How to Secure Ubuntu Server
Securing your Ubuntu server is critical for protecting your applications and data. In this guide, I'll walk you through the essential steps to harden your server's security from initial setup to production-ready configuration.
Why Server Security Matters
A properly secured server provides:
- Protection from attacks - Prevent unauthorized access and brute force attempts
- Data integrity - Keep your applications and user data safe
- Peace of mind - Sleep better knowing your infrastructure is hardened
- Compliance ready - Meet basic security requirements for production systems
Initial Setup: Local Machine
First, prepare your local machine with SSH keys:
# Create SSH key if needed
ssh-keygen
# View your SSH keys and configuration
ls .ssh/
cat .ssh/KEY.pub
notepad .ssh/config
Important: Always create a dedicated SSH key for each server and keep a secure backup of your keys.
Connecting to Your Server
Connect to your new server as root:
ssh root@DROPLET_IP
Creating a New User
Never run your server as root. Create a dedicated user account:
# Create new user
adduser NEW_USER
# Grant sudo privileges
usermod -aG sudo NEW_USER
Setting Up SSH Key Authentication
Copy your public key to the server:
# From your local machine
ssh-copy-id -i ~/.ssh/KEY.pub NEW_USER@DROPLET_IP
Alternatively, manually set up SSH keys on the remote server:
# Create SSH directory
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Create authorized keys file
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Edit and paste your public key
nano ~/.ssh/authorized_keys
# Set proper ownership
sudo chown -R username:username /home/username/.ssh
System Updates
Keep your system up to date:
sudo apt update
sudo apt upgrade
Hardening SSH Access
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Make these critical changes:
- Set
PermitRootLogin no - Set
PasswordAuthentication no - Set
PubkeyAuthentication yes - Change default SSH port to
2222(or your preferred port)
Apply the changes:
systemctl daemon-reload
systemctl restart ssh.socket
systemctl status ssh
Test your new SSH configuration:
ssh -p 2222 -i ~/.ssh/KEY USER@DROPLET_IP
Configuring the Firewall
Set up UFW (Uncomplicated Firewall) to control network access:
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH on custom port
sudo ufw allow 2222/tcp
# Allow web traffic
sudo ufw allow http
sudo ufw allow https
# Enable firewall
sudo ufw enable
Installing Fail2Ban
Protect against brute force attacks:
# Install Fail2Ban
sudo apt install fail2ban
# Enable and start the service
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Fail2Ban automatically bans IP addresses that show malicious signs, such as too many password failures.
Regular Maintenance
Keep your server healthy with regular updates and monitoring:
# Update system packages
sudo apt update && sudo apt upgrade -y
# Monitor system performance
htop
Setting Up Development Environment
Install essential tools for your workflow.
Docker Engine:
Follow the official installation guide at Docker Ubuntu Installation
Git and GitHub CLI:
# Install GitHub CLI
sudo apt install gh
# Authenticate with GitHub
gh auth login
# Configure Git
git config --global user.name YOUR_USERNAME
git config --global user.email YOUR_EMAIL
Key Takeaways
A secure Ubuntu server starts with proper user management, SSH hardening, firewall configuration, and automated security tools like Fail2Ban.
Security checklist:
- ✓ Disable root login and password authentication
- ✓ Use SSH keys exclusively
- ✓ Change default SSH port
- ✓ Configure UFW firewall
- ✓ Install Fail2Ban for intrusion prevention
- ✓ Keep system updated regularly
Your Ubuntu server is now hardened and ready for production workloads! 🔒