
    Securing a New Ubuntu Installation

    Prerequisites

    1. Before setting up Ubuntu Linux, you'll first need either a virtual machine or a physical or cloud-based server.
    2. Optional reading: Physical Servers vs. Cloud Hosting

    Tailing Your Logs

    Analyzing server logs is absolutely critical for monitoring the health of your servers. Until you have a robust logging and monitoring solution in place, you'll want to tail them in real time. Let's get to it.

    # tail the machine's syslog in the foreground
    sudo tail -f /var/log/syslog
    
    # you can also open up other panes in your terminal
    # to monitor the auth log, which is where sshd, sudo and
    # PAM record login attempts on Ubuntu
    sudo tail -f /var/log/auth.log
    
    # or even web server logs (adjust to the access_log path in your nginx config)
    sudo tail -f /var/log/nginx/exampledomain.com
    

    Now let's talk about what ends up in your auth log. If your server is exposed to the internet, you're probably going to see a growing list of authentication failure entries like this one (on Ubuntu, sshd logs through the AUTH facility, so these land in /var/log/auth.log rather than /var/log/syslog):

    Nov 17 14:25:56 hostname sshd[00000]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=root

    This is the result of brute-force attacks from bots trying password after password against the root account over SSH. Let's take some steps to stop them from reaching sshd at all, and to make sure a guessed password would get them nowhere even if they did.
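    Before blocking anything it helps to know who is knocking and which accounts they try. The script below is an added example, not part of the original tutorial: it pulls the source address and the attempted username out of pam_unix failure lines in the format shown above and counts them. The log lines embedded in it are constructed for offline use; point the functions at /var/log/auth.log on a real box.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise the pam_unix
# "authentication failure" lines that sshd writes to /var/log/auth.log, so you
# can see which addresses are hammering the box and which account names they
# guess. Sample lines below are constructed; on a real server run e.g.
#   failed_auth_by_host /var/log/auth.log

# Print "COUNT RHOST" for every source address, busiest first.
failed_auth_by_host() {
    grep 'sshd\[[0-9]*\]: pam_unix(sshd:auth): authentication failure' "$1" \
        | sed -n 's/.*rhost=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Print "COUNT USER" for every account name the bots tried.
# The leading space in the pattern keeps "ruser=" from matching.
failed_auth_by_user() {
    grep 'sshd\[[0-9]*\]: pam_unix(sshd:auth): authentication failure' "$1" \
        | sed -n 's/.*[[:space:]]user=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Addresses with at least $2 failures: candidates for a firewall DROP rule.
hosts_over_threshold() {
    failed_auth_by_host "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Constructed sample in the same format as the tutorial's log line
# (RFC 5737 documentation addresses, made-up timestamps and pids).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Nov 17 14:25:56 hostname sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Nov 17 14:25:58 hostname sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 17 14:26:01 hostname sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Nov 17 14:26:04 hostname sshd[1247]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Nov 17 14:26:07 hostname sshd[1251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=admin
Nov 17 14:26:10 hostname sshd[1260]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Nov 17 14:26:15 hostname sshd[1266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
EOF

echo "failures by source address:";    failed_auth_by_host "$SAMPLE_LOG"
echo "failures by account name:";      failed_auth_by_user "$SAMPLE_LOG"
echo "hosts with 3 or more failures:"; hosts_over_threshold "$SAMPLE_LOG" 3
```

    Only the pam_unix lines are counted; the "Failed password" and "Accepted publickey" lines are left alone so one attempt is not counted twice. On releases where sshd logs to the journal instead, feed the functions with journalctl -u ssh --no-pager.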

    Firewalling Off Port 22

    If you only connect to the server from one IP address, you can firewall off port 22 to everything except that address. Just know that if you ssh in from home and haven't arranged a static IP through your ISP, your dynamic IP will change periodically, and when it does you'll have no choice but to go through your hosting provider's control panel (console access) to update the iptables rules. Add the ACCEPT rule before the DROP rule, in exactly the order below, and keep your current session open until a fresh connection from your address succeeds.

    # allow SSH from your own address, then drop it from everyone else
    # (-A appends, so the ACCEPT must be added first)
    sudo iptables -A INPUT -p tcp -s my.own.ip.address --dport 22 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 22 -j DROP
    
    # review the live ruleset; iptables-save only prints it to stdout and
    # does not by itself make the rules survive a reboot
    sudo iptables-save
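    The two rules above do the job, but on their own they are easy to get wrong: a DROP added before the ACCEPT, or a ruleset that vanishes at the next reboot. The following is an added example, not the tutorial's own commands: it builds the same allow-list in an order that cannot cut off the session you are typing in, and writes the result where Ubuntu's iptables-persistent package loads it at boot. The package, the /etc/iptables/rules.v4 path and the conntrack match are assumptions about your setup; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original tutorial): allow-list SSH by source
# address in a lock-out-safe order and persist the ruleset. Assumes Ubuntu
# with the iptables-persistent package installed (it restores
# /etc/iptables/rules.v4 at boot). Set DRY_RUN=1 to print instead of apply.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# restrict_ssh ALLOWED_IP [PORT]   (PORT defaults to 22)
restrict_ssh() {
    allowed_ip="$1"
    port="${2:-22}"
    [ -n "$allowed_ip" ] || { echo "usage: restrict_ssh ALLOWED_IP [PORT]" >&2; return 1; }

    # 1. Packets of connections that already exist, including the SSH session
    #    you are in right now, are accepted before any DROP rule can see them.
    run iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Loopback traffic is never filtered.
    run iptables -I INPUT 2 -i lo -j ACCEPT
    # 3. New SSH connections are accepted only from the trusted address ...
    run iptables -A INPUT -p tcp --dport "$port" -s "$allowed_ip" -m conntrack --ctstate NEW -j ACCEPT
    # 4. ... and dropped from everyone else. -A appends, so this DROP lands
    #    after the ACCEPT above; the order is what makes the rule safe.
    run iptables -A INPUT -p tcp --dport "$port" -j DROP
}

# iptables-save only writes the ruleset to stdout; redirecting it into the
# file netfilter-persistent reads at boot is what makes the change stick.
persist_rules() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables-save > /etc/iptables/rules.v4"
    else
        iptables-save > /etc/iptables/rules.v4
    fi
}

# Usage: DRY_RUN=1 sh restrict_ssh.sh 203.0.113.5 22   (drop DRY_RUN to apply)
if [ "$#" -gt 0 ]; then
    restrict_ssh "$@" && persist_rules
fi
```

    Run it once in dry-run mode and read the four rules back before applying them. It covers IPv4 only; if the server has a public IPv6 address, the same rules are needed in ip6tables. When you later move sshd to another port, rerun the function with that port and delete the old rules, otherwise the new port is wide open.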
    

    Changing the SSHD Port

    You're also going to want to run sshd on a non-standard port. Here's the list of standard ports; pick a number that isn't on it so you don't collide with another service. You can then firewall off the new port the same way, since you're no longer using port 22. Be clear about what this buys you: it doesn't make sshd any harder to break into, it just takes you out of the traffic the bots aim at port 22, so treat it as noise reduction on top of disabling root and password logins, not as a substitute for them. Before changing anything related to sshd, make sure you can actually ssh into the machine, and keep that session open while you test the new settings from a second terminal. Here's a useful guide.

    # log in (as root for now; we'll switch that off below)
    ssh root@hostname/IP
    
    # back up the config before touching it
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
    
    # update the sshd_config (no sudo needed in a root shell)
    nano /etc/ssh/sshd_config
    

    You should see something like the following (this file is from an older Ubuntu release; newer ones ship a shorter sshd_config, but the directives we care about are the same):

    # Package generated configuration file
    # See the sshd_config(5) manpage for details
    
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 1024
    
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin without-password
    StrictModes yes
    

    Change Port to your new number and set PermitRootLogin to "no". If you log in with an SSH key (and only once you've confirmed that works), also set PasswordAuthentication to "no": bots can't brute-force a password that sshd no longer accepts, so the failures disappear from the log instead of just moving to a new port. Check the file for syntax errors with sudo sshd -t before you restart; a typo here will stop sshd from starting.

    Now restart the daemon. On Ubuntu the service is named ssh, not sshd, so run sudo systemctl restart ssh (service ssh restart on older releases). Keep your existing session open and, from a second terminal, ssh in with the -p (port) flag and the new port number, like so: ssh username@hostname.com -p 50683. Only close the old session once the new one works. Here are some other useful commands:

    # check if the sshd process is running (the [s] trick keeps grep itself out of the list)
    ps aux | grep '[s]shd'
    
    # check which port sshd is listening on
    sudo ss -tlnp | grep sshd
    
    # same check with net-tools, if you still have netstat installed
    sudo netstat -plant | grep sshd
    
    # check which process holds the port 22 TCP socket (should be none after the change)
    sudo lsof -iTCP:22 -sTCP:LISTEN
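
    Editing sshd_config by hand works for one server, but it is easy to leave a second, commented-out copy of a directive behind or to forget a setting on the next box. The script below is an added example, not part of the original tutorial: it applies the changes from this section (new Port, PermitRootLogin no, and the PasswordAuthentication and MaxAuthTries settings recommended above) to a config file idempotently, and can hand the result to sshd -t for checking. The sample config it builds is constructed from the directives shown earlier; the file path and port are arguments, and GNU sed/awk are assumed, as on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original tutorial): apply the sshd_config
# changes as a repeatable script, working on a copy first. Assumes GNU
# sed/awk (Ubuntu); the sample config at the bottom is constructed from the
# directives the tutorial shows for an older release.

# set_directive FILE KEY VALUE
# Replace every "KEY ..." or "#KEY ..." line with "KEY VALUE"; append the
# directive if the file has none. Running it twice leaves the file unchanged.
set_directive() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s/^[#[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY -> the value sshd would use (first uncommented match wins)
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE PORT
harden_sshd() {
    file="$1"; port="$2"
    set_directive "$file" Port "$port"
    set_directive "$file" PermitRootLogin no
    # Only disable passwords once key-based login has been tested from a
    # second session; otherwise this is how you lock yourself out.
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" MaxAuthTries 3
    set_directive "$file" LoginGraceTime 30
}

# check_sshd_config FILE: let sshd parse the file (-t); no daemon is started
check_sshd_config() {
    sshd -t -f "$1"
}

# Constructed copy of the directives the tutorial shows (older Ubuntu release).
write_sample_config() {
    cat > "$1" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
#ListenAddress 0.0.0.0
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
EOF
}

DEMO="$(mktemp)"
write_sample_config "$DEMO"
harden_sshd "$DEMO" 50683
cat "$DEMO"
```

    On a real server run harden_sshd against a copy, call check_sshd_config on it (sshd -t needs the host keys referenced by the file to exist, so run it on the server, not your laptop), diff it against the backup, and only then move it into place and restart ssh.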
    

    And there you have it. That should dramatically cut the stream of failed authentication entries, and anything that still shows up in auth.log afterwards deserves a closer look.
