How to configure Ubuntu server, a beginner's guide to secure configuration
For Ubuntu server novice users, entry-level security configuration can help protect the system from common network threats. Security configuration includes changing the default SSH port, limiting login users, setting firewall rules, regularly updating system patches, and enabling protection tools such as Fail2Ban. These basic steps can not only reduce the risk of server brute force cracking and unauthorized access, but also establish a solid security foundation for the server.
Network security is very important, especially when novices install the operating system without making any security settings, which is equivalent to opening the door to hackers.
Ubuntu's default operating system settings alone are not enough to ensure server security. This article will show you how to configure security on Ubuntu 22.04 to improve server security.
Switch to root user
In the SSH terminal, enter the following command to switch to the root user:
sudo -i
After entering your user password you are in a root shell. Enter the following command to set the root password:
sudo passwd root
Update the system
The first step after the system is installed is to update the system so that the software in the system is up to date.
sudo apt update && sudo apt upgrade -y
Enable automatic updates to ensure your system stays up to date:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
After installing the latest security patches, remove packages that are no longer needed:
sudo apt autoremove -y
Regular updates and patch management: Regularly update the Ubuntu system and all installed packages to ensure timely security patches.
The following messages usually appear in system update or security check reports and indicate that the system is in good condition. Their meanings are as follows:
- No containers need to be restarted: Currently, there are no containers that need to be restarted, indicating that all containers are running the latest code or configuration.
- No user sessions are running outdated binaries: No user sessions run outdated binaries, ensuring that users are using the latest programs and avoiding security vulnerabilities.
- No VM guests are running outdated hypervisor (qemu) binaries on this host: No VM guests use outdated QEMU (hypervisor) binaries, ensuring the security of the virtualization environment.
Overall, this indicates that the containers, user sessions, and virtual machines in the system have been updated and no restart or further action is required, which is a "normal" prompt.
Install Chinese language pack
The Chinese language pack can be installed through the graphical interface or the command line.
Via command line:
Update the package list and install the language pack:
sudo apt update
sudo apt install language-pack-zh-hans -y
After the installation is complete, set the system's locale:
sudo update-locale LANG=zh_CN.UTF-8
Restart or log out of your system to apply the new language setting.
Adjust time zone
The time zone can be changed via the command line or through the graphical interface.
Set the time zone, for example, to set the time zone to China Standard Time (Asia/Shanghai):
sudo timedatectl set-timezone Asia/Shanghai
Set up a swap file (optional)
If the system memory is small, creating a swap file can improve system performance:
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Install the basic toolkit
Install some commonly used toolkits and development tools.
sudo apt install -y build-essential curl wget git vim zip unzip htop nload
Install network tools for debugging and managing the network:
sudo apt install -y net-tools dnsutils traceroute telnet nload
Install Python and its tools. Python is a commonly used scripting language and many applications rely on it.
sudo apt install -y python3 python3-pip python3-venv
Install Node.js and npm. Node.js is a server-side JavaScript runtime environment, and npm is its package manager.
sudo apt install -y nodejs npm
Install Snap and install more applications. Snap is Ubuntu's package manager that can be used to install many applications:
sudo apt install -y snapd
Install development-related tools. For Java, install OpenJDK (such as OpenJDK 11 or 17):
sudo apt install -y openjdk-17-jdk
For C/C++ development, in addition to build-essential, install some common libraries and tools:
sudo apt install -y cmake gdb
Install some common image processing and conversion tools:
sudo apt install -y imagemagick ffmpeg
Install some commonly used text processing tools:
sudo apt install -y jq silversearcher-ag tree
You can use the following command to clean up installation packages and dependencies that are no longer needed:
sudo apt autoremove -y
sudo apt autoclean
Choose to install according to different needs. After completing these, the system will have the tools required for common development and operation and maintenance environments.
Add multiple IP addresses
View the IP configuration file
ls /etc/netplan/
Editing the IP Configuration File
vi /etc/netplan/50-cloud-init.yaml
Apply the new profile
sudo netplan apply
View the port binding IP
ip a show eno1
Check the hard disk and mount the new hard disk to /home
Check the current disk status
sudo fdisk -l
Use parted to partition the new hard drive:
sudo parted /dev/sdb
sdb is the second hard disk on the server. Generally, the first hard disk sda is used as the system disk and sdb is used as the data disk.
SSH Security Configuration
To enhance the security of SSH access to Linux servers, you can configure the /etc/ssh/sshd_config file to limit the number of login attempts, the interval time, and control the users allowed or denied. Here are the specific steps:
Set the number of login attempts and the time between failed login attempts
Edit the /etc/ssh/sshd_config file:
sudo vi /etc/ssh/sshd_config
Configuring MaxAuthTries
MaxAuthTries: This parameter is used to set the maximum number of authentication attempts, after which the connection will be disconnected.
The default value is usually 6, and you can set it to 3 or less for increased security.
MaxAuthTries 3
Restricting user access using the DenyUsers and AllowUsers directives
Configuring the DenyUsers directive
DenyUsers: Used to specify a list of users that are prohibited from logging in through SSH.
Format: DenyUsers Username1 Username2
For example, to prohibit users testuser and guest from logging in via SSH:
DenyUsers testuser guest
Configuring the AllowUsers directive
AllowUsers: Used to specify a list of users allowed to log in via SSH (only these users are allowed to log in).
Format: AllowUsers Username1 Username2
For example, to allow only the adminuser to log in via SSH:
AllowUsers adminuser
Note: AllowUsers and DenyUsers cannot be used interchangeably. If AllowUsers is used, only users in the list are allowed to log in, and other users cannot log in even if they are not in DenyUsers.
Save and close the file when you are finished, then restart the SSH service:
sudo systemctl restart sshd
Use tools like Fail2Ban
Install Fail2Ban
Further improve security by monitoring login logs and automatically banning IP addresses that have failed multiple attempts. Use Fail2Ban to automatically ban IPs.
Fail2Ban is a very effective tool that monitors failed SSH login attempts and automatically bans IP addresses that have failed too many times. Installing and configuring Fail2Ban can provide a similar delay effect:
sudo apt install fail2ban
Configuring Fail2Ban
Create the /etc/fail2ban/jail.local file. If jail.local does not exist, copy the jail.conf content to create it:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the /etc/fail2ban/jail.local file:
sudo vi /etc/fail2ban/jail.local
To set up SSH monitoring, add the following to your SSHD options:
[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 6000
findtime = 60
maxretry: Set the maximum number of failures allowed within findtime (seconds).
bantime: Set the ban time (in seconds), which can be increased as needed.
Start Fail2Ban
After saving the configuration file, restart the Fail2Ban service:
sudo systemctl restart fail2ban
Check whether the configuration is effective
sudo fail2ban-client status
If the following is displayed, it means the configuration is successful.
Status
|- Number of jail: 1
`- Jail list: sshd
After configuring /etc/ssh/sshd_config, by setting the MaxAuthTries, DenyUsers, AllowUsers parameters and installing Fail2Ban, you can effectively limit the number of SSH login attempts and allowed users, thereby reducing the risk of brute force cracking.
After the Fail2Ban configuration is complete, your server can be effectively protected from brute force attacks. You can also enable more jails or custom rules based on your specific needs.
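How maxretry, findtime and bantime interact, as an added example that is not part of the original guide and not Fail2Ban's own code: a simplified model of the jail's counting rule, run over constructed auth.log lines. The function names, host name and addresses are made up for illustration.

```bash
# Added example (not Fail2Ban's own code): a simplified model of the jail rule
# above. An address is banned once it has MAXRETRY failures within FINDTIME s.
# Assumes syslog-style auth.log lines from a single day (constructed below).

# jail_sim MAXRETRY FINDTIME BANTIME  (log on stdin) -> one "BAN ..." line per ban
jail_sim() {
  awk -v maxretry="$1" -v findtime="$2" -v bantime="$3" '
    function secs(hms,   p) { split(hms, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    / sshd\[[0-9]+\]: Failed password for / {
      t = secs($3); ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)  # last "from" wins
      if (ip == "") next
      if ((ip in banned) && t < banned[ip]) next   # already banned: would be dropped
      n[ip]++; seen[ip, n[ip]] = t
      hits = 0
      for (j = n[ip]; j >= 1 && t - seen[ip, j] < findtime; j--) hits++
      if (hits >= maxretry) {
        banned[ip] = t + bantime; n[ip] = 0
        print "BAN " ip " at=" $3 " for=" bantime "s"
      }
    }
  '
}

# Constructed sample log (documentation-range addresses)
sample_log() { cat <<'EOF'
Mar 10 02:00:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 02:00:09 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 10 02:00:20 srv sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 10 02:00:25 srv sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar 10 02:01:00 srv sshd[1005]: Failed password for adminuser from 198.51.100.7 port 50001 ssh2
Mar 10 02:03:00 srv sshd[1006]: Failed password for adminuser from 198.51.100.7 port 50002 ssh2
Mar 10 02:05:00 srv sshd[1007]: Failed password for adminuser from 198.51.100.7 port 50003 ssh2
Mar 10 02:05:10 srv sshd[1008]: Accepted publickey for adminuser from 198.51.100.7 port 50004 ssh2
EOF
}

sample_log | jail_sim 3 60 6000    # the values set in jail.local above
sample_log | jail_sim 3 600 6000   # a wider findtime also counts the spread-out failures
```

With findtime = 60 only the first address is banned; failures spaced minutes apart never reach maxretry inside the window, which is the trade-off to weigh when choosing findtime.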
SSH login without using root user
To improve security, it is recommended to avoid logging into the server directly with the root user, but to create a normal user with sudo privileges to perform administrator tasks. The following is the setup and configuration process:
Create a New User
Create a new user and grant it sudo privileges using the following commands (replace newusername with the name you want):
sudo adduser newusername
sudo usermod -aG sudo newusername
After running the commands, make sure newusername has been added to the sudo group:
groups newusername
If the group list returned by the command contains sudo, it means that the addition is successful.
Re-login: The user's group information is loaded at the start of the session, so you will need to log out and log back in to apply the changes.
On some systems, the sudo group may not be enabled or the /etc/sudoers file may not be configured correctly.
Check the sudoers file configuration using the following command:
sudo visudo
Make sure the file contains the following line:
%sudo ALL=(ALL:ALL) ALL
Add the following line at the end of the file, replacing newusername with the new user's name:
newusername ALL=(ALL) ALL
This ensures that the new user has sudo privileges.
Disable SSH login for root user
You can further enhance the security of your server by disabling SSH access for the root user. Edit the SSH configuration file /etc/ssh/sshd_config:
sudo vi /etc/ssh/sshd_config
Find the following line:
#PermitRootLogin prohibit-password
Change it to:
PermitRootLogin no
Save and close the file, then restart the SSH service for the changes to take effect:
sudo systemctl restart sshd
Change root password
After logging in as root, use the passwd command to change the root password to something more complex.
SSH login using keys
Using SSH key pairs to log in is a safe and convenient way to effectively prevent brute force attacks. The following are detailed steps on how to generate a key pair, upload a public key, and configure the SSH server to disable password login:
Generate SSH key pair
On your local computer, open a terminal and execute the following command:
ssh-keygen -t rsa -b 4096
This generates a pair of RSA keys (public and private).
You will be prompted for a file name and a passphrase:
Filename: You can press Enter to use the default filename (usually ~/.ssh/id_rsa).
Passphrase: You can choose to set a passphrase for added security, or leave it blank.
After generation, the key pair will be saved in the following path:
Private key: ~/.ssh/id_rsa
Public key: ~/.ssh/id_rsa.pub
Manually log in to the server, open (or create) the ~/.ssh/authorized_keys file, and paste the public key ~/.ssh/id_rsa.pub into it:
vi ~/.ssh/authorized_keys
Permission settings
Make sure the permissions on the ~/.ssh directory and the authorized_keys file are set correctly:
The .ssh directory should be set to 700:
chmod 700 ~/.ssh
The authorized_keys file should be set to 600:
chmod 600 ~/.ssh/authorized_keys
Configure SSH Server
Open the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Make sure the following configuration items are set:
PubkeyAuthentication yes
PasswordAuthentication no
To make the configuration changes take effect, restart the SSH service:
sudo systemctl restart sshd
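The sshd settings from the sections above (MaxAuthTries, PermitRootLogin, PubkeyAuthentication, PasswordAuthentication) only help if they are the values sshd actually uses: sshd keeps the first value it reads for each keyword, and the stock Ubuntu 22.04 sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in file can override an edit made lower in the main file. The script below is an added example, not part of the original guide; the function names and sample files are constructed, and it handles only the whitespace-separated keyword form used on this page.

```bash
# Added example (not from the original guide): audit the sshd settings above.
# sshd keeps the FIRST value it reads for each keyword, so pass the files in
# the order sshd reads them (included drop-ins before the main file's lines).

# effective KEYWORD FILE... -> first uncommented value outside any Match block
effective() {
  kw="$1"; shift
  awk -v kw="$kw" '
    BEGIN { kw = tolower(kw) }
    FNR == 1 { inmatch = 0 }
    /^[ \t]*(#|$)/ { next }                          # comments, blank lines
    tolower($1) == "match" { inmatch = 1; next }     # conditional block
    !inmatch && tolower($1) == kw { print $2; exit } # first value wins
  ' "$@"
}

# audit_sshd FILE... -> one line per check; exit status = number of failures
audit_sshd() {
  fails=0
  # columns: keyword, value this guide sets, OpenSSH default when unset
  while read -r key want default; do
    got="$(effective "$key" "$@")"; got="${got:-$default}"
    ok=no
    if [ "$key" = MaxAuthTries ]; then
      if [ "$got" -le "$want" ] 2>/dev/null; then ok=yes; fi
    elif [ "$got" = "$want" ]; then ok=yes
    fi
    if [ "$ok" = yes ]; then echo "PASS $key $got"
    else echo "FAIL $key $got (guide sets $want)"; fails=$((fails + 1)); fi
  done <<'EOF'
MaxAuthTries 3 6
PermitRootLogin no prohibit-password
PubkeyAuthentication yes yes
PasswordAuthentication no yes
EOF
  return "$fails"
}

# Constructed sample: a drop-in that re-enables passwords, read before sshd_config
demo_dir="$(mktemp -d)"
printf 'PasswordAuthentication yes\n' > "$demo_dir/50-example.conf"
cat > "$demo_dir/sshd_config" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no
EOF
audit_sshd "$demo_dir/50-example.conf" "$demo_dir/sshd_config" || echo "failed: $?"
```

On a real server, `sudo sshd -t` checks the configuration syntax before a restart and `sudo sshd -T` prints the effective values sshd will use.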
View memory usage
Memory usage is also an important indicator of server security. We can use commands such as free, top, or htop to view the current server's memory usage to ensure that no malicious processes occupy too much memory resources.
Install a firewall
Virus Firewall
On Ubuntu, you can use some popular antivirus software to protect your system. ClamAV is an open source virus scanner that is widely used on Linux systems.
It is suitable for detecting and removing malware. The following are the detailed steps to install and configure ClamAV on an Ubuntu system.
Install ClamAV:
Install ClamAV and clamav-daemon (which provides real-time scanning support) using the APT package manager:
sudo apt install clamav clamav-daemon -y
Verify that the installation was successful
clamscan --version
Update virus database:
Before updating the virus database, stop the clamav-freshclam service:
sudo systemctl stop clamav-freshclam
sudo freshclam
After the update is complete, start the service
sudo systemctl start clamav-daemon
sudo systemctl start clamav-freshclam
To perform a full system scan:
sudo clamscan -r /
Automatic scanning: you can set up a cron job to run a ClamAV scan regularly.
Configure ClamAV daemon clamav-daemon to provide real-time scanning support. Make sure the service is started:
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon
Automatic update of virus database
sudo systemctl enable clamav-freshclam
sudo systemctl start clamav-freshclam
Modify the configuration file
vi /etc/clamav/freshclam.conf
Modify the following line to update every hour
Checks 24
Schedule regular scans
You can use cron to schedule regular scans. Edit crontab:
sudo crontab -e
Add the following line to scan the /home directory at 2 AM every day:
0 2 * * * clamscan -r /home
System Firewall
UFW (Uncomplicated Firewall) is a commonly used firewall tool on Ubuntu. It is simple and easy to use, suitable for both novice and experienced users.
Install UFW:
sudo apt install ufw
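Enable UFW (if you are connected over SSH, run the allow ssh command from the next step first, so that remote access is still possible once the firewall is on):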
sudo ufw enable
Allow SSH access (make sure remote access is possible before enabling the firewall):
sudo ufw allow ssh
Allow access to other ports (such as HTTP and HTTPS):
sudo ufw allow 80/tcp # Allow HTTP
sudo ufw allow 443/tcp # Allow HTTPS
Check UFW status:
sudo ufw status verbose
Disable UFW:
sudo ufw disable
Summary
In a modern network environment, it is essential to ensure the security of your Ubuntu server. First of all, regularly updating the system and software packages to obtain the latest security patches is a basic measure to prevent potential vulnerabilities. At the same time, it is recommended to use SSH keys to log in and disable password authentication to improve the security of remote access. Configuring the UFW firewall can effectively limit access to unnecessary services. In addition, regularly installing and updating virus protection software (such as ClamAV) and monitoring system logs can help to detect and respond to security threats in a timely manner. Through these comprehensive measures, Ubuntu users can effectively protect the system from attacks and ensure data security and stability.
CyberPanel Configuration Tutorial
Install CSF firewall (ConfigServer Security & Firewall)
To install CSF on Ubuntu and enable basic configuration, follow these steps:
# Install dependencies
sudo apt update
sudo apt install -y perl libwww-perl liblwp-protocol-https-perl
# Download CSF
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
# Run the installation script
sudo bash install.sh
# Check if the server is compatible with CSF
sudo perl /usr/local/csf/bin/csftest.pl
The official installation script has been upgraded. If you encounter a 500 error after installing csf, you only need to use the official upgrade script to upgrade and install.
sh <(curl https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh || wget -O - https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh)