How to Harden Ubuntu Server 18.04

5 simple ways to get the most out of Ubuntu security

Linux is well known for being one of the most secure operating systems available. But that doesn’t mean you can count on it to be as secure as possible right out of the box. There are a few quick, easy steps you can take to ensure your platform is even more secure.

Here are five security-bolstering tasks to execute on a freshly installed Ubuntu Server 18.04 platform.

Secure Shared Memory

One of the first things you should do is secure the shared memory used on the system. If you’re unaware, shared memory can be used in an attack against a running service. Because of this, you’ll want to secure that portion of system memory. You can do this by modifying the /etc/fstab file. Here's how:

  1. Open the file for editing by issuing the command:

    sudo nano /etc/fstab
  2. Next, add the following line to the bottom of that file:

    tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
  3. Save and close the file.

  4. In order for the changes to take effect, you must reboot the server with this command:

sudo reboot
Configuring secured shared memory in Ubuntu Server 18.04

Enable SSH Login for Specific Users Only

Secure Shell (SSH) is the tool you’ll use to log in to your remote Linux servers. Although SSH is fairly secure by default, you can make it even more secure by enabling SSH login only for specific users, for example, if you only want to allow SSH entry for the user jack, from IP address 192.168.1.162.

Here's how to do this:

  1. Open a terminal window.

  2. Open the SSH config file for editing with this command:

    sudo nano /etc/ssh/sshd_config

  3. At the bottom of the file, add the line:

    AllowUsers jack@192.168.1.162
    Enabling SSH login to specific users on Ubuntu Server 18.04.
  4. Save and close the file.

  5. Restart sshd with this command:

sudo systemctl restart sshd

Secure Shell will now only allow entry by user jack from IP address 192.168.1.162. If a user other than jack attempts to SSH into the server, they will be prompted for a password, but the password will not be accepted (regardless if it's correct), and entrance will be denied.

You can make use of wildcards, for example, to grant access to all users from a specific IP address. If you want to allow all users on your local area network to be able to access the server via SSH, you'd add the following line:

AllowUsers *@192.168.1.*

Restart the SSH server, and you're good to go.

Include a Security Login Banner

Although adding a security login banner might not seem like the most effective security measure, it does have its benefits. For example, if an unwanted user gains access to your server, and if they see you've taken the effort and care to include specific information in a login banner (warning them of the consequences of their actions), they might think twice about continuing on. This is such an easy step it shouldn't be overlooked. Here's how to set it up:

  1. Open a terminal window.

  2. Issue the command:

    sudo nano /etc/issue.net
  3. Edit the file to add a suitable warning.

  4. Save and close the file.

  5. Next, disable the banner message from Message Of The Day (motd). Open a terminal and issue the command:

    sudo nano /etc/pam.d/sshd
  6. With this file open for editing, comment out the following two lines (adding a # to the beginning of each line):

    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate
  7. Next, open the /etc/ssh/sshd_config with the command:

    sudo nano /etc/ssh/sshd_config
  8. Uncomment the line (remove the # symbol):

    Banner /etc/issue.net
  9. Save and close that file.

  10. Restart the SSH server with the command:

    sudo systemctl restart sshd
  11. Now, when someone logs into your server via SSH, they'll see your newly added banner warning them of any consequences of further action.

    Adding a security login banner for Ubuntu Server 18.04.

Restrict SU Access

Unless configured otherwise, Linux users are able to use the su command to change to a different user. When they do that, they gain the privileges granted to that other user. So if user A (who has limited access to the server) uses su to change to user B (who has less limited access to the server), user A is now user B and can do more to the server. Because of this, you’ll want to disable access to the su command. Here's how:

  1. First, create a new admin group on the server with this command:

    sudo groupadd admin
  2. Next, add users to this group. Say you want to add user jack to the group. The command for this is:

    sudo usermod -a -G admin jack

    If you’re logged in as user jack, you’ll have to log out and log back in for the changes to take effect.

  3. Now we grant access to su command to the admin group with the command:

    sudo dpkg-statoverride --update --add root admin 4750 /bin/su
  4. If you log in to your Ubuntu server as the user jack, and attempt to use the su command to switch to another user, it will be allowed. Why? Because jack is a member of admin. Any other user will be denied access to the su command.

    Restricting su access on Ubuntu Server 18.04.

Install fail2ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban will block access from that IP address.

Here's how to install fail2ban:

  1. Open a terminal window and issue this command:

    sudo apt-get install fail2ban
  2. Within the directory /etc/fail2ban, you'll find the main configuration file, jail.conf. Also in that directory is the subdirectory, jail.d. The jail.conf file is the main configuration file and jail.d contains the secondary configuration files. Do not edit the jail.conf file. Instead, we’ll create a new configuration that will monitor SSH logins with the command:

    sudo nano /etc/fail2ban/jail.local
  3. In this new file, add the following contents:

    [sshd]
    enabled = true
    port = 22
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3

    This configuration enables the jail, sets the SSH port to be monitored to 22, uses the sshd filter, and sets the log file to be monitored.

  4. Save and close that file.

  5. Restart fail2ban with the command:

    sudo systemctl restart fail2ban
  6. If you attempt to Secure Shell into that server and fail the login three times (set as the default by fail2ban), access will be then blocked from the IP address you are working from.

    Installing fail2ban on Ubuntu Server 18.04.