2020

Linux is well known for being one of the most secure operating systems available. But that doesn’t mean you can count on it to be as secure as possible right out of the box. There are a few quick, easy steps you can take to ensure your platform is even more secure. Here are five security-bolstering tasks to execute on a freshly installed Ubuntu Server 18.04 platform.

Secure Shared Memory

One of the first things you should do is secure the shared memory used on the system. If you’re unaware, shared memory can be used in an attack against a running service. Because of this, you’ll want to secure that portion of system memory. You can do this by modifying the /etc/fstab file. Here's how:

Open the file for editing by issuing the command:

    sudo nano /etc/fstab

Next, add the following line to the bottom of that file:

    tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Save and close the file.

In order for the changes to take effect, you must reboot the server with this command:

    sudo reboot

Enable SSH Login for Specific Users Only

Secure Shell (SSH) is the tool you’ll use to log in to your remote Linux servers. Although SSH is fairly secure by default, you can make it even more secure by enabling SSH login only for specific users, for example, if you only want to allow SSH entry for the user jack, from IP address 192.168.1.162. Here's how to do this:

Open a terminal window.

Open the SSH config file for editing with this command:

    sudo nano /etc/ssh/sshd_config

At the bottom of the file, add the line:

    AllowUsers jack@192.168.1.162

Save and close the file.
Restart sshd with this command:

    sudo systemctl restart sshd

Secure Shell will now only allow entry by user jack from IP address 192.168.1.162. If a user other than jack attempts to SSH into the server, they will be prompted for a password, but the password will not be accepted (regardless of whether it's correct), and entrance will be denied.

You can make use of wildcards, for example, to grant access to all users from a specific IP address. If you want to allow all users on your local area network to be able to access the server via SSH, you'd add the following line:

    AllowUsers *@192.168.1.*

Restart the SSH server, and you're good to go.

Include a Security Login Banner

Although adding a security login banner might not seem like the most effective security measure, it does have its benefits. For example, if an unwanted user gains access to your server, and if they see you've taken the effort and care to include specific information in a login banner (warning them of the consequences of their actions), they might think twice about continuing on. This is such an easy step it shouldn't be overlooked. Here's how to set it up:

Open a terminal window.

Issue the command:

    sudo nano /etc/issue.net

Edit the file to add a suitable warning. Save and close the file.

Next, disable the banner message from Message Of The Day (motd). Open a terminal and issue the command:

    sudo nano /etc/pam.d/sshd

With this file open for editing, comment out the following two lines (adding a # to the beginning of each line):

    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate

Next, open the /etc/ssh/sshd_config with the command:

    sudo nano /etc/ssh/sshd_config

Uncomment the line (remove the # symbol):

    Banner /etc/issue.net

Save and close that file.

Restart the SSH server with the command:

    sudo systemctl restart sshd

Now, when someone logs into your server via SSH, they'll see your newly added banner warning them of any consequences of further action.
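The two AllowUsers forms from the SSH section above can be reasoned about offline before sshd is restarted. The following is an added example, not part of the original article: a simplified shell model of the USER@HOST match (wildcards against the client address only). The function name, the sample config and the user name olivia are constructed for illustration.

```sh
#!/bin/sh
# Added example: simplified model of sshd's AllowUsers check.
# Models only the * and ? wildcards against the client address; real sshd
# also checks the client's hostname and accepts CIDR host parts and negated
# patterns, and AllowUsers inside Match blocks is not handled here.

# Constructed sample config: the single-user line from the article.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
#AllowUsers *@192.168.1.*
AllowUsers jack@192.168.1.162
EOF

# allow_users_permits CONFIG USER ADDR
# Returns 0 if the login would pass the AllowUsers check, 1 otherwise.
allow_users_permits() {
    conf=$1 user=$2 addr=$3
    patterns=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$conf")
    # No active AllowUsers line: logins are not restricted by this directive.
    if [ -z "$patterns" ]; then return 0; fi
    set -f    # keep the shell from expanding * against file names
    for p in $patterns; do
        case $p in
            *@*) upat=${p%@*} hpat=${p##*@} ;;   # USER@HOST form
            *)   upat=$p hpat='*' ;;             # bare USER: any host
        esac
        case $user in $upat) ;; *) continue ;; esac
        case $addr in $hpat) set +f; return 0 ;; esac
    done
    set +f
    return 1
}

# Constructed logins to evaluate against the sample config.
for login in jack@192.168.1.162 jack@192.168.1.20 olivia@192.168.1.162; do
    if allow_users_permits "$SAMPLE_CONF" "${login%@*}" "${login#*@}"; then
        echo "$login: permitted"
    else
        echo "$login: denied"
    fi
done
```

Note that 192.168.1.* is a string wildcard, not a netmask: it matches any address that begins with "192.168.1.".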
Restrict SU Access

Unless configured otherwise, Linux users are able to use the su command to change to a different user. When they do that, they gain the privileges granted to that other user. So if user A (who has limited access to the server) uses su to change to user B (who has less limited access to the server), user A is now user B and can do more to the server. Because of this, you’ll want to disable access to the su command. Here's how:

First, create a new admin group on the server with this command:

    sudo groupadd admin

Next, add users to this group. Say you want to add user jack to the group. The command for this is:

    sudo usermod -a -G admin jack

If you’re logged in as user jack, you’ll have to log out and log back in for the changes to take effect.

Now we grant access to the su command to the admin group with the command:

    sudo dpkg-statoverride --update --add root admin 4750 /bin/su

If you log in to your Ubuntu server as the user jack, and attempt to use the su command to switch to another user, it will be allowed. Why? Because jack is a member of admin. Any other user will be denied access to the su command.

Install fail2ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban will block access from that IP address. Here's how to install fail2ban:

Open a terminal window and issue this command:

    sudo apt-get install fail2ban

Within the directory /etc/fail2ban, you'll find the main configuration file, jail.conf. Also in that directory is the subdirectory, jail.d. The jail.conf file is the main configuration file and jail.d contains the secondary configuration files. Do not edit the jail.conf file.
Instead, we’ll create a new configuration that will monitor SSH logins with the command:

    sudo nano /etc/fail2ban/jail.local

In this new file, add the following contents:

    [sshd]
    enabled = true
    port = 22
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3

This configuration enables the jail, sets the SSH port to be monitored to 22, uses the sshd filter, and sets the log file to be monitored. Save and close that file.

Restart fail2ban with the command:

    sudo systemctl restart fail2ban

If you attempt to Secure Shell into that server and fail the login three times (set as the default by fail2ban), access will then be blocked from the IP address you are working from.