After we installed ubuntu server on our machine we need to secure it in order to prevent hacker to access sensitive data on our server. Let’s presume the ip server is

First we need to login via ssh protocol in the machine from terminal (in Linux machines ) or via putty in Windows ( putty can be used from Linux as well ) , the default user we need to use to access the server is the admin user ( root )

ssh root@

default password ( if is a local machine than is the password we setup , if is a vps or physic server from a provider they has setup a default password for you )

Once we are logged in need to create a new user, in this way we will disable the root access via ssh, this for security reason, every hacker know the root user and the first attack they will try to launch is is from this user, so we need to disable it.
adduser john
After this we need to answer some question including here also the password we need to use.
Now we created a new user and need to have root privileges
gpasswd -a john sudo
What we did was to include the john user to sudo group allowing root privileges

Now we need to make some changes on ssh configuration.
nano /etc/ssh/sshd_config
Need to make some changes like the following

PermitRootLogin no

Port 456789 (this port number is optional, we can choose any number we want if free port )
service ssh restart
What we did so far was to change the ssh port and to disallow the root user to login via ssh.
So if a attack will happened via ssh the default port ( 22 ) will be closed and so the attack will not take place, even if the attacker find the correct port he need to find the username as well because the root user is disabled via ssh.

After restarted the ssh service please open a new terminal and try to login with the new credentials
ssh -p 456789 john@
We should be able to login into the server.
Also we can setup public key authentication increasing the server security.
First need to generate a key pair
Just hit enter during the process.

Now we need to install the key into our server, first we need to check our public key in our loca machine
cat ~/.ssh/
Copy the result and login into the ubuntu server machine and pasting into the following file
nano .ssh/authorized_keys
After need to change the user permission so no one can modify the file, only the owner ( john ) can read.

The next step to secure the server is the firewall.
First we need to create some rules

Open 456789 ssh port in order to login
sudo ufw allow 456789/tcp
Open the default http webserver port
sudo ufw allow 80/tcp
Https if we need to enable ssl/tls
sudo ufw allow 443/tcp
Smtp for sending email
sudo ufw allow 25/tcp
Next we can enable the firewall with the following command
sudo ufw enable
In this way we will allow only certain ports open, the rest will remain closed until we will need them.

What if our machine is attacked with brute force or via bad bots?
We need to implement another service called fail2ban or deny2host.

Fail2ban interact with the server firewall creating automatically firewall rules.

First we need to install it
sudo apt-get update && sudo apt-get install fail2ban
Copy the conf file to another file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we need to work on the .local file in order to secure our server.
sudo nano /etc/fail2ban/jail.local
Please change the following lines

ignoreip = (here we can add our public ip so fail2ban will whitelist us )

bantime = 600 (the time per seconds an ip is banned if security rules broken )

The next step is to enable for every specific service the fail2ban monitoring tool.

For example:

[nginx-http-auth] → ( nginx httpd authentication service)
enabled = true → ( enabled, this service is currently monitored from fail2ban)
filter = nginx-http-auth → ( fail2ban filters )
port = http,https → ( what port fail2ban should check , in this case are 80, 443 )
logpath = /var/log/nginx/error.log ( here fail2ban check the logs and if 1ip make a lot of unusual request fail2ban will create an ip rule in order to ban the ip for the amount of time we setup )

In this way we can setup for every service we use fail2ban so can add firewall rules automatically.

So far we have build a secure ubuntu server, but we can do more in this area.
Another way to secure our server is from our web server, opening the web via 443 port ( https ) is more secure.
In order to do so we need to install first openssl.
sudo apt-get install openssl
Generate key for the csr certificate
openssl genrsa -des3 -out server.key 2048
Please check the displayed questions and answer in the correct way. Now we have the crt file and the key as well. According to the webserver we will use, apache or nginx we need to make the proper configuration for the certificate.
In this way the web connection with the server will be secured.
In order to secure every aspect of the server we should not use ftp protocol, this protocol will transmit data via internet in a non secure way, instead we can use vsftpd of ftp with tls connection securing our data transmition.
No metter how secure is the server we always should take a backup of the server + data somewhere else, so if something happens we will always have a backup.

Prevent IP Spoofing
sudo vi /etc/host.conf
Add the following lines
order bind,hosts
nospoof on

Secure php
sudo vi /etc/php5/apache2/php.ini
add or edit the following lines
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off

Install a daemon in order to keep an eye on the server logs. For this purpose we will install logwatch package.
apt-get install logwatch
nano /etc/cron.daily/00logwatch
We will add this line in order to receive reports daily mail
/usr/sbin/logwatch --output mail --mailto --detail high
Another tool for monitoring the server is Clamav for scanning the server from viruses.
sudo apt-get install clamav clamav-daemon
Update the clamav virus databases
sudo freshclam
After finished we can take a look on our server by running this command
clamscan -r --bell -i /
This will display only infected files. Also we can make a cron job for this purpose in order to check periodically the logs
00 00 * * * clamscan -r /location_of_files_or_folder
In this way we will have a better view of our server security.
Some other tricks to secure the ubuntu server can be the following:
– Allow mysql connection only from our localhost ( our server )
– Permit only one user to login via ssh, disable the multi user access on the server
Also we can add some more configuration preventing bad routing and malformed ip.
sudo nano /etc/sysctl.conf

IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

Ignore send redirects

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Block SYN attacks

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
After we need to reload the syscti service
sudo sysctl -p
We can install chkrootkit as well in order to check for rootkit
sudo apt-get install rkhunter chkrootkit
sudo chkrootkit

In order to update the chkrootkit
sudo rkhunter –update
sudo rkhunter --propupd
sudo rkhunter –check

Tiger can be another choice for monitoring and audit securing the system
sudo apt-get install tiger
sudo tiger

After we can check the tiger reports from this command
sudo less /var/log/tiger/*

4 thoughts on “Securing Ubuntu server 14.04”

Leave a Reply

Your email address will not be published. Required fields are marked *