When setting up an Ubuntu server for production, securing the system is crucial to ensure its stability, safety, and accessibility. Although Ubuntu comes with many built-in security features, it’s important to take extra steps to protect your system from unauthorized access and attacks.
In this guide, we’ll cover three essential tools to enhance your Ubuntu server security: UFW (Uncomplicated Firewall), Fail2ban, and AppArmor. These tools will help secure your server by controlling network access, preventing brute-force login attempts, and protecting applications.
1. Securing Network Access with UFW (Uncomplicated Firewall)
Ubuntu comes with a user-friendly firewall configuration tool called UFW (Uncomplicated Firewall), which provides a simple interface to manage firewall rules based on iptables.
Install and Enable UFW
In most Ubuntu installations, UFW is pre-installed, but if it is not installed and enabled, you can install and enable it using the following commands.
sudo apt update && sudo apt install ufw -y sudo ufw enable
Deny Unwanted Services
To block all incoming traffic by default and only allow specific ports, configure UFW to deny all incoming traffic, except for the services you explicitly allow:
sudo ufw default deny incoming sudo ufw default allow outgoing
Allow Essential Services
To allow essential services such as SSH (for remote management), HTTP, and HTTPS (for web server access), you can use the following commands:
sudo ufw allow ssh sudo ufw allow http sudo ufw allow https
Rate Limiting (Prevent Brute Force Attacks)
To further protect your server from brute-force attacks, you can use UFW’s rate limiting feature, which limits the number of SSH connection attempts a client can make in a given time period.
sudo ufw limit ssh
This command allows SSH connections, but limits the number of attempts to 6 per minute, blocking any IP addresses that exceed this limit.
2. Blocking Brute Force Attacks with Fail2ban
Fail2ban is an essential tool for protecting your server against brute-force attacks by monitoring log files for repeated failed login attempts and blocks the offending IP addresses.
Fail2ban can be installed from the default Ubuntu repositories:
sudo apt install fail2ban
The default configuration file for Fail2ban is located in /etc/fail2ban/jail.conf. However, it is recommended not to modify this file directly. Instead, create a copy of the configuration to customize your settings:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now, open the jail.local file for editing:
sudo nano /etc/fail2ban/jail.local
Ensure that the [sshd] section is enabled (uncomment the lines) to protect your SSH service and modify the following options:
enabled: Set this to true to activate SSH protection.port: Specify the port SSH is running on (default is 22).maxretry: Define the maximum number of failed login attempts before banning an IP address.bantime: Define the duration of the ban (in seconds).findtime: Set the time frame in which the failed attempts are counted.
For example:
[sshd] enabled = true port = ssh maxretry = 5 bantime = 3600 # Ban IP for 1 hour findtime = 600 # Count attempts within 10 minutes
Once you have saved your changes, restart Fail2ban to apply the new configurations.
sudo systemctl restart fail2ban
To check the status of Fail2ban and see the active jails:
sudo systemctl restart fail2ban sudo fail2ban-client status sshd
Fail2ban is now actively protecting your server from brute-force SSH login attempts.
3. Using AppArmor for Application Security
AppArmor is a Mandatory Access Control (MAC) system that provides an additional layer of security by enforcing policies for individual applications.
In most Ubuntu installations, AppArmor is pre-installed and enabled, If it isn’t enabled, you can start and enable it to run on boot:
sudo systemctl enable apparmor sudo systemctl start apparmor
Create Custom AppArmor Profiles
AppArmor profiles define what system resources an application can access; by default, AppArmor profiles are applied to many applications in Ubuntu, and you can find the profiles in the /etc/apparmor.d/ directory.
You can view which profiles are currently loaded by running:
sudo apparmor_status
If you have a custom application that needs a specific profile, you can create a new one or modify an existing one.
sudo aa-genprof /path/to/application
Once the profile is created, you can enforce the profile:
sudo aa-enforce /path/to/profile
Enforcing or Complain Mode
AppArmor operates in two modes: enforce and complain.
- In enforce mode, the profile is strictly enforced, and any violation will result in the application being blocked.
- In complain mode, violations are logged but not enforced, making it a useful mode for testing profiles.
To change the mode of a profile:
sudo aa-enforce /path/to/profile # Enforce mode sudo aa-complain /path/to/profile # Complain mode
Auditing with AppArmor
AppArmor generates logs that provide insight into its enforcement actions; these logs can be found in `/var/log/syslog`, and tools like `journalctl` can be used to view them.
sudo journalctl -xe | grep apparmor
4. Additional Security Best Practices
Beyond using UFW, Fail2ban, and AppArmor, there are other important steps you can take to further harden your server:
Regularly Update Your Ubuntu
Ensure that your system and all installed packages are up to date to protect against vulnerabilities:
sudo apt update && sudo apt upgrade -y sudo apt dist-upgrade -y
Enable automatic security updates to keep your server protected:
sudo apt install unattended-upgrades
Disable Unused Services
Any service or application that you do not need should be disabled to reduce the attack surface. However, before disabling services, it’s important to identify which ones are running on your server using the systemctl command:
sudo systemctl list-units --type=service
Once you’ve identified the unnecessary services, you can disable them to prevent the service from starting automatically on boot, thereby reducing the attack surface.
sudo systemctl disable service-name
Use SSH Key Authentication
For improved SSH security, use SSH key pairs for authentication and disable password-based login.
ssh-keygen -t rsa -b 4096 ssh-copy-id user@your-server-ip
Next, edit the SSH configuration file to disable password-based logins:
sudo nano /etc/ssh/sshd_config
Set PasswordAuthentication no, then restart SSH:
sudo systemctl restart ssh
Now, only SSH key authentication will be allowed, increasing the security of your server.
Conclusion
Securing your Ubuntu production server is a critical step in safeguarding your environment from various attacks. By configuring UFW for firewall management, using Fail2ban to mitigate brute-force attacks, and leveraging AppArmor to control application behavior, you can greatly reduce the risk of unauthorized access and attacks.
Always monitor your logs, apply security patches promptly, and review your security configurations regularly to stay ahead of potential threats. Hardening your system today will ensure its stability, security, and reliability in the long run.
