Here’s a note on how to secure Ubuntu 22.04 and boost server and site security.
For the purposes of this tutorial, I used a VPS server purchased from Time4VPS at an extremely low price for only 1.2 euros per month 🙂
Time4VPS also has the best Black Friday deal right now, so hurry up: The best VPS server deal for Black Friday 2022
You can do most of the steps in this tutorial on a clean and empty server or later, depending on when the lights come on that you need to beef up security on your Ubuntu server.
Login to Ubuntu server over SSH
To begin with, you have to use the root user to access the server, but we will change that later.
Accessing the server via SSH and allowing the root user to access via SSH is not a good idea in terms of security.
To connect to the server via SSH type in Terminal:
ssh root@IP_ADDRESS -p 22After access we can move on.
Update and upgrade
Perform package updates and upgrades.
apt updateapt upgradeThis will take a few minutes and after that we can continue with our work.
Add new user to Ubuntu server
In order to strengthen the security on the Ubuntu server, it is important to add a new user that we will use for access in the future instead of the root user.
To add a new user, type the following in the terminal and replace “YOUR_USER” with the username you want to set up:
adduser YOUR_USERThis process will ask to set a new password for the new user now, the password should be confirmed and you can also enter the user’s data if you want. Here’s how it looked for me:
# adduser ivan
Adding user `ivan' ...
Adding new group `ivan' (1000) ...
Adding new user `ivan' (1000) with group `ivan' ...
Creating home directory `/home/ivan' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for ivan
Enter the new value, or press ENTER for the default
Full Name []: Ivan Blagojevic
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] yStay logged in as the root user until I indicate that you can log out.
Add a new user to the sudo group
In order for a new user to be able to run commands at a higher level, we need to add him to the sudo group:
usermod -aG sudo YOUR_USERNote: This means that a new user will need to type “sudo” in front of the command in order for the command to be executed.
Install UFW firewall on Ubuntu 22.04
The firewall is an important item and we will install it with the following command:
apt install ufwShow the the of installed UFW profiles by typing:
ufw app list# ufw app list
Available applications:
OpenSSHLet’s allow OpenSSH to work through the firewall:
ufw allow OpenSSHAdditionally, for some reason UFW often does not work properly through this profile and does not allow SSH to work.
I recommend that you specifically allow the “ssh” service through UFW just in case:
ufw allow sshAfter that start UFW:
ufw enableCheck the status of UFW on Ubuntu Server:
ufw status ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
22/tcp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6) If UFW is active, stay logged in as the root user, then open Terminal in a separate window and test if logging in as a regular user works:
ssh YOUR_USER@IP_ADDRESSReplace YOUR_USER with your username. Replace IP_ADDRESS with IP address of your server.
Only now, provided that the login for the user is correct and working, you can log out as the root user.
For all future work, I advise you to use a new user instead of the root user.
Security settings for SSH on Ubuntu
Now that we have a new user with SSH access, let’s beef up SSH security on the Ubuntu server.
Open the SSH configuration file with:
sudo nano /etc/ssh/sshd_configWe will do the following:
Disable root login on Ubuntu server SSH
Find this line:
PermitRootLogin yesChange it to this:
PermitRootLogin noWe have forbidden the root user from logging in via SSH so that any attempt by hackers or bots will be unsuccessful – in case they try to log in as root.
Allow your user to login with SSH
Below that, add this line and be sure to replace USER with your username:
AllowUsers USERThis will allow that user to login successfully via SSH.
Change defatul SSH port on Ubuntu server
Everyone knows that the default SSH port on all servers is 22. That’s why we need to change and set some other port. Pick a number (and remember it). Make the number multi-digit.
Find this line:
#Port 22
Remove the comment (#) i change 22 to something else:
Port 2234Don’t forget this new port or you won’t be able to log in next time.
Save what you changed for now. Restart SSH:
service ssh restartLet’s secure ourselves in time against the possibility that the UFW will block us.
If you use UFW
Allow UFW to allow SSH access over the new port:
sudo ufw allow 2234/tcpPlease, replace 2234 with your port for SSH.
Now, deny using port 22 with:
sudo ufw deny 22/tcpThis is what you should get if you check your status for UFW:
~$ sudo ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
22/tcp DENY Anywhere
2234/tcp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
22/tcp (v6) DENY Anywhere (v6)
2234/tcp (v6) ALLOW Anywhere (v6) Test if SSH connection works now.
Root connection to SSH no longer works, that’s ok. Connecting to the user you defined works, that’s fine.
Only the root user should have a UID of 0
Accounts and users that have a UID of 0 have the most access to the system.
This command will show exactly who has a UID of 0 and will create a list of users:
awk -F: '($3=="0"){print}' /etc/passwdThis is correct:
$ awk -F: '($3=="0"){print}' /etc/passwd
root:x:0:0:root:/root:/bin/bashIf you get a list with multiple users, and if the users in the list are unknown, it’s time to start worrying.
Command to check if there are users with empty passwords
If there are users with empty passwords, it means that maybe you created them by mistake or you have a serious security problem and someone else created them.
This command will display all users with blank passwords, if such users exist:
cat /etc/shadow | awk -F: '($2==""){print $1}'If you want to block the possibility of connecting a user with an empty password over SSH, read on.
Disable Empty Passwords on Ubuntu server
To disallow blank passwords on SSH, type:
nano /etc/ssh/sshd_configThen add the following line:
PermitEmptyPasswords no
Save the change and restart SSH
service ssh restartNow you’ve hardened your Ubuntu server, but that’s not all. This article will be updated with new tricks for better security on Ubuntu.
