How to Harden Ubuntu Server 18.04

5 simple ways to get the most out of Ubuntu security

Linux is well-known for being one of the most secure operating systems available. But that doesn't mean you can count on it to be as secure as possible right out of the box. There are a few quick, easy steps you can take to ensure your platform is even more secure.

Here are five security-bolstering tasks to execute on a freshly installed Ubuntu Server 18.04 platform.

Secure Shared Memory

One of the first things you should do is secure the shared memory used on the system. If you're unaware, shared memory can be used in an attack against a running service. Because of this, secure that portion of system memory. You can do this by modifying the /etc/fstab file. Here's how:

  1. Open the file for editing by issuing the command:

    sudo nano /etc/fstab
  2. Add the following line to the bottom of that file:

    tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
  3. Save and close the file.

  4. For the changes to take effect, reboot the server with this command:

sudo reboot
Configuring secured shared memory in Ubuntu Server 18.04

Enable SSH Login for Specific Users Only

Use the Secure Shell (SSH) tool to log in to your remote Linux servers. Although SSH is fairly secure by default, you can make it more secure by enabling SSH login only for specific users, for example, if you only want to allow SSH entry for the user jack, from IP address 192.168.1.162.

Here's how to do this:

  1. Open a terminal window.

  2. Open the SSH config file for editing with this command:

    sudo nano /etc/ssh/sshd_config
  3. At the bottom of the file, add the line:

    AllowUsers jack@192.168.1.162
    Enabling SSH login to specific users on Ubuntu Server 18.04.
  4. Save and close the file.

  5. Restart sshd with this command:

sudo systemctl restart sshd

Secure Shell will now only allow entry by user jack from IP address 192.168.1.162. If a user other than jack attempts to SSH into the server, they are prompted for a password, but the password will not be accepted (regardless if it's correct), and entrance will be denied.

You can make use of wildcards, for example, to grant access to all users from a specific IP address. If you want to allow all users on your local area network access to the server via SSH, add the following line:

AllowUsers *@192.168.1.*

Restart the SSH server, and you're good to go.

Include a Security Login Banner

Although adding a security login banner might not seem like the most effective security measure, it has benefits. For example, if an unwanted user gains access to your server, and if they see that you included specific information in a login banner (warning them of the consequences of their actions), they might think twice about continuing. Here's how to set it up:

  1. Open a terminal window.

  2. Issue the command:

    sudo nano /etc/issue.net
  3. Edit the file to add a suitable warning.

  4. Save and close the file.

  5. Disable the banner message from Message Of The Day (motd). Open a terminal and issue the command:

    sudo nano /etc/pam.d/sshd
  6. With this file open for editing, comment out the following two lines (adding a # to the beginning of each line):

    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate
  7. Next, open /etc/ssh/sshd_config with the command:

    sudo nano /etc/ssh/sshd_config
  8. Uncomment the line (remove the # symbol):

    Banner /etc/issue.net
  9. Save and close that file.

  10. Restart the SSH server with the command:

    sudo systemctl restart sshd
  11. When someone logs into your server using SSH, they see your newly added banner warning them of any consequences of further action.

    Adding a security login banner for Ubuntu Server 18.04.

Restrict SU Access

Unless configured otherwise, Linux users can use the su command to change to a different user. When they do that, they gain the privileges granted to that other user. So if user A (who has limited access to the server) uses su to change to user B (who has less limited access to the server), user A is now user B and can do more to the server. Because of this, disable access to the su command. Here's how:

  1. Create a new admin group on the server with this command:

    sudo groupadd admin
  2. Add users to this group, for example, to add user jack to the group. The command for this is:

    sudo usermod -a -G admin jack

    If you're logged in as user jack, log out and log back in for the changes to take effect.

  3. Grant access to the su command to the admin group with the command:

    sudo dpkg-statoverride --update --add root admin 4750 /bin/su
  4. If you log in to your Ubuntu server as the user jack and attempt to use the su command to switch to another user, it is allowed because jack is a member of admin. Other users are denied access to the su command.

    Restricting su access on Ubuntu Server 18.04.

Install fail2ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.

Here's how to install fail2ban:

  1. Open a terminal window and issue this command:

    sudo apt-get install fail2ban
  2. The directory /etc/fail2ban contains the main configuration file, jail.conf. Also in that directory is the subdirectory, jail.d. The jail.conf file is the main configuration file and jail.d contains the secondary configuration files. Do not edit the jail.conf file. Instead, create a new configuration that monitors SSH logins. Enter the following command:

    sudo nano /etc/fail2ban/jail.local
  3. In this new file, add the following contents:

    [sshd]
    enabled = true
    port = 22
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3

    This configuration enables the jail, sets the SSH port to be monitored to 22, uses the sshd filter, and sets the log file to be monitored.

  4. Save and close that file.

  5. Restart fail2ban with the command:

    sudo systemctl restart fail2ban
  6. If you attempt to Secure Shell into that server and fail the login three times (set as the default by fail2ban), access is blocked from the IP address you are working from.

    Installing fail2ban on Ubuntu Server 18.04.