Linux is considered to be a well secured operating system. It is quite easy to maintain the security and protect our systems from unauthorized access by following a few simple norms or rules.
You will need access to a root or account with sudo privileges. These steps are intended for a new server setup. You can apply them selectively for the servers already in productions.
Step 1 : Install updates from the Ubuntu repository. You can install all the available updates or just select security updates, depending on your choice and requirement:
sudo apt-get update
sudo apt-get upgrade
Step 2 : Change the root password; set a strong and complex root password and note it down somewhere. You are not going to use it every day
sudo passwd
Step 3 : Add a new user account and set a strong password for it. You can skip this step if the server has already set up a non-root account, like Ubuntu
sudo adduser john
sudo passwd john
Step 4 : Add a new user to the Sudoers group:
sudo adduser john sudo
Step 5 : Enable the public key authentication over SSH and import your public key to new user's authorized_keys file.
Step 6 : Restrict SSH logins:
# Change the default SSH port
port 2222
# Disable root login over SSH
PermitRootLogin no
# Disable password authentication
PasswordAuthentication no
# Restrict users and allow IP address
AllowUsers john@(your-ip) john@(other-ip)
Step 7 : Install fail2ban to protect against brute force attacks and set a new SSH port in the fail2ban configuration
sudo apt-get install fail2ban
Step 8 : Optionally, install UFW and allow your desired ports:
sudo ufw allow from {your_IP} to any port 22 proto tcp
sudo ufw allow 80/tcp
sudo ufw enable
Step 9 : Maintain periodic snapshots (full-disk backups) of your server. Many cloud service providers offer basic snapshot tools.
Step 10 : Keep an eye on application and system logs. You may like to set up log-monitoring scripts that will e-mail any unidentified log entry.