Secure Your New Ubuntu Server in Minutes: SSH, Firewall, and Fail2Ban

This step‑by‑step guide shows how to harden a freshly installed Ubuntu 12.04 LTS server by creating a non‑root user, disabling root SSH access, configuring SSH keys, applying system updates, setting up iptables firewall rules, and installing Fail2Ban to automatically block malicious login attempts.

MaGe Linux Operations

Securing a newly installed Ubuntu 12.04 LTS server is essential, yet many postpone it; this guide demonstrates that it is straightforward.

Where to start?

If the server has a public IP, lock down root and SSH access immediately. Create a new user and add it to the admin group, which is pre‑configured in /etc/sudoers for sudo access.

sudo addgroup admin
sudo adduser spenserj
sudo usermod -a -G admin spenserj

Generate an SSH key pair on your workstation and add the public key to ~/.ssh/authorized_keys on the server, then disable password authentication. Restrict the directory and file to their owner.

mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "ssh-rsa [your public key]" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Edit /etc/ssh/sshd_config to enforce the following settings:

PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
AllowUsers spenserj

Reload SSH to apply the changes, then, without closing your current session, verify from a second terminal that you can still log in.
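
To make the verification step concrete before reloading, the added example below (not part of the original article) checks the effective configuration printed by `sshd -T` against the four settings above. The function name and finding labels are illustrative, and the reload command in the comment assumes Ubuntu's service name "ssh".

```shell
#!/bin/sh
# Added example (not from the original article): gate the SSH reload on the
# effective configuration. Input is the text printed by `sshd -T`, one
# lowercase "keyword value" pair per line.
#
# check_sshd_hardening USER   (reads `sshd -T` output on stdin)
# Prints one line per finding; returns 0 only if all four settings hold.
check_sshd_hardening() {
    awk -v user="$1" '
        BEGIN {
            want["permitrootlogin"] = "no"
            want["permitemptypasswords"] = "no"
            want["passwordauthentication"] = "no"
        }
        ($1 in want) { seen[$1] = $2 }
        # allowusers can repeat or list several names; exact names only,
        # user@host and wildcard patterns are not interpreted here.
        $1 == "allowusers" {
            has_allow = 1
            for (i = 2; i <= NF; i++) if ($i == user) allowed = 1
        }
        END {
            for (k in want) {
                if (!(k in seen)) { print "MISSING " k; bad = 1 }
                else if (seen[k] != want[k]) {
                    print "WEAK " k " = " seen[k] " (want " want[k] ")"; bad = 1
                }
            }
            if (!has_allow) { print "MISSING allowusers"; bad = 1 }
            else if (!allowed) { print "LOCKOUT " user " not in allowusers"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# On the server (assumes the Ubuntu service name "ssh"):
#   sudo sshd -T | check_sshd_hardening spenserj && sudo service ssh reload

# Dry run on a constructed sample of `sshd -T` output (root login left on):
printf '%s\n' 'permitrootlogin yes' 'permitemptypasswords no' \
    'passwordauthentication no' 'allowusers spenserj' |
    check_sshd_hardening spenserj || echo "not safe to reload"
```

If `sshd -T` itself fails on a syntax error it prints no settings, so every check reports MISSING and the reload is skipped.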

Update the server

Run the standard package update and upgrade commands to apply the latest patches.

sudo apt-get update
sudo apt-get upgrade

Install a firewall

Ubuntu ships with iptables. Create a directory for custom rules (the persistence script below reads them from /etc/iptables/rules) and write a basic rule set that drops all traffic by default, then allows established connections, loopback, inbound SSH, and outbound DNS, ICMP, NTP, and HTTP/HTTPS.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT

Apply the rules safely with iptables-apply and make them persistent by creating /etc/network/if-pre-up.d/iptables:

#!/bin/sh
iptables-restore < /etc/iptables/rules

Give the script execution permission and test it.

sudo chmod +x /etc/network/if-pre-up.d/iptables
sudo /etc/network/if-pre-up.d/iptables

Install and configure Fail2Ban

Fail2Ban monitors log files and bans IPs that show malicious behavior. Install it and copy the default configuration to a local file for editing.

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.{conf,local}

In /etc/fail2ban/jail.local set your own ignoreip, ban time, and email notifications, then choose the action_mwl shortcut to ban via iptables and send email.

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
backend = auto
destemail = root@localhost,[email protected]
action = %(action_mwl)s

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

Restart Fail2Ban and verify that the new iptables rules appear.

sudo service fail2ban restart
sudo iptables -L

Keep the server up to date

Regularly apply updates, close unnecessary ports, review logs, and consider additional hardening such as IPv6 security, changing the SSH port, SELinux/GRSecurity, and full system audits.

By following these steps you can quickly lock down a new server and build further security measures tailored to your environment.

Written by

MaGe Linux Operations
