Sign in Subscribe
Ubuntu

Secure Ubuntu Server 24.04

How to securely setup an Ubuntu Server 24.04 in a VPS.

Jake

Jake

3 min read
Secure Ubuntu Server 24.04
Photo by Gabriel Heinzer / Unsplash

We’re going to go about a practical way of securing your Ubuntu server after provisioning it. If you have to provision your ubuntu server, please see the guide below.

Ubuntu Server Provisioning
Learn how to provision an Ubuntu Server from scratch.
Forthright EngineerJake

After provisioning the server we will need to secure the server. The first step is to ensure you have SSH access via SSH Keys only and you are not allowing login via password. This will help prevent brute forcing.

Follow the guide below to generate your SSH keys if you have not already. If you already have generated them, please follow the guide to copy your public SSH key to the sever.

Generate SSH Keys
Three steps to generate and install your own SSH keys. Never use a password to log into the Linux server again.
Forthright EngineerJake

Now that you’ve logged in using your SSH keys, you will need to set up the firewall to prevent anyone else from accessing it. YOu’re going to need to know your public IP addresses to create the firewall rules needed. Please follow the guide below to discover your public IP address.

How to find out your Public IP Address
Your IP Address is your number on the Internet. It’s similar to your home address or personal cell phone number. IPv4 is the bulk of the internet. It is comprised of four sets of numbers that range from 0 - 255. Example 1.1.1.1. IPv6 is required today
Forthright EngineerJake

We’re going to be using the Uncomplicated FireWall (UFW) to configure the firewall on the server. If you’d like to understand in greater detail how to configure the firewall, you can read this article below.

Using UFW to Rate Limit SSH Connections for Security
ufw limit allows up to six new connections every 30 seconds. If exceeded, the source IP is temporarily banned for 30 seconds.
Forthright EngineerJake

Grab your public IP addresses

curl -4 ifconfig.me
curl -6 ifconfig.me

Then figure out the outbound interface of your server. It can be eth# ens# eno# and others. 

ip route list | grep default

The output of this command will be similar to this: 

default via 1.1.1.1 dev ens6 proto dhcp src 1.1.1.2 metric 100

What we want is the name directly after dev. In this case it was ens6.

Now we can craft our commands to secure the firewall. 

sudo ufw limit in on ens6 from [IPv4] port 22 proto tcp
sudo ufw limit in on ens6 from [IPv6 Network] port 22 proto tcp
sudo ufw enable
yes

Now your firewall will be enabled and it will only allow SSH traffic from you to the public interface. It will be rate limited so even a device on your network is not able to brute force it and it will require an SSH key.

Recap

  1. We provisioned an Ubuntu server with
    1. a network firewall only allowing traffic from our home.
    2. security updates applied during the install process
    3. an SSH key installed and password authentication disallowed.
  2. We made a software firewall rule on the UFW of the Ubuntu server to make sure only you can access the server. (This prevents local brute forcing from inside the VPS hosting company.)

Read more