How to Harden Ubuntu Server 18.04 in 5 Easy Steps

Get the most out of Ubuntu security with your newly installed server platform

Linux is well known for being one of the most secure operating systems available. That doesn’t mean, out of the box, you can count on it to be as secure as possible. In fact, there are a few quick steps you can take to ensure your platform is even more secure. Here are five tasks to take care of on a freshly-installed Ubuntu Server 18.04 platform.

Secure Shared Memory

Configuring secured shared memory in Ubuntu Server 18.04

One of the first things you should do is secure the shared memory used on the system. If you’re unaware, shared memory can be used in an attack against a running service. Because of this, you’ll want to secure that portion of system memory. You can do this by modifying the /etc/fstab file.

First, you must open the file for editing by issuing the command:

sudo nano /etc/fstab

Next, add the following line to the bottom of that file:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Save and close the file. In order for the changes to take effect, you must reboot the server with the command:

sudo reboot

Enable SSH Login For Specific Users Only

Enabling SSH login to specific users on Ubuntu Server 18.04.

Secure Shell (SSH) is the tool you’ll use to log into your remote Linux servers. Although SSH is fairly secure, by default, you can make it even more so, by enabling SSH login only for specific users. Let's say you want to only allow SSH entry for the user jack, from IP address 192.168.1.162. Here's how you would do this.

  1. Open a terminal window.
  2. Open the ssh config file for editing with the command sudo nano /etc/ssh/sshd_config.
  3. At the bottom of the file, add the line AllowUsers jack@192.168.1.162.
  4. Save and close the file.
  5. Restart sshd with the command sudo systemctl restart sshd.

Secure Shell will now only allow entry by user jack, from IP address 192.168.1.162. If a user, other than jack, attempts to SSH into the server, they will be prompted for a password, but the password will not be accepted (regardless if it's correct), and entrance will be denied.

You can make use of wildcards, such that all users from a specific IP Address are granted access. Say you want to allow all users on your local area network to be able to access the server via ssh. You would add the following line:

AllowUsers *@192.168.1.*

Restart the ssh server, and you're good to go.

Include a Security Login Banner

Adding a security login banner for Ubuntu Server 18.04.

Although adding a security login banner might not seem like the most effective security measure you can enact, it does have its benefits. For example, if an unwanted user gains access to your server, and if they see you've taken the effort and care to include specific information in a login banner (warning them of the consequences of their actions), they might think twice about continuing on. This is such an easy step, it shouldn't be overlooked. How to you set this up? Like so.

First, create a custom login banner by following these steps:

  1. Open a terminal window.
  2. Issue the command sudo nano /etc/issue.net.
  3. Edit the file to add a suitable warning.
  4. Save and close the file.

Next, disable the banner message from Message Of The Day (motd). Open a terminal and issue the command:

sudo nano /etc/pam.d/sshd

With this file open for editing, comment out the following two lines (adding a # to the beginning of each line):

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

Next, open the /etc/ssh/sshd_config with the command:

sudo nano /etc/ssh/sshd_config

Uncomment the line (remove the # symbol):

Banner /etc/issue.net

Save and close that file.

Restart the SSH server with the command:

sudo systemctl restart sshd

At this point, anytime someone logs into your server, via ssh, they will see your newly added banner warning them of any consequences of further action.

Restrict SU Access

Restricting su access on Ubuntu Server 18.04.

Unless configured otherwise, Linux users are able to use the su command to change to a different user. When they do that, they then gain the privileges granted to that other user. So if user A (who has limited access to the server) uses su to change to user B (who has less limited access to the server), user A is now user B and can do more to the server. Because of this, you’ll want to disable access to the su command.

The first thing to do is create a new admin group on the server. Do this with the command:

sudo groupadd admin

Next add users to this group. Say you want to add user jack to the group. The command for this is:

sudo usermod -a -G admin jack

If you’re logged in as user jack, you’ll have to log out and log back in for the changes to take effect.

Now we grant access to su command to the admin group with the command:

sudo dpkg-statoverride --update --add root admin 4750 /bin/su

If you login to your Ubuntu server as the user jack, and attempt to use the su command to switch to another user, it will be allowed. Why? Because jack is a member of admin. Any other user will be denied access to the su command.

Install fail2ban

Installing fail2ban on Ubuntu Server 18.04.

The fail2ban system is an intrusion prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban will block access from that IP address.

To install fail2ban, open a terminal window and issue the command:

sudo apt-get install fail2ban

Within the directory /etc/fail2ban, you'll find the main configuration file, jail.conf. Also in that directory is the subdirectory, jail.d. The jail.conf file is the main configuration file, and jail.d contains the secondary configuration files. Do not edit the jail.conf file. Instead, we’ll create a new configuration that will monitor SSH logins with the command:

sudo nano /etc/fail2ban/jail.local

In this new file add the following contents:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

This configuration does the following:

  • Enables the jail.
  • Sets the SSH port to be monitored to 22.
  • Uses the sshd filter.
  • Sets the log file to be monitored.

Save and close that file. Restart fail2ban with the command:

sudo systemctl restart fail2ban

If you attempt to Secure Shell into that server, and fail the login three times (set as the default by fail2ban), access will be then blocked from the IP address you are working from.