How to-Ubuntu Hardening Security Best Practices Checklist

How To – Ubuntu Hardening Security Best Practices Checklist. In this post, we will explain some major tips to harden your Ubuntu server.

It’s easy to assume that your server is already secure. Do not fall into this hypothesis and do not expose yourself to a security breach. Learn more in the article below, published here on our blog.

The negative career implications of choosing Ubuntu host are too serious, so I’ll share all the steps you need to take to secure your Ubuntu host.

It is important to know that the Ubuntu operating system has so many distributions and each distribution is different from a command line point of view, but the logic is the same.

Here are some Ubuntu Hardening Security Best Practices Checklist that helps you to strengthen your Ubuntu box. Let’s start.

Role of Hardening in Ubuntu Server Security

When it comes to Ubuntu server security, one of the biggest concerns is how long it takes for your system to detect and respond to an attack.

The answer: not as long as you might think. This is because many of these vulnerabilities are not immediately detected by the system. Rather, they must user action.

Without this extra effort, Ubuntu servers can be vulnerable. Complicating matters further is the fact that many of today’s major security initiatives focus on the front office rather than the server rack.

This opens up many opportunities for attackers to get sensitive data, and the results can be devastating.

The good news? There is no need to take a passive approach and give in to Ubuntu server security issues. A strategic protocol focused on risk prevention and early mitigation can make all the difference.

Ubuntu Hardening Security Best Practices Checklist

1. Use Strong and Unique Passwords

When it comes to passwords, it’s important to remember that the strength of a password is not about the length.

It’s also about how you use special characters or upper and lower case letters. The same password should never be used for many users or software systems. Don’t forget to configure the end date, because no password can provide enough security .

Use tools third party tools, such as “John the ripper” to find out weak users passwords on your server. You can also use the pwgen command line tool to generate a strong password:

					pwgen -N 1 -s 30




2. Generate an SSH Key Pair

If you are a regular user of your private server, it’s likely that you rely on easy to guess passwords. Your private server is there to provide secure access to sensitive information, but these same users are often not the most secure when it comes to their own security.

In this case, strong passwords might be enough to protect you and your data. But, stronger measures are available that will make sure your private server stays safe. Stronger measures include SSH keys and key pairs.

With SSH key pairs in particular are worth implementing as these systems are much more difficult to brute force hack. Before using SSH keys, it’s important to understand why you might want to install them instead of the default username and password configuration. While passwords are more convenient for regular users, those same users tend to rely on easy to guess options that leave the entire security infrastructure vulnerable.

Although not as as passwords, SSH key pairs are much more secure. An SSH key pair represents at least the equal of a 12 character password. Update Your Software.

Run the following command to generate an SSH key then copy it to the remote server for secure access:

					ssh-keygen -t rsa
ssh-copy-id root@your-server-ip

3. Enable Automatic Updates

You’re already aware that it’s important to keep your Ubuntu server up to date, but you might not be doing enough to make sure your software is secure.

The reason for this is simple: without instant updates, software can be exploitable and easy for hackers to access. If you don’t update it, that may not be long before you find out.

There are a variety of accessible options available to help you update Ubuntu. These include command lines and the Ubuntu Update Manager.

This best practice goes hand in hand with our last suggestion for making Ubuntu servers more secure. If you’re struggling to manage the countless security updates required, consider implementing an automated approach.

Enabling automatic updates ensures that software security measures remain up to date even if you neglect to apply necessary updates because you are busy with other concerns.

To update all system packages manually, run the following command:

					apt update -y
apt upgrade -y

To enable the automatic update on Ubuntu machine, edit the /etc/apt/apt.conf.d/50unattended-upgrades file:

					nano /etc/apt/apt.conf.d/50unattended-upgrades

Uncomment the following line:


4. Remove Unnecessary Software

It’s tempting to get a little bit ahead of the game with new software, but sometimes it’s better to wait.

In fact, some web services aren’t necessary at all. Each more program provides another opportunity for your server to be compromised by malicious actors in the future.

While it’s tempting to install exciting new programs when they first become available, this approach could create serious security issues in the long run. Over time, even the most efficient systems can become bogged down and bloated with unused, inconvenient, or redundant programs.

It is recommended that you perform a system wide audit of all software at least once a year. By making this simple commitment, you can optimize your server and keep it running as as possible, even as you add new programs.

You can run the following command to remove unwanted software packages from your system:

					apt remove package-name
apt clean
apt autoremove

5. Disable Booting from External Devices

Malicious parties can use external devices to gain access to sensitive information. These devices include USB thumb drives and other storage media.

By disabling booting for external devices, you can reduce the potential for physical attacks, which can be as damaging as hacking.

You can disable the external device from the BIOS setting. After setting up BIOS, you can set BIOS password to protect these settings.

You can also disable the USB device, by creating the following file:

					nano /etc/modprobe.d/block_usb.conf

Add the below mentioned line:

					install usb-storage /bin/true

6. Close Hidden Open Ports

It turns out that when you’re trying to secure your network, you can’t see the forest for the holes in your firewall. Open ports can reveal information about network architecture as attack surfaces expand. Thus, gates that are not necessary should be closed .

The netstat or ss command can be used to determine which ports are listening, while also revealing the details of currently available connections.

Both commands are powerful tool for figuring out what is happening on your network and how to close any potential gaps in your defenses.

To check the listening ports, run the following command:

					ss -antp

This will display a list of all listening port in your system. Next, you can use the UFW firewall command to disable your desired port:

					ufw deny port-number

7. Scan Log Files with Fail2ban

You’ve been confronted with an authentication failure, and you know exactly what it means. Someone has attempted to log in to your server, without success.

But how do you know?

Many of the best known methods of detecting brute force attacks are either too slow or too impractical for most organizations. These include using monitoring tools like Nagios or syslog, which can take hours or even days to detect the attacks. Other solutions, like the ones suggested by this guide, are too complex for most administrators.

There is one solution that is both effective and easy to use: Fail2ban intrusion prevention software. This system modifies the firewall rules on your Ubuntu server so that any address that has attempted to log in a certain number of times is blocked from accessing resources on your system.

It can be used as a preventative measure against authentication failures as well as an alert system for administrators who need immediate notification when something goes wrong with their servers!

You can install the Fail2Ban firewall using the following command:

					apt install fail2ban

After installing the Fail2Ban, you can configure SSH and HTTP services to protect them from the login attempts.

8. Use Backups and Test Them Often

Well the Ubuntu servers are created to serve their users. They offer a variety of services and provide access to critical data.

These servers can be attacked by hackers in the event of a breach. Offsite backups are essential for Ubuntu servers. In the event of a breach, these can ensure that critical data remains accessible.

They are particularly useful in the event of a ransomware attack. While they cannot completely prevent ransomware issues, they can ensure that damage is limited in the worst case scenario by retaining access to important data.

With the rsync application is a popular Ubuntu backup option. It has a variety of features that allow you to create daily backups or exclude specific files from copying.

It’s versatile, making it a great option for a variety of Ubuntu server security strategies. Feel free to use it to back up files or take it a step further and configure it to sync with different hosts on the internet.

9. Perform Security Audits

The biggest security threat to your Ubuntu server is the fact that you don’t know what it’s capable of. The more customized it is, the more vulnerable it can be to attack.

This is why performing regular security audits is so important. Assists by allowing you to identify where the gaps in your system are and to makes sure they’re fixed before something bad happens.

You can use the Lynis free security auditing tool to perform the full security audit of your Ubuntu system. Run the following command to install the Lynis:

					apt install lynis

After installing the package, run the following command to perform the security audit:

					lynis audit system

That’s it for How To – Ubuntu Hardening Security Best Practices Checklist. Thank you for your time.

How To - Ubuntu Hardening Security Best Practices Checklist Conclusion

In this Ubuntu Hardening Security Best Practices Checklist post, I have explained all possible tips and tricks to secure your Ubuntu system.

Concluding Ubuntu is a great server operating system to use. It’s resilient, secure and reliable, but it can be hard to secure. With the right tools, you can make your Ubuntu server more difficult to attack and even help prevent attacks from successful attempts.

We hope that you treat Ubuntu hardening and server security not like a one time feature. Remember it’s an ongoing journey that requires regular audits, software patches and data backups. Your efforts to meet these necessities could save you a lot of trouble, should things take a wrong turn.

Take your time to install a stronger password policy and some basic security commands. You will be rewarded with a more powerful server that manages to circumvent some of today’s most alarming security threats.

Avatar for Hitesh Jethva
Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.

5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x