Roman Chursanov
Back to blog
Sep 11, 2024
3 min read

Linux Server Security Hardening Guide

Detailed best practices for securing Ubuntu 24.04 server infrastructure

Overview

This guide provides comprehensive security hardening techniques for Ubuntu 24.04 servers, focusing on implementing robust security measures through best practices and principle of least privilege.

Prerequisites

  • Ubuntu 24.04 LTS Server
  • Sudo access
  • Basic Linux command-line knowledge

1. Non-Root User Configuration

Create a non-privileged user account to enhance system security:

# Add new user
sudo adduser <username>

# Grant sudo privileges
sudo usermod -aG sudo <username>

Secure the root account:

# Disable direct root login
sudo usermod -s /sbin/nologin root
sudo passwd -l root

Best Practices

  • Use a strong, randomly generated passphrase
  • Limit direct root access
  • Use sudo -s for temporary root shell access when necessary

2. System User Management

Create dedicated system users for specific applications:

# Create system user for an application
sudo adduser --system --home /opt/app --shell /sbin/nologin --group appuser

Example systemd service configuration (/etc/systemd/system/app.service):

[Unit]
Description=Application Service
After=network.target

[Service]
User=appuser
Group=appuser
Type=simple
Restart=always
ExecStart=/opt/app/run.sh

[Install]
WantedBy=multi-user.target

3. SSH Hardening

Generate a strong SSH key:

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

Configure /etc/ssh/sshd_config:

# SSH Hardening Configuration
Protocol 2
MaxAuthTries 3
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
KbdInteractiveAuthentication no
X11Forwarding no

Restart SSH service:

sudo systemctl restart ssh

4. Firewall Configuration

Install and configure UFW:

# Install firewall and dependencies
sudo apt update
sudo apt install -y iptables ipset ufw curl wget

# Allow SSH and enable firewall
sudo ufw allow <ssh_port>/tcp comment "OpenSSH"
sudo ufw enable

For Docker compatibility, follow UFW Docker configuration guidelines.

5. Nginx Security Hardening

Add security headers to Nginx configuration:

# Security Headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;

# Block Common Exploits
include /etc/nginx/block-exploits.conf;

# Prevent Search Engine Indexing
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" always;
location /robots.txt {
    return 200 "User-agent: *\nDisallow: /\n";
}

6. Fail2Ban Configuration

Install and configure Fail2Ban:

sudo apt install -y fail2ban

Create /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 1d
findtime = 15m
maxretry = 3
backend = auto

[sshd]
port = <your_ssh_port>

[nginx-http-auth]
enabled = true
mode = aggressive

[nginx-bad-request]
enabled = true

[nginx-botsearch]
enabled = true

7. CIS Benchmarks Considerations

  • Review CIS Benchmarks for Ubuntu
  • Use Ubuntu Security Guide for automated auditing
  • Carefully evaluate and apply Level 1 security profiles

Additional Recommendations

  • Use strong, unique passwords
  • Implement multi-factor authentication
  • Regularly update system packages
  • Monitor system logs
  • Conduct periodic security audits

Conclusion

Implement these practices incrementally, testing each step to ensure system stability and security.

Prev
Mastering SSH Key Generation
Next
Mastering SSH Key Generation