chrellrich/secure-your-server

Secure Your Server

Steps to secure an Ubuntu 22.04 LTS server


Creating a new User

Create a new user and add it to the sudo group, so you don't use root to log in.

adduser <user>
usermod -aG sudo <user>

Installing 2FA

Two-factor authentication (2FA) is a security process that requires users to provide two different forms of identification to access the system. By requiring two factors, 2FA adds a layer of security beyond just a password, making it more difficult for unauthorized users to gain access to sensitive information or systems.

Install the Google Authenticator PAM Module

sudo apt install libpam-google-authenticator

Run the Initialization

Run google-authenticator -t -d -f -r 3 -R 30 -w 3 to automatically set the following options:

  • t => Time-based codes
  • d => Disallow token reuse
  • f => Force writing the settings to file without prompting the user
  • r => Rate limit: how many login attempts are allowed per interval
  • R => Length of the rate-limit interval in seconds
  • w => How many codes are valid at a time (this references the 1:30 min)

To choose other options, run google-authenticator without any parameters.

Scan the QR code or copy the 2FA code.

Configuring SSH

/etc/pam.d/sshd

In /etc/pam.d/sshd, add the line auth required pam_google_authenticator.so below the common-auth include, as shown:

# Standard Un*x authentication.
@include common-auth
auth required pam_google_authenticator.so

/etc/ssh/sshd_config

In /etc/ssh/sshd_config, set KbdInteractiveAuthentication to yes:

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication yes

Disable password authentication and root login, and allow only the selected user(s), by adding the following at the bottom:

PasswordAuthentication no
PermitRootLogin no
AllowUsers <user>

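Allow authentication via public key, or via password plus 2FA code through PAM (keyboard-interactive). The two methods are separated by a space, so either one is sufficient on its own. This also needs to be added at the bottom: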

AuthenticationMethods publickey keyboard-interactive

Restart SSH

sudo systemctl restart sshd
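
The settings above are appended at the bottom of sshd_config, but sshd uses the first value it reads for each keyword, so an earlier line with the same keyword silently wins. The following check is an added example, not part of the repository; the function names, file names and the user alice are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the repository; function names are hypothetical.
# sshd keeps the FIRST value it reads for a keyword, so a line appended at the
# bottom of sshd_config is ignored when the same keyword is set earlier.

# first_value FILE KEYWORD: print the first global value of KEYWORD.
# Assumes whitespace-separated "Keyword value" lines; does not follow Include.
first_value() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF == 0   { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # later lines are conditional
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: report each setting from the guide; return 1 if any differs.
audit_sshd() {
    local file=$1 rc=0 key want got
    while read -r key want; do
        got=$(first_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: effective '${got:-unset}', wanted '$want'"
            rc=1
        fi
    done <<'EOF'
PasswordAuthentication no
PermitRootLogin no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey keyboard-interactive
EOF
    # AllowUsers must be set; its value is site-specific.
    [ -n "$(first_value "$file" AllowUsers)" ] || { echo "FAIL  AllowUsers unset"; rc=1; }
    return "$rc"
}

# Constructed samples: shadowed.conf sets PasswordAuthentication yes earlier.
make_samples() {
    printf '%s\n' 'KbdInteractiveAuthentication yes' 'PasswordAuthentication no' \
        'PermitRootLogin no' 'AllowUsers alice' \
        'AuthenticationMethods publickey keyboard-interactive' > "$1/good.conf"
    { echo 'PasswordAuthentication yes'; cat "$1/good.conf"; } > "$1/shadowed.conf"
}

tmp=$(mktemp -d); make_samples "$tmp"
audit_sshd "$tmp/good.conf"
audit_sshd "$tmp/shadowed.conf" || echo "shadowed.conf: the later 'no' is ignored"
rm -rf "$tmp"
```

On a live server, sudo sshd -t validates the file before the restart and sudo sshd -T prints the effective configuration, including files pulled in by Include.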

fail2ban

fail2ban is a security tool that monitors log files for suspicious activity on servers, such as multiple failed login attempts, and automatically blocks access from the offending IP address.

Installation

sudo apt install fail2ban

Changing the Bantime

Copy the config file

sudo cp /etc/fail2ban/jail.{conf,local}

Change bantime to one day in /etc/fail2ban/jail.local:

bantime  = 1d

Start the Service.

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

fail2ban-client

Status of sshd Jail

sudo fail2ban-client status sshd

Unban an IP

sudo fail2ban-client set sshd unbanip 23.34.45.56

Firewall

Here's how you can secure your server with ufw. Keep in mind that these are basic rules, and you may need to adjust them based on your specific needs.

  1. Check the current status of ufw by typing the following command:

    sudo ufw status
  2. By default, ufw should be inactive. If it's not, you can disable it using the following command:

    sudo ufw disable
  3. Set the default policy for incoming traffic to deny all connections:

    sudo ufw default deny incoming
  4. Allow SSH connections, so you can still access your server remotely. Use the following command to enable SSH:

    sudo ufw allow ssh
  5. If you're running a web server, allow HTTP and HTTPS traffic by using the following commands:

    sudo ufw allow http
    sudo ufw allow https
  6. If you're running other services, such as FTP or SMTP, you'll need to allow those ports as well. For example, to allow FTP traffic:

    sudo ufw allow ftp
  7. After allowing the necessary traffic, enable ufw:

    sudo ufw enable
  8. Check the status again to make sure ufw is running:

    sudo ufw status
