🔐 Ubuntu Server Security Configuration

A Comprehensive Guide to Server Hardening and User Management

Understanding the Command Prompt

Before executing any commands on your Ubuntu server, it's essential to understand what the command prompt is telling you. The prompt provides crucial information about your current session and privileges.

Anatomy of the Command Prompt

root@hostname:~#
Component   Meaning
root        Current username (logged in as root user)
@           Separator between username and hostname
hostname    Name of your server
:           Separator between hostname and directory
~           Home directory of current user (/root for root user)
#           Indicates root user privileges ($ for regular users)

Step 1: Changing the Root Password

The first critical security step is changing the default root password provided by your hosting provider. A strong password should contain a mixture of uppercase and lowercase letters, numbers, and special characters.

⚠️ Important Warning: If you lose or forget the root password, there is no way to recover it. Make sure to store it securely!

Command Syntax

root@hostname:~# passwd
New password: [type your new password - characters won't appear]
Retype new password: [type the password again]
passwd: password updated successfully

💡 Security Note: When typing passwords in the terminal, no characters (not even asterisks) will appear on screen. This is a security feature, not a malfunction.

Step 2: Creating a Non-Root User

Working directly as the root user is extremely dangerous. A single mistyped command can cause irreversible damage to your system. The best practice is to create a regular user account and grant it the ability to execute commands with elevated privileges when necessary.

Add a new user

root@hostname:~# adduser andrew
Adding user `andrew' ...
Adding new group `andrew' (1000) ...
Adding new user `andrew' (1000) with group `andrew' ...
Creating home directory `/home/andrew' ...
Copying files from `/etc/skel' ...
New password: [enter password for andrew]
Retype new password: [confirm password]
passwd: password updated successfully
Full Name []: [press Enter to skip]
Room Number []: [press Enter to skip]
Work Phone []: [press Enter to skip]
Home Phone []: [press Enter to skip]
Other []: [press Enter to skip]
Is the information correct? [Y/n] Y

Verify the user's home directory was created

root@hostname:~# cd /home
root@hostname:/home# ls -l
total 12
drwxr-xr-x 2 andrew    andrew    4096 Oct 31 10:15 andrew
drwxr-xr-x 2 linuxuser linuxuser 4096 Oct 31 09:00 linuxuser
drwxr-xr-x 2 ubuntu    ubuntu    4096 Oct 31 09:00 ubuntu

Username Requirements

Usernames can consist of:

Step 3: Removing Default Users

Many hosting providers create default user accounts (like "linuxuser" and "ubuntu") during server provisioning. These should be removed for security purposes.

root@hostname:/home# deluser --remove-home linuxuser
Looking for files to backup/remove ...
Removing files ...
Removing user `linuxuser' ...
Done.
root@hostname:/home# deluser --remove-home ubuntu
Looking for files to backup/remove ...
Removing files ...
Removing user `ubuntu' ...
Done.
root@hostname:/home# ls -l
total 4
drwxr-xr-x 2 andrew andrew 4096 Oct 31 10:15 andrew

⚠️ Important: If you make a spelling mistake when creating a user (e.g., "andr3w" instead of "andrew"), delete that user with deluser --remove-home username and create a new one with the correct spelling. Do not try to rename users.

Step 4: Changing User Passwords

To change the password for a specific user (not the currently logged-in user), you must specify the username after the passwd command.

root@hostname:~# passwd           # Changes root password
root@hostname:~# passwd andrew    # Changes andrew's password
New password: [type new password]
Retype new password: [retype password]
passwd: password updated successfully

Step 5: Granting Sudo Privileges

Instead of working as root, we grant regular users the ability to execute commands with root privileges using the sudo command. This provides an extra layer of safety and accountability.

Sudo Command Flow

User types: sudo command
⬇️
System prompts for user's password
⬇️
System verifies user has sudo privileges
⬇️
Command executes with root privileges

Setting the Default Editor

Before editing the sudoers file, ensure nano is set as the default editor:

root@hostname:~# update-alternatives --config editor
There are 4 choices for the alternative editor.

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/ed             -100       manual mode
  2            /bin/nano            40        manual mode
  3            /usr/bin/vim.basic   30        manual mode
  4            /usr/bin/vim.tiny    15        manual mode

Press <enter> to keep the current choice[*], or type selection number: [press Enter]

Editing the Sudoers File

⚠️ CRITICAL WARNING: Never edit the sudoers file directly with nano /etc/sudoers. Always use the visudo command, which validates syntax before saving and prevents corruption.

Open the sudoers file safely

root@hostname:~# visudo

Locate the User Privilege Specification section

# User privilege specification
root    ALL=(ALL:ALL) ALL

Add your user below the root line

# User privilege specification
root    ALL=(ALL:ALL) ALL
andrew  ALL=(ALL:ALL) ALL

Save and exit

Press: Ctrl + X
Type: Y (to save)
Press: Enter (to confirm filename)

Understanding the Sudo Configuration

Field        Value       Meaning
First ALL    ALL         Rule applies to all hosts
Second ALL   (ALL:ALL)   User can run commands as any user
Third ALL    (ALL:ALL)   User can run commands as any group
Fourth ALL   ALL         No restrictions on which commands can be run

Step 6: Disabling Root Login via SSH

One of the most critical security measures is preventing the root user from logging in remotely via SSH. This eliminates a common attack vector used by malicious actors.

⚠️ Important Concept: After modifying any service configuration file, you must restart that service for the changes to take effect. The service re-reads its configuration files upon restart.

Configuration File Hierarchy

SSH Configuration Structure
Main Config File:    /etc/ssh/sshd_config
Override Directory:  /etc/ssh/sshd_config.d/
Override Files:      *.conf files

Navigate to the SSH configuration directory

root@hostname:~# cd /etc/ssh
root@hostname:/etc/ssh# ls
moduli ssh_config ssh_host_ecdsa_key.pub ssh_host_rsa_key ssh_config.d ssh_host_ed25519_key ssh_host_rsa_key.pub sshd_config ssh_host_ed25519_key.pub sshd_config.d ssh_host_ecdsa_key ssh_host_rsa_key

Open and inspect the main configuration file

root@hostname:/etc/ssh# nano sshd_config

Look for these important lines:

# This is the main SSH server configuration file
#PermitRootLogin yes          <-- Comment this if it's enabled
# ... other configuration options ...
Include /etc/ssh/sshd_config.d/*.conf

Ensure no active directives appear above the Include line

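Key Rule: Only comments should appear above the Include directive. sshd uses the first value it reads for each keyword, so an active directive above the Include line takes precedence over the same directive in the override files. If there are active (uncommented) directives above it, comment them out and move them below the Include line.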

# CORRECT Structure:
#PermitRootLogin yes                     <-- Commented out
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no                       <-- Active directive below Include

Navigate to the override directory

root@hostname:/etc/ssh# cd sshd_config.d
root@hostname:/etc/ssh/sshd_config.d# ls
50-cloud-init.conf

Edit the override configuration file

root@hostname:/etc/ssh/sshd_config.d# nano 50-cloud-init.conf

If the file doesn't exist or is empty, add this line:

PermitRootLogin no

If it contains PermitRootLogin yes, change it to no

# Content of 50-cloud-init.conf
PasswordAuthentication yes
PermitRootLogin no            <-- Add or modify this line

Save and exit (Ctrl+X, then Y, then Enter)

Restart the SSH service

root@hostname:/etc/ssh/sshd_config.d# systemctl restart ssh
✅ Service Restarted: The SSH service has re-read its configuration files. Root login is now disabled.
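
The Key Rule from this step can be checked mechanically. The script below is an added example, not part of the original guide: it emulates sshd's first-value-wins lookup across sshd_config and its Include files, using constructed sample files. The function names first_setting and make_tree are hypothetical, and as a simplification it stops reading a file at its first Match line.

```shell
#!/bin/sh
# Added example (not from the original guide). Emulates sshd's lookup: files are
# read top to bottom, Include lines are expanded in place, and the FIRST value
# found for a keyword wins. Simplification: stops at a file's first "Match" line.

# first_setting KEYWORD FILE [BASEDIR] -> prints "value<TAB>file" for the first hit
first_setting() {
    local want file base key rest pat inc hit
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    file=$2; base=${3:-$(dirname "$2")}
    while read -r key rest || [ -n "$key" ]; do
        set -f; set -- $rest; set +f          # split the arguments without globbing
        case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
            ''|'#'*) continue ;;
            match)   break ;;
            include)
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat="$base/$pat" ;; esac
                    for inc in $pat; do       # glob expands in lexical order
                        [ -f "$inc" ] || continue
                        if hit=$(first_setting "$want" "$inc" "$base"); then
                            printf '%s\n' "$hit"; return 0
                        fi
                    done
                done ;;
            "$want") printf '%s\t%s\n' "$1" "$file"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# make_tree DIR LAYOUT: constructed sample files. "bad" keeps an active
# directive above Include; "good" comments it out, as the guide recommends.
make_tree() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\nPermitRootLogin no\n' \
        > "$1/sshd_config.d/50-cloud-init.conf"
    if [ "$2" = bad ]; then first='PermitRootLogin yes'; else first='#PermitRootLogin yes'; fi
    printf '%s\nInclude sshd_config.d/*.conf\nPermitRootLogin no\n' "$first" \
        > "$1/sshd_config"
}

demo=$(mktemp -d)
for layout in bad good; do
    make_tree "$demo/$layout" "$layout"
    printf '%s layout: ' "$layout"
    first_setting PermitRootLogin "$demo/$layout/sshd_config"
done
rm -rf "$demo"
```

On the server itself, sshd -t checks the configuration files for syntax errors before you restart the service, and sshd -T prints the values the daemon will actually use.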

Step 7: Testing the Configuration

After completing all security configurations, it's crucial to test that everything works as expected.

Log out from the root session

root@hostname:~# exit
logout
Connection to 192.168.1.100 closed.

Attempt to log in as root (this should fail)

user@local:~$ ssh root@192.168.1.100
root@192.168.1.100's password: [type password]
Permission denied, please try again.
root@192.168.1.100's password: [type password]
Permission denied, please try again.
root@192.168.1.100's password: [press Ctrl+C to cancel]

✅ Security Confirmed: Root login is successfully disabled. The PermitRootLogin no directive is working correctly.

Log in with your regular user account

user@local:~$ ssh andrew@192.168.1.100
andrew@192.168.1.100's password: [type andrew's password]
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-86-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Oct 31 12:45:23 UTC 2025

  System load:  0.08               Processes:             123
  Usage of /:   15.2% of 24.06GB   Users logged in:       0
  Memory usage: 23%                IPv4 address for eth0: 192.168.1.100
  Swap usage:   0%

andrew@hostname:~$

Verify your prompt shows non-root status

Notice the prompt has changed:

  • Username is now andrew (not root)
  • Symbol is $ (not #)
  • Directory is ~ (andrew's home directory)

Test sudo privileges

andrew@hostname:~$ sudo apt update
[sudo] password for andrew: [type andrew's password]
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
...
Reading package lists... Done
Building dependency tree... Done

✅ Sudo Working: The user can execute commands with elevated privileges using sudo.

Security Configuration Summary

Completed Security Hardening Steps

Step   Action                    Security Benefit
1      Changed root password     Eliminated default credentials vulnerability
2      Created non-root user     Enabled principle of least privilege
3      Removed default users     Reduced attack surface
4      Granted sudo privileges   Provided controlled elevated access
5      Disabled root SSH login   Prevented direct root access attacks

Best Practices and Key Takeaways

🔒 Password Security

⚠️ Critical Safety Rules

✅ Configuration Management

Common Commands Reference

Command             Purpose                            Example
passwd              Change password                    passwd andrew
adduser             Create new user                    adduser andrew
deluser             Remove user                        deluser --remove-home username
visudo              Edit sudoers file safely           visudo
systemctl restart   Restart a service                  systemctl restart ssh
cd                  Change directory                   cd /etc/ssh
ls                  List directory contents            ls -l
nano                Text editor                        nano filename
sudo                Execute with elevated privileges   sudo apt update

Next Steps

With your server now hardened with these basic security measures, you're ready to proceed with additional security configurations. In the next section, we'll continue strengthening your server's security posture with additional hardening techniques.

✅ Congratulations! You've successfully completed the foundational security configuration for your Ubuntu server. Your server is now more secure with a non-root user account, sudo privileges properly configured, and root SSH access disabled.