Update packages#

It’s important to upgrade packages to ensure you have the latest security updates.

You can get the latest security updates by running:

1
sudo apt update

Now apply those updates by running:

1
sudo apt upgrade -y

Once complete, you can remove packages that are no longer needed:

1
sudo apt autoremove -y

Setup automatic updates#

Ubuntu can be configured to automatically install new security updates.

To do so, run the following commands:

1
sudo apt install unattended-upgrades -y
2
sudo dpkg-reconfigure --priority=low unattended-upgrades

This will open a configuration dialog where you can choose to enable automatic security updates.

Install fail2ban#

By default, SSH allows unlimited password attempts.

This means your server is currently exposed to brute-force attacks.

Fail2ban is a simple tool which will lock out IP addresses with repeated failed login attempts.

To install and enable it, run:

1
sudo apt install fail2ban -y
2
sudo systemctl enable --now fail2ban

To verify that Fail2ban is running:

1
sudo systemctl status fail2ban

If the service is running, you should see it output active (running):

To see the current list of banned IPs for SSH, run:

1
sudo fail2ban-client status sshd

Setup a firewall#

UFW (Uncomplicated Firewall) comes pre-installed with Ubuntu, but is disabled by default.

First, run the following command to allow traffic through SSH:

1
sudo ufw allow ssh

It’s important to allow SSH first to ensure you don’t lock yourself out of the server.

To enable the firewall, run:

1
sudo ufw enable

Now, only connections to allowed ports will be permitted, while still allowing outgoing traffic.

To check the status of the firewall, run:

1
sudo ufw status verbose

If you configured it correctly, you should see the SSH ports allowed in:

Disable root access#

Logging in directly as root is a major security risk.

If the root account is compromised, the attacker gains full control of your server.

Add a new user (replace <name> with your chosen name):

1
adduser <name>

Follow the prompts to set a password, everything else is optional.

Grant the new user sudo privileges:

1
usermod -aG sudo <name>

Test the new user by switching to it and checking sudo access:

1
su - <name>
2
sudo whoami
3
whoami

Note that when sudo prompts for a password, it’s your user password, not the root password.

sudo whoami should return root and whoami should return your new username.

Once confirmed working, disable root SSH login by editing the SSH config:

1
sudo nano /etc/ssh/sshd_config

Find PermitRootLogin and change it from yes to no:

1
PermitRootLogin no

Finally, restart SSH to apply the changes:

1
sudo systemctl restart ssh

Setup SSH key authentication#

SSH key authentication is much more secure than password logins.

To connect with a key, we first need to generate a public and private key pair.

1
ssh-keygen -t ed25519

1
ssh-copy-id your_username@your_server_ip

1
ssh -v your_username@your_server_ip

1
mkdir -p ~/.ssh
2
nano ~/.ssh/authorized_keys

1
chmod 700 ~/.ssh
2
chmod 600 ~/.ssh/authorized_keys

Disable password login#

After confirming SSH key authentication is working, you should disable password logins entirely.

Open the SSH configuration file:

1
sudo nano /etc/ssh/sshd_config

Find PasswordAuthentication and change it from yes to no:

1
PasswordAuthentication no

Restart the SSH service to apply the changes:

1
sudo systemctl restart ssh

Conclusion#

By following these steps you now have:

• Regular security updates
• Limited access
• Strong authentication

With these combined, your Ubuntu system is now much more difficult to compromise.