Ubuntu 20.04 security hardening | IT blog (2023)

I've mentioned it several times before and will probably mention it again: CentOS is no longer a viable option for anything in my workflow that needs stability, so I'm concentrating on the Debian/Ubuntu side. The first thing to do on any machine, especially one that faces the Internet, is to harden it. I'll go through some of my steps for Ubuntu here.

This guide assumes that you are doing this on a clean Ubuntu machine with no prior installation or maintenance. It mainly focuses on SSH as it is a constantly running service on your server. If you install other services on your server, also review the security practices of those services.

Log in to your server via SSH. I have a few VPS machines for testing purposes so I'll use them for that.

xxx.xxx.xxx.xxx is the public (or private) IP address of the Ubuntu machine you want to connect to.

ssh root@xxx.xxx.xxx.xxx

Before you try any of this on a server that already holds data, make sure you have a backup. If you make a mistake, you can always go back to the previous state.

Update the software

Always my first step: bring the installed software up to date.

sudo apt update
sudo apt upgrade

Create a new user

Using the root account for everything (even for legitimate administration) is not a good idea, especially if you are exposing a machine to the Internet. I'll create a user called zeljko and use it for all my administrative purposes. Later we will disable the root user.

adduser zeljko

We will also add the user zeljko to the sudo group.

usermod -aG sudo zeljko

and we will test that everything is okay.

First, let's switch from the root account we are logged in as to the newly created zeljko account. Instead of username, I put my account name, zeljko.

su - username

After changing from root to zeljko, let's check that zeljko is now part of the sudo group by running a command with sudo

sudo whoami

The command returned root, which means we have sudo privileges.

Type

exit

to return to the root account, and then log out of SSH. We will log in again with the created zeljko account and continue to manage our machine from there.

Also, it's an opportunity to see if all is well with our new user before continuing with the setup.

Enter ssh again, this time using your created account. I'm going in with Zeljko.

ssh zeljko@xxx.xxx.xxx.xxx

Lock root out of SSH login

The first step is to forbid the root account from logging in over SSH.

sudo nano /etc/ssh/sshd_config

Locate the following line and change it to no. On Ubuntu 20.04 it ships commented out as prohibit-password, which already refuses root passwords but still lets root in with a key; no closes that door as well.

PermitRootLogin no

Save the changes and exit the file.

Now let's restart the SSH server

sudo systemctl restart ssh

I tried to connect to the root user via ssh, but got a "Permission denied" message. That's good.

Change the SSH port and limit authentication attempts

While we're in the SSH setup, we'll also change the default SSH port from 22 to 222. This is optional; you can do it or not.

If you move SSH off port 22, you can choose any free port (as long as no other service is listening on it); it doesn't have to be 222.

This mainly cuts down the noise in your logs from bots scanning common ports. It is not a security control on its own: a full port scan finds SSH on any port within seconds, so treat it as a convenience, not a substitute for the other steps.

Before changing the SSH port, let's first check whether the firewall is active. If it is, we need to let port 222 through before restarting SSH; if not, we do that when we configure the firewall later.

To check whether the firewall is enabled, type

sudo ufw status

My firewall is inactive so I'll configure it later. If your firewall is active, enter the following.

This rule is probably already present if you can log in via SSH

sudo ufw allow ssh

And this is the new one we need so that we don't get locked out after changing the SSH port

sudo ufw allow 222

Now we are going to change the port.

sudo nano /etc/ssh/sshd_config

Locate the following lines, uncomment them (remove the #) and set them as follows.

Port changes the listening port from 22 to 222. MaxAuthTries caps the number of authentication attempts a client gets within a single connection (the default is 6) before sshd drops that connection; it does not block the IP address, so a bot simply reconnects and tries again. Banning repeat offenders by address is what Fail2Ban does, further down.

Port 222
MaxAuthTries 5

Save and exit the file.

Restart the ssh service

sudo systemctl restart ssh

I was immediately disconnected from my SSH session, and when I tried to log in again the connection was refused, because the client still went to port 22.

The command we now need to log back in over ssh is

ssh zeljko@xxx.xxx.xxx.xxx -p 222

If you don't use port 222 and stick with the default port 22, omit the -p 222 option.

Alright, this part is done.

Other SSH settings

We'll go through a few more settings in the SSH configuration file; see which of them suit your workflow.

So let's edit

sudo nano /etc/ssh/sshd_config

Protocol 2

Older guides tell you to add Protocol 2 here. SSH-2 (the protocol standardized in RFC 4251 to 4254 in 2006) has long been the only protocol OpenSSH speaks: server-side SSH-1 support was removed in OpenSSH 7.4 and client-side support in 7.6, and Ubuntu 20.04 ships OpenSSH 8.2, so the Protocol directive is a no-op there. Adding it does no harm, but you are not turning off anything that was on.

Protocol 2

Restart SSH

sudo systemctl restart sshd

To test the setup, I disconnected my SSH session and tried protocol 1 first by passing the -1 switch

ssh -1 zeljko@xxx.xxx.xxx.xxx -p 222

I got the error "SSH protocol v.1 is no longer supported". Note that this message comes from the ssh client on my PC, which dropped SSH-1 as well; either way, nothing can reach the server over protocol 1.

When I try to log in with option -2

ssh -2 zeljko@xxx.xxx.xxx.xxx -p 222

This worked and I was able to log in. You can omit the -2 option from your ssh command; it works the same.

Idle timeout value

Leaving your PC unattended while your SSH connections are active could be a problem. To be honest, I don't find this setting all that important, because an open SSH connection is the least of my worries if someone gets physical access to my PC.

If you want, you can uncomment and set the following value (I set it to 180 seconds, which is 3 minutes).

ClientAliveInterval 180

Be aware of what this actually does: every 180 seconds sshd sends a keepalive request through the encrypted channel, and after ClientAliveCountMax (default 3) unanswered requests it drops the connection. A running ssh client answers these automatically, so the setting cleans up dead connections (laptop lid closed, network gone) rather than logging out a user who is idle at an open terminal. For a real idle logout you also need a shell timeout, for example TMOUT for bash.

Restrict SSH access to certain users

You can define which user accounts are allowed to connect over SSH; all other users are rejected. I will allow access to two users, zeljko and informataticar.

Add the following line to your sshd_config file. Double-check that your own account is in the list before you restart, otherwise you lock yourself out.

AllowUsers zeljko informataticar

You need to restart the ssh service after adding this

sudo systemctl restart sshd
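To pull the sshd_config changes from the last few sections together (PermitRootLogin, Port, MaxAuthTries, ClientAliveInterval, AllowUsers), here is an added example script that is not from the original post. It applies the settings idempotently, rewriting commented or existing lines instead of appending duplicates, and asks sshd to validate the file before anything is restarted. Port 222 and the user names zeljko and informataticar are the values used in this post; the function names and the backup path are my own. Run with --apply (as root) to touch the live config; without it the script only defines the functions, so you can source it and try it against a copy of your sshd_config first.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): idempotent sshd_config edits
# with a syntax check before restart.
set -eu

# set_sshd_option FILE KEY VALUE
# Turns every top-level "KEY ..." or "#KEY ..." line into "KEY VALUE", or
# appends the line if KEY is absent. sshd uses the first occurrence of a
# keyword, so a stale duplicate left behind would silently win; rewriting
# all occurrences avoids that. Match blocks are not handled: use this for
# global options only.
set_sshd_option() {
  local file=$1 key=$2 value=$3
  if grep -qE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY -> prints the value of the first active KEY line
get_sshd_option() {
  local file=$1 key=$2
  awk -v k="$key" '$1 == k { sub("^" k "[[:space:]]+", ""); print; exit }' "$file"
}

# harden_sshd FILE PORT "USER1 USER2 ..."
# The settings from this post. Protocol is deliberately not set: sshd only
# speaks SSH-2 on OpenSSH 7.4+, so the directive is a no-op there.
harden_sshd() {
  local file=$1 port=$2 users=$3
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" MaxAuthTries 5
  set_sshd_option "$file" ClientAliveInterval 180
  set_sshd_option "$file" ClientAliveCountMax 3
  set_sshd_option "$file" AllowUsers "$users"
}

# validate_sshd_config FILE -> non-zero if sshd rejects the file.
# sshd -t has to read the host keys, so the check only runs as root.
validate_sshd_config() {
  local file=$1
  if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$file"
  else
    echo "not root or sshd missing: skipping sshd -t" >&2
  fi
}

# Live run: back up, edit, validate, and only then restart.
if [ "${1:-}" = "--apply" ]; then
  cfg=/etc/ssh/sshd_config
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  harden_sshd "$cfg" 222 "zeljko informataticar"
  validate_sshd_config "$cfg"
  systemctl restart ssh
  echo "sshd now listens on port $(get_sshd_option "$cfg" Port)"
fi
```

Because harden_sshd rewrites matching lines rather than appending, running it twice leaves exactly one line per directive, which matters given sshd's first-match rule. Keep a second SSH session open while you restart, and confirm ssh -p 222 works with your own account before closing it.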

Firewall settings

Ok, we looked at this a bit when configuring the custom port for SSH.

You can check the status of your firewall by typing the following

sudo ufw status

We have already established that my firewall is not active.

First we will allow outgoing connections by default but block incoming connections.

sudo ufw default allow outgoing
sudo ufw default deny incoming

We need to let SSH through (if you haven't changed the default port 22 to 222)

sudo ufw allow ssh

Since I changed the SSH port to 222, I need to allow port 222 in instead of the default SSH rule above (if you added the port 22 rule earlier, remove it again with sudo ufw delete allow ssh).

sudo ufw allow 222

Now we can activate our firewall

sudo ufw enable

ufw warns that the command may disrupt existing SSH connections; that is exactly why the allow rule had to come first. Now if we check our ufw status

sudo ufw status

After that, I rebooted the server and logged in to SSH again with no problem.

Completely disable the root account on your system

In addition to disabling root user login via SSH, you can also completely disable the root account on your system.

To disable the root account, lock its password

sudo passwd -l root

This does not break sudo: you can still become root with sudo -i from your own account. If you need to reactivate the root user, set a new password for it

sudo passwd root

You will need to enter the new password twice and the account is usable again.

enable 2FA

You should make a habit of this, as it takes the security of your Internet-facing servers to a whole new level.

We install Google Authenticator

sudo apt install libpam-google-authenticator

We need to change the /etc/pam.d/sshd file so that PAM asks for the Google Authenticator code...

sudo nano /etc/pam.d/sshd

Add the following line (I added it at the end of the file)

auth required pam_google_authenticator.so

A word of caution before you restart sshd: once this line is in place, any user who has not yet run google-authenticator has no ~/.google_authenticator file and will be refused. Set up every account that logs in over SSH first, or append nullok to the line (auth required pam_google_authenticator.so nullok) so that users without a configured token are still let in, and keep your current session open until you have confirmed that a fresh login works.

The next file we need to edit is

sudo nano /etc/ssh/sshd_config

Change the following line to yes

ChallengeResponseAuthentication yes

Now we are going to configure Google Authenticator for the user zeljko. Just run it in the terminal

google-authenticator

and answer the prompts:

Do you want authentication tokens to be time-based? - y

After answering y to the first question, you receive a QR code, the secret key and emergency scratch codes. Open Google Authenticator on your Android/iPhone and scan the QR code. Also write down the secret key and the emergency scratch codes.

Do you want me to update your ~/.google_authenticator file? - y
Do you want to disallow multiple uses of the same authentication token? - y
Do you want to increase the window to allow for up to 4 minutes of time skew? - n
Do you want to enable rate-limiting? - y

Now let's restart the ssh service

sudo systemctl restart ssh

I'll also log out of my SSH session and hope for the best when I try to log in again.

Success, my verification code was accepted.

Passwordless authentication over SSH

You can also use public key authentication instead of passwords, which is convenient if you frequently log in to your servers from the same computer. It is highly recommended and safe when used correctly; once your key login works, set PasswordAuthentication no in sshd_config so that password guessing stops mattering at all. If you want to use this, take a look at my blog post about this type of authentication.

Install Fail2Ban

Fail2Ban is an IPS (Intrusion Prevention System): it monitors system logs for failed login attempts and other unusual behaviour, and when it detects repeated failures from one source it bans that IP address for a configurable time.

To install Fail2Ban

sudo apt-get install fail2ban

Let's check the status of the fail2ban service

sudo systemctl status fail2ban

Now let's create a jail.local file. The /etc/fail2ban folder contains jail.conf; we will not edit that file, because package upgrades overwrite it. Create jail.local as follows

sudo nano /etc/fail2ban/jail.local

Add the following to the file. If your SSH is on port 22, specify that instead of 222. Instead of xxx.xxx.xxx.xxx put your own IP address if you have a fixed one, so that you can never ban yourself.

[DEFAULT]
bantime = 8h
ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx
ignoreself = true

[sshd]
enabled = true
port = 222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Save the file and exit.

Restart fail2ban

sudo systemctl restart fail2ban

To list the banned offenders, ask the fail2ban client (the jail name is sshd)

sudo fail2ban-client status sshd

or look directly at the iptables chain fail2ban maintains for that jail

sudo iptables -L f2b-sshd --line-numbers

To lift a ban, enter

sudo fail2ban-client set sshd unbanip xxx.xxx.xxx.xxx

This is preferable to deleting rules by number from the f2b-sshd chain with iptables -D, because fail2ban's own record of the ban stays consistent with the firewall.
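Before relying on the jail above, it helps to see what it will actually match. The following is an added example and not part of the original post: a shell function that mirrors the core of the sshd jail (counting sshd "Failed password" and "Invalid user" lines per source address, honouring an ignoreip list of exact addresses, and reporting sources that reach maxretry) over a log file. It ignores findtime, so it counts more than fail2ban, which only counts failures within a time window. The log lines are constructed for the example with RFC 5737 documentation addresses; the function names and the --report and --demo switches are my own. Run it with --report against /var/log/auth.log to see who has been knocking on your own server.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a dry run of the sshd jail's
# matching logic over an auth.log, to sanity-check maxretry and ignoreip.
set -eu

# failed_ssh_by_ip LOGFILE [MAXRETRY] ["IP1 IP2 ..."]
# Prints "count ip", highest first, for every source address with at least
# MAXRETRY matching lines, skipping exact addresses given in the third
# argument (fail2ban's ignoreip also accepts CIDR ranges; this does not).
# As in fail2ban's sshd filter, the "Invalid user" line and the following
# "Failed password for invalid user" line each count as one failure.
failed_ssh_by_ip() {
  local log=$1 maxretry=${2:-3} ignore=${3:-}
  awk -v max="$maxretry" -v ignore=" $ignore " '
    /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip != "" && index(ignore, " " ip " ") == 0) n[ip]++
    }
    END { for (ip in n) if (n[ip] >= max) printf "%d %s\n", n[ip], ip }
  ' "$log" | sort -rn
}

# Constructed sample lines in /var/log/auth.log format (not real traffic).
sample_auth_log() {
  cat <<'EOF'
Jun 24 10:01:02 vps sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun 24 10:01:05 vps sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun 24 10:01:09 vps sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun 24 10:02:11 vps sshd[1210]: Invalid user admin from 198.51.100.23 port 41234
Jun 24 10:02:13 vps sshd[1210]: Failed password for invalid user admin from 198.51.100.23 port 41234 ssh2
Jun 24 10:03:40 vps sshd[1222]: Accepted publickey for zeljko from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:constructed
Jun 24 10:04:01 vps sshd[1230]: Failed password for zeljko from 192.0.2.10 port 52010 ssh2
EOF
}

if [ "${1:-}" = "--report" ]; then
  # maxretry 3 as in jail.local; pass your own address as the second argument
  failed_ssh_by_ip /var/log/auth.log 3 "${2:-}"
elif [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  sample_auth_log > "$tmp"
  echo "would be banned with maxretry=3:"
  failed_ssh_by_ip "$tmp" 3
  echo "with maxretry=1, ignoring 192.0.2.10:"
  failed_ssh_by_ip "$tmp" 1 "192.0.2.10"
  rm -f "$tmp"
fi
```

On the sample, maxretry 3 flags only 203.0.113.7; the invalid-user attempt from 198.51.100.23 counts twice but still stays under the limit, and the single typo from the admin's own 192.0.2.10 never appears once that address is on the ignore list. That is the behaviour you want to see before the real jail starts banning.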

Install antivirus protection

This is a hotly debated topic in the Linux community: should I install an antivirus on Linux or not?

It is completely up to you, you have to assess your risks and the type of workload you will be handling and in the end decide if you want AV on your Linux. There are not many good AV solutions for Linux that I can recommend or know about... Ubuntu official website mentions AVAST, NOD32, F-PROT, Panda, Sophos, Symantec... Some of them are only compatible with certain versions of Linux supported.

ClamAV is a free antivirus program; to install it run the following

sudo apt-get install clamav clamav-daemon -y

To update the signature database by hand, we must first stop the freshclam service, which otherwise holds the database lock

sudo systemctl stop clamav-freshclam

Update the database with

sudo freshclam

then start the service again and enable it at boot

sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-freshclam

See the ClamAV documentation for details on scanning, maintenance, etc.

The second thing worth noting is rkhunter, which can run a quick scan for rootkits.

sudo apt-get install rkhunter

Record a baseline of file properties right after installation (and again after package upgrades), so that the file-properties check has something trustworthy to compare against

sudo rkhunter --propupd

To scan your system, run

sudo rkhunter -c

Conclusion

These are the most basic tips to get you started. For each service you enable on your server, check the documentation and the web: find best practices and security tips and make sure you implement them. Do your research and make sure you have the right measures for your situation and workload. Absolute security does not exist in IT, but known risks can at least be minimized.

Last Updated: 24/06/2023
