First steps How to secure Ubuntu Server

Here’s a note on how to secure Ubuntu 22.04 and boost server and site security.

For the purposes of this tutorial, I used a VPS server purchased from Time4VPS at an extremely low price for only 1.2 euros per month 🙂

Time4VPS also has the best Black Friday deal right now, so hurry up: The best VPS server deal for Black Friday 2022

You can do most of the steps in this tutorial on a clean and empty server or later, depending on when the lights come on that you need to beef up security on your Ubuntu server.

Login to Ubuntu server over SSH

To begin with, you have to use the root user to access the server, but we will change that later.

Accessing the server via SSH and allowing the root user to access via SSH is not a good idea in terms of security.

To connect to the server via SSH type in Terminal:

ssh root@IP_ADDRESS -p 22

After access we can move on.

Update and upgrade

Perform package updates and upgrades.

apt update
apt upgrade

This will take a few minutes and after that we can continue with our work.

Add new user to Ubuntu server

In order to strengthen the security on the Ubuntu server, it is important to add a new user that we will use for access in the future instead of the root user.

To add a new user, type the following in the terminal and replace “YOUR_USER” with the username you want to set up:

adduser YOUR_USER

This process will ask to set a new password for the new user now, the password should be confirmed and you can also enter the user’s data if you want. Here’s how it looked for me:

# adduser ivan
Adding user `ivan' ...
Adding new group `ivan' (1000) ...
Adding new user `ivan' (1000) with group `ivan' ...
Creating home directory `/home/ivan' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for ivan
Enter the new value, or press ENTER for the default
	Full Name []: Ivan Blagojevic
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y

Stay logged in as the root user until I indicate that you can log out.

Add a new user to the sudo group

In order for a new user to be able to run commands at a higher level, we need to add him to the sudo group:

usermod -aG sudo YOUR_USER

Note: This means that a new user will need to type “sudo” in front of the command in order for the command to be executed.

Install UFW firewall on Ubuntu 22.04

The firewall is an important item and we will install it with the following command:

apt install ufw

Show the the of installed UFW profiles by typing:

ufw app list
# ufw app list
Available applications:

Let’s allow OpenSSH to work through the firewall:

ufw allow OpenSSH

Additionally, for some reason UFW often does not work properly through this profile and does not allow SSH to work.

I recommend that you specifically allow the “ssh” service through UFW just in case:

ufw allow ssh

After that start UFW:

ufw enable

Check the status of UFW on Ubuntu Server:

ufw status
 ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6) 

If UFW is active, stay logged in as the root user, then open Terminal in a separate window and test if logging in as a regular user works:


Replace YOUR_USER with your username. Replace IP_ADDRESS with IP address of your server.

Only now, provided that the login for the user is correct and working, you can log out as the root user.

For all future work, I advise you to use a new user instead of the root user.

Security settings for SSH on Ubuntu

Now that we have a new user with SSH access, let’s beef up SSH security on the Ubuntu server.

Open the SSH configuration file with:

sudo nano /etc/ssh/sshd_config

We will do the following:

Disable root login on Ubuntu server SSH

Find this line:

PermitRootLogin yes

Change it to this:

PermitRootLogin no

We have forbidden the root user from logging in via SSH so that any attempt by hackers or bots will be unsuccessful – in case they try to log in as root.

Allow your user to login with SSH

Below that, add this line and be sure to replace USER with your username:

AllowUsers USER

This will allow that user to login successfully via SSH.

Change defatul SSH port on Ubuntu server

Everyone knows that the default SSH port on all servers is 22. That’s why we need to change and set some other port. Pick a number (and remember it). Make the number multi-digit.

Find this line:

#Port 22

Remove the comment (#) i change 22 to something else:

Port 2234

Don’t forget this new port or you won’t be able to log in next time.

Save what you changed for now. Restart SSH:

service ssh restart

Let’s secure ourselves in time against the possibility that the UFW will block us.

If you use UFW

Allow UFW to allow SSH access over the new port:

sudo ufw allow 2234/tcp

Please, replace 2234 with your port for SSH.

Now, deny using port 22 with:

sudo ufw deny 22/tcp

This is what you should get if you check your status for UFW:

~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
22/tcp                     DENY        Anywhere                  
2234/tcp                   ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
22/tcp (v6)                DENY        Anywhere (v6)             
2234/tcp (v6)              ALLOW       Anywhere (v6) 

Test if SSH connection works now.

Root connection to SSH no longer works, that’s ok. Connecting to the user you defined works, that’s fine.

Only the root user should have a UID of 0

Accounts and users that have a UID of 0 have the most access to the system.

This command will show exactly who has a UID of 0 and will create a list of users:

awk -F: '($3=="0"){print}' /etc/passwd

This is correct:

$ awk -F: '($3=="0"){print}' /etc/passwd

If you get a list with multiple users, and if the users in the list are unknown, it’s time to start worrying.

Command to check if there are users with empty passwords

If there are users with empty passwords, it means that maybe you created them by mistake or you have a serious security problem and someone else created them.

This command will display all users with blank passwords, if such users exist:

cat /etc/shadow | awk -F: '($2==""){print $1}'

If you want to block the possibility of connecting a user with an empty password over SSH, read on.

Disable Empty Passwords on Ubuntu server

To disallow blank passwords on SSH, type:

nano /etc/ssh/sshd_config

Then add the following line:

PermitEmptyPasswords no

Save the change and restart SSH

service ssh restart

Now you’ve hardened your Ubuntu server, but that’s not all. This article will be updated with new tricks for better security on Ubuntu.

Author, Ivan Blagojević

Engineering Lead at Adriahost. I spend most of my time on Linux operating systems with cPanel/WHM panels.

I help people solve problems and choose the right hosting for their site.

I write here in my spare time.

Time4VPS - VPS hosting in Europe