Defense in Depth Strategy
Effective server hardening requires a layered approach. The layers, in the order this guide applies them:
1. User Access (sudo, no root) → 2. SSH Config (keys only, no password) → 3. Firewall (UFW, allow only needed ports) → 4. Intrusion Prevention (Fail2Ban)
1. System Updates
Before configuring any security measures, refresh the package lists and upgrade the installed packages so that fixes for already-known vulnerabilities are applied.
sudo apt update
sudo apt upgrade -y
sudo apt autoremove
2. User Management
Never do routine work as root. While still logged in as root for the initial setup, create a dedicated user and grant it sudo privileges.
Create a New User
adduser customuser
usermod -aG sudo customuser
Tip: Step 3 disables password logins, so install your SSH public key for the new user first (for example, from your workstation: ssh-copy-id customuser@your-server, which creates ~/.ssh/authorized_keys with the right permissions). Then log out, log back in as customuser, and confirm that sudo works before proceeding.
3. SSH Hardening
On an internet-facing host the SSH daemon is the most exposed service and the first thing brute-force bots hit. We will disable root login and enforce key-based authentication.
Edit Configuration
Open the configuration file:
sudo nano /etc/ssh/sshd_config
Required Changes
Find and modify the following lines (uncomment them if they are commented out). sshd does not accept a trailing comment on a directive line, so keep comments on lines of their own:
# Inside sshd_config
PermitRootLogin no
PasswordAuthentication no
# Optional: change the default port
Port 2222
Note: recent Ubuntu releases begin sshd_config with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it sees for each keyword. A drop-in such as 50-cloud-init.conf that sets PasswordAuthentication yes therefore silently overrides your edit. Either put these settings in a drop-in that sorts first (for example /etc/ssh/sshd_config.d/00-hardening.conf) or remove the conflicting line, and confirm the effective values with sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication|^port'.
Validate and Restart SSH Service
Check the file for syntax errors first with sudo sshd -t (no output means it parsed cleanly), keep your current session open, then restart:
sudo systemctl restart ssh
Before closing the old session, open a second terminal and confirm you can log in as customuser with your key. On Ubuntu releases that socket-activate SSH (22.10 and later) the listening port belongs to ssh.socket, so after changing Port also run sudo systemctl daemon-reload and sudo systemctl restart ssh.socket, and check with ss -tlnp that sshd is listening where you expect.
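The two rules that bite people at this step are that sshd keeps the first value it reads for a keyword and that the Include at the top of Ubuntu's sshd_config pulls in drop-ins before the rest of the file. On the live host, sudo sshd -T is the authoritative way to see the result; the script below is an added example (not part of the original tutorial) that re-implements those two rules so the check can be run against a copy of the configuration, and adds the other preflight a practitioner wants: that the sudo user actually has a key on file before passwords are switched off. The function names are mine, and the one deliberate simplification is that relative Include patterns are resolved against the directory of the file being read (real sshd resolves them against /etc/ssh).

```shell
#!/usr/bin/env bash
# Added example, not code from the original tutorial: preflight for Step 3.
# Assumption: relative Include patterns resolve against the config file's own
# directory (sshd itself uses /etc/ssh); this lets the functions run on a copy.

# Print the lines of an sshd_config in the order sshd reads them, expanding
# every Include directive in place (glob matches in sorted order).
sshd_expand_includes() {
    file=$1
    dir=$(dirname "$file")
    while IFS= read -r line || [ -n "$line" ]; do
        stripped=${line#"${line%%[![:space:]]*}"}            # drop leading blanks
        kw=$(printf '%s' "${stripped%%[[:space:]]*}" | tr 'A-Z' 'a-z')
        if [ "$kw" = include ]; then
            set -f; set -- ${stripped#*[[:space:]]}; set +f   # split patterns, no globbing yet
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$dir/$pat ;; esac
                for inc in $pat; do                           # globbing happens here
                    if [ -f "$inc" ]; then
                        ( sshd_expand_includes "$inc" )       # subshell keeps our $dir intact
                    fi
                done
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$file"
}

# Effective value of one keyword: first occurrence wins, and anything after
# the first Match block is conditional, so we stop there. Falls back to the
# OpenSSH built-in default for the three keywords this tutorial changes.
# (The rarer "Keyword=value" spelling is not handled.)
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(sshd_expand_includes "$1" | awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print $2; exit }')
    if [ -z "$val" ]; then
        case $key in
            passwordauthentication) val=yes ;;
            permitrootlogin)        val=prohibit-password ;;
            port)                   val=22 ;;
        esac
    fi
    printf '%s\n' "$val"
}

# Refuse to proceed when the effective settings are not the intended ones or
# when the sudo user has no public key installed (disabling passwords before
# the key is in place locks you out).
# Usage on the live host:  ssh_preflight /etc/ssh/sshd_config /home/customuser
ssh_preflight() {
    cfg=$1 home=$2 status=0
    pa=$(sshd_effective "$cfg" PasswordAuthentication)
    prl=$(sshd_effective "$cfg" PermitRootLogin)
    port=$(sshd_effective "$cfg" Port)
    [ "$pa" = no ]  || { echo "FAIL: effective PasswordAuthentication is '$pa' (check sshd_config.d/)"; status=1; }
    [ "$prl" = no ] || { echo "FAIL: effective PermitRootLogin is '$prl'"; status=1; }
    [ -s "$home/.ssh/authorized_keys" ] || { echo "FAIL: no key in $home/.ssh/authorized_keys"; status=1; }
    echo "sshd will listen on port $port; allow it in UFW before restarting"
    return $status
}
```

Run ssh_preflight against the real paths as root before the restart; a non-zero exit with FAIL lines tells you what to fix, and the last line reminds you which port to open in Step 4.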
4. Firewall (UFW)
Ubuntu comes with UFW (Uncomplicated Firewall). It should be enabled to deny all incoming traffic except for essential services.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Warning: If you changed the SSH port in Step 3 (e.g., to 2222), run sudo ufw allow 2222/tcp instead of sudo ufw allow ssh (which opens port 22 only), and do it before sudo ufw enable, otherwise you will lock yourself out.
5. Intrusion Prevention (Fail2Ban)
Fail2Ban watches log files (or the systemd journal) for signs of abuse, such as repeated authentication failures or probing for exploits, and temporarily bans the offending IP addresses through the firewall.
Installation
sudo apt install fail2ban -y
Configuration
Never edit jail.conf directly; package upgrades overwrite it. Put your changes in jail.local, which Fail2Ban reads after jail.conf. Copying the whole file, as below, works, but a jail.local containing only the settings you override is easier to maintain. Whichever you choose, in the [sshd] section set port to the SSH port from Step 3 (otherwise bans apply to port 22 only) and, on releases without rsyslog where /var/log/auth.log does not exist, set backend = systemd so Fail2Ban reads the journal instead of looking for a log file it cannot find:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
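To see what the sshd jail actually does, the following added example (not part of the original tutorial or of Fail2Ban) reduces it to its core: read sshd log lines in the format journalctl -u ssh -o short-iso prints, count "Failed password" events per source address inside a sliding window of findtime seconds, and report an address the moment it reaches maxretry failures, which is the point at which Fail2Ban would ban it. Unbanning after bantime and the many other patterns in Fail2Ban's real sshd filter are left out. The log lines are constructed for the demonstration, and the second function prints a minimal jail.local with the same parameters for the port chosen in Step 3.

```shell
#!/usr/bin/env bash
# Added example, not code from the original tutorial.
# usage: ban_candidates MAXRETRY FINDTIME < logfile
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
    # "YYYY-MM-DDTHH:MM:SS+ZZZZ" -> seconds since 1970-01-01 (days_from_civil
    # algorithm). The zone offset is ignored, which is fine while all lines
    # come from one journal.
    function epoch(stamp,   y, m, d, h, mi, s, era, yoe, doy, doe) {
        y = substr(stamp, 1, 4) + 0;  m = substr(stamp, 6, 2) + 0;  d = substr(stamp, 9, 2) + 0
        h = substr(stamp, 12, 2) + 0; mi = substr(stamp, 15, 2) + 0; s = substr(stamp, 18, 2) + 0
        y -= (m <= 2); era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return (era * 146097 + doe - 719468) * 86400 + h * 3600 + mi * 60 + s
    }
    # Only the "Failed password" pattern is matched here; the real filter covers more.
    /sshd\[[0-9]+\]: Failed password for / && match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ port/) {
        ip = substr($0, RSTART + 5, RLENGTH - 10)
        if (ip in banned) next                        # Fail2Ban stops counting once banned
        t = epoch($1)
        tail[ip]++; ts[ip, tail[ip]] = t               # append this failure
        if (!(ip in head)) head[ip] = 1
        while (ts[ip, head[ip]] < t - findtime) head[ip]++   # expire failures outside the window
        n = tail[ip] - head[ip] + 1
        if (n >= maxretry) {
            banned[ip] = t
            print ip, "banned at", $1, "after", n, "failures within", findtime "s"
        }
    }'
}

# Minimal jail.local with the same parameters: only the overrides, never a
# full copy of jail.conf. backend = systemd reads the journal directly, which
# is what you want where /var/log/auth.log is absent (no rsyslog); it needs
# the python3-systemd package, which apt pulls in as a recommended package.
# usage: jail_local SSH_PORT | sudo tee /etc/fail2ban/jail.local
jail_local() {
    cat <<EOF
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port    = $1
backend = systemd
EOF
}

# Constructed sample, not a real journal: one brute-forcer, one slow scanner
# that stays under the window, and a genuine user who mistyped once and then
# logged in with a key.
SAMPLE_LOG='2024-01-12T10:00:01+0000 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51234 ssh2
2024-01-12T10:00:05+0000 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
2024-01-12T10:00:09+0000 web1 sshd[4025]: Failed password for invalid user ubuntu from 203.0.113.7 port 51251 ssh2
2024-01-12T10:00:14+0000 web1 sshd[4027]: Failed password for root from 203.0.113.7 port 51263 ssh2
2024-01-12T10:00:20+0000 web1 sshd[4029]: Failed password for root from 203.0.113.7 port 51270 ssh2
2024-01-12T10:00:25+0000 web1 sshd[4031]: Failed password for root from 203.0.113.7 port 51281 ssh2
2024-01-12T10:02:00+0000 web1 sshd[4040]: Failed password for invalid user test from 192.0.2.9 port 40001 ssh2
2024-01-12T10:05:00+0000 web1 sshd[4052]: Failed password for customuser from 198.51.100.23 port 58822 ssh2
2024-01-12T10:05:10+0000 web1 sshd[4052]: Accepted publickey for customuser from 198.51.100.23 port 58822 ssh2: ED25519 SHA256:Qf0YvRkTm2P7e1lq6cN8xjVbZ3wH5aUoKsE9dGrL4Yc
2024-01-12T10:09:00+0000 web1 sshd[4061]: Failed password for invalid user test from 192.0.2.9 port 40002 ssh2
2024-01-12T10:16:00+0000 web1 sshd[4077]: Failed password for invalid user test from 192.0.2.9 port 40003 ssh2
2024-01-12T10:23:00+0000 web1 sshd[4090]: Failed password for invalid user test from 192.0.2.9 port 40004 ssh2
2024-01-12T10:30:00+0000 web1 sshd[4102]: Failed password for invalid user test from 192.0.2.9 port 40005 ssh2'
```

With maxretry 5 and findtime 600 only 203.0.113.7 is reported (five failures in 19 seconds); 192.0.2.9 never has more than two failures inside any ten-minute window, which is exactly the case a larger findtime catches. On the real host, confirm the jail is running and see its current bans with sudo fail2ban-client status sshd.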