Thursday, October 3, 2024

How to Hardening Ubuntu 24.10 Security

  October 03, 2024 Ihsanuddin Idharo   , ,   No comments   Edit

When setting up a new Ubuntu server, security should be a top priority. This tutorial walks you through the essential steps for hardening your server, ensuring its resilience against potential threats.

1. Enabling Automatic Updates

Start by ensuring your server is always up-to-date with the latest security patches. Automatic updates provide a continuous defense against vulnerabilities.

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

2. Creating a New Sudo User

It's crucial to avoid logging in as the root user for everyday tasks. Create a dedicated user with sudo privileges for enhanced security.

adduser <username>
usermod -aG sudo <username>

3. Hardening SSH Access

SSH access is a critical entry point to your server, so we need to implement robust security measures.

a. Enabling SSH Keys

SSH keys provide a more secure alternative to password-based logins.

  1. Generate an SSH key pair:

          ssh-keygen -t rsa -b 4096  -C  "youremail@example.com"

  2. Copy the public key to the server:

          ssh-copy-id username@hostname_ip

    (If you saved the key under a different name or path, specify the exact path to the public key.)

b. Disabling Password Logins

Once SSH keys are successfully configured, disable password-based logins.

  1. Edit the SSH config file:

          sudo nano /etc/ssh/sshd_config

  2. Set PasswordAuthentication to no:

          PasswordAuthentication no

  3. Ensure PubKeyAuthentication is set to yes:

          PubKeyAuthentication yes

  4. Restart the SSH server:

          sudo systemctl restart ssh

c. Disabling Root User Logins

To further strengthen security, disable root logins via SSH.

  1. Edit the SSH config file:

          sudo nano /etc/ssh/sshd_config

  2. Set PermitRootLogin to no:

          PermitRootLogin no

  3. Configure other security settings:

    • MaxAuthTries: Set the maximum login attempts per IP address (consult your company policies).

    • PermitEmptyPasswords: Ensure this is set to no.

    • ChallengeResponseAuthentication: Set to no unless you're setting up 2FA.

  4. Save and restart the SSH server:

          sudo systemctl restart ssh

4. Changing the Default SSH Port

The default SSH port (22) is widely known, making it a target for brute-force attacks. Change the port to a less common one to reduce vulnerability.

  1. Edit the SSH config file:

          sudo nano /etc/ssh/sshd_config

  2. Modify the Port setting:

          Port <your_custom_port>

    (Choose a non-standard port and ensure your firewall allows traffic on this new port.)

  3. Restart the SSH server:

          sudo systemctl restart ssh

5. Implementing Time-Based Two-Factor Authentication (2FA)

While SSH keys provide strong authentication, an additional layer of security with 2FA can significantly enhance protection.

  1. Install the Google Authenticator PAM module:

          sudo apt install libpam-google-authenticator

  2. Add the following line to /etc/pam.d/sshd:

          auth required pam_google_authenticator.so nullok

  3. Comment out the line @include common-auth:

          #@include common-auth

  4. Restart the SSH server:

          sudo systemctl restart ssh

  5. Adjust SSH config settings:

    • KbdInteractiveAuthentication: Set to yes.

    • ChallengeResponseAuthentication: Set to yes.

    • AuthenticationMethods: Set to publickey,keyboard-interactive.

    • UsePAM: Set to yes.

    • PasswordAuthentication: Set to no.

  6. Configure Google Authenticator:

          google-authenticator

    Follow the prompts, customizing the settings as needed. Remember to save the emergency scratch codes in a safe place.

  7. Restart the SSH server:

          sudo systemctl restart ssh

6. Installing Fail2Ban and UFW

Fail2Ban provides robust brute force protection by blocking IP addresses after a specified number of failed login attempts. UFW (Uncomplicated Firewall) helps manage incoming and outgoing traffic, creating a firewall for your server.

a. Installing Fail2Ban and UFW:

      sudo apt-get install fail2ban ufw

b. Configuring Fail2Ban:

  1. Edit the jail.local file:

          sudo nano /etc/fail2ban/jail.local

  2. Add the following configuration:

    [sshd]
enabled = true
port = <your_custom_port>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
findtime = 600

    Adjust the settings as needed.

  3. Enable and start Fail2Ban:

    sudo systemctl enable fail2ban
sudo systemctl start fail2ban

  4. Check jail status:

    sudo fail2ban-client status
sudo fail2ban-client status sshd

c. Configuring UFW:

  1. Allow traffic on necessary ports:

    sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow <your_custom_ssh_port>

  2. Set default rules:

    sudo ufw default deny incoming
sudo ufw default allow outgoing

  3. Use UFW commands for managing rules:

    • sudo ufw allow <port_number>: Allow traffic on a specific port.

    • sudo ufw deny <port_number>: Deny traffic on a specific port.

    • sudo ufw status: Display UFW status.

    • sudo ufw status numbered: Display status with rule IDs.

    • sudo ufw status verbose: Display status with default rules.

    • sudo ufw app list: List application profiles.

    • sudo ufw delete <rule_id>: Delete a rule by ID.

By following these steps, you have significantly strengthened your Ubuntu server's security, mitigating vulnerabilities and making it more resilient against potential attacks. Regularly review and update your security measures to maintain a robust security posture for your server.

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)