Basic Security Checklist for Ubuntu Server 20.04

Contents

  • Disabling SSH login via the root user
  • Changing default sshd port
  • Generating RSA SSH keys on the local machine
  • Copying RSA.pub key to the server
  • Disabling plain-text password logins (enforcing RSA key usage)
  • Setting up Uncomplicated Firewall UFW

/!\ Keep a second SSH session open in another terminal while changing sshd settings, so a mistake does not lock you out. Validate the edited file with sudo sshd -t before each restart, and only close the spare session once a fresh login succeeds.

Server: Disable SSH Login for the Root User

  1. If you don’t have a user besides root, see this for user creation instructions.
    cat /etc/sudoers (and any files in /etc/sudoers.d/) to verify that the user is granted sudo, either directly or through the sudo group (getent group sudo lists the group's members). Do this before locking root out, or you lose administrative access.
  2. sudo nano /etc/ssh/sshd_config
  3. Ctrl+W for PermitRootLogin
  4. Uncomment the line and set it to no. Ubuntu's default, prohibit-password, still lets root in with a key; no refuses root entirely.
  5. Restart the SSH daemon (the unit is called ssh on Ubuntu 20.04; sshd is an alias):
    sudo systemctl restart ssh
  6. Test: ssh root@server should now be refused while your regular user still gets in.

Server: Change Default SSH Port

  1. Log in to the remote host.
  2. Confirm the current sshd port (default is 22):
    sudo netstat -tulnp | grep ssh
    (netstat needs the net-tools package on 20.04; ss -tulnp is the preinstalled equivalent.)
  3. sudo nano /etc/ssh/sshd_config
  4. Ctrl+W for Port 22
  5. Uncomment the line and set the desired port number. If UFW is already enabled, allow the new port first (ufw allow <port>/tcp), or the restart will cut off new connections. Moving the port only reduces scanner noise in the logs; it is not a substitute for the key-only login enforced below.
  6. Restart the SSH daemon:
    sudo systemctl restart ssh
  7. Verify the port change:
    sudo netstat -tulpn | grep ssh

(i) Connecting to a custom port from the client:
ssh -p 22000 user@192.168.1.100

Client: Generate SSH RSA Keys

Related article used in this step: SSH-keygen Returns Error on Key Creation “No Such File or Directory” (ssh-keygen prints this when the directory named in -f does not exist yet).

  1. Take note of existing SSH keys so you do not overwrite one:
    ls -l ~/.ssh/id_*.pub
  2. Generate an RSA key pair:
    ssh-keygen -t rsa -b 4096 -f /path/to/key -C "note for reference or contact details (optional)"
  3. Follow the prompts; set a passphrase so a copied private key is useless on its own.
  4. Verify key generation: ls -l /path/to/key* (or ls ~/.ssh/id_* if you accepted the default path). If successful, there are two files: the private key and the .pub public key. The private key must stay on the client and keep its 0600 permissions.

Client: Copy RSA Public Key

  1. ssh-copy-id -p <port> -i <path/to/.pub/file> remote_username@server_ip_address
    (i)
    use -n for a dry run that shows which keys would be installed without changing the server
  2. Enter the remote user's password.
  3. ssh-copy-id reports how many keys were added. Before going on, confirm a key login works:
    ssh -p <port> -i <path/to/private/key> remote_username@server_ip_address

Server: Disable Plain-Text Password Authentication Over SSH

  1. Check sshd_config and its drop-in directory for overrides (on 20.04 the main file starts with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for a keyword):
    grep -i passwordauthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
  2. sudo nano /etc/ssh/sshd_config
  3. Ctrl+W for passwordauth
  4. Uncomment the line and set it to no. Leave ChallengeResponseAuthentication no as shipped in Ubuntu's config; otherwise sshd can still prompt for a password through keyboard-interactive authentication.
  5. Restart the SSH service:
    sudo systemctl restart ssh
  6. Verify, from the second terminal, without closing the working session:
    1. Move the RSA keys out of the local ~/.ssh (or pass -o PubkeyAuthentication=no so the client does not offer them).
    2. Try to log in with a password: ssh -p <port> remote_username@server_ip_address
    3. Expected response:
      Permission denied (publickey).
    4. Log back in with ssh -i <identity name> to confirm the key path still works.

(i) by default, ssh offers ~/.ssh/id_rsa (and the other default key names). Use -i to connect with a key stored elsewhere, or add it to ~/.ssh/config for that host.
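The three server-side sections above (root login, port, password authentication) each end with a grep or a manual test. The script below is an added example, not part of the original checklist: it audits those settings the way sshd itself resolves them, taking the first value it reads for each keyword and ignoring anything after a Match line. It assumes the files are passed in the order sshd reads them; on Ubuntu 20.04 the stock /etc/ssh/sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so drop-ins come first and win. The function names and the PASS/FAIL output format are this example's own.

```sh
#!/bin/sh
# Added example for this checklist (not from the original page): audit the
# sshd settings above using sshd's own "first value wins" rule. Assumption:
# files are given in the order sshd reads them (drop-ins first on 20.04).
# On a live host "sudo sshd -T" is the authoritative view; this script is for
# checking config files offline, in a repository, or across many hosts.

# effective_sshd_option KEYWORD FILE...
# Prints the first global (pre-Match) value of KEYWORD, lowercased, or
# "default" when no file sets it.
effective_sshd_option() {
    kw=$1; shift
    val=$(awk -v kw="$kw" '
        NF == 0 || $1 ~ /^#/       { next }   # blank lines and comments
        tolower($1) == "match"     { exit }   # rest of the file is conditional
        tolower($1) == tolower(kw) { print tolower($2); exit }  # first match wins
    ' "$@" 2>/dev/null)
    printf '%s\n' "${val:-default}"
}

# sshd_ports FILE...
# Prints every global Port value (sshd listens on all of them), or 22.
sshd_ports() {
    ports=$(awk '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port"  { printf "%s ", $2 }
    ' "$@" 2>/dev/null)
    ports=${ports% }
    printf '%s\n' "${ports:-22}"
}

# audit_sshd FILE...
# One PASS/FAIL line per checklist item; exit status 1 if anything fails.
audit_sshd() {
    rc=0
    root=$(effective_sshd_option PermitRootLogin "$@")
    pw=$(effective_sshd_option PasswordAuthentication "$@")
    ports=$(sshd_ports "$@")
    if [ "$root" = no ]; then echo "PASS PermitRootLogin=$root"
    else echo "FAIL PermitRootLogin=$root (Ubuntu's default prohibit-password still admits root with a key)"; rc=1; fi
    if [ "$pw" = no ]; then echo "PASS PasswordAuthentication=$pw"
    else echo "FAIL PasswordAuthentication=$pw (sshd's default is yes)"; rc=1; fi
    case " $ports " in
        *" 22 "*) echo "FAIL Port=$ports (still listening on 22)"; rc=1 ;;
        *)        echo "PASS Port=$ports" ;;
    esac
    return $rc
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
[ $# -eq 0 ] || audit_sshd "$@"
```

The point of reading files in sshd's order is that a drop-in such as /etc/ssh/sshd_config.d/10-hardening.conf saying PasswordAuthentication no wins over a later PasswordAuthentication yes in the main file, while a yes placed in a drop-in silently defeats the edit made in step 4; a plain grep shows both lines and leaves you to guess. After editing, run sudo sshd -t to catch syntax errors and sudo sshd -T to confirm the values sshd will actually use.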

Server: Install/Run and Configure UFW (Uncomplicated Firewall)

  1. Check whether UFW is installed and whether it is active: sudo ufw status
    Ubuntu Server 20.04 ships it but leaves it inactive. If it is missing: sudo apt install ufw
  2. Get an overview of listening ports: sudo netstat -tulpn (or ss -tulpn)
  3. Allow your SSH port before enabling the firewall, or the enable step cuts off new connections:
    sudo ufw allow <ssh port>/tcp
    sudo ufw default deny incoming
    sudo ufw enable
    Afterwards open and close ports with sudo ufw allow <port> and sudo ufw deny <port>.
  4. Verify the firewall configuration with nmap from a different machine (a scan from the server itself goes over loopback, which UFW allows):
    nmap -p- <server ip> for ports 1 through 65535
    or nmap -p <comma-separated list of ports> <server ip>
    Only the SSH port and the services you opened should show as open; everything else should be filtered.
  5. Install relevant software and repeat steps 2 to 4.
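The order of the UFW steps matters more than the individual commands, so here is the procedure as an added example script rather than code from the original page. It queues the default policy and the SSH rule, uses ufw's limit action (a built-in rate limit of 6 new connections per 30 seconds per source) instead of a plain allow for SSH, and only then enables the firewall non-interactively. SSH_PORT is assumed to equal the Port value in sshd_config (22 if that step was skipped); the extra ports and the function names are this example's own.

```sh
#!/bin/sh
# Added example for this checklist (not from the original page): bring UFW up
# in an order that cannot lock you out. Assumptions: run as a sudo-capable
# user, SSH_PORT matches the Port line in sshd_config, any extra ports are TCP
# services you installed, and --force makes "ufw enable" skip its prompt.

# ufw_plan SSH_PORT [TCP_PORT...]  -> the ufw commands, one per line, in order
ufw_plan() {
    ssh_port=$1; shift
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw limit $ssh_port/tcp"          # keep SSH reachable, rate-limited
    for p in "$@"; do
        echo "ufw allow $p/tcp"
    done
    echo "ufw --force enable"               # only after the SSH rule is queued
    echo "ufw status verbose"               # confirm policy and rules
}

# ufw_apply SSH_PORT [TCP_PORT...]
# Runs the plan with sudo; with DRY_RUN=1 it only prints what it would run.
ufw_apply() {
    ufw_plan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "${DRY_RUN:-0}" != 1 ]; then
            sudo $cmd || exit 1             # stop at the first failure
        fi
    done
}

# Usage: DRY_RUN=1 sh ufw_setup.sh 22000 80 443   (review, then run without DRY_RUN)
[ $# -eq 0 ] || ufw_apply "$@"
```

Run it first with DRY_RUN=1 and read the plan; the limit line for the SSH port must appear before --force enable. After the real run, repeat the nmap scan from step 4 from another host: the SSH port and the listed services should be open and every other port filtered.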

References

  1. How Do I Disable SSH Login for the Root User?
  2. How to Change SSH Port in Ubuntu 18.04
  3. How to Use SSH Public Key Authentication
    * note the more advanced use cases at the bottom of the article
  4. How to Set Up SSH Keys on Ubuntu 20.04
  5. UFW – Community Help Wiki
  6. Ubuntu Manpage: ufw – program for managing a netfilter firewall
