How to Harden Your Ubuntu Server: A Step-by-Step Guide

28. April 2025 | Linux | Ubuntu | CentOS

When you deploy a new Ubuntu server — whether on Google Cloud, AWS, or any other platform — it’s essential to harden it immediately.
This minimizes attack surfaces and protects your system from unauthorized access.

Here’s a complete guide to basic, essential hardening for a fresh Ubuntu server.

Step 1: Set a Strong Password for Your User

If your server uses an automatically created user (like ubuntu or a custom name), it might not have a secure password initially — often only SSH keys are set up.

Set a strong password manually:

bash
sudo passwd your-username

Example:

bash
sudo passwd ubuntu

You’ll be prompted to enter and confirm the new password.

Tip for passwords:

  • Minimum 12 characters.

  • Mix uppercase, lowercase, numbers, and symbols.

  • Example: Sunshine!2024 or GcpServer#Secure1

Step 2: Disable Root Login over SSH

Allowing direct root login is a serious security risk.
Attackers frequently target root with brute-force attacks.

To disable root SSH login:

  1. Open the SSH server configuration file:

bash
sudo nano /etc/ssh/sshd_config

  1. Find the line:

bash
#PermitRootLogin prohibit-password

or

nginx
PermitRootLogin yes

  1. Change it to:

nginx
PermitRootLogin no

  1. Save and exit (CTRL+O, ENTER, CTRL+X).

  2. Restart the SSH service:

bash
sudo systemctl restart ssh

Now, even if someone knows the root password, they cannot SSH directly as root.

Step 3: Restrict SSH Access to Specific Users

You can further lock down SSH access by explicitly specifying allowed users.

Edit the same SSH configuration file:

bash
sudo nano /etc/ssh/sshd_config

Add at the end:

nginx
AllowUsers your-username

Example:

nginx
AllowUsers ubuntu

Then restart SSH:

bash
sudo systemctl restart ssh

Now, only the listed user(s) can connect over SSH.

Step 4: Install Fail2Ban to Block Attackers

Fail2Ban automatically bans IP addresses that show malicious signs — like too many failed login attempts.

Install Fail2Ban:

bash
sudo apt-get install -y fail2ban

Fail2Ban works out of the box.
For basic setups, no configuration changes are needed.

If you want to fine-tune it, the config files are located in /etc/fail2ban/.

Step 5: Keep Your System Updated

Security patches come out regularly. Always keep your system up to date.

Run:

bash
sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get dist-upgrade -y

Optional (remove unnecessary packages):

bash
sudo apt-get autoremove -y

Finally, reboot to apply any critical kernel updates:

bash
sudo reboot

Extra Recommendations

  • Disable unused services:
    Use sudo systemctl disable servicename for services you don’t need.

  • Set up a firewall:
    Use ufw (Uncomplicated Firewall) to allow only specific traffic:

bash
sudo ufw allow OpenSSH
sudo ufw enable

  • Change default SSH port:
    Editing /etc/ssh/sshd_config to use a non-standard port (like 2222) can reduce random attack noise (but won’t stop targeted attacks).

  • Monitor logs:
    Regularly check /var/log/auth.log for suspicious activity.

Conclusion

Basic hardening steps like setting strong passwords, disabling root login, restricting SSH users, and installing tools like Fail2Ban are critical for protecting your Ubuntu server.

It only takes a few minutes but dramatically increases your server’s security.

Remember:
Security is not a one-time event — it’s an ongoing process.